Data protection information for business partners

pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

For reasons of better readability only, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

Preliminary remark

With this data protection information, we, e-mobilio GmbH (hereinafter also referred to as "e-mobilio", "we" or "us"), inform our business partners about the processing of their personal data and the rights to which they are entitled as data subjects under the data protection regulations.

With regard to the processing of personal data, the data subjects of our data processing activities and addressees of this data protection information are in particular the employees of our (potential) business partners, our (potential) project, cooperation and contractual partners, our (potential) service providers, suppliers and other companies that interact with us (hereinafter also referred to as "business partners" or "data subjects").

Personal data that e-mobilio processes on behalf of a controller is not part of this data protection information.

1. Controller for data processing & data protection officer

1.1 Joint controllers for data processing are:

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing Directors: Ralph Missy, Denis Reichel

Controller B

Name: co2.auto GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

1.2 Data protection officer

Controller A

You can reach our data protection officer using the following contact details:

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@e-mobilio.de

Controller B

You can reach our data protection officer using the following contact details:

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@co2.auto

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact our management or the supervisory authority responsible for us below:

Bavarian State Office for Data Protection Supervision (BayLDA)
P.O. Box 1349
91504 Ansbach
Telephone: +49 981 180093 0 | e-mail: poststelle@lda.bayern.de

2 Purposes and legal basis of processing
We process personal data in compliance with data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

a) On the basis of consent (Art. 6 para. 1 lit. a) GDPR)

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Consent given can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent given to us before the GDPR came into force. Please note that the revocation only takes effect for the future; processing that took place before the revocation is not affected.

Processing based on your consent is carried out, for example, to conduct customer surveys, marketing campaigns, market analyses, web tracking, competitions, contests or similar promotions and events or to send newsletters.

We may wish to collect further data from you at a later date or use it in other ways. Should this occur, we will ask for your consent in accordance with Art. 6 para. 1 lit. a in conjunction with Art. 7 GDPR and inform you accordingly. If you give us this consent, it can be revoked informally at any time.

b) In the context of the performance of a contract or in order to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR)

We process your personal data primarily for the establishment, execution and termination of the business relationship, i.e. for the fulfillment of contractual obligations and the provision of the associated services or in the context of a corresponding contract initiation, e.g. for contract negotiations, for the preparation of offers or for electronic payment transactions via e.g. online banking or PayPal for the settlement of liabilities. The specific purposes depend on the respective service or product to which the business relationship or contract initiation relates.

c) For the fulfillment of a legal obligation (Art. 6 para. 1 lit. c) GDPR)

We process your data to fulfill legal obligations, e.g. to fulfill tax control and reporting obligations, to fulfill obligations under corporate, data protection and civil law, in the event of audits by authorities and to comply with statutory retention periods. In addition, the disclosure of personal data may become necessary due to official or judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.

d) As part of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)

Where necessary, we process your personal data within our business relationships on the basis of a balancing of interests, according to which processing is permitted if it is necessary to safeguard the legitimate interests of us or third parties, provided these are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. This applies in particular to:

  • Assertion of legal claims and defense in legal disputes;
  • measures to optimize our business processes, such as maintaining a supplier or customer relationship management database
  • Measures to ensure operational security and business management;
  • Ensuring IT security and IT operations
  • Checking creditworthiness via corresponding credit agencies to assess the risk of default in business relationships
  • For the limited storage of your data if deletion is not possible or only possible with disproportionate effort due to the special type of storage.
  • Internal administrative purposes
  • Measures to improve our internal business processes and for product optimization
  • Carrying out audits and company controls
  • Managing and using customer, supplier and business partner directories

3. Categories of personal data

We mainly process the data that we receive directly from you in connection with the establishment, implementation and/or termination of the business relationship (e.g. as part of a request for a quote, order placement or contractual relationship as well as through other contact via our website, by email or telephone, at trade fairs or comparable events).

If we receive data via a third party (e.g. via a colleague of the data subject who names them as a contact person), we will inform you of the source during the initial communication.

In addition, we process - where necessary - personal data that we legitimately obtain from publicly accessible sources (e.g. commercial and association registers, press, internet) or that are legitimately transmitted to us by companies affiliated with us or by other third parties (e.g. a credit agency).

The personal data processed by us includes

  • Personal/contact data (e.g. title, first name, surname, company if applicable, (company) address, (mobile) telephone number, fax, e-mail, profession, position, title, academic degree)
  • For office holders: Information on the mandate, commercial register entry, date of birth, private address
  • Participation data in internal Group events
  • Records of business transactions, business partner history, project details and communication data in connection with correspondence (e-mails, correspondence, telephone calls)
  • Contract and billing data (e.g. bank details, credit card information if applicable, tax number/USt ID, invoice data, order data)
  • Data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions)
  • Identification data (e.g. identity documents) and authentication data (e.g. specimen signature)
  • Information about your financial situation (e.g. creditworthiness data)
  • Information from publicly available sources and information databases (e.g. extract from the commercial register)
  • Marketing information (contact and product preferences)
  • Depending on the business purpose, possibly also user IDs for protected areas on systems
  • As well as other data comparable to the above categories

4. Recipients or categories of recipients of the personal data

Within our company, only those persons have access to your data who need it to establish, implement and terminate our business relationship or to fulfill our contractual and legal obligations and to carry out our internal processes (e.g. sales, purchasing, logistics, financial accounting). This may also involve several departments in our company, depending on which services or products you purchase from us. Furthermore, our IT department has access to your data exclusively for technical processing.

Service providers and vicarious agents employed by us may also receive data from you for this purpose as part of order processing in accordance with Art. 28 GDPR.

As part of the processing of your orders or for the fulfillment of contracts, it is sometimes necessary for us to transfer certain data to our respective suppliers, manufacturers or distributors based in Germany, other European countries or the European Economic Area. This includes, for example, your surname, your first name and your organizational affiliation as well as your contact details in your organization.

Insofar as electronic payment transactions take place in order to record any payment orders still submitted in paper form on IT media and to process clearing transactions between the credit institutions or payment service providers using the paperless data carrier exchange procedure, the responsible employees/departments in the company (accounting), the responsible financial institution or various payment service providers such as PayPal will receive your data required for this purpose.

Furthermore, your data will be passed on within our affiliated companies as part of a joint responsibility if necessary. Detailed information on this can be found in Appendix 1.

Otherwise, data will only be passed on outside the company if this is required by law or if you have given your consent. For example, we may have to disclose certain data to authorized (public) bodies and institutions such as the tax authorities as part of our legal obligations.

5 Transfers to a third country

In principle, your personal data will only be processed within Germany, the European Union and the European Economic Area ("EEA"), where the provisions of the GDPR apply. As a rule, data is not transferred to countries, states or international organizations outside the EEA ("third country").

However, insofar as one of our service providers, or a service provider that it in turn uses, has its registered office, parent company or data centers in a third country, e-mobilio may transfer your personal data to a so-called third country in which the GDPR provisions do not apply. In such cases, data will only be transferred to third countries if the conditions of Chapter 5 (Art. 44 - 50) of the GDPR and the other provisions of the GDPR are implemented and complied with.

This applies in particular to the providers of the cloud applications we use for our company-wide communication system and for our CRM system.

Although we ensure that servers within Germany and the EU are used to store the data wherever possible, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) and processed there in this context.

We have concluded corresponding contracts with all our service providers of this kind and have also contractually agreed that guarantees in accordance with Chapter 5 (Art. 44 - 50) of the GDPR on data protection must always be in place with their contractual partners in compliance with the European level of data protection. We will provide you with a copy of these guarantees on request.

6 Duration of data storage

We process and store your data for as long as it is necessary to fulfill the purposes mentioned in section 2 and as long as it is necessary for the establishment, implementation and termination of our business relationship or for the fulfillment of our (pre-)contractual and legal obligations. It should be noted that many of our business relationships are long-term. If the data is no longer required for these contractual or legal obligations, it is regularly deleted or destroyed, unless its - temporary - further processing is required for the following purposes:

  • Fulfillment of retention obligations under commercial and tax law, which may arise, for example, from: German Commercial Code (HGB), German Fiscal Code (AO), German Money Laundering Act (GwG). The retention and documentation periods specified there are generally two to ten years. The retention and documentation periods are, for example, ten years for accounting records and six years for commercial or business letters.
  • Preservation of evidence within the framework of the statutory limitation periods. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists and provided that there are no storage and documentation obligations to the contrary.

Personal data collected on the basis of consent will be processed until consent is withdrawn. The withdrawal of consent does not affect the lawfulness of the processing carried out until the withdrawal.

7 Your rights

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to notification under Art. 19 GDPR and the right to data portability under Art. 20 GDPR.

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The data protection supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, telephone +49 (0) 981 180093-0.

If your personal data is processed on the basis of your consent, you are entitled under Art. 7 GDPR to revoke your consent at any time, without giving reasons, with effect for the future. This does not affect processing that took place before you withdrew your consent. Please also note that we may have to retain certain data for a certain period of time in order to comply with legal requirements (see section 6).

Insofar as your personal data is processed in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR to safeguard legitimate interests, you also have the right to object to the processing of this personal data at any time in accordance with Art. 21 GDPR for reasons arising from your particular situation. We will then no longer process this personal data unless there are compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defense of legal claims.

To assert your rights or if you have further questions about data processing, you can contact our data protection officer using the contact details provided in section 1 of this data protection information.

8 Voluntary provision of data

The provision of your personal data for the establishment and execution of the business relationship is neither legally nor contractually required, nor are you obliged to provide this data.

However, if you are in a direct business relationship with us, you must provide the personal data that is necessary for the establishment and implementation of a business relationship and the fulfillment of the associated contractual obligations.

Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.

If it is a business relationship with a company that you represent, you must provide us with the personal data that is required for the commencement and execution of a representation/authorization and the fulfillment of the associated contractual obligations. Without this data, we will generally have to reject you as an authorized representative or cancel an existing authorization.

9 Automated decision-making / profiling

We do not use automated decision-making in accordance with Art. 22 GDPR to establish, implement and terminate the business relationship. We also do not use profiling.

Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.

10. Changes to this data protection information

e-mobilio reserves the right to change this data protection information at any time.

Attachments:

Appendix 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR


Appendix 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR

1. Preamble

There is a cooperation between the controllers in the areas of marketing, customer service and finance & controlling or the entire accounting processes, such as financial accounting including accounts receivable and accounts payable and electronic payment transactions and payment of bonuses to end customers and commissions to affiliated companies and business partners, in accordance with Art. 26 GDPR in conjunction with Art. 4 No. 7 GDPR (cooperation between two or more controllers in the processing of personal data). As it is possible or necessary for the joint controllers to gain access to your personal data as part of this collaboration, they are jointly responsible for the protection of your personal data with regard to the processes described below. The main contents of the agreement between the controllers to fulfill their obligations under the GDPR are also described below.

2 Joint controllers

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Gisela-Stein-Str. 21, 81671 Munich, Germany
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing directors: Ralph Missy, Denis Reichel

Controller B

Name: co2.auto GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing Directors: Ralph Missy, Denis Reichel

3. Purposes and description of the processing

The processing serves the purpose of the proper, legally prescribed financial accounting of the companies. Financial accounting as a sub-area of business accounting determines the overall operating result within the meaning of Section 239 HGB by recording all business transactions and thus fulfills the legally prescribed documentary function.

The parties cooperate closely in all relevant areas of finance and controlling, including but not limited to: payment of CO2 bonuses to end customers, payment of commissions for sales to e-mobilio or business partners, controlling, accounts receivable or accounts payable invoices, electronic payment transactions (instant invoice, direct debit, PayPal, online banking, Klarna, Amazon), granting bank authorization, financial accounting, credit cards, accounts payable or accounts payable invoices, insurance claims, prepayment and dunning.

However, it should be noted that there is no overarching central Finance & Controlling department for the parties together. The parties each have their own Finance & Controlling department. There is no strict separation in the cooperation. For various reasons, areas are also processed by the respective partner.

In this respect, controlling performs planning, coordination and control tasks in order to provide company management with relevant information. This forms the basis for the optimal and rational management of the company. The KPIs (Key Performance Indicators) are processed across all locations for this purpose. Using Microsoft's Excel and PowerBI software, company data from any source is analyzed and compiled into reports with key performance indicators for company management and investors.

4. Groups of people affected

The groups of data subjects of controllers A and B are employees pursuant to Section 26 (8) BDSG, contractual partners, customers, suppliers and service providers.

5. Categories of personal data

Within the scope of joint controllership, only data related to the processing of Finance & Controlling (see section 3) is processed. This may include the following personal data or categories of data:

Contractual partners, customers, suppliers and service providers: first and last name, private contact data, business contact data, address data, telecommunications data such as e-mail, telephone, etc., customer type, customer number, industry, contract data, sales data, cost unit data, invoice data, bank details, credit card data, delivery and payment terms, contact history, creditworthiness data, performance data, ID data.

Employees: First and last name, private contact data, business contact data, address data, telecommunications data such as e-mail, telephone, etc., personnel number, contract data, sales data, cost unit data, invoice data, bank details, credit card data, delivery and payment conditions, contact history, performance data, ID card data.

6. Joint responsibility and assignment of responsibilities for process sections

Even if there is joint responsibility, the data controllers must fulfill the data protection obligations in accordance with their respective responsibilities for the individual process steps described below.

6.1 In the context of joint controllership, Controller A is responsible for the processing of personal data in the following process stages:

  • Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
  • Storage of the data: Storage of the data in our own systems.
  • Processing / use of the data: Collection and processing / evaluation of the data of the groups of persons named above; forwarding of the data to the relevant departments of the responsible parties (Finance & Controlling; management of the parties in accordance with the existing rights and roles concept) or to third parties in the form of tax consultants and auditors and authorities to be involved such as tax offices; printing, copying, archiving, deletion and destruction of the data and documents within the framework of the legal requirements.
  • Deletion of data: In accordance with the deletion concept.

6.2 Within the scope of joint controllership, Controller B is responsible for the processing of personal data in the following process stages:

  • Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
  • Storage of the data: Storage of the data in the applicant management system or in our own data storage systems.
  • Processing / use of the data: Collection and processing / evaluation of the data of the groups of persons named above; forwarding of the data to the relevant departments of the responsible parties (Finance & Controlling; management of the parties in accordance with the existing rights and roles concept) or to third parties in the form of tax consultants and auditors and authorities to be involved such as tax offices; printing, copying, archiving, deletion and destruction of the data and documents within the framework of the legal requirements.
  • Deletion of data: In accordance with the deletion concept.

6.3 The controllers are jointly responsible for the process sections described below:

  • Determining the purpose of data processing, determining the categories of personal data concerned, guaranteeing the rights of data subjects in accordance with Art. 15, 16, 17, 18, 19, 20 and 21 GDPR, documenting the technical and organizational measures in accordance with Art. 32 GDPR, risk assessment and (if necessary) carrying out data protection impact assessments in accordance with Art. 35 GDPR, as well as coordination with the supervisory authorities, evaluation and monitoring of processors in accordance with Art. 28 GDPR, provision and documentation of records of processing activities in accordance with Art. 30 GDPR, evaluation and communication in the event of data breaches in accordance with Art. 33, 34 GDPR.

7. Agreements of the controllers regarding their data protection obligations

7.1 Information obligations pursuant to Art. 13 and 14 GDPR

In accordance with the contractual agreements, the controllers shall provide the data subjects with the information required under Art. 13 and 14 GDPR in a transparent and easily understandable form. Each controller shall provide the other controller with all necessary information from its sphere of activity.

7.2 Contact point for the assertion of data subject rights in accordance with the GDPR

The controllers may designate a contact point to which data subjects can turn to assert their rights under the GDPR. Irrespective of this agreement, data subjects can always assert their rights under Art. 26 (3) GDPR against each of the controllers. The controllers shall inform each other immediately of any claims asserted by data subjects and provide each other with all information necessary for processing.

7.3 Technical and organizational measures

The controllers have agreed to comply with all legal requirements in accordance with Art. 32 GDPR with the help of suitable technical and organizational measures in order to ensure an appropriate level of protection for the processing of personal data.

7.4 Further data protection obligations under the GDPR

The controllers have undertaken to support each other in complying with the contractually agreed provisions and all applicable data protection regulations and to coordinate accordingly. This applies in particular to the following areas:

  • Measures in the event of any data protection breaches;
  • Cooperation with the competent data protection authorities;
  • Creation and maintenance of processing directories;
  • Coordination in the event of any deletion of personal data (statutory retention periods, etc.);
  • Involvement of contract processors;
  • Cooperation with the respective data protection officers;
  • Obligation of all persons involved in data processing to maintain confidentiality.