ECHO eG
Privacy PolicyInformation obligations under Articles 13 and 14 GDPR
Information obligations under Articles 13 and 14 GDPR
Data protection information: Information on the handling of your data
Content
- Data Controller
- Data protection supervisor
- Collection and processing of personal data when visiting the ECHO websites
3.1. Public websites
Information obligations under Articles 13 and 14 GDPR
3.3. Personal Entries
3.4. Cookies
- Collection and processing of personal data of interested parties
- Collection and processing of personal data from customers
- Collection and processing of personal data from suppliers
- Collection and processing of personal data of applicants
- Other Processing Purposes
- Contradiction
- Duration of storage
- Recipients of personal data
- Third country
- Automated decision-making
- Rights of data subjects
- Existence of a right of appeal to a supervisory authority
- Obligation to provide data
- Safety
- Social Media
18.1. Facebook
18.2. Instagram
18.3. Twitter
18.4. LinkedIn
18.5. Xing
18.6. Youtube
- Video embedding via YouTube
- Links to other websites
- Data Collection Officers
ECHO eG, Frankfurt am Main
represented by
Christoph van Lück (Chairman)
Christian Schmidt (stellv. Vorsitzender)
Chairman of the Supervisory Board Gerd Simon
Deputy Chairman Werner Nieberle
Member of the Supervisory Board Peter Hartl
Contact
The Squaire 12
60549 Frankfurt am Main
Fon: +49 69 4171 299-0
E-Mail: info@echo-eg.eu
- Data protection supervisor
ECHO eG
Data protection supervisor
Contact
The Squaire 12
60549 Frankfurt am Main
Fon: +49 69 4171 299-0
E-Mail: datenschutz@echo-eg.eu
- Collection and processing of personal data when visiting the ECHO websites
3.1. Public websites
We, ECHO eG, store personal usage data for up to two months to protect the functionality, optimize and ensure the security of the website.
Legal basis: this processing is carried out on the basis of ECHO's legitimate interest (Art. 6 para. 1 lit. f) GDPR):
When you visit our website, anonymous web server logbooks are generated, which we store for statistical purposes, such as the number of accesses, and for error tracking. Further evaluations of your usage data will not take place without your consent.
Information obligations under Articles 13 and 14 GDPR
When using the closed area of our website and online applications (business processes between ECHO and its customers), the following user information may be collected:
- Identification of the user (in the case of SmartCard: SmartCard ID, certificate; SmartLogin; Npa; SMS-TAN or similar, in the case of an ECHO user account: user name or similar)
- Identification of the customer (consultant number, if available)
- Time of the inquiry as well as our answers
- Volume of data transferred
- Transactions accessed (URLs)
- Error messages of the authentication procedures and applications
The user-specific detailed information will be kept for a maximum of two months. This data is evaluated exclusively for the purpose of error and performance analysis, as part of customer support and for the tracking of transactions carried out.
Legal basis: this processing is carried out on the basis of ECHO's legitimate interest (Art. 6 para. 1 lit. f) GDPR):
The information aggregated on the advisor number, e.g. which advisor number called which transaction on which day, is stored within the framework of the legal provisions, e.g. retention periods in accordance with the German Commercial Code (HGB) and the German Fiscal Code. The same applies to application-specific information collected for billing purposes.
Legal basis: this processing serves the performance of a contract (Art. 6 para. 1 lit. b) GDPR) and is necessary due to legal obligations (Art. 6 para. 1 lit. c) GDPR).
3.3. Personal Entries
In addition, your personal data, including your e-mail address, will only be stored if you provide it to us voluntarily, e.g. in a survey or an order. Your data will also only be used for the purpose stated on the respective page, e.g. to process your order.
Legal basis: depending on the purpose indicated on the respective page, this processing takes place
on the basis of your consent (Art. 6 para. 1 lit. a) GDPR)
for the performance of a contract (Art. 6 para. 1 lit. b) GDPR)
due to legal obligations (Art. 6 para. 1 lit. c) GDPR) or
this processing is carried out on the basis of ECHO's legitimate interest (Art. 6 para. 1 lit. f) GDPR):
3.4. Cookies
ECHO uses temporary and permanent cookies on its own websites. Temporary cookies are limited in time and contain data such as an identification number (so-called session ID). They allow the server to assign consecutive requests from the browser to the same user. They are automatically deleted as soon as the user closes the browser.
Permanente Cookies hingegen bleiben erhalten, auch nachdem der Benutzer den Browser geschlossen hat. Bei ECHO dienen permanente Cookies für Präferenzen und Einstellungen dazu, Ihnen das Arbeiten mit der SmartCard zu erleichtern. Darüber hinaus verwenden wie permanente Cookies für eine unpersonalisierte Statistik, um unser Angebot für Sie weiterzuentwickeln und zu verbessern. Dabei werden keine personenbezogenen Daten ausgewertet.
3.5. Adobe Analytics
ECHO uses the Adobe Analytics service of the service provider Adobe Systems Software Ireland Ltd., 4-6 Riverwalk, Citywest Business Campus, Saggart Dublin 24, Republic of Ireland. The information collected via the cookies on your device is processed with Adobe Analytics for reach measurement.
The data collected for analysis purposes will be stored for 2 years.
You can object to the collection and storage of data for these statistics at any time with effect for the future.
Legal basis: das Setzen der Cookies erfolgt aufgrund des berechtigten Interesse der ECHO (Art. 6 Abs. 1 lit. f) DS-GVO).
You can deactivate the storage of cookies via your browser settings and delete cookies that have already been stored in your browser at any time. Please note, however, that our online offer will only work to a limited extent without cookies.
- Collection and processing of personal data of interested parties
We collect your personal data when you contact us, in particular when you are interested in our products, want to position your products on ECHO, register for our online services or contact us by e-mail or telephone.
ECHO may process the following data about you:
Contact details, customer group/interest, offer data, cost estimates, creditworthiness data, log data, company data.
Legal bases and purposes for processing
4.1. on the basis of your consent (Art. 6 para. 1 lit. a) GDPR)
If you have given your consent to the processing of personal data for specific purposes (e.g. evaluation of data for marketing purposes), the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time.
Please note that a revocation will only take effect for the future. Processing that took place before the revocation is not affected.
4.2. for the fulfilment of contractual obligations (Art. 6 para. 1 lit. b) GDPR)
The processing of personal data is carried out in order to provide our services, in particular to carry out our pre-contractual measures with you.
4.3. on the basis of legal requirements (Art. 6 para. 1 lit. c) GDPR) or in the public interest (Art. 6 para. 1 lit. e) GDPR)
Your personal data may be processed by ECHO on the basis of other legal obligations, such as a court order.
4.4. in the context of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)
If necessary, ECHO will process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. For example, for:
- better customer service,
- Ensuring IT security and IT operations, e.g. transmission protocols,
- Examination and optimisation of procedures for needs analysis and direct customer contact,
- Advertising by ECHO or market and opinion research, provided that you have not objected to the use of your data for these purposes,
- Assertion of legal claims and defence in legal disputes,
- Measures for business management and further development of services and products.
- Collection and processing of personal data from customers
ECHO collects your personal data when you contact us, in particular when you register for our online services or contact us by e-mail or telephone, or when you use our products and services as part of existing business relationships. We also process personal data from publicly available sources if it is necessary for our service. We obtain this data permissibly, for example, from debtor registers or commercial and association registers. Personal data is also transmitted to us by other third parties (e.g. credit agencies).
We process the following data about you: contact details, customer group/interest, sales data, offer data, cost estimates, credit rating data, payment data, log data, audit data, billing data, logs and company data.
If you are Employee of a customer ECHO may have stored your contact details, in particular in your role as a contact person for a particular case. In addition, when you work with ECHO applications/programs, log data from those applications and technical data of the systems you work with may be stored.
Legal bases and purposes for processing
5.1. on the basis of your consent (Art. 6 para. 1 lit. a) GDPR)
If you have given your consent to the processing of personal data for specific purposes, e.g. evaluation of data for marketing purposes, the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time.
Please note that a revocation will only take effect for the future. Processing that took place before the revocation is not affected.
5.2. for the fulfilment of contractual obligations (Art. 6 para. 1 lit. b) GDPR)
The processing of personal data is carried out for the provision of our services, in particular for the execution of our contracts or pre-contractual measures with you and the execution of your orders, as well as in the context of customer administration and support.
5.3. on the basis of legal requirements (Art. 6 para. 1 lit. c) GDPR) or in the public interest (Art. 6 para. 1 lit. e) GDPR)
Your personal data may be processed by ECHO on the basis of other legal obligations, such as a court order.
5.4. in the context of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)
If necessary, ECHO will process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. For example, for:
- better customer service,
- Ensuring IT security and IT operations, e.g. transmission protocols,
- Examination and optimisation of procedures for needs analysis and direct customer contact,
- Advertising by ECHO or market and opinion research, provided that you have not objected to the use of your data for these purposes,
- Assertion of legal claims and defence in legal disputes,
- Measures for business management and further development of services and products.
- Collection and processing of personal data from suppliers
ECHO collects your personal data when you contact us. We also process personal data from publicly available sources. We obtain this data permissibly, for example, from debtor registers or commercial and association registers. Personal data is also transmitted to us by other third parties (e.g. credit agencies).
ECHO may process the following data about you: contact data, turnover data, offer data, cost estimates, creditworthiness data, log data, audit data, service provision data, billing data, logs, company data.
If you are Employee of a supplier ECHO may have stored your contact details, in particular in your role as a contact person for a particular case. In addition, when you work with ECHO applications/programs, log data from those applications and technical data of the systems you work with may be stored.
Legal bases and purposes for processing
6.1. on the basis of your consent (Art. 6 para. 1 lit. a) GDPR)
If you have given your consent to the processing of personal data for specific purposes (e.g. evaluation of data for marketing purposes), the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time.
Please note that a revocation will only take effect for the future. Processing that took place before the revocation is not affected.
6.2. for the fulfilment of contractual obligations (Art. 6 para. 1 lit. b) GDPR)
The processing of personal data is carried out for the purpose of processing and paying for your services as well as in the context of supplier management.
6.3. on the basis of legal requirements (Art. 6 para. 1 lit. c) GDPR) or in the public interest (Art. 6 para. 1 lit. e) GDPR)
Your personal data may be processed by ECHO on the basis of other legal obligations, such as a court order.
6.4. in the context of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)
If necessary, ECHO will process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. For example, for:
- Ensuring IT security and IT operations, e.g. transmission protocols,
- Consultation of credit agencies (to determine creditworthiness or default risks),
- Assertion of legal claims and defense in legal disputes.
- Collection and processing of personal data of applicants
We process personal data related to your application. This may include general information about you (such as your name, address, and contact information), information about your professional qualifications and education, or information about continuing vocational training, or other information you provide to us in connection with your application. If we do not collect the data directly from you and you have an active profile on Xing and LinkedIn, or if you disclose an inactive or only partially active profile to us in the course of the application process, we may also collect personal data through it.
Legal bases and purposes for processing
We process your personal data for the purpose of processing your application for an employment relationship, insofar as this is necessary for the decision on the establishment of an employment relationship with us. The legal basis for this is § 26 (1) in conjunction with (8) sentence 2 BDSG.
Furthermore, we may process your personal data insofar as this is necessary to defend against legal claims asserted against us from the application process. The legal basis for this is Art. 6 (1) (f) GDPR (safeguarding the legitimate interests of the controller). ECHO's legitimate interest is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).
Soweit es zu einem Beschäftigungsverhältnis zwischen Ihnen und uns kommt, können wir gemäß § 26 Abs. 1 BDSG die bereits von Ihnen erhaltenen personenbezogenen Daten für Zwecke des Beschäftigungsverhältnisses weiterverarbeiten, wenn dies für die Durchführung oder Beendigung des Beschäftigungsverhältnisses oder zur Ausübung oder Erfüllung der sich aus einem Gesetz oder einer Betriebsvereinbarung ergebenden Rechte und Pflichten der Interessenvertretung der Beschäftigten erforderlich ist.
- Other Processing Purposes
Your personal data may be processed by ECHO on the basis of other legal obligations, such as a court order. Legal basis on the basis of legal requirements (Art. 6 para. 1 lit. c) GDPR) or in the public interest (Art. 6 para. 1 lit. e) GDPR). If necessary, ECHO will process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. For example, for:
- Ensuring IT security and IT operations, e.g. transmission protocols,
- Assertion of legal claims and defense in legal disputes.
Legal basis for this processing is the legitimate interest of ECHO (Art. 6 para. 1 lit. f) GDPR).
- Contradiction
You have the right to object at any time to the processing of personal data concerning you on grounds relating to your particular situation, provided that this processing is carried out in the context of the balancing of interests (Art. 6 para. 1 lit. f) GDPR) or in the public interest (Art. 6 para. 1 lit. e) GDPR). You may object to the use of your personal data for direct marketing at any time without giving any reason. datenschutz@echo-eg.eu contradict.
- Duration of storage
If your personal data is no longer required for the above-mentioned purposes, it will be deleted on a regular basis, unless its – temporary – retention is still necessary for the fulfilment of contractual or legal obligations. Reasons for this can be, for example:
- Obtaining evidence of legal disputes within the framework of the statutory statute of limitations: Civil statute of limitations can be up to 30 years, with the regular limitation period being three years.
- Log data is stored for up to two years and your requests to our customer service for up to three years.
After these deadlines have expired, the data will be deleted after a post-processing period. This can be up to a maximum of four years for data with a statutory retention period of ten years.
- Recipients of personal data
Within ECHO, access to your data will be granted to those entities that need it to process the above-mentioned purposes. Processors used by ECHO (Art. 28 GDPR) and other service providers may also receive data for these purposes. These are companies in the categories of IT services, logistics, telecommunications and marketing. In addition, ECHO also cooperates with universities to develop and improve services. Data will only be passed on to recipients outside ECHO if this is permitted or required by regulations, if you have consented or if we are otherwise authorised to pass on data. Under these conditions, recipients of personal data can be, for example:
- Public bodies and institutions, where there is a legal or regulatory obligation.
- In rare individual cases of maintenance or fault analysis, support partners of hardware or software can be used. These conclude the contractual provisions on purpose limitation and confidentiality provided for by law.
- Third country
In the context of remote maintenance of standard IT components, it cannot be ruled out that an IT service provider from a third country (e.g. the USA) may in rare cases receive controlled and limited access to personal data for troubleshooting in individual cases. Personal data will only be transferred to service providers outside the European Economic Area (EEA) if an adequate level of data protection has been confirmed to the third country by the EU Commission or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place.
- Automated decision-making
We process your data partly automatically with the aim of evaluating certain aspects relevant to the customer relationship (profiling, e.g. for ABC analysis). However, we do not make automated decisions based on them that produce legal effects on you or similarly significantly affect you without the involvement of any individual.
If we only use automated decisions in individual cases in the future, we will inform you separately if this is required by law.
- Rights of data subjects
If ECHO has stored data about you, you can request information about the data stored about you. Please inform us if we have stored any incorrect data about you or if you do not agree with parts of the data storage so that we can correct, delete or restrict their processing.
Data about yourself that you have given to ECHO will be available to you on request in a transferable format within the framework of the legal requirements.
To exercise a data subject's right, please contact datenschutz@echo-eg.eu Stating
- your contact details and
- the rights of the data subject that you wish to exercise.
- Existence of a right of appeal to a supervisory authority
In the event of complaints, you can contact a data protection supervisory authority. For ECHO, the Bavarian State Office for Data Protection Supervision is the responsible supervisory authority.
- Obligation to provide data
In the context of the business relationship, we require the following personal data from you:
- Data needed to establish and conduct a business relationship
- Data that is necessary for the fulfilment of the associated contractual obligations and
- Information we are legally required to collect
Without this personal data, we will not be able to enter into or perform a contract with you.
- Safety
ECHO shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk and to protect personal data against destruction, loss, alteration or unauthorised disclosure and access. The effectiveness of these measures is regularly reviewed, evaluated and evaluated.
- Social Media
We operate accounts on various social media platforms in order to better communicate with our customers and interested parties, but also to be able to better present ECHO as a company and our products and services. Furthermore, we also use our social media accounts for advertising purposes, so target groups are defined in order to be able to address them in a targeted manner. In this context, we use services from external service providers who may be located in a third country outside the EU. We process personal data in the course of our social media activities on the legal basis of our legitimate interest, Art. 6 (1) (f) GDPR, insofar as the processes do not require consent.
18.1. Facebook
We operate several Facebook fan pages under joint responsibility with Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland ("Facebook") in order to present our products and services via this platform, to offer interested parties a communication channel and to market ECHO as a company.
In this context, we may receive information from Facebook, such as statistical evaluations of the use of the fan page by means of interactions, likes or comments. Further information on these statistical evaluations can be found here or in the Data Policy . You can change your personal settings for ads here administer. We use the information we receive to make our Facebook presence, for example, but also our offer even more attractive and in line with our interests for our customers. The processing of this data is carried out on the legal basis of legitimate interest, Art. 6 (1) (f) GDPR.
Further information on those responsible can be found in the Facebook Page Insights Supplement contain. Please note that we have no influence on the extent to which Facebook collects and processes data on its own responsibility. However, it can be assumed that Facebook uses the aforementioned information for detailed statistics and its own market research and marketing purposes. How Facebook processes data, you can here in Facebook's privacy policy. If you want to exercise your rights as a data subject, the easiest way is to contact Facebook directly, as they have access to the platform and thus all user data as well as the specific processing purposes associated with it. Of course, we will be happy to support you in asserting your rights.
18.2. Instagram
We also use the "Instagram" service of Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, with the parent company Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA. Further information on data processing can be found here .
18.3. Twitter
We operate Twitter accounts of the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland with the parent company Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You can find more information here in Twitter's Privacy Policy. You can customise your attitude towards personalised ads here make.
18.4. LinkedIn
We are also represented on the LinkedIn platform of LinkedIn Ireland Unlimited, Wilton Place, Dublin 2, Ireland ("LinkedIn"). You can find more information about data processing here in LinkedIn's privacy policy. You can choose your individual attitude here administer.
18.5. Xing
We also use the social network Xing of XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. You can find more information here in the privacy policy of Xing.
18.6. Youtube
We also use the YouTube platform of the service provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can find more information in the Privacy Policy . You can view the possibility of objection here here perceive.
19.Video embedding via YouTube
Videos from YouTube are integrated into some of our websites. The integration takes place via a so-called 2-click solution, only when the video is clicked on the standard data transmitted to Google. In particular, the IP address, the specific address of the page accessed by us, the page from which you reached us (link source), the transmitted identifier of the browser as well as the system date and time of the call may be transmitted here. Google may receive additional data about cookies that have already been stored. Google is responsible for this data. Without calling up pages with embedded videos, no data is transmitted to YouTube or Google.
- Links to other websites
If you call up an external website from our site (external link), the external provider may receive information from your browser from which page you came to it. The external provider is responsible for this data. We, like any other vendor, are not in a position to influence this process.
July 2022