Data protection

§ 1 Information on the processing of personal data

(1) The protection of your personal data is our top priority and is taken into account by us. The following data privacy policy provides an overview of how we process your personal data. Personal data refers to all information relating to an identified or identifiable natural person.

Below, we provide information about the type, scope and purpose of the processing of personal data and how we handle this data. You will also learn about your rights regarding the processing of your personal data.

(2) The controller pursuant to Article 4 (7) of the General Data Protection Regulation (GDPR) is

DGNB GmbH
represented by Johannes Kreißig and Markus Kelzenberg
Tübinger Str. 43
70178 Stuttgart
E: gmbh@dgnb.de
T: +49 711722322-0

You can contact our data protection officer at

or our postal address with the addition "the data protection officer".

(3) When you contact us by e-mail or via a contact form, the data you provide (such as your e-mail address, name and telephone number) will be stored by us in order to respond to your enquiry. We delete the data collected in this context once storage is no longer necessary, or restrict processing if there are legal retention obligations. The legal basis for the processing of data transmitted in an email is Article 6 (1) point (f) of the GDPR. If the email contact is aimed at concluding a contract, the additional legal basis for the processing of the data is Article 6 (1) point (b) of the GDPR.

(4) For certain technical and organisational processes, we use the services of external service providers who have access to personal data in order to provide these services. These are service providers bound by instructions who are obliged to comply with data protection regulations and may not use the data for any other purpose.

§ 2 Your rights

(1) You have the following rights with regard to your personal data:

Right to information pursuant to Article 15 GDPR,
Right to rectification or erasure pursuant to Article 16 and Article 17 GDPR,
Right to restriction of processing pursuant to Article 18 GDPR,
Right to object to processing pursuant to Article 21 GDPR,
Right to data portability pursuant to Article 20 GDPR.

(2) If we process your personal data on the basis of your consent, you can revoke this consent at any time with effect for the future. The revocation of consent initially granted has no effect on the lawfulness of data processing up to the point of revocation.

(3) You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

§ 3 Processing of personal data during a visit to our website

(1) When using the website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to browse on our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (the legal basis is Article 6 (1) sentence 1 point (f) of the GDPR):

IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred
Website from which the request originates
Browser
Operating system and its interface
Language and version of the browser software

The log files are deleted after one month. They are not stored for longer than this. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the client making the request.

(2) The website was created by the web agency Mosaiq and is continuously maintained by them.

This website is hosted by gridscale GmbH, Oskar-Jäger-Str. 173 in 50825 Cologne.

§ 4 Use of cookies

In addition to the information mentioned above, cookies are stored on your computer when you use our website. Cookies are small text files that are stored in
the Internet browser or by the Internet browser on the user's computer system.
When a user accesses a website, a cookie may be stored on the user's operating system. Cookies cannot execute programmes or transfer viruses to your computer. They serve to make the Internet offering more user-friendly and effective overall.

Our website uses the following types of cookies, the scope and functionality of which are explained below:

Session cookies

Session cookies are automatically deleted when you close your browser. They store a so-called session ID, which can be used to assign various requests from your browser to the shared session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.

Permanent cookies

Permanent cookies are automatically deleted after a specified period, which may
vary depending on the cookie. You can delete cookies at any time in your browser's security settings.

We use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you would have to log in again for each visit.

§ 5 Google Maps

Google Maps is integrated into our website to show you our location. Google Maps is a service provided by Google Ireland Limited, Gordon House Barrow Street Dublin 4, Ireland (hereinafter: Google). To ensure that you retain control over your data, we use the privacy-friendly two-click solution for integration. This ensures that when you simply visit our website, no connection is established with Google's servers and your data is not transmitted to Google. The integration is initially deactivated by default and is only activated and loaded by the platform after you click on the button. After activating the link, your personal data relating to your use of the platform will be automatically processed, meaning that your data will be transferred to Google and stored on Google's servers.

If consent is given, processing is carried out exclusively on the basis of Article 6 (1) point (a) of the GDPR and § 25 (1) of the TDDDG. Consent can be revoked at any time.

For the purpose and scope of data collection and the further processing and use
of the data by Google, as well as your rights in this regard and setting options for protecting your privacy, please refer to Google's date privacy policy at https://policies.google.com/technologies/partner-sites?hl=en-GB.

It cannot be ruled out that data collected by Google services may also be transferred to a Google server in a third country, to a server of Google's parent company, Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California, USA ("Google LLC"), and stored there. Data transfers to the USA are permitted on the basis of an adequacy decision by the EU Commission, provided the US company is certified under the “EU-US Data Privacy Framework”. This is an agreement between the EU and the USA that is intended to ensure compliance with European data protection standards in the USA. Google LLC is certified under the EU-US Data Privacy Framework. Further information on this can be found at https://www.dataprivacyframework.gov/list

§ 6 Matomo

This website uses the open-source web analytics service Matomo offered by InnoCraft Ltd. (150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769; representative in the EU: ePrivacy Holding GmbH, Große Bleichen 21, 20354 Hamburg; privacy policy: https://matomo.org/matomo-cloud-privacy-policy/ ).

With the help of Matomo, we can collect and analyse data about how visitors use our website. This allows us to find out, among other things, when page views were made and which region they came from. We also collect various log files (e.g. anonymised IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g. clicks, etc.).

The use of this analysis tool is based on Article 6 (1) point (f) of the GDPR. The website operator has a legitimate interest in analysing user behaviour to optimise both its website and its advertising. If consent has been requested, processing is carried out exclusively based on Article 6 (1) point (a) of the GDPR and § 25 (1) of the TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

IP anonymisation
We use IP anonymisation for analysis with Matomo. This means that your IP address is truncated before analysis so that it can no longer be clearly assigned to you.

Cookie-free analysis
We have configured Matomo to ensure that it does not store any cookies in your browser.

Hosting
The collected information is sent to a Matomo server in Germany (Frankfurt) and stored there. This means that no technical transfer to third countries takes place. Insofar as data is transferred to InnoCraft's headquarters outside the European Economic Area, this is covered by an EU adequacy decision for New Zealand.

Order processing
We have concluded a contract for order processing (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

Withdrawal of consent:
You can revoke your consent to the storage and evaluation of your data by Matomo at any time via the link below. A so-called opt-out cookie will then be stored on your device, which is valid for two years. As a result, Matomo will not collect any session data. Please note, however, that the opt-out cookie will be deleted if you delete all cookies.

Further information on the privacy settings of the Matomo software can be found at the following link: matomo.org/docs/privacy/.

You have the option to prevent your actions here from being analysed and linked. This will protect your privacy but will also prevent the owner from learning from your actions and improving the usability for you and other users.

Your visit to this website is currently being tracked by Matomo web analytics. Deselect this checkbox to opt out.

§ 7 Application process

We offer you the opportunity to apply for a job with us. Below, we provide information about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with the principles of the GDPR and all other legal provisions, and that your data will be treated as strictly confidential.

When you apply for a job with us, we need some information about you. The following application data is collected and processed:

Title
Surname, first name
Email address
Address
Telephone / mobile number
Date of birth
Upload attachments for application documents (e.g. cover letter, CV, references)

As part of the selection process, applications received are reviewed, queries are made using the above information if necessary, invitations to interviews are sent out and further personal data is collected during interviews as part of the selection process in order to make a decision.

The legal basis for the processing of this data is Article 88 (1) GDPR in conjunction with § 26 BDSG (Federal Data Protection Act) or Article 6 (1) point (b) GDPR. The purpose of collecting and processing your data is to handle the application process.

If no employment relationship is established following the application process, the application documents will be deleted six months after notification of the rejection decision. If your application is followed by the conclusion of an employment contract, your data will be stored and used in accordance with the relevant legal provisions.

Your personal data collected during the application process will be transferred to our service provider for order processing:

Personio GmbH

Rundfunkplatz 4

80335 Munich

Tel.: +49 89 1250 1005

Personio GmbH is a personnel administration and applicant management software provider. We ensure that your data is treated confidentially and securely in accordance with the applicable data protection regulations https://dgnb.jobs.personio.de/privacy-policy?language=de.

§ 8 Additional functions and offers on our website

(1) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. To do so, you will usually need to provide additional personal data, which we will use to provide the respective service and to which the previously mentioned principles for data processing apply.

(2) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.

(3) Furthermore, we may pass on your personal data to third parties if contracts or similar services are offered by us together with partners. You will receive more detailed information on this when you provide your personal data or in the description of the offer below.

(4) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of the consequences of this in the description of the offer.

§ 9 Objection or revocation of the processing of your data

(1) If you have given your consent to the processing of your data, you can revoke this consent. Such revocation affects the permissibility of the processing of your personal data after you have notified us of your revocation.

(2) If we base the processing of your personal data on the balancing of interests, you can object to the processing. This is the case if the processing is not necessary to fulfil a contract with you, which is explained by us in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons for continuing the processing.

(3) You can, of course, object to the processing of your personal data for advertising and data analysis purposes at any time.

You can inform us of your objection using the following contact details:

DGNB GmbH

Tübinger Str. 43, 70178 Stuttgart

Email:

§ 10 Use of blog functions

You can post public comments on our blog, where we publish various articles on topics related to our activities. Your comment will be published with the username you provided. We recommend using a pseudonym instead of your real name. You must provide a username and email address; all other information is voluntary. When you post a comment, we also store your IP address, which we delete after one week. We need to store this information to defend ourselves against liability claims in cases of possible publication of illegal content. We need your email address to contact you if a third party complains that your comment is illegal.

The legal basis for this is Article 6 (1) point (a) and (f) GDPR. Comments are not checked before publication. We reserve the right to delete comments if they are reported as illegal by third parties.

When writing your comment, you can tick the box for our email service. This will notify you when other users leave a comment on the post. We use the double opt-in procedure for this service, which means you will receive an email asking you to confirm that you are the owner of this email address and wish to receive notifications. You can unsubscribe from these notifications at any time by clicking on the link contained in the email. We store your personal data, including your email address, the time you registered for the service and your IP address, until you unsubscribe from the notification service. The legal basis for this is Article 6 (1) point (a) GDPR

§ 11 Use of our web shop

When you place an order in our web shop, you must provide the personal data we need to process your order in order to conclude the contract. Mandatory information required for the execution of the contract is marked separately; further information is voluntary. The legal basis for this is Article 6 (1) point (b) GDPR. We forward the data you provide to our contract processor for invoice processing in order to process your order.

We may also process the data you provide to inform you about other products in our portfolio or to send you emails with technical information.

We are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, after two years, we restrict processing, i.e. your data will only be used to comply with legal obligations.

To prevent unauthorised access to your personal data by third parties, the order process is encrypted using SSL or equivalent TLS technology.

§ 12 Use of the DGNB Navigator

We operate the Navigator product database, in which manufacturers can list their products and services in order to inform planners, builders and other interested parties. However, the products and services cannot be purchased via the DGNB Navigator. We therefore only mediate contact between buyers and sellers/contractors and clients. The actual transaction takes place outside our sphere of influence.

We only conclude a respective user agreement (see our General Terms and Conditions) with the licensed DGNB Certification expert and the manufacturer. In order to conclude the user agreement, both the DGNB auditor/DGNB consultant and the manufacturer must register or log in using a two-step process. The title, first and last name, email address and, for manufacturers, company name and company address are mandatory information; further information is voluntary. You will then receive an email to activate your access. The legal basis for this is Article 6 (1) point (b) GDPR.

If you register using the registration form on the website and your confirmation is not received within 24 hours, your registration will be automatically deleted from our database.

We store the aforementioned personal data for the duration of the user agreement. Manufacturers can terminate the user agreement with six months' notice to the end of the respective calendar year (Section 6.1 of the General Terms and Conditions of the user agreement with manufacturers). DGNB auditors/DGNB consultants can terminate the user agreement at any time without notice (Section 7.1 of the General Terms and Conditions of the user agreement with auditors/consultants). No later than 30 days after the complete termination of the user agreement, the stored personal data of the DGNB auditor/DGNB consultant will be deleted, provided that there is no threat of legal dispute, no waiver of legal recourse has been declared and there is no legal obligation to store the data due to an official order.

Due to commercial and tax law requirements, we are obliged to store the address and contract data of manufacturers for a period of 10 years. However, after 2 years, we restrict processing, i.e. the manufacturers' data is only used to comply with legal obligations.

As a matter of principle, we do not pass on your personal data to third parties, unless we have been given exceptional consent to do so.

To prevent unauthorised access to your personal data by third parties, the connection is encrypted using SSL or equivalent TLS technology.

§ 13 Use of our internal portal for members and DGNB Certification experts

(1) If you wish to use our portal, you must register by providing your email address,
a password of your choice and a username of your choice. We use a two-step registration process, i.e. your registration is only complete once you have completed the membership application form and this has been accepted by the responsible party, or once you have signed the DGNB Certification expert licensing agreement. The login details for the internal area will then be stored in the system for members or DGNB Certification experts. You will then receive a link by email as a member or DGNB Certification expert. You can use the details contained in this link to log in.

(2) When you use our portal, we store the data required to fulfil the contract, including payment method details, until you permanently delete your account. We also store the voluntary data you provide for the duration of your use of the portal, unless you delete it beforehand. You can manage and change all information in the protected member or DGNB Certification expert area. The legal basis is Article 6 (1) point (b) GDPR.

(3) In order to prevent unauthorised access to your personal data by third parties, the connection is encrypted using SSL or equivalent TLS technology.

§ 14 Use of our Auditor Forum

(1) Our Auditor Forum serves to facilitate networking and scientific exchange between licensed DGNB Auditors and DGNB ESG Managers. If you would like to actively participate in the forum, you must register by providing your first and last name, your email address, a password of your choice, and your first and last name as your user name. We use a two-step registration process, which means that your registration is only complete once you have confirmed your registration by clicking on the link in the confirmation email sent to you for this purpose. If you do not confirm your registration, your registration will be deleted from our database.

(2) When you register a forum account, we store all the information you provide in the forum, i.e. public posts, wall posts, private messages, etc., in addition to your registration data, until you deregister, in order to operate the forum. The legal basis for this is Article 6 (1) point (b) GDPR.

(3) If you delete your account, your public statements, in particular posts to the forum, will remain visible to all readers, but your account will no longer be accessible and will be marked in the forum with a placeholder "[Deleted user]". All other data will be deleted.

(4) To prevent unauthorised access to your personal data by third parties, the connection is encrypted using SSL or equivalent TLS technology.

§ 15 Participation in online events via "GoToMeeting" and/or "GoToWebinar"

(1) We use the products "GoToMeeting" and "GoToWebinar" to hold certain online events. The provider of these products is LogMeIn Ireland Limited, based at Bloodstone Building, Block C, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.
If you would like to register as a participant for an online event via our website, you will need to provide your personal data, which we require for the organisation, implementation and follow-up of your participation (the legal basis is Article 6 (1) point (b) GDPR).
To register for an online event organised by the Academy, please use the registration form on our website. Required fields are marked separately; additional information is voluntary. For online events via GoToMeeting, we will send you an access link that you can use to participate in the online event. It is not necessary to enter personal data on GoToMeeting.
For online events organised by the association, you will be redirected to the GoToWebinar website via a link. There you can register as a participant. Mandatory fields are marked separately; additional information is voluntary.
Please note: When you visit the GoToMeeting or GoToWebinar website, the provider is responsible for data processing. You must visit the website to register with GoToWebinar. However, visiting the website is only necessary in order to download the software for using "GoToMeeting" or "GoToWebinar". If you do not want to or cannot use the "GoToMeeting" or "GoToWebinar" app, the basic functions can also be used via a browser version.

(2) When registering via the GoToWebinar website, the data from the registration form is transmitted to LogMeIn. The date and time of registration are also collected. In addition, the following meeting metadata is processed via "GoToMeeting" and "GoToWebinar": topic, description (optional), participant IP addresses, device/hardware information. Furthermore, the following data is processed for recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
You may have the option of using the chat, question or survey functions in an online event. In this respect, the text entries you make are processed in order to display them in the online event and, if necessary, to log them. To enable the display of video and the playback of audio, data from the microphone of your end device and from any video camera of the end device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the "GoToMeeting" applications.
If we wish to record online events, we will inform you in advance and ask for your consent. For the purposes of recording and following up on online events, questions asked by participants may also be processed.

(3) The personal data processed by us will be stored by us for as long as is necessary for the respective purpose – in particular the execution of the online event – in compliance with the statutory retention periods (e.g. ten years for tax-relevant documents and six years for other business letters in accordance with the German Commercial Code and the German Fiscal Code) (Article 6 (1) point (c) GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Article 6 (1) point (a) GDPR or if the purpose of data processing has not yet ceased to apply.

(4) "GoToMeeting" or "GoToWebinar" is a service provided by GoTo Technologies Ireland Unlimited Company, 77 Sir John Rogerson's Quay, Block C, Suite 207, Grand Canal Docklands Dublin 2, D02 VK60, Ireland. It cannot be ruled out that data collected by GoTo services may also be transferred to and stored on a server belonging to GoTo's parent company, GoTo Group, Inc., located at 333 Summer Street, Boston, MA 02210, USA.

Data transfers to the USA are permitted on the basis of an adequacy decision by the EU Commission, provided that the company in the USA is certified under the EU-US Data Privacy Framework. This is an agreement between the EU and the USA that is intended to ensure compliance with European data protection standards in the USA. GoTo Group, Inc. is certified under the EU-US Data Privacy Framework. Further information on this can be found at https://www.dataprivacyframework.gov/list.

We do not receive any information about the data collected in this way or its use.

Further information on data processing by GoTo can be found at: https://www.goto.com/company/legal/privacy ("GoTo Privacy Policy").

§ 16 Participation in online events via "Zoom X"

(1) We use "Zoom X" to hold certain online events. Zoom X is a service provided by Telekom Deutschland GmbH, based in Bonn, Germany. The company Zoom Video Communications Inc., 55 Almaden Blvd., 6th Floor, San José, 95113 CA, is a subcontractor of Telekom.

If you would like to register as a participant for an online event via our website, you will need to provide your personal data, which we require for the organisation, implementation and follow-up of your participation (the legal basis is Article 6 (1) point (b) GDPR).

To register for an online event, please use the registration form on our website. Required fields are marked separately; additional information is voluntary.
You will be redirected to the Zoom X website via a link. There you can register as a participant. Mandatory fields are marked separately; additional information is voluntary.

Please note: When you visit the Zoom X website, the provider is responsible for data processing. You must visit the website in order to register with Zoom X. However, visiting the website is only necessary in order to download the software for using Zoom X. If you do not want to or cannot use the Zoom app "Zoom Desktop Client", the basic functions can also be used via a browser version.

(2) When you log in with a Zoom account, the personal data stored there is processed (e.g. unique Zoom user ID, display name, profile picture (optional), customer authentication data (unless single sign-on is used). If you connect to a Zoom room as a guest without logging in with a Zoom account, you have the option of entering your personal data. If you join via telephone dial-in, your telephone number will be processed.

Zoom X also processes the following meeting metadata: Duration of the meeting, number of participants, start and end of participation, name and description of the meeting, scheduled date/time of the meeting, IP addresses of the end devices used to participate, and other device/hardware information (device type, other device IDs (UDID), type and version of the operating system and client version, camera type, microphone or speaker), etc. In addition, the following data is processed for recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.

You may have the option of using the chat, question or survey functions in an online event. In this respect, the text entries you make will be processed in order to display them in the online event and, if necessary, to log them. To enable the display of video and the playback of audio, data from the microphone of your end device and from any video camera of the end device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the Zoom applications.
If we wish to record online events, we will inform you in advance and ask for your consent. For the purposes of recording and following up on online events, questions asked by participants may also be processed.

Video and audio data contain an image and voice as personal data within the meaning of Article 4 No. 1 GDPR, as the data relates to you as an identified or identifiable natural person. In addition, the content of your contributions could allow conclusions to be drawn about your person. IP addresses and device/hardware information also allow conclusions to be drawn about your person and must therefore be treated as personal data.

(3) The personal data processed by us will be stored by us for as long as is necessary for the respective purpose – in particular the implementation of the online event – in compliance with the statutory retention periods (e.g. ten years for tax-relevant documents and six years for other business letters in accordance with the German Commercial Code and the German Fiscal Code) (Article 6 (1) point (c) GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Article 6 (1) point (a) GDPR or if the purpose of data processing has not yet ceased to apply. With the recording, the data from the audio and video stream as well as the messages in the chat, question and survey functions, etc. are stored and remain stored beyond the end of the meeting.

If you are logged in with a Zoom X account, reports on online meetings (e.g. meeting metadata, telephone dial-in data, questions and answers) can be stored at Zoom X. The deletion of data from the provision of telecommunications is the responsibility of Zoom X, Telekom Deutschland GmbH and Zoom Communications, Inc.

(4) In certain cases, Zoom X processes personal data outside the EU/EEA on a
pro rata basis, for example to handle support cases. In these cases, the EU Commission's standard contractual clauses have been agreed between Telekom Deutschland GmbH and the sub-processor as an appropriate guarantee of an adequate level of data protection in accordance with Article 46 (2) point (c) GDPR.

Further information on data processing when using Zoom X can be found at https://www.zoom.com/en/trust/privacy/privacy-statement/ . Please note that this is an external website operated by Zoom Communications, Inc.

Despite these contractual and technical measures, it is possible that the level of data protection in the third country may not be equivalent to that of the European Union. There is a particular risk, especially in the case of data transfers to the USA, that
your personal data could be processed by authorities for control and surveillance purposes, even without sufficient legal remedies, without us/Telekom as the data exporter or you as the data subject being aware of this.

§ 17 Participation in on-demand offers

(1) To provide on-demand services, we use the reteach learning platform from Susell GmbH, Rosenthaler Str. 38, 10178 Berlin (hereinafter "reteach"), with whom we have concluded a contract for order processing.

Live courses are also part of the on-demand offerings via reteach. The live courses are conducted using Microsoft Teams, a service provided by Microsoft Ireland Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

(2) When you book on-demand offers with us, you are required to provide personal data that we need to create your user account on the learning platform. Required mandatory information is marked separately (Article 6 (1) point (b) GDPR); further information is voluntary. In order to provide the learning platform, the provider reteach, which is bound by our instructions, has access to the personal data stored when using the learning platform.

(3) reteach provides us with software for the provision of learning content and the processing of learning activities and learning progress. The software is used for digital training, education, further education and continuing professional development of our customers, as well as for communication between users and reteach. To prevent unauthorised access to your personal data by third parties, the data carriers are encrypted. Data processing takes place exclusively in a member state of the European Union or another signatory state to the Agreement on the European Economic Area.

(4) Further information on data protection at reteach is available in German: www.reteach.com/datenschutz/

Data protection information for Microsoft Teams is available at: https://www.microsoft.com/en-us/privacy/privacystatement

(5) Due to technical reasons, the integration of the Streamdiver video player in reteach results in calls to the Streamdiver servers (Section 25 (2) No. 2 TDDDG and Article 6 (1) point (b) GDPR). For further information on data processing by the Streamdiver video player, please refer to the data protection information provided by the provider of Streamdiver, Streamdiver GmbH, Lakeside B06, 9020 Klagenfurt am Wörthersee, Austria, which is responsible for the corresponding data processing. Streamdiver's data protection information can be found at: https://streamdiver.com/en/privacy

§ 18 Participation in online events via the Go.Control platform

(1) We use the online service "Go.Control platform" as digital support for certain online events. The provider of the "Go.Control platform" is Go.Control GmbH, Max-Planck Straße 34, 61184 Karben, with whom we have concluded a contract for order processing. The link to the data privacy policy for the "Go.Control platform" can be found here: Annual Congress

(2) If you would like to register for an online event that takes place via the "Go.Control platform", you must create an account on the platform and provide your personal data, which we require for the organisation, implementation and follow-up of your participation (legal basis is Article 6 (1) point (b) GDPR). Required mandatory information is marked separately; further information is voluntary. If you register via our website, you will receive a link to the "Go.Control platform" by email so that you can register as a participant on the "Go.Control platform" and create an account. Alternatively, as soon as registration is possible directly via the "Go.Control platform", our website will link directly to the "Go.Control platform".

When you register via the Go.Control platform, we conclude a contract with you as a participant (see our General Terms and Conditions). In order to conclude the contract, you must register in a two-step process. Your first and last name, email address, company and job title/position are mandatory fields; other information is optional. You will then receive an email to activate your access. If you do not receive confirmation within 24 hours, your registration will be automatically deleted from our database.

(3) The following data is processed via the "Go.Control platform": the personal data specified in the previous paragraph as well as registration data (participant number), usage data (in particular access times) and device/hardware information, IP address. This data is processed exclusively for the provision and use of the "Go.Control platform". You have the option of using the chat and Q&A functions via the "Go.Control platform" during an event. In this respect, the text entries you make are processed in order to display and log them.

(4) The personal data processed by us will be stored by us for the duration of the contract. You can terminate the contract by deleting your access data. The account remains stored on the "Go.Control platform" with your login details and the information you have entered into your account yourself until you deregister your account. Your stored personal data will be deleted no later than 3 months after the contract has been terminated in full, provided that no legal dispute is imminent or a waiver of legal recourse has been declared and there is no legal storage obligation due to an official order and provided that no legal retention periods (e.g. ten years for tax-relevant documents or six years for other business letters in accordance with the German Commercial Code and Tax Code) are required (Article 6 (1) sentence (1) point (c) GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Article 6 (1) point (a) GDPR or if the purpose of data processing has not yet ceased to apply.

§ 19 Newsletter

(1) With your consent (Article 6 (1) point (a) GDPR), you can subscribe to DGNB newsletters, which we use to inform you about developments, news and events at DGNB GmbH, depending on the format. The respective contents of the formats are described as information in the subscription management section.

(2) To subscribe to DGNB newsletters, you need a DGNB User Account, as the subscription management is located there under the "Subscribe to DGNB Newsletters" tab. Under this tab, you will see an overview of all the newsletters available to you. You can use the controls to manage your subscriptions according
to your preferences. We use a double opt-in procedure for newsletter subscriptions. This means that after you register, we will send an email to the email address specified in your DGNB user account asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, the confirmation link contained in the email will expire. If you still wish to subscribe to the newsletter, you must re-trigger your registration in your DGNB user account using the controls.

In addition, we store the times of your registration, confirmation and deregistration. The purpose of this procedure is to verify your registration and, if necessary, to investigate any possible misuse of your personal data (legal basis: Article 6 (1) point (f) GDPR).

(3) We use the email address you provided in your DGNB user account to send you the DGNB newsletter. In order to address you personally, we also use your name and title, which you also provided in your DGNB user account.

(4) We use the online service "Newsletter2Go" as a tool for sending the DGNB newsletter. The provider of "Newsletter2Go" is Sendinblue GmbH (formerly Newsletter2Go GmbH), Köpenicker Straße 126, 10179 Berlin. This is a service provider bound by instructions, which is obliged to comply with data protection regulations and may not use the data for any other purpose.

(5) You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can revoke your consent via your subscription management directly in your DGNB user account, to which a link is included in every newsletter email, or by sending an email to widerspruch@dgnb.de or by sending a message to the contact details provided in the legal notice.

§ 20 Data protection information for certification support

(1) As part of the support and implementation of the certification process, we process personal data of

applicants and their employees and board members (e.g. board members, managing directors, supervisory board members, advisory board members),
and third parties whose personal data we require to process the application. This includes, among others, shareholders, partners, members of governing bodies or employees of the applicant, business and contractual partners, project managers, DGNB Certification experts, architects, landscape planners, urban planners, builders and owners, as well as other consultants of the applicant,
employees of authorities and courts,
experts and
interested parties.

In particular, we process the following categories of personal data:

Contact information, in particular title, first and last name, title if applicable, company if applicable, address, telephone number (landline and/or mobile), email address,
details of professional activities,
bank account details,
other personal data required for the certification process.

If we do not receive personal data directly from the persons concerned (e.g. in the course of correspondence with contact persons at the applicant's premises), the data originates from the following sources:

Applicant,
DGNB Certification experts,
publicly accessible sources (public registers, internet searches),
other third parties (e.g. parties involved in the proceedings).

(2) We process personal data to the extent necessary for processing the respective application for certification and for fulfilling obligations under the certification agreement; in particular for preparing the property assessment and certification document, corresponding with applicants, authorities and other parties involved, and for invoicing. The legal basis for this is Article 6 (1) point (b) GDPR. We use AI systems to assist in the structuring of project documents.

Furthermore, we also process the certification documents for the purpose of training our own AI systems. We have a legitimate interest in this within the meaning of the relevant legal basis under Article 6 (1) sentence (1) point (f) GDPR. No personal data is passed on to third parties in this respect. At most, the provider of the respective AI system may be given access to the personal data. However, this provider is a service provider bound by instructions with whom a data processing agreement has been concluded in accordance with Article 28 GDPR and who is not permitted to use the data for its own purposes.

We will use individual, previously anonymised certification documents for evaluations, sample documentation and system enhancements. The anonymisation of data for the purpose of evaluating our processes, creating sample documentation and further developing our systems constitutes a legitimate interest within the meaning of the relevant legal basis, Article 6 (1) sentence (1) point (f) of the GDPR.

We may process personal data for the purpose of advertising our own services; this is a legitimate interest pursuant to Article 6 (1) sentence (1) point (f) GDPR.

(3) Within DGNB GmbH, only those persons and departments receive personal data that they need for the certification decision and to fulfil our (pre-)contractual and legal obligations.

The data is transferred to the German Sustainable Building Council (DGNB e.V.). Within the DGNB Group, the German Sustainable Building Council (DGNB e.V.) performs certain tasks centrally for the Group, such as marketing for the preparation of certification documents and the organisation of the awarding of the preliminary/certificate, as well as commercial areas for contract and invoice preparation. We have a legitimate interest in such centralisation, in particular for the standardisation of processes and the protection of the data collected and stored, and the associated data processing, within the meaning of the relevant legal basis for the transfer of personal data to the DGNB e.V. in accordance with Article 6 (1) sentence (1) point (f) GDPR.

Insofar as this is necessary for the performance of the certification contract, personal data will also be passed on to the certification experts (e.g. DGNB Auditor, ESG Manager), the auditors and other third parties involved in the audit process (Article 6 (1) sentence (1) point (b) GDPR). For the purpose of monitoring the use of the quality seal and the evaluation and further development of QNG-PLUS and QNG-PREMIUM by the seal issuer (the Federal Government), we report each quality seal awarded (seal notification) to the Federal Government (currently: "Sustainable Building" office) in pseudonymised form. The monitoring of the use of our quality seal and its evaluation and further development constitutes a legitimate interest within the meaning of the relevant legal basis Article 6 (1) sentence (1) point (f) GDPR.

We also use external service providers for our activities. These are service providers who are bound by instructions, with whom a data processing agreement has been concluded in accordance with Article 28 GDPR and who are not permitted to use the data for their own purposes.

Where necessary, we also engage external lawyers. We have a legitimate interest in obtaining sound legal advice within the meaning of the relevant legal basis under Article 6 (1) sentence (1) point (f) GDPR.

Furthermore, we disclose information to the extent necessary if we are legally obliged to do so (Article 6 (1) point (c) GDPR) or if requested to do so by the German Accreditation Body (DAkkS), other authorities or courts (Article 6 (1) sentence (1) point (f) GDPR).

There is no intention to transfer personal data to a third country or an international organisation, provided that the certification project is not located in the third country.

(5) We store personal data for as long as is necessary for the respective purpose of processing, in particular for the administration of the certification contract, in compliance with the statutory retention periods (e.g. ten years for tax-relevant documents and six years for other business letters in accordance with the German Commercial Code and the German Fiscal Code) (Article 6 (1) sentence (1) point (c) GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Article 6 (1) point (a) GDPR or if the purpose of data processing has not yet ceased to apply.

§ 21 Data protection information for DGNB Certification experts

(1) We process your personal data to the extent necessary for admission, listing and activity as a DGNB Certification expert (Article 6 (1) sentence (1) point (b) GDPR). This includes the following categories of personal data in particular:

Contact information, in particular title, first and last name, title if applicable, company if applicable, address, telephone number (landline and/or mobile), email address,
details of your professional activity,
bank account details.

If you have consented to being included in the online directory on our website as a licensed DGNB Certification expert (Article 6 (1) sentence (1) point (a) GDPR), we will also publish your name and your (professional) address in the corresponding directory.

Furthermore, the personal data of licensed DGNB Certification experts is processed within the scope of the certification procedures they supervise. In this regard, please refer to the explanations in §19 of this data protection information.

(2) Within DGNB GmbH, only those persons and departments that require the personal data for the supervision and administration of DGNB Auditors will receive it.

The data is also transferred to the German Sustainable Building Council (DGNB e.V.). Within the DGNB Group, the German Sustainable Building Council (DGNB e.V.) performs certain tasks, such as commercial activities relating to contract and invoice creation, centrally for the Group. We have a legitimate interest in such centralisation, in particular for the standardisation of processes and the protection of the data collected and stored, and the associated data processing, within the meaning of the relevant legal basis for the transfer of personal data to the DGNB e.V. in accordance with Article 6 (1) sentence (1) point (f) GDPR.

Furthermore, we disclose information to the extent necessary if we are legally obliged to do so (Article 6 (1) sentence (1) point (c) GDPR) or if requested to do so by authorities or courts (Article 6 (1) sentence (1) point (f) GDPR).

(3) We will store your personal data for as long as you are listed as a DGNB Certification expert, in compliance with the statutory retention periods (e.g. ten years for tax-related documents and six years for other business correspondence in accordance with the German Commercial Code and Tax Code; Article 6 (1) sentence (1) point (c) GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Article 6 (1) sentence (1) point (a) GDPR or if the purpose of data processing has not yet ceased to apply.

§ 22 Information on data processing on our social media company pages

We operate a so-called "company page" on these social media platforms:

Facebook: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta")
LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
YouTube: Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland
Xing: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany

Here we provide information about data processing when you visit one of our company websites.

1. General information about company websites, legal basis

As the owner of an online presence on a social media platform, we process personal data when you contact us directly in a personal message or via the public comment function on the platform. The data collected depends on the information you provide and the contact details you specify or share.

This data is processed on the basis of Article 6 (1) sentence (1) point (b) GDPR, insofar as this is necessary to carry out a measure requested by you. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Article 6 (1) sentence (1) point (f) GDPR).

When you visit a company page, the respective operator of the platform ("provider") collects information that enables them to recognise users and comprehensively analyse user behaviour. The provider of the social media platform can also create user profiles based on the data collected in this way. If you are logged in with your corresponding social media account when visiting a company page, the respective provider can also assign this visit to your account.

The respective provider only provides us with an anonymised statistical evaluation of the use of our company page based on the information obtained. This enables us to make our posts even more targeted in the future. In this respect, we have a legitimate interest in collecting and processing this information. In addition, we have a legitimate interest in using as many communication channels as possible in order to reach as many interested parties as possible personally. The legal basis for the data processing associated with the operation of a company website is Article 6 (1) sentence (1) point (f) GDPR.

We do not pass on any personal data that we collect via our company pages to third parties. However, we cannot influence or exclude the possibility that the aforementioned providers may transfer the collected data to third parties, in particular to their partner companies, which may also be based in other EU countries. In particular, data transfers to the USA are permitted on the basis of an adequacy decision by the EU Commission if the company in the USA is certified under the EU-US Privacy Framework (e.g. Meta Platforms Inc., Google LLC and LinkedIn Corporation).

You can assert your rights as a data subject with regard to data processing by our company websites both against us and against the respective provider. However, we would like to point out that these rights can be most effectively asserted against the respective provider. This is because only the respective provider has access to the user data and can take appropriate measures and provide information directly.

Further information on data processing by the respective provider can be found at:

Facebook: https://engb.facebook.com/privacy/policy/?entry_point=facebook_page_footer
LinkedIn: https://www.linkedin.com/legal/privacy-policy
YouTube: https://policies.google.com/privacy?hl=en-GB&gl=de
Xing: https://privacy.xing.com/en/your-privacy

2. Agreements pursuant to Article 26 GDPR

Some social media platform providers offer an agreement in accordance with Article 26 GDPR, in which the data protection obligations arising from the operation of our company page are divided between us and the respective provider. The providers have assumed a large part of the data protection obligations, such as fulfilling the rights of data subjects in accordance with Article 12 and following of the GDPR, the obligation to provide suitable technical and organisational measures to protect the security of personal data, and the reporting and notification obligations in the event of a data breach. If you contact us regarding your rights as a data subject, we will forward your request to the respective provider immediately. We are obliged to do so in accordance with the agreement with the respective provider.

Further information on the agreement between us and the respective provider can be found at: