Privacy Statement
StromGedacht Website

Introduction

Thank you for visiting our website and for your interest in our company. Protecting your personal data is important to us. The following text describes which personal data we collect, how we process it, and what rights you have in connection with your personal data. These provisions apply whenever you visit our website or use our services, including events, which refer or include a link to this privacy information. Any further information that may be provided to you regarding the processing of personal details will apply in addition to these provisions.

The party responsible for processing your data (the “data controller”) is:

TransnetBW GmbH
Pariser Platz
Osloer Straße 15 - 17
70173 Stuttgart
Tel.: +49 711 21858-0
info@transnetbw.de

Our privacy officer can be reached at datenschutz@transnetbw.de, and will be happy to assist with any questions you may have on privacy.

We collect and process your data only if we have obtained your permission to process it, or if processing is permitted by law. We guarantee that we use all incoming data only for its intended purpose.

1. Data processing when you use our website

1.1. Processing technically necessary data based on legitimate interests

When you visit our website, we collect data that we require for technical reasons which is transmitted to us by your browser: your IP address or the IP address of your Internet Service Provider; the website that directed you to us; the type of browser you use; your operating system and platform; the pages that you called up at www.stromgedacht.de; and the dates and times you accessed them. This log data is necessary for technical purposes; we process it, in addition to information about the search expressions you used and the time spent on individual web pages, without reference to the identity of the user or other profiling, on the basis of Art. 6 para 1 (f) GDPR and only to the extent necessary for us to perform statistical analyses for our business, for security and to optimise our online content. This helps to manage the connection while you visit websites and to save your settings so you can use our website more easily. Our legitimate interest is derived from the above purposes.

If an IP address is saved, it will be deleted or anonymised after no more than 30 days. It is essential for this data to be collected and stored in log files when the website is used. Some functions on our website will not work without the use of these cookies, which are necessary for technical reasons, and it would not otherwise be possible to offer them. Users therefore have no right of objection in this regard

1.2. Data use based on your consent

If you make use of elements on our website that require registration or explicitly require your details to be entered, additional data will be saved. Personal details such as your name, address, telephone number and email address are saved only when you provide them to us voluntarily, as part of a registration process, for example, or for a survey, to execute a contract, or to order information material or display a newsletter, or if you otherwise actively make contact with us, e.g. via email. In other words, it is entirely your decision whether you make any details available to us, and which details you choose to provide. You will find advice about this in the following text.

Matomo

We use Matomo, a form of cookieless technology, for web analysis. This is a service of InnoCraft Ltd., 150 Willis St, Wellington 6011, New Zealand, NZBN 6106769. To protect your data, we have also configured Matomo to ensure your IP address is collected only in abbreviated form. Your personal usage data is therefore anonymised when we process it. We are not able to identify you based on the data. For further detail about the terms of use of Matomo and the associated privacy provisions, see https://matomo.org/privacy/

2. Contacting us

If you contact us using a form on www.transnetbw.de, this will use encryption as a matter of course. If you use your private email account rather than the TransnetBW forms, please note that you must ensure your own security measures are in place to guarantee the security of your transmission.

We therefore recommend you use the encrypted TransnetBW forms. If the form is not encrypted, this will be the result of a technical problem, and we cannot assume liability for the security of your data transmission. The closed “lock” symbol in your browser window will show whether the form is encrypted. The legal basis for data processing is Art. 6 para 1 (a) GDPR. The data that you send us with your enquiry is saved for the purpose of processing your enquiry, and will be deleted once the result has been achieved.

3. Recipients of your personal data

We treat your data as confidential. Within TransnetBW, only the departments and employees that need your data for the above purposes are given access to your data.

We disclose personal data to third parties only if this is necessary for the above purposes and is legally authorised, or if you have given your prior agreement. If service providers are brought in to assist with the performance of our obligations, e.g. IT service providers, specialists in analysis or the destruction of documents and data media, the performance of such contracts will be subject to the stringent conditions of Art. 28 ff. GDPR.

4. Links

Our websites may contain links to other providers that are not covered by our privacy provisions.

5. Security

TransnetBW GmbH has state-of-the-art technical and organisational security measures in place to protect the data that has been supplied to us against accidental or deliberate manipulation, loss, destruction or access by unauthorised parties. Our security measures are constantly being improved in line with technological developments.

6. Children

We expressly encourage parents or guardians to monitor their children’s online activities. Unless they have permission from their parents or guardians, children should not send personal details to us. We do not request personal details from children, do not deliberately gather such details, and do not disclose them to third parties without authorisation.

7. User rights and deletion of data

You are entitled to receive, upon request and at no cost, information about the personal details about you that are saved in our system as per Art. 15 GDPR. You also have the right to correct inaccurate details (Art. 16 GDPR), to restriction of processing (Art. 18 GDPR), and to deletion of your personal data (Art. 17 GDPR). You may also withdraw any consent at any time with future effect.

If we process your data on the basis of legitimate interests (Art. 6 para 1 (f) GDPR) or to perform a task in the public interest (Art. 6 para 1 (e) GDPR), or if your particular situation gives rise to grounds opposing such processing, you have the right to object to processing of your data in accordance with Art. 21 para 1 GDPR.

Pursuant to Art. 21 paras 2 and 3 GDPR, you have the unrestricted right to object to any form of processing for the purposes of direct marketing.

If there are grounds to assume data is being processed illegally, you are entitled to lodge a complaint with the competent supervisory authority.

8. Updates to this privacy statement

This privacy statement will be updated if TransnetBW GmbH introduces new products or services or changes its internet procedures, or in response to changes in security technology relating to the internet and electronic data processing. We will publish any such changes here.

Last updated: 20.04.2023

Introduction

The StromGedacht app is an app that enables the public to adapt its electricity consumption in line with current generation levels based on information and simple recommendations. In this way, the public can make a valuable contribution towards stabilising the power grid.

We collect and process your data only if we have obtained your permission to process it, or if processing is permitted by law. We act in compliance with privacy requirements and apply the principle of data minimisation. That means we gather, process and save only the personal data that is absolutely necessary to operate the app.

The following text describes which personal data we collect, how we process it, and what rights you have in connection with the processing of your personal data.

The party responsible for processing your data (the “data controller”) is:

TransnetBW GmbH
Pariser Platz
Osloer Straße 15 - 17
70173 Stuttgart
Tel.: +49 711 21858-0
info@transnetbw.de

Our privacy officer can be reached at datenschutz@transnetbw.de.

1. Processing personal data

Some information is automatically processed as soon as you use the app. In the following text we explain which personal data is processed, and what the purpose of processing is:

1.1. Data gathered when downloading

When you download the app, specific required information is transmitted to the app store you selected (e.g. Google Play or Apple App Store); in particular, your username, email address, the customer number of your account, the time of download, payment information and the individual device ID number may be processed at that point. This data is processed only by the app store in question, and is outside our area of influence.

1.2. Data that is automatically gathered during use

Specific data needed to enable the use of the app is collected when you use the app. This includes your IP address, the URLs accessed, browser and operating system information, and the time of access. This data is collected automatically in order to make the service and the associated functions available to you, to improve the functions and features of the app, to be able to prevent misuse and malfunctions, and to rectify any malfunctions that occur. The processing of data in this way is justified by the fact that processing is necessary for the performance of the User Agreement between you as the data subject and ourselves in accordance with Art. 6 para 1 (b) GDPR to enable the use of the app. There is also a legitimate interest in guaranteeing the functionality and the error-free operation of the app and being able to offer a service that is in the interests of the market and all parties involved in accordance with Art. 6 para 1 (f) GDPR.

2. Forwarding and transmission of data, use of necessary technologies

Except for the cases expressly mentioned in this Privacy Statement, we will not disclose your personal data without your express prior approval.

If necessary to investigate an illegal or improper use of the app or for the purpose of prosecution, personal data will be forwarded to the law enforcement authorities or other authorities, and to any third parties that have suffered losses, or their legal representatives. This will happen, however, only if there are grounds to believe that illegal or improper actions have taken place. Disclosure may also take place if this is helpful in terms of implementing the Terms of Service or other legal claims. We are also legally obliged to supply information to specific official bodies upon request. These are the law enforcement authorities, authorities responsible for prosecuting offences punishable by fines, and the tax authorities.

Any disclosure of personal data is justified by the fact that processing is necessary to fulfil a legal obligation to which we are subject in accordance with Art. 6 para 1 (c) GDPR in conjunction with requirements to supply data to law enforcement authorities under national legislation, and also in accordance with s. 24 para 1 (1) of the German Federal Data Protection Act (BDSG). This data may also be disclosed to these third parties to safeguard our legitimate interest in accordance with Art. 6 para 1 (f) GDPR if there are grounds for suspicion or in execution of our Terms of Service, other conditions or legal claims.

The legal basis for the integration of the following technologies is Section 25 para 2 of the German Telecommunications-Telemedia Data Protection Act (TTDSG) in conjunction with Art. 6 para 1 (b) and/or (f) GDPR. Processing serves to make it easier for you to use our app and for us to make our service available to you as desired. Some functions would not be possible without the use of these technologies, and it would not otherwise be possible to offer them. Our legitimate interest is based on these purposes.

For reasons of security and to ensure the proper operation of the StromGedacht app, we make use of the Google technologies “Firebase”, “Firestore” and “Firebase Remote Config”. The Firebase user agent, the Firebase installation ID and an authentication token are recorded when these technologies are used. In addition, an enquiry is sent to https://firestore.googleapis.com before every access to StromGedacht data. These accesses are performed under the IP address of the terminal, and therefore the IP address is processed on Google’s IT infrastructure. Further information on the above data can be obtained here: https://firebase.google.com/docs/reference/android/com/google/firebase/installations/FirebaseInstallations, https://firebase.google.com/docs/android/play-data-disclosure?hl=de and https://firebase.google.com/docs/ios/app-store-data-collection?hl=de.

2.1. Matomo

We are optimising our app through the collection and analysis of anonymised usage data using the tool "Matomo". Collection of data and analyses using Matomo are carried out without storing cookies on your device. For the purpose of usage analysis, we are only collecting the first two bytes of your IP address (e.g. 196.168.xxx.xxx) as well as your page views, so that the data is anonymous and there cannot be any inference made regarding your person.

2.2. Microsoft Azure

In order to provide our services we rely on the third-party service provider “Microsoft Azure”. When you use the StromGedacht app, the end users’ devices call up the grid status data and specific app content (stories and image material) from the Microsoft Azure infrastructure. For reasons of security and load minimisation, the Azure Web Application Firewall will store your IP address. We have no influence over the further processing and/or storage of your IP address and other data by the provider. In principle, the data centre is located in Germany, and there is no intention to transmit personal data to the US. Order processing takes place in compliance with legal requirements as per Art. 28 ff. GDPR. All our service providers are carefully selected, regularly checked and contractually obliged to process all personal data solely in accordance with our instructions.

Further-reaching information from Microsoft on the subject of privacy and Azure is available from https://privacy.microsoft.com/de-de/privacystatement and https://azure.microsoft.com/de-de/support/legal/.

2.3. Push notifications

The StromGedacht app uses push notifications to inform users of important events regarding the status of the power grid. The use of push notifications is voluntary. If you wish to make use of push notifications, you must give your express permission. Data processing for push notifications is described below.

Push notifications are short messages that are displayed directly on the screen of your device if an event occurs (e.g. tight electricity grid situation in your control area). The mechanism of generating, delivering and displaying push notifications is based on the corresponding services from the operating system manufacturer (Google Android and Apple iOS). For the StromGedacht app, the Google service “Firebase Cloud Messaging Service (FCM)” is also used. This involves communicating messages via Google’s FCM infrastructure. In addition, the messages are delivered via the transport layers at an operating system manufacturer platform level (Android Transport Layer and Apple Push Notification service). FCM registration tokens and Firebase installation IDs are automatically recorded on the end users’ devices. This data can potentially include personal data. Likewise, the IP addresses of the terminals are processed on the operating system manufacturers’ infrastructure in order to be able to deliver push notifications. In addition, data on the application (application version and application ID) and on the firebase user agent is automatically recorded. The Firebase user agent includes device metadata (operating system version, language, time zone, name, model, brand and form factor), the name of the app with which the StromGedacht app was installed, and the name of the Firebase SDKs used in the StromGedacht app, including version numbers. Also included here are the app bundle ID and the developer platform. Under the Apple iOS platform, the Apple Push Notification service (APNs) token is recorded and assigned to the FCM registration token.

We cannot rule out the possibility that personal data will be processed in countries outside the European Economic Area (EEA) as part of the Firebase Cloud Messaging Service (FCM) and the transport layers at operating system manufacturer platform level, since Apple and Google are US-based providers.

Further detailed information on “Firebase and Data Disclosure” is available on the service provider’s websites at https://firebase.google.com/docs/android/play-data-disclosure for the Google Android platform and https://firebase.google.com/docs/ios/app-store-data-collection for the Apple iOS platform.

You can deactivate push notifications for the app again at any time via the operating system settings on your device. By doing this, you withdraw your consent for data processing in connection with push notifications.

2.4. Google Firebase Crashlytics (crash reporting)

To support the software quality of the StromGedacht app, we use the Google product “Firebase Crashlytics”. Crashlytics is a crash reporting tool, which provides software developer teams with data on software problems in real time. Using Crashlytics in this way, we can better detect software errors and rectify them. The use of Crashlytics involves collecting and transmitting a range of data from the terminal in question: Crashlytics installation UUIDs, Firebase installation ID, crash tracks and breakpad minidump formatted data. This may potentially involve data that refers to people. Firebase Crashlytics is deactivated by default. It can be activated and begin collecting and transmitting the relevant data (see above) only with your express approval. We cannot rule out the possibility that personal data will be processed in countries outside the European Economic Area (EEA) as part of “Firebase Crashlytics”, since Google is a US-based provider.

Further information on the subject of “Firebase Crashlytics and privacy” can be found here: https://firebase.google.com/products/crashlytics/, https://firebase.google.com/docs/crashlytics?hl=de and https://firebase.google.com/support/privacy?hl=de#examples_of_end-user_personal_data_processed_by_firebase.

2.5. Friendly Captcha (bot/spam protection)

Our app makes use of the „Friendly Captcha“. service, provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is an innovative, privacy-friendly protection solution that makes it difficult for automated programs and scripts (bots) to use our app.

We have integrated a program code from Friendly Captcha into our app to enable the user’s device to establish a connection to the Friendly Captcha servers to source a puzzle. The user’s device solves the puzzle, which makes use of specific system resources, and sends the solution to our server. This contacts the Friendly Captcha server via an interface and receives a reply that confirms whether the device correctly solved the puzzle. Depending on the result, we may add security rules to enquiries via our app, and either process them further or decline them on that basis.

The data is used exclusively to protect against spam and bots as described above. Friendly Captcha does not place or read cookies on or from the user’s device. IP addresses are saved only in hashed (one-way encrypted) form, which does not enable us or Friendly Captcha to determine the identity of any individual person. If personal data is saved, it is deleted again within 30 days.

The legal basis for processing is our legitimate interests in protecting our app against abusive access by bots, thus spam protection and protection against attacks (e.g. denial-of-service attacks), in accordance with Art. 6 para 1 (f) GDPR.

For further information about privacy with the use of Friendly Captcha, see https://friendlycaptcha.com/legal/privacy-end-users/.

3. Length of data storage

We process and store your personal data for as long as it is needed to fulfil the purposes for which it was gathered. If the data is no longer needed to fulfil these purposes, it will be deleted after no more than seven days, or following the expiry of the period set by the provider of the integrated technologies in question. This does not affect legal requirements regarding the storage and deletion of personal data, especially data that we must retain for tax reasons.

4. Rights of the user

You are entitled to receive, upon request and at no cost, information about the personal details about you that are saved in our system as per Art. 15 GDPR. You also have the right to correct inaccurate details (Art. 16 GDPR), to restriction of processing (Art. 18 GDPR), and to deletion of your personal data (Art. 17 GDPR). You may also withdraw any consent at any time with future effect.

If we process your data on the basis of legitimate interests (Art. 6 para 1 (f) GDPR) or to perform a task in the public interest (Art. 6 para 1 (e) GDPR), or if your particular situation gives rise to grounds opposing such processing, you have the right to object to processing of your data in accordance with Art. 21 para 1 GDPR.

Pursuant to Art. 21 paras 2 and 3 GDPR, you have the unrestricted right to object to any form of processing for the purposes of direct marketing.

Moreover, you have the right to data portability in accordance with Art. 20 GDPR.

If there are grounds to assume data is being processed illegally, you are entitled to lodge a complaint with the competent supervisory authority.

5. Amendments to this privacy statement

We keep this privacy statement up to date at all times. We therefore reserve the right to amend it from time to time and to work in changes regarding the collection, processing or use of your data. The current version of the privacy statement can be accessed at all times from within the app under “Privacy Statement”.

Last updated: 20.04.2023