Tixxt Data protection declaration

We are pleased that you are using our portal.

Data protection is particularly important for the management bodies, the executive management and employees of VGB PowerTech e.V. (hereinafter: VGB or “we”).

The processing of personal data is performed exclusively in accordance with the statutory conditions. Significant for this is Regulation (EU) 2016/679 (General Data Protection Regulation). With this data protection declaration we want to inform you about the type, extent and purpose of the personal data processed by us in conjunction with our eNet service. Further, your rights as data subject are explained in this data protection declaration.

We have taken measures to protect your data but in principle, and also for purely practical reasons, absolute protection is not possible. For this reason, we regularly adjust the measures taken, even if there are no gaps in the protection, solely to remain start-of-the-art and to fulfill our responsibility for your data.

1. Definitions

The definitions come from the General Data Protection Regulations referred to above.

In this data protection declaration we use, among others, the following terms:

“Personal data” or “your data” is all information relating to an identified or identifiable natural person (hereinafter: “data subject” or “you”); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by allocation of an identifier such as a name, to an ID number, to location data, or an online ID or to one or more specific features, the expression of physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

“Processing” is any process with or without help from an automated process, or any such series of processes, connected with personal data, such as the collection, recording, organization, ordering, storage, adjusting or changing, reading, querying, using, disclosing by transmission, dissemination or other form of provision, comparison or linking, restriction, deletion or destruction.

“Restriction of processing” is the marking of stored personal data with the aim of restricting its future processing.

“Profiling” is any kind of automated processing of personal data, in which this personal data is used in order to assess specific personal aspects that relate to a natural person, in particular in order to analyze or predict aspects relating to performance, economic situation, health, personal preferences, interests, reliability, conduct, home or change of location of this natural person.

“Pseudonymization” is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without adding additional information, provided this additional information is stored separately and is subject to technical and organizational measures guaranteeing that the personal data is not assigned to an identified or identifiable natural person.

“Responsible person” is the natural or juridical person, authority, institution or other agency, that alone or with others decides on the purposes and means of processing the personal data; if the purposes and means of this processing are prescribed by Union law or the law of the member states, the responsible person or the specific criteria of their appointment can be required according to Union law or the law of the member states.

“Contract processor” is a natural or juridical person, authority, institution or other agency that processes personal data for the responsible person.

“Recipient” is a natural or juridical person, authority, institution or other agency to whom personal data is disclosed, irrespective of whether they are a third party or not. Authorities, which possible receive personal data within the framework of a specific investigation order under Union law or the law of the member states are not considered recipients however; the processing of this data by the named authorities is performed in accordance with the applicable data protection provisions according to the purposes of the processing.

“Third party” is a natural or juridical person, authority, institution or other agency that apart from the data subject, the responsible person, the contract processing and persons authorized to process the personal data under the direct responsibility of the responsible person or the contract processor.

2. Name and address of the responsible person for the processing

Responsible person as defined in the GDPR, other data protection legislation applicable in member states of the European Union and other conditions relevant for data protection is:

VGB PowerTech e.V.
Deilbachtal 173
45257 Essen
Germany
Phone: +49 201 8128 0
E-Mail: info@vgb.org
Website: www.vgb.org

3. Data protection inquiries

The data protection officer of the responsible person for the processing is:

Nataly Schroeder
SystemDatenschutzConsulting
Rebenlaube 12
45133 Essen
Germany
Phone: 0172/ 6443194
E-Mail: schroeder-dsc@web.de
Website: www.rs-datenschutzconsulting.de

Each data subject can contact our data protection officer directly at any time in respect of all data protection matters.

4. Group of affected categories of processed data and purpose

Users of the eNet members’ portal.

Master data:

  • Usage data (e.g. Websites visited, interest in content, access times),
  • Technical data (e.g. browser, IP addresses, operating system)
  • Forename
  • Surname
  • Title
  • Form of address
  • Company / organization
  • Address (work)
  • Email (work)
  • Language

Voluntary information:

  • Other profiles (Linked In, Xing, Twitter)
  • Specialist subjects
  • Position
  • Department/area
  • Mobile number
  • My blog / website
  • Profile picture
  • Date of birth
  • Consents

The purpose of the processing is the operation and security of the members’ portal, contractual performance the compliance with statutory provisions. In addition, these can be used in order to optimize the members’ portal and to provide assistance to customers and users.

5. Grounds of permission for the processing

With active participation in a VGB committee, use of the eNet is mandatory and serves the internal communication with the VGB committees. Your master data is processed by us on the basis of a justified interest according to Art. 6 (1) lit. f GDPR. When providing, carrying out and managing our services, if applicable we also transmit your personal data within the framework of the company's internal working process to companies inside and outside the responsible agency. The transmission takes place on the basis of the contract processing contracts concluded according to Art. 28 GDPR. To this end, we use the contract processor mixxt GmbH, Adenauerallee 134, 53113 Bonn.

You agree to this data protection declaration by starting your committee work, or at the latest with your first use of eNet. We collect and process additional personal data, including usage data, on the basis of consent (Art. 6 (1) lit. a and Art. 7 GDPR).

Other grounds of permission are also our legal obligations towards our members (Art. 6 (1) lit. c GDPR).

6. Cookies

The members’ portal uses cookies. Cookies are text files, which are stored and saved on a computer system via an internet browser. Your selected browser manages them.

Cookies are ubiquitous on the internet. Many cookies contains a co-called Cookie-ID. A Cookie-ID is a unique identifier for the cookie. It comprises a string of characters, through which websites and servers can be allocated to the actual browser where the cookie was stored. This allows the visited websites and servers to identify your browser from other browsers. A specific browser can be recognized and identified from the unique Cookie-ID.

We use this technology so that we do not have to repeatedly ask for your login data after you login. However, cookies expire after some time. The option “Stay logged in” increases the period that such a cookie remains valid.

We only use technically necessary cookies that serve to recognize you. The purpose of this recognition is to make it easier for you to use the members’ portal. We do not use cookies in the members’ portal for any other purpose.

Cookies already saved can be deleted at any time via the browser or by other software programs. This is possible in all common browsers. If you disable the saving of cookies in your browser, most of the functions of the members’ portal are no longer reasonably useful.

7. Contact possibility via the members’ portal

The members’ portal contains information about how you can also contact us by email. If you contact us by email or by using the contact form, your data is processed. A retention period of 6 years applies to business documents, from the end of the calendar year in which they were sent. For connected communications, this period starts after the last message. They are then deleted unless important reasons prevent this (see Deletion).

This personal data is not transmitted to third parties.

8. Use of the mobile App

For the optimum eNet experience on mobile end devices, we also provide mobile Apps, with which you can use the members’ portal. Data is already provided corresponding to the rules of the respective APP stores when using and installing these Apps. The respective operators of the App stores are the responsible persons. Personal data provided here is typically processed in the USA. For more information, contact the respective operator of the App stores.

Use of the eNet-App is optional. All contents can also be used without an App.

9. Routine deletion and blocking of personal data

We routinely delete your data if the purpose of the processing no longer exists and any retention periods have expired. Exercising your rights, and other legal obligations, can also lead to a deletion.

Deletion is prevented if processing is necessary

  • To exercise the right of freedom of expression and information;
  • To fulfill a legal obligation, which requires processing according to the law of the European Union or the member states, we are subject to, or in order to perform a task that is in the public interest or to exercise official powers assigned to us;
  • On grounds of public interest in the area of public health according to Article 9 (2) lit. h) and i) and Article 9 (3) GDPR;
  • For archiving purposes, scientific or historical research purposes in the public interest or for statistical purposes according to Article 89 (1) GDPR, provided the right named in paragraph 1 is expected to make the realization of the aims of this processing impossible or seriously difficult, or
  • To assert, exercise or defend against legal claims.

10. Rights of the data subject and your rights

a) Right of confirmation

European legislation gives each data subject the right to demand confirmation from the person responsible for the processing as to whether they are processing relevant personal data. If a data subject wishes to exercise this right of confirmation, they can contact an employee of the person responsible for the processing at any time.

b) Right to information

European legislation gives each data subject the right to receive information free of charge from the person responsible for the processing about their stored personal data and a copy of this information. Furthermore, European legislation gives the data subject the right to the following information:

» Processing purposes

» Categories of personal data processed

» Recipients or categories of recipients, to which the personal data has been disclosed or will be disclosed, notably recipients in third countries or in international organization

» If possible, the planned duration, for which the personal data is to be stored, or if this is not possible the criteria for determining this duration

» The existence of a right or correction or deletion of the data subject’s personal data or the right to restrict the processing by the responsible person or a right of objection to this processing

» The existence of a right to complain to a regulatory authority

» If the personal data is not collected from the data subject: All available information about the origin of the data

» The existence of automatic decision-making, including profiling, according to Article 22 (1) and (4) GDPR and — at least in these cases — useful information about the logic involved and the range and desired effects of such processing for the data subject

Further, the data subject has the right to information about whether personal data has been transmitted to a third country or an international organization. If this is the case, the data subject also has the right to information about the suitable guarantees connected with the transmission.

If a data subject wishes to exercise this right of information, they can contact an employee of the person responsible for the processing at any time.

c) Right of correction

European legislation gives each data subject the right to demand the immediate correction of their incorrect personal data. Further, the data subject has the right to demand the completion of incomplete data – also by means of a supplemental declaration – taking into account the purposes of the processing.

If a data subject wishes to exercise this right of correction, they can contact an employee of the person responsible for the processing at any time.

d) Right of deletion (right to be forgotten)

European legislation gives each data subject the right to demand from the responsible person that their personal data immediately be deleted, provided one of the following reasons applies and the processing is not required:

» The personal data has been collected for purposes or is processed in other ways, for which it is no longer needed.

» The data subject revokes their consent, on which the processing according was based according to Art. 6 (1) lit a) GDPR or Art. 9 (2) lit. a) GDPR, and there is no other legal basis for the processing.

» The data subject objects to the processing according to Art. 21 (1) GDPR and there are no higher-ranking justified grounds for the processing, or the data subject objects to the processing according to Art. 21 (2) GDPR.

» The personal data was processed unlawfully.

» Deletion of the personal data is necessary in order to fulfill a legal obligation according to Union law or the law of the member states, to which the responsible person is subject.

» The personal data was collected in respect of services offered by the information company according to Art. 8 (1) GDPR.

If one of the above grounds applies and a data subject wishes to demand deletion of personal data stored by, they can contact an employee of the person responsible for the processing at any time. The VGB employee will arrange the fulfillment of the deletion request without delay.

If the personal data has been disclosed by VGB and if our company as person responsible according to Art. 17 (1) GDPR is required to delete the personal data, taking into account the available technology and the implementation costs VGB shall take appropriate measures, also technical ones, to inform other persons responsible for the data processing, which process the disclosed personal data, that the data subject has demanded the deletion of all links to this personal data or copies of reproductions of this personal data, provided the processing is not required. In this case, VGB employee shall arrange what is necessary for this.

e) Right to restriction of processing

European legislation gives each data subject the right to demand that the responsible person restrict the processing if one of the following conditions is met:

» The accuracy of the personal data is disputed by the data subject, and for the duration necessary to allow the responsible person to check the accuracy of the personal data.

» The processing is unlawful, the data subject rejects the deletion of the personal data and instead demands the restriction of use of the personal data.

» The responsible person no longer needs the personal data for the purposes of the processing, but the data subject needs it to assert, exercise or defend against legal claims.

» The data subject has objected to the processing according to Art. 21 (1) GDPR and it is not yet certain whether the justified grounds of the responsible person outweigh those of the data subject.

If one of the above conditions exists and a data subject wishes to demand the restriction of personal data stored by, they can contact an employee of the person responsible for the processing at any time. The VGB employee will arrange the restriction of processing.

f) Right to data transferability

European legislation gives each data subject the right to receive their personal data, which has been provided to the responsible person, in a structured, common and machine-readable format. They also have the right to transmit this data to another responsible person without impairment by the responsible person the personal data was provided to, insofar as the processing is based on the consent according to Art. 6 (1) lit. a) GDPR or Art. 9 (2) lit a) GDPR or is based on a contract according to Art. 6 (1) lit. b) GDPR and the processing is performed using automated processes, provided the processing is not required for a task that is in the public interest or to exercise official powers assigned to the responsible person.

Further, when exercising their right to data transferability according to Art. 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one responsible person to another responsible person, provided this is technically feasible and the rights and freedoms of other persons are not affected by this.

To assert this right to data transferability, the data subject can contact a VGB employee at any time.

g) Right to object

European legislation gives each data subject the right to object at any time to the processing of their personal data, which is taking place on the basis of Art. 6 (1) lit. e) or f) GDPR for reasons deriving from their specific situation. This also applies to profiling based on these conditions.

In the case of objection, VGB no longer processes the personal data unless we can demonstrate urgent, protected grounds for the processing, which outweigh the interests, rights and freedoms of the data subject, or if the processing serves the assertion, exercise or defense against legal claims.

If VGB processes personal data in order to operate direct marketing, the data subject has the right at any time to object to the processing of personal data for the purposes of such marketing. This also applies to profiling, insofar as it is connected with such direct marketing. If the data subject objects to the processing by VGB for purposes of direct marketing, VGB shall no longer process the personal data for this purpose.

In addition, the data subject has the right to object to the processing of their personal data, for grounds deriving from their specific situation, which is performed by VGB for scientific or historic research purposes according to Art. 89 (1) GDPR, unless such processing is necessary in order to fulfill a task in the public interest.

To exercise the right to object, the data subject can directly contact any employee of VGB or another employee. In conjunction with the use of services from the information company, irrespective of Directive 2002/58/EC, the data subject is also free to exercise their right to object using automated processes, in which technical specifications are used.

h) Automatic decision-making in specific cases, including profiling

European legislation gives each data subject the right not to be subject of a decision based exclusively on automated processing — including profiling — that has legal effect for them or that considerably affects them similarly, provided the decision (1) is not necessary for conclusion or fulfillment of a contract between the data subject and the responsible person, or (2) is permitted on the basis of legal provisions of the Union or the member states, to which the responsible person is subject, and these legal provisions contain reasonable measures for safeguarding the rights, freedoms and justified interests of the data subject, or (3) is made with the express consent of the data subject.

If the decision (1) is necessary for conclusion or fulfillment of a contract between the data subject and the responsible person or (2) is made with the express consent of the data subject, VGB shall take reasonable measures to safeguard the rights, freedoms and justified interests of the data subject, which include at least the right to obtain the intervention of a person from the responsible person, to represent one’s own standpoint and to contest the decision.

If the data subject wishes to assert rights in respect of automated decisions, they can contact an employee of the person responsible for the processing at any time.

i) Right to revoke consent under data protection legislation

European legislation gives each data subject the right to revoke consent to the processing of personal data at any time.

If the data subject wishes to assert their right to revoke consent, they can contact an employee of the person responsible for the processing at any time.

11. Duration and location of storage of the personal data

After deletion of an eNet access, the user's data is also deleted. However, this does not apply to documents and content that the respective user has saved to the eNet portal. This content remains saved even after deletion of the user's account. Personal data may also remain stored in our backups and log files after deletion. If nothing important prevents this, this data is also deleted one year after deletion at the latest. For customer data, the duration is also determined according to the statutory retention periods for business and commercial documents (6 years) and the retention periods under tax law (10 years). After expiration of the period, the corresponding data is routinely deleted provided it is no longer needed for contractual fulfillment or contract initiation.

II. Server location Germany

(Source: tixxt Department, Business & Enterprise, as at 09.15.2018)

Any infrastructure for providing tixxt products and the data processing performed therein is located in the Federal Republic of Germany. mixxt GmbH operates servers for this in closed server racks in the computer center of QSC AG in Feucht, Nuremberg. This computer center is a “sister computer center” of the main DATEV e.G. Computer center.

For testing, staging and other peripheral systems (e.g. for storage of encrypted backups or for mailing), mixxt GmbH reserves the right to operate other locations in Germany, provided the level of protection corresponds to the standards.

Special regulations, e.g. for the storage of backups, can be concluded with mixxt GmbH upon request.

III. Main server location

mixxt operates servers in closed server racks / cabinets inside the computer center of QSC AG. The computer center is ISO 27001-certified, a corresponding certificate can be provided upon request.

The entire computer center has a fully redundant structure. Since 2007, mixxt GmbH has had only positive experiences regarding security standards, data protection standards, care, the high reliability and transparent communication with the operating company of the computer center.

12. Existence of automatic decision-making

We do not use automatic decision-making or profiling.

13. Data protection conditions relating to social share buttons

We do not use social share buttons to external networks in the members’ portal.

14. Changes and additions to this declaration

We reserve the right to update this data protection declaration, especially if the legal or technical circumstances change. Also to correct errors or to make clarifying additions.

As at: 08.13.2020