Privacy Statement for Mein-SENEC and the SENEC app
In the following, we – SENEC GmbH – would like to inform you about the processing of your personal data in the context of use of our My SENEC customer portal and our app.
We take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with legal data protection requirements.
1. Contact partner
The contact partner and data controller responsible for the processing of your personal data in the context of visits to the customer portal in accordance with the provisions of the General Data Protection Regulation (GDPR) is:
You can contact our Data Protection Officer at any time with all questions regarding data protection in relation to our products or the use of our website and/or customer portal. You can contact them by writing to the above postal address (marking your letter “FAO Data Protection Officer”) or via email to the above email address.
2. Data processing in relation to SENEC.Home
We provide you with information regarding the use of your SENEC.Home at all times in our Mein-SENEC portal and in our app. They show you how much electricity your system is producing, how much you are consuming and the charge level of your SENEC.Home.
2.1 Setting up SENEC.Home
The centrepiece of the SENEC systems is our battery energy storage system, SENEC.Home. Your SENEC.Home will be registered with us upon installation. Your SENEC.Home must be registered to function properly. We record your master data upon registration (for example, your name, address, contact details, model number and serial number). In addition, we will give you access to our “Mein-SENEC” portal. You can find information in Mein-SENEC about your system, electricity production and consumption, SENEC products and much more. The legal basis for this is Article 6(1)(b) GDPR.
2.2 Data transfer between SENEC.Home and SENEC GmbH
When your SENEC.Home is active and connected to the internet, it will transmit different information to us. This includes
- information about your SENEC.Home, such as the status of the installed operating system,
- information about your use of the SENEC system, such as electricity generation, the charge level and your consumption, and
- information about the status of the SENEC.Home, such as the temperature.
Based on the data transmitted by your SENEC.Home, we can assess whether your SENEC.Home is functioning properly. If we notice any abnormalities, we can then react and inform you or your specialist partner. The legal basis for this monitoring is our legitimate interest in accordance with Article 6(1)(f) GDPR in ensuring the security and functionality of our products.
In addition, the above information you transmit to us is used to display this information in Mein-SENEC or in the app.
The legal basis for this visualisation is the customer’s legitimate interest in accordance with Article 6(1)(f) GDPR in having electricity generation, charge level and consumption displayed in a transparent and comprehensible way.
2.3 Accessing our website/access data
Every time you use our customer portal or the app, we collect the access data that your browser or the app automatically transmits in order to enable you to visit the website. Access data includes in particular:
- the IP address of the device sending the request,
- the date and time of the request,
- the address of the accessed website and the requesting website,
- information about the browser and operating system used,
- the language and version of your browser software,
- the time-zone difference to Greenwich Mean Time (GMT),
- the contents of the request (specific page),
- the access status/HTTP status code,
- the volume of data transferred, and
- online identifiers (e.g. device identifiers, session IDs).
The processing of this data is necessary in order to enable the visit to the customer portal and ensure the long-term functionality and security of our systems. In addition, access data is temporarily stored in internal log files for the purposes described above in order to produce statistical information about the use of our customer portal, develop our website in response to our visitors’ usage habits (e.g. if the proportion of mobile devices used to access the page increases) and generally conduct administrative maintenance of our website. The legal basis for this is Article 6(1)(b) GDPR.
2.4 Customer support
In addition to your specialist partner, our Service team will be happy to support you as a contact partner for all issues relating to our products. If you have an issue you would like addressed, you can contact us by telephone, email or using the contact form.
When you contact our Service team, we will record your contact details (email address, telephone number or, if you contact us using our contact form, the contact details you provide) depending on your chosen communication method. Regardless of your chosen communication method, we will create an internal ticket for your enquiry containing relevant information for subsequent processing. The legal basis for this is Article 6(1)(b) GDPR.
2.5 Participation in surveys
You also have the opportunity to take part in surveys from us at various points. We work with a processor for this purpose: zenloop GmbH, Brunnenstrasse 196, 10119 Berlin, Germany. Your feedback helps us to improve our service. In addition to your answers, we record data about your SENEC system, as well as device and browser data. The legal basis for this processing in the context of participation in surveys is your consent in accordance with Article 6(1)(a) GDPR. Your consent also includes the transfer of data to the USA, which does not have a comparable level of data protection to the EU. If personal data is transferred to the USA, there is a risk that the authorities could record and analyse this data and it may not be possible to exercise your data subject rights. We have concluded standard contractual clauses with Google for cases in which personal data is transferred to the USA and will obtain your express consent for this data transfer in accordance with Article 49(1)(a) GDPR. Please see Clause 5 “Transfer to third countries” for the risks associated with this. Please see Clause 8 “Your rights” for information regarding revocation of your consent.
2.6 Use of essential cookies
- for login authentication,
- for load distribution,
- to save your language settings, and
- to note that an information notice on our website has been displayed to you – and thereby prevent the same notices being displayed again in future.
Most browsers are configured to accept cookies as standard. However, you can configure your browser’s settings so that it rejects cookies or only saves them following your prior approval. If you reject cookies, it is possible that not all functions of our website will function as intended.
If we process your personal data from cookies, the legal basis for this is our legitimate interest in making these functions on our website available to you in accordance with Article 6(1)(f) GDPR.
2.7 Use of analytical technologies
We use various functionalities of Google Firebase, a service provided by Google LLC (Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA), in order to improve our app. Firebase Analytics enables us to analyse the use of our app. Pseudonymised information about the use of our app is recorded using ad IDs for end devices. Your data is deleted on a regular basis after 14 months. The legal basis for this data processing in these cases is your consent in accordance with Article 6(1)(a) GDPR.
The following data is processed in this context:
- App Store ID
- App version
- Device model, device operating system
- Device language and country settings
- App activities: session duration, stability assessment, engagement time, app crash, app removal, app update, first open count
The legal basis for this is your consent in accordance with Article 6(1)(b) GDPR.
Your consent also includes the transfer of data to the USA, which does not have a comparable level of data protection to the EU. If personal data is transferred to the USA, there is a risk that the authorities could record and analyse this data and it may not be possible to exercise your data subject rights. We have concluded standard contractual clauses with Google for cases in which personal data is transferred to the USA and will obtain your express consent for this data transfer in accordance with Article 49(1)(a) GDPR. Please see Clause 5 “Transfer to third countries” for the risks associated with this. Please see Clause 8 “Your rights” for information regarding revocation of your consent.
3. Disclosure of data
We only disclose your personal data when permitted or required to do so by law. The basis for this disclosure is the contract concluded with you, consent given to us, an existing legal requirement (Article 6(1)(c) GDPR) or a legitimate interest, such as in asserting, exercising or defending legal entitlements.
Insofar as we are able, we implement the principle of privacy by design (Article 25 GDPR) in the transfer of data and therefore favour transferring data that has been pseudonymised or anonymised.
If you wish, your specialist partner can access the data from your SENEC system via our customer portal. You can prevent this in the Mein-SENEC settings.
As a company of EnBW Energie Baden-Württemberg AG, we work closely with our parent company. In order to offer you the best possible service and in the interest of smooth processes, we transfer data to EnBW in the context of our SENEC.Cloud and SENEC.Cloud To Go electricity supply contracts. This serves controlling and billing purposes. You can find more information about this in the privacy statements for your electricity product. If you do not purchase an electricity supply product from us, we will not transfer any functional or usage data to EnBW.
4. Cooperation with processors
In the context of providing our services, we sometimes rely on a service provider to process data on our behalf. This service provider only acts for us on a contractual basis, is obligated to follow our instructions and must take suitable technical and organisational measures that ensure the security of data processing and implement your rights (Article 28 GDPR).
Insofar as we are able, we engage service providers within Germany and the European Economic Area (EEA). For data transfers to countries outside of the EEA, in order to ensure an adequate level of protection, an adequacy decision (Article 45 GDPR) or other suitable guarantees (Article 46 GDPR) are required for this transfer.
The most important data processing service providers if you use a SENEC.Home and are in contact with our Service team are Microsoft Inc. for various Office applications and Faber Network GmbH for server hosting.
5. Transfer to third countries
In the context of our activities, it is possible that we or our service providers may transfer data to service providers in a third country (i.e. a country outside the European Union (EU) and the European Economic Area (EEA)).
In principle, we only transfer personal data to third countries for which the EU Commission has issued an adequacy decision or on the basis of adequate guarantees, such as contractual obligations through the EU Commission’s standard contractual clauses, corresponding certifications or data protection regulations (Articles 44 to 49 GDPR; EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en), potentially in conjunction with other measures to ensure a comparable level of data protection.
In exceptional cases, data may be transferred to a third country for which there is neither an adequacy decision nor adequate guarantees. We will inform you of this in advance and obtain corresponding consent from you.
The level of data protection in the USA is not equal to that in the EU. This means that, in the case of a data transfer to the USA, the US authorities and in particular the intelligence services could access and analyse personal data. For you as the data subject in the context of this processing, there is no effective legal protection against this access, meaning that it may not be possible to exercise rights under European Union law. In giving your consent to the transfer of data to third countries, you hereby consent to this.
6. Data retention and data security
Your data is stored exclusively on servers in Germany. If your data is not on SENEC servers, it will be stored on the servers of a service provider in Germany (Faber Network GmbH). Data is stored and processed in accordance with stringent security standards. The servers are protected against DDoS (distributed denial of service) attacks so that your data is always available to you. We also use a next generation firewall to protect our systems against viruses, worms and spyware. The transfer of data between our systems is always encrypted.
7. Storage duration
We only store your data for as long as necessary to fulfil the purposes for which it was collected. We then delete the data immediately unless we require the data until the expiry of the statutory period of limitation for evidential purposes in relation to civil claims or due to legal retention requirements.
For evidential purposes, we must retain contractual data for three years starting from the end of the year in which the contractual relationship with you ends. Any potential claims become statute-barred at this point in time at the earliest in accordance with the statutory limitation period.
Even after this point, we still need to store some of your data for bookkeeping reasons. We are obligated to do so by statutory documentation requirements set out in the German Commercial Code (HGB), the German Fiscal Code (AO), the German Credit Services Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The document retention periods set out therein are two to ten years.
8. Your rights
You have the right of access to information regarding our processing of your personal data. In this case, we will explain the data processing to you and give you an overview of the data we have stored about you. If the data we have stored is incorrect or no longer up to date, you have the right to instruct us to correct this data. You can also demand the deletion of your data. In principle, deletion of your data is only possible when certain preconditions are met/if the data is no longer needed, the processing is illegal or in other cases pursuant to Article 17 GDPR. If, in exceptional cases, deletion is not possible due to other legal provisions, the data will be blocked – subject to fulfilment of the relevant preconditions – so that it only remains available for the statutory purpose. You can also instruct us to restrict the processing of your personal data if, for example, you have doubts as to the accuracy of this data. Subject to certain conditions, you also have the right to data portability, which means that, upon request, we will give you a digital copy of the personal data you provided to us.
You can contact us using the contact details above to assert your rights as described above at any time. This also applies if you would like copies of guarantees to demonstrate an adequate level of data protection.
We will store your enquiries regarding assertion of data protection rights and our responses for documentation purposes for a period of three years and, in individual cases, to exercise, assert or defend legal entitlements beyond this. The legal basis is Article 6(1)(f) GDPR based on our interest in defending against any civil claims in accordance with Article 82 GDPR, avoiding fines in accordance with Article 83 GDPR, and fulfilling our duty of accountability as set out in Article 5 GDPR.
You have the right to revoke previously issued consent at any time. This will result in the data processing that was based on your consent not continuing in future. Revocation of consent will not affect the lawfulness of the processing conducted prior to revocation based on your consent.
If we process your data on the basis of legitimate interests, you have the right to lodge an objection to the processing of your data at any time based on reasons arising from your specific situation. In the case of an objection to data processing for the purpose of direct marketing, you have a general right to object that we will implement without the need for you to specify reasons.
If you would like to assert your right of revocation or right to object, an informal message sent to the above contact details is sufficient.
You ultimately have the right to file a complaint with the competent data protection supervisory authority. You can exercise this right with a supervisory authority in the member state in which you reside, in which you work, or in which the alleged violation was committed.
9. Amendments to the Privacy Statement
We update this Privacy Statement from time to time, such as when we make changes to our customer portal or app, or when statutory or official requirements and regulations change.
Version: 1.3 / Date: November 2021