Data Protection Policy
Please click here to reset your current cookie consent.
Version dated 01.05.2019
Data protection
Our use of your data and your rights – Information in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We at SEFE Energy GmbH (hereinafter referred to as “we” or “SEFE Energy”) would like to thank you for visiting our Internet platform “SEFE Energy Customer Portal” (hereinafter referred to as the “Portal”) and for your interest in our company. We take the protection of your data very seriously. We will treat your data confidentially and in compliance with statutory data protection regulations and this Data Protection Policy.
Therefore, we would like to inform you here about how we implement data protection in our company, what types of information we collect during your visit to the Portal, how we use it, and what rights you have.
I. General information
1. Controller
The controller responsible for processing your personal data is:
SEFE Energy GmbH, Königstor 20, 34117 Kassel, Germany; Phone: +49 561 99858 0; Fax: +49 561 99858 1798; E-mail: info@wingas.de
2. Data Protection Officer
You can contact our Data Protection Officer at:
SEFE Energy GmbH, Datenschutzbeauftragter (Data Protection Officer), Königstor 20, 34117 Kassel, Germany; E-mail: datenschutz@wingas.de
3. What data do we process and from what sources?
We process personal data that you provide voluntarily or that is gathered as part of your use of our Portal.
You can find more information on this subject in Section II “Processing of personal data.”
4. For what purpose do we process your data and what is the legal basis for that?
We process your personal data in compliance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR) and German Data Protection Act (BDSG), for various purposes. In principle, the purposes for which we process your data are: to perform contractual obligations (Article 6 paragraph 1 point (b) GDPR), to safeguard legitimate interests (Article 6 paragraph 1 point (f) GDPR), for processing subject to your prior consent (Article 6 paragraph 1 point (a) GDPR) and/or to comply with statutory obligations (Article 6 paragraph 1 point (c) GDPR).
You can find more information on this subject in Section II “Processing of personal data.”
5. Who obtains my data?
Service providers whom we engage to work on our behalf (termed “processors”; cf. Article 4 No. 8 GDPR) may obtain personal data. We use IT service providers as processors.
SEFE Energy can transfer personal data to affiliated companies within the meaning of Section 15 of the German Stock Corporation Act (AktG) inside the European Economic Area to a permissible extent, provided there are legitimate interests for doing so and statutory regulations are complied with. Those companies are: Gazprom Germania GmbH, Wingas Sales GmbH, Wingas Holding GmbH and Gazprom Marketing & Trading Ltd. Personal data is transferred to OOO Gazprom Export in Russia or PAO Gazprom in Russia as affiliated companies within the meaning of Section 15 of the German Stock Corporation Act (AktG) outside the European Economic Area (third country) on the basis of a standard data protection clause within the meaning of Article 46 GDPR. You can obtain a copy of that to inspect. To do so, please contact the controller or your Data Protection Officer specified in Section I, No. 1 and 2.
6. Data retention
We process your personal data only for as long as required to fulfill the purpose for which it is processed.
Moreover, we are subject to various retention and documentation obligations under legislation such as the German Commercial Code (HGB) or the German Fiscal Code (AO). The retention periods under the law may be up to 10 years.
Finally, the storage duration is also governed by the statutory limitation periods, such as defined in Sections 195 et seq. of the German Civil Code (BGB), which may be up to thirty years, with the standard limitation period being three years.
7. Your rights
Every data subject has the right to access personal data and obtain information (Article 15 GDPR), the right to rectification of data (Article 16 GDPR), the right to erasure of data (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), and the right to data portability (Article 20 GDPR). You can get in touch with us using the contact data specified in Section I “General information”, No. 1 and No. 2, to exercise the aforementioned rights.
If you have given us consent to process your data, you can revoke it at any time without using a special form. Where possible, notice of revocation should be sent to us using the contact data specified in Section I “General information”, No. 1 or No. 2.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). The supervisory authority responsible for SEFE Energy is:
The Hessian Data Protection Commissioner (HDSB)
You also have a right to object to the processing of your data, as explained in more detail at the end of this Data Protection Policy.
II. Processing of personal data
1. Cookies
We use cookies on various pages to make your visit to our website appealing and enable you to use certain functions. Cookies are small text files that are stored on your device. They can be sent to a page when it is accessed and thus allow identification of the user. Cookies help make Internet sites more user-friendly. Some of the cookies used are deleted when the browser session is over, i.e. when you close your browser. They are termed session cookies. Other cookies remain on your device and enable us to recognize your browser again the next time you visit the website. They are termed persistent cookies.
You can set your browser so that you are notified when cookies are placed and can decide whether to accept them on a case-by-case basis or to exclude acceptance of cookies for specific cases or in general. You can delete cookies that have already been placed. If you do not accept cookies, the features of our website may be restricted.
Personal data is processed using cookies on the basis of Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to enhance the features of our website.
2. Automated collection of access data/server log files
Whenever you access our Portal, general information in the form of personal data is collected automatically. By default, the web servers we use store the following usage data, if it is transmitted by your computer or Internet provider:
- The name of your Internet service provider
- Your IP address
- The referrer URL, i.e. the site from which you visit us, unless you enter the Portal URL directly
- The individual pages you visit on our Portal
- The amount of data transferred
- The time and duration of your visit
- Your browser type and version and the operating system you use
This data is automatically stored by the web server in server log files and usually erased after seven days. This data is not combined with data from other sources. We reserve the right to save this data longer than seven days if there are facts that indicate there has been any illegal access (such as attempted hacking or a DoS attack). The server log files are then used to review such incidents subsequently.
Personal data is processed on the basis of Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to simplify administration of our website and to enable us to detect and prosecute hacking.
3. Matomo (formerly Piwik)
SEFE Energy deploys the tool Matomo (cf. https://matomo.org/), which utilizes cookies stored on your device to analyze use of the Portal. The information regarding use of the Portal generated by the cookies is transferred to our server and stored. We process the following information pertaining to your use of the Portal:
- The search terms you entered
- The filters you used
- Your actions in the Portal (events)
- The pages and/or documents you accessed
- Your technical user ID in Liferay
- The company reference and assignment to SEFE Energy’s internal division
- Your IP address
IP address data is always only analyzed in truncated form, meaning it cannot be used to identify a person.
A web analytics cookie for Matomo is stored in your browser so that we can record and analyze various items of statistical data with Matomo. This cookie is only stored if you have actively consented to its use. Your consent is stored for one year; if you decline, you will be asked for consent again after one month. You can reset your consent at the top of this page.
Processing of personal data using Matomo is based on Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to optimize our online offering.
4. Logging of user behavior in relation to conclusion of contracts
After you log into the Portal as a user, we save information regarding your user behavior on the Portal. The following data is processed as part of that:
- Your IP address
- The clicks you made in the Portal
- All settings you made in the Portal
- All entries you made in the Portal
- The times you log in and session data
- Failed log-ins
- Company context
- The pages you accessed
Processing of personal data is based on Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to document initiation and conclusion of a contract and any acts relating to a contract, as well as to document actions and events for use as evidence in the case of legal disputes.
We cannot make the features of the Portal available to you without logging this data.
5. User account
The following data is collected from users when a user account is created:
- Surname and first name
- Salutation
- Title (optional)
- E-mail address
- Postal address
- Telephone and fax numbers
- Date of birth (optional)
- Language
- Date of last login
- Company reference
Data is processed on the basis of Article 6 paragraph 1 points (b) and (f) GDPR. The purpose of processing your data and our legitimate interests are to provide the services of the Portal, initiate and perform contracts, as well as for internal purposes (data analysis, research, optimization and further development of products).
6. E-mail subscriptions, Portal messages and notifications
Registered users regularly receive Portal messages containing information on the contents specified in the item “Notifications” (e.g. newsletters or a price alert). Users also receive an e-mail notification for every Portal message.
The personal data specified in No. 5 is processed in connection with this. The legal basis for that is Article 6 paragraph 1 point (f) GDPR. The purpose of processing your data and our legitimate interests are to enhance customer loyalty, as well as to conduct direct marketing.
You can object at any time to being sent e-mail notifications about Portal messages without incurring costs other than the basic costs of transmission. To do so, change the default settings for sending information in the Customer Portal under the item “Notifications”.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 paragraph 1 point (f) GDPR (data processing based on a weighing of interests), including any profiling based on those provisions within the meaning of Article 4 No. 4 GDPR.
If you object, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
Your objection can be submitted without using a special form and, where possible, should be sent using the contact data specified in Section I “General information”, No. 1 and No. 2, of this Data Protection Policy.