I. Who is responsible and how can I contact the Data Protection Representative?
The data controller within the meaning of the GDPR (General Data Protection Regulation) is the
NABU (Nature and Biodiversity Conservation Union Germany) e.V.
Tel. +49 (0) 30-28 49 84-0
Fax +49 (0) 30-28 49 84-20 00
Register court: Amtsgericht Stuttgart | Register number: VR 2303
VAT identification no.: DE 155765809
President: Jörg-Andreas Krüger, Managing Director: Leif Miller
If you have any questions about the processing of your personal data by us or about data protection in general, please contact our data protection representative at the following e-mail address: datenschutz@NABU.de.
The easiest way to exercise your rights of objection is to contact widerspruch@NABU.de. If you require secure transmission, please contact us by post. For all other data protection concerns, especially confidential ones, you can contact our external data protection officer, Dr. Stefan Drewes, directly via the e-mail address dsb@NABU.de.
II. Your rights as the person concerned
Each person concerned has the following rights:
• Right of access by the data subject (Art. 15 GDPR),
• Right to rectification (Art. 16 GDPR),
• Right to erasure, also known as the "right to be forgotten" (Art. 17 GDPR),
• Right to restriction of processing (Art. 18 GDPR),
• Right to data portability (Art. 20 GDPR),
• You can object to the processing of personal data for advertising purposes including an analysis of customer data for advertising purposes at any time without stating reasons.
In addition, the person concerned also has a general right to object (cf. Art. 21 (1) GDPR). In this case, the objection against data processing must be substantiated. If the data processing is based on consent, your consent can be revoked at any time with effect for the future.
The easiest way to exercise the rights of a person concerned is to contact widerspruch@NABU.de. In addition, you have the right to lodge a complaint with the data protection supervisory authority responsible for you.
III. Processing of personal data by NABU
Below, we would like to give you an overview of the personal data that we, as the responsible party, process about you as a member, donor, interested party or business partner.
This includes the types of personal data processed, the purposes and the scope. Insofar as data processing takes place when you visit the website, we refer to our "Cookie-Policy".
1. Types of personal data
The categories of personal data processed by the controller depend to a large extent on the occasion and the context in which a contact or contractual relationship with you is or will be established. For instance, a distinction must be made between members, donors, sponsors, interested parties and business partners. Within the context of a membership, a donation, a participation campaign (e.g. petitions, competitions, animal/insect observation data), an inquiry or any other contract, the data controller generally processes the following categories of data depending on the specific relationship:
• Surname, first name, address, contact details (telephone, e-mail), date of birth, place of birth, marital status, branch/occupation, member and donor ID; other data on family members (in the case of family memberships);
• Company name, if necessary also including surname, first name, address, contact data (telephone, e-mail), branch of industry, contact person in the company with surname, first name, function, contact data (telephone, e-mail);
• Identification data (for example ID card data), Authentication data (for example signature specimen), tax ID;
• Payment transaction and contract data (e.g. bank connection/credit card data, payment orders), credit rating score (payment behaviour of business partners);
• Contract history and turnover with business partners;
• Member and donor histories, interested party histories with regard to bequests;
• Data from animal/insect monitoring notifiers, where necessary for scientific validation purposes.
Further data such as information on the contact channel, date, occasion and result and copies of correspondence can be processed. This is especially the case when direct contact is made with you during membership, service for donors and interested parties, in particular during participatory activities, or during a business relationship.
2. Data processing purposes and legal basis
The data controller processes your aforementioned personal data and categories of personal data for the purpose of fulfilling the respective contract (e.g. membership, donation, join-in campaign, other business relationship) or for carrying out pre-contractual measures (e.g. (chargeable) information orders) with you in accordance with Art. 6 Para. 1 lit. b) GDPR. For these purposes, your contact data will also be used, for example, in the context of specific information and queries.
The data controller is also subject to various legal requirements (e.g. Money Laundering Act, tax laws) and in this respect processes your data also on the basis of legal requirements according to Art. 6 Para. 1 lit. c) or in the public interest according to Art. 6 Para. 1 lit. e) GDPR. The purposes of the processing include:
• the application and evidence requirements in the context of grants from public bodies;
• the control and verification obligations within the framework of the allocation of fines and monetary conditions;
• the obligations to provide evidence in the context of the execution of wills and legacies;
• the fulfilment of obligations under social insurance law (e.g. statutory accident insurance);
• the reporting obligations to regulatory and investigative authorities if the data controller becomes aware of violations of legal regulations (e.g. Animal Protection Act and other species protection regulations) (e.g. from the reporting of animal/insect observation data);
• the prevention of fraud and money laundering;
• the fulfilment of fiscal control and reporting obligations and auditing requirements;
• the fulfilment of official and judicial directives and orders;
• as well as the assessment and management of risks on the part of the data controller.
If necessary, the data controller processes your data within the framework of the consideration of legitimate interests in accordance with Art. 6 Para. 1 lit. f) GDPR to safeguard the legitimate interests of the data controller or third parties. For example:
• Measures for business management and further development of statutory activities, also in connection with other NABU organisations (e.g. divisions and foundations at federal and state level) on the basis of the joint data protection regulations;
• Transfer of contact data between the inquirers and internal and external environmental/animal protection experts of the data controller;
• free information orders and contact requests;
• Participation in petitions (online or via signature lists);
• the publication of images on the website, in print products and on social media channels in connection with reporting on events of the data controller;
• measures for the management of the association and the further development of tasks in accordance with the statutes;
• Exchange of experience with other national and international environmental protection organisations in the context of global strategies and global environmental protection;
• assertion of legal claims and defence in legal disputes;
• Ensuring the IT security and IT operation of the data controller;
• prevention of criminal offences;
• Measures for building and plant security (e.g. access controls);
• use of the guest WLAN;
• Data exchange with credit agencies to determine creditworthiness or default risks of business partners.
Also within the framework of the consideration of legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR for the purpose of pursuing the legitimate interests of the data controller, the data controller processes your data, for example, on the basis of membership, the donation relationship, participation actions, existing contracts or requests for needs-based information within the framework of the purposes of the data controller in accordance with the articles of association (self-advertising) in accordance with the following provisions:
• postal advertising, provided that you have not objected to this processing; you can object to this advertising use at any time with effect for the future by using the contact data listed above (see Item 1.) (see Item 7.);
• telephone advertising to companies in the event of your presumed consent to such processing, provided you have not objected to such processing; you may object to such advertising use at any time with effect for the future by using the contact data listed above (see Item 1.) (see Item 7.);
• Receipt of subsidies/third party funds, provided that the action, event or similar in which you have participated is financed by subsidies/third party funds;
• improvement of our own offers.
The data controller does not transfer your data to third parties for advertising purposes.
Insofar as you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent in accordance with Art. 6 para. 1 lit. a) GDPR. Consent, once granted, can be revoked at any time with effect for the future using the contact details listed above (see item 1.). Consent may be given for, among other things:
• the sending of a newsletter tailored to your interests (for example in the context of information requests) to your e-mail address and all related processing, for more information see the section "Subscription to an e-mail newsletter" below;
• the use of the occasion/content of a participation in petitions for the design of the newsletter in line with your interests and content, whereby, depending on the content of the petition, this may involve special categories of personal data pursuant to Art. 9 GDPR;
• telephone advertising within the scope of the statutory purposes of the data controller also for donations in favour of the data controller.
3. Recipients and categories of recipients of the data
Within the organisation of the data controller, only those entities that need access to your data will be given access to your data in order to fulfil their tasks. The need derives from our contractual and legal obligations as well as on the basis of the consideration of interests, taking into account the respective data category. Service providers employed by the responsible party may also receive data for these purposes if they are commissioned as processors in accordance with Art. 28 GDPR.
Possible recipients of personal data are for example:
• within the framework of the statutory, graduated membership in NABU, the NABU national associations and regional divisions responsible for your place of residence;
• within the framework of the statutory, graduated membership of NABU members up to the age of 27, the NAJU (Naturschutzjugend im NABU) as well as the NAJU Federal Associations and regional divisions responsible for your place of residence;
• within the framework of the common data protection regulations of other NABU organisations (e.g. federal and state level divisions and foundations);
• national and international environmental protection organisations within the framework of global strategies and global environmental protection;
• Cooperation partners with whom joint actions and projects (e.g. participatory campaigns) are carried out online or by means of print products;
• public bodies and institutions (e.g. regulatory and investigative authorities, financial authorities, Federal Central Tax Office) when there is a legal or official obligation or cooperation;
• Funding/third-party funding bodies, provided that the action, event or similar is financed by funds/third-party funding;
• other credit and financial services institutions;
• Contract processors, for example for member and donation recruitment, for the support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening in accordance with legal requirements, printing and sending personalised letters, sending e-mails, data destruction, auditing services and payment transactions;
• Credit inquiry agencies within the scope of a creditworthiness inquiry on companies;
• other data recipients on the basis of a consent given by you.
4. Transfer of data to a third country or international organisation
A data transfer to countries outside the EU or the EEA (so-called third countries) is only carried out if this is necessary for the execution of your orders, if it is required by law (e.g. tax reporting obligations), if you have given us your consent or within the scope of a commissioned data processing. If third country service providers are used, in addition to written instructions, they must take appropriate measures (e.g. agreement on the EU standard contractual clauses, EU-US Privacy Shield certification) to comply with the level of data protection in Europe.
5. Duration of data storage
The data controller processes and stores your personal data for as long as it is necessary for the fulfilment of its contractual and legal obligations and on the basis of the consideration of interests, taking into account the respective data category. If the data is no longer required for this purpose, it is regularly deleted, unless its temporary further processing is necessary, for example in a separate archive with restricted access rights, for the following purposes:
• Fulfilment of commercial and tax law retention periods (e.g. Commercial Code and Fiscal Code with the retention or documentation periods specified therein for a period of two to ten years, e.g. for business letters, contracts, orders, invoices and grant certificates);
• Preservation of evidence for a period of 30 years in accordance with § 197 of the German Civil Code (BGB), e.g. in the context of claims that have been legally established, claims from enforceable settlements or enforceable deeds;
• Preservation of evidence for the duration of 3 years according to § 195 BGB for evidentiary purposes and any necessary clarification of judicial or extrajudicial claims (e.g. correspondence in the context of processing the rights of the persons concerned, data in connection with a terminated membership, unless longer retention periods exist).
6. Obligation to provide data
In the context of a business relationship (for example, memberships, donation processing, other contracts), you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations, or that we are legally obliged to collect. Without this data, we will usually have to refuse to conclude the contract or execute the order, or we will no longer be able to execute an existing contract and may have to terminate it.
We reserve the right to adapt this data protection declaration so that it always corresponds to the current legal requirements or to implement changes to our services in the data protection declaration, e.g. when introducing new services. Your renewed visit will then be subject to the new data protection declaration.