General Data Protection Regulation
Data protection statement
Welcome to the website of Erneuerbare Energien Hamburg Clusteragentur GmbH (below: EEHH).
For us, data protection is a priority. The EEHH website can in general be used without entering any personal data. However, if the individual concerned wishes to use specific services offered by our company via our website, it may be necessary to process personal data. If such processing of personal data is required, and if there is no statutory basis for such processing, we obtain permission from the person concerned on principle.
The processing of personal data, such as the name, address, e-mail address or phone number of the individual, is conducted in conformity with the General Data Protection Regulation, and with the other data protection regulations that apply to EEHH. By means of this data protection declaration, we wish to inform you about the type, scope and purpose of the personal data collected, used and processed by us. Further, the individual concerned is clarified regarding their rights in this data protection declaration.
As the company responsible, EEHH has taken technical and organisational measures to secure the most comprehensive protection possible of the personal data processed via this website. Even so, Internet-based data transmissions can in general have safety loopholes, so that absolute protection can unfortunately not be guaranteed. For this reason, each individual concerned is free to transfer personal data to us by alternative means, such as by telephone.
1. Definition of terms
The EEHH data protection declaration is based on the terms used by the European regulatory body in the General Data Protection Regulation (GDPR). Our data protection declaration should be as easy to read and as comprehensible as possible. For this reason, we shall explain the most important terms used here:
- 1.1 Personal data
This is all information that relates to an identified or identifiable natural entity (below: 'individual concerned'). A natural entity is regarded as being identifiable who can be directly or indirectly identified, in particular via assignment to an identifier such as a name, an identification number, location data, online identification or one or more special features, which express the physical, physiological, genetic, psychological, financial, cultural or social identity of this natural entity.
- 1.2 Individual concerned
This is any identified or identifiable or natural entity whose personal data is processed by the organisation responsible for the processing.
- 1.3 Processing
This is any procedure, conducted with or without automated methods, or any such series of procedures in connection with personal data, such as the collection, recording, organisation, ordering, storage, adjustment or modification, sorting, querying, utilisation, disclosure through transmissions, dissemination or other form of provision, comparison or linking, limiting, deletion or destruction.
- 1.4 Limitation on processing
This is the marking of stored personal data with the goal of limiting its future processing.
- 1.5 Profiling
This is any type of automated processing of personal data, which consists in using this personal data in order to evaluate certain personal aspects that relate to a natural entity, in particular in order to analyse and predict aspects with regard to work performance, financial situation, health, personal preferences, interests, reliability, behaviour, place of abode or change of location of this natural person.
- 1.6 Pseudonymisation
This is the processing of personal data in a manner in which the personal data can no longer be assigned to a specific individual concerned, insofar as this additional information is separately stored and is subject to technical and organisational measures that guarantee that the personal data cannot be assigned to an identified or identifiable natural entity.
- 1.7 Entity responsible or entity responsible for the processing
This is the natural or legal entity, authority, institution or other body that solely or jointly with others makes decisions regarding the purposes and means of processing personal data. If the purposes and means of this processing are specified by Union law or the law of the member states, the responsible entity and/or the determined specific criteria of their designation can be provided according to Union law or the law of the member states.
- 1.8 Order processor
This is a natural or legal entity, authority, institution or other body, that processes personal data on behalf of the entity responsible.
- 1.9 Recipient
This is a natural or legal entity, authority, institution or other body to which personal data is disclosed, regardless of whether they are a third party or not. Authorities that potentially receive personal data within the scope of a specific study mandate according to Union law or the law of the member states are not defined as recipients, however.
- 1.10 Third party
This is a natural or legal entity, authority, institution or other body aside from the individual concerned, the entity responsible, the order processor and the persons who are authorised under the direct responsibility of the responsible entity or the order processor to process the personal data.
- 1.1 Consent
This is each clear declaration of intent issued voluntarily by the individual concerned for the specific case in an informed manner, in the form of a declaration or other clear affirmatory action with which the individual concerned expresses the fact that they agree to the processing of the personal data relating to them.
2. Name and contact data of the entity responsible for the processing
The entity responsible in the sense of the General Data Protection Regulation, other data protection regulations applicable in the member states of the European Union and other stipulations relating to data protection is:
Erneuerbare Energien Hamburg Clusteragentur GmbH (EEHH)
Phone: +49 (0)40 69 46 73 - 10
Fax: +49 (0)40 69 45 73 - 29
3. Purposes and legal basis of data processing
Art. 6 I lit. a of the GDPR serves our company as the legal basis for processing procedures in which we obtain consent for a specific processing purpose. Insofar as the processing of personal data is required for the fulfilment of a contract, the contractual party of which is the individual concerned, as is e.g. the case for processing procedures required for supplying goods or providing another service or counter-service, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing procedures that are required for the implementation of pre-contractual measures, such as in cases of enquiries relating to our products or services. If our company is subject to a legal obligation through which a processing of personal data is required, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data might be necessary in order to protect interests of the individual concerned or of another natural entity that are of importance to life. This would be the case when a visitor is injured on the premises of EEHH and their name, age or other information important to life must be given to a doctor or hospital. Then, the processing would be based on Art. 6 I lit. d GDPR. Finally, the processing could also be based on Art. 6 I lit. f GDPR. This legal framework is the basis for processing procedures that are covered by none of the above legal frameworks, when processing is required to preserve an authorised interest of our company or of a third party, insofar as the interests, basic rights and basic freedoms of the individual concerned do not predominate. We are permitted to apply such processing procedures in particular since they are separately mentioned by the European legislator. The view of the legislator was that an authorised interest could be assumed when the individual concerned is a customer of the responsible entity (recital 47, sentence 2 GDPR).
4. Authorised interests in processing that are pursued by the responsible entity or by a third party
Based on the processing of personal data on Art. 6 I lit. f GDPR, it is our authorised interest to conduct our commercial activity for the benefit of our company, our staff and our shareholders.
5. Recording of general data and information
The EEHH website records a series of general data and information each time an individual concerned or an automated system retrieves the website. This general data and information is stored in the log files of the server. The following can be recorded: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website ('referrer'), (4) the sub-websites approached via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol (IP) address, (7) the Internet service provider of the accessing system, and (8) other similar data and information that serve to avert risk in the case of attacks on our information technology systems.
When this general data and information is used, the EEHH draws no conclusions regarding the individual concerned. This information is to a far greater extent required in order to (1) correctly deliver the content of our website, (2) to optimise this content of our website and its advertising, (3) to guarantee the ongoing functioning of our information technology systems and the technology of our website, and (4) to provide prosecution authorities with necessary information for prosecution in cases of a cyber attack. This data and information, which are collected anonymously, are therefore evaluated by EEHH statistically, and additionally with the goal of increasing data protection and data security in our company, in order to ultimately secure an optimum level of protection for the personal data processed by us. The anonymous data on the server log files is stored separately from all other personal data given by an individual concerned.
We use the web analysis service provided by Google Analytics on the EEHH website. This service uses so-called 'cookies'. Cookies are text files that are deposited and stored on a computer system via an Internet browser.
The information generated by the cookie is transmitted to a Google server in the US and stored there. EEHH uses Google Analytics in conformity with the data protection legislation, with the 'anonymizeIp()' extension. Through the activation of IP anonymisation on the EEHH websites, the IP address of the users of Google is previously truncated within member states of the European Union or in other EEA states, in order to preclude direct assignment to an individual.
On behalf of EEHH, Google uses this information to evaluate the use of the websites by users, to compile reports on website activities, and to provide further services to the website operator that relate to website use and Internet use. The IP address transferred to Google Analytics from the user's browser is not compiled with other Google data.
You can prevent cookies from being stored by making the corresponding setting in your Internet browser software; however, we wish to inform you that in this case, you may not be able to use all functions of this website in full. You can additionally prevent the recording of the data generated by the cookie and relating to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available via the link below.
For further information on the conditions of use and data protection, see http://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/.
7. Subscription to our newsletter
On the EEHH website, users are given the opportunity of subscribing to our company newsletter containing information on all areas of 'renewable energies'. The personal data transferred to the entity responsible for the processing when ordering the newsletter results from the input mask used here.
Through the newsletter, EEHH informs its customers and business partners about offers made by the company at regular intervals. Our company newsletter can in general only be received by the individual concerned when (1) the individual concerned has a valid e-mail address, and (2) the individual concerned has registered for the newsletter. For legal reasons, for the first time the newsletter is sent, a confirmation e-mail is sent using the double opt-in procedure. This confirmation e-mail serves to check whether the owner of the e-mail address has authorised the receipt of the newsletter as the individual concerned.
When registering for the newsletter, we furthermore store the IP address issued by the Internet service provider (ISP) of the individual concerned of the computer system used at the point in time of the registration, as well as the date and time of registration. This data must be collected in order to be able to trace back any (possible) misuse of the e-mail address of an individual concerned at a later point in time, and is therefore used for the legal protection of the entity responsible for the processing.
The personal data collected when registering for the newsletter is solely used for the dispatch of our newsletter. Furthermore, subscribers to the newsletter can be informed via e-mail, insofar as this is necessary for the operation of the newsletter service or a related registration, as is the case when changes are made to the newsletter offer or when the technical conditions are altered. There is no forwarding to third parties of the personal data collected within the scope of the newsletter service. The subscription to our newsletter can be cancelled by the individual concerned at any time. The consent to the storage of personal data, which has been granted to us by the individual concerned, can be revoked at any time. A link is included with every newsletter for the purpose of revoking consent. Further, the option is also available of unsubscribing from the newsletter at any time directly on the website of the entity responsible for the processing, or of informing the entity responsible for the processing of this intent in another manner.
8. Contact options via our website
Due to the statutory requirements, the EEHH website contains information that enables rapid electronic contact to be made with our company, and direct communication with us, which also comprises a general 'electronic mail' (e-mail) address. Insofar as an individual concerned makes contact with the entity responsible for the processing via a contact form, the personal data transferred by the individual concerned is automatically stored. Such personal data, which is transferred voluntarily by an individual concerned to the entity responsible for the processing is stored in order to process or make contact with the individual concerned. This personal data is not forwarded to third parties.
9. Data protection with regard to entries in the job market, applications and during the application procedure
The entity responsible for the processing collects and processes personal data for posting open positions on the EEHH website and among applicants at EEHH for the purpose of processing the application procedure. Processing can be conducted using electronic means. This is particularly the case when an applicant transfers their application documents to the entity responsible for the processing electronically, for example via e-mail or via an online form on the website. If the entity responsible for the processing concludes an employment contract with an applicant, the transferred data is used to process the employment agreement, taking into account the statutory regulations. If no employment contract is concluded with the applicant for the entity responsible for the processing, the application documents are automatically deleted two months after announcement of the rejection decision, unless a deletion does not contravene any other authorised interests of the entity responsible for the processing. Another authorised interest in this sense can be an obligation to provide evidence in proceedings in accordance with the General Law on equal treatment ('AGG').
10. Duration for which personal data is stored
The criterion for the duration of storage of personal data is the respective statutory retention period. Following expiry of the period, the corresponding data is routinely deleted, unless it is still required for the fulfilment of the contract or preparation of contract.
11. Routine deletion and blockage of personal data
The entity responsible for the data processing only processes and stores personal data of the individual concerned for the period of time required to achieve the purpose of storage, or, if appropriate, for the period specified by the European regulator or another legislator in laws or regulations to which the entity responsible for the processing is subject.
Should the purpose of storage no longer apply, or if a period specified by the European directive body or regulator or another legislator responsible expire, the personal data is routinely blocked or deleted in accordance with the statutory regulations.
12. Rights of the individual concerned
- 12.1 The right to information
Any individual affected by the processing of personal data has the right granted by the European directive body and regulator to receive information at any time from the entity responsible for the processing regarding the data stored that relates to their person, and to receive a copy of this information. Further, the European regulator has granted the individual concerned information regarding the following:
- The purposes of processing
- The categories of personal data that is being processed
- The recipients or categories of recipients to whom the personal data has been disclosed or is due to be disclosed, in particular among recipients in third countries or international organisations
- If possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for determining this duration
- The existence of the right to correct or delete the personal data relating to them or to restrict processing by the entity responsible or the right to object to this processing
- The existence of a complaint lodged with a supervisory authority
- If the personal data is not collected from the individual concerned: All available information regarding the origin of the data
- The existence of an automated decision-making process, including profiling, in accordance with Article 22, Sections 1 and 4 GDPR and - at least in such cases - clear information regarding the logic involved and the scope and intended impact of such processing for the individual concerned
Further, the individual concerned has a right to information regarding whether personal data has been transferred to a third country or to an international organisation. If this is the case, the individual concerned additionally has the right to receive information regarding the appropriate guarantees in connection with the transfer.
If the individual concerned wishes to make use of this right to information, they can contact our data protection officer or another member of staff of the entity responsible for the processing at any time.
- 12.2 The right to correction
Any individual affected by the processing of personal data has the right granted by the European regulator to demand the immediate correction of incorrect personal data relating to them. Further, the individual concerned has the right, taking into account the purposes of the processing, to demand the completion of incomplete personal data - including by means of a supplementary explanation.
If an individual concerned wishes to make use of this right to correction, they can contact our data protection officer or another member of staff of the entity responsible for the processing at any time.
- 12.3 Right to deletion (= right to be forgotten)
Any individual affected by the processing of personal data has the right granted by the European regulator to demand from the entity responsible that it immediately delete the personal data relating to them, insofar as one of the following reasons applies, and insofar processing is not required:
- The personal data was collected or otherwise processed for purposes for which it is no longer required.
- The individual concerned revokes their consent on which the processing was based in accordance with Art. 6, Section 1, letter a GDPR or Art. 9, Section 2, letter a GDPR, and there is a lack of other legal basis for the processing.
- The individual concerned submits an objection to the processing in accordance with Art. 21, Section 1 GDPR and there are no overriding authorised reasons for the processing, or the individual concerned submits an objection to the processing in accordance with Art. 21, Section 2 GDPR.
- The personal data was illegally processed.
- The deletion of personal data is required for the fulfilment of a legal obligation in accordance with Union law or the law of the member states, to which the entity responsible is subject.
- The personal data was collected in relation to services of the information company offered in accordance with Art. 8, Section 1 GDPR.
Insofar as any one of the above reasons applies and an individual concerned wishes to request the deletion of personal data stored at EEHH, they can contact our data protection officer or another member of staff at the entity responsible for the processing at any time. The data protection officer at EEHH or another member of staff will arrange for the deletion request to be met with immediate effect.
If personal data has been made public by EEHH and if our company as the entity responsible in accordance with Art. 17, Section 1 GDPR is obliged to delete personal data, the EEHH takes appropriate measures, including of a technical nature, taking into account the available technology and implementation costs, in order to inform others who are responsible for the data processing, who process the published personal data, that the individual concerned has demanded from these others responsible for the data processing that all links to this personal data or copies or replications of this personal data be deleted, insofar as the processing is not necessary. The data protection officer at EEHH or another member of staff will arrange for the necessary measures to be taken in individual cases.
- 12.4 The right to restriction of processing
Any individual affected by the processing of personal data has the right granted by the European regulator to demand from the responsible entity the restriction of processing when one of the following prerequisites applies:
- The correctness of the personal data is contested by the individual concerned, and for a duration that enables the responsible entity to check the correctness of the personal data.
- The processing is illegal, the individual concerned rejects the deletion of personal data and instead demands the restriction of use of the personal data.
- The responsible entity no longer requires the personal data for the purposes of processing, although the individual concerned requires it for the assertion, exertion or defence of legal claims.
- The individual concerned has submitted an objection to the processing in accordance with Art. 21, Section 1 GDPR, and it is not yet clear whether the authorised reasons of the responsible entity predominate over those of the individual concerned.
Insofar as any one of the above prerequisites applies and an individual concerned wishes to request the restriction of personal data stored at EEHH, they can contact our data protection officer or another member of staff at the entity responsible for the processing at any time. The data protection officer at EEHH or another member of staff will arrange for the processing to be restricted.
- 12.5 The right to objection
Any individual affected by the processing of personal data has the right granted by the European regulator, for reasons that arise from their particular situation, to submit an objection at any time against the processing of personal data relating to them, which is conducted on the basis of Art. 6, Section 1, letters e or f of the GDPR. This also applies to profiling based on these conditions.
EEHH would no longer process personal data in the case of objection, unless we were able to produce compulsory reasons that are worthy of protection for the processing, which override the interests, rights and freedoms of the individual concerned, or the processing serves the assertion, exertion or defence of legal claims.
If EEHH processes personal data in order to conduct direct marketing, the individual concerned has the right to submit an objection at any time against the processing of the personal data for the purposes of such advertising. This also applies to profiling, insofar as it is directly connected to such direct advertising. If the individual concerned presents an objection to EEHH against the processing of their data for the purposes of direct advertising, EEHH shall no longer process the personal data for such purposes.
Additionally, the individual concerned has the right, for reasons arising from their particular situation, to submit an objection to the processing of personal data relating to them, which is conducted at EEHH for scientific or historical research purposes or for statistical purposes in accordance with Art. 89, Section 1 GDPR, unless such processing is required for the fulfilment of a task that is in the public interest.
In order to exert their right to objection, the individual concerned can contact the data protection officer at EEHH or another member of staff. Directive 2002/58/EC notwithstanding, the individual concerned is also free to exert their right to objection using automated procedures in connection with the use of services of the information company, in which technical specifications are used.
- 12.6 The right to data transferability
Any individual affected by the processing of personal data has the right granted by the European regulator to receive, in a structured, standard format that can be read electronically, the personal data relating to them which has been provided by the individual concerned to a responsible entity. They also have the right to transfer this data to another responsible entity without hindrance by the responsible entity for whom the personal data was provided, insofar as the processing is based on consent in accordance with Art. 6, Section 1, letter a GDPR or Art. 9, Section 2, letter a GDPR, or a contract in accordance with Art. 6, Section 1, letter b GDPR, and the processing is conducted with the aid of automated methods, insofar as the processing is not required for another task that is in the public interest, or is conducted in the exercise of official authority transferred to the responsible entity.
Further, the individual concerned also has the right in exerting their right to data transferability in accordance with Art. 20, Section 1 GDPR to arrange for their personal data to be transferred directly from one responsible entity to another responsible entity, insofar as this is technically feasible and insofar as the rights and freedoms of other persons are not impaired as a result.
In order to assert their right to objection, the individual concerned can contact the data protection officer employed at EEHH or another member of staff at any time.
- 12.7 Automated decisions in individual cases, including profiling
Any individual affected by the processing of personal data has the right granted by the European regulator not to be subject to a decision based solely on automated processing - including profiling - that develops a legal effect in relation to them, or which has a considerable negative impact on them in a similar manner, insofar as the decision (1) is not required for the conclusion of a contract between the individual concerned and the responsible entity, or (2) is permissible due to statutory regulations of the Union or the member states, to which the responsible entity is subject, and these statutory regulations contain reasonable measures for preserving the rights and freedoms and authorised interests of the individual concerned, or (3) is conducted with the express consent of the individual concerned.
As a company that is aware of its responsibilities, EEHH refrains, however, from the use of automatic decision-making processes or profiling.
- 12.8 The right to revocation of consent required by the data protection legislation
Any individual affected by the processing of personal data has the right granted by the European regulator to revoke the consent to the processing of personal data relating to them.
If the individual concerned wishes to make use of this right to revocation of consent, they can contact our data protection officer or another member of staff of the entity responsible for the processing at any time.
The legality of the processing of personal data conducted on the basis of the consent until revocation is not affected by the revocation.
- 9 The right of appeal
Regardless of any other administrative or legal remedy, the individual concerned has the right to appeal to a supervisory authority, in particular in the member state of their place of abode, their workplace or the place of the alleged infringement, when the individual concerned is of the view that the processing of the personal data relating to them is in infringement of the GDPR.
13. Statutory or contractual stipulations regarding the provision of personal data; necessity for conclusion of contract; obligation of the individual concerned to provide personal data; potential consequences of non-provision
We wish to clarify here that the provision of personal data is prescribed by law in some cases (e.g. tax regulations) or can also arise from contractual conditions (e.g. information on the contract partner). It may occasionally be necessary for the completion of contract for the individual concerned to provide us with personal data which must then subsequently be processed by us. The individual concerned is for example obliged to provide us with personal data when our company concludes a contract with them. A non-provision of personal data results in the inability to conclude the contract with the individual concerned. Before the individual concerned provides personal data, they should contact our data protection officer. Our data protection officer clarifies to the individual concerned in relation to each individual case whether the provision of personal data is legally or contractually prescribed, or whether it is necessary for the conclusion of contract, whether an obligation applies for the provision of personal data, and what consequences the non-provision of personal data would be.