StromGedacht Privacy Statement

Introduction

Thank you for visiting our website, your interest in our company and our StromGedacht products and services. Protecting your personal data is important to us. The following text describes which personal data we process, and what rights you have in connection with your personal data. These provisions apply when you use our website and our services, including the API and app. This statement also applies whenever you visit or take part in events which refer or include a link to this privacy information.

If we provide you with additional information on processing your personal data, this will also apply.

We process your data only if we have obtained your consent to process it, or if processing is permitted by law. We guarantee that we use all personal data only for its intended purpose.

The following provides some general information that applies to all our StromGedacht products and services. This is followed by a compilation of information relating to specific products and services only.

1. Contact information and responsibilities

The party responsible for processing your data (the data controller) is:

TransnetBW GmbH
Pariser Platz
Osloer Straße 15 - 17
70173 Stuttgart
Tel.: +49 711 21858-0
[email protected]

Our privacy officer can be reached at [email protected] and will be happy to assist with any questions you may have on privacy.

2. Recipients of your personal data

We treat your data as confidential. Within TransnetBW, only the departments and employees that need your data for the above purposes are given access to your data.

We disclose personal data to third parties only if this is necessary for the above purposes and is legally authorised, or if you have given your prior consent. If service providers are brought in to assist with the performance of our obligations, e.g. IT service providers, specialists in analysis or the destruction of documents and data media, such contract processing will be subject to the conditions of Art. 28 ff. GDPR.

3. Links

Our websites, the API service, its documentation and the StromGedacht data made available via the API may contain links to other providers that are not covered by our privacy provisions, and for whose content and privacy compliance TransnetBW is not responsible.

4. Security

TransnetBW GmbH has state-of-the-art technical and organisational security measures in place to protect your data as supplied to us against accidental or deliberate manipulation, loss, destruction or access by unauthorised parties. Our security measures are constantly being improved in line with technological developments.

5. Children

We expressly encourage parents or guardians to monitor their children's online activities. Unless they have permission from their parents or guardians, children should not send personal details to us. We do not request personal details from children, do not deliberately gather such details, and do not disclose them to third parties without authorisation.

6. User rights and deletion of data

You are entitled to receive, upon request and at no cost, information about the personal details about you that are saved in our system as per Art. 15 GDPR. You also have the right to correct inaccurate details (Art. 16 GDPR), to restriction of processing (Art. 18 GDPR), and to deletion of your personal data (Art. 17 GDPR). You may also withdraw any consent at any time with future effect.

If we process your data on the basis of legitimate interests (Art. 6 para 1 (f) GDPR) or to perform a task in the public interest (Art. 6 para 1 (e) GDPR), or if your particular situation gives rise to grounds opposing such processing, you have the right to object to processing of your data in accordance with Art. 21 para 1 GDPR.

Pursuant to Art. 21 paras 2 and 3 GDPR, you have the unrestricted right to object to any form of processing for the purposes of direct marketing.

Moreover, you have the right to data portability in accordance with Art. 20 GDPR, depending on the legal basis for the processing.

If there are grounds to assume data is being processed illegally, you are entitled to lodge a complaint with the competent supervisory authority.

7. Length of data storage

We process and store your personal data for as long as it is needed to fulfil the purposes for which it was gathered. If the data is no longer needed to fulfil these purposes, it will be deleted after no more than seven days, or following the expiry of the period set by the provider of the integrated technologies in question. This does not affect legal requirements regarding the storage and deletion of personal data, especially data that we must retain for tax reasons.

8. Updates to this privacy statement

This Privacy Statement will be updated if TransnetBW GmbH introduces new products or services or changes its internet procedures, or in response to changes in security technology relating to the internet and electronic data processing. We will publish any such changes here and in the StromGedacht app.

I. Website

1. Data processing when you use our website

1.1 Data processing based on a legitimate interest

Data required for technical reasons

When you visit our website, we collect data that we require for technical reasons which is transmitted to us by your browser: your IP address or the IP address of your Internet Service Provider; the website that directed you to us; the type of browser you use; your operating system and platform; the pages that you called up at www.stromgedacht.de; and the dates and times you accessed them. This log data is necessary for technical purposes; we process it, in addition to information about the search expressions you used and the time spent on individual web pages, without reference to the identity of the user or other profiling, on the basis of Art. 6 para 1 (f) GDPR and only to the extent necessary for us to perform statistical analyses for the operation, security and optimisation of our online content. This helps to manage the connection while you visit websites and to save your settings so you can use our website more easily. Our legitimate interest is derived from the above purposes.

If an IP address is saved, it will be deleted or anonymised after no more than 30 days. It is essential for this data to be collected and stored in log files when the website is used. Some functions on our website will not work without the use of these cookies, which are necessary for technical reasons, and it would not otherwise be possible to offer them. Users therefore have no right of objection in this regard.

Matomo

This website uses Matomo, an open-source web analysis service.

Matomo enables us to record and analyse data on the use of our website by its visitors. For example, we can find out which pages were accessed and when, and the region in which these accesses were initiated. We also record various log files (e.g. IP address, referrer, the browser and operating system used), and can measure whether our website visitors perform specific actions (such as clicks or purchases).

The use of this analysis tool is based on Art. 6 para 1 (f) GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its web services and its advertising. If the relevant consent has been requested, processing will take place exclusively on the basis of Art. 6 para 1 (a) GDPR and Section 25 para 1 of the German Telecommunications-Telemedia Data Protection Act (TTDSG), if the consent includes the storage of cookies or access to information in the user’s device (e.g. device fingerprinting) as defined in the TTDSG. This consent may be revoked at any time.

IP anonymisation

We use IP anonymisation for analysis with Matomo. This abbreviates your IP address prior to analysis to prevent it from being clearly linked to you.

Cookie-free analysis

We have configured Matomo so that it will not save cookies in your browser.

Hosting

A service provider bound by our instructions operates the Matomo instance on our behalf. That ensures that all analytical data is used solely by TransnetBW and is not disclosed to third parties.

1.2 Data processing based on your consent

If you make use of elements on our website that require registration or explicitly require your details to be entered, additional data will be saved. Personal details such as your name, address, telephone number and email address are saved only when you provide them to us voluntarily, as part of a registration process, for example, or for a survey, to execute a contract, or to order information material or display a newsletter, or if you otherwise actively make contact with us, e.g. via email. In other words, it is entirely your decision whether you make any details available to us, and which details you choose to provide. You will find advice about this in the following text.

2. Contacting us

If you contact us using a form on www.transnetbw.de, or www.stromgedacht.de this will use encryption as a matter of course. If you use your private email account rather than the TransnetBW forms, please note that you must ensure your own security measures are in place to guarantee the security of your transmission.

We therefore recommend you use the encrypted TransnetBW forms. If the form is not encrypted, this will be the result of a technical problem, and we cannot assume liability for the security of your data transmission. The closed “lock” symbol in your browser window will show whether the form is encrypted. The legal basis for data processing is Art. 6 para 1 (a) GDPR. The data that you send us with your enquiry is saved for the purpose of processing your enquiry, and will be deleted once the result has been achieved.

3. Newsletter for information on API updates

If you subscribe to our newsletter for information on API updates, we will regularly contact you with the latest information about our projects and services. To subscribe to the newsletter, you must provide us with a valid email address and register to receive the newsletter. You can provide your surname and given name on an optional basis. We will then check your email address to determine whether you have access to the specified email account (known as a “double opt-in process”). We will use your email address only to send our newsletter, and will not disclose it to third parties. If you register for our newsletter, we will log your IP address and the date and time of registration for the record. The data collected when the newsletter is supplied will not be combined with other data collected via our website unless you give us your consent to do so. The legal basis for data processing is your voluntarily given consent to receive the newsletter, as per Art. 6 para 1 (a) GDPR. If you no longer want to receive the newsletter, you can withdraw your consent with future effect at any time by clicking on the link provided.

4. Brevo

This website uses Brevo to send out the newsletter. The provider is Sendinblue GmbH, Köpenicker Strasse 126, 10179 Berlin, Germany. Brevo is a service whose functions include organising and analysing newsletter distribution. The data you enter in order to receive the newsletter is stored on the servers of Sendinblue GmbH in Germany.

4.1 Data analysis by Brevo

Brevo enables us to analyse our campaigns. That means we can see, for example, whether the newsletter has been opened and which links may have been clicked on. In this way we can determine which links were clicked on most often.

We can also see whether previously defined actions were performed after opening or clicking (“the conversion rate”). Brevo also lets us cluster newsletter recipients into various categories. We can group them by age, sex or place of residence, for example. This way, the newsletter can be better adapted to the respective target groups. If you do not want analysis by Brevo, you will have to unsubscribe from the newsletter. We provide the appropriate link with every newsletter for this purpose.

For detailed information on the functions of Brevo, see the following link: https://www.brevo.com/de/newsletter-software/.

4.2 Legal basis

Your consent provides the basis for data processing (Art. 6 para 1 (a) GDPR). You may revoke this consent at any time. Revocation does not affect the legality of any data processing already performed.

4.3 Length of storage

We store the data that you supply us for the purpose of receiving the newsletter until you are removed from the list of newsletter recipients that we or the newsletter service provider maintains, and it will be deleted from the list of recipients after you unsubscribe. This has no effect on data stored with us for other purposes. When you have been removed from the list of newsletter recipients, your email address will be saved in a blacklist maintained by us or the newsletter service provider if necessary to prevent your receiving further mailings. The data on the blacklist is used only for this purpose and is not combined with other data. This serves both your interest and ours in observing legal requirements in connection with the dispatch of the newsletter (legitimate interest as defined in Art. 6 para 1 (f) GDPR). Inclusion of data in the blacklist is not subject to any time limitation. You can object to storage if your interests outweigh our legitimate interest.

For more details on the privacy provisions of Brevo, see: https://www.brevo.com/de/datenschutz-uebersicht/ and https://www.brevo.com/de/legal/privacypolicy/.

II. Stromgedacht-App

Introduction

To enable machine-readable processing of StromGedacht data, we make available a publicly accessible programming interface (Application Programming Interface, referred to below as “API”). The API is freely accessible, in other words, no registration is needed, and we do not charge users a fee for the service.

Thank you for using the API and for your interest in the StromGedacht ecosystem. Protecting your personal data is important to us. The following text describes which personal data we collect, how we process it, and what rights you have in connection with your personal data. These provisions apply whenever you use the StromGedacht API.

Data processing when you use the API

1. Processing technically necessary data based on legitimate interests

When you use the API, we collect data that we require for technical reasons which is transmitted to us by your API client software: your IP address or the IP address of your Internet Service Provider; the API endpoints you queried and the associated parameters; and the dates and times you accessed them. This log data is necessary for technical purposes; we process it, in addition to information about the parameters used and the number of enquiries, without reference to the identity of the user or other profiling, in order to perform statistical analyses for the operation and security of our API service. The legal basis is to safeguard our legitimate interest in accordance with Art. 6 para 1 (f) GDPR. Our legitimate interest is derived from the above purposes. No analysis of IP addresses or other personal data is performed to optimise our API service.

If an IP address is saved, it will be deleted or anonymised after no more than 30 days. It is essential for this data to be collected and stored in log files when the API is used. Users therefore have no right of objection in this regard.

For reasons of security and load minimisation, only six read accesses per minute are possible. When you send an enquiry to the API, you must state your location in the form of a post code. This is necessary to enable us to provide data that is correct for your location. We would also like to learn more about which post code areas the StromGedacht API is used in.

2. Forwarding and transmission of data, use of necessary technologies

Except for the cases expressly mentioned in this Privacy Statement, we will not disclose your personal data without your express prior consent.

If necessary to investigate an illegal or improper use of the API or for the purpose of prosecution, personal data will be forwarded to the law enforcement agencies or other authorities, and as appropriate to any third parties that have suffered losses, or their legal representatives. This will happen, however, only if there are grounds to believe that illegal or improper actions have taken place. Disclosure may also take place if this is helpful in terms of implementing the Terms of Service or other legal claims. We are also legally obliged to supply information to specific official bodies upon request. These are the law enforcement agencies, authorities responsible for prosecuting offences punishable by fines, and the tax authorities.

Any disclosure of personal data is justified by the fact that processing is necessary to fulfil a legal obligation to which we are subject in accordance with Art. 6 para 1 (c) GDPR in conjunction with requirements to supply data to law enforcement agencies under national legislation, and also in accordance with Section 24 para 1 (1) of the German Federal Data Protection Act (BDSG). This data may also be disclosed to these third parties to safeguard our legitimate interest in accordance with Art. 6 para 1 (f) GDPR if there are grounds for suspicion or in execution of our Terms of Service, other conditions or legal claims.

The legal basis for the integration of the following technologies is Section 25 para 2 of the German Telecommunications-Telemedia Data Protection Act (TTDSG) in conjunction with Art. 6 para 1 (b) and/or (f) GDPR. Processing serves to make it easier for you to use our API and for us to make our service available to you as desired. Some functions would not be possible without the use of these technologies, and it would not otherwise be possible to offer them. Our legitimate interest is based on these purposes.

3. Microsoft Azure

In order to provide our API service we rely on the third-party service provider “Microsoft Azure”. When you call up the service, and to respond to your API enquiries, your IP address will be processed by Microsoft Azure; this is necessary for technical reasons in order to provide the service. For security reasons and for load minimisation, the Azure Web Application Firewall will store your IP address. We have no influence over the further processing and/or storage of your IP address and other data by the provider. In principle, the data centre is located in Germany, and there is no intention to transmit personal data to the US. Contract processing takes place in compliance with legal requirements as per Art. 28 ff. GDPR. All our service providers are carefully selected, regularly checked and contractually obliged to process all personal data solely in accordance with our instructions.

Further-reaching information from Microsoft on the subject of privacy and Azure is available from https://privacy.microsoft.com/de-de/privacystatement and https://azure.microsoft.com/de-de/support/legal/.

Last updated: 26.04.2023