The policy gives you an overview of how we guarantee data protection and what kind of data is collected and processed for what purpose and on what legislative basis. Your personal data will be processed in accordance with the provisions of the EU General Data Protection Regulation (hereinafter: “GDPR”), the national data protection laws and other data protection regulations.
1. Data controller
Digital Energy Solutions GmbH & Co. KG
Email: firstname.lastname@example.org (see also our Legal details).
are the data controller pursuant to Art. 4 (7) GDPR
You can reach our data protection officer at the above address by addressing your correspondence “For the attention of: Data Protection Officer” or by addressing an email message to email@example.com.
We point out that when using this e-mail address, the contents are not exclusively taken note of by our data protection officer. If you would like to exchange confidential information, we ask that you first contact us at the e-mail address firstname.lastname@example.org with a request for confidential feedback. Our data protection officer will get back to you.
2. Definitions of terms
- Personal data is all information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). A natural person is identifiable if he can be identified in particular by assignment to an identification such as a name, an identification number, to location data, to an online identification or to one or more special characteristics which are an expression of his identity.
- Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, readout, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s statement of intent by which he or she, by declaration or clear confirmatory act, signifies agreement to the processing of personal data relating to him or her.
3. Processing of data
- In cases where we seek your consent, the legislative basis shall be Art. 6 (1) subpara. a) and Art. 7 GDPR.
- In cases where we process data with a view to providing services in the future, implementing contractual arrangements, or responding to your inquiries, the legislative basis shall be Art. 6 (1) subpara. b) GDPR.
- In cases where processing is necessary for us to fulfill our legal obligations, the legislative basis for processing data shall be Art. 6 (1) subpara. c) GDPR.
- In cases where the processing serves to protect our legitimate interests, the legislative basis for processing data shall be Art. 6 (1) subpara. f) GDPR.
- In cases where processing is necessary for the protection of vital interests, the legislative basis for processing data shall be Art. 6 (1) subpara. d).
3.1 General information about the collection of personal data
We undertake to process only the data received from you while visiting our website or using our portals or any of the services offered by us. Below you will find detailed information as to the nature, scope and purpose of the collection, the duration of storage and the legislative basis for processing your personal data.
3.2 Data collected when visiting our websites
Every time you visit any of the websites for which we are responsible, the following information will be transmitted via the respective Internet browser and automatically stored in log files:
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Data volume transmitted at any given time
- Website sending the request
- Operating system and its interface, resolution
- Language and version of browser software.
This data cannot be attributed by us to individual persons. The users’ IP addresses will be deleted or anonymized after the use. This data is not merged with other data sources. The log files will be anonymized and analyzed for statistical purposes with a view to improving the use and stability of our or the website in question. Where data is processed for that purpose, the legislative basis for processing data shall be Art. 6 (1) 1st sentence, subpara. f) GDPR, it being understood that our legitimate interests derive from the purpose stated. The data will be automatically deleted after three (3) months. No data will be disclosed to third parties. However, we may be required in individual cases by an order of a competent government authority to disclose personal data where deemed necessary for danger prevention, criminal prosecution, or for other reasons stipulated by law.
3.3 Data processing for the provision of contractual and pre-contractual services
We process your data for the purpose of entering into a contractual relationship with you and to perform our services and provide you with suitable contractual offerings. The data is collected in particular for the conclusion of electricity supply contracts and for the conclusion of contracts for our other energy-related products and services.
We enable you to conclude contracts for the supply of electricity via online forms on our website. On any of these forms, you need to enter only the personal data absolutely necessary for performing the contractual obligations or for processing your requests for information. This information has been marked with an asterisk. It is up to you decide if and what additional information to provide us with which we may use to improve our products.
The mandatory data required to process your order include: correct name, address, meter data and payment data. The reason we ask for your e-mail address and telephone number is to confirm receipt of your order and to be able to contact you in the event of difficulties in service performance. We also require this data for identification in our portals. Processing of this data is based on Art. 6 (1) 1st sentence, subpara. b) GDPR.
3.4 Data processing in our exchange and customer portals
Our portals allow you to access, manage and edit your contractual data password-protected. To use our portals, you need to register by entering your e-mail address, a password of your choice and a user name of your choice. We use the so-called double-opt-in process for registration, i.e. your registration will not be complete until you have confirmed your registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If your confirmation is not received within 48 hours, your registration will be automatically deleted from our database.
When you use our portal, we will store your data needed for contract performance, including information about the method of payment, until such time as you delete your account. We will also store the data voluntarily provided by you for the duration of your use of the portal, unless you delete such data beforehand. You may manage and edit all information within the protected customer area. The legislative basis applicable in this case is Art. 6 (1) 1st sentence, subpara. b) GDPR.
To prevent unauthorized third-party access to your personal data, especially financial data, the connection is protected by TLS 1.2 encryption.
3.5 Data processing for communication purposes (e.g. contact form)
When contacting us by e-mail or via contact form, we will store the data provided by you (your e-mail address, name, telephone number and, where applicable, your energy-related data) to respond to your questions. In order to do so, we require your valid e-mail address. The provision of any additional information is entirely voluntary. Where data is processed for that purpose, the legislative basis for processing data shall be Art. 6 (1) 1st sentence, subpara. b) GDPR and your consent to our processing of your personal data for that purpose which you have given us by returning the contact form. We will delete the data without undue delay once storage is no longer necessary for responding to your inquiry provided that statutory storage obligations do not exist.
3.6 Data processing for advertising purposes
We use your postal and e-mail address for direct marketing communications for our products and those of our group companies and subsidiaries. The group companies and subsidiaries involved are:
- Viessmann Werke GmbH & Co. KG
- Viessmann Deutschland GmbH
Our motivation is to provide you with product recommendations from our service and product portfolio and that of our group companies and subsidiaries which might be of interest to you, based on your recent purchases. The legislative basis applicable to processing data is Art. 6 (1) subpara. f) GDPR.
You have the right to object at any time if you do not wish to receive product recommendations from us. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
For advertising our products or those of our cooperation partners we will inform you by telephone or in a different way beyond that only if you have given us your prior consent expressly. When obtaining your consent, we will inform you which data we are using for our own advertising purposes and which of our cooperation partners are authorized to use this data for their advertising purposes.
The legislative basis for processing your personal data in this case is Art. 6 (1) subpara. a GDPR.
If you have expressly given us your consent to us or our cooperation partners being able to contact you by telephone or otherwise for advertising purposes, you may revoke this consent at any time. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
3.7 Market research and opinion polling
We use your postal and e-mail address for market research and opinion polling. The reason we do this is to improve our mutual business relationship as well as our service and product portfolio to even better dovetail it to your needs and wishes.
Your survey responses will not be disclosed to any third party or published.
The legislative basis for processing your personal data is Art. 6 (1) subpara. f GDPR which permits the processing of data to protect the legitimate interests of the data controller provided that the data subject’s interests or fundamental rights and freedoms do not prevail.
You have the right to object at any time if you do not want your data to be used for the above market and opinion research purposes. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
By telephone or otherwise we will contact you for the purpose of market and opinion research only if you have expressly given us your consent. When obtaining your consent, we will inform you which data we are using for our own market and opinion research and which of our cooperation partners are authorized to use this data for their market and opinion research.
The legislative basis for processing your personal data is Art. 6 (1) subpara. a) GDPR.
If you have expressly given us your consent to us or our cooperation partners being able to contact you by telephone or otherwise for market and opinion research purposes, you may revoke this consent at any time. To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
3.8 Credit assessment
We are offering you to purchase electricity from us against non-reliable methods of payment (e. g. purchase on account). You will surely understand that given the non-reliability of such payment methods we have a legitimate interest in obtaining the best protection against payment defaults. That is why we will in such cases assess your credit before allowing that payment method. As part of this credit assessment, we obtain credit rating information from external sources.
We cooperate with credit reporting agency CRIF Bürgel GmbH, Radlkoferstrasse 2, 81373 Munich and receive the information required from CRIF Bürgel GmbH. For this purpose we will transmit your name and contact data to the above-mentioned credit service provider. The information referred to in Art. 14 GDPR in reference to the data processing operations carried out by CRIF Bürgel GmbH is available at: https://www.crifbuergel.de/de/datenschutz.
Processing is carried out in accordance with Art. 6 (1) subpara. b GDPR and the legislative basis referred to in Art. 6 (1) subpara. f GDPR.
3.9 Cookies and the right to object
Visiting this website does not currently require any cookies. Therefore, no cookie banner is displayed when the page is accessed.
We generally recommend that you regularly delete cookies and browser histories manually.
3.10 Inclusion of YouTube videos
Our site uses YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, for the inclusion of video, represented by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. We have included YouTube videos in our online offering, which are stored on https://www.YouTube.com and are directly playable from our website. Usually, when you visit an embedded video page, your IP address will be sent to YouTube and cookies will be installed on your machine. However, we have included our YouTube videos in the “Advanced Privacy Mode”, which means that we do not transfer data about you as a user to YouTube if you are not playing the videos. Only when you play the videos, the data mentioned in paragraph 2 will be transmitted. We have no influence on this data transfer.
By visiting the website, YouTube receives the information that you have accessed the corresponding sub-page of our website. In addition, the data referred to in point 3.2 of this declaration will be transmitted. This happens regardless of whether YouTube provides a user account that you are logged in to, or if there is no user account. When you’re logged in to Google, your data will be assigned directly to your account. If you do not wish to associate with your profile on YouTube, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for purposes of advertising, market research and / or custom design of its website. Such an evaluation is done in particular (even for users who are not logged in) to provide appropriate advertising and to inform other users of the social network about their activities on our website. You have a right to object to the creation of these User Profiles, and you must be directed to YouTube to use them.
4. Disclosure of information
There will be no transmission of your personal data to third parties for purposes other than those specified in the following. We will only pass on your personal data to third parties in the following cases.
- You have given your explicit consent in accordance with Art. 6 (1), subpara. a GDPR.
- The disclosure of data in accordance with Art. 6 (1), 1) subpara. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest requiring protection against the transfer of your data.
- There is a legal duty to disclose the data in accordance with Art. 6 (1), subpara. c GDPR in the case at hand.
- The disclosure is legally permissible and, pursuant to Art. 6 (1), subpara. b GDPR, required for the processing of our mutual contractual relationships.
4.1 Disclosure to group companies and subsidiaries
The transfer of personal data to Group companies and subsidiaries is generally not carried out. Anything else applies only in the cases in which you have given us your express consent (for example, for the purpose of direct mailing). The legal basis for disclosure in this case is Article 6 (1) lit. a; 7 GDPR. In this case, we will inform you when to give consent to whom we pass on your data for what purpose. You may revoke your consent to the disclosure of your data in this case at any time.
To lodge your objection, it is sufficient to send a short message (e-mail or letter) to the data controller listed under paragraph 1.
The lawfulness of any data processing previously carried out will remain unaffected by such revocation.
4.2 Cooperation with data processors and third parties
When processing data, we will only disclose, transfer, or otherwise grant access to data to other persons and companies (data processors or third parties) if a legal permission was obtained. This is the case, for example, as part of the credit assessment required for contract performance in accordance with Art. 6 (1) subpara. b) GDPR. This is also the case if you have given your consent to the disclosure, if a legal obligation provides for the transmission of data or if data is disclosed on the basis of our legitimate interests.
If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR.
4.3 Transfers to third countries
Data will only be processed by us in third countries (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or disclosed, transmitted or used in the context of the use of services of third parties if this is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. We only allow data to be processed in a third country if the special requirements of Art. 44 et seqq. GDPR are met. In that case, data will be processed, e.g. on the basis of special guarantees, such as the officially recognized establishment of a data protection level commensurate with EU standards (e.g. the “Privacy Shield” in the USA) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
5. Deletion and storage of data
As a general rule, we delete your data immediately once it is no longer required for the above-mentioned purposes. Anything to the contrary applies only if temporary storage continues to be necessary. We store your data in accordance with legal proof and storage obligations resulting from, inter alia, the German Commercial Code and the German Fiscal Code. Under these laws, the storage periods are up to ten (10) full years. We also keep your data for as long as claims can be asserted against our company (statutory limitation periods of between three (3) and thirty (30) years). For direct marketing and market research purposes, your personal data will be stored for as long as we have a predominant legal interest compliant with the relevant legal provisions, but not longer than for a maximum period of two (2) years.
6. Your rights
You are entitled to the following rights:
- Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not your personal data is processed by us.
- Right to rectification (Art. 16 GDPR): You have the right to immediately request us to rectify or complete your inaccurate personal data.
- Right to deletion (Art. 17 GDPR): You have the right to demand the immediate deletion of your personal data and we are obliged to delete this personal data immediately unless one of the following reasons pursuant to Art. 17 (1) subparas. a) through f) GDPR applies.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request us to restrict the processing of your personal data if one of the conditions set forth in Art. 18 (1) GDPR applies.
- Right to data portability (Art. 20 GDPR): You have the right to receive your personal data which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit this data to another controller without impediment from us, provided the conditions set forth in Art. 20 GDPR are met.
- Right to object (Art. 21 GDPR): You have the right to object at any time, for reasons relating to your particular situation, to the processing of your personal data which is based on Article 6 (1) subpara. f) GDPR. In this case we no longer process your personal data unless we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
- Revocation of the declaration of consent under data privacy law: You have the right to revoke your declaration of consent under data privacy law at any time. This also applies to declarations of consent issued to us prior to May 25, 2018. The revocation applies to the future. Your revocation of consent shall not affect the lawfulness of the processing based on the consent before its revocation.
In the above-mentioned cases, please contact the controller in accordance with paragraph 1.
In addition, you always have the option of contacting the responsible data protection supervisory authority.
Our competent data protection supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
7. Data security
While visiting our website, you will be protected by standard SSL security technology (Secure Socket Layer) combined with the highest level of encryption supported by your browser. Whether a page of our website is transmitted in encrypted form is indicated by a closed key or lock symbol in the status bar at the bottom of your browser. We also use suitable technical and organizational security precautions to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. The security precautions are subject to continuous improvement in line with technological progress. It is impossible to guarantee complete data security for e-mail communication, which is why we recommend you to send confidential information by post.