Version dated: December 2020 (older versions)

It is an important issue for us, the ALBA Group, to protect your data and keep your data safe and secure, and we take this goal into consideration throughout our business processes. In this data privacy statement, we would therefore like to give you an overview of the data protection-related aspects of our online offer. In the following we will explain:

• Which data we collect when you use the ALBA Group’s website.
• The purposes for which this data is processed by the ALBA Group undertakings as well as third-party companies.
• Which rights and options you have when it comes to us processing your data.
• How you can contact us in relation to matters of data protection.

This data privacy statement applies to the online offers of the ALBA Group in the domains albagroup.de and alba.info including possible subdomains (such as berlin.alba.info,nisa.alba.info, alba-energiemanagement.de or inside (at) albagroup.de), the website recycling-funktioniert.de, langedacht.de, alba-bs.de, recyclingnews.de, ebk-berlin.de and resources-saved.com (hereinafter referred to as “websites") as well as the social media presentations of ALBA Group on Facebook, Instagram, Xing, LinkedIn, YouTube and Twitter (hereinafter referred to as ”social media profiles“), the customer portal ALBAclick, our online store myALBA as well as the apps ”ALBA Group Inside“, ”ALBA Abfuhrkalender“ and ”recyclingnews“.

Websites of ALBA Group undertakings not detailed above are subject to separate data privacy statements. Please check the respective website for the applicable data privacy statement. Please note that offline business will also be governed by separate privacy statements.

The following is the controller for data processing on our website within the meaning of the General Data Protection Regulation (GDPR):

ALBA Group plc & Co KG
Knesebeckstr. 56-58
10719 Berlin

ALBA Group plc & Co. KG is the management company and provider of services to ALBA Group undertakings. It is this function that it is also accountable for and manages and organises the online presentations of the ALBA Group undertakings specified above with their websites (e.g. for ALBA Berlin GmbH in the subdomain berlin.alba.info) as well as the employee magazine Inside at the subdomain inside.albagroup.de.

Any mention of "we", "us" or the "ALBA Group" in this data privacy statement exclusively relates to ALBA Group plc & Co. KG.

To reach the data protection officer of the ALBA Group write an e-mail message to datenschutz (at) albagroup.de or send a letter to:

ALBA Group plc & Co KG
Attn. The Data Protection Officer
Mr Malte Wilhelm-Humpke
Knesebeckstr. 56-58
10719 Berlin

You can visit our websites without having to provide any personal information. In this case, only the access data sent to us by your browser automatically will be collected. This, for example, includes your online identifiers (e.g. IP address, session IDs, device IDs), information on the web browser and operating system used, possibly the website from which you accessed our websites (i.e. if you accessed our website via a link), the names of the requested files (i.e. of the texts, videos, images etc. you looked at on our websites), the language settings of your browser, possibly error reports, and the timing of the individual access events.

The access data needs to be processed to make it possible for you to visit and operate our websites with ease and to ensure continuous functionality and security of our website.

Access data is also temporarily stored in internal log files to provide statistical information about the use of our website. This makes it possible for us to continuously optimise and develop our websites with a view to the patterns of usage and technical equipment of users, and it helps to eliminate faults, malfunctions and security risks. It is not possible to directly deduce your identity from the information stored in the log files – in particular, we will only store the IP address in truncated, anonymised form. The log files are stored for 30 days and then archived after anonymisation.

The lawful basis for processing such data is GDPR, Art. 6.1.f (reconciling your right to protection of personal data with our legitimate interests detailed above).

On our websites we use our own cookies as well as third-party provider cookies. A cookie is a standardised text file that is stored by your browser for a definite period. Cookies make it possible to store information such as language settings and temporary identification features locally on your terminal device; the server which installed the cookie locally on your device can access such information when you visit the website again. Check your browser security settings to view and delete the cookies used. You can change your browser settings according to your needs, for example it would be possible for you to disable third-party cookies only or cookies in general. Please note that you may not be able to use all the functions of our website if you disable cookies.

The reason why we use our own cookies is to make it more convenient for you to use our website and to make it secure. The lawful basis for the associated processing of anonymised data through absolutely necessary cookies is GDPR, Art. 6.1.f. Other data will be processed only to the extent you have given your consent, in which case GDPR, Art. 6.1.a will be the lawful basis for processing.

We use third-party cookies for web analysis as well as promotional purposes. Please see sections 2.7 and 4 of this data privacy statement for more information.

We collect all information and data you communicate by way of our websites. At our websites we offer various contact options, including the "Contact form”, for sending us messages and, in part, also data (e.g. PDF documents). The mandatory information absolutely required for providing these functions, if any, is generally highlighted.

We will only use the information you provide for the purpose of processing your request. We will delete the data collected in the process as soon as it is no longer necessary to store it, or, alternatively, we will restrict processing where statutory retention periods apply.

Your message will only be disclosed to another ALBA Group undertaking or external third party insofar as this is required for the purpose of processing your request (we will, for example, forward your message to another ALBA Group undertaking if such undertaking is in charge of processing your request). If you do not agree with your message potentially being disclosed to another company or third party, please inform us directly in your message – naturally it would also be possible for you to do so as a precautionary measure. In this case, we will disclose your message to the other company excluding the data that could be used to identify you (e.g. your name, customer number or contact details). Your personal data in connection with messages and communication may also be processed beyond the scope specified above after you have given your consent.

The lawful basis for processing data as detailed above is GDPR, Art. 6.1.b. If you have consented to disclosure and other processing of the data communicated by you, the lawful basis is GDPR, Art. 6.1.a.

Some of our websites include functions provided by the Facebook social network which are referred to as plug-ins. These plug-ins are operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). This means that Facebook is the controller in charge for operating the plug-ins in keeping with data protection requirements.

If you visit a website containing a plug-in that you previously enabled, your browser will directly connect to Facebook servers which will, in turn, send the plug-in content (e.g. "like" or share buttons) to your browser and then integrate it into our websites. This means that Facebook will know that you have visited our website. If you are signed into Facebook with your personal user account details when visiting our website, Facebook will also be able to link the website visit to your Facebook account. In case of plug-in interaction, e.g. if you click the "like" button or write a comment, the respective information will be collected directly by Facebook and stored by them. If you would like to prevent this from happening, you need to log out of your Facebook account before enabling plug-ins.

Further information on the purpose and scope of the data collected by Facebook, additional processing and use of your data by them, your associated rights and settings for protecting your privacy, is available from Facebook's data privacy policy at (http://facebook.com/privacy/explanation.php). 

The lawful basis for processing the data detailed above, insofar as we are the controller, is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with on our legitimate interest in making our contents available to a larger number of users).

We have embedded YouTube videos in parts of our websites. YouTube is a video platform operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), which is part of Google. You can watch embedded YouTube videos directly on our websites. The “enhanced data protection mode” is used to embed them. This means that no data about you, the user, will be sent to YouTube for as long as you do not watch the video. Data will only be transmitted to YouTube once you start watching any of the videos. Such data transmission is beyond our control.

When you visit a website with embedded YouTube videos, YouTube and Google will be provided with the access data collected in the process, along with the information that you have visited the respective sub-page of our website. This happens regardless of whether you are logged into YouTube or Google or not. If you are logged into your Google account, your data will be linked with your Google account directly. If you do not wish them to be linked with your YouTube profile, you will have to log out before watching a video. YouTube and Google may use your access data for creating user profiles for the purpose of promotion, market research and developing a user-friendly YouTube and Google website design. You have the right to object to the creation of these user profiles; you will have to address any such objection directly to YouTube or Google, respectively. For more information, please see Google data privacy statement for YouTube.

The lawful basis for processing the data detailed above, insofar as we are the controller, is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with our legitimate interest in embedding video content). In addition, all parties involved in data processing have committed themselves to transferring personal data to third countries subject to appropriate safeguards (GDPR, Art. 44 f.).

Our websites use the Google Maps service operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google"). In order for the Google map material we use to be integrated and displayed in your web browser, your web browser must connect to a Google server, which may also be located in the USA, when you click on the contact page. This is how Google will be informed that the IP address of your device clicked on the contact page of our websites. The lawful basis for data processing detailed above is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with our legitimate interest in embedding online maps for contact purposes). In addition, all parties involved in data processing have committed themselves to transferring personal data to third countries subject to appropriate safeguards (GDPR, Art. 44 f.).

If you call up Google maps on our website whilst being logged into your Google profile, Google will be able to link this event to your Google profile. If you do not wish the event to be linked to your Google profile, you will have to log out of your Google profile before clicking on our contact page. Google will store your data and use it for the purpose of advertising, market research and personalised presentation of Google Maps. You have the right to object to the collection of this data by Google by contacting Google directly.

The following information has been included without warranty, express or implied: You will find more information in Google’s privacy statement at https://policies.google.com/privacy and the additional terms of use for Google Maps at https://www.google.com/intl/de_US/help/terms_maps.html. You have the right to opt-out of the service at: https://adssettings.google.com/authenticated.

Our websites use the Google Analytics web analysis service operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies for collecting your access data when visiting our websites. Google will compile the access data into pseudonymous user profiles at our behest and send them to a Google server in the USA. This does not enable us to link user profiles to a specific user. We will not be able to identify you based on the data collected by Google, nor will we be able to determine how you use our websites.

Google will use the information obtained through the cookies at our behest to analyse the use of our websites, to compile reports about website activities and to provide us with other services in connection with website and Internet use. Further information on this topic is also available from the data privacy statement of Google Analytics.

You have the right to object, at any time, to the creation and analysis of pseudonymous user profiles by Google as described above. You have several options for doing so (the following information has been included without warranty, express or implied):

(1) You can adjust browser settings to block Google Analytics cookies;

(2) You can change Google Ads Settings on Google.

(3) You can disable cookies by clicking here: Disable Google Analytics

(4) You can install the disable plug-in provided by Google at http://www.google.com/settings/ads/plugin in your Firefox, Internet Explorer or Chrome browser (this option will not work on mobile devices).

The lawful basis for processing such data is GDPR, Art. 6.1.a (reconciling your right to the protection of personal data with our legitimate interest in analysing the general pattern of usage). In addition, all parties involved in data processing have committed themselves to transferring personal data to third countries subject to appropriate safeguards (GDPR, Art. 44 f.).

We operate a page (Facebook fan page) on the social network of Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA ("Facebook") in joint responsibility with Facebook to communicate with our followers (such as our customers and interested parties) and to provide information about our products and services.

In doing so, we may receive Fan Page-related statistics from Facebook (e.g., information about numbers, names, interaction such as likes and comments, and aggregate demographic and other information or statistics). For more information on the nature and scope of these statistics, please see Facebook Page Insights. For more information on page controller, please see Facebook page controller addendum. The lawful basis for processing such data is GDPR, Art. 6.1.f (reconciling your right to protection of personal data with our legitimate interests detailed above). In addition, we entered into a joint controller addendum with Facebook for processing your data in accordance with GDPR, Art. 26.

We have no control over data that is processed by Facebook as controller in accordance with Facebook's terms of use. However, we would like to point out to you that when you visit the Fan Page, data about both your Facebook and Fan Page patterns of usage will be transmitted to Facebook. Facebook itself processes the aforementioned information to create more detailed statistics and for its own market research and advertising purposes, over which we have no control. You will find more detailed information about this in Facebook's data policy.

Insofar as we receive personal data from you by operating the Fan Page, you have the rights stated in this data privacy statement. If you would also like to assert your rights against Facebook, the easiest way to do so is to contact Facebook directly. Facebook is familiar with both the technical operating details of the platform and the associated data processing as well as the specific purposes of data processing and will be able to implement appropriate measures upon request when you exercise your rights. We will be happy to assist you in exercising your rights to the extent possible and will forward your requests to Facebook.

Social media profiles of the ALBA Group are available in the following social networks:

• Instagram
• Xing
• LinkedIn
• YouTube
• Twitter

We use these social media platforms to inform you about the latest news and activities of the ALBA Group and use the options provided by social networks to communicate with members directly.

Please note, however, that we have no control over data processing by social networks. You should therefore carefully review the personal information and messages you communicate to us via social networks; if you are not sure, you should use other means to contact us because we are unable to accept any liability for the policy of social network operators and the behaviour of other members of the social network.

When you communicate with us by way of our social media profiles, we will process the information provided to us in this regard via the respective social network (e.g. your name, profile page and contents of the messages you send us) in keeping with the purpose of your message (e.g. service requests, suggestions and/or criticism).

We will delete the data collected in the process as soon as it is no longer necessary to store it, or, alternatively, we will restrict processing where statutory retention periods apply. In case of public posts on our social media profiles, we take the liberty of deciding if and when to delete them on a case-by-case basis, reconciling your and our interests with each other.

The lawful basis for processing the data described above depends on the purpose of your message. If the purpose is to avail yourself of our customer service or to enquire about the services of the ALBA Group, the lawful basis is GDPR, Art. 6.1.b. The lawful basis in all other respects is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with our legitimate interest in processing your message). If you have consented to processing of the aforementioned data, the lawful basis is GDPR, Art. 6.1.a.

We use the access data obtained from visits of our website for advertising on other providers' websites (retargeting). The reason is that we would like to present you with personalised advertising, i.e. ads that cater to your interests and that you will hence find more relevant. This is also why we take part in the Google advertising network to place personalised ads on the websites of other providers who are also part of the Google advertising network. Further information on Google's online advertising network and data privacy statement is available at http://www.google.com/privacy/ads/.

The following data will be processed with GDPR, Art. 6.1.a as lawful basis if you have given your consent. In addition, all parties involved in data processing have committed themselves to transferring personal data to third countries subject to appropriate safeguards (GDPR, Art. 44 f.).

DoubleClick is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). DoubleClick uses cookies and pseudonymised identification features to collect your access data when visiting our and other websites included in the Google advertising network and to deduce your interests from them. Such pseudonymised user profiles enable Google to present you with personalised advertising in the advertising space included in the Google advertising network. Every website included in the Google advertising network is allocated a different cookie by Google, which means that these cookies cannot be tracked by other websites.

Google may also send the access data collected by way of DoubleClick to a server in the USA for analysis. In addition, all parties involved in data processing have committed themselves to transferring personal data to third countries subject to appropriate safeguards (GDPR, Art. 44 f.).

Furthermore, we also use the Audience function of Google Analytics in our websites. This function enables Google to provide you with personalised advertising at our behest when you visit the websites of other providers that are also included in the Google advertising network. Google uses cookies and the pseudonymous user profiles created by Google Analytics (see section 2.6) when you visit our website to draw conclusions about your interests. Based on these pseudonymous user profiles, Google will be able to provide you with personalised ads in the advertising space included in the Google advertising network (Google can thus, for example, show you a promotion for an ALBA Group service that you previously inquired about on one of our websites).

You can disable processing of your data for personalised advertising in the Google advertising network at any time. There are several options (the following information has been included without warranty, express or implied):

1. You can adjust browser settings to block cookies from the domain www.googleadservices.com;
2. You can change Google Ads settings on Google at https://www.google.de/settings/ads.
3. You can install Google’s free disable plug-in in your Firefox, Internet Explorer or Google Chrome browser from the link http://www.google.com/settings/ads/plugin( this will not work with browsers for mobile devices).
4. In addition to this, there is also a website for centrally disabling personalised advertising from Google and many other providers which take part in the self-regulation campaign "Your Online Choices" on the website http://www.youronlinechoices.eu .

Please note that Google will only show you general advertising that has not been selected on the basis of the access data collected about you if you disable personalised advertising.

As a matter of principle, we will only disclose your data if:

• You have explicitly given your consent as per GDPR, Art. 6.1.a;
• This is required as per GDPR, Art. 6.1.f for an ALBA Group undertaking to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in the data not being disclosed;
• We are required by law to disclose it as per GDPR, Art. 6.1.c; or
• Disclosure thereof is permitted by law and required as per GDPR, Art. 6.1 for the performance of a contract with you or to take specific steps before entering into a contract at your request.

Some data processing described in this data privacy statement may be performed by external service providers at our behest. Besides the ones mentioned in this data privacy statement, the list of such service providers may, in particular, include computer centres that store our websites and data bases, IT service providers that service our systems, as well as consultancy firms.

Insofar as we disclose data to our service providers, they are only permitted to use this information to perform their tasks. We have selected and contracted these service providers with great care. They are contractually bound by our instructions, have suitable technical and organisational measures in place for protecting the rights of data subjects, and are regularly monitored by us.

In the event of disclosure of data beyond this data privacy statement to a service provider based in a country outside the European Economic Area (EEA), we will separately inform you of this fact and the specific safeguards subject to which data may be transferred, as the case may be. If you require copies of safeguards to substantiate an adequate level of data protection, please contact our data protection officer (see section 1).

You can register in our customer portal (www.albaclick.de/login) to place orders using a password-protected user account. In addition, you can order goods offered in our store (www.alba-bs.de/service/shop) without creating a user account. Regardless of whether you register with a user account in one of our stores or not, personal data will be processed for the purpose of performance of the contract when you place an order. These include, in particular: Last name, first name, e-mail address, billing/delivery address, payment data and, if applicable, company details if you are a business customer placing an order with us.

Depending on the payment method used, your data may be processed by a payment service provider so that the payment may be made and linked to you as a person. Further information on data processing by the payment service providers may be found in the duty to inform section of the respective payment service provider. If you have any questions, we will be happy to help.

The service providers we mainly use for processing payments are BS PayOne by PayOne GmbH, Lyoner Straße 9, 60528 Frankfurt am Main (Privacy policy of PayOne GmbH) and PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg (Privacy policy of PayPal).

We process the aforementioned data on the basis of GDPR, Art. 6.1.b in order to handle the orders you place with us.

You can apply for a vacancy in our company by sending an e-mail to the e-mail address provided at https://alba.info/karriere. We will collect the following data for the purpose of receiving and processing your job application: First and last name, e-mail address, job application documents (e.g. references, resume), date of earliest possible date of employment, expected salary. The purpose of collection of data is to select job applicants for possibly employing them. The lawful basis of processing your job application documents is GDPR, Art. 6.1.b and Art. 88.1 in conjunction with Section 26 para. 1 sentence 1 of the German Data Protection and Privacy Act (Bundesdatenschutzgesetz, BDSG). Job applicant data will be deleted after the job application process has been completed, however, at the latest after three (3) months. If you have consented to processing of the aforementioned data, the lawful basis is GDPR, Art. 6.1.a.

If you would like to receive a newsletter we offer via our websites (e.g. Career News or Alba Group Inside), we will need your e-mail address as well as information that allows us to verify that you are the owner of the e-mail address provided and that you consent to receiving the newsletter. No other data will be collected; more data only be collected on a voluntary basis only. We will use such data exclusively for sending you the requested information and will not pass it on to third parties.

Data entered in the newsletter registration form will only be processed based on your consent (GDPR, Art. 6.1.a). You have the right to withdraw your consent to the storage of data and the e-mail address as well as use thereof for sending you the newsletter, at any time, for example by using the "unsubscribe" link included in the newsletter. The lawfulness of data processing operations already performed will not be affected by such subsequent withdrawal of consent.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and it will be deleted after you unsubscribed from the newsletter.

We use OneSignal push service on inside.albagroup.com and recyclingnews. Push notifications are messages that can be displayed on your device without you having to open the website or the respective app.

No unique user data such as IP addresses or similar information, which could be used to directly deduce information about the respective user, are stored. When opting-in to the notification distribution list, only a kind of identifier key and the user's GeoIP (country and state) will be transmitted and stored in OneSignal's database. This identifier key is assigned to users by the respective browser (Google, Mozilla, Apple, etc.) and it makes it possible to subsequently send the notifications to the respective browser. If you opt-out by withdrawing your push notification consent, data stored by OneSignal will be deleted. You will find browser-specific information about push notification opt-out on the browser website: Google Chrome, Mozilla Firefox and Apple Safari.

The lawful basis for data processing detailed above is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with our legitimate interest in embedding content interesting for our users).

To download and install our apps from an app store (such as Google Play Store or Apply App Store), you will first have to register for a user account with the provider of the app store and enter into a user agreement with the provider. We have no control over this, and, in particular, we are not a party to such a user agreement. When downloading and installing the apps, the necessary information will be transferred to the respective app store, including, but not limited to, your user name, your e-mail address and the customer number of your account, the time you downloaded the app and the specific device identification number. Such data collection is beyond our control and we are not the controller of this information. We process such data provided only to the extent necessary to download and install the apps on your mobile device (e.g. smartphone, tablet).

The lawful basis for processing such data detailed above is GDPR, Art. 6.1.b.

When you use our apps, various technical details will be transmitted to our servers. This includes, for example, the IP address of your device, installation data (e.g. app version and time of installation), information about the content and functions you use, the content you enter (e.g. form input and click data), the duration of use, and information about your device (e.g. device model and operating system).

We will use this information so that you can use our apps and to provide the services used, to safeguard technical security including, but not limited to counter and prevent attacks and fraud as well as analyse malfunctions.

The lawful basis for processing such data detailed above is GDPR, Art. 6.1.b.

As a user of iOS, the apps can send you messages (e.g. individual product recommendations) through push notifications even if you are not currently using the apps in the foreground. Push notification means that sound or other types of alert (e.g. custom message banners being displayed) and/or symbols (an image or a number on the app icon) pop up in your device. To prevent this, you can disable push notifications in your device settings at any time by opening the iOS “settings" application and selecting the "Notifications" menu item. In the following menu you will find an overview of all apps installed on your device where push notifications are enabled. Choose our apps. Here you can enable or disable the push notifications. The lawful basis for processing such data is GDPR, Art. 6.1.f (reconciling your right to protection of personal data with our legitimate interest of offering you personalised advertising).

For push notifications on Android devices see section 8.2.

In order for you to benefit from all functions of the apps, the apps will have to access certain functions of your device. Depending on which operating system you use on your device, you may have to give your explicit permission. You can adjust the permission settings in the system settings of your device at any time. Below we will explain which permissions the apps ask for and for which functions such permissions are required when using the iOS operating system:

• "Siri & Search”: Give us permission for the apps to use the search function of your device. Siri is used for implementing the search function. If you do not give the app such permission, the search function may not be available or may only work to a limited extent.
• “Background App Refresh”: Give us permission for the apps to update automatically in the background. This will eliminate long loading times when you restart an app after a while of not using it. If you do not give permission, this function will not be available.

Below we will explain which permissions the apps ask for and for which functions such permissions are required when using the Android operating system:

• “Positioning Services / Location Data": Permission to access your device's positioning services is required for an app to access the location detected by your device. If you do not give the app such permission, the location-based display of content may not be available or may only work to a limited extent.
• “Memory”: The app needs to be given such permission to enable the apps to store data in the memory or, if necessary, on an additional memory used on your device or to read data from there. If you do not give the app such permission, this function will not work.
• “Phone": The permission is required for the apps to establish a telephone connection, to change the telephone status, to read and edit the call log. If you do not give the app such permission, this function will not work.

The lawful basis for processing such data detailed above is GDPR, Art. 6.1.a. Consent given can be withdrawn at any time by changing the settings of your terminal device.

We use various technologies for collecting statistics and analysing general patterns of usage based on access data in order to enhance the functionality our apps. In this way, we learn, for instance, which areas and functions of an app are particularly popular, at which times our apps are accessed particularly frequently, from which regions (down to city level) our apps are used, and which devices our users use.

We also use various technologies for interest-based advertising. By analysing and evaluating such access data, we will be able to present you with personalised advertising. This is advertising that matches your actual interests and needs. In this context, we collect and process the following information, for example:

• the Apple advertising ID (IDFA) on iOS devices
• the Google Advertising ID on Android devices

Advertising IDs are unique, but non-personalised and non-permanent identification numbers for a specific terminal device provided by operating systems.

If you do not consent to data processing for analysis and advertising purposes, you have the right to object to processing of data at any time. You will find the disabling function in the settings or info area in the app.

The lawful basis for processing such data detailed above is GDPR, Art. 6.1.f. Such data is processed based on our legitimate interest. On the one hand, we intend to make it possible for you to use our apps more conveniently and in a more customised way, and on the other hand, we intend to provide you with personalised and customised advertising.

Unless stated otherwise in this data privacy statement, we will only store and use your data for as long as this is required to fulfil our contractual or statutory obligations or to perform the purposes the data was collected for. We will, however, restrict processing of such data after expiry of the statutory limitation purposes, which means that your data will hence only be used to comply with statutory obligations.

Thereafter, we will delete the data without undue delay unless we still need to retain such information until expiry of statutory limitation periods as proof for civil claims, or to comply with statutory obligations as to data retention. Even thereafter, we may still be required to store your data for accounting purposes. We are required to do so by statutory documentation obligations that may arise from the German Commercial Code, Fiscal Code, Banking Act, Anti-Money-Laundering Act and Securities Trading Act. The document retention periods specified in these laws range from two to ten years.

The lawful basis for processing such data for the purpose of compliance with statutory documentation and retention obligations is GDPR, Art. 6.1.c. The lawful basis in all other respects is GDPR, Art. 6.1.f (reconciling your right to the protection of personal data with our legitimate interests).

Please contact our data protection officer (see section 1) at any time should you wish to assert any of the statutory data privacy rights detailed below:

• You have the right to request access to information about processing of your personal data by us at any time (GDPR, Art. 15). We will give you access by explaining the data processing and giving you an overview of the personal data stored about you.
• If the data we store is incorrect or no longer up-to-date, you have the right to have inaccurate personal data rectified (pursuant to GDPR, Art. 16).
• You also have the right to demand that your data be deleted (right to be forgotten). Should deletion or erasure of information be prevented by conflict with other statutory requirements in exceptional cases, use of the data will be restricted to make it available only for the purpose of complying with the specific statutory purpose (pursuant to GDPR, Art. 17).
• You also have the right to demand restriction of processing of your data, e.g. if you believe that the data we store is not correct (pursuant to GDPR, Art. 18).
• You have the right to data portability which means that we have the duty to provide you with a digital copy of the personal data provided by you upon request (pursuant to GDPR, Art. 20).

You also have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority in charge for ALBA Group is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin. You also have a right to lodge a complaint with a supervisory authority for data protection in charge for where you live. They will forward your request to the supervisory authority in charge for us.

GDPR, Art. 7.3 give you the right to withdraw a previously given consent at any time; as a consequence of such withdrawal, we will refrain from processing the data based on this consent in the future. Withdrawal of consent will not affect the lawfulness of processing of data based on this consent prior withdrawal of consent, however.

Insofar as we process your data based on our legitimate interests, GDPR, Art. 21 gives you the right to object to such processing of your data on grounds relating to your particular situation. If the objection to processing relates to direct marketing, you have a general right to prevent processing which we will implement even without you stating any reasons for your objection.

If you wish to exercise your right to prevent processing and to withdraw consent below, all you have to do is to send an informal message to the contact details above.

The technical measures we maintain for our online services are adequate to ensure data security and, in particular, protect your data from being exposed to risks in terms of data transmission and from unauthorised access by third parties. These measures are constantly adapted to evolution of the state of the art. We rely on Transport Layer Security (TLS), which encrypts the information you enter, to protect the personal data disclosed by you on our website.

This data privacy statement will be updated from time to time, e.g. whenever we adapt our website or changes in the statutory or official requirements occur.