Contact Information of the Controller (Party Responsible for the Processing of Personal Data)

Institut für ökologische Wirtschaftsforschung GmbH (a Non-Profit Institution)
Potsdamer Str. 105
D-10785 Berlin

Represented by the Scientific Director, Thomas Korbun, and the Financial Director, Marion Wiegand.

Telephone: +49-(0)30–884 594-0
Fax: +49-(0)30–882 54 39
E-Mail: mailbox(at)ioew.de

Contact Information of the Data Protection Officer

DATENCOACH.DE für fachgerechte Datenhaltung UG (Limited Liability)
Ralf Petersen
Köpenicker Str. 95 A
12355 Berlin
Telephone: +49-(0)30–884 59 4-0
E-Mail: datenschutz(at)ioew.de

How do we Acquire your Personal Data?

The collection of your personal data inherently begins with you. Processing of the data you submit is necessary for the fulfilment of obligations arising out of the contractual relationship you establish with us.

Processing of your personal data is necessary in the course of pre-contractual measures (i.e. the collection of address and contact information from you as an interested party). Without the provision and processing of this data, no contract can be concluded.

In order to render our services, it may be necessary to process personal data permissively obtained from other companies or parties, e.g. the tax authorities or your business associates, etc., according to the respective purpose.

Furthermore, we may process personal data permissively obtained from publicly available sources, e.g. Internet websites, which are used solely for the respective contractual purpose.

Purposes and Legal Basis for the Processing of Personal Data

The personal data so entrusted with us will be processed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG – the Federal Data Protection Act of Germany):

On the Basis of Consent Given (Pursuant to Art. 6(1)(a) of the GDPR)

The purposes for the processing of your personal data are based on the consent you have given us. You may withdraw your consent with future effect at any time. Consent given prior to the commencement date of the GDPR (25 May 2018) may also be withdrawn. The processing of data occurring prior to withdrawal of consent remains unaffected by the revocation. For example: delivery of a newsletter.

For the Fulfilment of Contractual Obligations (Pursuant to Art. 6(1)(b) of the GDPR)

The purposes of data processing arise with the initiation of measures necessary prior to entering a contractually regulated business relationship as well as in the performance of the contract concluded with you.

To Comply with Legal Obligations (Pursuant to Art. 6(1)(c) GDPR) or for the Performance of Tasks Carried out in the Public Interest (Pursuant to Art. 6(1)(e) of the GDPR)

Purposes of data processing here include those arising from legal requirements or those that are in the public interest (e.g. compliance with document retention regulations, proof of compliance with information and disclosure requirements).

For the Purposes of Legitimate Interests (Pursuant to Art. 6(1)(f) of the GDPR)

Purposes of processing may arise in the pursuit of our legitimate interests. It may be necessary to process your personal data beyond the requirements of contractual performance. In the pursuance of our legitimate interests, further processing of your personal data may be justified to the extent that such interests are not superseded by your own interests or fundamental rights and freedoms. Such legitimate interests may specifically include: assertion of legal claims, defence against liability claims, and prevention of criminal offenses.

Who Receives your Personal Data?

Access to your personal data is provided to those departments within our company authorized to process the data and having a legitimate need for the purpose of fulfilling contractual and legal obligations.

In fulfilment of our contract with you, the personal data entrusted with us will only be shared with those agencies and authorities where a legal obligation exists, for example revenue services, social insurance agencies, regulatory authorities, or in the case of a court order or subpoena.

In the course of the provision of services, we may rely upon various data processors to fulfil contractual obligations, e.g. data service centres, IT service partners, document-shredding companies, etc. These data processors are contractually obligated to observe requirements of professional confidentiality and comply with the provisions of the GDPR and BDSG.

Will your Personal Data be Transmitted to a Third Country or International Organizations?

Under no circumstances will your personal data be transmitted to a third country or international organization. At your specific request, however, we may transfer your personal data to another country or international organization, but only with your written permission and release from confidentiality.

Does Automated Decision-Making Processing, Including Profiling, occur?

Pursuant to Art. 22 of the GDPA, no decision-making based solely on the automated processing of your personal data, including profiling, is employed.

Duration of Processing (Criteria for Deletion)

Your personal data will be retained for processing for until attainment of the contractually agreed upon purpose, as a rule, for the duration of the contractual relationship. After termination of the contractual relationship, your personal data will be processed as necessary to comply with statutory record retention requirements or to safeguard our legitimate interests. After expiry of the statutory retention periods and/or cessation of our legitimate interests, your personal data will be deleted.

Anticipated retention periods with respect to statutory retention obligations and safeguarding of our legitimate interests:

• Fulfilment of commercial, tax, and professional obligations with respect to data retention terms. The prescribed retention and/or record-keeping periods are two to ten years.

• Preservation of evidence in accordance with statutes of limitation.  According to par. 195ff. of the German Civil Code (BGB), this can be up to 30 years, although the regular limitation period is three years.
  
  

Information About your Rights

• Right of rectification in accordance with Art. 16 of the GDPR: You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data. With respect to the purposes of the processing, you have the right to amend incomplete personal data — including by means of a supplementary statement.

• Right to erasure (“right to be forgotten”) in accordance with Art. 17 of the GDPR: You have the right to obtain from the controller the erasure of your data without undue delay. The controller is obligated to erase personal data without undue delay where one of the following grounds applies:

     - The purposes for which the personal data were collected have lapsed.
     - You withdraw your consent to the processing; there is no other legal ground for the processing.
     - You object to the processing; there is no other legal ground for the processing.
     - The personal data have been unlawfully processed.
     - Compliance with a legal obligation in Union or Member State law to which the controller is subject compels erasure of the personal data.
     - The personal data were collected in the context of an offer of information society services pursuant to Art. 8(1).

• Right to restriction of processing in accordance with Art. 18 GDPR & Par. 35 BDSG: You have the right to obtain from the controller restriction of processing where one of the following conditions applies:
  - You contest the accuracy of the personal data.
  - The processing is unlawful; however, you oppose the erasure of the personal data.
  - The personal data are no longer necessary for the purposes of processing, but are needed by you for the establishment, exercise, or defence of legal claims.
  - You have objected to processing pursuant to Article 21(1) GDPR. Pending verification of whether the legitimate grounds of the controller override those of the data subject, processing will be restricted.

• Right to data portability pursuant to Art. 20 of the GDPR: You have the right to receive your personal data from the controller in a structured, commonly used, and machine-readable format. You have the right to transmit those data to another controller without hindrance from us.

• Right to object pursuant to Art. 21 of the GDPR: To file an objection, please contact the controller (see above)
• Right to lodge a complaint with a regulatory authority pursuant to Art. 13(2)(d), Art. 77 GDPR in conjunction with Par. 19 BDSG: If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with a regulatory authority. Please contact the appropriate supervisory authority.

Withdrawal of consent pursuant to Art. 7(3) GDPR: If processing is based on your consent pursuant to Art. 6(1)(a) or Art. (2)(a) (processing of special categories of personal data), you are entitled to withdraw purpose-bound consent at any time without affecting the lawfulness of processing based on the consent before its withdrawal.