Privacy statement
The protection of personal data is an important concern to us at the German Structured Securities Association (Bundesverband für strukturierte Wertpapiere, BSW).
This document is a privacy statement and explains to you the type, scope and purpose of the processing of personal data (hereinafter referred to as ‘data’) in our online service and the websites/services connected with it.
In the privacy statement we use terminology such as ‘processing’ and ‘controller’. The definition of these terms can be found in Article 4 of the EU General Data Protection Regulation (GDPR).
Our websites include the following:
www.derbsw.de
www.derbsw.com
www.der-bsw.de
www.der-bsw.com
www.thebsw.de
www.thebsw.eu
https://onlineschulung.derbsw.de
www.bsw-preis-wirtschaftsjournalismus.de
This privacy statement applies only to the websites listed above. These websites may contain links to third-party websites, to which our privacy statement does not extend. When you leave our websites, we recommend that you read carefully the data protection policy of each website that collects personal data.
Controller
The operator of the websites,
Bundesverband für strukturierte Wertpapiere e.V.
Pariser Platz 3
10117 Berlin
Germany
presse@derbsw.de
is the controller for the personal data of users of the websites in accordance with Article 4, paragraph 7 of the GDPR.
Type of data processed
We collect data and process it for specific purposes. The different types of personal data that may be collected include the following:
- user data (for example first name, surname, email address);
- usage data (for example websites visited, interest in content, access times);
- metadata/communications data (for example information on terminal equipment, IP addresses).
Categories of data subjects
Visitors and users of the online service (data subjects will hereinafter also be referred to as ‘users’).
There are three categories:
- users with access to the members’ area;
- users with access to online training;
- others.
The different categories of users have access to different areas of our online service. However, for many areas it is not necessary to be allocated to a specific category.
Purpose of processing
We collect and process data for the following purposes:
- providing the online service, its functions and specific content;
- answering enquiries through our contact page;
- communicating with users;
- security measures.
Terminology used
‘Personal data’ means all information relating to an identified or identifiable natural person (hereinafter ‘data subject’).
‘Processing’ is any operation (automated or manual) or set of operations performed on personal data.
‘Pseudonymisation’ is the processing of personal data in such a way that any data that identifies the data subject is kept separately and cannot be technically brought together.
‘Profiling’ means any form of automated processing of personal data consisting of the use of this personal data to evaluate certain personal aspects relating to a natural person, especially to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable legal bases
In accordance with Article 13 of the GDPR, we, the German Structured Securities Association (Bundesverband für strukturierte Wertpapiere, BSW), inform you of the legal bases for our processing of data.
If the legal basis is not mentioned explicitly in the privacy statement, the legal basis for the obtaining of consent is Article 6, paragraph 1 (a) and Article 7 of the GDPR. The legal basis for processing, when this is necessary for the performance of our services and to implement measures provided for in a contract, in addition to responding to enquiries, is Article 6, paragraph 1 (b) of the GDPR.
The legal basis for the processing of data in order to comply with our legal obligations is Article 6, paragraph 1 (c) of the GDPR.
The legal basis for processing for the purposes of pursuing our legitimate interests is Article 6, paragraph 1 (f) of the GDPR.
Security measures
In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the current state of technological development, the costs of implementation and upkeep and the nature, scope, context and purposes of processing as well as the different probability and severity of the risk for the rights and freedoms of natural persons.
The measures include, in particular:
- safeguarding confidentiality;
- ensuring the integrity and availability of data by controlling physical access to that data;
- controlling access to, and entry and dissemination of, the data and ensuring its availability and its separation.
Working with processors and third parties
If, when processing data, we disclose data to other persons and business enterprises (processors or third parties), or transfer this data to these persons or business enterprises or grant access to this data, this will only take place on the basis of statutory authorisation (for example, if transmission to third parties is necessary to perform a contract, in accordance with Article 6, paragraph 1 (b) of the GDPR), or if you have given your consent, or if we are legally required to do so, or if it is for the purpose of our legitimate interests (for instance when using agents, web hosts etc.).
Sometimes we use external service providers to process your personal data. These are carefully selected and appointed by us. They are obliged to follow our instructions and are monitored on a regular basis. The data passed on to our service provider can only be used to carry out the tasks that it is engaged to perform. Specifically, we use an IT service provider (see also ‘Applicable legal bases’).
If we engage third parties to process data on the basis of a processing contract, we do so on the basis of Article 28 of the GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or this occurs when we use the services of third parties or disclose or transfer data to third parties, this will only be done if it is necessary for the performance of our contractual or pre-contractual obligations, with your consent, on the basis of a legal obligation or for the purposes of our legitimate interests. Subject to statutory or contractual authorisation, we will only leave the data in a third country if the special conditions of Article 44 et seq. of the GDPR are met. In other words, data is processed, for instance, on the basis of special guarantees, such as the official recognition of a level of data protection equivalent to that of the EU (for example via the Privacy Shield, for the United States) or compliance with officially recognised special contractual obligations (‘standard contractual clauses’).
Rights of data subjects
In accordance with Article 15 of the GDPR, you have the right to request confirmation as to whether data is being processed. In addition, you have the right to information about this data and to further information and a copy of the data.
Under Article 16 of the GDPR, you have the right to have incomplete data concerning you completed and inaccurate data rectified.
In accordance with Article 17 of the GDPR you have the right to demand the erasure of data concerning you without undue delay. Alternatively, in accordance with Article 18 of the GDPR you have the right to obtain the restriction of processing of the data.
Under Article 20 of the GDPR you have the right to receive the data concerning you, which you have provided us with, and to obtain its transfer to another controller.
You also have the right under Article 77 of the GDPR to lodge a complaint with the competent supervisory authority.
Right of withdrawal of consent
In line with Article 7, paragraph 3 of the GDPR, you have the right to withdraw your consent with future effect. A withdrawal of consent will have immediate effect on the lawfulness of the processing of your personal data.
Right to object
Under Article 21 of the GDPR you can object at any time to the future processing of data concerning you.
If the processing of your personal data by us is based on a balancing of interests, you can lodge an objection to its processing. If you exercise your right to object, we request that you state the reasons why we should not process your personal data. If your objection is well-founded, we will investigate the circumstances and cease or customise the processing of the data; otherwise we will inform you if there are compelling and legitimate grounds for continuing to process the data.
Cookies and the right to object in the case of direct marketing
Cookies are small files that are stored on a user’s computer. Various data can be stored in the cookies. The main purpose of a cookie is to store a user’s data (or that of the terminal device on which the cookie is stored) during or after the user’s visit to an online service. Temporary, session or transient cookies are cookies that are erased when a user leaves an online service and closes the browser. These cookies can store data such as the content of a shopping basket in an online shop or a login status. Permanent or persistent cookies are those that continue to be stored after the browser is closed. For instance, the login status can be saved when the user visits a site after several days. The user’s interests can also be stored in such a cookie; these are then used for measuring reach or for marketing purposes. Third-party cookies are those placed by providers other than the controller who operates the online service (whereas cookies placed by the controller are first-party cookies).
We may use temporary and permanent cookies, and we provide information on them in our privacy statement.
If users do not wish cookies to be stored on their computers, they should disable the relevant option in their browser settings. Stored cookies can be deleted from the browser’s settings. However, deleting cookies can limit the effectiveness of this online service for the user.
A general objection to the use of cookies for the purpose of online marketing can be lodged for many websites, particularly in the case of tracking, through the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The storage of cookies can also be prevented by disabling them in the browser’s settings. Please note that disabling cookies may result in you not being able to use all the functions of this online service.
The legal basis for processing your data using cookies is Article 6, paragraph 1 (f) of the GDPR.
Erasure of data
The data processed by us is erased or its processing is restricted in accordance with Articles 17 and 18 of the GDPR. Unless specifically stated in this privacy statement, the data stored by us is erased as soon as it is no longer needed for its purpose provided that there are no legal requirements to retain it. If the data is not erased because it is needed for other legally permissible purposes, its processing is restricted. This means the data is blocked and not processed for other purposes. This applies, for instance, to data that has to be retained for reasons relating to commercial or tax law.
According to the legal requirements in Germany, data is retained for ten years in line with Section 147, paragraph 1 of the German Tax Code (Abgabenordnung, AO), Section 257, paragraph 1, nos. 1 and 4 and paragraph 4 of the German Commercial Code (Handelsgesetzbuch, HGB) (books, accounting records, management reports, journal vouchers, account books, tax-related documents etc.) and six years in line with Section 257, paragraph 1, nos. 2 and 3, and paragraph 4 of the German Commercial Code (business letters).
According to the legal requirements in Austria, data is retained for seven years in line with Section 132, paragraph 1 of the Austrian Federal Tax Code (Bundesabgabenordnung, BAO) (accounting documents, receipts/invoices, ledgers, supporting documents, business papers, statement of income and expenditure etc.), for 22 years in relation to property and for ten years for documents connected with services provided electronically, and telecommunications, radio and television broadcasting services rendered to non-business enterprises in EU member states, for which the Mini-One-Stop-Shop (MOSS) scheme is used.
Making contact
When a user makes contact with us (for example, through the contact form, or by email, phone or social media) the user’s data is processed to handle and manage the enquiry in line with Article 6, paragraph 1 (b) of the GDPR. The user’s data may be stored in a customer relationship management (CRM) system or comparable enquiry management system.
We delete the enquiries when they are no longer needed. We review the necessity for retention every two years; the statutory archiving requirements also apply.
The legal basis for the processing is Article 6, paragraph 1 (f) of the GDPR. Our legitimate interest consists in answering your enquiry.
Hosting
The hosting services we use are for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services, which we use to operate this online service.
In relation to this we – or our hosting service provider – process user data, contact data, content data, usage data, metadata and communications data on users, potential customers and visitors to this online service on the basis of our legitimate interests in efficient and secure provision of this online service in accordance with Article 6, paragraph 1 (f) and Article 28 of the GDPR (processing under contract).
Collection of access data and log files
We – or our hosting services provider – collect data about each access to the server on which this service is located (server log files) on the basis of our legitimate interests within the meaning of Article 6, paragraph 1 (f) of the GDPR. The access data includes the name of the website accessed, the file, the date and time of access, the quantity of data transferred, the notification of successful access, the browser type and version, the user’s operating system, the referrer URL (the web page from which the user first arrived at the site), the IP address and the enquiring provider.
Log file information is stored for security reasons (for instance, to resolve cases of abuse or fraud) and for billing purposes.
This connection data is not used to determine the identity of the user or merged with data from other sources. It is only used to provide the website. The legal basis for the processing is Article 6, paragraph 1 (f) of the GDPR.
Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (‘Google’), to pursue our legitimate interests (the analysis, optimisation and cost-effective operation of our online service within the meaning of Article 6, paragraph 1 (f) of the GDPR). Google uses cookies. The information generated by the cookie about the use of the online service by the user is generally transmitted to and stored by Google on servers in the United States.
Google is certified under the Privacy Shield agreement, which provides a guarantee that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse the use of our online service by users, to compile reports on their activities within this website and to provide further services to us related to their use of this online service and of the internet. Pseudonymised user profiles may be created for users from the processed data.
We only use Google Analytics with enabled IP anonymisation. This means that users’ IP addresses are abbreviated within a member state of the European Union or in another state party to the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the United States and abbreviated there in exceptional cases.
The IP address transmitted by the user’s browser will not be merged with other Google data. Users can prevent cookies from being stored by changing the settings in their browser software; they can also prevent Google’s collection of the data generated by the cookie relating to their use of the online service and its processing of this data, by downloading and installing the browser plugin available through this link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google and on your options in relation to settings and objections can be found in Google’s privacy policy at https://policies.google.com/technologies/ads and in the ad settings for Google (https://adssettings.google.com/authenticated).
Users’ personal data is deleted or anonymised after 14 months.
Online presence in social media
We maintain an online presence on social networks and platforms to communicate with customers, potential customers and users who are active in these media and to enable us to inform them about our work, but also to enable us to offer a wider range of information. The terms and conditions of business and the data processing policy of the relevant operator apply when users are accessing the relevant networks and platforms.
If not otherwise stated in our privacy statement, we process users’ data if these users are communicating with us within the social networks and platforms, for example writing articles on our online services or sending us messages.
Embedding of third-party services and content
To pursue our legitimate interests (the analysis, optimisation and cost-effective operation of our online service within the meaning of Article 6, paragraph 1 (f) of the GDPR) we embed content and services such as videos (hereinafter referred to collectively as ‘content’) from third-party providers in our online service.
This is only possible if the third-party providers of this content can detect the user’s IP address, as without the IP address they could not send the content to the user’s browser. The IP address is thus necessary for the content to be displayed. We endeavour only to use content from providers that only use the IP address to deliver the content. Third-party providers may also use pixel tags (invisible graphics also known as web beacons) for statistical or marketing purposes. Information such as visitor traffic on the pages of this website can be analysed by the pixel tags. The pseudonymised information can also be stored in cookies on the user’s terminal device and contain details such as technical information on the browser and the operating system, referring websites, the time of the visit and other details on the use of our online service, and be linked to such information from other sources.
YouTube
We use videos from the YouTube platform, which is owned by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We have embedded YouTube videos in our online service, which are stored at http://www.YouTube.com and can play directly from our website. When you visit the website, YouTube receives the information that you have accessed the relevant subpage of our website. Access data is also transmitted. This takes place regardless of whether or not you are logged into a user account provided by YouTube. If you are logged in to Google, your data will be associated directly with your account. If you do not wish this data to be associated with your profile at YouTube, you have to log out before enabling the button. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research and/or customised design of its website. Such analysis takes place particularly (even for users who are not logged in) for the provision of customised advertising and to inform other users of the social network about your activities on our website. You are entitled to object to the creation of these user profiles, but you have to contact YouTube to exercise this right.
Additional information on the purpose and scope of the data collection and its processing by YouTube can be found in YouTube’s privacy policy, where you will also find other information on your rights and the options with regard to your privacy settings. Google also processes your personal data in the United States and is subject to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
Privacy policy: https://www.google.com/policies/privacy/
Opt-Out: https://adssettings.google.com/authenticated
Google Maps
Our online service has embedded maps from Google Maps, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may include users’ IP addresses and location data, but these are not collected without their consent (generally arranged through the settings of their mobile devices).
When you visit the website, Google receives the information that you have loaded the relevant subpage of our website. Access data is also transmitted. This takes place regardless of whether or not you are logged into a user account provided by Google. If you are logged into Google, your data will be directly associated with your account. If you do not wish this data to be associated with your profile at Google, you have to log out before enabling the button. Google stores your data as user profiles and uses it for the purposes of advertising, market research and/or customised design of its website. Such analysis takes place particularly (even for users not logged in) for the provision of customised advertising and to inform other users of the social network about your activities on our website. You are entitled to object to the creation of these user profiles, but you have to contact Google to exercise this right.
Further information on the purpose and scope of the data collection and its processing by the plugin provider can be obtained from the provider’s privacy policy, where you will also find other information on your rights in this respect and the options with regard to your privacy settings.
The legal basis for the processing of your data is Article 6, paragraph 1 (f) of the GDPR. The data may be processed in the United States. Google is subject to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
Privacy policy: https://www.google.com/policies/privacy/
Opt-Out: https://adssettings.google.com/authenticated
Amendment of privacy statement
We reserve the right to amend this privacy statement at any time with future effect. The current version is available on the website. Please visit the website regularly for information about the current privacy statement.
Contact details
If you have any questions, comments or queries about the collection, processing and use of your personal data by us, please contact us using the contact details provided.
Annette Abel
Bundesverband für strukturierte Wertpapiere e.V.
Pariser Platz 3
10117 Berlin
Germany
presse@derbsw.de
The German version of this privacy statement is the governing version and shall prevail whenever there is any discrepancy between the German version and the English version. The company cannot be held responsible for any misunderstanding or misinterpretation arising from the convenience translation in English language.