The policy gives you an overview of how we guarantee data protection and what kind of data is collected and processed for what purpose and on what legislative basis. Your personal data will be processed in accordance with the provisions of the EU General Data Protection Regulation (hereinafter: “GDPR”), the national data protection laws and other data protection regulations.
1. Data controller
Digital Energy Solutions GmbH & Co. KG
Email: firstname.lastname@example.org (see also our Legal details).
are the data controller pursuant to Art. 4 (7) GDPR
You can reach our data protection officer at the above address by addressing your correspondence “For the attention of: Data Protection Officer” or by addressing an email message to email@example.com.
2. Definitions of terms
- Personal data is all information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). A natural person is identifiable if he can be identified in particular by assignment to an identification such as a name, an identification number, to location data, to an online identification or to one or more special characteristics which are an expression of his identity.
- Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, readout, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s statement of intent by which he or she, by declaration or clear confirmatory act, signifies agreement to the processing of personal data relating to him or her.
3. Processing of data
- In cases where we seek your consent, the legislative basis shall be Art. 6 (1) subpara. a) and Art. 7 GDPR.
- In cases where we process data with a view to providing services in the future, implementing contractual arrangements, or responding to your inquiries, the legislative basis shall be Art. 6 (1) subpara. b) GDPR.
- In cases where processing is necessary for us to fulfill our legal obligations, the legislative basis for processing data shall be Art. 6 (1) subpara. c) GDPR.
- In cases where the processing serves to protect our legitimate interests, the legislative basis for processing data shall be Art. 6 (1) subpara. f) GDPR.
- In cases where processing is necessary for the protection of vital interests, the legislative basis for processing data shall be Art. 6 (1) subpara. d).
3.1 General information about the collection of personal data
We undertake to process only the data received from you while visiting our website or using our portals or any of the services offered by us. Below you will find detailed information as to the nature, scope and purpose of the collection, the duration of storage and the legislative basis for processing your personal data.
3.2 Data collected when visiting our websites
Every time you visit any of the websites for which we are responsible, the following information will be transmitted via the respective Internet browser and automatically stored in log files:
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Data volume transmitted at any given time
- Website sending the request
- Operating system and its interface, resolution
- Language and version of browser software.
This data cannot be attributed by us to individual persons. The users’ IP addresses will be deleted or anonymized after the use. This data is not merged with other data sources. The log files will be anonymized and analyzed for statistical purposes with a view to improving the use and stability of our or the website in question. Where data is processed for that purpose, the legislative basis for processing data shall be Art. 6 (1) 1st sentence, subpara. f) GDPR, it being understood that our legitimate interests derive from the purpose stated. The data will be automatically deleted after three (3) months. No data will be disclosed to third parties. However, we may be required in individual cases by an order of a competent government authority to disclose personal data where deemed necessary for danger prevention, criminal prosecution, or for other reasons stipulated by law.
3.3 Data processing for the provision of contractual and pre-contractual services
We process your data for the purpose of entering into a contractual relationship with you and to perform our services and provide you with suitable contractual offerings. The data is collected in particular for the conclusion of electricity supply contracts and for the conclusion of contracts for our other energy-related products and services.
We enable you to conclude contracts for the supply of electricity via online forms on our website. On any of these forms, you need to enter only the personal data absolutely necessary for performing the contractual obligations or for processing your requests for information. This information has been marked with an asterisk. It is up to you decide if and what additional information to provide us with which we may use to improve our products.
The mandatory data required to process your order include: correct name, address, meter data and payment data. The reason we ask for your e-mail address and telephone number is to confirm receipt of your order and to be able to contact you in the event of difficulties in service performance. We also require this data for identification in our portals. Processing of this data is based on Art. 6 (1) 1st sentence, subpara. b) GDPR.
3.4 Data processing in our exchange and customer portals
Our portals allow you to access, manage and edit your contractual data password-protected. To use our portals, you need to register by entering your e-mail address, a password of your choice and a user name of your choice. We use the so-called double-opt-in process for registration, i.e. your registration will not be complete until you have confirmed your registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If your confirmation is not received within 48 hours, your registration will be automatically deleted from our database.
When you use our portal, we will store your data needed for contract performance, including information about the method of payment, until such time as you delete your account. We will also store the data voluntarily provided by you for the duration of your use of the portal, unless you delete such data beforehand. You may manage and edit all information within the protected customer area. The legislative basis applicable in this case is Art. 6 (1) 1st sentence, subpara. b) GDPR.
To prevent unauthorized third-party access to your personal data, especially financial data, the connection is protected by TLS 1.2 encryption.
3.5 Data processing for communication purposes (e.g. contact form)
When contacting us by e-mail or via contact form, we will store the data provided by you (your e-mail address, name, telephone number and, where applicable, your energy-related data) to respond to your questions. In order to do so, we require your valid e-mail address. The provision of any additional information is entirely voluntary. Where data is processed for that purpose, the legislative basis for processing data shall be Art. 6 (1) 1st sentence, subpara. b) GDPR and your consent to our processing of your personal data for that purpose which you have given us by returning the contact form. We will delete the data without undue delay once storage is no longer necessary for responding to your inquiry provided that statutory storage obligations do not exist.
3.6 Data processing for advertising purposes
We use your postal and e-mail address for direct marketing communications for our products and those of our group companies and subsidiaries. The group companies and subsidiaries involved are:
- Viessmann Werke GmbH & Co. KG
- Viessmann Deutschland GmbH
- Viessmann PV + E-Systeme GmbH
- VC/O GmbH
- Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
- ATHION GmbH
Our motivation is to provide you with product recommendations from our service and product portfolio and that of our group companies and subsidiaries which might be of interest to you, based on your recent purchases. The legislative basis applicable to processing data is Art. 6 (1) subpara. f) GDPR.
You have the right to object at any time if you do not wish to receive product recommendations from us. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
For advertising our products or those of our cooperation partners we will inform you by telephone or in a different way beyond that only if you have given us your prior consent expressly. When obtaining your consent, we will inform you which data we are using for our own advertising purposes and which of our cooperation partners are authorized to use this data for their advertising purposes.
The legislative basis for processing your personal data in this case is Art. 6 (1) subpara. a GDPR.
If you have expressly given us your consent to us or our cooperation partners being able to contact you by telephone or otherwise for advertising purposes, you may revoke this consent at any time. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
3.7 Market research and opinion polling
We use your postal and e-mail address for market research and opinion polling. The reason we do this is to improve our mutual business relationship as well as our service and product portfolio to even better dovetail it to your needs and wishes.
Your survey responses will not be disclosed to any third party or published.
The legislative basis for processing your personal data is Art. 6 (1) subpara. f GDPR which permits the processing of data to protect the legitimate interests of the data controller provided that the data subject’s interests or fundamental rights and freedoms do not prevail.
You have the right to object at any time if you do not want your data to be used for the above market and opinion research purposes. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
By telephone or otherwise we will contact you for the purpose of market and opinion research only if you have expressly given us your consent. When obtaining your consent, we will inform you which data we are using for our own market and opinion research and which of our cooperation partners are authorized to use this data for their market and opinion research.
The legislative basis for processing your personal data is Art. 6 (1) subpara. a) GDPR.
If you have expressly given us your consent to us or our cooperation partners being able to contact you by telephone or otherwise for market and opinion research purposes, you may revoke this consent at any time. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
3.8 Credit assessment
We are offering you to purchase electricity from us against non-reliable methods of payment (e. g. purchase on account). You will surely understand that given the non-reliability of such payment methods we have a legitimate interest in obtaining the best protection against payment defaults. That is why we will in such cases assess your credit before allowing that payment method. As part of this credit assessment, we obtain credit rating information from external sources.
We cooperate with credit reporting agency CRIF Bürgel GmbH, Radlkoferstrasse 2, 81373 Munich and receive the information required from CRIF Bürgel GmbH. For this purpose we will transmit your name and contact data to the above-mentioned credit service provider. The information referred to in Art. 14 GDPR in reference to the data processing operations carried out by CRIF Bürgel GmbH is available at: https://www.crifbuergel.de/de/datenschutz.
Processing is carried out in accordance with Art. 6 (1) subpara. b GDPR and the legislative basis referred to in Art. 6 (1) subpara. f GDPR.
3.9 Cookies and the right to object
We use so-called cookies on a number of pages to make your visits to this website even more attractive and to enable the use of certain features. Cookies are small text files stored on your end device. Some of the cookies used will be deleted at the end of the browser session, i.e. after closing your browser (the so-called session cookies). Other cookies will remain on your end device, allowing us to recognize your browser at your next visit (persistent cookies). You can set your browser to inform you about cookies being set and to give you a choice of accepting or declining cookies in the individual case or declining them in general. Declining the acceptance of cookies may lead to a restriction of the features of this website.
We also use HTML5 storage objects which are stored on your end device. These objects store the required data independently of the browser you are using and do not have an automatic expiry date. You can prevent the use of HTML5 storage objects by setting your browser to the private mode. We also recommend that you regularly delete your cookies and browser history manually.
3.10 Google Analytics
This web page uses Google Analytics, a web analysis service by Google Inc. (hereinafter: “Google”). Google Analytics uses so-called “cookies”, i.e. text files saved on your computer to help us analyze how you use the website. The information generated by the cookie about your use of this website are generally transmitted to and stored by Google on servers in the United States.
However, if IP anonymization was activated on this website, your IP address will first be truncated by Google within the member states of the European Union and the other contracting states of the Treaty on the European Economic Area (EEA). Only in exceptional cases will the complete IP address be transmitted to a Google server in the USA and truncated there. Google will use this information by order and on behalf of the operator of this website for the purpose of evaluating your use of the website, for compiling reports on website activities and for providing other services related to the use of the website and the internet to the website’s operator.
Google will not associate the IP address transmitted by your internet browser in the context of Google Analytics with any other data held by Google.
You may refuse the installation of cookies by selecting the appropriate settings on your browser software; However, please note that if you do this you may not be able to use the full functionality of this website. Additionally, you may prevent Google from sharing the data generated by the cookie and related to your use of this website (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
This website uses Google Analytics with the extension “_anonymizeIp()“. Consequently IP addresses are only used in shortened form in order to prevent direct personal references. Insofar as the data collected about you have a direct personal reference, such personal reference will be excluded immediately and the personal data will be deleted immediately.
We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained allow us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legislative basis for using Google Analytics is Art. 6 (1) subpara. f GDPR.
This website uses Google Analytics for cross-device analysis of user visits, which is carried out via a user ID. You may deactivate the cross-device analysis of your usage in your customer account under “My data”, “Personal data”.
The data generated with eTracker is processed and stored by eTracker exclusively in Germany on behalf of the provider of this website and is subject to strict German and European data protection laws and standards. eTracker has been independently audited, certified and awarded the ePrivacyseal data protection seal of approval (https://www.eprivacy.eu/kunden/vergebene-siegel/firma/etracker-gmbh/).
The legislative basis for processing data is Art. 6 (1) subpara. f) (legitimate interest) of the EU General Data Protection Regulation (GDPR). Our legitimate interest consists in the optimization of our online offering and our website. As we are strongly committed to protecting the privacy of our visitors, eTracker anonymizes IP addresses as soon as possible and converts login or device IDs into a unique key which cannot be attributed to an individual. eTracker does not use your data for any other purpose, combine it with other data, or disclose it to third parties.
You have the right to object to the outlined data processing at any time provided it is related to your person. Your objection has no detrimental consequences for you.
I hereby object to the processing of my personal data by eTracker on this website.
For further information about data protection by eTracker, please go to (https://www.etracker.com/datenschutz/).
3.12 Google Maps
Our website uses the offerings of Google Maps. This allows us to offer you interactive maps directly on the website while giving you maximum convenience when using the map feature.
By visiting the website, Google receives the information that you have accessed the relevant sub-page of our website. In addition, the data mentioned under paragraph 3.2 will be transmitted. This is regardless of whether Google provides a user account you are logged into or whether no such user account exists. If you are logged in to Google, your information will be directly attributed to your account. If you do not wish to have your data attributed to your profile on Google, be sure to log off before activating the button. Google stores your data as user profiles and uses them for purposes of advertising, market research and/or need-based design of its website. This kind of evaluation is performed (even for users who are not logged in) especially to provide need-based advertising and to inform other social network users about your activities on our website. You have the right to object to the creation of these user profiles, for which purpose you need to contact Google to exercise this right.
3.13 Inclusion of YouTube videos
Our site uses YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, for the inclusion of video, represented by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. We have included YouTube videos in our online offering, which are stored on http://www.YouTube.com and are directly playable from our website. Usually, when you visit an embedded video page, your IP address will be sent to YouTube and cookies will be installed on your machine. However, we have included our YouTube videos in the “Advanced Privacy Mode”, which means that we do not transfer data about you as a user to YouTube if you are not playing the videos. Only when you play the videos, the data mentioned in paragraph 2 will be transmitted. We have no influence on this data transfer.
By visiting the website, YouTube receives the information that you have accessed the corresponding sub-page of our website. In addition, the data referred to in point 3.2 of this declaration will be transmitted. This happens regardless of whether YouTube provides a user account that you are logged in to, or if there is no user account. When you’re logged in to Google, your data will be assigned directly to your account. If you do not wish to associate with your profile on YouTube, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for purposes of advertising, market research and / or custom design of its website. Such an evaluation is done in particular (even for users who are not logged in) to provide appropriate advertising and to inform other users of the social network about their activities on our website. You have a right to object to the creation of these User Profiles, and you must be directed to YouTube to use them.
4. Disclosure of information
There will be no transmission of your personal data to third parties for purposes other than those specified in the following. We will only pass on your personal data to third parties in the following cases.
- You have given your explicit consent in accordance with Art. 6 (1), subpara. a GDPR.
- The disclosure of data in accordance with Art. 6 (1), 1) subpara. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest requiring protection against the transfer of your data.
- There is a legal duty to disclose the data in accordance with Art. 6 (1), subpara. c GDPR in the case at hand.
- The disclosure is legally permissible and, pursuant to Art. 6 (1), subpara. b GDPR, required for the processing of our mutual contractual relationships.
4.1 Disclosure to group companies and subsidiaries
The transfer of personal data to Group companies and subsidiaries is generally not carried out. Anything else applies only in the cases in which you have given us your express consent (for example, for the purpose of direct mailing). The legal basis for disclosure in this case is Article 6 (1) lit. a; 7 GDPR. In this case, we will inform you when to give consent to whom we pass on your data for what purpose. You may revoke your consent to the disclosure of your data in this case at any time.
To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
4.2 Cooperation with data processors and third parties
When processing data, we will only disclose, transfer, or otherwise grant access to data to other persons and companies (data processors or third parties) if a legal permission was obtained. This is the case, for example, as part of the credit assessment required for contract performance in accordance with Art. 6 (1) subpara. b) GDPR. This is also the case if you have given your consent to the disclosure, if a legal obligation provides for the transmission of data or if data is disclosed on the basis of our legitimate interests.
If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR.
4.3 Transfers to third countries
Data will only be processed by us in third countries (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or disclosed, transmitted or used in the context of the use of services of third parties if this is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. We only allow data to be processed in a third country if the special requirements of Art. 44 et seqq. GDPR are met. In that case, data will be processed, e.g. on the basis of special guarantees, such as the officially recognized establishment of a data protection level commensurate with EU standards (e.g. the “Privacy Shield” in the USA) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
5. Deletion and storage of data
As a general rule, we delete your data immediately once it is no longer required for the above-mentioned purposes. Anything to the contrary applies only if temporary storage continues to be necessary. We store your data in accordance with legal proof and storage obligations resulting from, inter alia, the German Commercial Code and the German Fiscal Code. Under these laws, the storage periods are up to ten (10) full years. We also keep your data for as long as claims can be asserted against our company (statutory limitation periods of between three (3) and thirty (30) years). For direct marketing and market research purposes, your personal data will be stored for as long as we have a predominant legal interest compliant with the relevant legal provisions, but not longer than for a maximum period of two (2) years.
6. Your rights
You are entitled to the following rights:
- Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not your personal data is processed by us.
- Right to rectification (Art. 16 GDPR): You have the right to immediately request us to rectify or complete your inaccurate personal data.
- Right to deletion (Art. 17 GDPR): You have the right to demand the immediate deletion of your personal data and we are obliged to delete this personal data immediately unless one of the following reasons pursuant to Art. 17 (1) subparas. a) through f) GDPR applies.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request us to restrict the processing of your personal data if one of the conditions set forth in Art. 18 (1) GDPR applies.
- Right to data portability (Art. 20 GDPR): You have the right to receive your personal data which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit this data to another controller without impediment from us, provided the conditions set forth in Art. 20 GDPR are met.
- Right to object (Art. 21 GDPR): You have the right to object at any time, for reasons relating to your particular situation, to the processing of your personal data which is based on Article 6 (1) subpara. f) GDPR. In this case we no longer process your personal data unless we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
- Revocation of the declaration of consent under data privacy law: You have the right to revoke your declaration of consent under data privacy law at any time. This also applies to declarations of consent issued to us prior to May 25, 2018. The revocation applies to the future. Your revocation of consent shall not affect the lawfulness of the processing based on the consent before its revocation.
In the above-mentioned cases, please contact the controller in accordance with paragraph 1.
In addition, you always have the option of contacting the responsible data protection supervisory authority.
Our competent data protection supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
7. Data security
While visiting our website, you will be protected by standard SSL security technology (Secure Socket Layer) combined with the highest level of encryption supported by your browser. Whether a page of our website is transmitted in encrypted form is indicated by a closed key or lock symbol in the status bar at the bottom of your browser. We also use suitable technical and organizational security precautions to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. The security precautions are subject to continuous improvement in line with technological progress. It is impossible to guarantee complete data security for e-mail communication, which is why we recommend you to send confidential information by post.