privacy policy
Responsible handling of personal data is a high priority for the GCE - Green Coco Europe Markting & Vertriebsgesellschaft mbH (GCE). We want you to know whenever we collect which data and how we use them.
This privacy policy explains to you the nature, extent and purpose of processing of personal data within our online service and the associated web pages, functions and contents as well as external online presences such as our social media profile. It also shows you how personal data are handled in GCE as a whole.
We have taken numerous technical and organisational measures in order to ensure that the regulations on data protection are complied with, both by us and by our external service providers.
In the course of further development of our web pages, the implementation of new technologies and changes in GCE, changes to this privacy policy may be necessary. We therefore recommend that you re-read this privacy policy from time to time.
Content
1. Definition of terms
2. Responsible body
3. GCE’s Data Protection Officer
4. General information on GCE processing of data
4.1 Purposes of processing
4.2 Legal basis for processing
4.3 Categories of personal data that are processed
4.4 Recipients and categories of recipients of personal data
4.5 Duration of storage and criteria to determine the duration
4.6 Transmission to third countries
5. Access to the internet services of GCE - data processing resulting from the visit to this web page
5.1 Log files
5.2 Cookies
5.3 Hosting
6. Collection of personal data when contact is made
6.1 Contact by email
6.2 Contact using the contact form
6.3 Letters
6.4 Telephone and hotline
7. Processing of personal data during the provision of information
7.1 Data for newsletter dispatch of GCE
7.2 Order of products and other produce
8. Contact databases
8.1 Criteria for consent in the GCE
9. Registration process
10. Applications and application procedure
11. Entry into contracts with GCE - provision of contractual services
12. Visitors to GCE
13. Online presence in social media
13.1 Instagram
13.2 Facebook
14. Rights of persons affected
14.1 Right of access Article 15 GDPR
14.2 Right to rectification Article 16 GDPR
14.3 Right to restriction of processing Article 18 GDPR
14.4 Right to erasure Article 17 GDPR
14.5 Right to data portability Article 20 GDPR
14.6 Right to object to the collection, processing and/or use, Article 21 GDPR
14.7 Right to revoke statements of consent under data protection law
14.8 Right to lodge a complaint with the supervisory authority
15. Protection of minors
16. Links to the web pages of other providers
1. Definition of terms
GCE privacy policy is based on the terms defined in the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) in Article 4 by the European legislator. Our privacy policy should be easy to read and understandable by all users of our web pages. To this end, we would like first to explain the terms used.
In this privacy policy, we use among others the following terms:
a) Personal data
Personal data means any information concerning an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data are processed by the person responsible for the processing.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects concerning a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or person responsible for the processing
The controller or person responsible for the processing means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
The processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
A third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
k) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her
2. Responsible body
The responsible body for the processing of personal data within the meaning of the EU General Data Protection Regulation and other data protection provisions is the
Green Coco Europe Marketing- und Vertriebsgesellschaft mbH (GCE)
Koenigstrasse 33-37
DE-90402 Nuernberg
Tel. +49-911-580 5889-0
Fax. +49-911-580 5889-90
Geschäftsführer: Stefan Reiß
HRB 24980 Amtsgericht Nürnberg
DE 263432770
GLN 4260183210009
3. GCE’s Data Protection Officer
According to Art. 37 para. 1 GDPR and §38 BDSG, there is no obligation to designate a data protection officer.
4. General information on GCE processing of data
4.1 Purposes of processing
GCE processes personal data for the following purposes:
- Provision of its online service, its functions and contents
- Response to contact enquiries and communication with users
- Provision of information, informative material, brochures, publications or products
- Protection against harmful software and threats to communications technology
- In the context of customer acquisition and service and orders
- To carry out tasks for advice, support, training, investigation, development, research, creation, provision, testing, certification and permission
- For its own security measures
- As part of employment conditions and application procedures
- As part of purchasing processes and contractual conditions with external service providers or other partners
4.2 Legal basis for processing
GCE processes personal data on the following legal bases:
Article 6 (1) a) GDPR
Many processing activities for personal data are carried out in GCE on the basis of voluntary declarations of consent by the respective data subjects, e.g. the dispatch of newsletters, the management of events or the preparation of printed publications. The legal basis for processing activities for which we obtain consent for a particular processing purpose is Article 6 (1) a) GDPR.
Article 6 (1) b) GDPR
If the processing of personal data is necessary to perform a contract, the processing is on the basis of Article 6 (1) b) GDPR. The same applies to such processing activities that are necessary to perform pre-contractual measures, such as in cases of enquiries about our products or services.
Article 6 (1c) GDPR
If GCE is subject to a legal obligation requiring processing personal data, such as meeting tax obligations, the processing is on the basis of Article 6 (1c) of the GDPR.
Article 6 (1d) of the GDPR
In rare cases, the processing of personal data may be necessary in order to protect the vital interests of the data subject or of another natural person, e.g. if you need help as a user or visitor to GCE. The processing is then on the basis of Article 6 (1d) of the GDPR.
Article 6 (1) f) GDPR
Finally, processing activities may be carried out on the basis of Article 6 (1) f) GDPR. This is the legal basis for processing activities not covered by the previous legal bases, where processing is necessary for the purposes of the legitimate interests pursued by GCE or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. No data to perform our tasks is processed on this legal basis by GCE. Before any processing, the existence of a legitimate interest will be particularly carefully considered in individual cases, including consideration of whether a data subject at the time that the personal data is collected and in view of the circumstances in which this occurs can reasonably foresee that processing for this purpose may be performed.
4.3 Categories of personal data that are processed
The following categories of personal data are processed by GCE:
- Inventory data (such as names, addresses, functions, organisational relationship, etc.)
- Contact data (such as email, telephone/fax numbers etc.)
- Content data (such as text entries, photographs, videos, biometric data, etc.)
- Usage data (e.g. Access data)
- Meta/communication data (such as IP addresses)
4.4 Recipients and categories of recipients of personal data
If in the course of our processing we disclose data to other persons and companies such as web hosts, processors or third parties or otherwise give them access to the data, this is done on the basis of legal permission (for example when a transfer of data to a third party under Article 6 (1) a) GDPR is necessary for performance of a contract),
if the data subjects have consented, a legal obligation envisages this, it is necessary to perform a task vested in GCE or on the basis of our legitimate interests.
4.5 Duration of storage and criteria to determine the duration
The criterion for the duration of storage of personal data is the respective duration specified by law. After this duration has ended, the corresponding data will be routinely deleted, if they are no longer required to achieve the purpose, perform a contract or prepare for a contract.
4.6 Transmission to third countries
If we process data in a third country (that is, outside the European Union (EU) or the European Economic Area (EEA)) or this takes place in consequence of the use of services of third parties or disclosure or transmission of data to third parties, this is only done in order to fullfil our (pre)contractual obligations on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permission, we process or allow the data to be processed in a third country only when the specific requirements of Article 44 ff GDPR are met. This means that the processing is for example performed on the basis of particular guarantees, such as the officially recognized confirmation of a data protection level corresponding to the US (such as for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
5. Access to the internet services of GCE - data processing resulting from the visit to this web page
5.1 Log files
Each time a data subject or an automatised system accesses the internet offer of the GCE, a number of general items of data and information are recorded by the system. These general items of data and information are stored in the server log files.
The following maximum data are stored in the log files for 30 days:
- Date and time of the access (time stamp)
- Details of the enquiry and target address (log version, HTTP method, referrer, user agent string)
- Name of the file accessed and volume of data transferred (URL accessed including query string, size in bytes)
- Record of whether the query was successful (HTTP status code)
In the use of these general items of data and information, GCE makes no connection to the data subject. No personal analysis or analysis of the data for marketing purposes or profiling is carried out. The IP address of the visitors to the web page are not stored in this context. The legal basis of the temporary storage of the data is Article 6 (1) f) GDPR. The collection of the data to provide the web page and the storage of the data in log files is necessary for the secure operation of the web page. The user therefore does not have the right to refuse.
5.2 Cookies
So-called cookies are used on the pages of GCE. Cookies are small text files that are exchanged between the web browser and the hosting server. Cookies are stored on the computer of the user and transmitted from there to our web page. Users can limit or generally prohibit the use of cookies by an appropriate setting in the web browser used. Previous stored cookies can be deleted at any time. If cookies are deactivated for our wensite, this may lead to the web page not being able to be displayed or used to the fullest extent. The legal basis for the processing of personal data in the use of cookies is Article 6 (1) f) GDPR.
Cookies are firstly used to collect statistical values, such as the hit rate on web pages. Since GCE does not use any web analysis services or tracking tools of its web pages, this type of cookies is not used. On the other hand, cookies are necessary in order technically to ensure the secure and correct preparation of web pages. This type of cookies is used on GCE web pages, in order to increase the security and functionality of the web services offered. This includes cookies for load distribution on the servers, such as the JSESSIONID cookie, and for session management of the application server. The cookies contain no personal data. No IP addresses or other information are stored that would make it possible to trace back to the actual user. The validity of all cookies used ends when the current session is terminated or the respective web page is closed. As part of particular functions on GCE web pages, further cookies are used in order to be technically able to implement the offers. This is necessary among other things for the order service for brochures using the shopping basket function. The cookies are also only valid for the period of the visit to the web page.
5.3 Hosting
The hosting services that we use are used to make the following services available: infrastructure and platform services, processing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of the operation of this online offer.
For this purpose, we and our processors process inventory data, contact data, content data, contract data, usage data, metadata and communication data of users of this online offer on the basis of our legitimate interest in efficient and secure provision of this online offer pursuant to Article 6 (1) f) GDPR in conjunction with Article 28 GDPR (entry into a contract for processing).
6. Collection of personal data when contact is made
The processing of personal data is carried out dependent on the form of contact.
A distinction can be made between contact made by email, by use of a contact form, by letter or by telephone.
6.1 Contact by email
It is possible to contact GCE by email using the email addresses of various functions, in addition to the personal work email addresses of the employees.
If you use one of the specified contact channels, the data provided by you (such as name, first name, address) and at least the email address will be stored, as well as the information contained in the email including any personal data provided by you for the purpose of making contact and processing your query. In addition, the following data are collected by the system:
- IP address of the source computer for the query
- date and time of the email
We draw your attention to the fact that the processing of the data is carried out on the basis of Article 6 (1) e) or (1) f) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG). Processing of the personal data submitted by you is necessary to process your query.
The GCE only stores your data to process your query and in accordance with the legal and contractual requirements. The data will be deleted as soon as they are no longer needed to achieve the purpose of your query. For personal data sent by email, this is the case when the respective conversation with the user has been concluded. The conversation has been concluded if it can be seen from the circumstances that the issue in question has been conclusively clarified and storage for any follow-up questions by the data subject is no longer necessary. Data additionally collected during the process of dispatch will be deleted after no more than seven days.
6.2 Contact using the contact form
If you use the contact form for communication, you are required to provide your first and last name and your email address. Without this information, the issue raised by you using the contact form cannot be processed. Providing your postal address is optional and makes it possible to process your issue by post, if you so wish.
In addition, the following data are collected by the system:
- IP address of the source computer for the query
- date and time of the registration
We draw your attention to the fact that the processing of the data sent with the contact form and the content, which may also contain personal data provided by you, is carried out on the basis of Article 6 (1) e) or (1) f) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG), for the purpose of processing your query.
GCE only stores your data to process your query and in accordance with the legal and contractual requirements. The data will be deleted as soon as they are no longer needed to achieve the purpose of your query. For personal data from the entries in the contact form, this is the case when the respective conversation with the user has been concluded. The conversation has been concluded if it can be seen from the circumstances that the issue in question has been conclusively clarified and storage for any follow-up questions by the data subject is no longer necessary. Data additionally collected during the process of dispatch will be deleted after no more than seven days.
6.3 Letters
If you write a letter to GCE, the data provided by you (such as name, first name, address) will be stored, as well as the information contained in the letter including any personal data provided by you for the purpose of making contact and processing your query.
We draw your attention to the fact that the processing of the data is carried out on the basis of Article 6 (1) e) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG). Processing of the personal data submitted by you is necessary to process your query.
6.4 Telephone and hotline
If you make contact with GCE by telephone, personal data to process your query will be processed as far as necessary.
GCE only stores your data to process your query and in accordance with the legal and contractual requirements. The data will be deleted as soon as they are no longer needed to achieve the purpose of your query. For personal data, this is the case when the respective conversation with the user has been concluded. The conversation has been concluded if it can be seen from the circumstances that the issue in question has been conclusively clarified and storage for any follow-up questions by the data subject is no longer necessary.
We draw your attention to the fact that the processing of the data and the content, which may also contain personal data provided by you, is carried out on the basis of Article 6 (1) e) or (1) f) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG), for the purpose of processing your query.
7. Processing of personal data during the provision of information
The processing of personal data depends on the type of information provision. We distinguish between the provision of newsletters, printed matter or other GCE publications.
7.1 Data for newsletter dispatch of GCE
If you register on the distribution list for newsletters, your email address and the selected newsletter(s) are stored by us on a server.
In addition, the following data are collected during registration:
- IP address of the source computer for the query
- date and time of the registration
Your consent is obtained during the processing of the data as part of the registration process and reference is made to this privacy policy. The processing of the data is carried out on the basis of your consent pursuant to Article 6 (1) a) GDPR and in accordance with legitimate interest pursuant to Article 6 (1) f) GDPR. We use these data exclusively for the dispatch of the newsletter, for statistical purposes and to analyse system performance.
We do not pass your data to third parties and do not use them for other internal purposes. It is ensured through a registration system with an additional confirmation message containing a link to final registration (double opt-in) that the newsletter is explicitly wanted by you. During the registration, your data will be stored on our servers and a confirmation message with a link to final registration will be sent to the stated email address. If you do not confirm the registration through the link in this email, the data will be deleted after 24 hours. The data for the dispatch of newsletters for the duration that our offer is being used is only stored after confirmation through the link in the email.
The data will be deleted as soon as they are no longer needed to achieve the purpose of your query. The email address of the user will accordingly only be stored for as long as the subscription is active. Other personal data collected during the process of registration will normally be deleted after no more than seven days.
If you no longer consent to the storage of data for this purpose and thereby no longer wish to use our service, you can at any time cancel our newsletters. There is a corresponding link in every newsletter for this purpose. The personal data submitted by you will then be deleted.
7.2 Order of products and other produce
If you order products or other produce through this website or a connected website, it is necessary to process your personal data in order to carry out pre-contractual measures and to fullfil the agreement - that is, to provide the products - in accordance with Article 6 (1) b) GDPR. The following personal data must be given in order for the request to be carried out:
- Last name, first name,
- Street, house number
- Postcode and town
- Email adress
- Telefone number
- Payment information
These data will be processed when the order is handled. Your consent is obtained during the processing of the data as part of the registration process and reference is made to this privacy policy. If the order cannot be completed by us, the data provided by you will be passed on to a processor (dispatch firm). If the stated data are not available, the order cannot be processed. The additional voluntary information are not essential for processing, but assist better processing of the order and simplify the process.
The data provided by you will be deleted as soon as they are no longer needed to achieve the purpose for which they were collected. For the personal data, this is the case when the respective order has been completed. The order has been completed when it can be seen from the circumstances that the matter in question has been fully dealt with and storage for any follow-up questions by the data subject is no longer necessary.
8. Contact databases
The following is not valid for data bases used for business to business acquisition and customer service.
GCE invites interested parties to have themselves registered in contact databases for various purposes. These purposes may include, for example, invitations to events and the provision of information on various focal points of interest, participation in various joint enterprises or activities, training, working groups and expert groups of GCE. To achieve these objectives, you are asked for various data. GCE only collects data absolutely necessary for the particular purpose.
However, GCE needs special consent for this. This also applies if you have already given GCE your contact data, for example by sending a business card or an email with a contact request. In this case, GCE will ask you to give additional consent to the processing of your personal data before including you in a contact database
Article 7 GDPR describes the conditions for a GDPR compliant consent GDPR. The consent is based on the following criteria: voluntary, specific, informed, unambiguous and verifiable. It is in a comprehensible and easily accessible form and expressed in clear, plain language.
If you have given your consent to GCE for inclusion in a contact database for the purposes that you have selected, the processing of your personal data will be carried out in accordance with Article 6 (1) a) GDPR. Your data remain stored until you inform GCE that you no longer have an interest in their retention in the contact database and revoke your consent. Your data will then be deleted at once, unless there are legal retention periods to the contrary.
8.1 Criteria for consent in the GCE
Voluntary
- The submission of a statement of consent by the data subject must be absolutely voluntary. The data subject must be in a position to make a genuine choice and when the consent is obtained he must not be confronted with a fait accompli or otherwise limited in his scope for decision.
- No conditional arrangements may be made (Article 7 (4) GDPR).
- The performance of a contract or the provision of a service, is not conditional on provision of consent.
- Revocation is possible at all times, and it must be as easy as the submission of consent.
Specific
- Separate consents must be given for different purposes and processes. This can also be done by deliberately ticking clearly meaningful selection boxes.
Informed
- The data subject will be comprehensively informed about the purpose and extent of processing,
- about the controller
- about his right to revocation, in particular the consequences of refusal and revocation of the consent
- and about his rights under the GDPR.
Unambiguous
- The data subject can submit the consent in written or electronic form.
- For this purpose, unambiguous confirmatory actions are required, such as clicking on a box or selection of corresponding settings.
Verifiability
- Since the consent must be verifiable even years later, written consents received are archived and consents provided in electronic form are stored.
Language
- Despite the extent of the consent statements required by the GDPR, GCE works to make these as clear as possible to be expressed them in clear, comprehensible and simple language.
During processing, your consent to the progressing of personal data is obtained and reference is made to this privacy policy.
9. Registration process
On our web page, we offer users the option to register with personal data for special access-restricted if they fulfill the respective access requirement.
The data required for the respective registration progress are thereby either entered on the entry screen and transmitted to us or recorded with registration forms that are to be downloaded from the web page, filled out and sent to GCE by post, fax or email.
For each registration process, GCE web pages provide for each topic extensive explanations, information sheets and statements about which data are collected on which legal basis and on the rights and obligations of the data subjects.
10. Applications and application procedure
GCE collects and processes personal data from applicants for the purpose of carrying out application procedures. For this purpose, the applicant provides GCE with consent in accordance with Article 6 (1) a) GDPR.
The processing is usually by electronic means. This is particularly the case where the application documents are submitted electronically. The documents may for example be submitted by email or using the webpage.
During the selection process, the applications received are inspected, any questions arising may be sent in response, invitations to interview will be sent and further personal data may be collected in discussions during the recruitment process, in order finally to be able to reach a decision regarding the choice of applicants.
If an employment relationship results following the application process, the personal data required in the employment context are processed in accordance with Article 88 (1) GDPR in conjunction with Section 26 of the Federal Data Protection Act (BDSG), and where appropriate Sections 106 ff. of the Federal Civil Service Act (BBG).
If the application process does not lead to an employment relationship, the application documents are deleted six months after notification of rejection of the application. The deadline for deletion follows from the application of Article 17 (3b) GDPR (exception from the basic obligation to delete if processing of the personal data is to comply with an obligation under German law or EU law), in conjunction with Section 15 (4) of the Equal Treatment Act (AGG) and Section 61 b (1) of the Labour Court Act (ArbGG) (obligation to retain data under the duty of proof according to the Equal Treatment Act).
11. Entry into contracts with GCE - provision of contractual services
All information that you provide in the context of entry into a contract or fullfilment of a contract by GCE is in principle voluntary. We draw your attention to the fact that incomplete information regarding your contact and / or payment details make it impossible for GCE to complete a contract, since this information is essential for correct processing of the contract. Failure to provide the required personal data would have the consequence that the contract could not be entered into with the data subject.
In order to fulfil our contractual and pre-contractual obligations, GCE processes inventory data (e.g. customer master data such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. text entries, photographs, videos), data in relation to procurement or tendering (e.g. names of contact persons, Competence profiles), contractual data (e.g. subject of contract, duration, contract conditions, services delivered), and payment data (e.g. bank details, payment history).
In this connection, we process special categories of personal data (such as data from which racial or ethnic background, political opinions, religious or philosophical opinions or trade union membership can be derived, as well as genetic data, biometric data for unique identification of a natural person, health data or data on sexual activity) only when these from part of a contract, the processing is necessary and the data subjects have consented to processing for a specific purpose.
The purpose of the processing consists of the provision of contractual services and charging for these services. The legal basis for the processing is derived from Article 6 (1b) GDPR (contractual services) and Article 6 (1f) GDPR (analysis, statistics, optimisation, security measures).
We delete the data after the expiry of legal obligations for warranty and storage.
12. Visitors to GCE
GCE regularly receives visitors. In order to provide access to the rooms of GCE, GCE needs to collect first and last names and where appropriate date of birth and organisational affiliation before the visit, in accordance with Article 6 (1e) GDPR in conjunction with Section 3 BDSG.
The processing of personal data for the purpose of visiting GCE is carried out on the basis of the consent of the visitors in accordance with Article 6 (1a) GDPR. This consent can be revoked at any time. The legality of processing on the basis of the consent given remains unaffected until the revocation is made. If consent is revoked, the persons involved must leave GCE immediately and may not return.
The personal data provided by you and the visitors’ passes are retained for two years in accordance with Section 29 (6) of the Classified Information Order and then destroyed or completely deleted.
13. Online presence in social media
GCE maintains an online presence in social networks in order to inform active users of the networks about the services and products available from GCE and in the case of interest to communicate directly over the platforms. GCE social media channels thereby supplement GCE’s own websites and offer interested persons who prefer this type of information an alternative means of communication.
GCE is currently represented in the following networks with its own online profile:
Faccebook
All social media channels of GCE can only be accessed by visitors to the websites through an external link. GCE does not use plug-ins or other interfaces on its web pages which the respective networks offer for integration of the offers on web pages. You can find more information on this under the heading “External links” in this privacy policy. As soon as the visitors address the respective GCE social media profile in the respective network, the terms and conditions and the data processing guidelines of the respective operator apply.
GCE has no influence on data collection and further use by social networks. There is therefore no information on to what extent, where and for how long the data are stored, the extent to which the networks comply with existing deletion obligations, what analyses and links with the data are made or to whom the data are passed on. GCE therefore explicit draws attention to the fact that the data of users (such as personal information and IP address) are stored by the network operators in accordance with their guidelines for data usage and are used for commercial purposes.
GCE processes the data of users through GCE social media addresses insofar as the users contact and communicate with GCE, for example by comment or direct mail. The legal basis for the processing of personal data after the user consents is Article 6(1a) GDPR.
13.1 Instagram
The online offer of GCE does not include any functions or content of the services of Instagram, offered by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland. The Instagram channels are only accessible through an external link.
If the visitors to the GCE website are members of the Instagram platform, Instagram is able to assign the call to the social media channel to the user profile, if the user accesses GCE Instagram profile while logged in.
We draw attention to the fact that we have no influence over the content or extent of use of data collected by Instagram. For further information on this, we refer to the pages of Instagram at: https://www.instagram.com/legal/privacy/. We should also like to point out that in order to protect your private sphere you can make appropriate changes to your Instagram account.
13.2 Facebook
You can access the social media network Facebook from external links on GCE web pages. All functions in the social media network are offered by Facebook, 1601 South California Avenue, Palo Alto,CA 94304, USA. If you are logged into Facebook with your own profile and call GCE social media channel, Facebook is able to assign your visit to your logged-in profile.
We draw attention to the fact that we have no influence over the content or extent of use of data collected by Facebook. For further information on this, we refer to the privacy policy by Facebook: https://facebook.com/privacy/explanation. If you do not wish your user account to be assigned to your IP address, then please log out from your Facebook account before using our website.
14. Rights of persons affected
14.1 Right of access Article 15 GDPR
You have the right to obtain from GCE confirmation as to whether or not personal data concerning him or her are being processed. Where that is the case, you can require GCE to provide the following information
- the purposes of the processing of the personal data;
- the categories of personal data that are processed;
- the recipients or categories of recipient to whom the personal data about you have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if specific information is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- whether personal data concerning you are transferred to a third country or to an international organisation; in this event you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR concerning the transfer;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
This right to information may be limited to the extent that it would be expected to make implementation of research and statistical objectives impossible or seriously impaired and the limitation is necessary to achieve the research or statistical purposes.
14.2 Right to rectification Article 16 GDPR
You have the right to rectification and/or completion by GCE if the personal data processed that relates to you is incorrect or incomplete. GCE will make the correction without undue delay. Your right to rectification may be limited to the extent that it would be expected to make implementation of research and statistical objectives impossible or seriously impaired and the limitation is necessary to achieve the research or statistical purposes.
14.3 Right to restriction of processing Article 18 GDPR
Under the following conditions, you can obtain a restriction of processing of personal data concerning you:
- if the accuracy of the personal data is contested by you, for a period enabling GCE to verify the accuracy of the personal data;
- if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- if GCE no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
- if you objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of GCE override your grounds.
Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you have obtained restriction of processing pursuant to the preconditions above, you will be informed by GCE before the restriction of processing is lifted. Your right to restriction of processing may be limited to the extent that it would be expected to make implementation of research and statistical objectives impossible or seriously impaired and the limitation is necessary to achieve the research or statistical purposes.
14.4 Right to erasure Article 17 GDPR
You have the right to obtain from GCE the erasure of personal data concerning you without undue delay and GCE has the obligation to erase these data without undue delay where one of the following grounds applies:
- the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw consent on which the processing is based according to Article 6(1a), or Article 9(2a) GDPR, and there is no other legal ground for the processing;
- you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
- the personal data concerning you have been unlawfully processed;
- the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which GCE is subject;
- the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If GCE has made the personal data public and is obliged pursuant to Article 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the person affected have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
You do not have the right to erasure of the personal data concerning you to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which GCE is subject or for the performance of a task carried out in GCE;
- for reasons of public interest in the area of public health in accordance with Article 9(2h) and 9(2i), as well as Article 9(3) GDPR;
- for statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
14.5 Right to data portability Article 20 GDPR
You have the right to receive the personal data concerning you which you have provided to GCE, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from GCE to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6 (1) a) or Article 9 (2) a) GDPR or on a contract pursuant to Article 6 (1) b) GDPR; and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons must not be adversely affected by this.
14.6 Right to object to the collection, processing and/or use, Article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) e) or 6 (1) f) GDPR. The controller will no longer process the personal data concerning you, unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you. This right to information may be limited to the extent that it would be expected to make implementation of statistical objectives impossible or seriously impaired and the limitation is necessary to statistical purposes.
If you have used your right to rectification, deletion or restriction of processing by the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves to be impossible or associated with disproportionate effort. You have the right to be informed of these recipients by the controller.
14.7 Right to revoke statements of consent under data protection law
You have the right to revoke your statement of consent under data protection law at any time. For this purpose, please send an email to info@green-coco.com. To cancel newsletters from GCE, please use the link shown at the end of each newsletter or use info@green-coco.com. The revocation of consent will not affect the legality of processing carried out on the basis of consent before its revocation.
14.8 Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPRThe supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
15. Protection of minors
Persons under 18 years of age should not transmit any personal data to us without the consent of their parents or persons with parental authority.
16. Links to the web pages of other providers
Our online offers contain links to the web pages of other providers – so-called external links. We have no influence over the contents of the targets of such links, so we are unable to take responsibility for such contents. The responsibility always rests with the respective operator of the external pages. At the time when the external link was established, no breaches of law could be seen. Permanent monitoring of external content for breaches of law without specific grounds cannot reasonably be expected of us. If we become aware of breaches of law, we will remove the corresponding external links without undue delay.