Privacy statement
Institut Bauen und Umwelt e.V. (IBU), Hegelplatz 1, 10117 Berlin, Germany, is the operator of this website and the respective services on offer. IBU takes data protection very seriously. Access to EPD-Online requires your prior registration. Where the processing of personal data is required and there is no legal basis for such, IBU will generally obtain the consent of the user (data subject) in question.
The processing of personal data, such as the name, address, email address or telephone number of a data subject, is carried out in line with the General Data Protection Regulation in all cases and in accordance with specific regional data protection provisions incumbent upon IBU. The aim of this privacy statement is to inform users of our website of the nature, extent and purpose of the personal data that is collected, used and processed by IBU. In addition, this privacy statement also explains the rights afforded to data subjects.
As the processing controller, Institut Bauen und Umwelt e.V. has implemented numerous technical and organisational measures to ensure the most comprehensive protection possible for personal data processed via this website. Notwithstanding this, Internet-based data transmissions may present security vulnerabilities, with the result that absolute protection cannot be guaranteed. For this reason, any data subject may choose to convey personal data to IBU using alternative methods such as by telephone or by post.
1. Definitions
The Institut Bauen und Umwelt e.V. privacy statement draws on terminology used by European regulators in enacting the General Data Protection Regulation (GDPR). Our privacy statement is intended to be easy to read and understandable for the public and our members and business partners alike. In the interests of achieving this, we wish to clarify the terms used in advance.
Amongst others, the following terms are used in this privacy statement:
§ a) Personal data
Personal data means information regarding an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
§ b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the processing controller.
§ c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
§ d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
§ e) Controller or processing controller
Controller or processing controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
§ f) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
§ g) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients.
§ h) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
§ i) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the processing controller
Controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in Member States of the European Union and other provisions of a data protection nature is:
Institut Bauen und Umwelt e.V.
Hegelplatz 1
10117 Berlin
Germany
Tel.: +49 (0) 30 30 87 74 8 – 0
E-Mail: info@ibu-epd.com
Website: https://epd-online.com/
3. What data will be recorded during my visit to EPD Online?
Every time a user accesses a page at www.epd-online.com, access data relating to this event is stored in a log file on our server:
· IP address of the requesting computer
· Website from which the file was requested
· Date and time of access
· Browser type and settings
· Operating system
· Pages accessed by you
· Data volume transferred
· Access status (file transfer, file not found etc.)
IBU cannot identify the data subject through the use of this general data and information. Rather, this information is required for the purpose of (1) correctly delivering the content of our website, (2) optimising our website content, (3) safeguarding the permanent functionality of our IT systems and our website technology and (4) providing law enforcement agencies with the requisite information for criminal prosecution in the event of cyber attack.
This anonymously collected data and information is consequently analysed by IBU for statistical purposes and also with the aim of enhancing data protection and data security in order to ultimately secure an optimum level of protection for personal data processed by IBU. Anonymous data on server log files is stored separately from all personal data provided by a data subject.
4. Contact via email
In line with statutory requirements, the IBU website contains information to allow swift electronic contact as well as direct communication with IBU, which also covers the use of a general electronic mail address (email address). Personal data transmitted by the data subject when contacting the processing controller via email is automatically stored. Such personal data voluntarily sent by a data subject to the processing controller is stored for the purposes of processing or contacting the data subject. This personal data is not disclosed to any third parties.
5. Routine erasure and blocking of personal data
The processing controller will process and store personal data relating to the data subject solely for the period necessary to achieve the intended purpose of storage or insofar as provided for by European regulators or other legislative bodies in laws or regulations incumbent upon the processing controller.
Personal data will be routinely blocked or erased in accordance with the pertinent statutory provisions where the intended purpose of storage no longer applies or the applicable storage period prescribed by European regulators or other competent legislative authorities has expired.
6. Processing of personal data
Access to EPD-Online requires your prior registration. This data is provided by the user on an expressly voluntary basis. Your personal data is not forwarded to any third parties.
6.1 Free registration at epd-online.com
You are requested to provide the following personal data on the contact form:
· Title (gender)
· Surname
· First name
· Email address
· Occupation
To successfully register, you must provide the aforestated information and click on 'Register'. You will then receive an email with a confirmation link (so-called ' double opt-in ' procedure). After clicking on this link, the user simply needs to enter a user name and password.
6.2 Creating own EPDs
Users wishing to create an EPD with IBU will need to complete an additional form. This function is opened by clicking on 'Create own EPDs', whereupon the following personal data is requested:
· Title (gender)
· Surname
· First name
· Email address
· Occupation
By clicking on the 'Send application' button, the user's request is sent to IBU. The request will then be processed by a member of IBU staff and either accepted or rejected.
6.3 Stored data
a) The following data specified under 3.1 and 3.2 in EPD-Online is visible to IBU staff:
· Surname
· First name
· Email address
· Telephone number
· Company affiliation
b) Third-party personal data is not visible to other users; one exception being in the case of the same company affiliation with other users under the menu option 'Overview' (this will only first be visible following acceptance of the EPD creator information request, see 6.2). This overview shows all the EPDs of a manufacturer and its commensurately responsible staff and details:
· First name
· Surname
· Email address
· Company (for example, in the event of support by external service providers/consultants)
· Status (in progress, for verification, awaiting verification, for post-processing, for approval, approved, published, due to expire, expired) and
· Language.
7. Statistics
Statistics drawn from certain data are generated in the background of EPD-Online, which are then used and/or analysed internally by IBU. These statistics can only be accessed by IBU staff. No information is forwarded to any third parties.
7.1 EPD status report
The status report provides a general overview of all EPDs entered in EPD-Online, including information regarding their commensurate status (in progress, for verification, awaiting verification, for post-processing, for approval, approved, published, due to expire, expired), as well as details of whether and which life cycle assessment modules are included in the LCA table.
The following personal data is stored accordingly:
· First name and surname of person responsible
· Contact data (street, house number, post code and town/city)
· Date EPD last accessed (date, time).
7.2 VeWa report ( IBU’s software for EPD accounting =Vereinsverwaltungs-Software)
This is used for member and declaration owner invoicing. The following personal data is stored accordingly:
· First name and surname of person responsible
· First name and surname of last EPD processor
· Last saved change to EPD (date, time)
· Contact data (street, house number, post code and town/city)
· Telephone number
· Fax number
· Email address provided by the manufacturer in the respective EPD.
8. Rights of the data subject
§ a) Right of confirmation
Every data subject has the right granted by the European regulators to require confirmation from the processing controller as to whether or not personal data concerning the respective data subject is being processed. Any data subject wishing to exercise this right of confirmation may submit a commensurate request to a member of the IBU staff at any time.
§ b) Right of access
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to require the processing controller to provide free-of-charge access at any time to personal data stored in relation to the data subject and also obtain a copy of such information. Moreover, the European regulators have afforded the data subject a right to the following information:
§ The purposes of the processing
§ The categories of personal data concerned
§ The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
§ Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
§ The right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
§ The right to lodge a complaint with a supervisory authority
§ Where the personal data is not collected from the data subject: all available information regarding its source
§ The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
In addition, the data subject also has the right to know whether personal data has been transferred to a third country or international organisation. Where this is indeed the case, the data subject has the residual right to be informed of the appropriate safeguards relating to the transfer.
Any data subject wishing to exercise this right of access may submit a commensurate request to a member of the IBU staff at any time.
§ c) Right to rectification
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to require rectification without delay of inaccurate personal data relating to the data subject. Moreover, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Any data subject wishing to exercise this right of rectification may submit a commensurate request to a member of the IBU staff at any time.
§ d) Right to erasure (right to be forgotten)
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to require the controller to erase personal data concerning the data subject without undue delay where one of the following grounds applies and processing is unnecessary:
§ The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
§ The data subject withdraws consent on which the processing is based according to Article 6 (1) (a) or Article 9 (2) (a) GDPR and there is no other legal ground for the processing
§ The data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR
§ The personal data has been unlawfully processed
§ Erasure of the personal data is required for compliance with a legal obligation in accordance with European Union or Member State law to which the controller is subject
§ The personal data has been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR
Wheresoever one of the above-stated grounds applies, any data subject wishing to arrange for the erasure of personal data stored by IBU may request such from a member of the IBU staff at any time, whereupon IBU will duly carry out commensurate erasure without delay.
§ e) Right to restriction of processing
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to require the restriction of processing by the controller of personal data concerning the data subject where one of the following conditions applies:
§ The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
§ The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead
§ The controller no longer needs the personal data for the purposes of processing; however, the data is required by the data subject for the establishment, exercise or defence of legal claims
§ The data subject has objected to processing pursuant to Article 21 (1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject
Wheresoever one of the above-stated grounds applies, any data subject wishing to facilitate restriction of personal data stored by IBU may request such from a member of the processing controller's staff at any time, whereupon IBU will arrange for restriction of processing.
§ f) Right to data portability
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to receive the respective personal data which they have provided to a controller, in a structured, commonly used and machine-readable format. In addition, the data subject has the right to transmit such data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means, provided the processing is not required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Moreover, in exercising their right to data portability pursuant to Art 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another where technically feasible and insofar as not adversely affecting the rights and freedoms of others.
To exercise the right to data portability, the data subject may request such from a member of IBU staff at any time.
§ g) Right to object
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to object at any time on grounds relating to their particular situation to the processing of personal data concerning the data subject based on Article 6 (1) (e) or (f) GDPR.
In the event of objection, IBU will no longer process the personal data, save for where IBU demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
To exercise the right of objection, the data subject may request such directly from a member of IBU staff. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
§ h) Right to withdraw data protection consent
Any data subject in respect of whom personal data is being processed has the right granted by the European regulators to withdraw their consent for the processing of personal data at any time.
Data subjects wishing to exercise this right of withdrawal of consent may submit a commensurate request to a member of the IBU staff at any time.
9. Period for which personal data will be stored
The criterion determining the period for which personal data may be stored is the respective statutory period of storage. Following expiry of this period, the corresponding data will be routinely erased provided it is no longer required for the purposes of initiating or performing a contract.
10. Cookies
IBU uses session cookies on its website. The respective data is not permanently stored. The use of temporary cookies offers you the advantage of not having to re-enter your personal data every time you fill out one of the various forms on our website. The cookies are automatically deleted upon closing down the browser.
Cookies do not damage your computer hard-drive and cannot be used to transfer personal data to IBU.
The default setting on most browsers automatically accepts cookies. Nevertheless, you can deactivate the storage of cookies or set your browser to notify you whenever cookies are sent.
Where cookies have been deactivated, a so-called session ID is used to identify the respective person during corresponding access to our website. No data is stored on your computer. The session ID is deleted upon terminating your access.
11. Transfer of personal data to third parties
IBU uses personal data solely for internal purposes within the course of customer relations. Personal data is not forwarded to third parties without your required consent.
Personal data will only be collected and transferred to state institutions and authorities entitled to receive such data within the scope of applicable law or where we are obliged to do so by court order. IBU requires that all employees and service provider companies maintain secrecy and comply with data protection provisions.
