Sustainanle Finance Taxonomy Mapper brand logo
Mobile menu toggle
close-menu
d none

Data protection policy

Controller

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
Friedrich-Ebert-Allee 36+40, 53113 Bonn, Germany
Dag-Hammarskjöld-Weg 1–5, 65760 Eschborn, Germany
E-mail: info@giz.de


Data Protection Officer
E-mail: datenschutzbeauftragter@giz.de

About

The Sustainable Finance Taxonomy Mapper is a multi-party collaboration, implemented by by the German development agency Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH on behalf of the German Federal Ministry for Economic Cooperation and Development (BMZ) and co-financed by the European Union under the Sustainable Finance Advisory Hub. The Taxonomy Mapper is executed in cooperation with the United Nations Environment Programme – Finance Initiative (UNEP FI), Climate Bonds Initiative (CBI), Principles for Responsible Investment (PRI), University of Edinburgh, Dublin City University, University College Dublin and Singapore Management University.

As a German federal enterprise under private law, GIZ processes personal data exclusively in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

Use of Cookies

For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands.
Website: https://cookiefirst.com referred to as CookieFirst.

When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.

CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR).

Data processing agreement

We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

Server log files

Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected:

  • Your consent status or the withdrawal of consent

  • Your anonymised IP address

  • Information about your Browser

  • Information about your Device

  • The date and time you have visited our website

  • The webpage url where you saved or updated your consent preferences

  • The approximate location of the user that saved their consent preference

  • A universally unique identifier (UUID) of the website visitor that clicked the cookie banner

Reference to user rights

Visitors to the website have the right:

  • to obtain information about their data stored by us (Article 15 GDPR).

  • to have their data stored by us rectified (Article 16 GDPR).

  • to have their data stored by us erased (Article 17 GDPR).

  • to obtain restriction of processing of their data stored by us (Article 18 GDPR).

  • to object to the storage of their data if personal data are processed on the basis of the first sentence of Article 6 (1) 1 f and e GDPR (Article 21 GDPR).

  • to receive their personal data in a commonly used and machine-readable format from the controller such that they can be potentially transmitted to another controller (right to data portability, Article 20 GDPR).

  • To withdraw their consent to the extent that the data has been processed on the basis of consent (Article 6 (1) a GDPR). The lawfulness of the processing on the basis of the consent given remains unaffected until receipt of the withdrawal.

Users also have the right in accordance with Article 77 GDPR to lodge a complaint with the competent data protection supervisory authority. The competent authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

User registration for data export

To enable the data export feature, users may register for an account.

  • Mandatory data: e-mail address and password ⟨or SSO identity provider⟩. Optional: name and organisation/role.

  • Purpose: providing the export functionality, managing access, preventing misuse, and communicating important service messages (e.g. security or service notices).

  • Legal basis: Art. 6(1)(b) GDPR (contract-like performance of the export feature); Art. 6(1)(f) GDPR (security, misuse prevention).

  • Authentication & security: passwords are stored using industry-standard hashing; access is restricted to authorised personnel.

  • Retention: account data are retained while the account is active. Inactive accounts are deleted or anonymised after ⟨e.g. 24 months⟩ of inactivity unless statutory retention applies. You may request deletion at any time (see “Reference to user rights”).

  • Recipients/Processors: hosting and IT service providers engaged by GIZ under Art. 28 GDPR.

  • No third-country transfers: account data are processed in the EU/EEA; no transfers to third countries unless explicitly stated otherwise.

[If exporting creates files that are temporarily queued/logged, add: “Operational logs related to export jobs (timestamp, file size, success/failure, user ID) are stored for ⟨e.g. 90 days⟩ for troubleshooting and security (Art. 6(1)(f) GDPR).”]

Processing of personal data through our contact form

When you submit a message via the contact form, we process your message and, if provided, your name and e-mail address solely to handle your enquiry. Providing a name/e-mail is optional; without it, we may be unable to reply directly. Legal basis: Art. 6(1)(b) GDPR (handling your enquiry) and/or Art. 6(1)(a) GDPR (consent). Data are deleted once your enquiry is resolved, unless statutory retention applies.

Storage periods

We retain personal data only as long as necessary for the stated purposes or as required by law. Usage data for anonymised statistics may be retained beyond that in aggregated form.

Complaints

If you have any questions or complaints about this website, please contact us or get in touch with the GIZ data protection officer at datenschutzbeauftragter@giz.de.

This project is co-funded by the European Union (EU) and the German Federal Ministry for Economic Cooperation and Development (BMZ) under the EU Sustainable Finance Advisory Hub. Its contents are the sole responsibility of the authors and do not necessarily reflect the views of the European Union or the BMZ.

This website contains links to external websites. Responsibility for the content of the listed external sites always lies with their respective publishers. When the links to these sites were first posted, GIZ checked the third-party content to establish whether it could give rise to civil or criminal liability. However, the constant review of the links to external sites cannot reasonably be expected without a concrete indication of a violation of rights. If GIZ itself becomes aware or is notified by a third party that an external site to which it has provided a link gives rise to civil or criminal liability, it will remove the link to this site immediately. GIZ expressly dissociates itself from such content.

About the Mapper
Resources

© 2025 Sustainable Finance Taxonomy Mapper. All rights reserved. | Supported by GIZ, EU and partners.