Privacy Policy
1. Contact Person
The contact person and controller in accordance with the EU General Data Protection Regulation (GDPR) for the processing of your personal data when visiting this website is Markus Rosenthal, Federal Association for Carbon Management Solutions (BVCMS), Spielhagenstr. 7, 10585 Berlin. If you have any questions, we are happy to help. You can find our full contact details in our legal notice. You are also welcome to send your data protection inquiries via email to our data protection officer at mrosenthal@bvcms.org or by post to the postal address listed in the legal notice (please include the note: “Attn: Data Protection Officer”).
2. Data Processing on Our Website
a. Accessing our website / connection data. Each time you use our website, we collect the connection data that your browser automatically transmits to enable your visit to the website. This connection data includes the so-called HTTP header information, including the user agent, and specifically includes:
IP address of the requesting device,
Method (e.g., GET, POST), date and time of the request,
Address of the accessed website and path of the requested file,
If applicable, the previously visited or requesting website/file (HTTP referer),
Information about the browser and operating system used,
Version of the HTTP protocol, HTTP status code, size of the delivered file,
Request information such as language, content type, content encoding, character sets.
In addition, we store the security cookie “csrf_https-contao_csrf_token” for the duration of the session on your device in order to prevent cyberattacks within the scope of so-called Cross-Site-Request-Forgery (CSRF).
The processing of this connection data and the storage of the security cookie is strictly necessary to enable your visit to the website, to ensure the ongoing functionality and security of our systems, and to generally maintain our website administratively. The connection data is also temporarily stored in internal log files, limited in scope to what is necessary for the purposes described above—for example, in the case of repeated or criminally motivated access attempts that could endanger the stability and security of our website, in order to identify the source and take action.
The legal basis is Art. 6 (1) lit. b GDPR, insofar as the page visit occurs in the context of initiating or fulfilling a contract; otherwise, the legal basis is Art. 6 (1) lit. f GDPR due to our legitimate interest in enabling access to the website and maintaining the permanent functionality and security of our systems. Access to and storage of information on the user's device is strictly necessary in this case and is based on the national implementations of the EU ePrivacy Directive, in Germany pursuant to § 25 (2) No. 2 TDDDG.
For data protection reasons, log files are not stored or analyzed permanently by us.
b. Contacting us. You have several options for contacting us, including through the contact form, by phone, or by email using the addresses provided above. In this context, we process data solely for the purpose of communicating with you. If you send us messages directly via a contact form or register for our events via the form, it is necessary to provide an email address at which we can reach you. We also ask for your name so we can address you appropriately. Required fields are marked accordingly.
We process the information you provide in order to respond to your inquiry. The legal basis for this data processing is Art. 6 (1) lit. b GDPR, to the extent that your information is necessary to respond to your request or to initiate or fulfill a contract; otherwise, the legal basis is Art. 6 (1) lit. f GDPR, based on our legitimate interest in being able to respond to your inquiries. The data collected during contact will be automatically deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations.
c. Hosting by STRATO and Use of Technical Services
Our website is hosted by STRATO AG, Pascalstraße 10, 10587 Berlin. When accessing our website, STRATO collects certain technical data in so-called log files. This data includes in particular:
IP address of the requesting device,
Date and time of access,
Amount of data transferred,
Browser type and version,
Operating system used,
Referrer URL (the previously visited page),
Hostname of the accessing computer.
This data is stored to ensure the security and stability of the website, especially to detect and prevent attacks. The data is stored for a maximum of seven days and then automatically deleted.
In addition, STRATO uses so-called session cookies, which are technically necessary to enable the operation of the website. These session cookies do not contain any personal data and are automatically deleted after your visit ends. No further processing of personal data via cookies takes place on this website.
We have concluded a data processing agreement with STRATO AG in accordance with Art. 28 GDPR. STRATO processes personal data exclusively on our instructions and in compliance with applicable data protection laws.
Further information on data processing by STRATO can be found at:
https://www.strato.de/datenschutz
Use of Session Cookies
Our website uses only so-called session cookies. These cookies are technically necessary to ensure the functionality of the website and are automatically deleted as soon as you close your browser. They do not contain any personal data and are used solely for the technical operation of the site. The legal basis for the use of these cookies is § 25 (2) No. 2 TTDSG in conjunction with Art. 6 (1) lit. f GDPR.
Integration of Third-Party Services and Content
We use map material from Bing Maps, a service of Microsoft Corporation, on our website. When using Bing Maps, your IP address is transmitted to Microsoft. This is technically necessary to display the content correctly. Further information on data processing by Microsoft can be found in Microsoft's privacy policy:
https://privacy.microsoft.com/de-de/privacystatement
Locally Hosted Fonts (Google Fonts)
To ensure a consistent display of fonts, we use Google Fonts that are hosted locally on our server. No connection is made to Google's servers. No personal data is transmitted to third parties in connection with the display of fonts.
3. Online Meetings via „WebEx“
a. Participation in Meetings:
We use “WebEx” to conduct online meetings, conference calls, and/or webinars (collectively referred to as “meetings”). WebEx is a software product of Cisco Systems, Inc., 170 West Tasman Dr, San Jose, CA 95134, USA (“Cisco”), available as a desktop, web, and mobile app. We primarily use it to conduct digital consultation hours and breakfast workshops.
The legal basis for processing data in the context of WebEx meetings is our legitimate interest in the effective and easy execution of online meetings, discussion groups, and presentations pursuant to Art. 6 (1) lit. f GDPR. Where meetings are conducted as part of an existing contractual relationship with you, the legal basis is Art. 6 (1) lit. b GDPR. We are not responsible for any further data processing that takes place on the product website of WebEx, where the desktop software can be downloaded and the web app can be used.
The following data may be processed during a meeting:
Participant information: display name, first name, last name, phone number, email address, password (encrypted for authentication), profile picture (if provided);
Metadata: subject and description of the meeting, IP address, participant's phone number, device/software type (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of last activity on WebEx, number of chat messages and meetings, duration of audio, video, and screen sharing usage;
For chat use: text data for display and optional logging;
For audio use: microphone recording data;
For video use: webcam recording data;
For recordings: audio, video, and screen sharing data for storage;
For phone usage: incoming and outgoing phone numbers, country name, start and end time, and possibly additional connection data such as the device's IP address.
Before a meeting, you register via our website or by email. We process your registration data. Prior to the meeting, you will receive a confirmation email with an invitation link or calendar entry.
To join a meeting, you must provide at least your name and – if joining via phone – your phone number, unless we allow anonymous participation. You can disable microphone and camera transmission at any time via the relevant settings. We only record meetings or log chat data with your consent and prior notice. Cisco stores and uses metadata to enable us to analyze and report on WebEx usage.
As part of data processing on our behalf, Cisco may gain access to the aforementioned data. All data traffic is encrypted (MTLS, TLS, or SRTP), and encrypted data is generally stored on servers within the European Economic Area (EEA). Wherever possible, we also enable end-to-end encryption. If data is exceptionally processed in the USA, the adequacy decision for the USA applies due to Cisco Systems, Inc.’s certification under the EU-U.S. Data Privacy Framework.
Further information can be found in Cisco’s Privacy Policy, available at:
https://www.cisco.com/c/de_de/about/legal/privacy-full.html
b. Survey on Meetings:
We use “WebEx Polls” to conduct voluntary, anonymous online surveys related to our meetings (see section 5.a). Participation in the surveys is voluntary and providing personal data is not required. A link to the online survey is provided at the end of the meeting or afterward via follow-up communication.
When accessing the webpage with the WebEx poll, the following data may be processed:
Connection data: IP address, HTTP header, user agent;
Cookie information;
Duration to complete the survey;
Selected response options (checkboxes);
Optional: individual responses in free-text fields.
Answering the free-text fields is optional. Please do not enter any data in the free-text fields that could personally identify you unless you wish to do so.
Cisco stores the survey data to analyze participant satisfaction and measure reach. We have concluded a data processing agreement with Cisco for the use of WebEx Polls. All data traffic is encrypted (TLS), and encrypted data is generally stored on servers within the European Economic Area (EEA). If data is exceptionally processed in the USA, the adequacy decision for the USA applies due to Cisco Systems, Inc.’s certification under the EU-U.S. Data Privacy Framework.
Further information can be found in Cisco’s Privacy Policy, available at:
https://www.cisco.com/c/de_de/about/legal/privacy-full.html
4. Disclosure of Data
We only disclose the data we collect if one of the following applies:
- You have given your explicit consent in accordance with Art. 6 (1) lit. a GDPR,
- The disclosure is necessary in accordance with Art. 6 (1) lit. f GDPR for the establishment, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
- We are legally obliged to disclose the data pursuant to Art. 6 (1) lit. c GDPR, or
- The disclosure is legally permissible and required under Art. 6 (1) lit. b GDPR for the performance of a contract with you or for pre-contractual measures taken at your request.
In addition, data may be disclosed in connection with official requests, court orders, and legal proceedings if necessary for legal prosecution or enforcement.
5. Data Transfers to Third Countries
s explained in this privacy policy, we use services whose providers are partly located in so-called third countries (such as the USA), i.e., countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include, among others, the European Union’s standard contractual clauses or binding corporate rules.
Where this is not possible, we base the data transfer on the exceptions under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract.
If a transfer to a third country is intended and neither an adequacy decision nor appropriate safeguards are in place, it is possible—and there is a risk—that authorities in the respective third country (e.g., intelligence services) may gain access to the transmitted data, for the purpose of collection and analysis, and that the enforcement of your data subject rights cannot be guaranteed. If your consent is obtained via the consent banner, you will also be informed of this.
6. Data Retention Period
As a rule, we store personal data only for as long as necessary to fulfill the purposes for which we collected the data. After that, we delete the data without delay, unless we still need it until the end of the statutory limitation period for evidence purposes in civil claims or due to legal retention obligations.
For evidence purposes, we must retain contract data for three years after the end of the year in which the business relationship with you ends. Any claims expire at the earliest after this statutory limitation period.
Even after that, we may need to retain your data for accounting reasons. We are legally obligated to do so due to documentation requirements that may arise from the German Commercial Code (HGB), the Fiscal Code (AO), the Banking Act (KWG), and the Anti-Money Laundering Act (GwG). The statutory retention periods for such records range from two to ten years.
7. You Rights
You have the right at any time to request information about the processing of your personal data by us. As part of this disclosure, we will explain how the data is processed and provide you with an overview of the data stored about you. If the data we have stored is incorrect or no longer up to date, you have the right to request that it be corrected. You may also request the deletion of your data. If deletion is not possible in exceptional cases due to legal obligations, the data will be blocked so that it is only available for that legal purpose. You can also request that the processing of your data be restricted—for example, if you believe that the data we have stored is incorrect.
You also have the right to data portability, meaning we will provide you with a digital copy of the personal data you have provided to us, upon request.
To exercise your rights as described here, you can contact us at any time using the contact details provided above in Section 1. This also applies if you wish to receive copies of safeguards demonstrating an adequate level of data protection. If the legal requirements are met, we will comply with your data protection request.
Your requests regarding the exercise of data subject rights and our responses to them will be stored for documentation purposes for up to three years, and in individual cases beyond that if necessary for the establishment, exercise, or defense of legal claims. The legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR, based on our legitimate interest in defending against potential civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR, and fulfilling our accountability obligations under Art. 5 (2) GDPR.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You may exercise this right with a supervisory authority in the Member State of your residence, your place of work, or the place of the alleged infringement. In Berlin, the responsible supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59–61, 10555 Berlin.
8. Right of Withdrawal and Objection
In accordance with Art. 7 (3) GDPR, you have the right to revoke any consent you have given at any time with effect for the future. As a result, we will no longer continue any data processing that was based on this consent. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.
If we process your data based on legitimate interests pursuant to Art. 6 (1) lit. f GDPR, you have the right, in accordance with Art. 21 GDPR, to object to the processing of your data on grounds relating to your particular situation. If the objection concerns data processing for direct marketing purposes, you have a general right to object, which will be implemented by us without the need to state any reasons.
If you wish to exercise your right of revocation or objection, a simple informal notification to the contact details provided above is sufficient.
Last updated: February 2025