Privacy Policy - THG

Privacy Policy  THG-Quote Marketing by eQuota GmbH for e-Mobilists

Only the German version of these Plan Terms shall apply.The English version is only a convenience translation.

Version: August 2022

Within the framework of the THG-Quote procedure, personal data (hereafter"personal data" or "data") is processed. Pursuant to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), personal data are any information relating to an identified or identifiable natural person (hereinafter "data subject" or "e-mobilist").In the following, we will inform you about what data is involved, how it is processed and what rights you have in this regard.

1. Name and contact details of the controller and of the data protection officer

The data controller pursuant to Art. 4 No. 7 DSGVO is:

eQuota GmbH
Harzer Str. 39
12059 Berlin

Phone: +49 (0) 30 235 935 800

(hereinafter "eQuota", "we" or "us").

You can contact our data protection officer directly at any time with questions about data protection law or your data subject rights by emailing

Further information on data protection at eQuota can be found at

2. Processing of Personal data and purposes of processing

a) General information on the procedure and the functioning

When the greenhouse gas reduction quota (THG-Quote) procedure is carried out, the personal data of the e-mobilists required for the conclusion and implementation of the contract is first collected via a web form. The uploaded scan or copy of the registration certificate Part I is checked in real-time using text recognition software and AI software to determine eligibility for participation in the greenhouse gas reduction quota (THG-Quote) procedure.

Subsequently, the necessary personal data is transmitted to the Federal Environment Agency in order to register the greenhouse gas reduction quota (THG-Quote). The final quota bundling and marketing for THG-Quote trading takes place without processing the personal data.

b) Processing of personal data

The following personal data are processed as part of the implementation of the greenhouse gas reduction quota (THG-Quote) procedure:

- First name(s) and last name,
- E-mail address,- Account details (account holder, IBAN, bank),
- Vehicle data (registration number, vehicle identification number, owner details/address and photograph, scan or copy of registration certificate part I),
- Log files (date, time, browser, operating system, IP address, referrer URL),
- If applicable, customer number or contract account number of the e-mobilist at theCooperation partner.

Personal data is processed in order to fulfil the contract concluded between eQuota and the e-mobilists on the greenhouse gas reduction quota procedure, to verify eligibility to participate in THG-Quote trading and to carry out THG-Quote registration with the Federal Environment Agency.

The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. b DSGVO, as the processing is necessary for the performance of the contract.

The processing of log files also serves fraud prevention and prevention,error identification and the prevention of spam attacks. The legal basis of the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. The aforementioned interests of eQuota are to be regarded as legitimate within the meaning of the provision.

The data will be stored by eQuota in compliance with the relevant statutory retention periods (usually three years) and then automatically deleted without the need for a separate request for deletion.

c) Disclosure of personal data

For the registration of the THG-Quote, eQuota submits the required information andpersonal data to the Federal Environment Agency, Wörlitzer Platz 1, 06844 Dessau-Roßlau. The Federal Environment Agency then carries out a conformity check and registers the THG-Quote.

For data processing, eQuota uses the services of so-called processors. These include processors for hosting the eQuota applications, storing data, sending transactional emails, error reporting and monitoring on web forms and DDoS protection and defence against DDoS attacks.

These processors are contractually bound by eQuota in accordance with the requirements of the GDPR (Art. 28 (3) GDPR). In these agreements, the processors undertake to process the personal data in question exclusively on instruction and to comply with the provisions of EU data protection law. Some of the processors transfer personal data to a third country (see below under e)).

eQuota also enables the cooperation partner to access information on the status of the THG-Quote procedure in order to enable the response to and processing of enquiries from e-mobilists addressed to cooperation partners. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO, whereby the reasons listed are to be regarded as legitimate interests within the meaning of the provision.

Any further disclosure or transfer of your personal data to the cooperation partner is only possible if you have given your express consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO. This consent can be revoked at any time with effect for the future.

d) Provision of the personal data and automated decision making including profiling

The provision of your personal data for the implementation of the greenhouse gas reduction quota (THG-Quote) procedure is necessary for the conclusion of the contract in order to be able to carry out the prerequisites and the THG-Quote registration. Without provision, the conclusion and implementation of the contract is not possible.

There is no automated decision making including profiling.

e) Transfer of personal data to third countries

A transfer of personal data to a third country only takes place if the requirements of Art. 44 et seq. GDPR are met. A third country is a country outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered unsafe if the EU Commission has not issued an adequacy decision for this country in accordance with Art. 45 (1) GDPR, confirming that adequate protection for personal data exists in the country.

The USA is a so-called unsafe third country. This means that the USA does not offer a level of data protection comparable to that in the EU. When personal data is transferred to the USA, there is a risk that US authorities could gain access to the personal data transferred on the basis of legal provisions and powers. EU citizens do not have effective legal protection against such access in the US or the EU.

In this data protection information, we inform you when and how we transfer personal data to the USA or other unsecure third countries. We only transfer your personal data when

       - sufficient guarantees are provided by the recipient in accordance with Art. 46 GDPR for the            protection of the personal data,

        - you have expressly consented to the transfer, after which we have informed you of the risks, in            accordance with Art. 49 (1) a) DSGVO,

        - the transfer is necessary for the performance of contractual obligations between you and us  

        - or another exception from Article 49 of the GDPR applies.  

Guarantees according to Art. 46 GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR.

3. Data subject rights

You have the right:

    - revoke your consent at any time in accordance with Art. 7 (3) DSGVO. This has the consequence        that we may no longer continue the data processing based on this consent for the future;

    - to request information about your personal data processed by us in accordance with Art. 15       DSGVO. In particular, you can request information about the processing purposes, the category of       personal data, the categories of recipients to whom your data has been or will be disclosed, the       planned storage period, the existence of a right to rectification, erasure, restriction of processing or       objection, the existence of a right of complaint, the origin of your data if it has not been collected       by us, as well as the existence of automated decision-making, including profiling, and, if       applicable, meaningful information about its details;

    - demand the correction of incorrect or incomplete personal data stored by us without delay in             accordance with Art. 16 DSGVO;

    - pursuant to Art. 17 DSGVO to request the erasure of your personal data stored by us, unless the      processing is necessary for the exercise of the right to freedom of expression and information, for      compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or      defence of legal claims;

   - to request the restriction of the processing of your personal data in accordance with Art. 18      DSGVO, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you      object to its erasure and we no longer require the data, but you need it for the assertion, exercise      or defence of legal claims, or you have objected to the processing in accordance with Art. 21      DSGVO;

   - in accordance with Art. 20 DSGVO, to receive your personal data that you have provided to us in a      structured, common and machine-readable format or to request the transfer to another controller;      and

  - complain to a supervisory authority in accordance with Art. 77 DSGVO. As a rule, you can contact      the supervisory authority of your usual place of residence or workplace or our company      headquarters.
Information about your right to object according to Art. 21 DSGVO

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you, which is carried out on the basis of Article 6 (1) sentence 1 lit. f DSGVO (data processing on the basis of a balance of interests); this also applies to profiling based on this provision of Article 4 No. 4 DSGVO.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your objection is directed against the processing of data for the purpose of direct marketing, we will immediately stop the processing. In this case, it is not necessary to specify a particular situation. This also applies to profiling, insofar as it is connected with such direct advertising.

If you wish to exercise your right to object, simply send an e-mail to

4. Data security

All data transmitted by you is encrypted using the generally accepted and secure standard TLS (Transport Layer Security). TLS is a secure and proven standard that is also used in online banking, for example. You can recognise a secure TLS connection, among other things, by the appended s at the http (i.e. https://...) in the address bar of your browser or by the lock symbol in the lower area of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

5. Up-to-dateness and amendment of this privacy policy

This privacy policy is valid as of August 2022.