Data Protection Policy

1 Data Protection Policy of GEPA mbH
GEPA - The Fair Trade Company

Protecting your personal data is very important to us. Accordingly we will, of course, always treat your personal data in compliance with the statutory provisions on Data Protection. We have commissioned a qualified and reliable external data protection officer. The appointment of the external data protection officer is carried out by UIMC, Dr. Voßbein GmbH & Co KG.

This policy sets out information regarding the processing of personal data.

 

1.1 Collection and Processing of Personal Data 

As a rule you can use our online offering without disclosing your identity. Where we ask for personal data on our website (such as name, address, or email), for example as part of contract forms or when subscribing or registering, providing such information is entirely voluntary. Such information will be used for our own business purposes (such as sending you the materials/information requested).

If you have any questions, we offer the opportunity for you to contact us via the contact form on our website. For this certain information is marked as mandatory, and this needs to be provided in order to enable us to answer the query. Additional information may be provided on a voluntary basis. Data processing for the purposes of contacting us is done in accordance with Art. 6 (1) S. 1 (a) GDPR, on the basis of the voluntary consent provided by you.

The personal data collected by us for using the contact form will be deleted after your request has been processed and after the relevant retention periods for tax and commercial law purposes have expired.

You can withdraw any such consent you may have given us - e.g. for the purposes of receiving a newsletter or some other interesting information - at any time, without having to provide any reasons and with effect for the future. To do this you may use the contact form above, or any other method stipulated in the newsletter.
 

1.2 Protocols

Every time you access our website, protocols are created and processed for statistical purposes, while maintaining the anonymity of the individual user.

  • Referrer (page on which the link was located through which you came to our website)
  • Search terms (where the referrer is a search engine
  • Your IP-address will be analysed in order to determine the country of origin and the provider.
  • Browser, operating system, installed plug-ins, and screen resolution.
  • Time spent on the pages.

Based on our legitimate interest pursuant to Article 6 (1) (f) of the GDPR, the data stipulated above shall be processed for the following purposes:

  • Ensuring a smooth connection with the website,
  • Ensuring that our website is comfortable to use,
  • Analysis of the security and stability of the system, and
  • for other administrative purposes.

1.3 Contact via email, telephone or fax

If you contact us via email, telephone or fax, your request, including all of the personal data resulting from that query (name, request), will be stored and processed by us, for the purposes of dealing with your query. We will not pass those data on to third parties without your consent.


Where your query relates to the performance of a contract or is necessary in order to carry out any pre-contractual steps, then any such data will be processed on the basis of Article 6 (1) (b) GDPR. In all other cases, the processing of personal data is based on your consent (Article 6 (1)(a) GDPR) and/or our legitimate interests (Art. 6 (1)(f) GDPR), as we have a legitimate interest in effectively dealing with any requests addressed to us.


The data sent to us by you by way of a contact request remains with us until such time as you request that we delete this, withdraw your consent for these data to be stored, or the purpose for storing such data no longer persists (e.g. after we have completed your request). Any mandatory statutory provisions, including in particular the statutory retention periods, shall remain unaffected.

1.4 Data processing when contacting us by phone

When you contact us by phone, then your phone number will be recorded and processed for statistical purposes, although the individual users remain anonymous, unless the number is already assigned to an existing customer. Based on our legitimate interest pursuant to Article 6 (1) (f) of the GDPR, the phone number shall be processed for the following purposes:

  • Ensuring that your query is answered in an effective manner, or, as the case may be, that your query is addressed by us in a target-oriented manner.
  • Analysis of the security and stability of the system, and
  • for other administrative purposes.

We reserve the right to check these data retrospectively if we become aware of concrete indications that there has been some unlawful use. These data are deleted immediately as soon as they are no longer required for their purpose, but in any event no later than after six months.

1.5 Transmission of Data

As a rule, any transmission of your data to third parties for commercial or non-commercial purposes, without your express permission, is excluded. We shall only transmit your personal data to third parties, where this is legally permissible [e.g. on the basis of Article 6 GDPR], and/or where this is necessary. Occasionally we employ service providers for the statutorily envisioned processing of data; for example, we work with the following hosting providers and agencies for our internet pages.

Website

Hosting provider

Agengy

gepa.deHost Europe GmbHSystkom GmbH
gepa-shop.deMagento Inc.Systkom GmbH
gepa-wug.deWebOscar.netfrieauff.com
gepa-ausserhaus.deHost Europe GmbHSystkom GmbH
fairtrade.de1und1 Internet SEtm-webentwicklung GmbH
fair-plus.deHost Europe GmbHSystkom GmbH
gepa-jetztfairemilch.deHost Europe GmbHSystkom GmbH
gepa-wuppertal.deWebOscar.netfrieauff.com

 

However, the full responsibility for data processing remains with us. Moreover, we occasionally use plugins of third-party providers on our website; please see below for further details.

1.6 Liability for own content

The contents of this page have been produced with the utmost care. However, we cannot guarantee that the contents are accurate, complete, and current. As service providers, we are responsible for our own contents on these pages, as per the general statutory provisions.

1.7 Liability for Links (content from external providers)

These own contents must be differentiated from links to contents provided by third-party providers. We have no influence on their contents, so responsibility for the content of the linked pages shall rest with the respective provider or operator of the website in question.

1.8 Rights of the Data Subject

Pursuant to Article 15 et seqq. of the GDPR. and provided the conditions stipulated therein have been met, you have the right to request from us access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority, if you consider that the processing of personal data relating to you infringes this Regulation. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

1.9 Changes to our Data Protection Policy

We reserve the right to amend this data protection policy from time to time in order to ensure that it complies with the legal requirements current from time to time, or in order to implement any changes to our services, e.g. when introducing new services. Any future visit would then be governed by the data protection policy as amended.

1.10 Cookies

 

This page uses cookies. Cookies are text files stored on your computer, which allow us to analyse how you use our website, and to automatically recognise you the next time you visit the website.

Any cookies that are not technically necessary for operating the website will only be used by us if you have provided your consent via the cookie consent tool pursuant to Art. 6 (1) (a) GDPR. You can change your settings at any time, and by doing so withdraw your consent with effect for the future. Additional possibilities for excluding cookies are set out below.

 

1.12 eTracker

The provider of this website uses the services of the company eTracker GmbH from Hamburg, Germany (https://www.etracker.com) for the purposes of analysing user data. As a standard we do not use cookies for the purposes of web analysis. According to eTracker, the following data are collected and made available for analysis:

In the standard modus without cookies:

  • the abbreviated IP address (the IP address is abbreviated immediately upon receipt for technical function, in order to prevent any identification)
  • Information regarding the device used, the operating system and the browser;
  • Geo information up to city level at most;
  • the URL called up together with the page title and optional information regarding the page content;
  • the website, from where the individual page was accessed (referrer site, including assignment to search engines and social media sites, as well as reading campaign parameters);
  • the subsequent pages that were accessed from the accessed web page within a single website in the session;
  • the time spent on the website;
  • any further interactions (clicks) on the website such as search terms entered, downloaded files, external links accessed, videos watched, logins, queries, articles ordered, etc.

 

In cookie mode (only where consent has been given) additionally:

  • (in addition, a cookie-ID (this is only collected where prior consent has been given, see below for more detailed information)

As far as the default mode without cookies is concerned, the following applies: “It is not possible to identify unique visitor values, the frequency distribution of sessions per visitor in the period nor to link visits to customer journeys or conversion paths that result from several visits over periods of more than 24 hours or across several devices.” Source: https://www.etracker.com/docs/datenschutz/interessenabwaegung/

In doing so, we refer to Article 6 (1) (f) GDPR as the legal basis.

Our interest for the purposes of the GDPR (legitimate interest) is optimising our online offering and our online presence. As our visitors’ privacy is very important to us, any data that might possibly allow any connection to an individual person, such as IP addresses, registration or device identifiers, are anonymised and pseudonymised as early as possible. The data are not used for any other purpose, such as combining them with other data or passing them on to third parties.

 

Use of eTrackers with consent and therefore with cookies

To the extent that we do use cookies for the purposes of analysis and optimising, we will explicitly ask for your consent separately in advance. If this is the case and you have given us your consent, then cookies are used that allow a statistical analysis of the reach of this website, measuring the success of our online marketing measures and also to run testing processes, e.g. in order to test and optimise different versions of our online offfering or its component parts. Cookies are little text files that are stored on the device of a user by the internet browser. eTracker cookies do not contain any information that would make the identification of a user possible. When we use cookies, we do this on the legal basis of section 25 of the German Act on Data Protection and the Protection of the Private Sphere in Telecommunications and in Telemedia (TTDSG) and Article 6 (1) (a) GDPR.

 

The following applies to both modes:

The data produced by eTracker are then processed and stored on behalf of the provider of the website, and such processing and storing is done exclusively in Germany, meaning that they are subject to the strict German and European data protection legislation and standards. eTracker has been independently audited and certified in this respect, and has been awarded the data protection quality seal: ePrivacyseal. Etracker is a contractually bound processor. However, the responsibility for data processing remains with us.

 

Opt-out option against any data processing by eTracker

You may object to the data processing as set out above at any time. Any such objection shall have no detrimental effects.

 




Further information regarding data protection and etracker can be found here https://www.etracker.com/datenschutz/.

 

1.13 Google Maps

We use Google Maps to show maps, provided that you have consented to your data being processed (Article 6 (1) (a) GDPR). Google Maps is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043.

 

You will be alerted to these pages accordingly. If you visit a page on our website, which has GoogleMaps embedded, then a connection will be set up with the Google servers, and your IP and browser data will be transmitted to Google. Google may transmit this information to third parties, such as US authorities, where this is a statutory requirement, or where such third parties process these data on behalf of Google. An appropriate standard of data protection is ensured by EU-US-Data Privacy Framework certification.

 

Further information regarding data processing can be found in Google’s Privacy Policy: https://policies.google.com/privacy?gl=EN&hl=en  [external page].

 

1.16 Facebook Marketing Pixel (Opt-in-Solution)

This website uses the Facebook marketing pixel provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland, provided that you have consented to the processing of your personal data that is necessary for this, as per Arti. 6 (1) (a) GDPR.  The Facebook Pixel is an excerpt from a JavaScript code, which allows us to analyse the activities of visitors to our website. This analysis tool works by loading a little collection of functions, which are triggered as soon as a visitor to the website carries out a certain action (a so-called event). Examples of such actions would be adding an article to your shopping basket or making a purchase. We use the Facebook Pixel to measure the effectiveness of our adverts, in order to determine user-defined target audiences for targeting adverts, for carrying out dynamic, target-audience-oriented marketing campaigns, and in order to analyse the effectiveness of the conversions. This means that by using the Facebook Pixel as part of your visit of the social network Facebook, or other websites that also use this tool, we can show you, as user of our website, adverts (“Facebook Ads”) that are of interest to you.

Via this Facebook Pixel we process information regarding the activities of visitors to our website outside of Facebook. This includes information regarding the device of the visitor to the website, the websites visited, purchases made, adverts, which the website user sees, as well as information regarding the way in which the user uses our website. This is the case irrespective of whether the visitor to our website has a Facebook account or is logged into Facebook. Facebook may transmit this information to third parties, such as US authorities, where this is a statutory requirement, or where such third parties process these data on behalf of Facebook.

If you have consented to your personal data being processed by using the Facebook Marketing Pixel, and you want to revoke this consent at some later point in time, then you may do so by changing the settings of the cookie consent tool, or your browser settings.

Alternatively you can deactivate the Facebook marketing function as a logged in Facebook user at https://www.facebook.com/settings/?tab=ads# (external link). Information about how to deactivate interest-based online marketing from Facebook and other businesses who participate in the European Interactive Digital Advertising Alliance generally, e.g. if you do not have a Facebook account, can be found here: http://www.youronlinechoices.eu/ [external link].

Further information regarding data processing by Facebook can be found at: https://www.facebook.com/about/privacy [external link].
 

1.19 Determination of a placement provision - Affiliate Marketing

We cooperate with cooperation partners who advertise our products on various platforms online (“Affiliate Marketing”). Clicking on the advert redirects to our website. The cooperation partners receive a fee for such placements. In order to calculate the fee we record the sales initiated by the cooperation partner, as well as collecting the data relevant for calculating the remuneration. This includes the value of the products purchased, product information, an internal ID, the currency, as well as details regarding the remuneration model agreed with the cooperation partner and details regarding the intermediary itself. The exact calculation of the remuneration for the cooperation partners is carried out by Webgains, our service provider, which processes these data on our behalf pursuant to Article 28 of the GDPR. The legal basis for processing the data: Article 6 (1) (1) (b) GDPR. In addition to that you are requested to accept a cookie for that purpose. With your consent, this cookie will be placed on your device (Article 6 (1) (1) (a) GDPR) in order to permit the transfer of the resulting data to our cooperation partner.

Following payment of the remuneration pursuant to the relevant tax and commecial law profisions, the data listed above will be stored for the purposes of verification purposes. This is also done by our service provider Webgains. Legal basis: Art. 6 (1) (c) GDPR.

In the event that there is any lack of clarity regarding a referred sale, it is possible for our cooperation partner to provide additional information regarding that sale in order to clarify the situation. Legal basis: Art. 6 (1) (f) GDPR.

If you participate in a cashback programme, the programme operator is provided with the required data regarding the payment of remuneration. Further information can be found in the data protection guidelines of the various programmes.

2 Data Processing as part of the Newsletter Subscription

2.1 Data Processing

We, the GEPA mbH, GEPA – The Fair Trade Company, of GEPA-Weg 1, 42327 Wuppertal, telephone: +49 (0)202 266 83 0, email: info@gepa.de, will only process your personal data in connection with the order and your receipt of our newsletter, in order to send you information about our products, services, events and other information about us that you might find interesting. The data provided by you are necessary for us sending you our newsletter. Without these data we will not be able to consider your registration for our newsletter. You can object to such information being sent at any time with effect for the future.


In order to ensure consensual sending of newsletters, we use the so-called double-opt-in process. As part of this, the potential recipient asks to be added to a list. Following this the user is sent a confirmation email and given the option of confirming this registration in a legally sound manner. The address is only actively included in the mailing list if it is confirmed.
 

2.2 Microsoft Dynamics 365 Cloud for Marketing

We use the marketing automation system Microsoft Dynamics 365 Cloud for Marketing provided by the Microsoft Corporation (Microsoft Deutschland GmbH, Walter-Gropius-Straße 5, 80807 Munich) – hereinafter “Microsoft” in order to carry our marketing activities, for analysis purposes and in order to address customers and potential customer in a targeted manner. The data are processed inside the European Union.


In particular we use the system for sending email communications (e.g. in connection with making downloads available), for event management (e.g. administration of participants), and for making available landing pages and contact forms.


Our use of the provider Microsoft and of this system, the carrying out of statistical data collection and analyses, as well as recording the registration process for the purposes of email communication, are all done on the basis of your consent to communicating by email via Microsoft Dynamics 365 Cloud for Marketing. It is our aim to use a user friendly and secure system, which serves our business interests as well as well as meeting the expectations of the users.


The system components that are part of our online offering (such as forms) use so-called “cookies” that are stored on a user’s computer, and which allow an analysis of how our website is used.
In particular the following information is collected: client ID, the geographical location, type of browser, duration of the visit and websites visited.


Pseudonymised email tracking: Part of the statistical analysis is the determination of whether the newsletters are read, when they are read, and which links are clicked. Although this information could technically be allocated to the individual recipients of the newsletter, any analysis of personal data is switched off, and any information regarding the recipients of newsletters are only analysed in pseudonymised form and cannot be decrypted and allocated to individual persons.


You can find further information regarding data protection issues in Microsoft’s privacy statement https://privacy.microsoft.com/en-gb/privacystatement.


Additional information regarding the use of cookies in connection with the system can be found here: https://docs.microsoft.com/en-us/dynamics365/marketing/cookies.
 

2.3 Storage and Erasure of Data

Your data will be stored for as long as this is required for the purposes set out above. These data will be deleted at the latest once the contractual relationship has come to an end and any retention periods stipulated under civil, commercial or tax law have expired.

2.4 Your Rights

Please note that pursuant to article 15 et seqq. of the GDPR you have the following rights as a Data Subject, subject to the conditions defined therein: The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

3 Data Processing as part of the Customer Contract (B2C)

3.1 Data Processing

We, the GEPA mbH, GEPA – The Fair Trade Company, of GEPA-Weg 1, 42327 Wuppertal, telephone: +49 (0)202 266 83 0, email: info@gepa.de, process data relating to your person in connection with the conclusion, performance and execution of the contract entered into, or where this is necessary in order to take steps prior to entering into a contract, as per article 6 (1)(b) of the GDPR, and in order to comply with legal obligations (for example regarding commercial or tax law)  on the basis of article 6 (1)(c) of the GDPR.


Furthermore, data are also processed for legitimate purposes as per article 6 (1)(f) of the GDPR, such as internal market research and marketing purposes, internal statistics, optimisation of offers. The legitimate interests here lie particularly in optimising processes and cost effective allocation; your interests, basic rights and basic freedoms are given due consideration when doing this.


The data provided by you are necessary for the performance of the contract. Without these data we will not be able to perform the contract.

3.2 Information for users of www.gepa-shop.de

You can sign in to the secure area of our website using your personal identifier. For this we process the following data:

  • When did you last sign in
  • Items in your shopping basket

Furthermore, as part of our online shop we also process the following customer data once an order has been placed:

  • IP-Address
  • Master data (Name, Address, etc.)
  • Email address
  • Payment details
  • Customer number
  • Items ordered and order history
  • Date of Birth as part of the legal requirements of the German Youth Protection Legislation (Jugendschutzgesetz).

We reserve the right to check these data retrospectively if we become aware of concrete indications that there has been some unlawful use. These data are deleted immediately as soon as they are no longer required for their purpose, but in any event no later than after six months after they are no longer required.


Where you have provided us with consent to do this, we will be using your data to send you information about our products, services, events, and other information about us that you might find interesting. You can object to such information being sent at any time with effect for the future.

3.3 Transmission of Data / Service Providers

Your personal data may be transmitted to external service providers (such as delivery companies or financial institutions, processing payments). External IT-service providers may also be able to access your data (as part of contract data processing pursuant to article 28 of the GDPR). In such cases the service providers act on our instructions, which is ensured by way of corresponding contracts having been entered into. Some of these service providers have their seat outside the EU/EEC; these service providers ensure an appropriate level of data protection by entering into EU standard contract clauses. At any time you have the opportunity to receive a copy of these arrangements here.

If you order goods from our GEPA online shop at www.gepa-shop.de, then, depending on your chosen method of payment, your personal data will be transmitted to relevant institutions for the purposes of a credit check. Such transmission takes place based on our legitimate interest to avoid instances of non-payment pursuant to Article 6 (1) (f) of the GDPR. Such transmission only takes place where “invoice” is chosen as payment method. Further information can be found at: https://www.gepa-shop.de/zahlung.

3.4 Storage and Erasure of Data

Your data will be stored for as long as this is required for the purposes set out above. These data will be deleted at the latest once the contractual relationship has come to an end and any retention periods stipulated under civil, commercial or tax law have expired.

3.5 Your Rights

Please note that pursuant to article 15 et seqq. of the GDPR you have the following rights as a Data Subject, subject to the conditions defined therein: The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

4 Processing Customer Data (B2B) 

(Personal Data refers to all such data as relates to you as a natural person):

4.1 Data Processing

As a contract partner of your company, we, the GEPA mbH, GEPA – The Fair Trade Company, of GEPA-Weg 1, 42327 Wuppertal, telephone: +49 (0)202 266 83 0, email: info@gepa.de, process personal data relating to your person in connection with producing offers, and to perform the contracts as per article 6 (1)(b) of the GDPR, as well as for the purposes of fulfilling contractual and legal obligations (e.g. in relation to commercial and tax law) on the basis of article 6 (1)(c) of the GDPR. The contract is entered into between us and your company. External requirements (e.g. revenue/tax law) may result in personal data regarding your person may be compared with lists published by public authorities.


Furthermore, data are also processed for legitimate purposes as per article 6 (1)(f) of the GDPR, such as internal market research and marketing purposes, internal statistics. The legitimate interests here lie particularly in optimising processes and cost effective allocation; your interests, basic rights and basic freedoms are given due consideration when doing this.


Only where you have provided us with consent to do this, or where we have reasonably informed you as part of the data collection as per section 7 of the German Act Against Unfair Competition [UWG] / section 107 of the Austrian Telecommunications Act, will we be using your data to send you information about our products, services, events, and other information about us that you might find interesting. You can object to such information being sent at any time with effect for the future.


The data provided by you are necessary for the performance of the contract. Without these data we will not be able to perform the contract entered into with your company.
 

4.2 Information for users of www.gepa-shop.de

You can sign in to the secure area of our website using your personal identifier. For this we process the following data:

  • When did you last sign in
  • Items in your shopping basket

Furthermore, as part of our online shop we also process the following customer data once an order has been placed:

  • IP-Address
  • Master data (Name, Address, etc.)
  • Email address
  • Payment details
  • Customer number
  • Items ordered and order history

4.3 Information for users of www.gepa-wug.de

You can sign in to the secure area of our website using your personal identifier. For this we process the following data:

  • Master data (Name, Address, etc.)
  • Email address
  • Timing of notification
  • Total number of logins
  • When the last order was placed
  • Number of orders
  • Items ordered

We reserve the right to check these data retrospectively if we become aware of concrete indications that there has been some unlawful use. These data are deleted immediately as soon as they are no longer required for their purpose, but in any event no later than after six months after they are no longer required.
 

4.4 Transmission of Data

Your personal data may be transmitted to external service providers (such as delivery companies or financial institutions, processing payments). External IT-service providers may also be able to access your data (as part of contract data processing pursuant to article 28 of the GDPR). In such cases the service providers act on our instructions, which is ensured by way of corresponding contracts having been entered into. Some of these service providers have their seat outside the EU/EEC; these service providers ensure an appropriate level of data protection by entering into EU standard contract clauses. At any time you have the opportunity to receive a copy of these arrangements here.

If you order goods from our GEPA online shop at www.gepa-shop.de, then, depending on your chosen method of payment, your personal data will be transmitted to relevant institutions for the purposes of a credit check. Such transmission takes place based on our legitimate interest to avoid instances of non-payment pursuant to Article 6 (1) (f) of the GDPR. Such transmission only takes place where “invoice” is chosen as payment method. Further information can be found at: https://www.gepa-shop.de/zahlung.

4.5 Storage and Erasure of Data

Your data will be stored for as long as this is required for the purposes set out above. These data will be deleted at the latest once the contractual relationship has come to an end and any retention periods stipulated under civil, commercial or tax law have expired.

4.6 Your Rights

Please note that pursuant to article 15 et seqq. of the GDPR you have the following rights as a Data Subject, subject to the conditions defined therein: The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5 Data processing by suppliers and other business partners (B2B)

5.1 Data processing

As a contract partner of your company, we, the GEPA mbH, GEPA – The Fair Trade Company, of GEPA-Weg 1, 42327 Wuppertal, telephone: +49 (0)202 266 83 0, email: info@gepa.de, process personal data relating to your person in connection with our legitimate interest in producing offers, to perform the contracts, for accounting and cost calculation purposes as per article 6 (1)(f) of the GDPR, as well as for the purposes of fulfilling contractual and legal obligations (e.g. in relation to commercial and tax law) on the basis of article 6 (1)(c) of the GDPR. The contract is entered into between us and your company. External requirements (e.g. revenue/tax law) may result in personal data regarding your person may be compared with lists published by public authorities.


Furthermore, data are also processed for legitimate purposes as per article 6 (1)(f) of the GDPR, such as statutorily stipulated information, such as internal delivery details, delivery purpose, information on quality, certification, or internal statistics. The legitimate interests here lie particularly in optimising processes and cost-effective allocation; your interests, basic rights and basic freedoms are given due consideration when doing this.


Only where you have provided us with consent to do this, or where we have reasonably informed you as part of the data collection as per section 7 of the German Act Against Unfair Competition [UWG] / section 107 of the Austrian Telecommunications Act, will we be using your data to send you information about our products, services, events, and other information about us that you might find interesting. You can object to such information being sent at any time with effect for the future.


The data provided by you are necessary for the performance of the contract. Without these data we will not be able to perform the contract entered into with your company.
 

5.2 Transmission of Data / Service Providers

Your personal data may be transmitted in part to external service providers (such as tax advisors, legal advisors, testing laboratories, certifiers, etc.). External IT-service providers may also be able to access your data (as part of contract data processing pursuant to article 28 of the GDPR). In such cases the service providers act on our instructions, which is ensured by way of corresponding contracts having been entered into. Some of these service providers have their seat outside the EU/EEC; these service providers ensure an appropriate level of data protection by entering into EU standard contract clauses. At any time you have the opportunity to receive a copy of these arrangements here.

5.3 Storage and Erasure of Data

Your data will be stored for as long as this is required for the purposes set out above. These data will be deleted at the latest once the contractual relationship has come to an end and any retention periods stipulated under civil, commercial or tax law have expired.

5.4 Your Rights

Please note that pursuant to article 15 et seqq. of the GDPR you have the following rights as a Data Subject, subject to the conditions defined therein: The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6 Data Processing as part of the Application Procedure

6.1 Data Processing

We - GEPA mbH - GEPA - The Fair Trade Company, Human Resources, bewerbung@remove-this.gepa.de - process your personal data in relation to your person in connection with your application process, and in order to evaluate how you might potentially be employed. In order to come to a well-reasoned personnel decision, we process the information you have provided on the basis of section 26 of the German Data Protection Act (BDSG) and article 6 (1)(b) of the GDPR. In addition to this, evaluations based on objective, non-discriminating criteria will be stored as well; where this is permissible in the individual case, publicly accessible personal data may also be stored in relation to your person.


The data provided by you are necessary for the application process. Without these data we will not be able to consider your application.
 

6.2 Transmission of Data / Service Providers

Provided you have provided your consent thereto, we may also pass your personal data on to our affiliated companies in order to offer you additional entry options within our group of companies. Even those of our affiliated companies that have their seat outside the EU ensure an appropriate level of data protection by entering into EU standard contract clauses.


External IT-service providers may also be able to access your data (as part of contract data processing pursuant to article 28 of the GDPR). In such cases the service providers act on our instructions, which is ensured by way of corresponding contracts having been entered into. Some of these service providers have their seat outside the EU/EEC; these service providers ensure an appropriate level of data protection by entering into EU standard contract clauses. At any time you have the opportunity to receive a copy of these arrangements here.

6.3 Storage and Erasure of Data

Your data will be stored for as long as this is required for the purposes of the personnel selection procedure, as set out above. In the event that you object to the processing of your data during the personnel selection procedure, those data will be deleted, provided that this is not precluded by any statutory retention periods.

These data will then be deleted following the end of the application process, and after any limitation periods have expired, unless you have provided your consent to store your application for further job offers. Speculative applications will be stored until they are withdrawn or, at most, up to two years, following which they will be deleted.

6.4 Your Rights

Please note that pursuant to article 15 et seqq. of the GDPR you have the following rights as a Data Subject, subject to the conditions defined therein: The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

7 Social Media

7.1 Facebook

For the purposes of providing the information services provided under https://www.facebook.com/gepa.fairtradecompany, GEPA mbH, GEPA – The Fair Trade Company, of GEPA-Weg 1, 42327 Wuppertal, telephone: +49 (0)202 266 83 0, email: info@gepa.de, (external data protection officer: UIMC Dr. Voßbein GmbH & Co KG - contact details here) makes use of the technical platform and the services of Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2.

Please note that if you use this Facebook page and its functions, you do so at your own responsibility. This shall apply in particular in respect of the use of any interactive functions, such as commenting, sharing or evaluating.

7.1.1 Collection of Data

Instead of using Facebook plugins, we have decided to only link to Facebook, so that your visiting our website does not automatically transmit your personal data to Facebook.

This technological solution also avoids that we automatically collect your personal data in this respect. By linking to the site, Facebook will also only process your personal data if you actively click the Facebook button. However, if you are already logged in to your Facebook account when you access our website, then Facebook will at least process the information which of our web pages you visited with your IP address, at what time, and with what browser. We have no influence on the type and extent of the personal data processed by Facebook.

We will only start to collect your personal data via Facebook if you become active on our Facebook Fan page, for which we are responsible together with Facebook, and disclose your personal data. By entering your data on our Facebook page, you consent to us processing your data pursuant to Art. 6 (1) (a) GDPR.

Further information regarding the use of your data can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy [external link]

You can find information on how to manage or delete information about you here: https://www.facebook.com/privacy/explanation.

We ourselves neither collect nor process any data from your use of the service. However, should we share any of your comments or respond to them, or if we compose posts ourselves that reference your profile, then the data you have provided to the service, including in particular your (user)name and the contents published on your account, shall be processed to such extent as these have been included in our offer and made available to our fans.

Information pursuant to Art. 26 (2) GDPR: The Operator and we have an arrangement as per Art. 26 (1) GDPR (joint responsibility - see in this respect: Page-Insights-addition in respect of the responsible party). Within this scope, the operator operates the entire IT infrastructure of the service, implements its own data protection provisions, maintains a separate user relationship with you (provided that you are a registered user of that service) and is also responsible, jointly with us, for deleting illegal or inappropriate posts or contents on the page. Moreover, the operator is solely responsible for any questions regarding the data from your user profile, to which we, as a business, have no access.

In cases of requests for information and asserting user rights, the most effective way is to contact Facebook directly. Only Facebook has access to the user data and can take the relevant steps and provide information.

The Data Controller regarding the respective user information is Meta Platforms Ireland Ltd. This business may be contacted either online or by mail to the following address:


Meta Platforms Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland


In addition to this, you also have the right to lodge a complaint with the regulatory authority responsible for Meta Platforms Ireland Ltd., the Irish Data Protection Commission, or with a local regulatory authority.

If you would like to assert your user rights in respect of any specific data processing which we have control over, please contact us. In those cases we will check your request (e.g. a request for information or an objection) ourselves, and, where necessary, will forward it to the operator responsible where your request relates to any data processing carried out by an operator of the social media network.
 

7.1.2 Your Rights

Pursuant to Article 15 et seqq. of the GDPR. and provided the conditions stipulated therein have been met, you have the right to request from us access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability. Moreover, pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority, if you consider that the processing of personal data relating to you infringes this Regulation. Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) GDPR (consent), you further have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.


For further details see here: https://www.facebook.com/about/privacy (How can you exercise your rights provided under the GDPR?)


If you assert any rights in respect of the collection of data for use with Facebook Insights, we will forward that query to Facebook, as we have neither the technological ability nor the authority to answer your query.

7.2 Twitter

Twitter is a blogging service, which enables users to publish text messages with a maximum length of 280 characters. It is operated by Twitter International Unlimited Company (One Cumberland Place, Fenian Street Dublin 2, D02 AX07 IRELAND). Instead of using Twitter plugins, we have decided to only link to Twitter, so that your visiting our website does not automatically transmit your personal data to Twitter.

By linking to the site, Twitter will only process your personal data if you actively click the Twitter button. However, if you are already logged in to your Twitter account when you access our website, then Twitter will already be processing your data. We have no influence on the type and extent of the personal data processed by Twitter.


We will only start to collect your personal data via Twitter if you become active on Twitter and disclose your personal data. By entering your data on Twitter, you consent to us processing your data pursuant to Art. 6 (1) (a) GDPR.


Further information regarding the use of your data can be found in Twitter’s privacy policy: https://twitter.com/en/privacy [external link]
 

7.3 LinkedIn

Like Xing, LinkedIn is a professional network, enabling people to cultivate their existing business contacts and generate new business contacts. That website is operated by the LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). Instead of using plugins, we merely link to LinkedIn. This means that your personal data will not be transmitted automatically to LinkedIn when you visit our website. By linking to the site, LinkedIn will only process your personal data if you actively click the LinkedIn button. We have no control over the type and scope of your personal data that will be processed by LinkedIn.


Further information regarding the use of your data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy?_l=de_DE [external link]

7.4 YouTube

YouTube is the largest, best-known, and most popular video platform in the world. That website is operated by Google Ireland Limited; Gordon House, Barrow Street, Dublin 4, Irland, a subsidiary of Google LLC.


For data protection reasons we have decided to only provide links to this website, rather than using YouTube plugins. This means that we do not process any of your personal data in this respect, and neither can YouTube automatically collect your data when you visit our website, provided that you are not logged in to your YouTube account when you visit our website. This technical solution enables you to decide if and when you wish to transmit any personal data to YouTube. It is only once you actively click on the YouTube button that your browser makes a connection to the YouTube servers and transmits your user data to YouTube. We have no influence on the type and extent of your data processed by YouTube.


Further information regarding the use of user data can be found in YouTube’s Privacy Policy: https://policies.google.com/privacy?hl=en&gl=en [external link]

7.5 Instagram

Instagram is a free online service that allows users to share photographs and videos. Our website links to the website of Instagram. The site is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland. Our website links to the website of Instagram, instead of incorporating Instagram plugins. This means that your personal data will not be transmitted automatically to Instagram when you visit our website. By linking to the site, Instagram will only process your personal data if you actively click the Instagram button. However, if you are already logged in to your Instagram account when you access our website, then Instagram will be processing your personal data. We have no influence on the type and extent of the personal data processed by Instagram.


Further information regarding the use of your data can be found in Instagram’s privacy policy: https://help.instagram.com/519522125107875 [external link]

8 Data protection officer

If you have any questions regarding the processing of your personal data, you can contact our data protection officer directly, who, together with his team, will also be available in any cases of requests for information, applications, or complaints. 

The data protection officer for GEPA mbH - GEPA - The Fair Trade Company is:

Dr. Jörn Voßbein
external data protection officer
Otto-Hausmann-Ring 113
42115 Wuppertal
https://Datenschutz.UIMC.de
Telephone: 0202 - 265 74 0
datenschutz.gepa@uimc.de

As at 02/2022