This Privacy Policy applies to the establishment and use of a service contract with us, including the use of our online customer portal, as well as to all other services that expressly refer to this Privacy Policy. This Privacy Policy also applies to the use of the online customer portal.

The entity responsible for data processing is: Grünwelt Wärmestrom GmbH, Girmes-Kreuz-Str. 55, 41564 Kaarst. The name and address of our data protection officer is: Grünwelt Wärmestrom GmbH, Data Protection Officer, Girmes-Kreuz-Str. 55, 41564 Kaarst, Email: datenschutz@gruenwelt.net

We (the respective “controller”) are committed to protecting your personal data. That is why we are providing you with this information regarding our handling of your data and our data protection principles. We process personal data collected within the scope of this Privacy Policy in accordance with the applicable legal provisions on data protection and data security in the Federal Republic of Germany. As of May 25, 2018, data protection is governed in particular by the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

1.1. Data Collection and Source of Data
We collect and process the data that you provide to us when making a product inquiry or placing an order for a product, or that we receive in the context of a customer relationship or your login to our “Online Customer Portal,” as well as in the context of a contact relationship or for a job application; or that we— to the extent necessary or appropriate under Article 6(f) of the GDPR—collect from publicly accessible sources (e.g., commercial registers, your websites, press articles, etc.). Such data is stored only if you provide it to us for the aforementioned occasions and purposes, and, for example, also when you order informational materials, subscribe to an email newsletter, apply for a job online, or participate in a survey or a contest.

1.2. Use and Disclosure of Personal Data in General
We generally use your personal data to respond to your inquiry, process your order, or provide you with access to specific information or offers, as well as to establish and fulfill a concluded supply or usage contract. In addition, we use data that has been lawfully disclosed to us for the purpose of advertising by mail and also by email or telephone, provided that you have given your specific and valid consent to this.

To this end, it may also be necessary for us to share your data with external service providers as part of data processing on our behalf, or to exchange data with other providers (e.g., when switching electricity or gas providers). We will neither sell your personal data to third parties nor market it in any other way.

Data transfers to third countries occur in connection with the administration, development, and operation of IT systems, and only to the extent that a) the transfer is generally permissible and b) the specific requirements for a transfer to a third country are met, in particular that the data importer ensures an adequate level of data protection in accordance with the EU Standard Contractual Clauses for the transfer of personal data to processors in third countries. The basis for this is the provisions of the GDPR and the Federal Data Protection Act.

We process the aforementioned personal data in accordance with the provisions of the GDPR and the Federal Data Protection Act (BDSG), as well as—where applicable—the TMG (effective December 1, 2021, the TTDSG):

2.1. To fulfill contractual or pre-contractual obligations (Art. 6(1)(b) GDPR
Personal data is processed to fulfill a customer contract, contact relationship, or employment application, or to enable your use of our online customer portal. The purposes of data processing and the necessity thereof are primarily determined by the specific purposes defined by the aforementioned legal relationships. Within the context of a customer relationship, this includes, in particular, the establishment, structuring, fulfillment, consultation and billing of a customer relationship, as well as the exchange of personal data with necessary business partners (e.g., the transferring or receiving utility provider when switching providers, data exchange with metering point operators).

This also includes storing data regarding payment history. We need this data to process payment reminders, suspend service, and, if necessary, terminate the contract. We also process this data to handle your inquiries and to establish customer relationships or similar contact arrangements.

To this end, it may also be necessary for us to share your data with group companies or external service providers, in each case within the scope of data processing on behalf of the controller. Personal data that we collect and store when establishing or fulfilling a customer relationship, a contact relationship, or in connection with job applications may include:

• Name and address, as well as other contact information (phone numbers, email address, fax number, etc.), registration numbers, names and addresses of authorized representatives, account information, and the corresponding contact details of the customer’s designated representatives.
• Additional account or product data within a customer relationship, such as selected products and plans, and payment information.
• Factual information regarding a customer relationship (meter readings and consumption, locations of consumption points, meter information, information about the metering point operator).
• IP address and usage data when accessing the online customer portal on our website; setting and reading cookies that are necessary for the provision of services (so-called “service cookies” or “essential cookies”); we do not set or use any tracking and/or analytics cookies without your consent.
• Name and email address provided when subscribing to the newsletter, as well as delivery information for each newsletter.

2.2. Processing based on a balancing of interests (Art. 6(1)(f) GDPR)
To the extent necessary for our purposes, we process your data beyond the actual performance of the preliminary agreement or contract to safeguard the legitimate interests of ours or of third parties, unless your interests in refraining from data processing prevail:

• Management of the customer relationship as appropriate
• Processing of applications as appropriate
• The fulfillment and continuation of contractual relationships within the bounds of reasonableness
• Collection of outstanding receivables; we work with reliable partners in this area; see section 7.
• Direct mail, unless you opt out.
• Anonymization of IP addresses when using our online customer portal on our website for statistical purposes and data security
• Possible data security measures when using the online customer portal on our website, such as, in particular, the storage of IP addresses, provided that the specific threat situation makes this appropriate.

2.3. Processing Based on Your Consent (Art. 6(1)(a) of the GDPR)
If you give us your consent to process personal data for a specific purpose in accordance with applicable regulations, we will process this data within the scope of that consent.

• Consent to receive marketing communications via email, newsletters, or other channels regarding specific products from us or third parties;
• Participation in a contest and consent to receive advertising for certain products from us or third parties via certain communication channels (e.g., email, phone, mail, etc.)

2.4. Processing based on legal requirements (Art. 6(1)(c) of the GDPR)
We process your personal data to the extent that we are subject to a legal obligation, such as statutory retention requirements or obligations to provide information to government agencies in accordance with the law.

2.5 Data Processing Using AI-Based Systems
We always use artificial intelligence (AI) responsibly. In doing so, we take into account the requirements of the EU Artificial Intelligence Regulation (AI Regulation), all other relevant legal provisions (GDPR), and ethical principles. In addition, we implement technical and organizational measures that reflect the current state of the art. Our employees and contracted third parties possess the necessary expertise in handling AI systems. This includes education, practical experience, training, and an understanding of the application context. AI-supported services may involve the processing of personal data, but this is not mandatory. A risk assessment is conducted prior to deployment in accordance with the AI Regulation. We use only systems classified up to the “medium risk” category. If messages are generated without additional human review, we clearly label them as AI-generated. We do not use systems classified as high risk under the AI Regulation. Our systems are configured so that no data is transferred back to external providers. Should this become unavoidable in the future for certain applications, we will inform you separately. AI-supported processing may also take place in connection with the stated purposes. The goal is to use these technologies to make processes more efficient and improve service quality for our customers. The legal basis is derived from the aforementioned standards, in particular Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest). Our interest here lies in increasing efficiency and optimizing the handling of customer inquiries. Examples of the use of our AI-supported solutions include:

• Optimizing customer service, for example by automatically analyzing incoming communications for classification and forwarding,
• Assistance in responding to customer inquiries,
• Expansion of features such as image analysis, automatic alignment, text recognition (e.g., of meter readings or documents), and transfer to our systems.
• Pattern analysis in data, e.g., for process improvement, market research, or to detect fraud attempts.

When developing new AI-based methods, we ensure that the training, validation, and test data used are relevant, representative, and accurate. Quality assurance procedures ensure that biases are identified and mitigated. As a rule, we rely on anonymized or pseudonymized data for this purpose. Personal data is only used for development and training purposes if there is no alternative and it is legally permissible. The legal basis here is our legitimate interest pursuant to Art. 6(1)(f) GDPR. This includes, in particular, the improvement of customer services, the further development of existing functions, the development of new applications, and the data-driven optimization of our business processes.

Within our company, access to your data is granted to those individuals who are entrusted with processing it to the extent that it is necessary or reasonably appropriate. Service providers and vicarious agents engaged by us may also be granted access to personal data for these purposes provided that they comply with our written data protection instructions and maintain general data confidentiality within the scope of order processing and—where applicable—maintain telecommunications secrecy.

In addition, under the terms of a supply contract, data may be exchanged with the participating suppliers, particularly when switching providers, as well as the necessary data exchange with metering point operators. This transfer takes place only to the extent that it is necessary or reasonably appropriate to protect the legitimate interests of us, you, or third parties.

We work with third parties to obtain financial and credit information; see Section 6. When collecting debts, we work with third parties; see Section 7. Furthermore, we will not, in particular, transfer any personal data to third parties for the purposes of advertising or address trading.

Data will only be transferred to countries outside the EU or the EEA (“third countries”) if this is necessary for the performance of the contractual relationship or, in exceptional cases, is appropriate for the fulfillment of a legitimate interest, or if we have entered into a data processing agreement.

We process and store your data under a service contract for as long as the contract remains in effect. After the service contract ends, we are legally required to store the data (in an archived state) for a period of 10 years, calculated from the end of the year in which the contract is terminated. We store your invoices only until the expiration of the statutory retention periods (10 years from the end of the respective calendar year).

When you use the online customer portal on our website, we store your IP address and usage data for the duration of your session. In addition, the IP address is stored to the extent that this is appropriate for data security and for investigating or preventing security or data protection breaches, with the appropriateness being determined by the specific threat situation.

In this case, IP addresses are stored only for as long as is reasonable for the aforementioned purposes, generally not exceeding three months . In the event of a criminal complaint, criminal prosecution, or the enforcement of claims against individuals who have committed security or data protection violations , the data may be stored and used until the claims have been conclusively clarified or enforced. When using our website, anonymized data may also be collected to measure the reach of the pages or to “measure the web audience.”

In the context of a business relationship, contact information and communication data are stored and used to the extent necessary for the respective purpose of communication or to the extent appropriate for that purpose.

In the context of a job application, contact information and application data are stored and used to the extent necessary for the respective purpose of the application or to the extent appropriate for that purpose. If the application is unsuccessful, the data will be deleted within two months after notification of the rejection, provided that no other legitimate interests of the data controller preclude such deletion. Other legitimate interests in this context include, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

When you sign up for our newsletter or enter a contest, your data will be stored and used until you unsubscribe from the newsletter or we discontinue the newsletter. Your consent and information regarding previous mailings will remain stored until any potential claims for injunctive relief on your part become time-barred, but we will no longer use the data to send you further newsletters. Details regarding data processing are provided in the respective contest.

We will forward your information (name, address, and, if applicable, date of birth) to one of the following credit reporting agencies for the purpose of a credit check:

• Individual customers: SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden
• Business customers: Creditreform Düsseldorf / Neuss Roumen, Waterkamp & Coll. KG, Heesenstraße 65, D-40549 Düsseldorf

The legal basis for these transfers is Article 6(1)(b) and Article 6(1)(f) of the GDPR. Transfers based on these provisions may only take place to the extent that this is necessary to safeguard the legitimate interests of our company or third parties and does not override the interests of the fundamental rights and freedoms of the data subject that require the protection of personal data. Detailed information pursuant to Article 14 of the GDPR, i.e., information regarding the business purpose, the purposes of data storage, the recipients of the data, the right of access, the right to erasure or rectification, etc., can be found at the following links:

Schufa Holding AG: https://www.meineschufa.de
Creditreform: https://www.creditreform.de/index.html

Based on the information provided to us, we reserve the right to decide whether to enter into a contract. This decision is made automatically pursuant to Article 22(2)(a) of the GDPR. In the event of an automated decision regarding the conclusion of a contract, you have the right under Article 22(3) to have our automated decision reviewed by a natural person within our company, to communicate your point of view to us, and to challenge our decision . In the latter case as well, we will review our automated decision. You may exercise your rights informally by contacting the persons listed under Section 1 .

As part of the payment processing, we transmit your required payment data to the payment service provider Novalnet AG (Feringastr. 4, 85774 Unterföhring) (Art. 6(1)(b) GDPR). To process the payment, Novalnet AG requires certain information from you, including personal data. This includes your name and address, your IBAN and BIC, your invoice or installment amount, and the transaction number. Novalnet AG is permitted to use this information for the purpose of payment processing. It is obligated to handle the information in accordance with the GDPR and the BDSG. For more information on the processing and security of your personal data in relation to payment data, please visit https://www.novalnet.de/datenschutz

To the extent that the collection of an outstanding debt is necessary under the contractual relationship or for other reasons in order to protect our legitimate interests — and provided that this does not override the interests of the data subject’s fundamental rights and freedoms, which require the protection of personal data — we will alternatively engage one of the following legal entities to collect the debt:

• Tesch Inkasso Forderungsmanagement GmbH, 51 Ahlefelder Straße, 51645 Gummersbach
• Creditreform Düsseldorf / Neuss Roumen, Waterkamp & Coll. KG, Heesenstraße 65, D-40549 Düsseldorf

The data necessary for debt collection will be transmitted to the respective authorized entity. The legal basis for this is Article 6(1)(b) and Article 6 (1)(f) of the GDPR. For further information regarding data processing by the entities mentioned, please contact them at the respective addresses provided.

We use the review system provided by Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark. Trustpilot offers users of our online service the opportunity to review our services. Users who have used our services are asked to consent to receiving the review request. If users have given their consent (for example, by clicking a checkbox or a link), they will receive a review request with a link to a review page. To ensure that users have actually used our services , we transmit the necessary data regarding the user and the service used to Trustpilot (this includes the name, email address, and a reference number). This data is used to verify the authenticity of the review and to contact the user.

The legal basis for processing the user’s data as part of the review process is the user’s consent pursuant to Article 6(1)(a) of the GDPR. To submit a review, you must create a customer account with Trustpilot. In this case, Trustpilot’s terms and conditions and privacy policy apply. To ensure the neutrality and objectivity of the reviews, we have no direct influence on the reviews and cannot delete them ourselves. If users wish to have individual reviews or their Trustpilot account deleted, they must contact Trustpilot directly. In this case, Trustpilot acts as the data controller. You can reach Trustpilot at privacy@trustpilot.com

We may also embed the Trustpilot widget on our website. A widget is a functional and content element integrated into our online platform that displays dynamic information. Although the corresponding content is displayed within our online platform, it it is retrieved from Trustpilot’s servers at that moment. This is the only way to ensure that the current content is always displayed, particularly the most recent rating. To do this, a data connection must be established from the website accessed within our online offering to Trustpilot, and Trustpilot receives technical data (access data, e.g., IP address). This data is necessary to display the content . Furthermore, Trustpilot receives information indicating that users have visited our online offering . This information may be stored in a cookie and used by Trustpilot to identify which online services participating in the Trustpilot review process have been visited by the user . The information may be stored in a user profile and used for advertising or market research purposes.

The legal basis for processing the user’s data in connection with the integration of the widget is our legitimate interest in informing our users about the quality of our services pursuant to Article 6(1)(f) of the GDPR. If we ask users for consent to the processing of their data through the use of cookies, the legal basis for the processing is Article 6(1)(a) GDPR. We have entered into a data processing agreement with Trustpilot. Users can find further information regarding the processing of their data by Trustpilot, as well as their rights to object and other data subject rights, in Trustpilot’s privacy policy: https://de.legal.trustpilot.com/end-user-privacy-terms.

Every data subject has the right of access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. With regard to the right of access and the right to erasure, the restrictions under Sections 34 and 35 of the BDSG apply. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR in conjunction with Section 19 of the BDSG).

You may withdraw your consent to the processing of personal data at any time. This also applies to the withdrawal of consent given to us prior to the entry into force of the EU General Data Protection Regulation, i.e., before May 25, 2018. Please note that the revocation only takes effect for the future. Processing that took place prior to the revocation is not affected.

You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
i. is necessary for the conclusion or performance of a contract between you and us
ii. is permitted by European Union or Member State law to which we are subject, and that law provides for appropriate measures to safeguard your rights and freedoms as well as your legitimate interests
iii. is based on your explicit consent
However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests. With regard to the cases mentioned in i) and iii), we take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain human intervention on our part, to present your own point of view, and to contest the decision.

In accordance with the provisions of Article 21 of the GDPR, we would like to draw your attention once again to your right to object as follows: