Version dated July 2024

Data protection

This Privacy Policy applies to the processing of your personal data when using our customer portal under https://portal.sefe-energy.eu/. Within the use of the customer portal, your personal data will be processed, collected and stored by us, as the data controller for the time necessary to fulfil the specified purposes and legal obligations. In the following we will inform you about what data is involved, how it is processed and what rights you have in this respect.

According to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person.

1. RESPONSIBILITY FOR DATA PROCESSING AND CONTACT DETAILS

This Privacy Policy applies to the data processing on the website https://portal.sefe-energy.eu/ by the data controller:

SEFE Energy GmbH

Königstor 20

34117 Kassel

Email: info@sefe-energy.de 

Telephone +49 561 99858 049

(hereinafter “SEFE Energy” or “we”)

You can contact our data protection team or our data protection officer at any time if you have any questions regarding data protection law or your rights as a data subject at the above address, for the attention of the data protection officer, or at dataprivacy@sefe.eu.

2. PROCESSING OF PERSONAL DATA AND PURPOSES OF PROCESSING

Which personal data we process in detail and how it is used depends on whether you only visit our customer portal website or use the customer portal on behalf of a SEFE Energy customer.

WEBHOSTING AND APPLICATION MANAGEMENT

For the hosting of this customer portal website, we use the web hosting service of SEFE Marketing & Trading Ltd, 20 Triton Street, London NW1 3BF, United Kingdom, www.sefe-mt.com (hereinafter “SM&T”). For the application provision and support we engage our IT service provider PRODYNA SE, Domhofstraße 38A, 63263 Neu-Isenburg, Germany, www.prodyna.com/ (hereinafter "PRODYNA").

To offer a website, it is necessary to commission a web hosting service. In accordance with Art. 6 para. 1 sentence 1 lit. f GDPR the web hosting service is used because of our legitimate economic interest in making our services available on this website. In connection with the hosting service, SM&T processes personal data on our behalf, which are generated while using the website.

In order to offer a customer portal application website, it is necessary to commission an application provision and support service. In accordance with Art. 6 para. 1 sentence 1 lit. f GDPR this service is used because of our legitimate economic interest in providing our customer portal available to the customers. In connection with the application management service, PRODYNA processes personal data on our behalf, which are generated while using the website.

We have concluded a data processing agreement with SM&T and PRODYNA. Through these agreements, the service providers assure that they process the data in accordance with GDPR and guarantee the protection of the rights of the data subject.

WHEN VISITING THE CUSTOMER PORTAL WEBSITE

You can access our customer portal website without revealing your identity. The browser used on your end device wiII automatically send information to our web server (e.g., browser type and version, date and time of access) to enable the website to establish a connection. This also includes the IP address of your requesting end device. This data is temporarily stored in a so-called log file and automatically deleted after 7 days at the latest.

The IP address is processed for technical and administrative purposes of establishing and maintaining the connection, in order to ensure the security and functionality of our website and to be able to trace any illegal attacks on it if necessary. Only authorized personnel of our service providers involved in webhosting and application management are authorized to access the data.

The legal basis for the processing of the IP address is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest follows from the aforementioned security interest and the need to ensure that our customer portal website is available without disruption.

WHEN REGISTERING AS A PORTALUSER

When you register personally in our customer portal, a user account is created. The following data will be collected from you and subsequently authorizations assigned to you:

Company data

• Company name;
• Company address.

Personal data

• First name, last name, title, form of address;
• Business telephone number;
• Business mobile phone number;
• Business email address;
• Language;
• Your company context;
• Function

Access data

• User name or login name;
• User password.

Authorizations

• Authorization to view contract data (contract overview);
• Authorization to retrieve reports (reporting);
• Authorization to submit nominations (nomination),

Your personal data is processed based on Art. 6 (1) (b) GDPR. The purpose of the data processing is the registration in the customer portal for you as a portal user within the scope of contract execution on behalf of the SEFE Energy customer.

WHEN USING THE PORTAL

When using the customer portal - after successful registration by you as a portal user - we process, depending on the transaction, various personal data from you user account and transaction related information, such as:

• Your login- and logout times;
• Date of the last login;
• Your missed logins;
• Your IP address;
• Your session data;
• The pages of the portal that you visited;
• The amount of data transferred;
• The settings made in the portal;
• All entries made in the portal;
• Login time and duration of your visit;
• Your browser type, browser version and operating system used;
• Missed logins;
• Pages viewed.

The data is processed in database log flies and stored for the duration of three years. You cannot use the portal without this logging. This data will not be merged with other data sources. We reserve the right to store this data for up to three years after the regular limitation period of Sections 195 and 199 of the German Civil Code (BGB).

The legal basis for the data processing is Art. 6 (1)(b) GDPR. The purpose of the data processing and our legitimate interest lie in the documentation of the contract-relevant actions and the audit-proof documentation of the course of action.

The use of bots, scripts and automation is not prohibited. SEFE Energy GmbH reserves the right to make unannounced changes to the application.

3. RECIPIENTS AND CATEGORIES OF RECIPIENTS

Your personal data may be disclosed to the following recipients or categories of recipients.

1. DATA PROCESSORS

We use service providers who process personal data on our behalf (so-called data processors, cf. Art. 4 (8) and 28 GDPR). These include service providers in the areas of IT, telecommunications, and business services.

The web host of this website is SEFE Marketing & Trading. The application management is provided by our IT service provider PRODYNA The use of the service by SM&T and PRODYNA as data processors is carried out in accordance with Art. 6 (1) (f) GDPR due to our legitimate economic interest in providing our customer portal for SEFE Energy customers on this website.

2. DISCLOSURE TO THIRD PARTIES

Except in the before mentioned cases of processing on our behalf, we disclose your personal data to third parties if:

• you have given your express consent to this pursuant to Art. 6 (1) (a) GDPR;
• this is necessary for the fulfilment of a contract with you pursuant to Art. 6 (1) (b) GDPR,
• there is a legal obligation for the disclosure pursuant to Art. 6 (1) (c) GDPR. The data disclosed may be used by the third party exclusively for the purposes stated.

4. TRANSFER OF DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION

A transfer of your personal data to a third country or an international organisation will only take place if this is necessary within the framework of commissioned processing and the conditions according to Art. 44 et seq. GDPR are given.

We only transmit your personal data when

• sufficient guarantees are provided by the recipient in accordance with Article 46(1) of the GDPR for the protection of the personal data,

• you have expressly consented to the transfer in accordance with Art. 49 (1) (a) GDPR, after we have informed you of the respective risks,
• the transfer is necessary for the performance of contractual obligations between you and us (Art. 49 (1) (b) GDPR) or

• another exception from Art. 49 GDPR applies.

Guarantees according to Art. 46 GDPR can be so called standard contractual clauses. In these standard contractual causes, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR.

A "third country” is a country outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered" insecure• if the EU Commission has not issued an adequacy decision for that country pursuant to Art. 45 (1) GDPR confirming that adequate protection for personal data exists in the country.

5. COOKIES

We use so-called cookies on our customer portal website to make it technically available and convenient to use for you.

Cookies are data flies that are automatically created by your browser and stored on your end device (laptop, tablet, smartphone or similar) when you visit our website. Cookies do not cause any damage to your end device and do not contain viruses, Trojans or other malware. With the help of cookies, information is stored that arises in each case in connection with the specific end device used. However, this does not mean that we gain direct knowledge of your identity.

We only use technically necessary cookies. The so-called session cookies help us to recognize that you have already visited individual pages of our customer portal during your session. These cookies are automatically deleted after you leave our customer portal site. The cookies used are classified as technically necessary in accordance with § 25 Paragraph 2 No. 2 of the Telecommunications Telemedia Data Protection Act (TTDPA). They may therefore be stored on your device, or the information stored therein accessed without your consent. The data collected by the technically necessary cookies is not used to create user profiles.

The processing of your data through the cookies used for the before mentioned technically necessary purposes is based pursuant to Art. 6 (1)

(f) GDPR on our legitimate interest in making our customer portal website technically available and convenient to use you.

6. MATOMO

SEFE Energy deploys the tool Matomo, while utilizes cookies stored on your device to analyze use of the Portal. The information regarding use of the Portal generated by the cookies is transferred to our server and stored. We process the following information pertaining to your use of the Portal:

• The search terms your entered

• The filters you used

• Your actions in the Portal (events)

• The pages and/or documents you called

• Your technical user ID in Liferay

• The company reference and assignment to SEFE Energy's intemal division

• Your IP address

IP address data is always only analyzed in truncated form, meaning it cannot be used to identify a person.

A web analytics cookie for Matomo is stored in your browser so that we can record and analyze various items of statistical data with Matomo. This cookie is only stored if you have actively consented to the use. The positive consent is stored for one year, in case of rejection you will be asked for consent again after one month. You can reset your consent at the top of this page.

Processing of personal data using Matomo is based on Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to optimize our online offering.

7. DATA SECURITY

We use technical and organizational security measures to protect your personal data from accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. In the case of collection and processing of personal data, the information is transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in line with technological developments.

All data transmitted by you is encrypted using the generally accepted and secure standard TLS (Transport Layer Security). TLS is a tried and tested standard that is also used, for example, for online banking. You can recognize a secure TLS connection, among other things, by the appended s at the http (i.e. https:/1...) in the address bar of your browser or by the lock symbol in the lower area of your browser.

8. DATA SUBJECT RIGHTS

You have the right:

• to withdraw your consent at any time in accordance with Art. 7 (3) GDPR. This has the consequence that we may no longer continue the data processing based on this consent for the future;
• to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a light to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as wen as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• to demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art. 16 GDPR;
• to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
• to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;

• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine­ readable format or to request the transfer to another controller; and
• to complain to a supervisory authority in accordance with Art. 77 GDPR, as a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

9. ACTUALITY AND CHANGES TO THIS PRIVACY POLICY

This Privacy Policy is currently valid and was last amended as of July 2024.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this Privacy Policy.

In addition, pursuant to Art. 21 GDPR you have a right to object:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling based on this provision within the meaning of Article 4 (4) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
To exercise your data subject rights or to object to data processing by us please contact us at dataprivacy@sefe.eu