Data Protection

Information on data processing under the EU General Data Protection Regulation (GDPR) for members, donors, sponsors, interested persons, and business partners.

With the following information, the controllers provide you with an overview of how your personal data is processed as a member, donor, sponsor, interested person, and business partner under the GDPR.

I. Who is responsible and how can I reach the Data Protection Officer?

The controller within the meaning of the GDPR is:

betterSoil e.V.
Lise-Meitner-Straße 9
89081 Ulm
mail@bettersoil.info
mail@bettersoil.de
www.bettersoil.info

Register court: Local Court (Amtsgericht) Ulm – Register Court – VR 722084

Chair of the Board: Azadeh Farajpour Javazmi, Deputy Chair: Dr. Tobias Orthen

If you have questions about how we process your personal data or about data protection in general, please contact the Data Protection Officers at mail@bettersoil.info. If you prefer secure transmission, please contact us by post.

II. Your rights as a data subject

Every data subject has the following rights:

Right of access (Art. 15 GDPR), right to rectification of inaccurate data (Art. 16 GDPR), right to erasure or the “right to be forgotten” (Art. 17 GDPR), right to restriction of processing of personal data (Art. 18 GDPR), right to data portability (Art. 20 GDPR).

You may object at any time, without giving reasons, to the processing of personal data for advertising purposes, including the analysis of customer data for advertising purposes.

In addition, the data subject also has a general right to object (see Art. 21(1) GDPR). In this case, the objection to data processing must be justified. Where data processing is based on consent, you may withdraw your consent at any time with effect for the future.

The easiest way to exercise your data subject rights is to contact mail@bettersoil.info. You also have the right to lodge a complaint with the data protection supervisory authority responsible for you.

III. Processing of personal data by betterSoil

Below we would like to give you an overview of which categories of personal data we, as controllers, process from you as a member, donor, interested person, and business partner, for which purposes, and to what extent. If data processing takes place when visiting the website, please refer to Section IV, Privacy and Cookie Policy.

1. Categories of personal data

Which categories of personal data are processed by the controller depends primarily on the reason and the context in which a contact or contractual relationship with you arises or exists. A distinction is made, for example, between members, donors, sponsors, interested persons, and business partners. In the context of a membership, a donation, a participation campaign (e.g., petitions, prize draws, Inhouse Academy), an inquiry, or any other contract, the controllers generally process the following categories of data depending on the specific relationship:

• Name, first name, address, contact details (telephone, e-mail), date of birth, place of birth, marital status, industry/profession; additional data on family members, for example in the case of family memberships; membership and donor ID;
• Company details, possibly consisting of name, first name, address, contact details (telephone, e-mail), industry; contact person in the company with name, first name, function, contact details (telephone, e-mail);
• Building/property data in connection with betterSoil climate protection projects;
• Identification data (e.g., ID document data), authentication data (e.g., specimen signature), tax ID;
• Payment transaction and order data (e.g., bank account/credit card data, payment instructions), credit score (payment behavior for business partners);
• Order history and revenues for business partners;
• Member, donor, and interested-person histories with regard to bequests;
• Data of individuals submitting reports in the context of participation in the Inhouse Academy, insofar as this is required for scientific validation purposes and for participation.

If, during membership, the support of donors and interested persons—particularly with participation campaigns—or during a business relationship there are direct contacts with you, further data such as information on the contact channel, date, reason and outcome, and copies of correspondence will be processed.

2. Purposes of data processing and legal bases

The controller processes your aforementioned personal data and categories of personal data for the performance of the respective contract (e.g., membership, donation, participation campaign, other business relationship) or for the implementation of pre-contractual measures (e.g., (paid) requests for information) with you pursuant to Art. 6(1)(b) GDPR. For these purposes, your contact details are also used, for example, in the context of specific information (including success reports on the supported donation project) and for inquiries.

The controllers are also subject to various legal requirements (e.g., Anti-Money Laundering Act, tax laws) and therefore process your data on the basis of legal obligations under Art. 6(1)(c) GDPR or in the public interest under Art. 6(1)(e) GDPR. The purposes of processing include, among others:

• Application and proof obligations in the context of grants from public bodies;
• Control and proof obligations in the context of the allocation of fines and monetary penalties;
• Proof obligations in the context of probate and bequests;
• Fulfillment of social insurance obligations (e.g., statutory accident insurance);
• Reporting obligations to regulatory and law enforcement authorities if the controller becomes aware of violations of legal provisions;
• Fraud and anti-money laundering prevention;
• Fulfillment of tax control and reporting obligations and audit requirements;
• Compliance with official and judicial instructions and orders;
• As well as the assessment and management of risks at the controller.

Where necessary, the controllers process your data within the framework of a balancing of interests under Art. 6(1)(f) GDPR to safeguard the legitimate interests of the controller or third parties. For example:

• Transmission of contact details between requesters and the controllers’ internal and external experts;
• Free information orders and contact inquiries;
• Publication of images on the website, in print products, and on social media channels in connection with reporting on the controller’s events;
• Measures for association management and further development of the statutory purposes;
• Exchange of experience with other national and international environmental/climate protection organizations within the framework of global strategies and global environmental/climate protection;
• Establishment of legal claims and defense in legal disputes;
• Ensuring IT security and IT operations of the controller;
• Prevention of criminal offenses;
• Measures to ensure building and facility security (e.g., access controls);
• Data exchange with credit agencies to determine credit or default risks for business partners.

Also within the framework of a balancing of interests under Art. 6(1)(f) GDPR to safeguard the controller’s legitimate interests, the controller processes your data—for example on the basis of membership, a donation relationship, participation campaigns, purchases in the betterSoil shop, existing contracts or inquiries—for needs-based information within the scope of the controller’s statutory purposes (self-promotion) under the following conditions:

• Postal advertising unless you have objected to this processing; you can object to this promotional use at any time with effect for the future using the contact details listed above (see Section 1; see also Section 7);
• Telephone advertising to companies where your presumed consent exists for this and unless you have objected; you can object to this promotional use at any time with effect for the future using the contact details listed above (see Section 1; see also Section 7);
• Receipt of grants/third-party funding if the campaign, event, etc. in which you participated is financed by grants/third-party funds;
• Improvement of our own services.

The controller does not transmit your data to third parties for advertising purposes.

Where you have given us consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent pursuant to Art. 6(1)(a) GDPR. Consent granted may be withdrawn at any time with effect for the future using the contact details listed above (see Section 1). Consent may be given, among other things, for:

• Sending a newsletter tailored to your interests (for example in the context of information requests) to your e-mail address and all processing necessary for this; see the “Privacy and Cookie Policy” under the section “Subscribing to an e-mail newsletter”;
• Telephone advertising within the scope of the controller’s statutory purposes, including for donations in favor of the controller.

3. Recipients and categories of recipients of the data

Within the controller’s organization, only those departments receive access to your data that need it to fulfill our contractual and legal obligations and, based on a balancing of interests and taking into account the respective data category, to perform their tasks. Service providers engaged by the controller may also receive data for these purposes when they are commissioned as processors pursuant to Art. 28 GDPR.

Possible recipients of personal data include, for example:

• Within the framework of betterSoil e.V.’s multi-tier membership structure, the betterSoil officers responsible for your place of residence;
• National and international environmental/climate protection organizations within the framework of global strategies and global environmental/climate protection;
• Cooperation partners with whom campaigns and projects (e.g., participation campaigns) are carried out online or by means of print products;
• Public bodies and institutions (e.g., regulatory and law enforcement authorities, tax authorities, Federal Central Tax Office) where there is a legal or official obligation or cooperation;
• Grant/third-party funders if the campaign, event, etc. is financed by grants/third-party funds;
• Other banking and financial service institutions;
• Processors, e.g., for member and donation acquisition, for support/maintenance of IT applications, archiving, document processing, call center services, compliance services, controlling, data screening in accordance with legal requirements, printing and dispatch of personalized letters, e-mail dispatch, data destruction, auditing services, and payment transactions;
• Credit agencies in the context of a credit check on companies;
• Other data recipients on the basis of consent given by you.

4. Transfer of data to a third country or to an international organization

Data is transferred to countries outside the EU or EEA (so-called third countries) only if this is necessary for the execution of your orders, is required by law (e.g., tax reporting obligations), you have given us consent, or within the framework of commissioned data processing. Where service providers in a third country are used, in addition to written instructions they are obliged by appropriate measures (e.g., conclusion of EU standard contractual clauses, EU–U.S. Privacy Shield certification) to comply with the level of data protection in Europe.

5. Duration of data storage

The controllers process and store your personal data for as long as is necessary to fulfill contractual and legal obligations and, based on a balancing of interests and taking into account the respective data category. If the data is no longer required for this purpose, it is regularly deleted unless its (temporary) further processing is required—for example, in a separate archive with restricted access rights—for the following purposes:

• Compliance with commercial and tax retention periods (e.g., German Commercial Code (HGB) and Fiscal Code (AO) with the specified retention or documentation periods of two to ten years, e.g., for business letters, contracts, orders, invoices, and donation receipts);
• Preservation of evidence for a period of 30 years pursuant to § 197 German Civil Code (BGB), e.g., in the context of claims established with final effect, claims from enforceable settlements or enforceable deeds;
• Preservation of evidence for a period of 3 years pursuant to § 195 BGB for evidentiary purposes and any necessary clarification of judicial or extrajudicial claims (e.g., correspondence in the context of handling data subject rights, data in connection with a terminated membership, unless longer retention periods exist).

6. Obligation to provide data

In the context of a business relationship (e.g., memberships, donation processing, other contracts), you must provide the personal data that is required to establish and carry out a business relationship and to fulfill the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order, or we will no longer be able to perform an existing contract and may have to terminate it.

7. Use of the Zoom Video Communications Inc. videoconferencing software for digital events

We use the tool “Zoom,” on the basis of Pro and Business license agreements, to conduct digital events such as online meetings, workshops, and seminars (also known as “webinars”) (hereinafter: “online meetings”). “Zoom” is a service of Zoom Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA.

For online meetings, insofar as technically possible, we have enabled continuous end-to-end encryption in our Zoom configuration. We have also configured Zoom so that, as a rule, only data centers in the EU, the EEA, or secure third countries such as Canada or Japan are used to conduct online meetings.

Various types of data are processed when using “Zoom.” The scope of the data also depends on which information you provide before or during participation in an online meeting.

The following personal data is subject to processing:

Registration data / user details:

• Name, first name
• E-mail address
• Telephone (optional)
• Consent to recording (optional)
• Profile picture (optional)
• Password (on betterSoil service devices if “Single Sign-On” is not used)
• Department (optional, for betterSoil accounts)

Meeting metadata:

• Topic
• Description (optional)
• Participant IP addresses
• Device/hardware/browser information

For recordings (optional):

• MP4 file of all video, audio, chat, and presentation recordings
• M4A file of all audio recordings
• Text file of the online meeting chat

When dialing in by telephone:

• Information on inbound and outbound phone numbers, country name, start and end time
• Where applicable, further connection data such as the device’s IP address may be stored

Text, audio, and video data:

• You may have the opportunity to use the chat, question, or polling functions in an online meeting. To that extent, the text entries you make are processed to display them in the online meeting and, where applicable, to log them.
• To enable the display of video and the playback of audio, data from your device’s microphone and any video camera is processed during the meeting. You can switch off or mute the camera or microphone yourself at any time via the Zoom applications.

You may provide additional information about yourself, but you do not have to. You are also free to use the chat function during the online meeting. You can also switch your camera and microphone on, off, or mute them yourself. By default, the camera and microphone are deactivated at the start of a meeting. To participate in an online meeting or enter the meeting room, you must at least provide your name.

Scope of processing
We use “Zoom” to conduct online meetings. If we wish to record online meetings—for example, for the purpose of preparing minutes—we will inform you transparently in advance and, where necessary, ask for your consent. The fact of recording is also displayed to you in the Zoom app. If it is necessary for the purpose of recording the results of an online meeting, we will log chat content. This will generally not be the case.

In the case of online seminars or meetings that must be minuted, we may also process questions asked by participants for recording and follow-up purposes.

If you are registered as a user with Zoom, reports about online meetings (meeting metadata, data about dialing in by telephone, Q&A in webinars, polling in webinars) can be stored by Zoom for up to one month.

Legal bases for data processing
Where personal data of employees of the betterSoil federal office is processed, § 26 BDSG (Federal Data Protection Act) is the legal basis. If, in connection with the use of Zoom, personal data is not necessary for establishing, performing, or ending the employment relationship but is nevertheless an essential component in the use of Zoom, Art. 6(1)(f) GDPR is the legal basis for data processing. In these cases, our interest lies in the effective conduct of online meetings. Otherwise, the legal basis for data processing when conducting online meetings is Art. 6(1)(b) GDPR, insofar as the meetings are held within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6(1)(f) GDPR. Here, too, our interest is in the effective conduct of online meetings.

Recipients / disclosure of data / third-country transfer
We do not generally transfer your data to third parties. Data is only passed on if the data is specifically intended for disclosure, you have expressly consented to the transfer in advance, or we are obliged or entitled to do so by law. Zoom Video Communications Inc. supports us as an external service provider and processor within the meaning of Art. 28 GDPR. As a processor, Zoom Video Communications Inc. processes your data strictly in accordance with instructions and on the basis of a separately concluded data processing agreement. Data processing may also take place outside the EU or EEA. With regard to Zoom Video Communications Inc., an adequate level of data protection within the meaning of Art. 46(2)(c) GDPR can be assumed through the use of EU standard contractual clauses and other appropriate measures (implementation of end-to-end encryption and the use of the Data Routing function; this refers to the ability to determine for yourself through which data centers the data should flow during meetings and webinars).

Further information:
If you access the “Zoom” website, the provider of “Zoom” is responsible for data processing. Accessing the website is only necessary to download the software to use “Zoom.” You can also use “Zoom” by entering the respective meeting ID and any other access data for the meeting directly in the Zoom app. If you do not want to or cannot use the Zoom app, the basic functions are also available via a browser version, which you can also find on the Zoom website.

8. Use of Microsoft Teams videoconferencing software for digital events

We use Microsoft Teams on our website, a service for online meetings and video conferences. The service provider is the American company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft also processes your data in the USA, among other places. We point out that, in the view of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This may be associated with various risks regarding the lawfulness and security of data processing.

As a basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway—particularly in the USA) or for data transfers there, Microsoft uses so-called Standard Contractual Clauses (Art. 46(2) and (3) GDPR). Standard Contractual Clauses (SCCs) are model templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards when transferred to and stored in third countries (such as the USA). By means of these clauses, Microsoft undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

You can find more information about Microsoft’s Standard Contractual Clauses at https://docs.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses.

You can find out more about the data processed by Microsoft in the Privacy Statement at https://privacy.microsoft.com/de-de/privacystatement.

IV. Website Privacy and Cookie Policy

Web hosting

When visiting websites today, certain information—including personal data—is automatically created and stored, and this is also the case on this website. “Website” refers to all web pages on our domain bettersoil.info, i.e., everything from the home page to the very last subpage (like this one). We collect data as sparingly as possible and only process it further where there is justification.

Why do we process personal data?

The purposes of data processing are:

• Professional hosting of the website and securing its operation
• Maintaining operational and IT security
• Anonymous analysis of access behavior to improve our offering and, where applicable, for prosecution or assertion of claims

Which data is processed?

Even while you are visiting our website right now, our web server—the computer on which this website is stored—usually automatically stores data such as:

• the full internet address (URL) of the page accessed
• browser and browser version (e.g., Chrome 87)
• the operating system used (e.g., Windows 10)
• the address (URL) of the previously visited page (referrer URL) (e.g., https://www.linkedin.com/company/bettersoil-for-a-better-world/)

There is usually a data processing agreement between us and the hosting provider in accordance with Art. 28 et seq. GDPR, which ensures compliance with data protection and guarantees data security.

Heroku Privacy Policy

We use Heroku for our website. This is a container-based cloud platform used to develop and deploy web applications. The service provider is the American company salesforce.com Inc., One Market Street, Suite 300, San Francisco, CA 94105, USA.

Salesforce also processes your data in the USA, among other places. We point out that, in the view of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This may be associated with various risks for the lawfulness and security of data processing.

As a basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway—particularly in the USA) or for data transfers there, Salesforce uses so-called Standard Contractual Clauses (Art. 46(2) and (3) GDPR). Standard Contractual Clauses (SCCs) are model templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards when transferred to and stored in third countries (such as the USA). By means of these clauses, Salesforce undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Data Processing Addendum, which corresponds to the Standard Contractual Clauses, can be found at: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

You can find out more about the data processed through the use of Salesforce in the Privacy Policy at: https://www.salesforce.com/de/company/privacy/

Privacy notice for SSL/TLS encryption

For security reasons and to protect the transmission of confidential content—such as the inquiries you send to us as the site operator—this website uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Privacy notice for server log files

The provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request

These data cannot be assigned to specific persons. This data will not be merged with other data sources. We reserve the right to subsequently check this data if we become aware of concrete indications of unlawful use.

Cloudinary Privacy Policy

We use the cloud service Cloudinary for our website. The service provider is the American company Cloudinary Inc., 3400 Central Expressway, Suite 110, Santa Clara, CA 95051, USA.

Cloudinary also processes your data in the USA, among other places. We point out that, in the view of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This may be associated with various risks for the lawfulness and security of data processing.

As a basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway—particularly in the USA) or for data transfers there, Cloudinary uses so-called Standard Contractual Clauses (Art. 46(2) and (3) GDPR). Standard Contractual Clauses (SCCs) are model templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards when transferred to and stored in third countries (such as the USA). By means of these clauses, Cloudinary undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

More information on Cloudinary’s Standard Contractual Clauses can be found at: https://cloudinary-res.cloudinary.com/image/upload/Cloudinary-Customer-Data-Processing-Addendum-DPA-November-2020.pdf

You can find out more about the data processed through the use of Cloudinary in the Privacy Policy at: https://cloudinary.com/privacy

Audio and video elements

Audio and video elements are embedded on our website so that you can watch and listen to videos directly via our website. The content is provided in part by third-party providers. All content is therefore also retrieved from the respective providers’ servers. If you use audio or video elements on our website, personal data may also be transmitted to, processed by, and stored by the service providers. You will be asked for your consent before use.

YouTube

We have embedded YouTube videos on our website. This allows us to present interesting videos to you directly on our site. When you access a page on our website that has an embedded YouTube video, your browser automatically connects to the servers of YouTube and/or Google. Various data are transmitted in the process (depending on settings). Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all data processing in the European region.

If you are logged into your YouTube account, YouTube can usually assign your interactions on our website to your profile using cookies. These include data such as session duration, bounce rate, approximate location, technical information such as browser type, screen resolution, or your internet provider. Other data may include contact details, any ratings, sharing content via social media, or adding videos to your favorites on YouTube.

If you are not logged into a Google or YouTube account, Google stores data with a unique identifier that is linked to your device, browser, or app. For example, your preferred language setting is retained. However, many interaction data cannot be stored because fewer cookies are set.

The data that YouTube receives from you and processes is stored on Google servers. Most of these servers are located in America. You can see exactly where Google’s data centers are located at https://www.google.com/about/datacenters/inside/locations/?hl=de. Your data is distributed across the servers. This makes the data accessible more quickly and better protected against manipulation.

Google stores the collected data for varying lengths of time. Some data can be deleted by you at any time; other data is automatically deleted after a limited period; and still other data is stored by Google for longer periods. Some data (such as items from “My Activity,” photos or documents, products) that is stored in your Google account remains stored until you delete it. Even if you are not logged into a Google account, you can delete some data linked to your device, browser, or app.

In principle, you can delete data in your Google account manually. With the automatic deletion function for location and activity data introduced in 2019, information—depending on your decision—is stored for either 3 or 18 months and then deleted.

Regardless of whether you have a Google account, you can configure your browser so that Google cookies are deleted or deactivated. Depending on which browser you use, this works in different ways. In the “Cookies” section you will find the corresponding links to the respective instructions for the most well-known browsers.

If you do not want cookies at all, you can set your browser to always inform you when a cookie is to be set. This way you can decide on a case-by-case basis whether to allow each individual cookie.