Privacy Policy

Data protection information

A. Foreword

We, the Hanns R. Neumann Stiftung, Am Sandtorpark 4, 20457 Hamburg (hereinafter jointly referred to as "the company", "we" or "us") take the protection of your personal data seriously and would like to take this opportunity to inform you about data protection in our company.

As part of our responsibility under the data protection law, we are subject to various obligations under the data protection law, in particular in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR"), in order to ensure the protection of personal data of the person affected by processing (we also refer to you as the data subject as "customer", "user", "you" or "data subject").

Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR). With this declaration (hereinafter: "data protection information"), we inform you about the way in which your personal data is processed by us.

B. General Information

Definitions

In accordance with Art. 4 GDPR, this data protection notice is based on the following definitions:

"Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).

"Processing" (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.

"Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, that are authorized to process the personal data; this also includes other legal entities belonging to the group.

"Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.

"Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Amendment of the data protection information

As part of the ongoing development of data protection law and technological or organizational changes, our data protection information is regularly reviewed to determine whether it needs to be adapted or supplemented. You will be informed of any changes.

This data protection notice is dated June 2024.

No obligation to provide personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case in the context of the products presented below and offered by us, you will be informed of this separately.

C. Information about the processing of your data

The collection of personal data concerning you

When you use the coffee&climate toolbox (hereinafter also referred to as the "app"), we collect personal data about you.

Personal data is all data that relates to you personally (see above under General). For example, your name, location data, IP address, device ID, SIM card number, address and email address are personal data, your fingerprint, images, films, audio recordings, but your user behavior also falls into this category.

Legal basis for data processing

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:

Art. 6 para. 1 sentence 1 lit. a GDPR ("consent"): If the data subject has voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that they consent to the processing of personal data concerning them for one or more specific purposes;

Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to retain data);

Art. 5 para. 1 sentence 1 lit. d GDPR: If processing is necessary in order to protect the vital interests of the data subject or another natural person;

Art. 6 para. 1 sentence 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or

Art. 6 para. 1 sentence 1 lit. f GDPR ("legitimate interests"): If the processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject (in particular where the data subject is a minor).

The storage of information in the end user's terminal equipment or access to information that is already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:

§ 25 (1) TTDSG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;

§ 25 (2) no. 1 TTDSG: If the sole purpose is to carry out the transmission of a communication via a public telecommunications network or

§ 25 (2) no. 2 TTDSG: If the storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.

For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing can also be based on several legal bases.

Data collected during use

Inevitably, we can only provide you with the benefits of our app if we collect certain personal data required for its operation when you use it.

We collect this data if this is necessary for the fulfilment of the contract between you and us (Art. 6 para. 1 lit. b GDPR). Furthermore, we collect this data if this is necessary for the functionality of the app and your interest in the protection of your personal data does not outweigh this (Art. 6 para. 1 lit. f GDPR) or if you consent to the collection and processing (Art. 6 para. 1 lit. a GDPR). Insofar as special categories of personal data are affected (such as biometric data recognizable in photographs), the legal basis is also your consent (Art. 9 para. 2 lit. a GDPR).

We collect and process the following data from you:

Device information: The access data includes the IP address, device ID, device type, device-specific settings, the date and time of the retrieval, time zone the amount of data transferred and the message as to whether the data exchange was complete, app crash, browser type and operating system. This access data is processed to enable the technical operation of the app

Data that you make available to us: To use the app, you can create a user account. To do this, you must enter at least your login name. However, you are not obliged to create a user account.

Information with your consent: We process other information (e.g. GPS location data or special categories of personal data within the meaning of Art. 9 GDPR in connection with photographs that you post) if you authorize us to do so.

Contact form data: When contact forms are used, the data transmitted through them is processed (e.g. gender, surname and first name, address, company, e-mail address and the time of transmission).

If the processing of the data requires the storage of information in your terminal equipment or access to information that is already stored in the terminal equipment, § 25 (1), (2) TTDSG is the legal basis for this.

Use of cookies

We use cookies to operate our app. Cookies are small text files that are stored on the device memory of your end device and assigned to the app you are using and through which certain information flows to the location that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make our app more user-friendly and effective overall, i.e. more convenient for you.

Cookies can contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, a distinction is made between cookies:

Technical cookies: These are absolutely necessary to move within the app, use basic functions and ensure the security of the app; they do not collect information about you for marketing purposes, nor do they store which websites you have visited;

Performance cookies: These collect information about how you use our app, which pages you visit and, for example, whether errors occur when using the app; they do not collect any information that could identify you - all information collected is anonymous and is only used to improve our app and to find out what interests our users;

Advertising cookies, targeting cookies: These are used to offer the app user customized advertising within the app or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;

Sharing cookies: These are used to improve the interactivity of our app with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is § 25 para. 2 no. 2 TTDSG.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent in accordance with § 25 (1) TTDSG in conjunction with Art. 6 (1) sentence 1 lit. a GDPR. Art. 6 para. 1 sentence 1 lit. a GDPR is permitted. This applies in particular to the use of performance, advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

Cookie Policy

For more information about which cookies we use and how you can manage your cookie settings and disable certain types of tracking, please see our cookie policy [link to cookie policy].

Matomo

In this app, we use the web analysis service Matomo to analyze and check the use of our app. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.

We operate Matomo in a version that does not require cookies. This means that no Matomo cookies are stored on your computer for the purpose of web analysis. To analyze website usage, your IP address and information such as timestamps, websites visited and your language settings are recorded. We store the information collected in this way on our server.

This website uses Matomo with the “AnonymizeIP” extension. This means that IP addresses are further processed in abbreviated form and cannot be directly linked to individuals. The IP address transmitted by your browser using Matomo is not merged with other data collected by us. The legal basis for the use of Matomo is Art. 6 para. 1 sentence 1 lit. f GDPR.

You can prevent the use of Matomo by unchecking the following box to activate the opt-out plug-in: [Matomo iFrame]. In this case, an opt-out cookie is stored in your browser, which prevents Matomo from storing usage data. If you delete your cookies, the Matomo opt-out cookie will also be deleted. The opt-out must be reactivated when you visit our site again.

The Matomo program is an open source project. Information from the third-party provider on data protection can be found at www.matomo.org/privacy-policy/.

YouTube

We have integrated YouTube videos into our online offering, which are stored on YouTube.com and can be played directly from our website. These are all integrated in “extended data protection mode”, i.e. no data about you as a user is transferred to YouTube if you do not play the videos. Only when you play the videos will the data mentioned in paragraph 7.2 be transmitted. We have no influence on this data transfer. The legal basis for the display of the videos is Art. 6 para. 1 sentence 1 lit. a GDPR, i.e. the integration only takes place with your consent.

By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and timestamp are transmitted. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.

The information collected is stored on Google servers, including in the USA. In these cases, the provider has, according to its own information, imposed a standard that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws when transferring data internationally. We have also agreed so-called standard data protection clauses with Google, the purpose of which is to maintain an appropriate level of data protection in the third country.

Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: www.google.de/intl/de/policies/privacy.

Data storage period

We delete your personal data as soon as it is no longer necessary for the purposes for which we collected or used it (see C. 3., 4., 5., 6), are no longer required. As a rule, we store your personal data for the duration of the usage or contractual relationship via the app. Your data will only be stored on our servers in Germany, subject to any disclosure in accordance with the provisions in F. 1., 2. and 3.

However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings.

Third parties engaged by us (see F. 1.) will store your data on their system for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.

Legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

Data security

We use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and effects) for the data subject. Our security measures are continuously improved in line with technological developments.

We will be happy to provide you with more detailed information on request. Please contact our data protection officer (see D. 1.).

No automated decision-making (including profiling)

We do not intend to use personal data collected from you for automated decision-making (including profiling).

Change of purpose

Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing.

In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.

D. Responsibility for your data and contacts

Responsible person and contact details

We are the controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR

coffee & climate
Hanns R. Neumann Stiftung
Am Sandtorpark 4
20457 Hamburg
info@coffeeandclimate.org

In accordance with Art. 37 GDPR i.V.m. § 38 BDSG, we are not obliged to appoint a data protection officer. If you have any questions about data protection, please do not hesitate to contact us using the contact details above.

Please contact this contact point in particular if you wish to assert the rights to which you are entitled, which are explained in section G, against us.

If you have any further questions or comments on the collection and processing of your personal data, please also use the above-mentioned contacts.

Data collection when making contact

If you contact us by e-mail or via a contact form, we will store your e-mail address, your name and all other personal data that you have provided in the course of contacting us so that we can contact you to answer your question.

We delete this data as soon as storage is no longer necessary. If there are statutory retention periods, the data will remain stored, but we will restrict the processing.

F. Data processing by third parties

Order processing

We may use contracted service providers for individual functions of our app. As with any company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.

The following categories of recipients, which are usually processors, may have access to your personal data:

Service providers for the operation of our app and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as these are not processors;

Government bodies/authorities, insofar as this is necessary to fulfil a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;

Persons engaged to conduct our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

In addition, we will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

If your personal data is passed on by us to subsidiaries or passed on to us by subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.

Requirements for the transfer of personal data to third countries

As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. Art. 44 ff. GDPR). If necessary, we will inform you about the respective details of the transfer at the relevant points below.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates or recognised codes of conduct. Please contact us (see D. 1.) if you would like more information on this.

Legal obligation to transfer certain data

We may be subject to a special legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Art. 6 para. 1 sentence 1 lit. c GDPR).

G. Your rights

Right to information

You have the right to obtain information from us about the personal data concerning you within the scope of Art. 15 GDPR.

This requires an application from you, which must be sent either by e-mail or by post to the addresses given above (see D. 1.).

Right to object to data processing and to withdraw consent

In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.

Pursuant to Art. 7 (3) GDPR, you have the right to withdraw your consent - i.e. your voluntary, informed and unequivocal expression of your consent to the processing of the personal data concerned for one or more specific purposes by means of a statement or other unequivocal affirmative act - at any time. The consequence of this is that we may no longer continue the data processing based on this consent in the future.

In this regard, please contact the contact point indicated above (see D. 1.).

Right to rectification and erasure

Insofar as personal data concerning you is incorrect, you have the right under Art. 16 GDPR to demand that we correct it immediately. If you wish to make such a request, please contact the contact point specified above (see D. 1.).

Under the conditions set out in Art. 17 GDPR, you have the right to request the erasure of personal data concerning you. To make a request in this regard, please contact the contact point specified above (see D. 1.). In particular, you have the right to erasure if the data in question is no longer necessary for the purposes for which it was collected or processed, if the data retention period (see C. 9.) has elapsed, an objection has been raised (see G. 2.), or if the processing is unlawful.

Right to restriction of processing

In accordance with Art. 18 GDPR, you have the right to demand that we restrict the processing of your personal data.

If you would like to make a request in this regard, please contact the contact point indicated above (see D. 1.).

In particular, you have the right to restrict processing if the accuracy of the personal data is disputed between you and us; in this case, you have this right for the period of time required to verify the accuracy. The same applies if the successful exercise of a right to object (see G. 2.) is still disputed between you and us. You also have this right in particular if you have a right to erasure (see G. 3.) and you request restricted processing instead of erasure.

Right to data portability

In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.

If you would like to make a request in this regard, please contact the contact point indicated above (see D. 1.).

Right to lodge a complaint with the supervisory authority

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority about the collection and processing of your personal data.

You can reach the competent supervisory authority using the following contact details: The Hamburg Data Protection and Freedom of Information Commissioner, Ludwig-Erhard-Strasse 22, 20459 Hamburg, phone: 040 42854 4040, fax: 040 428 54 - 4000, e-mail mailbox@datenschutz.hamburg.de