VTC Energy

These Privacy Rules will enter into force as of 02/08/2022 (“Effective Date”).

 

VTC ENERGY PRIVACY RULES (GDPR)

Introduction

We aim to ensure that you feel safe on our website, so your privacy and the   protection of your personal rights are important to us. Therefore, we would ask you to carefully read the summary below about how our website works. You can trust that your data will be processed transparently and fairly, and we will make every effort to handle your data carefully and responsibly.

The VTC Energy General Business Principles and Code of Conduct express our commitment to conduct our business in accordance with high ethical standards and in accordance with applicable laws and VTC Energy policies, including with respect to the protection of Personal Data. These Privacy Rules explain how VTC Energy will protect the personal data of current, former and future VTC Energy employees, individuals who are engaged or employed by customers, suppliers and business partners, investors as well as any other individuals whose personal data is Processed by VTC Energy in the course of

its activities.

The following Privacy Policy aims to inform you about how we use your personal data, for which we comply with the strict requirements of the German Data Protection Act and the requirements of the General Data Protection Regulation (GDPR).

Any questions concerning these Privacy Rules may be directed to the:

Address

Or via: E-mail

 Capitalized terms that are not defined in these Privacy Rules have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

1. SCOPE

These Privacy Rules apply to the Processing of Personal Data by VTC Energy  and its wholly or majority-owned affiliates (each, a “VTC Energy Group Company,” and collectively, “VTC Energy”).

These Privacy Rules address the global Processing of Personal Data by VTC Energy with respect to Customers, Suppliers, Business Partners, and other individuals in the context of VTC Energy’s activities (“Individual” and “Individual Data,” respectively) and (b) Employees in the context  of their employment relationship with VTC Energy, unless and to the extent such Employee is a customer of VTC Energy (“Employee” and “Employee Data,” respectively). Such Individuals and

Employees will collectively be referred to as “Persons These Privacy Rules provide supplemental rights and remedies to Persons only. Nothing in these Privacy Rules will be construed to take away any rights or remedies that Persons may have under applicable local law.

1.1 Electronic and Paper-Based Processing

These Privacy Rules apply to the Processing of Personal Data by electronic means and in

systematically accessible paper-based filing systems.

2. PURPOSES FOR PROCESSING PERSONAL DATA

We collect, process and use your personal data for the following purposes:

∙        The establishment and performance of contracts

∙        Customer service and customer support

∙        Provision of broadcast media services, e.g. for processing orders for the goods and services we offer online

Your personal data may be processed on the basis of the following legal principles:

∙        Art. 6, para. 1, letter a of the GDPR serves as the legal basis for processing activities for which we acquire your consent for a certain processing purpose.

∙        Art. 6, para. 1, letter b of the GDPR states that personal data may be processed for the performance of a contract, e.g. when purchasing a product. The same applies to any processing activities that are necessary for the performance of pre-contractual activities such as handling enquiries regarding products or services.

∙        Art. 6, para. 1, letter c of the GDPR applies in cases where we are bound by a legal obligation that requires personal data to be processed, for instance for compliance

with tax obligations.

∙        Art. 6, para. 1, letter d of the GDPR states that personal data may be processed in order to protect the vital interests of yourself or other natural person.

∙        Art. 6, para. 1, letter f of the GDPR applies in relation to our legitimate interests, for instance when employing service providers for the purpose of performing orders (e.g. delivery services), when performing statistical surveys and analyses or when logging login attempts. Our interest lies in providing a user-friendly, appealing and secure website and optimising the same in order to both serve our business interests and meet your expectations.

VTC Energy may Process a Person’s Personal Data for one or more of the following business purposes (Business Purposes):

Business process execution, internal management and management reporting. This purpose addresses activities such as scheduling work, recording time, managing company and Employee assets (including the IT systems and

infrastructure), risk management, conducting (internal) audits and investigations, finance and accounting, implementing business and IT security controls, provision of central processing facilities for efficiency purposes, management reporting and

analysis, and managing and using Employee directories; managing mergers, acquisitions and divestitures; Archive and insurance purposes; legal or business

consulting; and preventing, preparing for or engaging in dispute resolution;

Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector in which VTC Energy operates. This

purpose includes the protection of the interests of VTC Energy and its Employees and Customers and the sector in which VTC Energy operates, including the screening and monitoring of Persons before and during employment or other engagements, including the screening against publicly available government and/or law enforcement agency sanctions lists and other third-party data sources, the detecting, preventing, investigating and combating (attempted) fraud and other criminal or objectionable conduct directed against VTC Energy, its Employees or Customers, including the use of and participation in VTC Energy’s incident

registers and sector warning systems, and activities such as those involving health and safety, the protection of VTC Energy and Employee assets (including IT systems and infrastructure), and the authentication of Customer, Supplier, Business Partner, or Employee status and access rights (such as required screening activities

for access to VTC Energy’s premises or systems);

Compliance with law. This purpose addresses Processing of Personal Data necessary for the performance of a task carried out to comply with a legal obligation to which VTC Energy is subject, and the disclosure of Personal Data to government institutions and supervisory authorities, including tax and other competent authorities for the sector in which VTC Energy operates, including for the prevention of money laundering, financing of terrorism and other crimes, customer due diligence and the duty of care towards Customers (e.g., credit

monitoring); or

∙   Protecting the vital interests of Persons. This purpose addresses Processing necessary to protect the vital interests of a Person such as making arrangements to protect the vital interest of Persons in the event of health, safety and security situations.

Individual Data only:

∙  Assessment and acceptance of a Customer, conclusion and execution of

agreements with a Customer. This purpose includes Processing of Individual Data that is necessary in connection with the assessment and acceptance of Customers, including confirming and verifying the identity and credit status and creditworthiness of relevant Customers (this may involve the use of a credit reference agency or other Third Party), conducting due diligence, and screening against publicly available government and/or law enforcement agency sanctions lists and other third-party data sources, the use of and participation in VTC Energy’s incident registers and sector warning systems and/or third party verification services. This purpose also includes Processing of Individual Data in connection with the execution of agreements;

∙  Development and improvement of products and/or services. This purpose includes Processing of Individual Data that is necessary for the development and improvement of VTC Energy products and/or services, research and development. This may include collecting and analyzing customer feedback and analyzing Individuals’ use of VTC Energy’s products and/or services;

∙  Performance of customer services. This purpose addresses Processing of Individual Data necessary for the performance of services provided by VTC Energy to Customers to support VTC Energy products and services offered to or in use with their Customers (e.g., of energy products). These services may include the maintenance, upgrade, replacement, inspection and related support activities aimed at facilitating continued and sustained use of VTC Energy products and services.

∙  Conclusion and execution of agreements with Customers, Suppliers and Business Partners. This purpose addresses the Processing of Individual Data necessary to conclude and execute agreements with Customers, Suppliers and Business Partners, including required screening activities (e.g., for access to VTC Energy’s premises or systems), performing credit checks and to record and financially settle delivered services, products and materials to and from VTC Energy;

Relationship management and marketing. This purpose includes activities such as maintaining and promoting contact with Customers, Suppliers, Business Partners, and Persons (including profiling in so far that the consequences of such profiling do not disproportionately impact the privacy of Individuals), account management, customer service, recalls, collection of Individual Data through websites, applications and other customer interaction and engagement channels and the development, execution and analysis of market surveys and marketing strategies and campaigns;

Employee Data only:

Human resources and personnel management. This purpose includes Processing that is necessary for the performance of an employment or other contract with an Employee (or taking necessary steps at the request of an Employee prior to entering into a contract), activities of the human resources department (e.g. management and administration of recruiting, outplacement, employability, leave and other absences), compensation and benefits (including pensions), payments, tax issues, career and talent development, performance evaluations, management of grievances and complaints, training, international mobility (including travel and relocation) and expenses, and Employee communications;

Organizational analysis and development, management reporting and  acquisition and divestitures. This purpose addresses various activities, such as conducting Employee surveys, managing mergers, acquisitions and divestitures, and Processing Employee Data for management reporting and analysis;

We only process and store your personal data for as long as it is necessary to fulfil the purpose for which it is stored or while we are required to do so according to law or regulation. Once the purpose ceases to apply or is fulfilled, your personal data will be erased or restricted. Where data is restricted, the data will be erased as soon as retention periods imposed by law, articles of association or contract no longer prevent this erasure from being performed, as long as there is no reason to assume that erasure would jeopardise your legitimate interests, and provided that this erasure would not involve a disproportionately high amount of effort due to the specific nature of the storage.VTC Energy shall only Process Personal Data in so far as this is reasonably adequate for, relevant and limited to its Business Purpose(s). VTC Energy shall only retain Personal Data for as long as needed   for such Business Purposes, including in particular as needed to comply with retention requirements under applicable law. VTC Energy shall take reasonable steps to delete, de-identify or destroy (e.g., by scrambling) Personal Data that is not required for the applicable Business Purpose. VTC Energy maintains data and records retention schedules that define the appropriate retention periods.When the applicable storage period has ended, the Personal Data will be promptly deleted, destroyed, de-identified or (if appropriate) transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

2.2 Where required or permitted by applicable law, VTC Energy will or may obtain consent from the Person before Processing Personal Data. When seeking consent, VTC Energy will inform the Person about the purposes of the Processing, and the VTC Energy Group Company that is responsible for the processing. With regard to EEA Personal Data, VTC Energy will also inform the Person about the right to withdraw consent at any time (and for Employee Data, without consequence to the Employee’s employment relationship), and that withdrawal of consent does not affect the lawfulness of the relevant Processing before such withdrawal.

Upon withdrawal of consent, VTC Energy will discontinue Processing as soon as reasonably practical. The withdrawal of consent shall not affect (i) the lawfulness of the Processing based on such consent before its withdrawal and (ii) the lawfulness of Processing for Business Purposes not based on consent, after withdrawal.

Where Processing is undertaken at the request of a Person (e.g., he or she subscribes to a service or seeks a benefit), the Person is deemed to have provided consent to the Processing.

3.RIGHTS OF PERSONS (YOUR RIGHTS)

∙  Of course, you have rights in connection with the collection of your data, which we are pleased to inform you about here. If you wish to make use of any of the following rights free of charge, simply send us a message. You can use the following contact details without incurring any costs other than those charged by your communications provider for transmitting the message:

By email: e-mail

By post: address

∙ If Personal Data is incorrect, incomplete, or not Processed in compliance with these Privacy Rules, the Person has the right to have his or her Personal Data rectified, deleted or the Processing thereof restricted (as appropriate). If Personal Data has been made public by VTC Energy, and the Person is entitled to deletion of Personal Data, in addition to deleting the relevant Personal Data, VTC Energy shall take commercially reasonable steps to inform Third Parties that are Processing the relevant Personal Data or linking to the relevant Personal Data, that the Person has requested the deletion of Personal Data by

such Third Parties.

∙     The Person has the right to object to:

  • the Processing of his or her Personal Data on the basis of compelling grounds related to his or her particular situation, unless VTC Energy can demonstrate a prevailing legitimate interest for the Processing; and
  • receiving marketing communications on the basis of Article 2.6 (including any

profiling related thereto).

∙ The rights of Persons set out in Articles 5 above do not apply in one or more of the following circumstances:

a-  the Processing is required or allowed for the performance of a task carried out to

comply with a legal obligation of VTC Energy; b- the Processing is required by or allowed for a task carried out in the public interest, including in the area of public health and for archiving, scientific or historical

research or statistical purposes; c- the Processing is necessary for exercising the right of freedom of expression and information; d- for dispute resolution purposes;

e- the exercise of the rights by the Persons adversely affects the rights and freedoms of VTC Energy  or others; or f- in case a specific restriction of the rights of Persons applies under applicable Data  Protection Law.

3. DATA TRANSFER TO THIRD PARTIES

Each VTC Energy Group Company may transfer Personal Data to third parties or other VTC Energy Group Companies for Processing as needed for the Business Purpose or with the Person’s consent.

Data    Transfers    to    Third    Party    Controllers. VTC Energy may transfer Personal Data to a third-party Controller (other than a government agency) only if it has a valid contract in which VTC Energy shall seek to protect the data protection interests of Persons. This provision does not apply in case of incidental transfers of Personal Data to a Third Party Controller, such as, when a reference is provided for an Employee or where details are shared for purposes of ordering (semi) public services (e.g. making reservations for transport services or hotel bookings).

Data    Transfers    to  Third  Party    Processors. VTC Energy may transfer EEA Personal Data to third- party Processors (“Third Party Processors” or “Processors”) only if it has a valid contract with the Processor (a “Processor Contract”). The Processor Contract must in any event include the following provisions:

  • the Processor shall Process Personal Data only for the purposes authorized by VTC Energy and in accordance with VTC Energy’s documented instructions, including on transfers of EEA Personal Data to any Processor not covered by an Adequacy Decision, unless the Processor is required to do so under mandatory requirements applicable to the Processor and notified to VTC Energy.
  • the Processor shall keep Personal Data confidential and shall impose confidentiality obligations on Staff with access to Personal Data;
  • the Processor shall take appropriate technical, physical and organizational security measures to protect Personal Data and shall promptly inform VTC Energy of a Data Security Breach involving Personal Data;
  • the Third Party Processor shall assist VTC Energy in ensuring compliance with the obligations of article 32 – 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor;
  • the Processor shall only permit subcontractors to Process Personal Data in connection with its obligations to VTC Energy (a) with the prior specific or generic consent of VTC Energy and (b) based on a validly entered into written or electronic contract with the subcontractor, which imposes similar privacy protection-related Processing terms as those imposed on the Processor under the Processor Contract and provided that the Processor remains liable to VTC Energy for the performance of the subcontractor in accordance with the terms of the Processor Contract. If VTC Energy provides generic consent for involvement of subcontractors, the Processors shall provide notice to VTC Energy of any changes in its subcontractors and will provide VTC Energy the opportunity to object to such changes based on reasonable grounds;
  • the Processor shall assist VTC Energy in responding to requests from Individuals for exercising their rights under EEA Data Protection Law
  • the Processor shall make available to VTC Energy the information necessary to demonstrate compliance with its obligations under the Processor Contract and further allow for and contribute to audits, including inspections, conducted by VTC Energy or another auditor mandated by VTC Energy; and
  • Upon termination of the Processor Contract, or earlier if directed by VTC Energy, the Processor shall, at the option of VTC Energy, return the Personal Data and copies thereof to VTC Energy or shall securely delete such Personal Data, except to the extent the Processor Contract or applicable law provides otherwise.

Internal Processors may Process EEA Personal Data only if they have a validly entered into written or electronic contract with the Group Company being the Controller of the relevant EEA Personal Data, which contract must in any event include the provisions set out above.

∙ Without prejudice to Article 2.2, Personal Data that is subject to a Transfer Restriction may be transferred to a Third Party that is located outside the country in which the Personal Data was collected if:

  • The Third Party is covered by an Adequacy Decision;
  • the transfer is necessary for the performance or management of a contract with the Person, or for taking necessary steps at the request of the Person prior to entering into a contract, e.g., for processing orders, for processing job applications;
  • a contract has been concluded between VTC Energy and the relevant Third Party requiring that

(a) such Third Party shall be bound by the terms of these Privacy Rules as were it a VTC Energy Group Company; (b) provides for safeguards at a similar level of protection as that provided by these Privacy Rules; or (c) that is recognized under applicable Data Protection Law as providing an “adequate” level of privacy protection (e.g., for the EEA: a model contract approved by the European Commission);

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Person between VTC Energy and a Third Party (e.g., booking an airline ticket);
  • the Third Party has been certified under a ‘safe harbor’ program that is recognized under applicable Data Protection Law as providing an ‘adequate’ level of privacy protection;
  • the Third Party has implemented Binding Corporate Rules or a similar transfer control mechanism that is recognized under applicable Data Protection Law as providing an ‘adequate’ level of privacy protection;
  • the transfer is necessary to protect a vital interest of the Person;
  • the transfer is necessary for the establishment, exercise or defense of a legal claim;
  • the transfer is necessary to satisfy a pressing need to protect the public interests of a democratic society; or the transfer is necessary for the performance of a task carried out to comply with a legal obligation to which the relevant VTC Energy Group Company is subject.

The last two items above require the prior approval of the Chief Privacy Officer.

The requirements set out in Article 2.2 apply to the requesting, denial or withdrawal of the Person’s consent.

  1. For your own security, we want to remind your rights basically again;

1.You have the right to demand information from us on the personal data stored about you.

  1. You have the right to demand immediate rectification and/or completion of the personal data stored about you.
  2. You have the right to demand that processing of your personal data be restricted if you dispute the accuracy of the data stored about you, if processing is unlawful and we no longer require the data, but you do not wish the data to be deleted and require it to assert, exercise or defend legal entitlements, or if you have disclosed your objection to its processing.
  3. You have the right to demand erasure of your personal data stored by us, unless the retention of the data is necessary for freedom of expression, for freedom of information, for compliance with a legal obligation, for reasons in the public interest, for asserting or defending against legal claims or for exercising legal rights.
  4. If you have asserted your right to rectification, to erasure or to place restrictions on processing, we will notify all recipients of the your personal data of how this data has been rectified, erased or is now subject to restrictions on processing, unless it is impossible to do so or involves disproportionate effort.
  5. You have the right to have a copy of the data that you have provided us with sent to you or a third party in a structured, standardised and machine-readable format. If you demand that the data be sent directly to another data controller, this will only be done if it is technically feasible.

7. If your personal data is being processed on the basis of legitimate interests in accordance with Art. 6, para. 1, letter f of the GDPR, you have the right to object to processing at any time in accordance with Art. 21 of the GDPR.

8. You have the right to withdraw your consent for the collection of data at any time with future effect. The data collected until the withdrawal takes legal effect remains unaffected by this. We hope that you understand that it may take some time to process your withdrawal for technical reasons and that you may continue to receive messages from us during this time.

5. LAW APPLICABLE TO THESE PRIVACY RULES

These Privacy Rules shall be governed by and interpreted in accordance with EEA Data protection law