Please note: This English version is a convenience translation – the German version shall prevail

Privacy policy

 

Contents

 

I. Privacy policy: general section
 

  1. Data protection at a glance
  2. General notes and mandatory information about using the website
  3. Data Protection Officer
  4. Data collection on our website
  5. Analysis tools
  6. Newsletter
  7. Plugins and tools


II. Privacy policy: use of LUCID
 

  1. Login area for producers
  2. Login for auditors
  3. System operator login
  4. Login for automatic data reconciliation
  5. Login for system auditors
  6. Appointed third party login

 

I. Privacy policy: general section

1. Data protection at a glance

Our website
You visited the website www.verpackungsregister.org ('website') of the Stiftung Zentrale Stelle Verpackungsregister (Foundation Central Agency Packaging Register – ZSVR) as website operator. Our website also includes the packaging register under the name LUCID.

General notes
The following notes provide a basic overview of what happens to your personal data when you visit our website. Personal data is all data by means of which you can be personally identified.

Data collection on our website
Who is responsible for data collection on this website? Data processing on this website is carried out by the 'website operator'. The website operator is the ZSVR. You can find the ZSVR's contact details in section I.2 of this privacy policy.

How do we collect your data?
One way we collect your data is by you providing it to us. This can be, for example, data that you enter into a contact or other form (e.g. during producer registration or registration as an auditor pursuant to section 27 VerpackG (Packaging Act); for more information, refer to section II of the privacy policy regarding the use of LUCID). Other data is collected automatically by our IT systems during a visit to our website. Above all this is IT-related data (e.g. internet browser, operating system or time the site is accessed).

What do we use your data for?
Some of the data is collected in order to ensure fault-free provision of the website and to guarantee the security of the collected data against attacks. That includes data that will be used to analyse the behaviour of users of our website. We require this data to improve our services for the purpose of optimum implementation of our tasks under the Verpackungsgesetz (Packaging Act).

What rights do you have regarding your data?
You have the right at any time – within the scope of the applicable statutory provisions – to receive information free of charge about the origin, recipient and purpose of your stored personal data. In addition, you have the right to demand correction, restriction of processing or deletion of this data in accordance with statutory provisions. Under statutory provisions, you also have the right to object to processing of your personal data. You can contact us at any time on this matter and any further questions relating to data protection using the address given in the legal notice. In addition, you have the right to complain to the competent regulatory authority.

Analysis tools and tools from third-party providers
After the user has provided consent, visits to our website can be used to statistically analyse surfing behaviour. Analysis of surfing behaviour is carried out anonymously; the surfing behaviour cannot be traced back to the user. You can find detailed information about this below in section I.5.


2. General notes and mandatory information about using the website

Data protection
The ZSVR takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data by means of which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this takes place. Please note that the transmission of data on the internet (e.g. during communication via e-mail) may involve security vulnerabilities. Complete protection of data from access by third parties is not possible.

Note regarding the controller
The controller for data processing on this website in the meaning of data protection law is:

Stiftung Zentrale Stelle Verpackungsregister
(Foundation Central Agency Packaging Register)
Represented by Gunda Rachut
Öwer de Hase 18
49074 Osnabrück
Germany

Telephone: +49 541 201971-10
Fax: +49 541 201971-98
E-Mail: info@verpackungsregister.org

Registered with the Amt für regionale Landesentwicklung Weser-Ems (Office for Regional State Development Weser-Ems), no. 16/085 in the foundations register.

Withdrawal of your consent to data processing
Many data processing operations are only possible with your explicit consent. You can withdraw at any time consent that you have previously given. An informal e-mail to us, for example, is sufficient for this purpose. The lawfulness of the data processing that has taken place prior to the withdrawal remains unaffected by the withdrawal.

Right to complain to the competent regulatory authority
In the event of data protection law infringements, the data subject has the right to complain to the competent regulatory authority. The competent regulatory authority for data protection issues is the Landesbeauftragte für den Datenschutz Niedersachsen (State Office for Data Protection in Lower Saxony).


Right to data transferability
You have the right to have data that we process in an automated manner on the basis of your consent or in order to fulfil a contract delivered to you or to a third party in a customary, machine-readable format. If you request direct transmission of the data to another responsible person, this will only take place if it is technically feasible.

SSL and/or TLS encryption
This site uses SSL and/or TLS encryption for security reasons and to protect the transmission of confidential content, for example orders or inquiries which you send to us as site operators. You can recognise an encrypted connection by the fact that the address line of the browser changes from 'http://' to 'https://' and by the padlock symbol in your browser line. If SSL or TLS is activated, the data that you send to us cannot be read by third parties.


Information, correction, restriction of processing, deletion
You have the right at any time – within the scope of the applicable statutory provisions – to receive information free of charge about your stored personal data, its origin and recipient and the purpose of the data processing and, as applicable, a right to the correction, restriction of processing or deletion of this data. You can contact us at any time on this matter and any further questions on the subject of personal data using the address given above.

Advertising e-mails opt-out of the ZSVR
The use of contact data published by us within the scope of the obligation to provide a legal notice (or imprint) for the sending of unsolicited advertising and information material is hereby opted out of. The operators of the web pages expressly reserve the right to take legal action in the case of unsolicited sending of advertising information, such as through spam e-mails. 


3. Data Protection Officer

You may contact our Data Protection Officer using the following address:

Stiftung Zentrale Stelle Verpackungsregister
(Foundation Central Agency Packaging Register)
Data Protection Officer
Öwer de Hase 18
49074 Osnabrück
Germany

Telephone: +49 541 201971-10
Fax: +49 541 201971-98
E-mail: datenschutz@verpackungsregister.org


4. Data collection on our website

Cookies
In some cases, the website uses what are known as cookies. Cookies do not harm your computer and do not contain viruses. Cookies help to make our offering more user-friendly, more effective and more secure. Cookies are small text files that are placed on your computer and stored by your browser. Most of the cookies we use are session cookies. They are automatically deleted after the end of your visit to the website. Other cookies remain stored on your end device until you delete them. These cookies make it possible for us to recognise your browser the next time you visit the site.

You can set your browser in such a way that you are informed about the setting of cookies, and permit cookies only in individual cases, block the acceptance of cookies for certain cases or in general, and activate automatic deletion of cookies on closing of the browser. Deactivation of cookies may limit the functionality of this website. Cookies that are required for carrying out electronic communication or for providing certain functions that you desire (e.g. changing master data using the dashboard in the login area, cf. section II) are processed on the basis of article 6 (1) (e), (1) (f) GDPR (General Data Protection Regulation) in conjunction with section 3 BDSG (Federal Data Protection Act) and section 26 VerpackG (Packaging Act).

Server log files
Der Provider der Seiten erhebt und speichert automatisch Informationen in so genannten Server-Log-Dateien, die Ihr Browser automatisch an uns übermittelt. Dies sind:The provider of the web pages automatically collects and stores information in 'server log files', which your browser automatically transfers to us. These are:

  •      type and version of browser;
  •      operating system used;
  •      request sent by the user, consisting of an HTTP method and the requested resource (URL);
  •      website from which the user accessed our website (referrer URL);
  •      host name of the computer accessing the site;
  •      date and time of the server request;
  •      public IP address;
  •      size of the object sent back to the user

No merging of this data with other personal data of the user is performed.

Temporary storage of the IP address is necessary to enable delivery of our website to the user's end device. For this, the IP address of the user must remain stored for the duration of the session. Storage beyond this serves the purpose of optimising the website and ensuring the security of our information technology systems. The data processing activities serve the purpose of fulfilling our statutory tasks and duties pursuant to article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.

The personal data stored in the log files is deleted regularly, at the latest after seven days. Above and beyond that, we store data only to the extent we are legally obliged or entitled to. Collection of the data for provision of the website and storage thereof in the log files is essential for operation of the website. If you do not accept this, you cannot use our website.


5. Analysis tools

Matomo (formerly Piwik)
After the user has provided consent, our website uses the open source web analysis service Matomo (formerly Piwik) to analyse how our website is used. For Matomo to work, the software stores a cookie on the user's end device. Cookies are text files that are stored on the user's end device and which enable the analysis of user behaviour on the website. To this end, the information generated by the cookie about the use of our website (cf. below) is stored exclusively on our server in Germany.
When web pages of our website are accessed, the following information is stored:

  • public IP address of the end device used to access the page, shortened to two bytes and hence anonymised;
  • randomly generated visitor ID;
  • website from which the user accessed our website (referrer URL), including its top key words (the most frequently used search terms);
  • date and time the website is accessed;
  • subpages that are accessed from the website (including URL);
  • clicked-on and downloaded files;
  • web links to other websites that are used;
  • loading time of a web page or a download;
  • how long the visitor stays on the website and its subpages;
  • how frequently the website was accessed;
  • further information transmitted by the user's browser (user location: country, region, town/city; screen resolution, language settings of the browser, browser used, user agent header, time in the time zone of the user).

Matomo is set in a way that the collected public IP addresses are not entirely saved. Instead, two bytes of the IP addresses are masked (e.g.: 192.168.xxx.xxx). After masking, it is no longer possible to assign the stored IP address to the aforementioned further information collected via Matomo on the used end device, and to you as a user. A full IP address will not be stored, neither will the collected information be connected to other personal data.
The information will not be disclosed to third parties.

Data processing: purpose and legal basis
Storage of and access to Matomo cookies and the processing of the above-mentioned data allows us to analyse user behaviour on our website. The findings resulting from this provide for a continuous optimisation of the information offered on our website and its usability, and thus help to duly inform the public within the framework of our statutory tasks and duties. Anonymising the IP addresses captured, and thus the data mentioned above processed by Matomo, serves the interests of users pertaining to the protection of their personal data. The basis for storing and accessing Matomo cookies as well as the processing of the above-mentioned personal data using Matomo is your consent (cf. article 6 (1) (a) GDPR).

Withdrawal
You have the right to withdraw your consent to storing and accessing Matomo cookies, and to processing of your personal data using Matomo, at any time with forward-looking effect. This will have no effect on the lawfulness of the data processing that occurred on the basis of your consent prior to the withdrawal.

To withdraw consent, the user can delete any Matomo cookies that have been stored on their end device and prevent Matomo cookies from being stored in future by denying the request to use of Matomo cookies when the user next visits our website. Alternatively, the user can click on the link below to opt out of the analysis of their behaviour on our website:

https://www.verpackungsregister.org/tracking-opt-out

In both cases, this will result in another cookie (a so-called 'opt-out cookie') being stored on the user's system, that will signal our system not to store the data of the user's end device. If the user deletes the opt-out cookie from their end device, they will be asked again to consent to the use of cookies next time they visit our website.


6. Newsletter

Newsletter data
If you wish to receive the newsletter offered on the website, we require an e-mail address from you. You then receive, via the e-mail address provided, a confirmation link (double opt-in process). If you are in agreement, you confirm your wish to receive the newsletter by activating the link. We use the e-mail address solely for sending the newsletter and do not pass this on to third parties.

Processing of the data entered into the newsletter registration form takes place solely on the basis of your consent (article 6 (1) (a) GDPR). You can withdraw your consent to the storage of the data, e-mail address and to the use thereof for sending the newsletter at any time, for example via the 'Unsubscribe' link in the newsletter. The lawfulness of the data processing that has already taken place remains unaffected by the withdrawal. The data provided to us by you for the purposes of obtaining the newsletter is stored by us regularly until your withdrawal, and will be deleted thereafter. Above and beyond that, we store data only to the extent we are legally obliged or entitled to. Data that we have stored for other purposes (e.g. e-mail addresses for the members area) remains unaffected by this.

MailChimp
This website uses the services of MailChimp for sending newsletters. The provider is the Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service by means of which, among other things, the dispatch of newsletters can be organised and analysed. If you enter data for the purpose of obtaining the newsletter (e.g. e-mail address), this is stored on the MailChimp servers in the USA.

MailChimp is certified in accordance with the 'EU-US Privacy Shield'. The Privacy Shield is an agreement between the European Union (EU) and the USA, which is intended to ensure compliance with European data protection standards in the USA.

With the aid of MailChimp, we can analyse our newsletter campaigns. When you open an e-mail sent with MailChimp, a file contained within the e-mail (a 'web beacon') is linked to the MailChimp servers in the USA. By this means it can be established whether a newsletter message has been opened and which links clicked on if applicable. In addition, IT-related information is collected (e.g. time accessed, IP address, type of browser and operating system). Without any additional information, this information cannot be matched to the particular newsletter recipient. It serves the sole purpose of the statistical analysis of newsletter campaigns. The results of these analyses can be used to adapt future newsletters better to the interests of the recipients.

If you do not wish an analysis by MailChimp to take place, you must cancel the newsletter. We provide a relevant link for this purpose in every newsletter message. In addition, you can also cancel the newsletter directly on the website.

This data processing takes place on the basis of your consent (article 6 (1) (a) GDPR). You can withdraw this consent at any time by cancelling the newsletter. The lawfulness of the data processing that has already taken place remains unaffected by the withdrawal. The data on you collected through MailChimp is stored by us until you have cancelled been removed from the newsletter mailing list and deleted regularly both from our servers and from the MailChimp servers after subscription has been cancelled. Above and beyond that, we store data only to the extent we are legally obliged or entitled to. Data that we have stored for other purposes (e.g. e-mail addresses for the members area) remains unaffected by this.

You can find more details in the MailChimp data provisions at: https://mailchimp.com/legal/terms/

Conclusion of a data processing agreement with MailChimp (Newsletter)
We have concluded a data processing agreement with MailChimp in which we require MailChimp to protect our customers' data and to not pass them on to third parties.


7. Plugins and tools

YouTube
Our website uses plugins of the YouTube website. The operator of such website is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit one of our pages equipped with a YouTube plugin, a link is created to the YouTube servers. In the process, the YouTube server is informed which of our sites you have visited. If you are logged into your YouTube account, you are enabling YouTube to directly allocate your surfing behaviour to your personal profile. You can prevent this by logging out of your YouTube account.


YouTube is used in order to incorporate videos into our online offerings. Insofar as it is accessible via our website, YouTube is certified according to the 'EU-US Privacy Shield'. The Privacy Shield is an agreement between the European Union (EU) and the USA, which is intended to ensure compliance with European data protection standards in the USA. The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG. Videos are included in order to optimise both the website and the information offering, so as to adequately inform the public in the interest of fulfilling our statutory tasks and duties.


You can find additional information about the handling of user data in YouTube's privacy policy at: https://www.google.com/intl/en/policies/privacy/

Google Maps
When the user clicks on the button 'calculate journey with Google Maps', the website www.google.com/maps ('Google Maps') opens in a window. We are not the provider of Google Maps; the provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ('Google'). By accessing Google Maps, map data is provided directly from Google to the user. Google is responsible under data protection law for the processing of your personal data via Google Maps.

Google Web Fonts
This website uses so-called 'web fonts' provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to display fonts uniformly. When you access a site or page, your browser loads the web fonts you need into its browser cache to display text and fonts correctly. For this purpose, the browser you use must establish a connection to Google's servers. As a result of this, Google finds out that our website was called up via your IP address. The use of Google web fonts takes place in the interest of a uniform and attractive presentation of our online offerings. This serves the purpose of the ZSVR fulfilling tasks and duties in the public interest, pursuant to article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.


Google is certified according to the 'EU-US Privacy Shield'. The Privacy Shield is an agreement between the European Union (EU) and the USA, which is intended to ensure compliance with European data protection standards in the USA. If your browser does not support web fonts, a standard font from your computer is used. Further information about Google web fonts and Google's privacy policy can be found at: https://developers.google.com/fonts/faq and https://www.google.com/intl/en/policies/privacy/

 

II. Privacy policy: use of LUCID

1. Login area for producers

The following information provides you with an overview of what happens to your personal data when you apply for and use a producer login on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy (section I).

Applications for a producer login
We collect the following data as part of the producer login application process:

  • company name/name of the producer;
  • language for e-mail communication with the producer (German/English);
  • title, academic title, first and last name of the 'authorised person';
  • first and last name of a 'contact person' within the company at the level of the producer (if not the same as the authorised person);
  • e-mail addresses as user IDs, and a login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a producer login if the mandatory fields are left blank.

We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for a producer login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for a producer login without this session cookie.

After completing the producer login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the producer login application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new producer login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

In technical terms, the producer login enables producer registration, the notification of changes to the registration data, as well as notification of the decision to permanently abandon the producer activities pursuant to section 9 VerpackG in each case, the submission of volume reports pursuant to section 10 VerpackG, as well as the submission of declarations of completeness pursuant to section 11 VerpackG, which are mandatory under the statutory requirements for producers as of 1 January 2019. Without the producer login, you cannot fulfil these statutory obligations for technical reasons.

The data is processed in order to make the producer login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). reCAPTCHA is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft. Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Producer registration
We collect the following data as part of the producer login application process:

  • title, academic title (if indicated), first and last name of the 'authorised person';
  • first and last name as well as e-mail address of up to three other 'contact persons' of the producer (if not the same as the authorised person);
  • address (street address, postcode and town/city, country, additional address details), telephone number and fax number (if indicated) of the producer;
  • VAT ID, or alternatively national taxpayer reference number; national identification number (type, e.g. commercial register number; number, authority, date of issue);
  • producer's brand(s) and brand exit date(s);
  • 'segment' of the producer's business activity (choice of four segments), if indicated;
  • declaration that the producer has fulfilled their return obligations by virtue of participation in one or more systems as defined in section 3 (16) VerpackG ('system(s)'), or one or more sector-specific solutions as defined in section 8 VerpackG ('sector-specific solution(s)');
  • declaration that the information is accurate;
  • previous registration number, if indicated.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to register as a producer if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to register as a producer. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to register as a producer without this session cookie.

Once the producer registration process is completed, and provided that the statutory requirements are met, the registration administrative act, together with your registration number, will be sent to the e-mail address specified as the user ID in the login application. The following data will be stored for this purpose: IP address, date, time at which the link was confirmed, browser language, operating system version, browser version. If the producer registration is not successfully completed within seven days of applying for the producer login, the records in the database will be deleted. A new application for producer login and inclusion in the register of producers must be made, from scratch.

The producer registration, the notification of changes to the registration data and notification of the decision to permanently abandon the producer activities pursuant to section 9 VerpackG are mandatory under the statutory requirements for producers. They are technical requirements for the submission of volume reports pursuant to section 10 VerpackG and for the submission of declarations of completeness pursuant to section 11 VerpackG, which are also mandatory under the statutory requirements for producers. The data is processed in order to allow for the registration of producers. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area
In order to use the login area, you have to log in using the primary e-mail address and the password you provided during the application process. You can use the login area as a technical tool to inform us of changes to the registration data and any decision to permanently abandon the producer activities pursuant to section 9 VerpackG, as well as to submit volume reports in accordance with section 10 VerpackG and declarations of completeness pursuant to section 11 VerpackG, as is mandatory under the statutory requirements for producers.We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The data is processed to enable the use of the producer login and producer registration. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Declaration of completeness submission
In legally required cases, declarations of completeness (hereinafter 'DoC') as per section 11 VerpackG must be submitted in the login area of LUCID ('Declaration of completeness submission' tile).

DoCs for the year 2018 must be submitted through LUCID and relate to the specific registration number of the producer in question. They do not yet require the information as set forth in section 11 (2) VerpackG, but rather the information set forth in section 10 (2) VerpackV (Packaging Ordinance). In addition, the audit certificate as well as the audit reports, all bearing a qualified electronic signature, must be submitted using the login (section 10 (1), (5) VerpackV).

DoCs for the year 2019 and beyond must be submitted through LUCID and relate to the specific registration number of the producer in question. They do require the information as set forth in section 11 (2) VerpackG. In addition, the corresponding audit reports as well as the audit confirmation, all bearing a qualified electronic signature, must be submitted using the login (section 11 (1), (3) VerpackG).

Furthermore, every DoC submission requires a reason as well as the ID and name of an auditor registered with the ZSVR (cf. section II.2 of this privacy policy); where the reason for the submission is by individual order, the file reference must also be included.

All the data that a producer files in LUCID in the context of their DoC is summarised in a so-called 'producer declaration'. LUCID sends an e-mail to the producer, with a link to download the producer declaration. The producer may than pass the producer declaration on to a registered auditor, who will audit the DoC (cf. section II.2 of this privacy policy). To make this easier, during the DoC submission process, LUCID also gives producers the option of consenting to the transmission of the information they provided in the context of the DoC to the registered auditor that they have specified. If producers have consented to this, their auditor also receives an e-mail with a link for downloading the producer declaration.

The data is processed for the purposes of submitting the DoC, based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 11 VerpackG. For the year 2018, section 10 VerpackV shall also apply. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties. As concerns the transmission of data provided by a producer who has given consent to a registered auditor, data processing is based on article 6 (1) (a) GDPR. The transmission of data in this case thus makes it easier for producers to submit their declaration of completeness.

Data reporting, section 10 VerpackG
Producers registered in LUCID are under obligation to provide the same information about packaging to the ZSVR that they provided to their system, without delay, and personally. When doing so, they must also provide at least the following information:

  • registration number;
  • type of material and mass of the participating packaging;
  • The producer can choose from the following options to specify the nature of the report:
    • initial planned volume report;
    • intra-year volume report;
    • year-end volume report;
    • supplementary volume report (where applicable);
  • name of the system in which the packaging participates;
  • period of system participation;
  • changes to the above-mentioned information;
  • where applicable, returns as per section 7 (3) VerpackG ('deduction volumes').

The reports are submitted through LUCID, under the 'Data report' option in the menu. The data is processed in order to make it possible for producers to submit their data reports. The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 10 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Transmission of data reports to systems
We give the systems the option of electronically retrieving the producer data reports relating to their specific system on our website. This data is processed in the context of the use of the producer login and producer registration. The legal basis for this is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 10 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Publication of producer data
In the interest of fulfilling our statutory tasks and duties, we publish the following producer data on our website:

  • name, address and contact details of the producer (in particular street address, postcode and town/city, country, telephone number, fax number if indicated, and e-mail address);
  • brand names under which the producer places packaging subject to system participation onto the market;
  • registration date:
    • for applications for registration received before 1 January 2019: the date on which the ZSVR received the full registration information, this date being set by default to 1 January 2019; for brand names registered prior to 1 January 2019, the date of registration is also set to 1 January 2019;
    • for applications for registration received on or after 1 January 2019 and for corresponding brand information: the date on which the ZSVR received the full registration information;
  • date of market exit in cases involving the termination of registration or, for specific brands, in the event that the brand is deleted.

The published producer data can be searched for and found on our website by third parties using the search functions provided on the website. The data will be published until a period of three years has passed starting at the end of the year in which the producer registration ends. The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 9 (4) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

With your separate consent, third parties can also query whether you are registered (yes/no) on the basis of your VAT ID no./taxpayer reference number provided during registration. The VAT ID no./taxpayer reference number will not be made accessible to third parties on the basis of this consent. This query based on your VAT ID/taxpayer reference number can be performed at the latest until the end of your registration (market exit date). This information can also only be queried if consent has been given, i.e. can no longer be accessed after its withdrawal. The legal basis for this query based on your VAT ID/taxpayer reference number is your consent pursuant to article 6 (1) (a) GDPR.

Publication of list of producers who have submitted a declaration of completeness
As from 16 May in the year following the reference year, a list of producers who have fully filed a declaration of completeness ('DoC') in the LUCID Packaging Register for a given year ('reference year') will be published on our website with the following details per reference year:

  • company name;
  • registration number;
  • postcode and city/town, country.

A declaration of completeness is deemed to be fully filed in LUCID if all documentation queried in the course of submitting the declaration of completeness has been successfully filed and if the auditor's confirmation pursuant to section 11 (1) VerpackG has not been declined. Each publication is subject to further verification of content-related accuracy.

The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 (1) no. 6 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Transmission of producer data to supervisory and law enforcement authorities
To the extent permitted by law, we will also transmit your data to the responsible supervisory authorities and law enforcement authorities, for example if there is a suspected administrative offence pursuant to section 34 VerpackG. The legal basis for this transmission is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.  In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. We use the service sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the sendinblue functions at:  https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG.


Storage period
We store producer data (including the data of the declaration of completeness, as well as the data reports provided by the producers) for at least three years after the end of the year in which the producer registration ends (market exit date), and thereafter for another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.


2. Login for auditors

The following information provides you with an overview of what happens to your personal data when you apply for and use an auditor login on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Applications for an auditor login
We collect the following data as part of the auditor login application process:

  • company name of the auditor (optional);
  • language for e-mail communication with the auditor (German/English);
  • title, academic title, first and last name of the auditor;
  • e-mail address as a user ID;
  • login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for an auditor login if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to apply for your auditor login. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for an auditor login without this session cookie. After completing the auditor login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the auditor login application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new auditor login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The auditor login is a requirement for your registration as an auditor in the register of auditors pursuant to section 27 (1) (registered experts pursuant to section 3 (15) VerpackG) and section 27 (2) VerpackG (auditors, tax advisers and sworn accountants).

The data is processed in order to make the auditor login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 26 (1) no. 27, 27 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google').reCAPTCHA is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place. The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 27, 27 VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Inclusion in the register of auditors
We collect the following data as part of the application for inclusion in the register of auditors:

  • address (street address, postcode and town/city, country, and up to three optional additional address details), telephone number (mobile or land line) and fax number (if indicated);
  • type of auditor pursuant to sections 3 (15), 27 (1) (2) VerpackG (type of expert within the meaning of section 3 (15) VerpackG: in particular a publicly appointed expert, environmental verifier or environmental verifier organisation, accredited expert, auditor, sworn accountant, tax adviser or expert in another state);
  • when selecting the environmental verifier field within the meaning of section 3 (15) no. 2 VerpackG, indication of the NACE codes; information in the document submitted by you as evidence regarding the auditor's professional certification;
  • information to prove the auditor's professional certification (e.g. date of issue of an admission or appointment notice and certifying institution).

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to register as an auditor if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to register as an auditor. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to register as an auditor without this session cookie. If the auditor registration is not successfully completed within seven days of applying for the auditor login, the records in the database will be deleted. A new application for auditor login and inclusion in the register of auditors must be made, from scratch.

Once the application for registration has been reviewed and the ZSVR has confirmed the application's readiness for approval, notice on your inclusion in the public register of auditors will be sent to the e-mail address specified as the user ID in the login application.

If you are not included in the register of auditors, you cannot legally audit or confirm any volume flow records (sections 8 (3), 17 VerpackG), certify notifications/notifications of changes for sector-specific solutions (sections 8 (1), 8 (2) VerpackG) and you are not legally authorised to audit or confirm any declarations of completeness pursuant to section 11 VerpackG. The auditing and confirmation of declarations of completeness are also not feasible from a technical perspective. The ZSVR publishes detailed instructions on the electronic filing procedure and on communication with the ZSVR on its website at www.verpackungsregister.org.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27 VerpackG. The data is processed in order to allow for the registration of auditors. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area
In order to use the login area, you have to log in using the primary e-mail address and the password you provided during the application process. You can use the login area to inform us of changes to the following master data concerning you:

  • company name of the auditor, if indicated;
  • language for e-mail communication with the auditor (German/English);
  • title, academic title, first and last name of the auditor;
  • e-mail address as a user ID;
  • login password;
  • address (street address, postcode and town/city, country, and up to three optional additional address details), telephone number (mobile or land line) and fax number (if indicated);
  • when selecting the environmental verifier (within the meaning of section 3 (15) no. 2 VerpackG) field, indication of the NACE codes;
  • transmission of document proving the auditor's professional certification;
  • information to prove the auditor's professional qualification (e.g. date of issue of an admission or appointment notice and certifying body).

You can also notify us that you have ceased your auditing activities, use your login in the future to view the producer information about which the declarations of completeness pursuant to section 11 VerpackG are based, and deposit the further audit documents relating to the declarations of completeness pursuant to section 11 VerpackG.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27 VerpackG. The data is processed to enable the use of the auditor login and auditor registration requested by you. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

You can also notify us that you have ceased your auditing activities; you can use your login to view the producer information about which the declarations of completeness pursuant to section 11 VerpackG are based; and you can deposit further audit documents relating to the declarations of completeness pursuant to section 11 VerpackG (audit confirmation with a qualified electronic signature, audit reports). We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The data is processed to enable the use of the auditor login and auditor registration requested by you. The legal basis for this is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27, 11 VerpackG. The data is processed to enable the auditor in question to perform an audit on the declaration of completeness. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Publication of your data as an auditor
Based on your consent to the publication of your auditor data prior to 1 January 2019 or, as of 1 January 2019, on the basis of the statutory obligation to maintain a public register of auditors pursuant to section 26 (1) no. 27, section 27 VerpackG, the following data concerning you will be published in the register of auditors on the website of ZSVR:

  • your full name, with title and academic title;
  • company name, if indicated;
  • your preliminary auditor ID;
  • type of auditor specified by you;
  • registration date;
    • for applications for registration received before 1 January 2019: the date on which the ZSVR received the full registration information, this date being set by default to 1 January 2019;
    • for applications for registration received on or after 1 January 2019: the date on which the ZSVR received the full registration information;
  • date of change;
  • postcode and city/town, country.

The published auditor data can be found on our website by third parties using the search functions provided on our website via a filter (last name, company name, auditor ID, type of auditor, postcode, town/city and country). The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 GDPR as well as section 26 (1) no. 27, section 27 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors

We make use of processors, in particular IT service providers, to make the login area available. We use the service sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the sendinblue functions at:  https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.


Storage period
We store auditor data in the public register of auditors for the duration of your registration and thereafter for another ten years.


3. System operator login

The following information provides you with an overview of what happens to your personal data when you apply for and use a login for an operator of a system pursuant to section 3 (16) VerpackG on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Application for a login as system operator
We collect the following data when we grant logins for system operators:

  • company name of the system operator;
  • title, academic title, first and last name of the 'main contact';
  • address of the system operator;
  • e-mail address of the main contact;
  • password (encrypted).

Mandatory fields are marked accordingly (*) in the form fields. The system operator login will facilitate mandatory data reporting pursuant to section 20 VerpackG and the retrieval of producer data reports relating to your system. Without the login, you cannot fulfil these statutory obligations for technical reasons.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR, section 3 BDSG, section 26 (1) nos. 3, 8 VerpackG, section 10 (3) VerpackG, section 20 VerpackG. The data is processed in order to make the system operator login requested by you available and to facilitate its use. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). reCAPTCHA is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google. The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed based on article 6 (1) (c), (1) (e) GDPR, section 3 BDSG, section 26 (1) nos. 3, 8 VerpackG, sections 10 (3) VerpackG, 20 VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft. Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Use of the login area
In order to use the login area, the contact person of the system operator must log in using the primary e-mail address specified in the login application and provided to them for this purpose by the ZSVR, as well as the password that they have chosen themselves. You can use the login area as a technical tool to enter additional data as master data, change this master data, and transfer a login to one of the contact persons.

The master data of the system operator includes:

  • company name of the system operator;
  • address of the system operator;
  • title, academic title, first and last name of the 'main contact';
  • e-mail address of the main contact;
  • details of an expert contact for technical questions, if indicated, and the following information, which is optional in each case: first and last name, title, academic title, telephone number, e-mail address, fax number, street address, postcode and town/city, and up to three optional additional address details;
  • details of an infrastructure contact for technical questions, if indicated, and the following information, which is optional in each case: first and last name, title, academic title, telephone number, e-mail address, fax number, street address, postcode and town/city, country, and up to three optional additional address details.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie. The legal basis for this data processing is article 6 (1) (c), (1) (f) GDPR in conjunction with section 3 BDSG and section 20 VerpackG. The data is processed in order to allow you to use the login as requested by you. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. We use the service sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the sendinblue functions at:  https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Storage period
We will store the data specified under section II.3 until the termination of the login and thereafter for another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.


4. Login for automatic data reconciliation

The following is an overview of what happens with your personal data when you apply for and use a login for automatic data reconciliation on our website, www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

The ZSVR offers automatic data reconciliation upon request. The VAT ID or taxpayer reference number provided by producers during registration can be used to search for their registration status (yes/no); the number itself is not disclosed during the automatic data reconciliation process. Retailers and other business partners can use this automated search function to find a producer's registration status to ensure that said producer's products/goods are registered in the LUCID Packaging Register and that there is no bar to distribution. Only producers that have voluntarily consented to automatic data reconciliation ('consent') are contained.

Automatic data reconciliation is a voluntary service offered by the ZSVR.

Application for login – part I
You must apply for login to use automatic data reconciliation (for information about how users can access the login area for automatic data reconciliation, cf. below). We collect the following data as part of the login application process:

  • user name;
  • company name (optional);
  • title, academic title, first and last name of the user;
  • e-mail address as user ID, and a login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a login if the mandatory fields are left blank. We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.

After completing the login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). reCAPTCHA is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (b), (1) (f) GDPR, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Application for login – part II
After the activation link is confirmed, we collect the following data as part of the application for login:

  • address (street address, postcode and town/city, country, and up to three optional additional address details).

To complete the process of applying for login, click on the 'Send application' button. You will then receive an email about your application for login. The ZSVR will subsequently decide on the application. You will be notified of the decision (login approved or rejection) by e-mail. Automatic data reconciliation requires a VAT ID or taxpayer reference number. Only the status (yes/no) of those producers that have consented (cf. above) – and have not terminated their registration (market exit date) – can be searched.

The legal basis for this data processing is article 6 (1) (b), (1) (f) GDPR. The data is processed for the purposes of the automatic data reconciliation requested by you.

Use of the login area
In order to use the login area after the login has been approved, you have to log in using the primary e-mail address and the password you provided during the application process. There you can:

  • edit the data you provided in the application;
  • enter an end date (for the end of the use of the login for automatic data reconciliation);
  • execute automatic data reconciliation by uploading an XML ('upload file') or entering the VAT IDs or taxpayer reference numbers available to you. The download file will then show the VAT IDs/taxpayer reference numbers with a yes or no regarding (registration) status;
  • cancel your login.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the sendinblue service to send e-mails. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the sendinblue servers in Germany. We use this service to log the delivery of e-mails to you.

You can find detailed information about the sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (b) GDPR.

Storage period
The files you upload will not be stored. The download file (XML output file) will be saved in LUCID until the next query for automatic data reconciliation. We will retain data pertaining to the automatic data reconciliation user for up to ten years following the query. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.


5. Login for system auditors

The following is an overview of what happens with your personal data when you apply for and use a login for system auditors on our website, www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy. Data collection for the purposes of setting up a login is handled only by employees of the ZSVR (cf. a) below). Following this, the system auditor can request the login / have the login transferred (cf. b) below).

a) System auditor data to be compiled
The clearing house for dual systems (Gemeinsame Stelle dualer Systeme Deutschlands GmbH) notifies the ZSVR of the four system auditors the clearing house has appointed for a maximum of five years. The system auditors have agreed to the transfer of data collected with the clearing house and required to set up a login.

We collect the following data when we grant logins for system auditors:

  • company name;
  • title, academic title, first and last name of the system auditor;
  • address (street address, postcode and town/city, country, and up to three optional additional address details);
  • telephone and fax number of the system auditor;
  • e-mail address of the system auditor;
  • start and end date for the period during which the system auditor will audit the system operator, and have access to system operator data and corresponding producer data to exercise auditing activities.

b) Requesting a system auditor login
System auditors can inform the ZSVR via e-mail to have their login transferred. To complete the login application and for verification purposes, the system auditor will receive an e-mail, sent to the e-mail address provided at the time the system auditor data was entered into the system. The confirmation link contained in this e-mail must be followed within 24 hours to confirm the application for the login. If the link is not accessed within 24 hours, a new link must be requested from the ZSVR. Once the link has been confirmed, the system auditor will be prompted to set a password.

Following a successful login, the system auditor will have to review, update and/or complete their master data as well as to agree to the terms of use to be able to use the login area.

We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The legal basis for this data processing is article 6 (1) (b) GDPR. The data is processed in order to make the login available.

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). reCAPTCHA is designed to check whether any data entered during the process of producer login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the sendinblue service to send e-mails. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the sendinblue servers in Germany. We use this service to log the delivery of e-mails to you.
You can find detailed information about the sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go​​​​​​​

The legal basis for this data processing is article 6 (1) (b), (1) (e) GDPR in conjunction with section 3 BDSG and section 20 (2) VerpackG.

Storage period
If no login transfer is requested, we will store the data relating to any given system auditor until the termination of the relevant login, and thereafter for up to another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

6. Appointed third party login

The following is an overview of what happens with your personal data when you apply for and use an appointed third party (section 33 VerpackG) login to submit the declaration of completeness on our website, www.verpackungsregister.org.

Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Pursuant to section 33 VerpackG, the entries for the declaration of completeness within the meaning of section 11 VerpackG can also be filed by an appointed third party for a producer. In order to carry out the filing, the appointed third party needs a login of their own to the LUCID Packaging Register (LUCID), which they apply for with the ZSVR, cf. the following. Producers can instruct an appointed third party with a login to file their declaration of completeness for them. Please refer to II.1 above – under 'Use of the login area', 'Declaration of completeness submission' – for more information.

Applications for an appointed third party login
The appointed third party's login application is carried out in two steps.

First step
At first, we collect the following data as part of the login application process:

  • company name;
  • title, academic title, first and last name of the appointed third party;
  • e-mail address of the appointed third party as the user ID;
  • login password.

Furthermore, the appointed third party will be asked to consent to the processing of the personal data they entered through the ZSVR, and to accept the terms of use. Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a login if the mandatory fields are left blank.

We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.

After completing the login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The login is a technical requirement for the appointed third-party to submit a producer declaration of completeness electronically via LUCID, as the producer's appointed third party. Without a login, an appointed third party cannot submit a declaration of completeness for a producer. The data is processed in order to make the appointed third party login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (1) to 11 (3), 33 VerpackG. 

Google reCAPTCHA
We use Google reCAPTCA ('reCAPTCHA') as part of providing the login area. The operator of reCAPTCHA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google').

reCAPTCHA is designed to check whether any data entered during the process of appointed third party login application emanates from a human or from an automated programme. To do this, reCAPTCHA analyses a website visitor's behaviour based on a variety of different criteria before ending the application for login with a picture identification procedure. The analysis begins automatically as soon as the website visitor starts to identify the pictures. As part of the analysis, reCAPTCHA evaluates a range of information (e.g. IP address, how long the visitor stays on the website or the visitor's mouse movements). Data collected during the analysis is shared with Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 4, 11 (3), 33 VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft. Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

Second step
After clicking the verification link and logging onto LUCID, we process the following data, in order to finalise the login process:

  • address (street address, postcode and town/city, country, additional address details) of the appointed third party;
  • telephone number and fax number (if indicated) of the appointed third party.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for login if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.

Once the login application is concluded, you will receive an e-mail confirming your LUCID registration. Subsequently, an employee of the ZSVR will check your data. You will be informed via another e-mail about acceptance or rejection of the login you applied for. In the event that your application is rejected, the login data filed in LUCID are deleted; the user will no longer be able to log onto the portal. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area as appointed third party
In order to use the login area, you have to log onto LUCID using the e-mail address and the password provided during the application process. You can use the login area as a technical tool to inform us of changes to the data provided during the login application process; you can also terminate your login there. In addition, you can file the data of the declarations of completeness (section 11 (1) to 11 (3) VerpackG) for one or more producers in LUCID, provided that this producer / these producers have instructed you to submit a declaration of completeness for them.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie. You will receive an e-mail via LUCID, informing you when a producer requests to instruct you to submit the declaration of completeness. After logging onto LUCID, you will see the following information below the 'Consent for appointed third party filing of declaration of completeness' button:

 

  • submission schedule of the declaration of completeness to which the request relates;
  • date of the request;
  • company name of the requesting producer;
  • first and last name of the requesting party;
  • address (street, address, postcode, town/city, country) of the requesting producer;
  • e-mail address of the requesting party.

You will then have the choice to accept the assignment or to reject the producer's request to file the declaration of completeness. You, and the producer, will both receive an e-mail on this for your information. Please refer to II.1 above for more information about declaration of completeness submission. The appointed third party's data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the sendinblue service to send e-mails. This service is provided by sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the sendinblue servers in Germany. We use this service to log the delivery of e-mails to you. You can find detailed information about the sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.


Storage period
After an appointed third party has terminated their login, we will store the login data for ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.