Data protection information on joint responsibility

pursuant to Art. 26 para. 2 GDPR

1. preamble

There is a cooperation between e-mobilio GmbH and ADAC SE as data controllers for marketing purposes and to increase the efficiency of ADAC's advertising activities in accordance with Art. 26 GDPR in conjunction with Art. 4 No. 7 GDPR (cooperation between two or more data controllers in the processing of personal data). As it is possible or necessary for the joint controllers to gain access to your personal data as part of this cooperation, they are jointly responsible for the protection of your personal data with regard to the processes described below. The main contents of the agreement between the controllers to fulfill their obligations under the GDPR are also described below.

2 General information

2.1 Joint controllers

Controller A Controller B
Name: e-mobilio GmbH Name: ADAC SE
Address: 
Gisela-Stein-Str. 21
81671 Munich

Address: Hansastr. 19 80686 Munich

E-Mail: info@e-mobilio.de 

E-Mail: adac@adac.de 

Phone: +49 89 / 25555560

Phone: +49 89 / 7676 0

Managing Director:

See extract from the commercial register under 4 b) (HRB 251000, Munich Local Court, available at www.handelsregister.de)

Managing Director:

See commercial register excerpt under 4 b) (HRB 225321, Munich Local Court, available at www.handelsregister.de)

(hereinafter also referred to as "e-mobilio") (hereinafter also referred to as "ADAC")

e-mobilio and ADAC are hereinafter also referred to individually as "Party" and jointly as the "Parties".

2.2 Description of the processing

ADAC calls up a tracking script on the ADAC website (https://www.adac.de/rund-ums-fahrzeug/e-angebote/wallbox/) in advance of the jointly responsible processing operation, which sets a cookie (by its processor Piwik Pro GmbH ("Piwik"), which registers statistical data on user behavior on the ADAC website until the user jumps to the e-mobilio website (https://www.adac.wallbox-kaufen.shop).

The ADAC is responsible for setting and processing the data collected by the cookie on the ADAC website. Likewise, the further processing of the data collected by means of Piwik tracking by ADAC is the sole responsibility of ADAC, which in this respect alone decides on the purposes and means of processing.

The jointly responsible processing procedure is as follows:

e-mobilio sets a second tracking script on its website, which is called as soon as e-mobilio registers the user's switch from the ADAC website to the e-mobilio website (using a URL with "client=adac").

A cookie (by the processor Piwik) collects information on the e-mobilio website, on the booking route marked for the ADAC by means of the URL parameter "client=adac", during the order process. The information that a request has been made is transmitted to ADAC together with product-related data ("conversion data") and behavioral information of the user ("analytics data").

Following the jointly responsible processing procedure, ADAC then combines the two parts of the data packets using cross-domain tracking in Piwik's analytics system. On the basis of the combined data packages, the efficiency of ADAC's advertising activities is to be evaluated in relation to the actual visits to the e-mobilio website and, in future, possibly also the orders actually placed there.

Both parties have the following technical options:

  • ADAC provides e-mobilio with the tracking script. The script activates a tag manager container on the e-mobilio website, which ADAC can use to activate and configure tracking. ADAC can terminate tracking immediately (e.g. in the event of a breach of responsibility by e-mobilio).
  • The data collected on the e-mobilio website is stored exclusively in the ADAC's analytics system (Piwik). The e-mobilio does not receive access to the data; the ADAC shares information derived from the collected data with the e-mobilio in the form of statistical evaluations, presentations of results or verbal formats at most.
  • e-mobilio only implements the tracking script on the application pages marked with "client=adac" in the URL after the user has given effective consent to e-mobilio. In the event of a breach of responsibility by ADAC, e-mobilio may remove the ADAC tracking script from its pages and thereby immediately prevent access to the user's data.
  • e-mobilio may only carry out data processing in connection with the ADAC tracking script (through its processor Piwik) with the effective consent of the user. For this purpose, e-mobilio uses a consent management platform on its websites, on which Piwik is listed as a technology in the advertising/advertising category.

The recipient of the processed data is ADAC and its affiliated companies (ADAC SE, ADAC Finanzdienste GmbH, ADAC Autovermietung GmbH, ADAC IT Service GmbH). ADAC only passes on the processed data to the following recipients or categories of recipients: Piwik Pro and, if applicable, other processors authorized by the partner.

2.3 Purpose of the processing

The parties have the common goal of increasing the efficiency of ADAC's advertising activities on the ADAC website. To this end, ADAC and e-mobilio carry out cross-domain conversion tracking with Piwik Pro from Piwik Pro GmbH from the ADAC website (https://www.adac.de/rund-ums-fahrzeug/e-angebote/wallbox/) to the e-mobilio website (https://www.adac.wallbox-kaufen.shop).

The processing is carried out for the following marketing purposes:

  • ADAC processes the data received from e-mobilio for statistical product analysis, optimization and increasing ad and campaign efficiency, e.g. to see which marketing campaigns on the ADAC website have led to how many leads on the e-mobilio website.
  • e-mobilio collects and transmits the data to ADAC in order to enable ADAC to carry out the statistical product analyses, optimization and increase in ad and campaign efficiency described above.

2.4 Legal basis

The basis for the processing of personal data for the processing procedure described under 2.2 and 2.3 is the consent of the user in accordance with Art. 6 para. 1 lit. a) of the General Data Protection Regulation (GDPR).

3Affectedgroups of persons

The processing operation concerns the following categories of data subjects

  • Users of the ADAC and e-mobilio website

4. categories of personal data

Within the scope of joint controllership, only data related to processing is processed. These may include the following personal data or categories of data:

  • Conversion data: Product-specific data, such as: Product; product category, type and variant (wallbox) and forms of advertising; order status, conclusion or lead; total sales/leasing rate
  • Analytics data: Session; timestamp; origin (ADAC website); user behavior on the e-mobilio website (interactions such as page views, clicks, scroll depth, dwell time).

The personal data processed does not contain any special personal data within the meaning of Art. 9 GDPR.

5 Assignment of responsibilities in accordance with the GDPR

Even if there is joint responsibility, the parties must fulfill the data protection obligations according to their respective responsibilities for the individual process stages described below.

Requirement of the GDPR Assignment of responsibility
Art. 5 para. 1 lit. a) (principle of lawfulness, fairness and transparency) Each party is responsible for compliance with the principles of lawfulness, fairness and transparency in relation to its sphere of influence.
Art. 5 para. 1 lit. b) (Principle of purpose limitation) Each party is responsible, with regard to its sphere of influence, for ensuring that the data transmitted to it is processed in accordance with the purpose limitation principle.
Art. 5 para. 1 lit. c) (Principle of data minimization) Each party is responsible for compliance with the principle of data minimization within its sphere of influence.
Art. 5 para. 1 lit. d) (Principle of accuracy) Each party is responsible for compliance with the principle of accuracy within its sphere of influence.
Art. 5 para. 1 lit. e) (Principle of storage limitation) Each party shall be responsible for compliance with the principle of storage limitation in relation to its sphere of influence.
Art. 5 para. 1 lit. f) (Principle of integrity and confidentiality) Each party is responsible for compliance with the principle of integrity and confidentiality within its sphere of influence.
Art. 5 para. 2 (Accountability) Each party is accountable for its respective responsibilities under Art. 5 para. 1 GDPR in accordance with Art. 5 para. 2 GDPR.
Art. 6 - 11

e-mobilio is obliged to obtain effective consent from the user for the collection of data collected via Piwik tracking on the e-mobilio website and its transmission to ADAC. In particular, e-mobilio must specify the type of data, ADAC and its affiliated companies as recipients of the data and the purposes described in section 2.3 in the consent text.

e-mobilio is obligated to document any consents granted and to provide ADAC with documentation of consents granted at any time upon request.

With regard to each user, e-mobilio undertakes to only and exclusively process analytics data and conversion data.

Art. 12 - 14 (Transparency) With regard to its sphere of influence, each party is responsible for informing the data subjects of the processing in accordance with Art. 12 to 14 GDPR.
Art. 15 (Right of access) The parties shall assist each other in responding to any requests for information and shall provide the other party with the information necessary to respond.
Art. 16 (Right to rectification) The parties shall assist each other in responding to any claims of data subjects and shall provide the other party with the information necessary to respond in accordance with the law.
Art. 17 (Right to erasure) including any additional obligations arising from applicable data protection laws The parties shall assist each other in responding to any claims by data subjects and shall provide the other party with the information necessary to respond in accordance with the law.
Art. 18 (Right to restriction of processing) including any additional obligations arising from applicable data protection laws The parties shall assist each other in responding to any claims from data subjects and shall provide the other party with the information necessary to respond in accordance with the law.
Art. 19 (Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing) Each party shall fulfill any notification obligations within its sphere of influence.
Art. 20 (Right to data portability) including any additional obligations arising from applicable data protection laws The parties shall support each other in responding to any claims by data subjects and shall provide the other party with the information required to respond in accordance with the law.
Art. 21 (Right to object)

Each party is responsible for the legally compliant response to any objections (in particular compliance with Art. 21 para. 1 sentence 2 GDPR) in accordance with Art. 21 GDPR within its sphere of influence, if applicable.

The parties shall inform each other immediately of any objections received pursuant to Art. 21 GDPR and shall support each other in dealing with the objections in accordance with the law (in particular with regard to compliance with Art. 21 para. 1 sentence 2 GDPR).

Art. 22 (Automated decisions in individual cases including profiling) Each party is responsible for compliance with Art. 22 GDPR within its sphere of influence (if applicable).
Art. 24 (Responsibility of the controller) Each party is obliged to obligate its employees who have access to personal data to confidentiality in writing and to provide regular training with regard to applicable data protection laws, in particular the GDPR.
Art. 25 (Data protection through technology design and data protection-friendly default settings) Each party is responsible for compliance with Art. 22 GDPR within its sphere of influence.
Art. 28 (Processor) If a party uses a processor, it must impose obligations on the processor regarding data protection, confidentiality and data security that meet the requirements of Art. 28, 29 GDPR.
Art. 30 (record of processing activities) Each party is responsible for mapping the processing operation in its record of processing activities.
Art. 32 (Security of processing) Each party is responsible, within its sphere of influence, for the security of processing in the context of the processing operation.
Art. 33 (Notification of personal data breaches to the supervisory authority) Each party shall be responsible, within its sphere of influence, for any necessary notifications of personal data breaches in the context of the processing operation to the supervisory authority in accordance with Art. 33 GDPR.
Art. 34 (Notification of a personal data breach to the data subject) Each party is responsible, within its sphere of influence, for any necessary notifications to data subjects in accordance with Art. 34 GDPR.
Art. 35 (Data protection impact assessment) The parties assume that a data protection impact assessment is not required. Should they change this assessment, they will jointly carry out a data protection impact assessment.
Art. 36 (Prior consultation) See above point.
Chapter V (Transfers of personal data to third countries or international organizations) Each party is responsible, within its sphere of influence, for compliance with the provisions of Chapter V of the GDPR if a third country transfer takes place.