Privacy policy

Introduction

The protection of your personal data is very important to Common. With this data protection declaration, we explain to you the type, scope and purpose of the processing of your personal data (hereinafter referred to as “data”) within our services (hereinafter referred to as “online offer”). For the sake of clarity, all terms used are kept neutral.

I. Data processing overview

1. Description of our services

1.1. Common Measurement Service

The Common Measurement Service measures employee journeys to and from work by bicycle, public transport, carpooling and electric two-wheelers on behalf of the employer in accordance with Common’s terms and conditions.

1.2. Common Loyalty program

The user can participate in the Common Loyalty program to obtain Greencents according to the savings in CO2 emissions they generated through their activities, according to the principle: 1 kg of non-emitted CO2 = 1 Greencent. The calculation of the Greencents to be allocated is done as follows: number of km traveled x (0.138 – emissions generated by the mode of transport used by the user), where 0.138 is the emission level of a car in an urban environment in kg of CO2 per km according to the European Environmental Agency. Greencents are managed through the Common app and can be redeemed by the user for rewards from our partners in accordance with Common’s terms and conditions. Payments are not made through Common. Common simply issues vouchers or proofs of purchase to be used online or in physical locations to obtain benefits such as products, services or discounts. The provision of your personal data is necessary for the contractual use of the Common loyalty program, in order to determine the allocation in Greencents to which you are entitled for each of your journeys.

2. Types of data collected

  • Civil status (for example, name, address)
  • Contact details (e.g. email address, phone number)
  • Content data (e.g. information on mobility offers, rental of bicycles and scooters)
  • Location data (e.g. route information)
  • Contract data (e.g. usage and billing data for self-service bicycles, transmission of billing data)
  • Usage data (e.g. websites visited, interest in content, access times)
  • Communication meta/data (e.g. device information, IP addresses)

3. Categories of recipients

  • Mobility providers (e.g. local public transport operators, Die Bahn, Transilien, Tier etc.)
  • Business partners to provide rewards under the Common Loyalty Program: restaurants, cafes, bars, shops, municipal services etc.

Processing of special categories of data (Art. 9 para. 1 GDPR): no special categories of data in accordance with Art. 9 GDPR (Germany) are processed.

4. Categories of data subjects whose data are processed

  • Individuals
  • Employees

In the following, we refer to the data subjects as “users”.

5. Details of the services provided by Common to its customers

  • Supervision and invoicing of employer-sponsored offers, in particular bike rental and cost subsidies within the framework of the mobility budget
  • Provision of the online offer, its content and its functionalities
  • Provision of contractual services and customer support
  • Response to contact requests and communication with users
  • Marketing, advertising and market research
  • Security measures

II. Your rights, relevant regulation and general information on data processing

1. Rights of data subjects

Your data protection rights are regulated in Chapter III (Art. 12 et seq.) of the GDPR. In accordance with these regulations, you have the right to obtain information about the personal data stored about you, the purposes of the processing, any transmissions to other locations and the duration of the storage.

You may also receive extracts or copies to exercise your right to information. If the data is incorrect or no longer necessary for the purposes for which it was collected, you can request the correction, deletion or limitation of processing. If provided for in the processing procedures, you can also consult your data yourself and correct it if necessary.

If your particular personal situation makes it impossible or undesirable to process your personal data, you can object to the processing if your refusal is based on a legitimate interest. In such a case, we will only process your data if there are specific compelling interests to do so.

If you have any questions about your rights and how to exercise them, please do not hesitate to contact us at: privacy@co2mmon.eu

You also have the right, in accordance with Art. 77 GDPR, to lodge a complaint with the competent supervisory authority:

Bavarian State Office for Data Protection Supervision

Promenade 18

91522 Ansbach

Telephone: +49 (0) 981 180093-0

Fax: +49 (0) 981 180093-800

Email: poststelle@lda.bayern.de

2. Right of revocation

You have the right to revoke your consent at any time with immediate effect in accordance with Article 7(3) of the GDPR.

3. Right of objection

You can object to the future processing of data concerning you at any time in accordance with Article 21 of the GDPR.

4. Cookies and right of opposition in direct marketing

We install temporary and permanent cookies, i.e. small files stored on the user’s devices (for an explanation of the term and function, see the section “Definitions of Terms” of this Privacy policy). Some of the cookies are used for security or are necessary for the proper functioning of our online offer (e.g. for the presentation of the website) or to support user decisions, e.g. to save changes with the user’s consent. Additionally, we or our technology partners use cookies for reach measurement and marketing purposes, as detailed below.

If you do not want cookies to be stored on your computer, please disable the corresponding option in your browser’s system settings. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies may lead to functional restrictions.

5. Deletion of data and archiving obligations

The data processed by us will be deleted or its processing restricted in accordance with Art. 17 and 18 of the European GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as it is no longer necessary for its intended purpose and the deletion does not conflict with the legal requirements of storage. If the data is not deleted because it is necessary for other permitted purposes, its processing will be restricted. This applies, e.g., to data that must be retained for commercial or tax reasons.

In accordance with legal requirements, retention is six years in accordance with § 257 (1) HGB (books, inventories, opening balance sheets, annual financial statements, business letters, accounting documents, etc.) and ten years in accordance with Article 147 (1) AO (books, registers, management reports, accounting documents, commercial and business letters, documents relating to taxation, etc.).

6. Privacy policy changes and updates

We reserve the right to adapt this data protection declaration. If any changes require your participation (e.g. consent) or other individual notification, we will also notify you.

7. Relevant legal bases

In accordance with Art. 13 GDPR, we inform you about the legal basis of our data processing. Unless the legal basis is expressly indicated for a specific processing, the following applies: the legal basis for processing based on consent is Article 6 (1) (a) and Article 7 of the GDPR, the legal basis to perform our services and the implementation of measurement services as well as answering inquiries is GDPR Article 6(1)(b), the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) GDPR.

8. Security of data processing

In accordance with Art. 32 GDPR, taking into account the state of advancement of IT techniques, the costs of implementation and the type, scope, circumstances and purposes of the processing as well as the probability of occurrence and the seriousness of the risk for the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical access to data, as well as access, input, transfer, securing availability and their separation. In addition, we have implemented procedures that ensure the exercise of the rights of data subjects, the deletion of data and the reaction to threats of loss or theft of data. We also consider the protection of personal data when developing and selecting hardware, software and processes, in accordance with the principle of data protection by technological design (Art. 25 GDPR). The security measures include in particular the encrypted transmission of data between your browser and our server.

With regard to data protection, our employees are bound to secrecy and informed of the possible consequences of data leakage.

9. Data disclosure and transfer

If, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this is always based on a legal authorization. This is the case, for example, if a transmission of the data to third parties, such as payment service providers, is necessary for the fulfillment of the contract in accordance with Art. 6 para. 1 lit. b GDPR, if you have consented, if a legal obligation provides for it, or on the basis of our legitimate interests (for example when using agents, hosts, etc.).

10. Transfers to third countries

A transfer of data to third countries only takes place if there is sufficient security for the data in accordance with Art. 44 et seq. GDPR.

III. Treatment processes

This part gives you an overview of the processing activities we carry out, which we have divided into several business areas. Please note that the business areas are for guidance only and processing activities may overlap (e.g. the same data may be processed in multiple processes).

1. Core area of data processing

In this area you will find information about our basic services and tasks, in particular the provision of our contractual services and the associated ancillary tasks.

1.1. Administration of home-office journeys as part of the Common Measurement Service

We process employee data on behalf of the employer for administrative purposes, including accounting for home office trips as part of the administration of the Common Measurement Service. There is an order processing contract with the employer pursuant to Art. 28 GDPR, which governs our processing obligations on the instructions of the employer.

1.2. Common Loyalty Program

We process the data transmitted by users within the framework of the Common loyalty program for the purpose of offering, establishing, implementing and, if necessary, terminating contracts with partners. The user data is passed on to the respective partner within the scope of the user mediation. This service is free for the user. The services of the partners are invoiced directly to the user.

To use the services of Common’s partners, users are invited to use the Greencents they have received following their journeys. These Greencents can be used to obtain rewards from our partners.

We store your data in order to maintain the contractual relationship and the necessary consents in accordance with legal liability (Article 5 (2) GDPR).

  • Processed data: civil status, communication data, contract data, content data, usage/metadata; as part of the reservation of a mobility service, the time of activation and the IP address are recorded
  • Affected parties: interested parties, online users or website visits
  • Purpose of the processing: provision of contractual services, customer service, logging
  • Basis of processing: Article 6, paragraph 1, point b (contract for brokerage partner offers, management of Greencents) and c (compulsory logging/archiving) of the GDPR
  • Necessity/interest of the processing: the data is necessary to justify and perform the contractual services and to fulfill the legal obligations to provide evidence
  • External disclosure and purpose: mobility providers for the purpose of making offers; partners to offer rewards for Greencents
  • Processing in third countries: no
  • Data deletion: data is stored in accordance with legal requirements and contractual agreements (Art. 18 GDPR). They will initially only be kept for the time necessary to achieve the contractual purposes. The data is necessary in particular to process standard and regular service requests or contract status information in the context of business activities, for the purpose of which it is stored in Common’s IT system for up to six months. In addition, the data is stored within the usual statutory limitation period (§§ 195, 199 BGB) within three years from the end of the contractual relationship, provided that this data is based on previous business experience and common in the industry.

Business developments may become necessary in order to be able to process any warranty and damage claims or comparable claims as well as queries, and to be able to provide the necessary evidence, in particular with regard to the admissibility of data processing under the European data protection framework. In this case, the processing of the data is limited to the aforementioned purposes only in accordance with Art. 18 GDPR. Furthermore, the data is stored in accordance with the legal archiving requirements in accordance with Article 6 (1) (c) GDPR, i.e. for 10 years in accordance with §§ 147 paragraph 1 AO, 257 paragraph 1 no. 1 and 4, paragraph 4 HGB (books, registers, management reports, accounting documents, trading books, documents relating to taxation, etc.) and 6 years in accordance with § 257 paragraph 1 no. 2 and 3 paragraph 4 HGB (commercial letters). Even in the event of legally required archiving, the processing is limited to this sole purpose. The need to store data is implemented in continuous processes and is checked regularly.

2. Client area

We offer a specific user area that requires verified registration and allows users to manage their data within the technical functions available.

  • Processed data: civil status, communication data, contract data, content data, usage data, metadata
  • Persons concerned: interested parties, existing customers
  • Purpose of the processing: provision of contractual services, customer service, use of contractual services
  • Basis of processing: Article 6, paragraph 1, letter a, Article 6, paragraph 1, letter b. GDPR
  • Necessity/interest of the processing: the data is necessary to justify and perform the contractual services and to obtain rewards
  • External disclosure and purpose: mobility providers for the purpose of making offers; partners to offer rewards for Greencents
  • Processing in third countries: no
  • Deletion of data: we keep the data until the user objects to the use of their data; in the case of legal archiving obligations, the deletion takes place after their expiry.

3. Responses to inquiries

Information contained in inquiries we receive via our contact form and by other means, e.g. by e-mail, is processed in order to respond to requests for information. For these purposes, requests may be stored in our customer relationship management system (CRM system) or similar processes that we use to manage requests.

  • Processed data: civil status, communication data, contract data, content data, usage data, metadata
  • Affected parties: interested parties, online users, website visitors, business partners
  • Purpose of the processing: to respond to requests for information
  • Basis of processing: Article 6, paragraph 1, letter b. GDPR
  • Necessity/interest for processing: necessary to respond to inquiries
  • External disclosure and objective: no
  • Processing in third countries: no
  • Deletion of data: the storage of data of interested parties corresponds to the information on the deletion of data within the scope of the aforementioned processing activity “Common Measurement Service”. In other cases, we delete requests if their storage is no longer necessary, which is generally the case 6 months after the last contact; in the case of legal archiving obligations, the deletion takes place after their expiry.

4. Business analysis and market research

In order to operate our business economically, to be able to recognize market trends, interested parties and user requests, we analyze the data available to us on business transactions, inquiries, etc. For this purpose, we merge the personal data of interested parties from registrations and comparison requests with customer usage data.

  • Processed data: civil status, communication data, contract data, content data, usage data, metadata
  • Basis of processing: Article 6 (1) (f) GDPR
  • Affected parties: interested parties, users, business partners, visitors to the online offer
  • Purpose of processing: business analysis, marketing, advertising, market research
  • Nature, scope, operation of processing: profiling, proprietary cookies
  • Necessity/interest of the processing: improvement of user-friendliness, optimization of the offer, commercial efficiency
  • External disclosure and purpose: analytics are provided by Common and are not disclosed externally, except for anonymous aggregate value analytics
  • Processing in third countries: no
  • Deletion of data: the storage of data of interested parties corresponds to the information on the deletion of data within the scope of the aforementioned processing activity “comparison and brokerage services”; otherwise, business analyses and general trend determinations are created anonymously.

5. External online presence

In this area, you will obtain information about our data processing in the context of the exploitation of user visits to third-party sites and applications, for example on social networks.

5.1. Online presence on social networks

We maintain channels in several social networks in order to have several means of communication with customers, interested parties and users active there, and to be able to inform them about our services through these channels. When visiting networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply. Unless otherwise stated in our data protection declaration, we process user data if they communicate with us within social networks and platforms, e.g. write messages on our online presence or send us messages.

The links/buttons used within our online offer to social networks and platforms (hereinafter referred to as “social media”) establish contact between social networks and users only when users click on the links/buttons allowing access to respective networks or sites. This procedure corresponds to the operation of a classic online link. We draw your attention to the fact that user data may be processed outside the European Union. This can lead to risks for users, because for example the enforcement of user rights could be made more difficult. With regard to US providers certified under the Privacy Shield, we draw your attention to the fact that they undertake to comply with EU data protection standards.

In addition, user data is generally processed for market research and advertising purposes. For example, usage profiles are created from the resulting user behavior and interests. Usage profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of users. For these purposes, cookies are usually stored on the computers of the users, in which the usage behavior and the interests of the users are saved. Furthermore, data may also be stored in usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in there).

The processing of users’ personal data takes place on the basis of our legitimate interests in effective user information and communication with users in accordance with Article 6(1) lit. f GDPR. If users are asked by the respective providers to consent to the data processing (i.e. to declare their consent, for example by ticking a box or confirming a button), the legal basis for the processing is Article 6(1) lit. a and Article 7 GDPR. For a detailed description of the respective processing and the possibility of objection (opt-out), we refer to the information of the providers.

In the event of requests for information and the assertion of rights of use, we also draw your attention to the fact that these can be asserted more effectively directly from the providers. Only providers have access to user data and can directly take action and provide information. If you need further assistance, you can contact us nonetheless.

5.2. Social networks we use

  • Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Privacy policy: https://www.facebook.com/about/privacy/, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
  • Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Data Protection Statement: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated
  • Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Privacy policy/opt-out: http://instagram.com/about/legal/privacy/
  • Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland) – Privacy policy: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization
  • Pinterest (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) – Privacy policy/opt-out: https://about.pinterest.com/de/privacy-policy
  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy policy: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
  • Xing (XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany) – Privacy policy/opt-out: https://privacy.xing.com/de/datenschutzerklaerung

5.3. Impact of the use of personal data via social networks

  • Necessity/interest of the processing: expectations of users active on the platforms, economic interests
  • Processed data: civil status, communication data, content data, usage data, metadata
  • Special categories of personal data: generally, no, unless users specify otherwise
  • Basis of processing: Article 6 (1) (f) GDPR
  • Affected: Social media presence users
  • Purpose of processing: information and communication
  • Type, scope, operation of the processing: the operators of the respective platforms bear their own responsibility: permanent cookies, tracking, targeting, remarketing, content and behavioral advertising
  • Necessity/interest of the processing: expectations of users active on the platforms, commercial interests
  • External disclosure and purpose: to social networks
  • Processing in third countries: no
  • Data deletion: The data deletion rules of the respective platforms apply.

5.4. Web server and security hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, measurement and computing capacity, storage space and database services, security services, technical maintenance.

  • Processed data: civil status, contact data, content data, contract data, usage data, meta/communication data
  • Special categories of personal data: no
  • Basis of processing: Article 6 (1) (f) & Article 28 GDPR
  • Affected: customers, interested parties, visitors to the online offer
  • Special protective measures: order processing contract
  • Processing in third countries: no
  • External disclosure and purpose: yes (web host); name, address, web hosting
  • Necessity/interest of processing: security, commercial interests, provision of contractual services
  • Deletion of data: the storage of the data of the interested parties corresponds to the general deadlines for the deletion of data within the framework of the aforementioned processing activity.

5.5. Server temporary files

The server on which this online offer is located collects so-called temporary files in which user data is stored each time the online offer is accessed. The data is used both for statistical analysis, in order to maintain and optimize the operation of the server and for security purposes, for example to detect possible unauthorized access attempts.

  • Processed data: usage data and metadata: name of the website visited, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, operating system of the user, referring URL (the previously visited page), IP address.
  • Special categories of personal data: no
  • Basis of processing: Article 6 (1) (f) GDPR
  • Data subjects: interested parties, users, visitors to the online offer
  • Purpose of processing: optimization of server operation and security monitoring
  • Necessity/interest for processing: security, commercial interests
  • Processing in third countries: no
  • Deletion of data: thirty days.

6. Integrated content and features

In this section we inform you about content, software or functions (in short “content”) of other providers that we integrate within our online offer on the basis of Article 6 paragraph 1 letter f of the GDPR (so-called “integration”). The integration takes place to make our online offer more interesting for our users or for legal reasons, for example to be able to present videos or social media posts as part of our online offer. The integration can also be used to improve the speed or security of the online offer, for example if software elements or fonts are obtained from other sources. In any case, the processed data includes the usage data and metadata of the users as well as the IP address, which is necessarily transmitted to the provider for the integration of the content. Data subjects are visitors to our online offer. The categories of data subjects include users of our online offer, customers and interested parties. Further explanations, in particular on functions and protective measures, can be found in the definitions of terms at the end of this data protection declaration. Deletion of data is determined by the data protection terms of the provider of the embedded content.

6.1. Google services and content

We use the following services and content from the provider Google: YouTube – videos, Google Maps – maps, Google Fonts – fonts, Google – Recaptcha (detection of bots when entering forms).

  • Processed data: usage data, metadata
  • Type, scope, functionality of processing: permanent cookies, third-party cookies, interest-based marketing, tracking
  • Special protection measures: pseudonymization, opt-out
  • Deactivation: http://tools.google.com/dlpage/gaoptout?hl=de, https://adssettings.google.com/authenticated
  • External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy policy: https://www.google.com/policies/privacy/
  • Processing in third countries: no
  • Data deletion: in accordance with Google regulations.

6.2. Facebook features and content

Functions and content of the Facebook service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content or subscribe to content creators or our posts.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, remarketing
  • Opt-out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU)
  • External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Privacy policy: https://www.facebook.com/policy.php
  • Processing in third countries: no
  • Data deletion: data will be deleted in accordance with Facebook regulations.

6.3. Instagram features and content

Functions and content of the Instagram service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content or subscribe to content creators or our posts.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, remarketing
  • External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
  • Privacy policy: http://instagram.com/about/legal/privacy/
  • Processing in third countries: no
  • Data deletion: Data will be deleted in accordance with Instagram’s provisions.

6.4. Pinterest features and content

Functions and content of the Pinterest service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to like content or subscribe to content creators or our posts.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, remarketing
  • External disclosure: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
  • Data protection declaration: https://about.pinterest.com/de/privacy-policy
  • Processing in third countries: no
  • Data deletion: Data will be deleted in accordance with Pinterest regulations.

6.5. Twitter features and content

Functions and content of the Twitter service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to express their liking for the content or its authors, or to subscribe to our publications.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, re-marketing
  • Deactivation: https://twitter.com/personalization
  • External disclosure: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
  • Data protection declaration: https://twitter.com/de/privacy
  • Processing in third countries: no
  • Data deletion: the data will be deleted in accordance with the provisions of Twitter.

6.6. Functions and contents of Xing

Functions and content of the Xing service can be integrated into our online offer. This includes content such as images, videos or text, and buttons that allow users to express their liking for the content or its authors, or to subscribe to our publications.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, re-marketing
  • External disclosure: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany
  • Data Protection Statement: https://www.xing.com/app/share?op=data_protection
  • Processing in third countries: no
  • Data deletion: the data will be deleted in accordance with the provisions of Xing.

6.7. LinkedIn features and content

Functions and content of the LinkedIn service can be integrated into our online offer. This includes content such as images, videos or text, as well as buttons that allow users to like content or subscribe to content creators or our posts.

  • Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status)
  • Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, re-marketing
  • Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
  • External disclosure: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
  • Privacy policy: https://www.linkedin.com/legal/privacy-policy
  • Processing in third countries: no
  • Data deletion: data will be deleted in accordance with the provisions of LinkedIn.

7. Marketing

In this section you will find information about the data processing we carry out with the aim of optimizing our marketing and market research services.

7.1. Sending information via personalized newsletters

We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”), provided that we have your consent or legal authorization. Subscriber data is recorded because we are required to provide proof of consent. The content of the newsletter is not expressly described when registering for the newsletter; it contains information about our company and our services and offers, in particular for the service areas that the recipient has declared to be relevant for them (for example, if a user shows an interest in urban mobility services as part of a consent process).

On the other hand, notifications sent within the framework of contractual or commercial relations are not part of advertising information. This includes, for example, the sending of service emails, technical or organizational information within the scope of our service provision, information on technical and legal changes, inquiries about orders, etc. If we have received your consent to personalized information, we will record your user behavior on our website and in your user profile that we manage. We continue to store information about the devices used, the opening, clicking and reading behavior in e-mails, as well as the sections that have been visited on the website. For technical reasons, this information is stored individually for each user; it is not used to monitor individual users, but rather to tailor content and offers to users. The information collected by us in addition to the e-mail address (e.g. name) is used to address the user personally or to adapt the content of the newsletter.

7.2. Impact of the use of personal data via the newsletter

  • Content of the newsletter: as specified in the registration form, otherwise information about our services and our company
  • Data processed: civil status (e-mail address), usage data (registration time, double opt-in confirmation time, IP address, opening of the e-mail, time and place, time and click on a link in the newsletter)
  • Special categories of personal data: no
  • Basis of processing: Article 6 paragraph 1 letter a, Article 7 GDPR and Article 7 paragraph 2 point 3-3 (shipment and performance measurement), Article 6 paragraph 1 letter c in conjunction with Article 7(1) GDPR (archiving, performance measurement, unless covered by consent)
  • Parties concerned: newsletter recipients, e-mail recipients
  • Purpose of the processing: sending the newsletter, optimization, proof of consent
  • Type, scope, functionality of processing: market analysis
  • Necessity/interest of processing: only the e-mail address is necessary for sending; other information is voluntary and is used to personalize and optimize the content according to the interests of the user. The obligation to prove the consent is the reason for the archiving of the corresponding data. The measurement of success is carried out for users whose consent includes the measurement of success, on the basis of consent, otherwise on the basis of legitimate interests in the optimization of content for users and on the basis of commercial interests
  • Opt-out: there is an unsubscribe link in every newsletter.

7.3. Newsletter features and content

We use “Mailchimp” to send our newsletters.

  • Processed data: civil status (email address), usage data (registration time, double opt-in confirmation time, IP address, opening of the e-mail, time and place, time and click on a link in the newsletter)
  • Special categories of personal data: no
  • Basis for the processing: Article 6, paragraph 1, letter a, Article 7 GDPR and Article 7, paragraph 2, number 3, paragraph 3 (dispatch and performance measurement), Article 6, paragraph 1, letter c in connection with GDPR Art. 7(1) (archiving, performance measurement, unless covered by consent)
  • Purpose of the processing: sending the newsletter, optimization, proof of consent
  • Parties concerned: newsletter recipients, e-mail recipients
  • Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract, opt-out
  • Opt-out: there is an unsubscribe link in each newsletter
  • External disclosure: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA
  • Privacy policy: https://mailchimp.com/fr/gdpr/
  • Processing in third countries: Yes, USA (security via EU-US Privacy Shield).

8. Communication via Messenger

We use email services for communication purposes and therefore ask that you respect the following information about email functionality, encryption, use of communication metadata and your opt-out options. You can also contact us by other means, for example by telephone or e-mail. Please use the contact options provided to you or use the contact options provided in our online offering. In the case of end-to-end encryption of the content (i.e. the content of your message and attachments), please note that the content of the communication (i.e. the message content and attached images) will be end-to-end encrypted. This means that the contents of the messages cannot be viewed, not even by the email providers themselves. You should always use a current version of email with encryption enabled to ensure that message content is encrypted. However, we also point out to our communication partners that the providers of the messengers do not see the content, but can find out when the communication partner is communicating with us, what device the communication partner is using and, depending on the settings of the device, where it is (metadata). If we seek permission from communication partners before communicating via Messenger, the legal basis is consent. If we do not ask for your consent and you contact us, e.g. of your own free will, we use Messenger with our contractual partners and within the framework of the initiation of the contract as a contractual measure, and with other interested parties and communication partners on the basis of our legitimate interests in prompt and efficient communication. We will not pass the contact data provided to us to Messenger without your consent.

9. Revocation, objection and deletion

You can revoke your consent or object to communication with us via Messenger at any time. In this case, we delete the messages in accordance with our general deletion policy (as described above after the end of the contractual relationship and depending on archiving requirements, etc.) and otherwise as soon as we can assume that we have responded to any information from the communication partner, if no reference to a previous conversation is to be expected and if the deletion does not conflict with legal retention requirements.

  • Processed data: civil status, contact data, usage data, contract data, content data
  • Processing bases: Art. 6 (1) lit.a, Art. 7 GDPR in case of consent, Art. 6 (1) lit GDPR in relation to legal requirements for advertising communications
  • Data subjects: interested parties, users, business partners
  • Purpose of processing: commercial communication
  • Type, scope, functionality of processing: contact is only established with the consent of the contact partner or within the scope of legal permissions
  • Necessity/interest for processing: information and business interests
  • External disclosure and purpose: Facebook Messenger: Facebook Messenger with end-to-end encryption
  • Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA
  • Website: https://www.facebook.com
  • Privacy policy: https://www.facebook.com/about/privacy
  • Privacy Shield (guaranteeing the level of data protection when processing data in the United States): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
  • Possibility of opposition (opt-out): https://www.facebook.com/settings?tab=ads
  • Note: Facebook Messenger end-to-end encryption requires activation
  • Processing in third countries: United States
  • Data deletion: with opposition/revocation or omission of the authorization basis for contacting; the storage of the data of the interested parties corresponds to the information on the deletion of the data within the framework of the aforementioned processing activity.

10. Communication by post, e-mail, fax or telephone

  • Processed data: civil status, contact data, contract data, content data
  • Special categories of personal data: no
  • Processing bases: Art. 6 (1) lit.a, Art. 7 GDPR in case of consent, Art. 6 (1) lit GDPR in relation to legal requirements for advertising communications
  • Data subjects: interested parties, business partners
  • Purpose of processing: commercial communication
  • Type, scope, functionality of processing: contact is only established with the consent of the contact partner or within the scope of legal permissions
  • Necessity/interest for processing: information and business interests
  • External disclosure and objective: no
  • Processing in third countries: no
  • Data deletion: with opposition/revocation or omission of the authorization basis for contacting; the storage of the data of the interested parties corresponds to the information on the deletion of the data within the framework of the aforementioned processing activity.

11. Partners for measuring distances, times and means of transport, online marketing and technology

In this section, we inform you about the services of technological partners that we use to measure distances, times and means of transport and for online marketing purposes. They are used on the basis of Art. 6(1)(f) GDPR. Our interest lies in improving user-friendliness, optimizing our offer and its profitability. In all cases, the data to be processed includes usage and metadata. Further explanations can be found in the definitions of terms, in particular on functions and protective measures at the end of this data protection declaration. Unless otherwise specified, the deletion of data is determined in accordance with the data protection declarations of the respective providers.

11.1. Facebook Pixel

We use the Facebook pixel to form target groups and measure the success of the advertisements we place on Facebook.

  • Processed data: usage data, metadata; if users are registered with Facebook, the data will be linked to their Facebook profiles and the data associated with them (in particular their civil status)
  • Type, scope, functionality of processing: persistent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling, website custom audiences
  • Special protective measures: encrypted communication between Facebook and our online offer
  • Opt-out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choice (US)
  • External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Privacy policy: https://www.facebook.com/policy.php
  • Processing in third countries: no
  • Data deletion: Data is deleted by Facebook; deletion takes place when customer data is deleted as part of termination.

11.2. Google Analytics

We use Google Analytics for the purpose of measuring reach and creating target groups.

  • Processed data: usage data, metadata, customer ID from us (Google only receives the customer ID as pseudonymous data without the associated civil data, such as name, address or customer’s email address)
  • Type, scope, functionality of processing: persistent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing
  • Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract, opt-out
  • Opt-out: http://tools.google.com/dlpage/gaoptout?hl=de (Google Analytics browser add-on), https://adssettings.google.com/, https://adssettings.google.com/authenticated (ad parameter)
  • External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy policy: https://www.google.com/policies/privacy/
  • Processing in third countries: no
  • Data deletion: within 14 months.

11.3. Google AdWords

We use Google AdWords to measure the success of the advertisements we place on Google.

  • Processed data: usage data, metadata, customer ID from us (Google only receives the customer ID in the form of pseudonymous data without the associated civil data, such as name, address or customer email)
  • Type, scope, operation of processing: permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling
  • Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract, opt-out
  • Opt-out: http://tools.google.com/dlpage/gaoptout?hl=de (Google Analytics browser add-on), https://adssettings.google.com/, https://adssettings.google.com/authenticated (ad parameter)
  • External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy policy: https://www.google.com/policies/privacy/
  • Processing in third countries: no
  • Data deletion: within 14 months.

11.4. Google Double Click

We use Google Double Click to measure the success of the advertisements we place on Google.

  • Processed data: usage data, metadata, customer ID from us (Google only receives the customer ID in the form of pseudonymous data without the associated civil data, such as name, address or customer email)
  • Type, scope, operation of processing: permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling
  • Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract, opt-out
  • Opt-out: http://tools.google.com/dlpage/gaoptout?hl=de (Google Analytics browser add-on), https://adssettings.google.com/, https://adssettings.google.com/authenticated (ad parameter)
  • External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy policy: https://www.google.com/policies/privacy/
  • Processing in third countries: no
  • Data deletion: within 14 months.

11.5. Google Maps API

We use the cartographic service of the Google Maps platform on this website and in our app.

  • Processed data: usage data, metadata, IP address
  • Type, scope, functionality of processing: permanent cookies, third-party cookies
  • Opt-out: if you do not want Google Maps to collect, process or use data about you via our website, you can deactivate JavaScript in your browser settings. In this case, however, you cannot use the map display
  • External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy policy: https://maps.google.com/help/terms_maps.html
  • Processing in third countries: no
  • Data deletion: data will be deleted in accordance with Google regulations.

Common does not use your data for advertising purposes and will not sell your data to third parties. Your data is solely used to allocate you Greencents.

IV. Additional information

This data protection declaration applies to the provision of our range of services, in particular the modules “Common Measurement Service” and “Common Loyalty Program”. Insofar as we refer to third-party websites via links, our data protection declaration does not apply to these. Please inform yourself on the respective pages about the data protection regulations applicable there.

Due to the further development of our website and our offers as well as due to changed legal or official requirements, it may become necessary to amend this data protection declaration. You can view and print out the currently valid data protection declaration at any time on the app or on our website https://co2mmon.eu.

We are always at your disposal for any questions, suggestions and/or additions, for example by sending an e-mail to privacy@co2mmon.eu.

Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to denes@co2mmon.eu with subject line “enquiry”.