Data Privacy | Sunnic Lighthouse

Thank you for your interest in our company. Data protection and data security are a high priority for us. Below, we would like to provide you with comprehensive information about how we process personal data within our company and on our website.

How to contact us and our data protection officer.

We are

Sunnic Lighthouse GmbH
Kirchenpauerstraße 26
20457 Hamburg
T: +49 40 756 64 49 - 444
F: +49 40 756 64 49 - 699
Email: info@sunnic.de
Management: Christoph Koeppen, Arved von Harpe

We have appointed an external data protection officer. They can be contacted at the above address with the addition "personal – confidential for the data protection officer" and at datenschutz@enerparc.com.

What rights you have.

Provided that certain conditions are met, you have the right to

information about your data, to have incorrect data corrected,
to have your data deleted if there is no longer any reason to store it,
restriction of processing,
data portability, to object to processing based on our legitimate interest (Article 6(1)(f) GDPR),
to withdraw your consent with effect for the future, and
to lodge a complaint with the competent supervisory authority.

Of course, these rights are subject to conditions set out in the relevant laws, in particular the General Data Protection Regulation (GDPR).

What you need to know about transfers to third countries.

If we transfer your data to countries that are not part of the European Union (third countries), we need additional safeguards, which are regulated in Articles 44 et seq. GDPR. These include, in particular

Adequacy decisions, whereby the EU Commission has decided that a country or sector has an adequate level of data protection (Article 45 GDPR)
standard contractual clauses whereby data recipients from third countries contractually undertake to observe an adequate level of data protection (Article 46 GDPR),
binding internal data protection regulations that have been reviewed by EU supervisory authorities and by which data recipients from third countries undertake to observe an adequate level of data protection (Article 47 GDPR),
Declarations of consent in which you accept in individual cases that your data may be transferred to a third country (Article 49(1)(a) GDPR). Any risk notices can be found in the glossary.

What else you need to know.

We have the following additional information:

When we process your data, no automated decision-making and, in particular, no profiling takes place.
We are only legally obliged to process your data if we expressly indicate this in the following privacy policy.

What you need to know if you are a customer.

Contact
First, we collect your data to establish initial contact. It is possible that we will contact you first or vice versa. In any case, we process all data that you voluntarily provide to us. This often includes your contact details (name, email address, postal address, telephone number) and communication data (e.g., description of the content of the conversation, conversation notes, form entries). On this basis, we will submit an offer to you and store the relevant data. The purpose of this processing is to initiate or establish a contract. The legal basis for this is Article 6(1)(b) GDPR.

Credit check
In some cases, we will transfer your contact details to Creditreform Hamburg by Decken KG and, on this basis, also request and store information about your creditworthiness/credit rating from them. The purpose is to assess your creditworthiness. We will also transfer data about your payment behavior, including both positive data (fulfillment of claims) and negative data (payment defaults). In the case of negative data, however, this will only be done if the interests of the data subject do not prevent this. The legal basis for the aforementioned processing operations is Article 6(1)(f) GDPR. The legitimate interest required for this follows from the fact that credit checks are necessary for services such as those owed under this contract in order to minimize any risks of advance performance on the part of the controller. We would like to point out that Creditreform Hamburg von der Decken KG uses the above-mentioned data, among other things, to calculate a probability value for certain future behavior of our customers (score). The controller may request such a score from Creditreform Hamburg von der Decken KG in order to use it itself for credit checks.

Video conferences
In some cases, you can communicate with us via video conference. In doing so, we process the image and sound data collected and any transcripts made. The purpose of this processing is either to negotiate a contract with you or, later, to fulfill it. The legal basis for this is Article 6(1)(b) GDPR.

Recordings will only be made if we suggest this and you give your consent. In order to fulfill a legal obligation (Article 7(1) GDPR), we first store the information as to whether you have given your consent. The legal basis for this is Article 6(1)(c) GDPR. We then record the conversation and store the image and sound data generated during the conversation for documentation purposes. The legal basis for this is Article 6(1)(a) GDPR. The prohibition under Article 9(1) GDPR does not preclude this, as the exception under Article 9(2)(a) GDPR applies.

Contract fulfillment
If a contract is actually concluded between us, we will communicate with you, make payments, etc., and in doing so process communication and billing data (e.g., for the delivery of services and responding to inquiries) in order to fulfill the contract to the best of our ability. The purpose of this processing is the execution of the contract. The legal basis for this is Article 6(1)(b) GDPR.

Notification of changes to data processing
If we change the way we process your data (e.g., use new tools), we will inform you of the changes, e.g., by email. As a rule, we will send you updated privacy information. The processing is intended to fulfill a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6(1)(c) GDPR.

Data processing when asserting rights
If you assert your rights under the GDPR or other legal provisions, we will process your data in order to review these claims and, if necessary, fulfill them. The purpose of this processing is to fulfill a legal obligation. The legal basis for this is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.

Data retention/storage period
We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

We retain booking documents for eight years. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
We retain other internal records (e.g., annual financial statements) for ten years or longer. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
We retain business communications (e.g., customer letters) and other tax-relevant documents for six years. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 ( ) (1) (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.
If you assert your rights under the GDPR, communication data (correspondence by email, post, etc.) will be generated. We store this data for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and, in addition, on the statute of limitations under administrative offense law (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
If you assert other, non-GDPR rights, communication data will also be generated, which we will retain for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove in the event of a dispute that we have handled your claims correctly. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199(1) BGB).
If you consent to data processing,
- we will store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs first. In doing so, we are protecting our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199(1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations under administrative offense law (Section 31(2)(1) of the German Administrative Offenses Act (OWiG) in conjunction with Article 83 of the GDPR).
- We store the data that we process on the basis of your consent until you revoke your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) GDPR.

Deletion of data
We will delete your data as soon as the above-mentioned retention periods expire. In doing so, we comply with a legal obligation (Article 5(1)(a) and (e) GDPR). The legal basis is Article 6(1)(c) GDPR.

Recipients
The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

Providers of backup tools
Software hosting companies
Video conferencing system providers,
Law firms, tax and auditing firms
Project management tools
Whistleblower platform providers,
Accounting solution providers
Providers of Microsoft assistance tools
Providers of translation tools
Enerparc AG
Creditreform Hamburg von der Decken KG

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

Microsoft: Various applications from Microsoft Corporation (USA) are used, which has been commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365 Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
New Relic: The website monitoring tool "New Relic" from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
Lacework: The IT security tool "Lacework" from Lacework, Inc. (USA) is used. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 GDPR.
ShareFile: The IT tool "ShareFile" from Citrix Systems Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Monday.com: We use the collaboration tool "Monday.com" from Monday.com Ltd. (Israel). The transfer of data to a third country (in this case Israel) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
Atlassian: We use the project management tool provided by Atlassian Pty Ltd (Australia), which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case Australia) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Autodesk: We use the project management tool "Autodesk" from Autodesk, Inc. (USA), which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR for employee data and in accordance with Article 45 of the GDPR for all other data.

What you need to know if you are a supplier.

Contact
First, we collect your data in order to establish initial contact. It is possible that we will contact you first. It is also possible that you will contact us first. In any case, we process all data that we have researched in advance and/or that you voluntarily provide to us. This often includes your contact details (name, email address, postal address, telephone number) and communication data (e.g., description of the content of the conversation, conversation notes, form entries). On this basis, we review your offer and store the relevant data. The purpose of this processing is to initiate or establish a contract. The legal basis for this is Article 6(1)(b) GDPR.

Contract fulfillment
If a contract is actually concluded between us, we will communicate with you, make payments, etc., and in doing so process communication and billing data (e.g., for the delivery of services and responding to inquiries) in order to fulfill the contract. The purpose of this processing is the performance of the contract. The legal basis for this is Article 6(1)(b) GDPR.

Notification of changes to data processing
If we change the way we process your data (e.g., use new tools), we will inform you of the changes, e.g., by email. As a rule, we will send you updated privacy information. The purpose of the processing is to fulfill a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6(1)(c) GDPR.

Data retention/storage period
We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

We retain booking documents for eight years. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
We retain other internal records (e.g., annual financial statements) for ten years or longer. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
We retain business communications (e.g., customer letters) and other tax-relevant documents for six years. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
If you assert your rights under the GDPR, communication data (correspondence by email, post, etc.) will be generated. We store this data for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and, in addition, on the statute of limitations under administrative offense law (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
If you assert other, non-GDPR rights, communication data will also be generated, which we will retain for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove in the event of a dispute that we have handled your claims correctly. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199(1) BGB).
If you consent to data processing,
- we will store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs first. In doing so, we are protecting our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and, in addition, on the statute of limitations under administrative offense law (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
- We store the data that we process on the basis of your consent until you revoke your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) GDPR.

Recipients
The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

Providers of backup tools
Software hosting companies
Video conferencing system providers,
Law firms specializing in legal, tax, and auditing services
Project management tools,
Whistleblower platform providers,
Accounting solution providers
Providers of Microsoft assistance tools
Providers of translation tools
Enerparc AG

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

Microsoft: Various applications from Microsoft Corporation (USA) are used, which has been commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365 Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
New Relic: The website monitoring tool "New Relic" from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
Lacework: The IT security tool "Lacework" from Lacework, Inc. (USA) is used. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 GDPR.
ShareFile: The IT tool "ShareFile" from Citrix Systems Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Monday.com: We use the collaboration tool "Monday.com" from Monday.com Ltd. (Israel). The transfer of data to a third country (in this case Israel) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
Atlassian: We use the project management tool provided by Atlassian Pty Ltd (Australia), which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case Australia) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Autodesk: We use the project management tool "Autodesk" from Autodesk, Inc. (USA), which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR for employee data and in accordance with Article 45 of the GDPR for all other data.

What you need to know when visiting the website www.sunnic.de.

Special features regarding responsibilities
Insofar as we maintain company pages on social media/networks, we would like to point out that

if we analyze your use of our company page, we and the respective provider are jointly responsible for data protection in accordance with Article 26 GDPR.
we have commissioned the providers in all other cases in accordance with Article 28 GDPR.

Presentation of the website
You have the option of using our website for informational purposes only. This means that you only visit the site without clicking on anything or entering any information. Even then, we process the following data from you so that you can view the website in your browser:

IP address,
Date and time of the request,
time zone difference from Greenwich Mean Time (GMT),
Content of the request (specific page),
access status/HTTP status code,
Amount of data transferred,
the page from which the request originates,
browser,
operating system and its interface,
language and version of the browser software.

The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.

Web hosting
We use an external web host to make our website available. The web host processes all data mentioned in the previous section (presentation of the website). The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.

Cookie consent
We give you the option to consent to the use of cookies and use a cookie consent tool for this purpose. In doing so, we process all data already mentioned in the previous section (presentation of the website) as well as information about whether, in what form, and when you have given your consent. The purpose of this processing is to fulfill a legal obligation (Article 7(1) GDPR). The legal basis is Article 6(1)(c) GDPR.

Recruiting
You can apply for a job with us via our website in the recruitment section or via other contact channels. We collect this data to check whether we can enter into an application process or not. The legal basis is Article 6(1)(b) GDPR. In all other respects, our data protection information for employees applies.

Analysis of usage behavior
We use cookies to analyze how you arrive at our website and what you do there. Cookies are text files that are stored on your computer and enable us to perform this analysis (reports on your activities and interactions on the website, e.g., sequence of interactions, length of stay).

We use this data and analysis to improve our website and the user experience and to tailor it to you and other affected parties. Further details can be found in the information on the tools (see below).

The purpose of processing is to optimize our website. The legal basis is Article 6(1)(a) GDPR.

Social media/networks
We are active on social media and networks. If you access our company pages on social media/networks from our website, some of your data will be processed. This also applies if you access these pages via other means rather than our website.

We would like to make it clear that we have no influence over which data is processed, how it is processed, or how long it is stored. It is always possible that the providers of these platforms store your data and use it for advertising purposes, market research, and/or to tailor their services to your needs. Further details can be found below in the information on the providers.

The following data is processed:

cookie- or pixel-based data about your interactions with our company websites,
Your email address,
your name,
Your communication details

The processing serves to present our company. The legal basis is Article 6(1)(a) GDPR.

Playback of videos
Videos are displayed on our website that are integrated via plugins from video and streaming portals. Each time a subpage/page with a video clip is accessed, a direct connection to a server of the video portal is established. Further details can be found in the information provided by the providers.

The following data is processed:

cookie-based data about your interactions with the video subpages,
information about which video you clicked on

The purpose of processing is to display videos and optimize our website. The legal basis is Article 6(1)(a) GDPR.

Data processing when asserting rights
If you assert your rights under the GDPR or other legal provisions, we will process your data in order to review these claims and, if necessary, fulfill them. The purpose of this processing is to fulfill a legal obligation. The legal basis for this is Article 6(1)(c) GDPR in conjunction with the respective legal provision from which your right or claim arises.

Data retention/storage period
We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

If you exercise your rights under the GDPR, communication data (correspondence by email, post, etc.) will be generated. We store this data for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and, in addition, on the statute of limitations under administrative offense law (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
If you assert other, non-GDPR rights, communication data will also be generated, which we will retain for three years. This period begins on December 31 of the calendar year in which we responded to your request. In doing so, we are pursuing our own legitimate interests. This is because we want to be able to prove in the event of a dispute that we have handled your claims correctly. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199(1) BGB).
If you consent to data processing,
- we will store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs first. In doing so, we are protecting our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199(1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations under administrative offense law (Section 31(2)(1) of the German Administrative Offenses Act (OWiG) in conjunction with Article 83 of the GDPR).
- We store the data that we process on the basis of your consent until you revoke your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) GDPR.

Deletion of data
We will delete your data as soon as the above-mentioned retention periods expire. In doing so, we are fulfilling a legal obligation (Article 5(1)(a) and (e) GDPR). The legal basis is Article 6(1)(c) GDPR.

Recipients

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

Hosting providers
Providers of cookie consent tools
Social networks
Law firms, tax and auditing firms
Project management tools
Whistleblower platform providers,
Accounting solution providers
Providers of Microsoft assistance tools
Providers of translation tools

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

Google: Various applications from Google Ireland Ltd. (Ireland - EU) are used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case to Google LLC in the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR. The following Google tools are used:
- We use Google Analytics. Google generally processes IP addresses only within the European Union or the signatory states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a server of the provider in the USA and shortened there. To the best of our knowledge, the IP address transferred is not merged with other data. We also use Google Analytics for cross-device analysis of visitor flows, which is carried out using a user ID.
- We use Google Remarketing and Google Ads. This works as follows: When you interact with us online, for example by visiting our website, you may be identified as a suitable recipient of advertisements (so-called "ads") through the use of cookies (so-called ad server cookies). These cookies also enable us to measure and evaluate the success of an advertising campaign. If you then visit Google pages (YouTube, Google search engine, etc.), you will be recognized by these cookies and our "ads" will be displayed to you (so-called "remarketing"). This happens by your browser automatically establishing a direct connection to the Google server. The "ads" are then delivered via so-called Google Ad Servers. The ad server cookies used for this purpose are usually valid for 30 days and are not used for personal identification. Typically, the following analysis values are stored: a unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions), and opt-out information (indicating that you do not wish to receive further ads).
- You can restrict or prevent tracking, for example (a) by making the appropriate settings in your browser software (in particular, blocking third-party cookies prevents you from receiving advertisements) or (b) by deactivating cookies for conversion tracking by setting your browser to block cookies from the provider's domain. However, this setting will be deleted when you delete the cookies in your browser.
- The purpose of this processing is to present our company, analyze usage behavior in relation to interaction with our website, and communicate with you via social media, including for advertising purposes where applicable.
- We use Google Tag Manager. This works as follows: The tool enables us to integrate various codes and services into our website in a structured and simplified manner. The tool implements so-called tags or triggers the integrated tags. When a tag is triggered, Google may also process personal data.
- We use DoubleClick. This works as follows: DoubleClick uses cookies to show you relevant ads, improve reports on campaign performance, or prevent you from seeing the same ads multiple times. Google uses a cookie ID to track which ads have been displayed in which browser in order to avoid duplicate ads. The use of cookie IDs also enables the recording of so-called conversions in connection with ad requests. This is the case, for example, if you see a DoubleClick ad and later visit our company's website using the same browser and make a purchase there. The marketing tools used automatically establish a direct connection between your browser and Google's server. Through the integration of DoubleClick, Google receives information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with a Google service, Google can associate the visit with your respective account. Even if you are not registered or logged in, it is possible that Google may collect and store your IP address.
- Google Maps: We use Google Maps. Please note the following: Google Maps is a map display tool. Which specific data is transferred depends, among other things, on whether the data subjects use this website as logged-in users of a Google account or not.
X (formerly Twitter): The social network "X" of Twitter International Company (Ireland - EU) is used. Further information on how this provider processes data can be found here: twitter.com/de/privacy. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 GDPR. The controller uses this social network as follows: Operation of a company page. The terms used here are explained in the glossary at the end of the declaration.
LinkedIn: The social network "LinkedIn" of LinkedIn Ireland Unlimited Company (Ireland - EU) is used. The transfer of data to a third country (in this case the USA) cannot be excluded and is justified in accordance with Article 46 GDPR. The controller uses this social network as follows: Operation of a company page. The terms used here are explained in the glossary at the end of the declaration.

Data protection information for employees and applicants

Initial contact in the application process
During the application process, we receive and review your application documents. This includes all data that you disclose about yourself. If we are interested in your application, we will invite you to an interview, during which we will collect, store, and use data (contact details, usually name, telephone number, email address) to arrange an appointment. If you are still interested, we will make you an offer of employment, whereby your contact details (usually your name, telephone number, and email address) and the data from the employment contract (usually your job title, vacation times, and salary) will be processed. In each of the aforementioned processing steps, it is also possible that your application will be rejected. The purpose of the aforementioned processing operations is to carry out the application process. The legal basis is Article 6(1)(b) GDPR.

Active recruiting
Before the application process, we research data about potential employees from publicly available sources. We will contact you. In doing so, we process the data necessary for establishing contact (e.g., name, address, email address) as well as job-specific data about your qualifications (e.g., degrees, certificates, etc.). The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6(1)(b) GDPR.

Request for references and evidence
We request specific references and qualifications that are essential for the performance of the job. In doing so, we process the data contained in the references and other documents provided in this context. The purpose of the aforementioned processing operations is to initiate the application process or, at a later stage, to execute the employment relationship. The legal basis is Article 6(1)(b) GDPR.

Trial work day
You will complete a trial work day and we will note our findings, which we will then use to decide on your application. In doing so, we process the data required to contact you (e.g., name, address, email address) as well as any notes taken during the trial work day. The purpose of the aforementioned processing operations is to initiate the application process. The legal basis is Article 6(1)(b) GDPR.

Performance of the employment relationship
During the active employment relationship, all access and/or communication data related to the fulfillment of the employment contract (e.g., emails) will be processed. The purpose of the aforementioned processing operations is to carry out the employment relationship. The legal basis is Article 6(1)(b) GDPR.

Recording of driving license data
Only if you receive a company car from us for the fulfillment of your employment obligations will we collect your driver's license data in advance with the help of an external provider, with whom you can digitally register your driver's license. All driver's license data will be processed in this process. The purpose is to fulfill our traffic safety obligations and our obligations to insurers, namely to ensure that you are authorized to drive a company car. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest arises from the aforementioned purposes.

Employee benefits (with legitimate interest)
(1) In some selected cases, we offer you the opportunity to take advantage of so-called employee benefits. (2) We transfer the contact data required for the provision of the benefits to external third-party providers (usually your name, address, and information that you are employed by us). The purpose is to grant benefits in order to retain employees and increase our attractiveness as an employer. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest arises from the above-mentioned purpose. Whether and, if so, which benefits are granted is the subject of an agreement under labor law, which may still need to be concluded separately from this privacy policy. The mere mention of this possibility does not constitute a claim on your part.

Handing over keys (with logging)
In some cases, you will receive keys and/or chip cards for access to company premises, and the handover will be logged. In this context, we process the following data: name, status of the handover of the above-mentioned items. The purpose of the aforementioned processing operations is to fulfill a data protection obligation, namely that of taking adequate organizational security measures. The legal basis is Article 6(1)(c) GDPR in conjunction with Article 32 GDPR.

Handing over access data (along with logging)
In some cases, you will receive access data for company software and hardware, whereby both this access data and its assignment to you will be recorded and stored. The assignment itself will also be logged. In doing so, we process the following data: name, access data, status of the assignment of the access data. The purpose of the aforementioned processing operations is to fulfill a data protection obligation, namely that of taking adequate organizational security measures. The legal basis is Article 6(1)(c) GDPR in conjunction with Article 32 GDPR.

Issuing company equipment (including logging)
In some cases, you will receive company hardware, the handover of which will be logged. In this context, we process the following data: name, status of hardware allocation. The purpose of the aforementioned processing operations is the internal organization of the services owed under the employment contract. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest arises from the aforementioned purpose.

Mental health coaching
(1) In some selected cases, we offer you the opportunity to participate in mental health coaching. (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time, and status of the consent. The purpose is to fulfill a legal obligation. The legal basis is Article 6(1)(c) GDPR in conjunction with Article 7(1) GDPR. (3) We do not process any data about your participation in the coaching and/or its content ourselves, but only receive an invoice. The legal basis is Article 6(1)(a) GDPR.

Changes to data processing
If we change the processing, in particular if we use new recipients, we will inform you of the change by email by sending you the updated data protection information by email. The purpose is to fulfill the transparency obligations under the GDPR (Articles 12 to 14 GDPR). The legal basis is Article 6(1)(c) GDPR.

Exercising rights
If you assert your rights under the GDPR or other legal provisions, we will process the data in order to review these claims and, if necessary, fulfill them. The purpose is to fulfill a legal obligation. The legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the standard from which the legal obligation arises.

Conflicts in the employment relationship
In the event of a (labor) legal conflict between you and us, the data will be processed in order to issue appropriate statements and, if necessary, to obtain external legal advice. The following data will be processed in this context: name, contact details, all processes related to the labor law conflict. The processing serves to obtain external advice/support under labor law and to exercise our own rights. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest arises from the aforementioned purposes. Insofar as data is processed externally, this does not constitute order processing (see DSK Short Paper 13), but rather a data transfer, which is justified by Article 6(1)(f) GDPR. This is therefore a case of other outsourcing.

Receipt and processing of whistleblower reports
We offer you the opportunity to contact us as a whistleblower/informant. Whistleblower reports received from employees are acknowledged and processed. Personal data is only processed if the report is not submitted anonymously. This includes the following: name(s), content of the report. The purpose of the processing is to fulfill a legal obligation under Sections 12 et seq. HinSchG. The legal basis is Article 6(1)(c) GDPR.

Production of media recordings
(1) In some selected cases, we allow you to make media recordings (photo, film, sound). (2) If you decide to do so, we will obtain the necessary consent. For this purpose, we process the name, time, and status of the consent. The purpose is to fulfill a legal obligation. The legal basis is Article 6(1)(c) GDPR in conjunction with Article 7(1) GDPR. (3) Media recordings will be made of you and, if consent is given, also published in certain cases to be determined by us. In doing so, we process the image, film, and sound data. The purpose is to present our company to the public. The legal basis is Article 6(1)(a) GDPR. This is not precluded by the prohibition in Article 9(1) GDPR, as the exception in Article 9(2)(a) GDPR applies here.

Fulfilment of further legal obligations
In the employment relationship, data is processed to fulfill further legal obligations not yet mentioned here. This includes the following situations:

Processing of all data relating to participation in training courses and instruction, including in particular first aid training (Section 14 SGB VII in conjunction with DGUV Regulation 1), conducting data protection training for employees (Article 32 GDPR), training for EuP (Section 14 SGB VII in conjunction with DGUV Regulation 3), Driver safety training (Section 3 ArbSichV), fire extinguishing training (Section 14 SGB VII in conjunction with DGUV Regulation 1), IT training (BSI-Kritisverordnung, Article 32 GDPR). The following data is processed: Name, company contact details, communication data, status and, if applicable, time of participation (day, time).
Processing of all data when ordering hardware or software that must be provided for occupational health and safety reasons, e.g., computer glasses (§ 3 ArbSchG). The following data is processed: name, company contact details, communication data, proof of the necessity of the hardware or software, time of order, time of delivery, time of commissioning, costs.
Processing of all data when keeping a first aid log, in particular storage of the completed first aid log pages (Section 14 SGB VII in conjunction with DGUV Regulation 1, Section 24 (6)). The following data is processed: name, company contact details, communication data, data on all first aid incidents, in particular the type of incident, time, measures taken, identity of the employees/persons who provided assistance and those affected.
Processing of all data collected in the course of occupational medical examinations (§ 3 ArbSchG). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment.
Processing of all data collected during occupational eye examinations (Section 3 of the German Occupational Safety and Health Act (ArbSchG)). The following data is processed: name, company contact details, communication data, time of appointment, status of appointment attendance.
Other training courses for which training obligations currently exist or will exist in the future. The following data is processed: name, company contact details, communication data.

All processing steps serve to fulfill the legal obligations specified in the respective parenthetical additions. The legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the standards specified in the respective parenthetical addition.

Fulfillment of other obligations under the employment contract
During the employment relationship, data is processed for the purpose of performing the employment relationship. This includes, in particular, but is not limited to, the following situations:

The filing of planning documents and documentation with station suppliers is recorded, stored, and further used. The following data is processed in this context: name, company contact details, communication data, status and time of entry, identity of the employee making the entry.
The documentation of the filing of planning documents and the documentation with substation installers is recorded, stored, and further used. The following data is processed: name, company contact details, communication data, status and time of entry, identity of the employee making the entry.
Absences due to parental leave, illness, vacation, special leave, educational leave, and unpaid leave are recorded, stored, and further used for the purposes of compliance with tax and social security laws ( ). The following data is processed: name, company contact details, communication data, period, reason, proof of the reason for the absence.
In the case of procurements/purchases, including the ordering of work clothing that affects you, the following data is collected, stored, and used: name, company contact details, communication data, clothing size, assignment of work clothing, condition of work clothing.
Internal communication takes place regarding the management of work clothing. The following data is processed: name, company contact details, communication data, clothing size, allocation of work clothing, condition of work clothing.
In certain cases, electronic signatures are obtained. The following data is processed in this context: name, business contact details, communication data, signature image, time of signature, content of the signed document.
Hotel reservations are made and documented for you. The following data is processed: name, company contact details, communication data, status of the business trip, duration of the business trip, costs of the business trip.
The reimbursement of other travel expenses incurred during business trips is recorded, stored, and used. The following data is processed: name, company contact details, communication data, status of the business trip, period of the business trip, costs of the business trip.

All processing steps serve the purpose of internal communication and the fulfillment of obligations under employment contracts. The legal basis is Article 6(1)(b) GDPR.

Video recordings on the premises of the solar parks
Our solar parks are monitored by video, and the video surveillance data (image data, recording period, location of recording) is processed to protect our property rights, our property and possessions, and to fulfill legal obligations (Article 32 GDPR: access control, Section 8a BSI Act: special security measures). Furthermore, still images are recorded several times a day in order to measure and statistically evaluate any environmental impacts (e.g., hail, snowfall). Insofar as the processing serves to protect our property rights, our property, and possessions, Article 6(1) sentence 1 lit. f GDPR is the legal basis, whereby the legitimate interest follows from the aforementioned purposes. Insofar as the processing serves to fulfill legal obligations, Article 6(1)(c) GDPR is the legal basis. Insofar as the processing serves to measure and evaluate any environmental impacts, Article 6(1)(f) GDPR is the legal basis, whereby the legitimate interest follows from the aforementioned purpose.

Data retention/storage period
We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:

We retain booking documents for eight years. This period begins on December 31 of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
Other internal records (e.g., annual financial statements), business communication data (e.g., customer letters), and other tax-related documents must be retained for six years, beginning on December 31 of the calendar year in which the respective document was created. The processing serves to fulfill a legal obligation and is based on Article 6(1)(c) GDPR in conjunction with Section 147 AO, Section 257 HGB.
Data from the documentation of working hours must be retained for two years, beginning on December 31 of the calendar year in which the respective document was created. The processing serves to fulfill a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with § 16 ArbZG, § 17 MiLoG.
Data from the payroll account must be retained for 6 years, beginning on December 31 of the calendar year in which the last recorded wage payment is made. The processing serves to fulfill a legal obligation and is based on Article 6 (1) sentence 1 lit. c GDPR in conjunction with § 41 EStG.
Data on health insurance status and sick notes are retained for 5 years. Processing is necessary to fulfill a legal obligation and is based on Article 6(1)(c) GDPR in conjunction with Section 198 SGB V and Section 165 SGB VII.
Data that arises when you assert data protection claims will be retained for three years, beginning on December 31 of the calendar year in which we responded to your claim. The processing serves to protect the interest in defending ourselves against claims and is based on Article 6(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and, in addition, from the statute of limitations provisions of the Administrative Offenses Act ( , OWiG) (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
Data that arises when you assert other claims will be stored for three years, beginning on December 31 of the calendar year in which we responded to them. The processing serves to protect the interest in defending against claims and is based on Article 6(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199(1) BGB).
Data based on consent shall be retained until consent is revoked or until the purpose for which the data was processed ceases to apply, whichever occurs first. The retention serves the purpose associated with the consent and is based on Article 6(1)(a) GDPR.
Data proving that consent has been given must be retained for three years from the date of withdrawal of consent or from the date on which the purpose ceases to apply, whichever is earlier. The processing serves to protect the interest in defending against claims and is based on Article 6(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the statute of limitations provisions of the law on administrative offenses (Section 31 (2) No. 1 OWiG in conjunction with Article 83 GDPR).
Data from an application will be stored for 6 months, starting from the date of receipt of the rejection. The processing serves to protect the interest in defending against claims under the AGG and is based on Article 6(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purpose. The duration of the legitimate interest follows from the time limit provision in Section 15 (4) UWG plus the period after which the receipt of a complaint can no longer be expected.
Video recordings on the solar park premises are generally only stored for 48 hours. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest follows from the above-mentioned purposes (protection of our domestic authority, our property, and possessions). If these purposes are impaired (e.g., trespassing, theft, damage to property), we will retain the data for as long as necessary to pursue our rights (e.g., claims for damages), but will delete it at the latest after the facts have been legally clarified.
We store still images taken from the video recordings and used to measure and evaluate any environmental impacts for a maximum of 5 years, with the al period beginning on December 31 of the calendar year in which the recordings were made. The legal basis is Article 6(1)(f) GDPR, whereby the legitimate interest arises from the aforementioned purpose.

Deletion of data
The data will be deleted after the retention periods have expired. The deletion is intended to fulfill a legal obligation and is based on Article 6(1)(c) GDPR in conjunction with Article 5(1)(a) and (e) GDPR.

Recipients
The following recipients and other external bodies process your data:

Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:

Providers of backup tools
Software hosting companies
Providers of video conferencing systems and remote working tools,
Law firms, tax and auditing firms,
Password management system providers,
Project management tools,
Whistleblower platform providers,
Providers of compliance and training solutions,
Providers of (payroll) accounting solutions,
Providers of Microsoft assistance tools,
Translation tool providers,
Providers of work equipment (e.g., work clothing) provision and management
HR system providers,
Providers of employee benefits,
Providers of security and surveillance services.
Providers of social networks (for recruiting purposes)
Enerparc AG

Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):

Microsoft: Various applications from Microsoft Corporation (USA) are used, which has been commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365 Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
New Relic: The website monitoring tool "New Relic" from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.
Lacework: The IT security tool "Lacework" from Lacework, Inc. (USA) is used. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
ShareFile: The IT tool "ShareFile" from Citrix Systems Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Monday.com: The collaboration tool "Monday.com" from Monday.com Ltd. (Israel) is used. The transfer of data to a third country (in this case Israel) cannot be ruled out and is justified in accordance with Article 45 GDPR.
Atlassian: The project management tool from Atlassian Pty Ltd (Australia) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case Australia) cannot be ruled out and is justified in accordance with Article 46 of the GDPR.
Autodesk: The project management tool "Autodesk" from Autodesk, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 of the GDPR for employee data and in accordance with Article 45 of the GDPR for all other data.
Adobe: In connection with the use and creation of documents, software offerings from Adobe Systems Software Ireland Limited (Ireland - EU) are used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case to Adobe Inc., USA) cannot be ruled out and is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
LinkedIn (social network): The social network "LinkedIn" of LinkedIn Ireland Unlimited Company (Ireland - EU) is used. However, it cannot be ruled out that data may be transferred to or integrated with the parent company, LinkedIn Corporation (USA). A transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 46 GDPR. The following tools are used: LinkedIn (company page), LinkedIn (recruiting)
Dropbox: The cloud service "Dropbox" from Dropbox, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out and is justified in accordance with Article 45 of the GDPR.

Last updated: 01/07/2025