2. What does GREEN PASSION use my data for?
GREEN PASSION processes your data in accordance with all applicable data protection laws. Of course, we observe the principles of data protection law for the processing of personal data. We therefore generally only process your data for the purposes explained to you in this Data Protection Declaration or shared when we collect the data. These are mainly purchase processing and the provision, personalisation and development as well as security of our services. We also use your data within the framework of the strict Swiss, Spanish and EU data protection laws, but also for other purposes such as product development, scientific research (especially in the areas of machine learning, artificial intelligence and deep learning) and market research, for the optimisation of business processes, the needs-based design of our services and personalised advertising.
In this chapter, we also inform you of the legal basis on which we process data for the individual purposes. Depending on the legal basis for our processing of your data, you may have additional data protection rights alongside your permanent rights such as the right to information. For example, in individual cases you have the right to object to the processing of your data. You can find further information under “Which data protection rights do I have?”
2.1 Purchase processing and provision of online, local and personalised services
– The provision, personalisation and needs-based design of our services such as the GREEN PASSION webshop (including their respective websites, apps and cross-device and cross-platform functions).
– The execution of customer programmes.
– The execution of purchase agreements and customer service including dispatch and payment processing, claim management as well as the processing of returns, complaints and warranty claims.
– The provision of messages, reports, newsletters and other direct communication, insofar as these are an integral component of our contractual services or the services requested by you.
– You can request email information on the availability of out-of-stock items in the GREEN PASSION webshop.
– If applied, you will regularly receive our GREEN PASSION newsletter with information on current promotions.
– The guarantee of the general security, operability and stability of our service including defence from attacks.
– Non-promotional communication with you on technical, security-related and contractually relevant subjects (e.g. fraud warnings, account blocking or contractual changes).
– The issuing, redemption and delivery of GREEN PASSION vouchers.
– The execution of campaigns and competitions.
Insofar as the purpose relates to the execution of a contract agreed with you or the provision of a service requested by you, the legal basis is Article 6 (1) b GDPR. Otherwise, the legal basis is Article 6 (1) f GDPR, whereby we may use your personal data for the above purposes if we deem it necessary to do so for our legitimate interests.
2.2 Shopping personalisation
We process your data for the provision of comfortable and useful services which correspond as well as possible to your needs and interests.
To personalise shopping in the GREEN PASSION webshop, we may use device and access data which we collect for usage analysis. Alongside this, we also use device and access data which we receive from advertising partners while you visit the GREEN PASSION webshop. If you are logged in with your customer account while visiting the GREEN PASSION webshop, we also use profile data, interest data and shopping data to personalise your shopping experience. We refer to this form of shopping personalisation as on-site optimisation. Only such shopping personalisation allows us to present you with suitable search results, product suggestions, and other content corresponding to your actual interests. Without such shopping personalisation, as carried out today by many online shops as standard, your search for relevant products would be less convenient and more protracted and the utility of our range for you would be lower. Shopping personalisation does not, of course, prevent you from accessing all content. It does, however, allow you to see content which is more relevant to you more quickly.
The legal basis for the processing of your data for shopping personalisation within the framework of personalised services is Article 6 (1) b GDPR. The legal basis for the processing of your data within the framework of on-site optimisation is Article 6 (1) f GDPR, whereby our legitimate interests are in the above purposes.
2.3 Research, machine learning and artificial intelligence
We process the data collected on our customers for scientific research in the areas relevant to GREEN PASSION. This includes in particular the research areas of machine learning, artificial intelligence, natural language processing and deep learning. Research at GREEN PASSION concentrates on solutions to real, everyday online shopping problems and is meant to serve the improvement and development of the existing services range.
In doing this, of course, we observe recognised scientific data protection standards. This also means that we only process your data in summarised, anonymised or pseudonymised form for research purposes, for example by replacing all identifiable data such as your name with other values.
2.4 Fraud prevention, selection of payment methods and credit checks
Prevention of fraud
In order to combat the risk of data security breaches, data pertaining to users of our services is encrypted in transmission. This applies both to ordering and to registering for a customer account. For this we may use the encryption protocol SSL (Secure Sockets Layer). Encryption prevents third parties from viewing the data. To provide additional protection from external attacks, we rely on special security technologies which constantly check our systems and identify and report anomalies. We also use technical and organisational measures to secure our systems against loss, destruction, unauthorised access or distribution of customer data by unauthorised persons. In this manner we wish to keep the risk of unauthorised access as low as possible, because protecting your data is our top priority. However, we – like other companies – cannot guarantee absolute protection.
We also use technical and manual procedures for fraud prevention in order to protect us and our users from misuse of data, especially by fraudulent orders. To this end, GREEN PASSION may summarise and evaluate your device and access data (including IP address, identifiers, user behaviour), shopping data and payment details (including address and other creditworthiness data from external credit agencies) as well as the change history of your profile information (e.g. when your delivery address was last changed) under a pseudonym when executing an order. The record is also compared with your previous usage and order habits. We may also compare it to general records from all GREEN PASSION orders involving confirmed or suspected fraudulent actions. This comparison allows us to identify fraud patterns and to prevent fraud and identity theft by comparing patterns.
Following registration for a customer account, GREEN PASSION may transmit your name and your addresses as given in the profile to external credit agencies. This serves to ensure that you are actually registered and can be reached at the disclosed addresses. Typical indicators which – usually in combination – may increase the probability of attempted fraud include:
– Your delivery address was changed shortly before the submission of the order and/or is in a region with increased risk of fraud.
– Your order is particularly large and/or includes products which are subject to particularly high demand at present and/or is carried out at an unusual time for your region (e.g. at night).
– The payment methods invoice or direct debit are used for the order.
– There were suspicious login attempts on your account before the order was submitted, the pattern of which suggests automation.
– Your customer account is used from a suspicious IP address.
– Your customer account is used by an unknown or suspicious device.
If our security system suspects attempted fraud or an increased risk of fraud, the relevant procedure may be forwarded for manual investigation. Appropriate preventative measures will be taken in view of the risk of fraud (e.g. temporary blocking of the customer account or restriction of payment methods offered).
These providers collect and process data, with help from cookies and other tracking technology, to establish the end device used by the user as well as further data on the use of the website. There is therefore no assignment to a specific user.
Over the course of the order process on our website, we may request a risk assessment for the user’s end device from the database of providers. This risk assessment on the likelihood of attempted fraud considers, amongst other things, whether the end device has logged on using different service providers, whether the end device has a geo-reference which frequently changes, how many transactions were effected on the end device and whether a proxy connection is used.
If your data is processed to prevent fraud at your expense, the legal basis is Article 6 (1) b GDPR. This processing of your data otherwise occurs on the basis of Article 6 (1) f GDPR, based on our legitimate interest and that of other users in the identification and prevention of fraud and clarification of criminal offences.
Choice of payment methods
Before we show you the payment methods available for a purchase, GREEN PASSION may carry out a risk assessment and include the total costs for an order with GREEN PASSION. Your previously collected purchase data, payment details, creditworthiness data, data on your previous payment behaviour as well as your profile information (such as surname, first name, delivery and billing address, email address, date of birth) may be used to carry out the risk assessment. The assessment and evaluation will be carried out automatically using statistically justified estimates of the default risk in relation to the payment methods we offer. Within the framework of a risk assessment, GREEN PASSION may also transmit your data to external credit agencies to receive general information from these on the evaluation of the payment-specific default risks (e.g. on whether your address is plausible and up-to-date) as well as, in individual cases, creditworthiness data, perhaps on open invoices and circumstances directly resulting in a risk of payment default (e.g. insolvency, deferral due to inability to pay). Which specific creditworthiness data is taken into account in the course of the risk assessment may vary from country to country.
When deciding on the payment types offered, the total costs for the specific payment type for GREEN PASSION as well as the availability of the payment type in the relevant country are considered. It may be the case that we no longer offer certain payment types, which are associated with higher costs or other risks. The modification of available payment types contributes to lower return rates, which is more sustainable and more economic. At the same time, our customers continue to have the option of using our services, as every customer is offered at least one possible payment type and can then complete the purchase.
The default risk is assessed separately for each payment method in the form of an estimate. If the risk assessment yields a positive result, we can offer all the payment methods we generally offer. Otherwise, we will only offer you particular payment methods. Factors which may influence the availability of a payment method include:
– The combination of name and address could not be found. This may result from typing errors, moves, marriage or a change of district.
– You have given a delivery address, packing station or company address differing from the billing address.
– There are still open claims against you.
– There have been payment disruptions with particular payment methods in the past.
The risk assessment will not mean that you are not offered any payment method. If you are not in agreement with the payment methods offered, you can inform us of this in writing by letter or email to [email protected]. We will then check the decision again, taking your viewpoint into account.
If you have given consent to the processing of your data as described above for the choice of payment methods, the legal basis is Article 6 (1) a GDPR (Consent). Otherwise, the legal basis is Article 6 (1) f GDPR, based on our legitimate interest in avoiding default risks.
Notice of withdrawal
You have the right to withdraw consent to the collection of creditworthiness data for selection of the payment method. You can find more information under “Which data protection rights do I have?”
In addition to the risk assessment, GREEN PASSION may process your data before showing you the payment methods we make available for a purchase from us, in the course of an automated credit check. This check serves to prevent payment defaults and to ensure our security, as it allows us to recognise attempted fraud and other offences.
Along with data already in GREEN PASSION’s possession, creditworthiness data from external credit agencies in the form of score values is also used. Score values are statistically justified estimates of the future risk of a person defaulting and are represented as a numerical value, such as a percentage. To this end, GREEN PASSION transmits on our behalf the personal data required for a credit check (generally your first and last name, your address and if necessary your date of birth) to the external agency. Address data may also be taken into account when calculating your score. The credit agency uses the data transmitted by us to correspondingly assess your creditworthiness on the basis of mathematical-statistical procedures.
If you are not in agreement with this, you can inform us of this in writing or by email to [email protected]. We will then check the decision again, taking your viewpoint into account.
The legal basis for the credit check described above is Article 6 (1) b GDPR, because it is necessary for the execution of necessary pre-contractual measures. This processing of your data otherwise occurs on the basis of Article 6 (1) f GDPR, based on our legitimate interest and that of other users in the avoidance of payment defaults, the identification and prevention of fraud and the clarification of criminal offences.
2.5 Transfer of data on outstanding debts to collection service provider
In the event that outstanding invoices are not settled despite repeated reminders, we may transfer the data required to commission a collection service provider to a collection service provider for the purpose of collecting the debt. Alternatively, we may sell the debt to a collection service provider which is then able to file a claim in its own name.
The legal basis for transferring data within the framework of fiduciary collection services is Article 6 (1) b GDPR; data is transferred within the framework of selling debt on the basis of Article 6 (1) f GDPR.
2.6 Advertising and market research, data analysis
We use your data, also within the framework of data analysis, for advertising and market research, in particular for the following purposes:
– Classification into various target and user groups within the framework of market research (user segmentation).
– Findings on various target groups and their respective usage habits and shopping interests.
– The production of findings on demography, interests, our users’ shopping and usage habits as well as the marketing of these findings within the framework of advertising services provided to third parties.
– The early identification of trends in the areas of fashion and online shopping.
– The execution of advertising to existing customers.
– The execution of direct marketing, e.g. in the form of newsletters.
– The planning, execution and success monitoring of advertising corresponding to the interests of the target groups being addressed (personalised advertising).
– Findings as to how our services are used (usage analysis).
– The marketing of the above findings within the framework of advertising services for advertising customers.
Depending on the purpose, GREEN PASSION may use the data we have stored for data analysis. For example, we use summarised (aggregated), statistical, depersonalised (anonymised) profile information or data which can only be assigned to persons via further intermediate steps (pseudonymised profile information) as well as shopping and device and access data in order to understand and analyse purchasing processes using data analysis. This gives us anonymous or pseudonymised findings on our users’ general usage behaviour.
We process your data on the basis of balancing of interests to protect our legitimate interests or those of third parties. GREEN PASSION’s legitimate interest or that of third parties in data processing derives from the relevant purposes and is, unless otherwise indicated, of a competitive and economic nature.
If data processing for the above purposes occurs with your consent, the legal basis is Article 6 (1) a GDPR (consent). This data processing otherwise occurs on the basis of Article 6 (1) f GDPR, whereby the legitimate interests are for the above purposes.
2.7 Product and technology development
We may use your data for product and technology development including the development and improvement of personalised services. In doing this we use aggregated, pseudonymised or anonymised data and machine learning algorithms, perhaps from our research, which facilitate estimates, prognoses and analysis in the interests of our users. In this way, for example, we can develop apps which can suggest products targeted to your interests and needs and assign products which correspond to your actual interests. Data is processed in relation to product and technology development particularly for the following purposes:
– The development and improvement of personalised services and technologies for data analysis, advertising and personalised online shopping.
– The development of technologies and concepts to improve IT security, prevent fraud and improve data protection e.g. by pseudonymisation, encryption and anonymisation technologies.
– The development and testing of software solutions for the optimisation of necessary business and logistics processes.
The legal basis for the processing of your data for product and technology development purposes is Article 6 (1) f GDPR, whereby our legitimate interests are in the above purposes.
2.8 Business management and business optimisation
We transmit and process your data where necessary for administrative and logistical processes and to optimise business processes within GREEN PASSION Group in order to design these in a more efficient and legally secure way and to fulfil our contractual and legal obligations (e.g. retention obligations under commercial and tax law). Many systems and technologies are shared within GREEN PASSION Group. This allows us to offer a more economical, secure, unified and personalised service. Therefore, various companies within GREEN PASSION Group have access to your data in so far as this is necessary for the fulfilment of the purposes named in this Data Protection Declaration.
Data processing for business management and business optimisation also includes, for example, the following purposes:
– The execution and improvement of customer service.
– The prevention and clarification of criminal offences.
– Guaranteeing the security and operability of our IT systems.
The legal basis for the processing of your data for business management and optimisation is Article 6 (1) f GDPR, whereby our legitimate interests are in the above purposes. Where we process your data on the basis of legal specifications, e.g. retention obligations and money laundering tests under tax law, the legal basis is Article 6 (1) c GDPR.
2.9 On the basis of your consent
If you have given us your consent for the processing of personal data, your consent is the primary basis of our data processing. Which of your data we process on the basis of your consent depends on the purpose of your consent. Typical purposes include:
– Subscription to a newsletter.
– Participation in surveys and market research studies.
– The processing of particularly sensitive data, containing e.g. your political opinions, religious or ideological convictions or state of health.
– The recording of telephone conversations which you have e.g. with our hotline.
– The transmission of your data to third parties or to a country outside the European Union.
– The execution of a credit check (if it is not necessary for contractual fulfilment or precontractual measures).
Notices of withdrawal
– You can withdraw consent at any time with effect for the future, e.g. by e-mail, letter or fax.
– If the relevant service supports this function, you can adjust and withdraw consent to receive newsletters and other notifications in the preference centre. You can find the link to the preference centre in each newsletter. Each newsletter also contains a corresponding unsubscribe link.
– You can find further instructions under “Which data protection rights do I have?”
2.10 Other purposes
If data protection law allows it, we can use your data for new purposes such as carrying out data analyses and developing our services and content without your consent. It is a prerequisite for this that these new purposes which the data is to be used for were not fixed or foreseeable when the relevant data was collected and the new purposes are compatible with the purposes for which the relevant data was originally collected. For example, new developments in the legal or technical sphere and new business models and services may lead to new processing purposes.