Privacy Notice
The European Commodity Clearing AG informs you within the scope of this privacy notice about how we (hereinafter "ECC", "We" or "Us") process your personal data, with special attention to the processing of personal data according to the general data protection regulation EU 2016/679 ("GDPR") and the applicable national data protection laws.
1. Name and address of the controller
The person responsible within the meaning of the GDPR, within other data protection laws in force in the Member States of the European Union and within other provisions of a data protection nature is:
European Commodity Clearing AG
Augustusplatz 9
04109 Leipzig
Germany
Phone: +49 341 24680 0
Fax: +49 341 24680 409
E-Mail: info@ecc.com
Link to imprint: https://www.ecc.de/en/imprint
2. Contact details of our Data Protection Officer
Our Data Protection Officer is:
European Commodity Clearing AG
Data Protection Officer
Augustusplatz 9
04109 Leipzig
Germany
E-Mail: dataprotection@eex.com
If you have any questions or comments on the subject of data protection, please contact the data protection officer.
3. Purpose, categories of personal data legal basis and retention
3.1 Purpose, categories of personal data legal basis
3.1.1 General contact by e-mail, post or telephone
In the course of any request of information, your personal data may be collected by ECC. This includes any type of personal data within the meaning of GDPR, such as contact details (surname, first name, company, position, e-mail, postal address and telephone number). The personal data that we collect from you will only be used to answer and fulfil your specific enquiries. The legal basis is Article 6 para. 1 lit. (f) GDPR, which permits the processing of personal data for the purpose of our legitimate interest in processing and answering your enquiry. Your personal data processed in this respect will be stored by us for as long as it is necessary to carry out our relationship (communication) with you and in accordance with the applicable legal storage regulations
If you contact us by telephone, we record some conversations based on legitimate interest of a proper handling of telephone transactions. You will be informed of the recording beforehand. You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, as well as to exercise any other data subjects right as mentioned in this privacy policy. The conversation records will be deleted ten years after recording.
3.1.2 Sales, Marketing:
We may use your personal data (surname, first name, company, position, e-mail, postal address and telephone number) to send you information about our services, promotions and events similar to services you are already receiving that we think may be of interest to you. We may contact you by e-mail based on our legitimate interests under Article 6 para. 1 lit. (f) GDPR if we have a direct business relationship with you or with the company for which you work, and if you have not objected. We may contact you by telephone if you have given your consent (Article 6 para. 1 lit. (a) GDPR) or on the basis of a presumed consent on the condition that you will welcome the call. We may contact you by post on the basis of our legitimate interests under Article 6 para.1 lit. (f) GDPR as long as you do not object. Your personal data processed in this respect will be stored by us for as long as it is necessary to carry out our relationship (communication) with you and in accordance with the applicable legal storage regulations
3.1.3 Newsletter:
We offer circulars, readiness newsflashes and product newsletters to keep you regularly informed about ongoing initiatives and upcoming projects and any future updates or news about products and events. You can register for the categories you would like to subscribe to on our websites by entering your email address. After entering your data, you will receive an e-mail in which you can confirm your registration in order to activate the newsletter. The prerequisite for sending the newsletter is your e-mail address. The provision of additional, separately marked data is voluntary and will be used to address you personally and to improve our newsletter content. Your personal data will be deleted as soon as it is no longer required for the purpose for which it was collected. You can unsubscribe from this service in every newsletter and withdraw your consent with effect for the future. Regarding the processing of your personal data, the relevant legal basis is your consent in accordance with Article 6 Paragraph 1 lit. a in connection with Article 7 GDPR. The opening and click rates of the newsletters are measured exclusively anonymously. It is not possible to assign them to individual newsletter recipients.
Double opt-in
Your registration is carried out using the double opt-in process in order to document your consent and prevent any misuse of your personal data. After submitting the registration form, you will receive an email to the email address you provided asking you to confirm your subscription. The legal basis is Art. 6 para. 1 lit. c) GDPR in conjunction with Art. 7 para. 1 GDPR. We are legally obliged to document your consent to receive newsletters (Art. 7 para. 1 GDPR).
If you do not confirm your subscription within 24 hours, your personal data will be deleted by us after one month.
Blacklist
If you unsubscribe from our newsletter, we will process your data, in particular your email address, as part of a "blacklist" to ensure that you do not receive any further newsletters. The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interests are based on compliance with our legal obligation to no longer send you newsletters in the future.
3.1.4 Events:
We may use your personal data (surname, first name, company, position, e-mail, postal address and telephone number) to send you an invitation to one of our events based on our legitimate interest. If you participate in our events, we collect your participant data (e.g. name, contact details, e-mail address, billing data) for the organisation and execution of the respective event. In order to carry out and organise the event, your data may also be passed on to other parties involved in the event if this is necessary (e.g. for admission control). The legal basis is Article 6 para. 1 lit. (b) GDPR, permitting the processing of personal data for the purposes of the performance of a contract. Further information may be provided in a privacy notice for the specific event, if this is necessary. Your personal data processed in this respect will be stored by us as long as it is necessary to maintain our relationship (participation in the event) with you and as long as it is necessary in accordance with the legal retention periods.
3.1.5 Applications and application procedures:
ECC collects your personal data within the recruitment process for the assessment of your application and, if an employment relationship is established, also for the execution of the employment relationship. Processing can take place by post or electronically. Please note that application documents sent by email are transmitted unencrypted. To protect your application documents during the transfer, you can contact our human resources department. We then offer you the opportunity to transmit your data to us via secure access. If the person responsible concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents shall be automatically deleted in accordance with the legal retention periods. The legal basis for processing this personal data is Article 6 para. 1 lit (b) and Article 88 GDPR in conjunction with local data protection laws.
3.1.6 Performance of contracts and services:
If you or your company want to be authorized as a customer of one of our services, we collect your personal data (first name, last name, contact details, company) to register you to our services and for the usage of our services. The sole responsible body is the respective EEX Group company with which a contract is concluded or occurs in the case of pre-contractual measures. The purposes of personal data processing are determined by the specific service or product. This may include especially assessments, consultation, trading activities, and the execution of business accounting and tolls. The legal basis for processing this personal data is Article 6 para. 1 lit. (b) GDPR, as processing is necessary to fulfill a contract or for pre-contractual measures between us and the customer. If the user is not the customer who concluded the contract with us, but an employee of the customer or otherwise authorized by the customer to use our services, the legal basis for processing is Article 6 para. 1 lit. (f) GDPR, as the processing is in the legitimate interest of the customer. The legitimate interest of the customer is to enable the user to use our services in accordance with the contract. Your personal data processed in this regard will be stored by us as long as it is necessary to carry out our relationship (registration and use of our service) with you and required by applicable statutory retention laws.
3.1.7 General use of our websites:
When you use our websites and online platforms, we will automatically log information about the browser that is used to access the website, such as your IP address, session time, pages viewed from that address and the website from which you are visiting the website. We may also collect device-specific information, such as your hardware model and operating system.
This information is required to (1) correctly deliver the content of our website, (2) optimize the content of our website and, if necessary, the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. These anonymously collected data and information are therefore evaluated statistically and additionally evaluated with the aim of increasing data protection and data security within ECC in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
For users of the SFTP Server, we record the country of origin, the address of your internet service provider (IP or URL) or the server name, the name of the website from which you are visiting us, the name of our websites that you have visited, which operating system and which browser you use, which search term you have entered and the date and duration of your visit for statistical purposes in anonymised form.
Some of our websites or online platforms also offer the possibility of user registration. If you are registered with us, you can access content and services that we only offer to registered users. In the course of the respective registration process, you provide us with further personal data. Registered users also have the option of changing or deleting the personal data provided during registration at any time if required.
We use this personal data for the operation of the website, in particular:
- for the technical support of the users / for the answering of inquiries
- for the operation and administration of our SFTP Server
- for the guarantee of network and data security, insofar as these interests are in accordance with the applicable law and with the rights and freedom of the users in each case
- for the prevention of malpractice and crime and to investigate improper conduct and detection of fraud and/or
- if we are legally obliged to do so.
The legal basis for the processing of your personal data for these purposes is Article 6 para. 1 lit. (c) GDPR in fulfilling our legal obligation to take technical and organisational measures to ensure secure data processing in accordance with Article 32 GDPR and Article 6 para. 1 lit. (f) GDPR in order to pursue our legitimate interests in data processing for network and information security. After the specified period of 30 days, the above data will be deleted. If data is processed for a longer period of time, we will anonymise or delete the data as soon as their storage no longer serves the respective purposes.
3.2 Do you have to provide personal data to us?
The provision of your personal data is necessary in order to access the protected areas of the website, which are restricted to members of our customer groups, to contact us directly or to receive a newsletter. This means that it is necessary that you give us your personal data in the context of e.g. to provide a user registration process or contract.
3.3 Do We make automated decisions on you?
We do not make any automated decisions solely on automatic processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
3.4 Retention periods
The retention periods for personal data depend on the purpose of the processing. We will store the personal data mentioned under 3.1 above as long as (i) this is necessary for the respective purpose and / or (ii) this is required in accordance with the applicable statutory retention laws. We will keep personal data that you provide us for as long as our business relationship with you or with your company exists, plus all applicable retention periods that are in accordance with the statutory provisions (e.g. based on tax regulations) or to the extent they are necessary to pursue our legitimate interests after the end of the business relationship (e.g. to assert claims within the statutory limitation periods).
4. Transfer of personal data
We will not disclose your personal data to third parties unless such disclosure is permitted by law or you have explicitly consented to the transfer.
To provide our contractual services, we use selected service providers (data processing providers) and vicarious agents of the categories listed below who have access to your personal data to the extent necessary and can use it to process the orders placed by us.
We may transfer your personal data to public authorities where this is required by applicable law (e.g. the German Stock Exchange Act (Börsengesetz) or the German Securities Trading Act (Wertpapierhandelsgesetz)). A transfer of your personal data is also permitted if there is suspicion of a criminal offence or the abuse of the services offered on our website. In this event, we shall be entitled to transfer your Personal Data to the criminal prosecution authority.
Otherwise, your personal data will be stored exclusively in our database and on our servers or on those of our commissioned data processing providers. We will only share your Personal Data with other controllers for their own purposes such as cooperation or advertising partners under the condition that you explicitly and voluntarily agreed to such transfer of your Personal Data; in this case, we will obtain your consent separately from this Notice.
Sometimes the recipients to whom we transfer your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data.
Under these conditions, recipients of your personal data can be for example:
- public bodies and institutions in the presence of a legal or regulatory obligation (e.g. financial authorities),
- other companies and service providers (processors) / vicarious agents in the following areas:
- print service providers
- telecommunications service provider
- billing service provider
- financial institutions
- collection agencies
- management consultancies as well as business and tax audit companies
- provider of the online platform
- newsletter provider
5. Cookies and similar technologies
When you visit the websites and our online platforms, information is stored on your terminal device in the form of a "cookie." Cookies are small files that are stored on your terminal device and save certain settings and data to exchange with our websites via your browser.
For example, cookies enable us to tailor a website to better match your interests or to store your password so that you do not have to re-enter it every time. As a general rule, we never collect personal data via cookies, unless you have given us your express permission to do so.
If you do not want us to recognize your terminal device, please configure your Internet browser to erase all cookies from your device, to block all cookies or to receive a warning before a cookie is stored. You will find brief instructions on how to do this below.
Please note that certain functions of our website may no longer work, or not correctly, without cookies.
5.1 Types of cookies
Cookies can be assigned to four categories, depending on their function and intended purpose: absolutely necessary cookies, performance cookies, functional cookies, and cookies for marketing purposes.
5.1.1 Absolutely necessary cookies
This category of cookies is needed for you to navigate within websites and operate basic website functions, such as the issuance of anonymous session IDs for bundling several related queries to a server.
5.1.2 Performance cookies
This category of cookies collects information on the usage of our websites, including for example the internet browsers and operating systems used, the domain name of the websites previously visited, the number of visits, the average duration of each visit, and pages called up. These cookies do not store any information that would make it possible to personally identify the user. The information collected with the aid of these cookies is aggregated and is therefore anonymous. Performance cookies serve the purpose of improving the user friendliness of a website and therefore enhancing the user’s experience. You can block the use of such cookies by creating an exclusion cookie (see “managing cookies” below).
5.1.3 Functional cookies
This category of cookies enables our websites to store information the user has already entered (such as user ID, language selection, or the user’s location), in order to offer improved, personalized functions to the user. Functional cookies are also used to enable requested functions such as playing videos and to make a user’s decision to block or disable a certain function (e.g. web analysis) - “opt-out cookies”.
5.1.4 Cookies for marketing purposes
This category of cookies is used to offer more relevant content to users, based on their specific interests. They are also used to limit the display frequency of an ad and to measure and control the effectiveness of advertising campaigns. They register whether users have visited a website or not, and which contents were used. This information may possibly also be shared with third parties, such as advertisers, for example. These cookies are often linked to the functions of third-party websites. You can block the use of such cookies by creating an opt-out cookie (see “Managing cookies” below).
5.2 Cookies on our websites and online platforms
5.2.1 Absolutely necessary cookies
Cookies-Name | Description | Retention period |
uo_id | The cookie sets an ID so that the user's consent to the use of cookies and their cookie settings can be stored in the uo_settings cookie. The cookie is technically necessary. | 1 year |
uo_settings | This cookie stores the user's consent to the use of cookies and the user's cookie settings. These are then linked to the ID from the cookie uo_id. The cookie is technically necessary. | 1 year |
SMSS_Extern-GUI | Session cookie to handle user login on ECC member area website. | Duration of the session |
oam.Flash.RENDERMAP.TOKEN | Session cookie to handle user login on ECC member area website. | Duration of the session |
atlassian.xsrf.token | Helps prevent XSRF attacks. Ensures that during a user's session, browser requests sent to a Jira server originated from that Jira server. For more information about XSRF checking by Jira, see Form Token Checking on the Atlassian Developers site. | At the end of every session or when the browser is closed. |
jira.issue.navigator.type | Tracks which type of search view was last used (i.e. simple or advanced searching). | Approximately 10 years from the date it is set or was last updated. |
AJS.conglomerate.cookie | Tracks which general tabs were last used (e.g. in Jira's plugin manager) or expansion elements were last opened or closed. | One year from the date it is set or was last updated. |
UNSUPPORTED_BROWSER_WARNING | Acknowledges that the user has read a message displayed by Jira indicating that the user's browser is not supported by Jira. | At the end of every session or when the browser is closed. |
AJS.thisPage | Indicates that the user's browser does not support local storage. This relates to a mechanism used by Jira to store field information in search views when the user clicks their browser's back button. | At the end of every session or when the browser is closed. |
5.2.2 Webanalytics
Our webanalytics (cookieless) does not set a cookie within your browser. It enables us to capture the following data:
- Capture of origin with referrer URL and campaign parameters, if applicable.
- Page views and assignment to areas based on the URL structure
- Mailto and telephone link calls, downloads and individual click events
- Scroll events per page
- Form interactions including errors per form field
- Devices and browsers used including language settings
5.3 Managing cookies
You can change your cookie preferences at any time by using the ‘Cookies Settings Manager’ at the top of this pages. You may need to refresh your page for your settings to take effect. Please note: Not all of the cookies mentioned above will necessarily be used when you browse our website using a mobile terminal device.
In the following you will find a summary of links that provide detailed information on the deactivation of cookies in commonly used browsers.
- Mozilla Firefox (https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored)
- Internet Explorer (https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies)
- Google Chrome (https://support.google.com/accounts/answer/61416?hl=en)
- Safari (https://support.apple.com/en-en/guide/safari/sfri11471/mac)
5.4 Social media
If we integrate social media in our communication and you access their services, the data protection conditions of the social media service used apply.
For a detailed description of the respective forms of data processing and your possibilities of objection (opt-out), please refer to the privacy policy information provided by social network provider as listed below.
Our option to access profiles of specific users is limited by the privacy settings of the respective social media platform of each user following one of our social media channels. The information provided on your social media profile is presumed to have been intentionally disclosed. Thus, we may use your profile information for internal report on certain campaigns. Usage of your profile information is limited to the information you have set to be publicly available on the social media site. Furthermore, we store your username as personal data every time you send us a direct message.
Legal basis for processing is Article 6 para. 1 lit. (f) GDPR, our legitimate interest.
- X: Twitter International Unlimited Company., One Cumberland Place, Fenian Street Dublin 2, D02 AX07 IRELAND; privacy policy https://x.com/en/privacy
- YouTube: Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://www.google.com/policies/privacy
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland; privacy policy: https://www.linkedin.com/legal/privacy-policy;
- Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Instagram: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; privacy policy: https://instagram.com/about/legal/privacy.
- Xing: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland; privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
6. Disclosure of personal data
Your personal data may be disclosed both within Deutsche Börse Group and within the EEX Group, on a need-to-know basis, to ensure the performance of our services. Should further group mergers with other companies occur in the future or should individual companies belonging to the group decide to establish further subsidiaries, their declaration of consent to this data protection declaration shall continue to apply insofar as compliance with a data protection level comparable with this data protection declaration is ensured.
We may also disclose your personal data to public authorities if required by applicable law. A passing on of your personal data is also permitted if there is suspicion of a criminal offence or the misuse of the services offered on our websites. In this case we are entitled to transfer your personal data to the law enforcement authority.
Otherwise, we will only pass on your personal data to others such as cooperation partners or advertising partners for their own purposes if you have expressly and voluntarily consented to the passing on of your personal data. In this case, we will request your consent separately from this privacy policy.
7. Your rights as a data subject
Under applicable data protection laws, you have rights
- of access to, rectification of, and/or erasure of your Personal Data;
- to restrict or object to its processing;
- to tell Us that you do not wish to receive marketing information; and
- (in some circumstances) to require certain of your Personal Data to be transferred to you or a third party, which you can exercise by contacting Us at the details set out at the beginning of this Notice.
To the extent Our processing of your Personal Data is based on your consent, you also have the right to withdraw your consent, without affecting the lawfulness of Our processing based on your consent before its withdrawal.
To exercise your rights, you can contact Us as set out in Section 2 above. You can also lodge a complaint about Our processing of your Personal Data with a data protection authority. A list and contact details of the local data protection authorities can be found here.
Announced in: June 2024
Downloads | |||||
---|---|---|---|---|---|
Publishing date | Title | File | |||
2024-06-28 | Privacy Notice - German | pdf (206 KB) | |||
2023-10-20 | Privacy Notice for External Suppliers (German & English) | pdf (209 KB) |