skip to main content

Privacy policy

Contents

I. Privacy policy: general section

II. Privacy policy: use of LUCID

I. Privacy policy: general section

1. Data protection at a glance

Our website
You visited the website www.verpackungsregister.org ('website') of the Stiftung Zentrale Stelle Verpackungsregister (Foundation Central Agency Packaging Register – ZSVR) as website operator. Our website also includes the packaging register under the name LUCID.

General notes
The following notes provide a basic overview of what happens to your personal data when you visit our website. Personal data is all data by means of which you can be personally identified.

Data collection on our website
Who is responsible for data collection on this website? Data processing on this website is carried out by the 'website operator'. The website operator is the ZSVR. You can find the ZSVR's contact details in section I.2 of this privacy policy.

How do we collect your data?
One way we collect your data is by you providing it to us. This can be, for example, data that you enter into a contact or other form (e.g. during producer registration or registration as an auditor pursuant to section 27 VerpackG (Packaging Act); for more information, refer to section II of the privacy policy regarding the use of LUCID). Other data is collected automatically by our IT systems during a visit to our website. Above all this is IT-related data (e.g. internet browser, operating system or time the site is accessed).

What do we use your data for?
Some of the data is collected in order to ensure fault-free provision of the website and to guarantee the security of the collected data against attacks. That includes data that will be used to analyse the behaviour of users of our website. We require this data to improve our services for the purpose of optimum implementation of our tasks under the Verpackungsgesetz (Packaging Act).

What rights do you have regarding your data?
You have the right at any time – within the scope of the applicable statutory provisions – to receive information free of charge about the origin, recipient and purpose of your stored personal data. In addition, you have the right to demand correction, restriction of processing or deletion of this data in accordance with statutory provisions. Under statutory provisions, you also have the right to object to processing of your personal data. You can contact us at any time on this matter and any further questions relating to data protection using the address given in the legal notice. In addition, you have the right to complain to the competent regulatory authority.

Analysis tools and tools from third-party providers
After the user has provided consent, visits to our website can be used to statistically analyse surfing behaviour. Analysis of surfing behaviour is carried out anonymously; the surfing behaviour cannot be traced back to the user. You can find detailed information about this below in section I.5.

2. General notes and mandatory information about using the website

Data protection
The ZSVR takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data by means of which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this takes place. Please note that the transmission of data on the internet (e.g. during communication via e-mail) may involve security vulnerabilities. Complete protection of data from access by third parties is not possible.

Note regarding the controller
The controller for data processing on this website in the meaning of data protection law is:

Stiftung Zentrale Stelle Verpackungsregister
(Foundation Central Agency Packaging Register)
Represented by Gunda Rachut
Öwer de Hase 18
49074 Osnabrück
Germany

Telephone: +49 541 201971-10
Fax: +49 541 201971-98
E-Mail: info@verpackungsregister.org

Registered with the Amt für regionale Landesentwicklung Weser-Ems (Office for Regional State Development Weser-Ems), no. 16/085 in the foundations register.

Withdrawal of your consent to data processing
Many data processing operations are only possible with your explicit consent. You can withdraw at any time consent that you have previously given. An informal e-mail to us, for example, is sufficient for this purpose. The lawfulness of the data processing that has taken place prior to the withdrawal remains unaffected by the withdrawal.

Right to complain to the competent regulatory authority
In the event of data protection law infringements, the data subject has the right to complain to the competent regulatory authority. The competent regulatory authority for data protection issues is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).

Right to data transferability
You have the right to have data that we process in an automated manner on the basis of your consent or in order to fulfil a contract delivered to you or to a third party in a customary, machine-readable format. If you request direct transmission of the data to another responsible person, this will only take place if it is technically feasible.

SSL and/or TLS encryption
This site uses SSL and/or TLS encryption for security reasons and to protect the transmission of confidential content, for example orders or inquiries which you send to us as site operators. You can recognise an encrypted connection by the fact that the address line of the browser changes from 'http://' to 'https://' and by the padlock symbol in your browser line. If SSL or TLS is activated, the data that you send to us cannot be read by third parties.

Information, correction, restriction of processing, deletion
You have the right at any time – within the scope of the applicable statutory provisions – to receive information free of charge about your stored personal data, its origin and recipient and the purpose of the data processing and, as applicable, a right to the correction, restriction of processing or deletion of this data. You can contact us at any time on this matter and any further questions on the subject of personal data using the address given above.

Advertising e-mails opt-out of the ZSVR
The use of contact data published by us within the scope of the obligation to provide a legal notice (or imprint) for the sending of unsolicited advertising and information material is hereby opted out of. The operators of the web pages expressly reserve the right to take legal action in the case of unsolicited sending of advertising information, such as through spam e-mails.

3. Data Protection Officer

You may contact our Data Protection Officer using the following address:

Stiftung Zentrale Stelle Verpackungsregister
(Foundation Central Agency Packaging Register)
Data Protection Officer
Öwer de Hase 18
49074 Osnabrück
Germany

Telephone: +49 541 201971-10
Fax: +49 541 201971-98
E-mail: datenschutz@verpackungsregister.org

4. Data collection on our website
 

Cookies
In some cases, the website uses what are known as cookies. Cookies do not harm your computer and do not contain viruses. Cookies help to make our offering more user-friendly, more effective and more secure. Cookies are small text files that are placed on your computer and stored by your browser. Most of the cookies we use are session cookies. They are automatically deleted after the end of your visit to the website. Other cookies remain stored on your end device until you delete them. These cookies make it possible for us to recognise your browser the next time you visit the site.

You can set your browser in such a way that you are informed about the setting of cookies, and permit cookies only in individual cases, block the acceptance of cookies for certain cases or in general, and activate automatic deletion of cookies on closing of the browser. Deactivation of cookies may limit the functionality of this website. Cookies that are required for carrying out electronic communication or for providing certain functions that you desire (e.g. changing master data using the dashboard in the login area, cf. section II) are processed on the basis of article 6 (1) (e), (1) (f) GDPR (General Data Protection Regulation) in conjunction with section 3 BDSG (Federal Data Protection Act) and section 26 VerpackG (Packaging Act).

Server log files
The provider of the web pages automatically collects and stores information in 'server log files', which your browser automatically transfers to us. These are:

  • type and version of browser;
  • operating system used;
  • request sent by the user, consisting of an HTTP method and the requested resource (URL);
  • website from which the user accessed our website (referrer URL);
  • host name of the computer accessing the site;
  • date and time of the server request;
  • public IP address;
  • size of the object sent back to the user
  • no merging of this data with other personal data of the user is performed.

Temporary storage of the IP address is necessary to enable delivery of our website to the user's end device. For this, the IP address of the user must remain stored for the duration of the session. Storage beyond this serves the purpose of optimising the website and ensuring the security of our information technology systems. The data processing activities serve the purpose of fulfilling our statutory tasks and duties pursuant to article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.

The personal data stored in the log files is deleted regularly, at the latest after seven days. Above and beyond that, we store data only to the extent we are legally obliged or entitled to. Collection of the data for provision of the website and storage thereof in the log files is essential for operation of the website. If you do not accept this, you cannot use our website.

5. Analysis tools

Matomo (formerly Piwik)
After the user has provided consent, our website uses the open source web analysis service Matomo (formerly Piwik) to analyse how our website is used. For Matomo to work, the software stores a cookie on the user's end device. Cookies are text files that are stored on the user's end device and which enable the analysis of user behaviour on the website. To this end, the information generated by the cookie about the use of our website (cf. below) is stored exclusively on our server in Germany.

When web pages of our website are accessed, the following information is stored:

  • public IP address of the end device used to access the page, shortened to two bytes and hence anonymised;
  • randomly generated visitor ID;
  • website from which the user accessed our website (referrer URL), including its top key words (the most frequently used search terms);
  • date and time the website is accessed;
  • subpages that are accessed from the website (including URL);
  • clicked-on and downloaded files;
  • web links to other websites that are used;
  • loading time of a web page or a download;
  • how long the visitor stays on the website and its subpages;
  • how frequently the website was accessed;
  • further information transmitted by the user's browser (user location: country, region, town/city; screen resolution, language settings of the browser, browser used, user agent header, time in the time zone of the user).

Matomo is set in a way that the collected public IP addresses are not entirely saved. Instead, two bytes of the IP addresses are masked (e.g.: 192.168.xxx.xxx). After masking, it is no longer possible to assign the stored IP address to the aforementioned further information collected via Matomo on the used end device, and to you as a user. A full IP address will not be stored, neither will the collected information be connected to other personal data.
The information will not be disclosed to third parties.

Data processing: purpose and legal basis
Storage of and access to Matomo cookies and the processing of the above-mentioned data allows us to analyse user behaviour on our website. The findings resulting from this provide for a continuous optimisation of the information offered on our website and its usability, and thus help to duly inform the public within the framework of our statutory tasks and duties. Anonymising the IP addresses captured, and thus the data mentioned above processed by Matomo, serves the interests of users pertaining to the protection of their personal data. The basis for storing and accessing Matomo cookies as well as the processing of the above-mentioned personal data using Matomo is your consent (cf. article 6 (1) (a) GDPR).

Withdrawal
You have the right to withdraw your consent to storing and accessing Matomo cookies, and to processing of your personal data using Matomo, at any time with forward-looking effect. This will have no effect on the lawfulness of the data processing that occurred on the basis of your consent prior to the withdrawal.

To withdraw your consent, you can delete any Matomo cookies stored on your end device. You can also prevent future cookies from being stored by rejecting the 'Statistics' cookies in the cookie banner.

Please note: This English version is a convenience translation – the German version shall prevail

You can edit your cookie settings by clicking the following button:

Storage period
If the user has given their consent, we will store the data recorded by Matomo for 15 months. 

6. Newsletter

Newsletter data
If you wish to receive the newsletter offered on the website, we require an e-mail address from you. You then receive, via the e-mail address provided, a confirmation link (double opt-in process). If you are in agreement, you confirm your wish to receive the newsletter by activating the link. We use the e-mail address solely for sending the newsletter and do not pass this on to third parties.

Processing of the data entered into the newsletter registration form takes place solely on the basis of your consent (article 6 (1) (a) GDPR). You can withdraw your consent to the storage of the data, e-mail address and to the use thereof for sending the newsletter at any time, for example via the 'Unsubscribe' link in the newsletter. The lawfulness of the data processing that has already taken place remains unaffected by the withdrawal. The data provided to us by you for the purposes of obtaining the newsletter is stored by us regularly until your withdrawal, and will be deleted thereafter. Above and beyond that, we store data only to the extent we are legally obliged or entitled to. Data that we have stored for other purposes (e.g. e-mail addresses for the members area) remains unaffected by this.

rapidmail
This website uses the services of rapidmail for sending newsletters. This service is provided by rapidmail GmbH, Wentzingerstrasse 21, 79106 Freiburg im Breisgau, Germany. rapidmail is a service that can be used, among other things, to organise the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored exclusively on rapidmail servers in Germany.
 
With the help of rapidmail, it is possible to see whether a newsletter message has been opened and which links, if any, have been clicked on. In addition, IT-related information is collected (e.g. time the newsletter is accessed, mobile terminal's IP address, browser type and operating system). This information is used exclusively for statistical analysis of newsletter usage. The results of these analyses can be used to adapt future newsletters better to the interests of the recipients.
You can find detailed information about the rapidmail functions at: https://www.rapidmail.de/newsletter-funktionen

The data on you collected through rapidmail is stored by us until you have cancelled your newsletter subscription and will be deleted both from our servers and from the rapidmail servers after you have unsubscribed. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.
You can find more details in the rapidmail data provisions at: https://www.rapidmail.de/newsletter-marketing-dsgvo-und-datenschutz-konform


Conclusion of a data processing agreement with rapidmail (Newsletter)
We have concluded a data processing agreement with rapidmail in which we require rapidmail to protect the newsletter subscriber’s data and to not pass the data on to third parties.

7. Social media and plugins

LinkedIn. Twitter
We run LinkedIn and Twitter accounts to inform users on that platform about our work and current statutory changes. The terms and conditions of LinkedIn, Twitter and their operators are not subject to our control. We handle your data carefully on the platform, but assume no liability for the conduct of LinkedIn’s and Twitter's operator.

We expressly draw your attention to the fact that LinkedIn’s and Twitter's operators permanently stores your data outside of Germany and uses it for business purposes. The extent to which the data is stored and for how long is not apparent to us. However, you have the right to request access to this data from the social network’s operators.

Information concerning what data is processed by LinkedIn and for what purposes can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
Information concerning what data is processed by Twitter and for what purposes can be found in Twitter’s privacy policy: https://twitter.com/en/privacy

The protection of your privacy with regard to the processing of personal data is an important concern for us. We follow the discussions and reviews by the competent authorities and regularly review how we can improve our social media presence under the conditions set by data protection law. 

Google Maps
When the user clicks on the button 'calculate journey with Google Maps', the website www.google.com/maps ('Google Maps') opens in a window. We are not the provider of Google Maps; the provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ('Google'). By accessing Google Maps, map data is provided directly from Google to the user. Google is responsible under data protection law for the processing of your personal data via Google Maps.

Google Web Fonts
This website uses so-called 'web fonts' provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to display fonts uniformly. When you access a site or page, your browser loads the web fonts you need into its browser cache to display text and fonts correctly.

The web fonts are hosted locally, i.e. your browser does not connect to Google servers. The use of Google web fonts takes place in the interest of a uniform and attractive presentation of our online offerings. This serves the purpose of the ZSVR fulfilling tasks and duties in the public interest, pursuant to article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.

If your browser does not support web fonts, a standard font from your computer is used.

Further information about Google web fonts and Google's privacy policy can be found at: https://developers.google.com/fonts/faq and https://www.google.com/intl/en/policies/privacy/

II. Privacy policy: use of LUCID

Cookie notice

The LUCID Packaging Register (https://lucid.verpackungsregister.org) and the public register (https://oeffentliche-register.verpackungsregister.org and https://oeffentlicheregister.verpackungsregister.org) only use cookies that are technically necessary (cookie information). Cookies are used in order to temporarily save a file of information connected with a website locally on your computer and send this information to the server upon request. Your consent is not required for cookies that are technically necessary.

Strictly necessary cookies are essential for providing basic functions and ensure that the website functions accurately.

The legal basis for the processing of personal data using cookies that are technically necessary is article 6 (1f) GDPR.
 

1. Login area for producers

The following information provides you with an overview of what happens to your personal data when you apply for and use a producer login on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy (section I).

Applications for a producer login
We collect the following data as part of the producer login application process:

  • company name/name of the producer;
  • language for e-mail communication with the producer (German/English);
  • title, academic title, first and last name of the 'authorised person';
  • first and last name of a 'contact person' within the company at the level of the producer (if not the same as the authorised person);
  • e-mail addresses as user IDs, and a login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a producer login if the mandatory fields are left blank.

We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for a producer login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for a producer login without this session cookie.

After completing the producer login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the producer login application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new producer login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

In technical terms, the producer login enables producer registration, the notification of changes to the registration data, as well as notification of the decision to permanently abandon the producer activities pursuant to section 9 VerpackG in each case, the submission of volume reports pursuant to section 10 VerpackG, as well as the submission of declarations of completeness pursuant to section 11 VerpackG, which are mandatory under the statutory requirements for producers as of 1 January 2019. Without the producer login, you cannot fulfil these statutory obligations for technical reasons.

The data is processed in order to make the producer login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.
 

friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.

Producer registration
We collect the following data as part of the producer login application process:

  • title, academic title (if indicated), first and last name of the 'authorised person';
  • first and last name as well as e-mail address of up to three other 'contact persons' of the producer (if not the same as the authorised person);
  • address (street address, postcode and town/city, country, additional address details), phone number of the producer;
  • for international producers: information about their authorised representative, as applicable;
  • VAT number, or alternatively national taxpayer reference number; national identification number (type, e.g. commercial register number; number, authority, date of issue);
  • producer's brand(s) and brand exit date(s);
  • 'segment' of the producer's business activity (choice of four segments), if indicated;
  • declaration that the producer has fulfilled their return obligations by virtue of participation in one or more systems as defined in section 3 (16) VerpackG ('system(s)'), or one or more sector-specific solutions as defined in section 8 VerpackG ('sector-specific solution(s)');
  • declaration that the information is accurate;
  • previous registration number, if indicated.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to register as a producer if the mandatory fields are left blank.

For international producers who have appointed an authorised representative, the information about their authorised representative is taken from the latter's login.

We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to register as a producer. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to register as a producer without this session cookie.

Once the producer registration process is completed, and provided that the statutory requirements are met, the registration administrative act, together with your registration number, will be sent to the e-mail address specified as the user ID in the login application. The following data will be stored for this purpose: IP address, date, time at which the link was confirmed, browser language, operating system version, browser version. If the producer registration is not successfully completed within seven days of applying for the producer login, the records in the database will be deleted. A new application for producer login and inclusion in the register of producers must be made, from scratch.

The producer registration, the notification of changes to the registration data and notification of the decision to permanently abandon the producer activities pursuant to section 9 VerpackG are mandatory under the statutory requirements for producers. They are technical requirements for the submission of volume reports pursuant to section 10 VerpackG and for the submission of declarations of completeness pursuant to section 11 VerpackG, which are also mandatory under the statutory requirements for producers. The data is processed in order to allow for the registration of producers. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area
In order to use the login area, you have to log in using the primary e-mail address and the password you provided during the application process. You can use the login area as a technical tool to inform us of changes to the registration data and any decision to permanently abandon the producer activities pursuant to section 9 VerpackG, as well as to submit volume reports in accordance with section 10 VerpackG and declarations of completeness pursuant to section 11 VerpackG, as is mandatory under the statutory requirements for producers.We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The data is processed to enable the use of the producer login and producer registration. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Declaration of completeness submission
In legally required cases, declarations of completeness (hereinafter 'DoC') as per section 11 VerpackG must be submitted in the login area of LUCID ('Declaration of completeness submission' tile).

DoCs for the year 2018 must be submitted through LUCID and relate to the specific registration number of the producer in question. They do not yet require the information as set forth in section 11 (2) VerpackG, but rather the information set forth in section 10 (2) VerpackV (Packaging Ordinance). In addition, the audit certificate as well as the audit reports, all bearing a qualified electronic signature, must be submitted using the login (section 10 (1), (5) VerpackV).

DoCs for the year 2019 and beyond must be submitted through LUCID and relate to the specific registration number of the producer in question. They do require the information as set forth in section 11 (2) VerpackG. In addition, the corresponding audit reports as well as the audit confirmation, all bearing a qualified electronic signature, must be submitted using the login (section 11 (1), (3) VerpackG).

Furthermore, every DoC submission requires a reason as well as the ID and name of an auditor registered with the ZSVR (cf. section II.2 of this privacy policy); where the reason for the submission is by individual order, the file reference must also be included.

All the data that a producer files in LUCID in the context of their DoC is summarised in a so-called 'producer declaration'. LUCID sends an e-mail to the producer, with a link to download the producer declaration. The producer may than pass the producer declaration on to a registered auditor, who will audit the DoC (cf. section II.2 of this privacy policy). To make this easier, during the DoC submission process, LUCID also gives producers the option of consenting to the transmission of the information they provided in the context of the DoC to the registered auditor that they have specified. If producers have consented to this, their auditor also receives an e-mail with a link for downloading the producer declaration.

The data is processed for the purposes of submitting the DoC, based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 11 VerpackG. For the year 2018, section 10 VerpackV shall also apply. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties. As concerns the transmission of data provided by a producer who has given consent to a registered auditor, data processing is based on article 6 (1) (a) GDPR. The transmission of data in this case thus makes it easier for producers to submit their declaration of completeness.

Data reporting, section 10 VerpackG
Producers registered in LUCID are under obligation to provide the same information about packaging to the ZSVR that they provided to their system, without delay, and personally. When doing so, they must also provide at least the following information:

  • registration number;
  • type of material and mass of the participating packaging;
  • The producer can choose from the following options to specify the nature of the report:
    • initial planned volume report;
    • intra-year volume report;
    • year-end volume report;
    • supplementary volume report (where applicable);
  • name of the system in which the packaging participates;
  • period of system participation;
  • changes to the above-mentioned information;
  • where applicable, returns as per section 7 (3) VerpackG ('deduction volumes').

The reports are submitted through LUCID, under the 'Data report' option in the menu. The data is processed in order to make it possible for producers to submit their data reports. The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 10 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Transmission of data reports to systems
We give the systems the option of electronically retrieving the producer data reports relating to their specific system on our website. This data is processed in the context of the use of the producer login and producer registration. The legal basis for this is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 10 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Publication of producer data
In the interest of fulfilling our statutory tasks and duties, we publish the following producer data on our website:

  • name, address and contact details of the producer (in particular street address, postcode and town/city, country, telephone number, fax number if indicated, and e-mail address);
  • brand names under which the producer places packaging subject to system participation onto the market;
  • registration date:
    • for applications for registration received before 1 January 2019: the date on which the ZSVR received the full registration information, this date being set by default to 1 January 2019; for brand names registered prior to 1 January 2019, the date of registration is also set to 1 January 2019;
    • for applications for registration received on or after 1 January 2019 and for corresponding brand information: the date on which the ZSVR received the full registration information;
  • date of market exit in cases involving the termination of registration or, for specific brands, in the event that the brand is deleted;
  • authorised representative, as applicable, with their name, address and contact details as well as information about their written appointment.

The published producer data can be searched for and found on our website by third parties using the search functions provided on the website. The data will be published until a period of three years has passed starting at the end of the year in which the producer registration ends. The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 9 (4) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

With your separate consent, third parties can also query whether you are registered (yes/no) on the basis of your VAT number/taxpayer reference number provided during registration. The VAT number/taxpayer reference number will not be made accessible to third parties on the basis of this consent. This query based on your VAT number/taxpayer reference number can be performed at the latest until the end of your registration (market exit date). This information can also only be queried if consent has been given, i.e. can no longer be accessed after its withdrawal. The legal basis for this query based on your VAT number/taxpayer reference number is your consent pursuant to article 6 (1) (a) GDPR.

Publication of list of producers who have submitted a declaration of completeness
As from 16 May in the year following the reference year, a list of producers who have fully filed a declaration of completeness ('DoC') in the LUCID Packaging Register for a given year ('reference year') will be published on our website with the following details per reference year:

  • company name;
  • registration number;
  • postcode and city/town, country.

A declaration of completeness is deemed to be fully filed in LUCID if all documentation queried in the course of submitting the declaration of completeness has been successfully filed and if the auditor's confirmation pursuant to section 11 (1) VerpackG has not been declined. Each publication is subject to further verification of content-related accuracy.

The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 (1) no. 6 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Transmission of producer data to supervisory and law enforcement authorities
To the extent permitted by law, we will also transmit your data to the responsible supervisory authorities and law enforcement authorities, for example if there is a suspected administrative offence pursuant to section 34 VerpackG. The legal basis for this transmission is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and section 26 VerpackG.  In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. We use the service Sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the Sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG.


Storage period
We store producer data (including the data of the declaration of completeness, as well as the data reports provided by the producers) for at least three years after the end of the year in which the producer registration ends (market exit date), and thereafter for another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

2. Login for auditors

The following information provides you with an overview of what happens to your personal data when you apply for and use an auditor login on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Applications for an auditor login
We collect the following data as part of the auditor login application process:

  • company name of the auditor (optional);
  • language for e-mail communication with the auditor (German/English);
  • title, academic title, first and last name of the auditor;
  • e-mail address as a user ID;
  • login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for an auditor login if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to apply for your auditor login. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for an auditor login without this session cookie. After completing the auditor login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the auditor login application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new auditor login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The auditor login is a requirement for your registration as an auditor in the register of auditors pursuant to section 27 (1) (registered experts pursuant to section 3 (15) VerpackG) and section 27 (2) VerpackG (auditors, tax advisers and sworn accountants).

The data is processed in order to make the auditor login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 26 (1) no. 27, 27 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.


friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.
 

Inclusion in the register of auditors
We collect the following data as part of the application for inclusion in the register of auditors:

  • address (street address, postcode and town/city, country, and up to three optional additional address details), telephone number (mobile or land line) and fax number (if indicated);
  • type of auditor pursuant to sections 3 (15), 27 (1) (2) VerpackG (type of expert within the meaning of section 3 (15) VerpackG: in particular a publicly appointed expert, environmental verifier or environmental verifier organisation, accredited expert, auditor, sworn accountant, tax adviser or expert in another state);
  • when selecting the environmental verifier field within the meaning of section 3 (15) no. 2 VerpackG, indication of the NACE codes; information in the document submitted by you as evidence regarding the auditor's professional certification;
  • information to prove the auditor's professional certification (e.g. date of issue of an admission or appointment notice and certifying institution).

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to register as an auditor if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to register as an auditor. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to register as an auditor without this session cookie. If the auditor registration is not successfully completed within seven days of applying for the auditor login, the records in the database will be deleted. A new application for auditor login and inclusion in the register of auditors must be made, from scratch.

Once the application for registration has been reviewed and the ZSVR has confirmed the application's readiness for approval, notice on your inclusion in the public register of auditors will be sent to the e-mail address specified as the user ID in the login application.

If you are not included in the register of auditors, you cannot legally audit or confirm any volume flow records (sections 8 (3), 17 VerpackG), certify notifications/notifications of changes for sector-specific solutions (sections 8 (1), 8 (2) VerpackG) and you are not legally authorised to audit or confirm any declarations of completeness pursuant to section 11 VerpackG. The auditing and confirmation of declarations of completeness are also not feasible from a technical perspective. The ZSVR publishes detailed instructions on the electronic filing procedure and on communication with the ZSVR on its website at www.verpackungsregister.org.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27 VerpackG. The data is processed in order to allow for the registration of auditors. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area
In order to use the login area, you have to log in using the primary e-mail address and the password you provided during the application process. You can use the login area to inform us of changes to the following master data concerning you:

  • company name of the auditor, if indicated;
  • language for e-mail communication with the auditor (German/English);
  • title, academic title, first and last name of the auditor;
  • e-mail address as a user ID;
  • login password;
  • address (street address, postcode and town/city, country, and up to three optional additional address details), telephone number (mobile or land line) and fax number (if indicated);
  • when selecting the environmental verifier (within the meaning of section 3 (15) no. 2 VerpackG) field, indication of the NACE codes;
  • transmission of document proving the auditor's professional certification;
  • information to prove the auditor's professional qualification (e.g. date of issue of an admission or appointment notice and certifying body).

You can also notify us that you have ceased your auditing activities, use your login in the future to view the producer information about which the declarations of completeness pursuant to section 11 VerpackG are based, and deposit the further audit documents relating to the declarations of completeness pursuant to section 11 VerpackG.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27 VerpackG. The data is processed to enable the use of the auditor login and auditor registration requested by you. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

You can also notify us that you have ceased your auditing activities; you can use your login to view the producer information about which the declarations of completeness pursuant to section 11 VerpackG are based; and you can deposit further audit documents relating to the declarations of completeness pursuant to section 11 VerpackG (audit confirmation with a qualified electronic signature, audit reports). We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

The data is processed to enable the use of the auditor login and auditor registration requested by you. The legal basis for this is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG, sections 26 (1) no. 27, 27, 11 VerpackG. The data is processed to enable the auditor in question to perform an audit on the declaration of completeness. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Publication of your data as an auditor
Based on your consent to the publication of your auditor data prior to 1 January 2019 or, as of 1 January 2019, on the basis of the statutory obligation to maintain a public register of auditors pursuant to section 26 (1) no. 27, section 27 VerpackG, the following data concerning you will be published in the register of auditors on the website of ZSVR:

  • your full name, with title and academic title;
  • company name, if indicated;
  • your preliminary auditor ID;
  • type of auditor specified by you;
  • registration date;
    • for applications for registration received before 1 January 2019: the date on which the ZSVR received the full registration information, this date being set by default to 1 January 2019;
    • for applications for registration received on or after 1 January 2019: the date on which the ZSVR received the full registration information;
  • date of change;
  • postcode and city/town, country.

The published auditor data can be found on our website by third parties using the search functions provided on our website via a filter (last name, company name, auditor ID, type of auditor, postcode, town/city and country). The legal basis for this publication is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 GDPR as well as section 26 (1) no. 27, section 27 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors

We make use of processors, in particular IT service providers, to make the login area available. We use the service Sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the Sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.


Storage period
We store auditor data in the public register of auditors for the duration of your registration and thereafter for another ten years.

3. System operator login

The following information provides you with an overview of what happens to your personal data when you apply for and use a login for an operator of a system pursuant to section 3 (16) VerpackG on our website at www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Application for a login as system operator
We collect the following data when we grant logins for system operators:

  • company name of the system operator;
  • title, academic title, first and last name of the 'main contact';
  • address of the system operator;
  • e-mail address of the main contact;
  • password (encrypted).

Mandatory fields are marked accordingly (*) in the form fields. The system operator login will facilitate mandatory data reporting pursuant to section 20 VerpackG and the retrieval of producer data reports relating to your system. Without the login, you cannot fulfil these statutory obligations for technical reasons.

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR, section 3 BDSG, section 26 (1) nos. 3, 8 VerpackG, section 10 (3) VerpackG, section 20 VerpackG. The data is processed in order to make the system operator login requested by you available and to facilitate its use. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.
 

friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.


Use of the login area
In order to use the login area, the contact person of the system operator must log in using the primary e-mail address specified in the login application and provided to them for this purpose by the ZSVR, as well as the password that they have chosen themselves. You can use the login area as a technical tool to enter additional data as master data, change this master data, and transfer a login to one of the contact persons.

The master data of the system operator includes:

  • company name of the system operator;
  • address of the system operator;
  • title, academic title, first and last name of the 'main contact';
  • e-mail address of the main contact;
  • details of an expert contact for technical questions, if indicated, and the following information, which is optional in each case: first and last name, title, academic title, telephone number, e-mail address, fax number, street address, postcode and town/city, and up to three optional additional address details;
  • details of an infrastructure contact for technical questions, if indicated, and the following information, which is optional in each case: first and last name, title, academic title, telephone number, e-mail address, fax number, street address, postcode and town/city, country, and up to three optional additional address details.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie. The legal basis for this data processing is article 6 (1) (c), (1) (f) GDPR in conjunction with section 3 BDSG and section 20 VerpackG. The data is processed in order to allow you to use the login as requested by you. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. We use the service Sendinblue to log the dispatch and delivery of e-mails to you. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the Sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Storage period
We will store the data specified under section II.3 until the termination of the login and thereafter for another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

4. Login for register excerpt

The following is an overview of what happens with your personal data when you apply for and use a login on our website, www.verpackungsregister.org, for the purposes of creating a register excerpt. Further information about us, the ZSVR as the 'controller' for data protection purposes, and about the processing of your data each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

The ZSVR offers a register excerpt function upon request. Following registration, users can choose to either manually download an XML file containing data from the public register of producers (see below) or download this data automatically using an API. Processing and/or data reconciliation will then take place independently, on the user's own systems. The register excerpt allows retailers and other business partners to verify if producers are registered in the LUCID Packaging Register.
The register excerpt function is a voluntary service offered by the ZSVR.

Applications for a register excerpt login
To use the register excerpt, you need to apply for a login. We collect the following data as part of the login application process: 

  • user name;
  • company name (optional);
  • title, academic title, first and last name of the user;
  • user address (country, postcode and town/city, street address, additional address details);
  • e-mail address as user ID, and a login password.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a login if the mandatory fields are left blank. We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. Cookies are text files that are stored on your computer and enable us to analyse your use of our website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.
After completing the login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.


friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.


The legal basis for this data processing is article 6 (1) (b), (1) (f) GDPR. The data is processed for the purposes of the register excerpt requested by you. 

Use of the login area

In order to use the login area after the login has been approved, you have to log in using the e-mail address and the password you provided during the application process. There you can:

  • download the register excerpt as an XML file;
  • download the register excerpt automatically via an API and load it into your system;
  • cancel your login.

The XML file for download includes the version number of the interface, date and time of the data set as well as the following producer data: 

  • company name; 
  • registration number; 
  • VAT number or taxpayer reference number; 
  • the so-called 'PackagingDetailCode' (10 = only packaging subject to system participation, 20 = only packaging not subject to system participation, 30 = both). 
     

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the Sendinblue service to send e-mails. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the Sendinblue servers in Germany. We use this service to log the delivery of e-mails to you. You can find detailed information about the Sendinblue functions at: de.sendinblue.com/newsletter-software/;

The legal basis for this data processing is article 6 (1) (b) GDPR.
 

Storage period
We will retain data pertaining to a register excerpt for up to ten years following the creation of this excerpt. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

5. Login for system auditors

The following is an overview of what happens with your personal data when you apply for and use a login for system auditors on our website, www.verpackungsregister.org. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy. Data collection for the purposes of setting up a login is handled only by employees of the ZSVR (cf. a) below). Following this, the system auditor can request the login / have the login transferred (cf. b) below).

a) System auditor data to be compiled
The clearing house for dual systems (Gemeinsame Stelle dualer Systeme Deutschlands GmbH) notifies the ZSVR of the four system auditors the clearing house has appointed for a maximum of five years. The system auditors have agreed to the transfer of data collected with the clearing house and required to set up a login.

We collect the following data when we grant logins for system auditors:

  • company name;
  • title, academic title, first and last name of the system auditor;
  • address (street address, postcode and town/city, country, and up to three optional additional address details);
  • telephone and fax number of the system auditor;
  • e-mail address of the system auditor;
  • start and end date for the period during which the system auditor will audit the system operator, and have access to system operator data and corresponding producer data to exercise auditing activities.

b) Requesting a system auditor login
System auditors can inform the ZSVR via e-mail to have their login transferred. To complete the login application and for verification purposes, the system auditor will receive an e-mail, sent to the e-mail address provided at the time the system auditor data was entered into the system. The confirmation link contained in this e-mail must be followed within 24 hours to confirm the application for the login. If the link is not accessed within 24 hours, a new link must be requested from the ZSVR. Once the link has been confirmed, the system auditor will be prompted to set a password.

Following a successful login, the system auditor will have to review, update and/or complete their master data as well as to agree to the terms of use to be able to use the login area.

We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The legal basis for this data processing is article 6 (1) (b) GDPR. The data is processed in order to make the login available.
 

friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.


Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the Sendinblue service to send e-mails. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the Sendinblue servers in Germany. We use this service to log the delivery of e-mails to you.
You can find detailed information about the Sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (b), (1) (e) GDPR in conjunction with section 3 BDSG and section 20 (2) VerpackG.

Storage period
If no login transfer is requested, we will store the data relating to any given system auditor until the termination of the relevant login, and thereafter for up to another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

6. Appointed third party login

The following is an overview of what happens with your personal data when you apply for and use an appointed third party (section 35 (1) VerpackG) login to submit the declaration of completeness on our website, www.verpackungsregister.org.

Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of whether you are applying for or using your login, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy.

Pursuant to section 35 (1) VerpackG, the entries for the declaration of completeness within the meaning of section 11 VerpackG can also be filed by an appointed third party for a producer. In order to carry out the filing, the appointed third party needs a login of their own to the LUCID Packaging Register (LUCID), which they apply for with the ZSVR, cf. the following. Producers can instruct an appointed third party with a login to file their declaration of completeness for them. Please refer to II.1 above – under 'Use of the login area', 'Declaration of completeness submission' – for more information.

Applications for an appointed third party login
The appointed third party's login application is carried out in two steps.

First step
At first, we collect the following data as part of the login application process:

  • company name;
  • title, academic title, first and last name of the appointed third party;
  • e-mail address of the appointed third party as the user ID;
  • e-mail communication language;
  • login password.

Furthermore, the appointed third party will be asked to consent to the processing of the personal data they entered through the ZSVR, and to accept the terms of use. Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for a login if the mandatory fields are left blank.

We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.

After completing the login application, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the application. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to complete a new login application from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The login is a technical requirement for the appointed third-party to submit a producer declaration of completeness electronically via LUCID, as the producer's appointed third party. Without a login, an appointed third party cannot submit a declaration of completeness for a producer. The data is processed in order to make the appointed third party login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (1) to 11 (3), 33 VerpackG. 
 

friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.


Second step
After clicking the verification link and logging onto LUCID, we process the following data, in order to finalise the login process:

  • address (street address, postcode and town/city, country, additional address details) of the appointed third party;
  • telephone number and fax number (if indicated) of the appointed third party.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to apply for login if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.

Once the login application is concluded, you will receive an e-mail confirming your LUCID registration. Subsequently, an employee of the ZSVR will check your data. You will be informed via another e-mail about acceptance or rejection of the login you applied for. In the event that your application is rejected, the login data filed in LUCID are deleted; the user will no longer be able to log onto the portal. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area as appointed third party
In order to use the login area, you have to log onto LUCID using the e-mail address and the password provided during the application process. You can use the login area as a technical tool to inform us of changes to the data provided during the login application process; you can also terminate your login there. In addition, you can file the data of the declarations of completeness (section 11 (1) to 11 (3) VerpackG) for one or more producers in LUCID, provided that this producer / these producers have instructed you to submit a declaration of completeness for them.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie. You will receive an e-mail via LUCID, informing you when a producer requests to instruct you to submit the declaration of completeness. After logging onto LUCID, you will see the following information below the 'Consent for appointed third party filing of declaration of completeness' button:

  • submission schedule of the declaration of completeness to which the request relates;
  • date of the request;
  • company name of the requesting producer;
  • first and last name of the requesting party;
  • address (street, address, postcode, town/city, country) of the requesting producer;
  • e-mail address of the requesting party.

You will then have the choice to accept the assignment or to reject the producer's request to file the declaration of completeness. You, and the producer, will both receive an e-mail on this for your information. Please refer to II.1 above for more information about declaration of completeness submission. The appointed third party's data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. For example, we use the Sendinblue service to send e-mails. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Sendinblue is a service that can be used, among other things, to organise and analyse the dispatch of newsletters. The data entered by you when you subscribe to the newsletter will be stored on the Sendinblue servers in Germany. We use this service to log the delivery of e-mails to you. You can find detailed information about the Sendinblue functions at: https://de.sendinblue.com/newsletter-software/?rtype=n2go

The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 11 (3), 33 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.


Storage period
After an appointed third party has terminated their login, we will store the login data for ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

7. Login for state enforcement authorities

The following is an overview of what happens with your personal data when we provide you – as a designated person or other user from a state enforcement authority – with access to the login area for state enforcement authorities on our website www.verpackungsregister.org and you use this access. Further information about us, the ZSVR as the controller under data protection law, and about how your data is processed each time you visit our website, regardless of the provision or use of access to the login area for state enforcement authorities, as well as information about your rights in connection with data processing, can be found in the general section of this privacy policy (section I).

Login creation for a designated person
When we create a login for you as a designated person of a state enforcement authority to access the login area, we process the following personal data:

  • state enforcement authority*; organisational unit;
  • title*, academic title, first and last name*;
  • work telephone number* and fax number;
  • e-mail address as a user ID*.

Mandatory fields (*) must be filled in for us to be able to create a login.

We receive the above-mentioned personal data either from yourself or from another competent employee of your state enforcement authority.

When creating the login, we check your e-mail address against a list of permitted e-mail addresses that a competent employee of your state enforcement authority has provided us with, for security reasons.

After the login has been created, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 4 weeks to confirm the login. If the link is not accessed within 4 weeks, the records in the database will be deleted and you will have to create a new login from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

Once you have accessed the confirmation link, you will be prompted to create a password for your login. Only then will you be able to access the login area for state enforcement authorities.

The data processing described above serves the purpose of enabling you to use your login. This in turn enables the exchange of information between us and you as a representative of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. Further to this, it enables other users to gain access for the purpose of exchanging information between us and them as representatives of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. The data is processed based on article 6 (1) (e) GDPR in conjunction with section 3 BDSG as well as section 26 (1) nos. 20-21 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory duties.

Designated persons using their login
For security reasons, our login area for state enforcement authorities can only be accessed from permitted IP addresses that have been communicated to us by the state enforcement authorities. When registering an access attempt, we will check your IP address against the list of permitted IP addresses.

In order to use your login, you have to log in to LUCID using the e-mail address and the password provided during the login creation process. After five failed attempts of entering your password, your login will be blocked for five minutes for security reasons.
Also for security reasons, when your login data has been entered correctly, an e-mail will be sent to the corresponding address with a login link that will be valid for 30 minutes. Only by clicking on this link can you log in. The link expires after 30 minutes; if you have not clicked on it by then, you will have to repeat the login process. For security reasons, you will be logged out after 30 minutes of inactivity.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

When logging in for the first time, you are asked to consent to the processing of your data. If you do not consent, you will not be able to use your login.

Your login allows you to change your own data – with the exception of your state enforcement authority, your e-mail address and the declarations you submitted when you first logged in.

You can also use your login to create, manage or terminate further logins for your state enforcement authority.

The data processing described above serves the purpose of enabling you to use your login. This in turn enables the exchange of information between us and you as a representative of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. Further to this, it enables other users to gain access for the purpose of exchanging information between us and them as representatives of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. The data is processed based on article 6 (1) (e) GDPR in conjunction with section 3 BDSG as well as section 26 (1) nos. 20-21 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory duties.

Creating a login for other users
Designated persons of a state enforcement authority can use their login to create further logins for other users from their state enforcement authority.

When a designated person of your state enforcement authority creates a login for you as a user to access the login area, we process the following personal data:

  • state enforcement authority*; organisational unit;
  • title*, academic title, first and last name*;
  • work telephone number* and fax number;
  • e-mail address as a user ID*.

Mandatory fields (*) must be filled in for the designated person to be able to create a login.

When creating the login, we check your e-mail address against a list of permitted e-mail addresses that a competent employee of your state enforcement authority has provided us with, for security reasons.

We receive the above-mentioned personal data from the designated person of your state enforcement authority creating the login for you.

After the login has been created, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 4 weeks to confirm the login. If the link is not accessed within 4 weeks, the records in the database will be deleted and you will have to create a new login from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

Once you have accessed the confirmation link, you will be prompted to create a password for your login. Only then will you be able to access the login area for state enforcement authorities.

The data processing described above serves the purpose of creating your login. This in turn enables the exchange of information between us and you as a representative of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. The data is processed based on article 6 (1) (e) GDPR in conjunction with section 3 BDSG as well as section 26 (1) nos. 20-21 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory duties.

Using the login for other users
For security reasons, our login area for state enforcement authorities can only be accessed from permitted IP addresses that have been communicated to us by the state enforcement authorities. When registering an access attempt, we will check your IP address against the list of permitted IP addresses.

In order to use your login, you have to log in to LUCID using the e-mail address and the password provided during the login creation process. After five failed attempts of entering your password, your login will be blocked for five minutes for security reasons.

For security reasons, when your login data has been entered correctly, an e-mail will be sent to the corresponding address with a login link that will be valid for 30 minutes. Only by clicking on this link can you log in. The link expires after 30 minutes; if you have not clicked on it by then, you will have to repeat the login process. For security reasons, you will be logged out after 30 minutes of inactivity.

We store a cookie on your end device so that our server can verify that your end device is logged in to the login area. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to use the login area without this session cookie.

When logging in for the first time, you are asked to consent to the processing of your data. If you do not consent, you will not be able to use your login.
Your login allows you to change your own data – with the exception of your state enforcement authority, your e-mail address and the declarations you submitted when you first logged in.

The data processing described above serves the purpose of enabling you to use your login. This in turn enables the exchange of information between us and you as a representative of your state enforcement authority pursuant to section 26 (1) nos. 20-21 VerpackG. The data is processed based on article 6 (1) (e) GDPR in conjunction with section 3 BDSG as well as section 26 (1) nos. 20-21 VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory duties.

Involvement of IT service providers and other processors
We make use of processors, in particular IT service providers, to make the login area available. We use the service Sendinblue for the dispatch and delivery of e-mails to you. This service is provided by Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. You can find detailed information about the Sendinblue functions at: de.sendinblue.com/newsletter-software/ The legal basis for this data processing is article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 9 (3), 10 (2), 11 (3) VerpackG.

Storage period
Your data will be stored for ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.

8. Login for authorised representatives

The following is an overview of what happens with your personal data when you apply for and use a login for authorised representatives pursuant to section 35 (2) VerpackG on our website, www.verpackungsregister.org.

Login creation for authorised representatives
Creating a login for an authorised representative is a two-step process.

First step
Initially we collect the following data as part of the login creation process as carried out by the authorised representative:

  • company name;
  • title, academic title, first and last name of the appointed third party;
  • e-mail address as a user ID;
  • e-mail communication language;
  • login password.

Furthermore, the authorised representative will be asked to consent to the ZSVR processing the personal data they entered.
Mandatory fields are marked accordingly (*) in the form fields. It is not possible to create a login if the mandatory fields are left blank.

We store a so-called 'cookie' on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. To this end, the information generated by the cookie about the use of this website is stored on our server. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to apply for login without this session cookie.
After the login has been created, you will receive an e-mail for verification purposes, sent to the e-mail address provided, with a confirmation link that must be accessed within 24 hours to confirm the creation. If the link is not accessed within 24 hours, the records in the database will be deleted and you will have to create a new login from scratch. We log the successful completion of the verification process for evidentiary purposes, and store the following data for this purpose:

  • IP address;
  • date;
  • time the link was confirmed;
  • browser language;
  • operating system;
  • browser version.

The login is a technical requirement for the authorised representative to be able to carry out duties on behalf of the producer in LUCID. The data is processed in order to make the authorised representative login available and to facilitate its use. The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (1) to 11 (3), 35 (2) VerpackG.


friendlycaptcha

We use Friendly Captcha as part of providing the login area. This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is designed to check whether any data entered during the process of login application emanates from a human or from an automated programme. To do this, Friendly Captcha analyses a website visitor's behaviour based on a puzzle that must be completed before ending the application for login. The analysis begins automatically as soon as the website visitor starts to work on the puzzle. Friendly Captcha stores an anonymised counter per IP address for dynamic puzzle difficulty on the edge network to detect malicious users and minimise blocking legitimate users. This data is stored entirely separately from the rest of the data and cannot be correlated to specific websites. Friendly Captcha anonymises IP addresses using a one-way hash so that users cannot be personally identified.

The Friendly Captcha analyses run completely in the background. Website visitors are not notified that the analysis is taking place.

The data is processed on the basis of article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG and sections 26 (1) no. 1, 9 (3) VerpackG, to ensure that LUCID functions smoothly, and to prevent the misuse of LUCID and any potential illicit automated data theft.

More information about Friendly Captcha and Friendly Captcha GmbH’s privacy policy can be found under https://friendlycaptcha.com  and https://friendlycaptcha.com/legal/privacy-end-users/.

Second step
After clicking the verification link and logging onto LUCID, we process the following data, in order to finalise the login process:

  • address (street address, postcode and town/city, country, additional address details) of the authorised representative;
  • VAT number, or alternatively national taxpayer reference number; national identification number (type, e.g. commercial register number; number, authority, date of issue);
  • phone number of the authorised representative;
  • the following declaration: 'At least one producer without a branch within the jurisdiction of the Verpackungsgesetz (Packaging Act) has appointed me/us as a natural or legal person or a joint partnership with legal capacity in writing and in the German language to perform all obligations in my/our own name in order to fulfil the producer obligations under the Verpackungsgesetz with the exception of the registration under section 9 (section 3 (14a) in conjunction with section 35 (2) VerpackG).' *.

Mandatory fields are marked accordingly (*) in the form fields. It is not possible to create a login if the mandatory fields are left blank. We store a cookie on your end device so that our server can remember your details as you work your way through the individual web pages to apply for login. It is a 'session cookie' that is deleted when you close the browser window on your end device. Unfortunately, it is not possible to create a login without this session cookie.
Once the login creation is concluded, you will receive an e-mail confirming your LUCID registration.
The data is processed based on article 6 (1) (c), (1) (e) GDPR in conjunction with section 3 BDSG as well as sections 11 (3), 35 (2) VerpackG. In this, the ZSVR acts in the interest of fulfilling its statutory tasks and duties.

Use of the login area
In order to use the login area, you have to log in using the primary e-mail address and the password you provided during the application process.
You can use the login area to inform us of changes to the following master data concerning you:

  • company name;
  • title, academic title, first and last name of the authorised representative;
  • e-mail communication language;
  • login password;
  • address (street address, postcode and town/city, country, additional address details) of the authorised representative;
  • VAT number, or alternatively national taxpayer reference number; national identification number (type, e.g. commercial register number; number, authority, date of issue);
  • phone number of the authorised representative.

You can also use your login to view the status and details of your authorisation. Furthermore, you can access the 'data reporting' and 'declaration of completeness' dashboards of the international producers who have appointed you.
Terminating your login as an authorised representative is possible under the following conditions:

1) There are no further requests to appoint you on your LUCID dashboard.
2) You are not displayed as the authorised representative of any producer in the public register.
3) The last change in status of any of your appointments was made at least four weeks ago.

International producers can find an authorised representative's login data by using the search function available during the registration process, while international producers who have registered already can use the search function available on their LUCID dashboard. The search function allows for filters (last name, first name, authorised representative's ID).

Storage period
We store the data of authorised representatives in connection with an international producer for at least three years after the end of the year in which the producer registration ends (market exit date), and thereafter for another ten years. Above and beyond that, we store data only to the extent we are legally obliged or entitled to.