Data Protection Policy

1. Scope and purpose

This Data Protection and Privacy Policy (“Policy”) applies to The Generation Forest eG (The Generation Forest), Große Elbstraße 42, 22767 Hamburg (“Company”) when it processes personal data of Clients, Members, Prospects, Contacts, Website Visitors and business partners (“Clients”).

This Policy sets out the obligations of the Company regarding data protection and the rights of the Clients in respect of their personal data under the German Bundesdatenschutzgesetz (BDSG) and the EU’s General Data Protection Regulation (“GDPR”), as amended from time to time (collectively, the “Regulation”).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed by the Company when dealing with personal data of Clients.

2. Company’s contact

Since the company does not:

process data on a large scale

process data systematically

process special categories of data (data on ethnic origins, sex, religion, etc.) or criminal data

it has not assigned a Data Protection Officer. However, in the event of questions relating to this Policy or the personal data processed, the Company can be contacted by email to [email protected].

3. Legal basis for processing

The Company processes personal data in order to perform its obligations under the respective contract concluded with the Client, or for the purpose of other legitimate interest, or in order to comply with a legal duty imposed on the Company in connection with the applicable laws.

4. Information collected by the Company

The following personal data may be collected, held, and processed by the Company:

the Client’s name, ID or passport, telephone number(s), mailing address, email address and any other information (including KYC information) relating to the Client which the Client has provided to the Company;

name, ID or passport, telephone number(s), mailing address, email address and any other information (including KYC information) relating to employees, agents, officers, managers, owners, beneficial owners or other natural persons relating to the entity the Client represents or works for or other third parties, which the Client has provided to the Company.

5. Ways of collecting personal data

Generally, the Company may collect personal data in the following ways:

when the Client submits forms or applications to the Company;

when the Client submits requests to the Company;

when the Client uses the Company’s IT infrastructure (e.g. website);

when the Client asks to be included in an email or other mailing list;

when the Client responds to our initiatives; and

when the Client submits personal data to the Company for any other reason.

6. The data protection principles

This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:

processed lawfully, fairly, and in a transparent manner in relation to the Client;

collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which they are processed, is erased or rectified without delay;

kept in a form which permits identification of the Client for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the Client;

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

7. Privacy impact assessments

The Company shall carry out Privacy Impact Assessments when and as required under the Regulation.

8. Client’s rights

The Client has the following rights under the Regulation:

the right to be informed about the collection and use of the personal data by the Company;

the right of access to the personal data the Company holds about the Client;

the right to rectification if any personal data the Company holds about the Client is inaccurate or incomplete;

the right to be forgotten – i.e. the right to ask the Company to delete any personal data it holds about the Client;

the right to restrict (i.e. prevent) the processing of the personal data;

the right to data portability (obtaining a copy of the personal data to re-use with another service or organization);

the right to object to the Company using the personal data for particular purposes; and

rights with respect to automated decision making and profiling (where applicable).

To exercise any or all of these rights, the Client must contact the Company through the email address [email protected] or in writing, by mail sent to its business address.

9. Data protection measures

The Company shall ensure that all its Employees, agents, freelancers, contractors, or other parties working on its behalf, when processing data, will apply and implement the appropriate technical (e.g. use of passwords; encryption of sensitive personal data; regular back-ups of secure networks, etc.) and organizational (e.g. access only on a need-to-know basis; signing of NDAs by Employees where necessary, etc.) measures.

10. Transferring personal data to a country outside the EEA

The Company does not transfer any personal data to countries outside of the EEA. However, webservers that collect personal data and cloud backup servers might not be located in the EEA, but the Company will make sure these are GDPR compliant.

11. Data breach notification

All personal data breaches must be reported immediately to the Company by written notice or by email to [email protected]. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of the Client (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Company must ensure that the Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) and where applicable the competent Information Commissioner’s Office in the EU is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. With regard to data security breaches the BfDI must be informed immediately. In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of the Client, the Company must ensure that all affected Clients are informed of the breach directly and without undue delay.

12. Withdrawal of consent

In the event consent was given, Clients have the right to withdraw such consent at any time by sending a written notice or email to the Company to [email protected].

13. Specific stipulations regarding the use of our website

At The Generation Forest, accessible at, one of our main priorities is the privacy of our visitors. This paragraph contains types of information that are collected and recorded by and how we use it.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us through email at [email protected]

We are a Data Controller of your information

Log Files

follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this, and it is a part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.

Cookies and Web Beacons

Like any other website, uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Website analytics

Our website uses Google Analytics, a service which transmits website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and webpage usage.

By using this website, you consent to the processing of data about you by Google in the manner described in Google’s Privacy Policy (external site) and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google (external site).

Children’s Information

Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity. does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will use our best efforts to promptly remove such information from our records.

Other Sites

Our website may contain links to other websites. Please be aware that we are not responsible for the privacy practices of such other sites. When you go to other websites from here, we advise you to be aware and read their privacy policy. also uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to “like” or “share” information from this website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your visits to this site with other Personal Information

Online Only

This paragraph applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or is collected in . This paragraph is not applicable to any information collected offline or via channels other than this website.

14. Implementation of policy

This Policy shall form part of the respective contract concluded between the Company and the Client.