(Last updated: December 2018)
We, the German Energy Agency (dena), are pleased to provide you with information on the processing of your personal data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act.
‘Personal data’ is defined as all information pertaining to an identified or an identifiable, natural person (e.g., name, address, telephone number, date of birth, e-mail address or user behaviour).
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose of processing, categories of data and legal basis
Online service provision (including functions and content)
When using the website for purely informational purposes, i.e., if you are not registered or transmit information otherwise, we collect the data that is required to display our website to you and guarantee stability and security (legal basis: Art. 6(1), sentence 1(b)(f) GDPR. This includes:
- IP address (anonymised)
- Browser type and version
- Operating system
- Date and time of the server request
- Number of visits to the site
- Time spent on the website
- Previously visited website
This data (and log files) will not be attributed to specific persons. For security and troubleshooting purposes, this data will be saved for a maximum of six months and then deleted. Should the storage of this information be required for evidentiary purposes, such as to investigate acts of fraud or improper use, it will not be deleted until the matter at hand has been resolved.
Website forms (contact forms, surveys, etc.)
Personal data that you provide to us voluntarily, such as you first name and surname, e-mail address and telephone number, is used to process and complete your contact enquiry or survey (legal basis: Art. 6(1) sentence 1(b) GDPR).
Types of data processed
We process the following personal data from the contacts of collaborative partners, contracting authorities, project partners, contractors, public authorities and other business contacts (one business contact from each):
- contact details such as first name and surname, business address/telephone number/fax/e-mail address;
- information that must be processed for a project, the drawing up of a contract or the establishment of a contractual relationship with dena (including payment details), or which is provided voluntarily by business contacts, e.g., when submitting enquiries; and
- personal data obtained from publicly available sources, information databases or credit reference agencies
Purposes of and legal basis for processing
We process personal data in order to
- plan, conduct, manage and conclude contractual relationships
- communicate with business contacts about our events, services and products
- maintain and safeguard the security of our products and services (including our web pages)
- meet legal requirements (particularly obligations to comply with tax law and commercial law)
- fulfil existing contracts and assert, exercise and defend legal claims
- conduct satisfaction surveys, marketing campaigns, market analyses and run contests
Unless otherwise expressly stated during the collection of personal data, processing occurs
- with your express consent (Art. 6(1) sentence 1(a) GDPR)
- because of your need for information when entering into a contract (Art. 6(1) sentence 1(b) GDPR).
- in order to perform and execute contracts (Art. 6(1) sentence 1(b) GDPR).
- in order to meet legal requirements (Art. 6(1) sentence 1(c) GDPR)
- or to protect dena’s legitimate interests (business contact management and marketing, Art. 6(1), sentence 1(b)(f) GDPR.
Your personal data will be only disclosed, transferred or otherwise made accessible to third parties where this is permitted under law (e.g., to fulfil contractual obligations, where you have given your consent, on the basis of our legitimate interests or where there is a legal obligation to do so).
Should third parties be commissioned with the processing of data on the basis of a commissioned data processing agreement, they may only do so according to our instructions pursuant to Art. 28 of the GDPR.
Transfer to third countries
It will be ensured that prior to passing on personal data, either an adequate level of data protection exists or the EU standard contractual clauses have been agreed with the recipient and/or the data subject has given adequate consent.
If you have consented to your personal data being processed, you can withdraw this consent at any time with future effect. To do so, simply send an e-mail to firstname.lastname@example.org. The withdrawal of consent will not affect the legitimacy of the data processed on the basis of the consent given prior to consent being withdrawn. Once consent has been withdrawn, we shall only be permitted to continue processing your personal data if there is another legal basis for doing so.
You have the following rights regarding your personal data subject to statutory regulations:
- the right of access pursuant to Art. 15 GDPR
- the right to rectification or erasure pursuant to Art. 16+17 GDPR
- the right to restriction of processing pursuant to Art. 18 GDPR
- the right to object to processing pursuant to Art. 21 GDPR
- the right to data portability pursuant to Art. 20 GDPR
Additionally, you have the right to lodge a complaint to a data protection supervisory authority regarding our processing of your personal data.
Your data will only be stored for as long as is necessary for the provision of our services and online offering and unless there is statutory retention period to the contrary. Data that is subject to a statutory retention period is blocked until the corresponding retention period has expired. This data is no longer available for further use.
You can contact our company data protection officer at email@example.com or by post at our company address. Please add the following line to your message: z.H. betriebliche Datenschutzbeauftragte (attn: company data protection officer).