Data Protection Statement of Naturvel PTE. LTD.

Data protection is especially important to us - Naturvel PTE. LTD. (hereinafter referred to as “Naturvel/us/we”), 26 Eng Hoon Street, Singapore 169776 and represented by Managing Director, Wai Siew Peng. As the authority responsible for the scope, type and purpose of any form of personal data collection, storage, communication and/or use, in accordance with the EU General Data Protection Regulation (GDPR), we would like to ensure that you will be provided with all necessary information. You can reach us at any time, either by post to the above address, or by email to info@naturvel.com.

Our data protection officers are available to you at the following address: privacy@naturvel.com.

With this declaration, we wish to provide you with information about the data protection relevant aspects of the services we offer and in particular:

According to Art. 27 EU-GDPR we are obliged to have a representative of Naturvel PTE. LTD. established in the EU. Appointed as representative is:

Naturvel PTE. LTD., c/o Talk2 GmbH, Rheinstraße 22, 64283 Darmstadt, Germany.

1. Which personal data we collect and store

If you utilise our offering and/or use our website by filling out the entry fields and/or contact us and/or merely visit our website, we may collect personal data as follows:

Further data – such as, in particular, local times, time zones, and usage data – may also be stored in addition to the data specified above.

Statistical data may be collected and used in the case of a visit to our website. “Statistical data” means, among other things, data regarding the use of a particular Internet browser and the browser version.

2. How and why we process and transfer your personal data, and what it is used for

The data collected during registration to the prize draw is used to conduct the prize draw, determine the winner, handle the awarding of prizes and notify the winner and transmit the prize (Article 6(1)(b) GDPR).

If, after the conclusion of the prize draw, declarations of intent for purchase, service, or other contracts with external companies are received, the data collected, where applicable, and further data collected on a contract-specific basis will be disclosed to the external company or companies in question. Otherwise those companies cannot use the data to establish or perform a contract or contracts (Article 6(1)(b) and (f) GDPR).

Based on the participation agreement that is entered and in the event of an online participation in a prize draw, Naturvel will collect and process your personal data. This agreement requires that you provide your personal data if and insofar as you wish to participate in our prize draw offering. The data processing takes place for both our own direct marketing (Article 6(1)(b) GDPR) as well as for our sponsors to also enable them to engage in individual, demand-driven direct marketing that is tailored to you via the channels of email, push notifications, post, phone and text message (Article 6(1)(b) GDPR).

Processing your personal data would be in accordance with declaration of consent for advertising and marketing purposes, via phone, text messages, email, push notifications, post and/or the disclosure of data for direct marketing purposes for the mentioned sponsors of the prize draw that may be issued separately. This takes place within the scope of our legitimate interests as established by your relevant consent (Article 6(1)(f) GDPR).

Naturvel assumes that the consent to receive advertising by phone, text message, email, push notifications and post from us and our sponsors, which is to be declared separately, also constitutes consent for purposes of data protection and privacy law to the processing of your personal. In addition, the relevant aforementioned data processing is also permitted pursuant to (Article 6(1)(a) GDPR).

Possible sectors that you may expect to receive advertisement about are:

Industry Sector include, but not limited to
Charity e.g. animal welfare, disaster relief, children’s medical, elderly, environmental, health
Gaming e.g. bingo, betting, competitions, lottery
Leisure e.g. food & drink, events, museums, cinema
Financial Products e.g. pensions, banking, credit cards, investments, loans, mortgages
Insurance e.g. car, home, life, medical, pet, income protection, travel, warranty products
Health / Lifestyle e.g. fitness, beauty, opticians, hearing, care homes, mobility, leisure, pharmaceuticals
Home Improvements e.g. house moving, blinds & curtains, insulation, boilers, conservatories, doors & windows, extensions, gardens, solar panels.
Funeral Plans e.g. to arrange and pay for a funeral in advance
Legal Services e.g. claims, will writing, will reviews
Mail Order e.g. catalogues, online retailers
Market Research e.g. to gather information about consumers' opinions and preferences
Media e.g. online, television, radio, newspapers, magazines
Retail e.g. online retail, electrical goods, comparison sites, discounts, FMCG, automotive, home improvement
Telecoms e.g. landline, mobile phones, broadband, digital TV
Travel e.g. holidays, city breaks, airlines, UK breaks, accommodation
Utilities e.g. gas & electricity switching, other household utilities such as water

It may be the case that an analysis of your affinities, interests, and preferences will be performed before the data is used for direct marketing and/or disclosed to sponsors. To this end, the answers that you will provide after registering to the prize draw may also be analysed, and a profile may be established in order to enable more targeted performance of direct marketing measures by us and our sponsors, if any (Article 6(1)(f) GDPR).

By using the data obtained, particularly those from our surveys following the prize draw registration page, we will create a “user profile” with your information in order to be able to offer you an interest-driven service that is geared towards your individual needs and requirements. By creating this profile, we may categorise personal aspects, such as your interests and preferences, through automated processing of your data in order to make it possible for both us and our sponsors to send you exclusive advertising and offers that match you profile.

Naturvel frequently receives – provided that your end device supports this function – confirmation of which emails from us you open and how you proceed with the email. This helps us to understand your interests and supports us in making the offers more useful interesting, tailor-made to you in the future (Article 6(1)(f) GDPR).

Assertion, if any, of your rights (Article 6(1)(c) and (f) GDPR) as provided in Sec. 5 of this data protection and privacy statement also leads to collection and processing of your personal data.

Disclosure of your personal data may take place in cases in which we are under a legal obligation of disclosure (Article 6(1)(c) GDPR) or to the extent that disclosure should be necessary to enforce other rights/demands or for purposes of legal defence, if and insofar as these are based on the legitimate interests of the organiser or other third parties (Article 6(1)(f) GDPR). The same applies in the event of (also partially) purchase or sale of business assets and/or other assets, in the event that our business is otherwise acquired by a third party, in the event of initiation of insolvency proceedings, or if a request for initiation of insolvency proceedings is denied for lack of sufficient assets (Article 6(1)(f) GDPR).

3. Where we store your personal data and for how long; and to where your data may be exported

a) We store your personal data within the European Economic Area

However, in agreement with the sponsors named in the prize draw sponsor list, which also shows the respective country of the establishment as the destination location for any transfer of data, it is also possible that data will be transferred to “third countries.” Third countries are countries located outside the European Union. With regard to such data transfers, we point out that with regard to all destination countries mentioned in the sponsor list, a secure transfer within the scope of EU specifications on data protection and privacy is ensured. The European Commission has issued corresponding adequacy decisions for the third countries of Andorra, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Canada (commercial organisations), and Switzerland. These decisions confirm that based on their own domestic legal provisions or international obligations, the aforementioned third countries ensure an adequate level of protection of personal data. To the extent that datasets are transferred to third countries, for which an adequacy decision has not yet been issued, we have entered into contracts based on the standard clauses issued by the EU. These standard clauses were published by the EU to ensure the relevant level of protection - with the corresponding partners that are based or headquartered in these countries. These agreements ensure adequate and uniform protection of data at the level provided by European specifications. You can review the content of these agreements here. Regarding companies based in the UK and to which we likewise transfer personal data, the legal situation is currently not clear on whether we are already now obligated to enter into contracts based on the standard clauses issued by the EU, since the UK will withdraw from its EU-membership by January 31, 2020 so that guarantees as provided in Art. 44 et seq. GDPR must be in place for data transfers to the UK as of February 1, 2020. However, there will be a transition period during which the commercial relations of the EU will remain the same with the UK. Also, if in 2020 the EU-Commission issues an adequacy decision for the data protection level of the UK under Art. 45 GDPR or if the EU enters into respective bilateral contracts with the UK, the requirement to enter into contracts under Art. 46 GDPR no longer applies. In each case, we (will) guarantee the compliance of our data transfers to UK and vice versa.

In addition, we would like to draw your attention to the fact that, after registration, it is possible to accept offers provided by Sovendus GmbH. However, a data transfer in this context arises out of so-called prefilling. In this regard, the information you provide during the registration process will be used to fill in the information fields on the Sovendus website. However, data transfer to Sovendus GmbH will not take place until you confirm it by clicking on the appropriate button and submit it yourself. In this context, the following privacy notices apply:

Voucher offers of Sovendus GmbH: In order to select a currently interesting voucher offer for you, we will transmit your pseudonymised hash value of your email address and your IP-address in encrypted form to Sovendus GmbH, Moltkestrasse 11, D-76133 Karlsruhe (Sovendus) (Art. 6 par. 1 f GDPR). The pseudonymised hash value of your email address is used to consider a possibly existing objection to receive offers from Sovendus (Art. 21 par.3, Art. 6 par. 1 c GDPR). The IP-address will be exclusively used for data security purposes and as a rule the same will be anonymised after seven days (Art. 6 Abs.1 f DSGVO). Furthermore, we will transmit order number, order value with currency, session ID, coupon code, and time stamp in pseudonymised form to Sovendus for billing purposes (Art. 6 Abs.1 f DSGVO). If you are interested in a voucher offer of Sovendus, while there is no objection existing to receive such offers, and if you click on the voucher banner, we will transmit your form of address, your name and your email address in encrypted form to Sovendus to prepare a voucher (Art. 6 par. 1 b, f GDPR). You will find further information about the processing of your data by Sovendus in their Online Data Protection Notice at www.sovendus.co.uk/privacy_policy.

b) Unless the data is erased or blocked pursuant to your exercise of the rights specified in Sec.°5, your data will be stored permanently for the purposes mentioned above.

After you have revoked any consent to the processing of data that may have been issued and/or have objected thereto, we will put you on our “blocking list.” This means that we will no longer use your personal data for marketing purposes, nor will we disclose them any longer. We will then only store your data for legal purposes (e.g. documentation obligations, defending against and asserting claims, etc.), and will erase the data after a further period of four years unless compelling reasons argue against our doing so or the processing of this data is permitted for other reasons, for example by way of new consent.

Furthermore, we will proceed in the same manner if we have not used your personal data for a period of 24 months, meaning that we have not used the data for our own marketing purposes or disclosed them to sponsors.

4. Protection of your personal data

We take corresponding precautions – administrative/organisational, technical, and physical – to protect your personal data against loss, theft, abuse, unauthorised access, unauthorised disclosure, unauthorised modification, and destruction. Your data is protected within the scope of physical access control (secure location of servers, to which physical access is granted only following to a defined security procedure), systems access control (128-bit encryption of data transfers, individual assignment of passwords, menus, and authorisations for employees, up-to-date virus software), information access control (individual access authorisation for employees through personal accounts, identification and authentication requirements), transmission control (ongoing monitoring and notifications to authorised parties, no local storage of data, logging of all data exports and transfers), input control (account-linked reviews, logging with time stamps and host), job control (continuous monitoring by managing director(s) and data protection officer, clear drafting of contracts with regard to the specifications pursuant to 28 GDPR in coordination with the data protection officer and executive management and availability control (general safeguarding measures by the hoster constant power supply (UPS), halon gas system, etc. backup streaming involving other general safeguarding measures by the hoster [e.g. UPS, halon gas system, etc.], backup streaming at another location [with all security precautions; see physical access control] every night, mirroring on two additional hard drives, virus protection programs).

Despite these precautions, the insecure nature of the Internet means that we cannot guarantee in any event and under each and not foreseeable circumstances the security of your data transfer to our website. Therefore, any and all transfers of data by you to our website take place at your own risk.

5. Your rights

You have the right to obtain information regarding the personal data stored regarding you, including the origin and recipients of your data and the purpose of data processing, at any time pursuant to Article 15 GDPR.

You also have the right to demand, at any time, that we correct inaccurate personal information concerning you (Article 16 GDPR). You can restrict the processing of data if any of the prerequisites mentioned in Article 18(1) GDPR are met, e.g. in the event of a dispute concerning the accuracy of your personal data.

Moreover, you have the right to revoke any declaration(s) of consent to the processing of your personal data that may have been issued, with effect for the future (Article 7(3) GDPR). Such a revocation does not however affect the legality of the processing that has taken place up until then.

In addition, you are entitled to demand that we provide the personal data transferred to us in a format that permits the transfer thereof to another body (Art. 20 GDPR).

Subject to the prerequisites set out in Article 21(1), (2), and (3) GDPR, you can object to the processing of data for reasons that arise from your particular personal situation.

Furthermore, you have the right to demand the erasure of your data and assert your right to be forgotten, pursuant to Article 17 GDPR. If the statutory prerequisites are met, we will proceed in this regard even without such a request having been issued on your part and will erase your personal data.

To assert your rights as enumerated above in this section, please contact us at Naturvel PTE. LTD., c/o Talk2 GmbH, Rheinstraße 22, 64283 Darmstadt, Germany, or write to us by email at info@naturvel.com.

If you have a complaint, you can contact the supervisory authority with jurisdiction over Naturvel PTE. LTD., c/o Talk2 GmbH, the Data Protection Official for the State of Hesse (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit) (Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Postfach 31 63, 65021 Wiesbaden, Germany), or any other supervisory authority.

6. Server log files

Information is automatically collected and stored by the Internet site provider in so-called server log files. These files are automatically communicated to us by the browser. The files contain information on browser type and version, the operating system used, the referrer URL, the hostname of the accessing computer and the time of the server request. This data cannot be matched to any given individual. Furthermore, the said data is not merged with data from any other source. In the event that concrete indications exist in respect of wrongful use, we reserve the right to subsequently examine the said data.

7. Usage data and cookies

We do not store usage data and neither do we install cookies.

8. Underage persons

This website, including the data protection and the general terms and conditions of business, is not aimed at underage persons. Consequently, we do not intentionally collect, use, and/or share personal data relating to underage individuals.

Current as of: January 2020