The protection of your personal data is very important to Common. With this data protection declaration, we explain to you the type, scope and purpose of the processing of your personal data (hereinafter referred to as “data”) within our services (hereinafter referred to as “online offer”). For the sake of clarity, all terms used are kept neutral.
1.1. Common Measurement Service
The Common Measurement Service measures employee journeys to and from work by bicycle, public transport, carpooling and electric two-wheelers on behalf of the employer in accordance with Common’s terms and conditions.
1.2. Common Loyalty program
The user can participate in the Common Loyalty program to obtain Greencents according to the savings in CO2 emissions they generated through their activities, according to the principle: 1 kg of non-emitted CO2 = 1 Greencent. The calculation of the Greencents to be allocated is done as follows: number of km traveled x (0.138 – emissions generated by the mode of transport used by the user), where 0.138 is the emission level of a car in an urban environment in kg of CO2 per km according to the European Environmental Agency. Greencents are managed through the Common app and can be redeemed by the user for rewards from our partners in accordance with Common’s terms and conditions. Payments are not made through Common. Common simply issues vouchers or proofs of purchase to be used online or in physical locations to obtain benefits such as products, services or discounts. The provision of your personal data is necessary for the contractual use of the Common loyalty program, in order to determine the allocation in Greencents to which you are entitled for each of your journeys.
Processing of special categories of data (Art. 9 para. 1 GDPR): no special categories of data in accordance with Art. 9 GDPR (Germany) are processed.
In the following, we refer to the data subjects as “users”.
Your data protection rights are regulated in Chapter III (Art. 12 et seq.) of the GDPR. In accordance with these regulations, you have the right to obtain information about the personal data stored about you, the purposes of the processing, any transmissions to other locations and the duration of the storage.
You may also receive extracts or copies to exercise your right to information. If the data is incorrect or no longer necessary for the purposes for which it was collected, you can request the correction, deletion or limitation of processing. If provided for in the processing procedures, you can also consult your data yourself and correct it if necessary.
If your particular personal situation makes it impossible or undesirable to process your personal data, you can object to the processing if your refusal is based on a legitimate interest. In such a case, we will only process your data if there are specific compelling interests to do so.
If you have any questions about your rights and how to exercise them, please do not hesitate to contact us at: privacy@co2mmon.eu
You also have the right, in accordance with Art. 77 GDPR, to lodge a complaint with the competent supervisory authority:
Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach
Telephone: +49 (0) 981 180093-0
Fax: +49 (0) 981 180093-800
Email: poststelle@lda.bayern.de
You have the right to revoke your consent at any time with immediate effect in accordance with Article 7(3) of the GDPR.
You can object to the future processing of data concerning you at any time in accordance with Article 21 of the GDPR.
We install temporary and permanent cookies, i.e. small files stored on the user’s devices (for an explanation of the term and function, see the section “Definitions of Terms” of this Privacy policy). Some of the cookies are used for security, are necessary for the proper functioning of our online offer (e.g. for the presentation of the website) or support user decisions, e.g. saving changes with the user’s consent. Additionally, we or our technology partners use cookies for reach measurement and marketing purposes, as detailed below.
If you do not want cookies to be stored on your computer, please disable the corresponding option in your browser’s system settings. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies may lead to functional restrictions.
The data processed by us will be deleted or its processing restricted in accordance with Art. 17 and 18 of the European GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as it is no longer necessary for its intended purpose and the deletion does not conflict with the legal requirements of storage. If the data is not deleted because it is necessary for other permitted purposes, its processing will be restricted. This applies, for example, to data that must be retained for commercial or tax reasons.
In accordance with legal requirements, retention is six years in accordance with § 257 (1) HGB (books, inventories, opening balance sheets, annual financial statements, business letters, accounting documents, etc.) and ten years in accordance with Article 147 (1) AO (books, registers, management reports, accounting documents, commercial and business letters, documents relating to taxation, etc.).
We reserve the right to adapt this data protection declaration. If any changes require your participation (e.g. consent) or other individual notification, we will also notify you.
In accordance with Art. 13 GDPR, we inform you about the legal basis of our data processing. Unless the legal basis is expressly indicated for a specific processing, the following applies: the legal basis for processing based on consent is Article 6 (1) (a) and Article 7 of the GDPR, the legal basis to perform our services and the implementation of measurement services as well as answering inquiries is GDPR Article 6(1)(b), the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) GDPR.
In accordance with Art. 32 GDPR, taking into account the state of the art in IT, the costs of implementation and the type, scope, circumstances and purposes of the processing, as well as the probability of occurrence and the seriousness of the risk for the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical access to data, as well as access, input, transfer, securing availability and their separation. In addition, we have implemented procedures that ensure the exercise of the rights of data subjects, the deletion of data and the reaction to threats of loss or theft of data. We also consider the protection of personal data as early as the development and selection of hardware, software and processes, in accordance with the principle of data protection by technological design (Art. 25 GDPR). The security measures include in particular the encrypted transmission of data between your browser and our server.
With regard to data protection, our employees are bound to secrecy and informed of the possible consequences of data leakage.
If, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this is always based on a legal authorization: for example, if a transmission of the data to third parties, such as payment service providers, is necessary for the fulfillment of the contract in accordance with Art. 6 para. 1 lit. b GDPR, if you have consented, if a legal obligation provides for it, or on the basis of our legitimate interests (for example when using agents, hosts, etc.).
A transfer of data to third countries only takes place if there is sufficient security for the data in accordance with Art. 44 et seq. GDPR.
This part gives you an overview of the processing activities we carry out, which we have divided into several business areas. Please note that the business areas are for guidance only and processing activities may overlap (e.g. the same data may be processed in multiple processes).
In this area you will find information about our basic services and tasks, in particular the provision of our contractual services and the associated ancillary tasks.
We process employee data on behalf of the employer for administrative purposes, including accounting for home office trips as part of the administration of the Common Measurement Service. There is an order processing contract with the employer pursuant to Art. 28 GDPR, which governs our processing obligations on the instructions of the employer.
We process the data transmitted by users within the framework of the Common loyalty program for the purpose of offering, establishing, implementing and, if necessary, terminating contracts with partners. The user data is passed on to the respective partner within the scope of the user mediation. This service is free for the user. The services of the partners are invoiced directly to the user.
To use the services of Common’s partners, users are invited to use the Greencents they have received following their journeys. These Greencents can be used to obtain rewards from our partners.
We store your data in order to maintain the contractual relationship and the necessary consents in accordance with legal liability (Article 5 (2) GDPR).
Business developments may become necessary in order to be able to process any warranty and damage claims or comparable claims as well as queries, and to be able to provide the necessary evidence, in particular with regard to the admissibility of data processing under the European data protection framework. In this case, the processing of the data is limited to the aforementioned purposes only in accordance with Art. 18 GDPR. Furthermore, the data is stored in accordance with the legal archiving requirements in accordance with Article 6 (1) (c) GDPR, i.e. for 10 years in accordance with §§ 147 paragraph 1 AO, 257 paragraph 1 no. 1 and 4, paragraph 4 HGB (books, registers, management reports, accounting documents, trading books, documents relating to taxation, etc.) and 6 years in accordance with § 257 paragraph 1 no. 2 and 3 paragraph 4 HGB (commercial letters). Even in the event of legally required archiving, the processing is limited to this sole purpose. The need to store data is implemented in continuous processes and is checked regularly.
We offer a specific user area that requires verified registration and allows users to manage their data within the technical functions available.
Information contained in inquiries we receive via our contact form and by other means, e.g. by e-mail, are processed in order to respond to requests for information. For these purposes, requests may be stored in our customer relationship management system (CRM system) or similar processes that we use to manage requests.
In order to operate our business economically, to be able to recognize market trends, interested parties and user requests, we analyze the data available to us on business transactions, inquiries, etc. For this purpose, we merge the personal data of interested parties from registrations and comparison requests with customer usage data.
In this area, you will obtain information about our data processing in the context of the exploitation of user visits to third-party sites and applications, for example on social networks.
We maintain channels in several social networks in order to have several means of communication with customers, interested parties and users active there, and to be able to inform them about our services through these channels. When visiting networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply. Unless otherwise stated in our data protection declaration, we process user data if they communicate with us within social networks and platforms, e.g. write messages on our online presence or send us messages.
The links/buttons used within our online offer to social networks and platforms (hereinafter referred to as “social media”) establish contact between social networks and users only when users click on the links/buttons allowing access to respective networks or sites. This procedure corresponds to the operation of a classic online link. We draw your attention to the fact that user data may be processed outside the European Union. This can lead to risks for users, because for example the enforcement of user rights could be made more difficult. With regard to US providers certified under the Privacy Shield, we draw your attention to the fact that they undertake to comply with EU data protection standards.
In addition, user data is generally processed for market research and advertising purposes. For example, usage profiles are created from the resulting user behavior and interests. Usage profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of users. For these purposes, cookies are usually stored on the computers of the users, in which the usage behavior and the interests of the users are saved. Furthermore, data may also be stored in usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in there).
The processing of users’ personal data takes place on the basis of our legitimate interests in effective user information and communication with users in accordance with Article 6(1)(f) GDPR. If users are asked by the respective providers to consent to the data processing (i.e. to declare their consent, for example by ticking a box or confirming a button), the legal basis for the processing is Article 6(1)(a) and Article 7 GDPR. For a detailed description of the respective processing and the possibility of objection (opt-out), we refer to the information of the providers.
In the event of requests for information and the assertion of rights of use, we also draw your attention to the fact that these can be asserted more effectively directly from the providers. Only providers have access to user data and can directly take action and provide information. If you need further assistance, you can contact us nonetheless.
The hosting services we use serve to provide the following services: infrastructure and platform services, measurement and computing capacity, storage space and database services, security services, technical maintenance.
The server on which this online offer is located collects so-called temporary files in which user data is stored each time the online offer is accessed. The data is used both for statistical analysis, in order to maintain and optimize the operation of the server and for security purposes, for example to detect possible unauthorized access attempts.
In this section we inform you about content, software or functions (in short “content”) of other providers that we integrate within our online offer on the basis of Article 6 paragraph 1 letter f of the GDPR (so-called “integration”). The integration takes place to make our online offer more interesting for our users or for legal reasons, for example to be able to present videos or social media posts as part of our online offer. The integration can also be used to improve the speed or security of the online offer, for example if software elements or fonts are obtained from other sources. In any case, the processed data includes the usage and metadata of the users as well as the IP address which is necessarily transmitted to the provider for the integration of the content. Data subjects are visitors to our online offer. The categories of data subjects include users of our online offer, customers and interested parties. Further explanations, in particular on functions and protective measures, can be found in the definitions of terms at the end of this data protection declaration. Deletion of data is determined by the data protection terms of the provider of the embedded content.
We use the following services and content from the provider Google: YouTube – videos, Google Maps – maps, Google Fonts – fonts, Google – Recaptcha (detection of bots when entering forms).
Functions and content of the Facebook service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content, subscribe to content creators or our posts.
Functions and content of the Instagram service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content, subscribe to content creators or our posts.
Functions and content of the Pinterest service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content, subscribe to content creators or our posts.
Functions and content of the Twitter service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to express their liking for the content or its authors, or to subscribe to our publications.
Functions and content of the Xing service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to express their liking for the content or its authors, or to subscribe to our publications.
Functions and content of the LinkedIn service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content, subscribe to content creators or our posts.
In this section you will find information about the data processing we carry out with the aim of optimizing our marketing and market research services.
We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”), provided that we have your consent or legal authorization. Subscriber data is recorded because we are required to provide proof of consent. The content of the newsletter is not expressly described when registering for the newsletter; it contains information about our company and our services and offers, in particular for the service areas that the recipient has declared to be relevant for them (for example, if a user shows an interest in urban mobility services as part of a consent process).
On the other hand, notifications sent within the framework of contractual or commercial relations are not part of advertising information. This includes, for example, the sending of service emails, technical or organizational information within the scope of our service provision, information on technical and legal changes, inquiries about orders, etc. If we have received your consent to personalized information, we will record your user behavior on our website and in your user profile that we manage. We continue to store information about the devices used, the opening, clicking and reading behavior in e-mails, as well as the sections that have been visited on the website. For technical reasons, this information is stored personally for each user, but is not used to monitor individual users, but rather to tailor content and offers to users. The information collected by us in addition to the e-mail address (e.g. name) is used to address the user personally or to adapt the content of the newsletter.
We use “Mailchimp” to send our newsletters.
We use email services for communication purposes and therefore ask that you note the following information about email functionality, encryption, use of communication metadata and your opt-out options. You can also contact us by other means, for example by telephone or e-mail. Please use the contact options provided to you or the contact options provided in our online offering. Where end-to-end encryption of the content is used, please note that the content of the communication (i.e. the content of your message and attachments) is encrypted end to end. This means that the contents of the messages cannot be viewed, not even by the email providers themselves. You should always use a current version of your email application with encryption enabled to ensure that message content is encrypted. However, we also point out to our communication partners that the providers of the messengers do not see the content, but can find out when the communication partner is communicating with us, what device the communication partner is using and, depending on the settings of the device, where it is (metadata). If we seek permission from communication partners before communicating via Messenger, the legal basis is consent. Therefore, if we do not ask for your consent and you contact us, e.g. of your own free will, we use Messenger in relation to our contractual partners and within the framework of the initiation of the contract as a contractual measure, and in the case of other interested parties and communication partners on the basis of our legitimate interests in prompt and efficient communication. We will not pass the contact data provided to us to Messenger without your consent.
You can revoke your consent or object to communication with us via Messenger at any time. In this case, we delete the messages in accordance with our general deletion policy (as described above after the end of the contractual relationship and depending on archiving requirements, etc.) and otherwise as soon as we can assume that we have responded to any information from the communication partner, if no reference to a previous conversation is to be expected and if the deletion does not conflict with legal retention requirements.
In this section, we inform you about the services of technological partners that we use to measure distances, times and means of transport and for online marketing purposes. They are used on the basis of Art. 6(1)(f) GDPR. Our interest lies in improving user-friendliness, optimizing our offer and its profitability. In all cases, the data to be processed includes usage and metadata. Further explanations can be found in the definitions of terms, in particular on functions and protective measures at the end of this data protection declaration. Unless otherwise specified, the deletion of data is determined in accordance with the data protection declarations of the respective providers.
We use the Facebook pixel to form target groups and measure the success of the advertisements we place on Facebook.
We use Google Analytics for the purpose of measuring reach and creating target groups.
We use Google AdWords to measure the success of the advertisements we place on Google.
We use Google Double Click to measure the success of the advertisements we place on Google.
We use the cartographic service of the Google Maps platform on this website and in our app.
Common does not use your data for advertising purposes and will not sell your data to third parties. Your data is solely used to allocate you Greencents.
This data protection declaration applies to the provision of our range of services, in particular the modules “Common Measurement Service” and “Common Loyalty Program”. Insofar as we refer to third-party websites via links, our data protection declaration does not apply to these. Please inform yourself on the respective pages about the data protection regulations applicable there.
Due to the further development of our website and our offers as well as due to changed legal or official requirements, it may become necessary to amend this data protection declaration. You can view and print out the currently valid data protection declaration at any time on the app or on our website https://co2mmon.eu.
We are always at your disposal for any questions, suggestions and/or additions, for example by sending an e-mail to privacy@co2mmon.eu.
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to denes@co2mmon.eu with subject line “enquiry”.