+++ New: Flexibly BUY or RENT your Enpal solar solution. +++
At Enpal B.V. ("Enpal"), data protection is a top priority. We are delighted that you want to help shape the future of green energy with us and firmly believe that protecting your data plays an extremely important role in this. The following information is therefore intended to explain what types of personal data we process, for what purposes and to what extent in connection with your use of and provision of data via the Enpal website https://www.enpal.de/ and in the context of contract negotiations and the implementation of pre-contractual measures.
If you become a customer of Enpal, we will inform you about further data processing in connection with our provision of services when the contract is concluded.
We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Personal data in this sense is all individual information about the personal or factual circumstances of an identified or identifiable natural person, such as name, address, date of birth, contact details, customer data, offer and contract data, etc.
The responsible body is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
The responsible body for data processing in connection with the use and provision of your data via the Enpal website in accordance with Art. 4 No. 7 GDPR is:
Enpal B.V.
Bödikerstr. 25, 10245 Berlin
Email: info@enpal.de
If you have any questions about data protection in connection with our products and services or the use of our website, you can also contact our data protection officer at any time. They can be reached at the postal address provided above and at the email address below.
You can contact our data protection officer at:
Enpal B.V.
Data Protection Officer
Bödikerstr. 25, 10245 Berlin
Email: datenschutz@enpal.de
Every time you use our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data includes the so-called HTTP header information, including the user agent, and in particular:
The processing of this connection data is technically necessary to enable you to visit the website, to ensure the long-term functionality and security of our systems, and to perform general administrative tasks related to our website. The connection data is also stored in internal log files for the purposes described above, whereby it is limited to the minimum necessary in terms of time and content. This serves to identify and take action against the cause of repeated or criminal access that jeopardises the stability and security of our website.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, provided that the page is accessed in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f GDPR based on our legitimate interest in enabling the website to be accessed and in the long-term functionality and security of our systems.
On the Enpal website, you have the option of calculating the savings you can achieve by using an Enpal solar power system. The following personal data is processed as part of this calculation:
The legal basis for processing is Art. 6 (1) lit. b GDPR, as the calculation is made in the course of initiating a contract. Based on this data, your solar system will be planned and a virtual roof layout will be created. This will be presented to you in a subsequent sales meeting. Failure to provide the aforementioned data may make it impossible to carry out the calculation and subsequently prepare an offer.
In addition, we may process your data on the basis of Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in advertising or market and opinion research, in testing and optimising procedures for needs analysis and direct customer contact, in measures for business management and the further development of services and products, as well as in connection with these processes, provided that you have not objected to the use of your data in this sense.
You have the option of contacting us via various contact forms on the Enpal website.
1) The following data is collected via the mandatory fields for trade partners (https://www.enpal.de/partner-werden):
2) The following data is collected via the mandatory fields for heat pump partners (https://www.enpal.de/jobs/handwerkspartner-fur-waermepumpen):
3) The following data is collected via the mandatory fields for recommendation partners (https://www.enpal.de/empfehlungspartner):
4) The following data is collected via the mandatory fields for sales partners (https://www.enpal.de/vertriebspartner-formular):
The data collected via the contact forms is processed for the following purposes:
The legal basis for this processing is Art. 6 (1) lit. b GDPR, as you are contacting us in the course of initiating the partner agreement with Enpal, and otherwise Art. 6 (1) lit. f GDPR based on our legitimate interest in you contacting us and us being able to respond to your enquiry.
The personal data mentioned will be transferred to the following parties to the extent necessary for the performance of the task:
You have the option of subscribing to our newsletter, in which we regularly inform you about innovations relating to our products and services in the field of renewable energies offered by the Enpal Group. We also conduct market and opinion research as part of our newsletter.
To receive the newsletter, you must provide your email address, without which we cannot send you the newsletter. If you have also provided us with your name, we will use it to address you personally.
When you subscribe to our newsletter, we use the double opt-in procedure: after registering, you will receive an email in which you must confirm your subscription. The newsletter will only be sent after this confirmation. This ensures that no one can use your email address without your permission. The legal basis for processing your data when sending the newsletter is your consent in accordance with Art. 6 para. 1 lit. a GDPR .
If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage serves solely for the purpose of sending you the newsletter and proving your registration. The legal basis for storage is Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with Art. 7 GDPR and/or Art. 6 para. 1 lit. f GDPR based on our legitimate interest in being able to prove in cases of doubt that consent was given to receive our newsletter.
You can revoke your consent to receive the newsletter at any time with future effect by unsubscribing from the newsletter. A corresponding unsubscribe link is included in every newsletter. A message to abmelden@enpal.de or to the contact details provided in the newsletter is of course also sufficient for this purpose.
We measure whether our newsletter can be delivered at all. The legal basis for measuring success is your consent in accordance with Art. 6 para. 1 lit. a GDPR. We also analyse pseudonymised opening and click rates to improve our offering. The legal basis for this is our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
To measure success, we use the customer engagement platform Braze from Braze, Inc. (hereinafter "Braze"; 63 Madison Avenue, 12th Floor, New York, NY 10016, USA). The tool records deliveries, openings, clicks and unsubscriptions for each newsletter campaign and provides us with these metrics in both aggregated and user-specific form (max. 30 days). tracking pixels in the newsletter header ("open tracking") and personalised redirect links for click measurement are used , but no cookies. IP tracking does not take place either.
We use the data obtained in this way to create a user profile in order to tailor the newsletter to your individual interests. We record when you read our newsletters, which links you click on and deduce your personal interests from this. This is used to control and evaluate newsletter campaigns and to improve deliverability and content through KPI analyses. Braze stores the data on servers in the EU. Support access from the USA is also possible. For the USA, there is an adequacy decision by the EU Commission (EU-US Data Privacy Framework, or "DPF" for short) that applies to certified companies. Braze is DPF-certified. This ensures that a level of protection comparable to that in the EU is in place. Braze also protects such transfers via standard contractual clauses (SCC) in accordance with Art. 46 (2) lit. c GDPR. Further information can be found in Braze's privacy policy. We have concluded a data processing agreement with Braze in accordance with Art. 28 GDPR.
When sending press releases and event invitations, we process your first and last name, the organisation you belong to and your email address.
We use the double opt-in procedure to order our press newsletter, i.e. we will only send you newsletters by email if you confirm in our notification email by clicking on a link that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage serves solely to send you the newsletter and to verify your registration. The legal basis for storage is Art. 6 para. 1 lit. f GDPR based on our legitimate interest in being able to prove in cases of doubt that consent to receive our newsletter has been given. In addition, we measure whether our newsletter can be delivered at all.
To receive the press newsletter, you must provide your email address, without which we cannot send you the newsletter. The legal basis for processing in the course of sending the press newsletter is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time with future effect by unsubscribing from the newsletter. A corresponding unsubscribe link is included in every newsletter. Of course, you can also send a message to the contact details provided above or in the newsletter.
You have the option of participating in one of our surveys. We use the results of these surveys to improve our service.
The legal basis for sending the survey is Art. 6 para. 1 lit. f GDPR in conjunction with § 7 para. 3 UWG, based on our legitimate interest in designing our services in line with the needs of our customers in the sales process and our existing customers and continuously improving them.
If we ask you to participate in a survey as part of the sales process, we will obtain your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR in conjunction with § 7 (2) no. 2 UWG. You can revoke this consent at any time with future effect. To do so, simply send an informal message todatenschutz@enpal.de .
You can object to the sending of a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by notifying us using the contact details above (e.g. by email or letter).
You have the option of participating in our competitions.
In the context of competitions, we use your data for the purpose of conducting the competition and notifying the winners. You will find detailed information in the terms and conditions of participation for the respective competition. The legal basis for processing is the competition contract in accordance with Art. 6 para. 1 lit. b GDPR. Data processing for other or further purposes, in particular for advertising , is carried out on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.
In addition, we may process your data on the basis of Art. 6 para. 1 lit. f GDPR, on the basis of our legitimate interest in advertising or market and opinion research, in testing and optimising procedures for needs analysis and direct customer contact, in measures for business management and the further development of services and products, as well as related processes, provided that you have not objected to the use of your data in this sense.
We base the sending of the offer to participate in the competition on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided that you have given us this consent, and otherwise on Art. 6 para. 1 lit. f GDPR in conjunction with § 7 para. 3 UWG (German Unfair Competition Act), based on our legitimate interest in offering competitions and strengthening customer loyalty.
You can object to the sending of an offer to participate in competitions and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by notifying us at the above contact details (e.g. by email or letter) with effect for the future.
We use the Typeform service provided by Typeform S.L. (hereinafter "Typeform"), Calle de Pallars 108, 08018 Barcelona, Spain, on our website to provide an online form for event registration. Interested parties can register for our events using the embedded Typeform form. Depending on your input, your name, email address and, if applicable, the name of your organisation are collected as personal data and transmitted to Typeform. When you access and fill out the form, Typeform also collects certain technical usage data (e.g. IP address, device and browser information, and the date and time of access) using cookies to ensure the display and functionality of the form.
We process the data provided exclusively for the purpose of registering, managing and organising the respective event, i.e. in particular to receive your event registration, to send you confirmation of participation or information about the event and to carry out the event. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b GDPR, as the provision of the aforementioned data is necessary for the organisation and participation in the event.
Typeform acts as a processor for us and may only use the data in accordance with our instructions. We have concluded a data processing agreement with Typeform in accordance with Art. 28 GDPR. Please note that Typeform stores the collected data on servers of the cloud provider Amazon Web Services (AWS); the main servers are located in the USA. Insofar as data is transferred to the USA in this context, we have agreed EU standard contractual clauses with Typeform as an appropriate guarantee in accordance with Art. 46 GDPR to ensure an adequate level of data protection.
We process and store your personal data only for as long as is necessary for the preparation, implementation and follow-up of the event. After the event has ended or as soon as the purpose of processing has been fulfilled, the data will be deleted, unless longer storage periods are required by law (e.g. under commercial or tax law). Apart from this, the data will be deleted at the latest after the end of our contractual relationship with Typeform, unless further storage is required by law.
The provision of the aforementioned personal data is voluntary, but necessary for the event registration. It is neither required by law nor contractually stipulated; without this information, we cannot accept and process your event registration. In this case, participation in the event is not possible.
If you apply for our Future Scholarship at Enpal, you have the option of submitting your application documents to Enpal on our website at https://www.enpal.de/stipendium#ueberblick (Apply now) by clicking on the "Apply now" button. You can provide the following personal data:
The legal basis for the processing of your data is Art. 6 para. 1 lit. a and Art. 6 para. 1 lit. b GDPR.
You have the right to withdraw your consent to the processing of your data at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You can send your withdrawal of consent todatenschutz@enpal.de , for example. Please note, however, that upon revocation, we may be required to delete your personal data in accordance with the provisions of Art. 17 GDPR and will then no longer be able to consider you in the further application process.
The Enpal website uses various services and applications that are either provided by us or by third parties. These include, in particular, cookies and similar technologies that are used to store information on your device or to access it:
Cookies are pieces of information stored on your device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
We use certain cookies to enable the basic functions of our website ("basic services"). These include, for example, cookies for preparing and displaying website content, for managing and integrating cookies, and for preventing and ensuring the security of our website. Without these cookies, we would not be able to provide our service. Therefore, basic services are used without consent.
In addition to these basic services, we also use marketing and analysis cookies. Marketing and analysis cookies include cookies that we use to analyse your interaction with our website or for marketing purposes. We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is aggregated and allows us to understand the usage habits of our visitors. This serves to adapt and optimise the design of our website and to make the user experience more enjoyable.
Web storage (local storage/session storage): information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storage of local storage with time entry). Information in local and session storage can also be removed manually.
JavaScript: programming codes (scripts) embedded in or called up by the website that, for example, set cookies and web storage or actively collect information from the end device or about the usage behaviour of visitors. JavaScript may be used for "active fingerprinting" and the creation of usage profiles. JavaScript can be blocked by a setting in the browser, but most services will then no longer function.
Pixels: Tiny graphics automatically loaded by a service that can enable visitors to be recognised by automatically transmitting the usual connection data (in particular IP address, information about the browser, operating system, language, address accessed and time of access) and, for example, determine whether an email has been opened or a website visited. Pixels can be used to carry out "passive fingerprinting" and create usage profiles. The use of pixels can be prevented, for example, by blocking images in emails, although this will severely restrict the display.
With the help of these cookies and comparable technologies, and also by simply establishing a connection to a page, so-called "fingerprints" can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognise visitors. Fingerprints based on the connection establishment cannot be completely prevented manually.
Most browsers are set by default to accept cookies, execute scripts and display graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services will probably not work or will not work properly.
The cookie settings list the cookies and similar technologies we use, sorted by category, and provide you with information about the providers of the technologies, the storage duration of the cookies or information in local storage and session storage, and the transfer of data to third parties. It also explains in which cases we obtain your voluntary consent to the use of cookies and similar technologies and how you can revoke this consent. A detailed list of the cookies used can be found in the cookie settings.
The data processing essential for the operation of the website is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide the basic functions of our website. In these cases, access to and storage of information on the end device is absolutely necessary and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany pursuant to Section 25(2)(2) TDDDG. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR.
We use all other non-necessary (optional) cookies and comparable technologies that provide additional functions on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the end device is then based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany pursuant to Section 25 (1) TDDDG. Data processing using these tools only takes place if we have obtained your prior consent.
If personal data is transferred to third countries, we refer you to Section F "Data transfer to third countries", also with regard to the risks that may be associated with this. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we will (also) transfer the data processed during the use of the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 lit. a GDPR.
We use the "Usercentrics" tool to obtain and manage your consent. It generates a banner that informs you about data processing on our website and gives you the option to consent to all, individual or no data processing by optional tools. This banner appears when you first visit our website and when you revisit your settings to change them or withdraw your consent. The banner also appears on subsequent visits to our website if you have disabled the storage of cookies or if the cookies or information in local storage have been deleted or have expired.
During your visit to our website, your consents or revocations, your IP address, information about your browser, your device and the time of your visit are transferred to Usercentrics. In addition, necessary information is stored on your device to document your consents and revocations ("Cookie_Name" (x years)).
Data processing is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis is Art. 6 para. 1 lit. f GDPR, justified by our interest in complying with the legal requirements for consent management. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25(2)(2) TDDDG.
You can withdraw your consent for certain tools, i.e. for the storage of and access to information on your end device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. To do so, click on the following link: Cookie settings. There you can also change the selection of tools you wish to consent to, and find additional information about the tools used. Alternatively, you can withdraw your consent for certain tools directly from the provider.
This website uses technology from our partner Awin AG, Otto-Ostrowski-Straße 1A, 10249 Berlin. Awin operates an affiliate network and connects website operators who want to advertise for other companies with companies that want to sell their products and services. If you have given your consent in accordance with Art. 6 para. 1 lit. a GDPR, cookies and similar technologies are used to collect information about how you, as a user, arrive at a company such as ours from a website and, if applicable, purchase products there. Further information on the technology used and Awin can be found in the cookie settings and in Awin's privacy policy, which you can find here.
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
We use social media buttons (Facebook, Instagram, Google+, YouTube) from Meta Inc. and Google Inc. etc. ("providers") on our website. These social media buttons are not integrated as plugins via a so-called iFrame, but are stored as links. By clicking on the social media buttons, you will be redirected directly to the page of the respective provider. No data is transferred from the Enpal website to the providers. The respective provider is then responsible for compliance with data protection regulations and for the accuracy, timeliness and completeness of the information provided there regarding data processing within the meaning of Art. 4 No. 7 GDPR.
If you enter your data via the questionnaire on our website (e.g. the solar planner), we will process your personal data in order to contact you and provide you with a personalised offer, arrange appointments and send you information as part of the sales process. We will also contact you by telephone to explain your personal solar offer or to clarify any queries if you have provided your telephone number.
In addition, we will send you advertising information about our products and services before you enter our sales process and beyond, if you have given your consent. Communication may take place by email, telephone call, SMS text message, push message or by sending you our newsletter. For this purpose, we process your name, title, email address and telephone number, among other things.
You can object to the use of your contact details for advertising purposes at any time or withdraw your consent.
Further information on this can be found in Section G "Data subject rights".
Various tools may be used to communicate with you.
We offer you the option of contacting us via the WhatsApp messenger service. We use the services of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. When using WhatsApp Business, the terms of use and privacy policy of WhatsApp apply.
When using WhatsApp, personal data (e.g. metadata) is processed and may also be transferred to servers outside the European Union, in particular to the USA.
The use of WhatsApp Business is solely for the purpose of customer communication and responding to enquiries and is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. By contacting us via WhatsApp, you agree to communication via this messenger service.
The data collected by us when you contact us will be automatically deleted after your enquiry has been processed in full, unless we still require your enquiry to fulfil contractual or legal obligations (see section F).
Our company uses the customer engagement platform Braze, Inc., 63 Madison Building, 28 East 28th Street, Floor 12, New York, New York 10016 USA, to automatically send emails, SMS, push and in-app messages to customers and interested parties. Braze allows the creation of journey workflows (canvas), cross-channel delivery management and the evaluation of key metrics (deliveries, opens, clicks, unsubscribes, conversions). Personal data is processed for the purpose of sending personalised marketing, service and transaction messages, for lifecycle automation (onboarding, retention, re-engagement), for performance measurement and optimisation using event tracking and A/B testing, and for managing consents and unsubscriptions.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as the respective service and transaction messages are necessary for the fulfilment of the contract, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interest in you contacting us and us being able to respond to your enquiry, and our legitimate interest in direct marketing to existing customers and in optimising our communication.
In this context, the following categories of personal data of customers and interested parties are processed:
· Contact and identification data: email address, telephone number, user ID;
· Device-specific identifiers: push tokens, device ID, app ID, browser cookie ID;
· Communication history: campaigns sent, sending times, delivery and error codes;
· Event and interaction data: openings, clicks, unsubscribes, conversions including timestamps (30-day detailed view);
· Profile data & attributes: language, country, opt-in status, customer status, segments;
· Content of sent messages (subject, body, links).
With regard to data transfers to third countries, the information provided in Section E regarding Braze applies.
Detailed event data (e.g. opens, clicks) is automatically deleted after 30 days. User profiles and attributes are stored for the duration of the business relationship or until revocation or deletion requests are made, and are then deleted.
We use Demodesk as a service provider for video conferencing and automated appointment scheduling to enable efficient and secure communication within our customer processes. The provider is Demodesk GmbH, Isartorplatz 8, 80331 Munich, Germany.
The purpose of processing is to provide, host and maintain the Demodesk video conferencing tool and a tool for automated appointment scheduling. Under certain conditions, we also use a tool to record video conferences or telephone calls.
The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in enabling us to provide our customers with efficient and secure customer service and smooth appointment scheduling. Where consent is required (e.g. for recordings), processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR.
In this context, Demodesk processes the following categories of personal data from customers and interested parties:
· Personal master data,
· Contact and communication data (e.g. telephone, email),
· technical data (e.g. session URL, screen resolution, names and email addresses of session participants) and
· audio and video recordings and the associated metadata.
The data will be deleted as soon as the purpose for which it was collected no longer applies and there are no legal storage obligations. Further information is available in the provider's privacy policy at https://demodesk.com/de/rechtliches/datenschutzerklaerung.
We use telli technologies GmbH for AI-supported telephone services to enable efficient communication within the scope of customer processes. The provider is telli technologies GmbH, Knaackstraße 78, 10435 Berlin. The provider processes usage data (e.g. duration and time of calls, call history), content data (e.g. customer enquiries, caller data) and meta/communication data (e.g. device information, IP addresses) within and outside the EU.
The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in offering our customers efficient and secure customer service and providing you with the best possible assistance with your enquiries. Furthermore, we obtain. The legal basis for processing in this case is Art. 6 para. 1 sentence
The data will be deleted as soon as the purpose for which it was collected no longer applies and there are no legal storage obligations. Further information is available in the provider's privacy policy at https://hi.telli.so/datenschutz.
As part of the contract initiation process, we also check the creditworthiness and payment history of the interested party in order to decide whether to conclude a contract. This serves to protect against payment defaults and is necessary for the implementation of pre-contractual measures, as Enpal enters into a long-term contractual relationship with you as a customer and installs our products in full at the beginning of the contractual relationship.
For this purpose, we obtain information from SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, and receive details of the identity and creditworthiness of the interested party. In doing so, we transfer your name, address and date of birth to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. After conclusion of the contract, we will also transmit data on non-contractual behaviour or fraudulent behaviour to SCHUFA. Conversely, we receive data from SCHUFA as part of the credit check and additionally process your place of birth, your SCHUFA score, your score range, your risk ratio and your rating level. Your creditworthiness will only be checked after you have had an initial consultation with an Enpal customer advisor and the next steps have been outlined to you. We carry out the credit check in connection with the agreement of an installation preparation appointment.
The personal data and information we receive from SCHUFA is one of several criteria used to decide whether we enter into a business relationship with you. No automated decision-making takes place. We also process the personal data and information received from SCHUFA to verify your ownership of the property in question.
The SCHUFA score is transmitted to the respective company of the Enpal Group that concludes a contract with you. The scoring is based on a mathematically and statistically recognised and proven procedure. Further information on scoring can be found under "Scoring at SCHUFA: Information on the procedure".
The legal basis for this transfer is Art. 6 para. 1 lit. b GDPR.
Transfers based on Art. 6 (1) lit. f GDPR may only be made if this is necessary to safeguard the legitimate interests of Enpal or third parties and does not outweigh the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. Enpal's interest in conducting credit checks is to minimise the financial risk of default associated with the long-term sales financing it offers. At the same time, credit checks are also carried out to protect potential customers from excessive debt. Data processing is therefore also in the interest of the data subjects, so that there is no overriding interest or fundamental rights and freedoms of the data subjects.
The exchange of data with SCHUFA also serves to fulfil legal obligations to carry out credit checks on customers (Sections 505a and 506 of the German Civil Code). The legal basis for data processing is then Art. 6 para. 1 lit. c GDPR.
We store the personal data and information received from SCHUFA for as long as this is necessary for the conclusion of a contract with you and there are no legal retention or storage periods that prevent deletion (see also Section F).
If you decide to conclude a consumer loan agreement with Enpal to finance the product you desire, we will transmit your name and date of birth to SCHUFA in order to comply with our legal obligations under the Money Laundering Act (GwG) and for the purpose of preventing money laundering. SCHUFA compares this data with various databases and checks whether there are any entries relating to you on terrorist and embargo lists or whether the entries relate to a politically exposed person. The legal basis for such processing operations is Art. 6 (1) lit. c GDPR.
SCHUFA processes the data it receives and also uses it for profiling (scoring) purposes in order to provide its contractual partners in the European Economic Area and Switzerland, as well as other third countries where applicable (provided that an adequacy decision has been made by the European Commission or standard contractual clauses have been agreed, which can be viewed at www.schufa.de), to provide information, among other things, for the assessment of the creditworthiness of natural persons. Further information on the activities of SCHUFA and data protection (in particular storage periods and your rights as a data subject vis-à-vis SCHUFA) can be found under "Data protection | SCHUFA".
In addition, personal data is collected from notaries who provide Enpal with the land register extract required for the conclusion of the contract. The processing for the purpose of verifying ownership is carried out on the basis of Art. 6 para. 1 lit. b GDPR, as this is necessary for the further initiation of the contract and for the conclusion of the contract.
The data we collect will only be passed on if there is a legal basis for doing so in a specific case, in particular if:
· You have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR
· the disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest in the non-disclosure of your data,
· we are legally obliged to disclose the data in accordance with Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court orders and legal proceedings, or
· this is legally permissible and necessary in accordance with Art. 6 para. 1 lit. b GDPR for the performance of contractual relationships with you or for the implementation of pre-contractual measures taken at your request.
Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy and in the cookie banner, these may include, in particular, data centres that store our website and databases, software providers, IT service providers who maintain our systems, CRM systems, agencies, communication service providers, market research companies, group companies and consulting firms. Personal data is also transferred to the following service providers:
· Public authorities that receive data on the basis of legal provisions (e.g. tax authorities or the Federal Network Agency);
· Internal departments of Enpal B.V. insofar as this is necessary for the performance of tasks;
· Companies affiliated with Enpal B.V. in accordance with Section 15 et seq. of the German Stock Act (AktG), insofar as this is necessary for the implementation of pre-contractual measures or within the framework of the conclusion of the contract. The joint controllers have concluded a corresponding agreement in accordance with Art. 26 (1) GDPR.
· Third parties involved in measures to ensure the usability of the respective energy solution (e.g. trade partners, suppliers, network operator portals) or who need to be informed by Enpal Energy for the organisation of the supplier change (previous electricity supplier, metering point operator, network operator);
· Insurance companies with which your solar system and, if applicable, other products are insured;
· Refinancing credit institutions that refinance the solar systems pre-financed by Enpal for the duration of the contract term, and their advisors;
· Notaries who grant access to the land register;
· Trading partners in the context of marketing the GHG quota;
· Auditors who audit the Enpal Group with regard to its commercial due diligence obligations (e.g. audits of financial statements and balance sheets, accounting, etc.).
· Processors: Partners of the Enpal Group who are responsible for providing you with a corresponding offer or taking further steps towards concluding a contract within the scope of your brokerage enquiry to us. These are:
- Salesforce
salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany
- Microsoft
Microsoft Deutschland GmbH, Walter-Gropius-Strasse 5, 80807, Munich, Germany
- Tableau
salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany
- Pipedrive
Pipedrive OU, Mustamäe tee 3a, Tallinn, Harjumaa 10615, Estonia
- Typeform
Typeform, S.L., Can Rabia, 3 -5, 4th floor, Barcelona, Catalonia, Spain
- Braze
Braze, Inc., 63 Madison Building, 28 East 28th Street, Floor 12, New York, New York 10016 USA
- Demodesk
Demodesk GmbH, Isartorplatz 8, 80331 Munich, Germany
- Telli
telli technologies GmbH, Knaackstraße 78, 10435 Berlin
If we pass on data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions in accordance with Art. 28 GDPR, have appropriate technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.
In connection with data processing, data may be transferred to third countries, i.e. to recipients outside the EU or the European Economic Area (EEA). If Enpal transfers personal data to countries outside the scope of the GDPR, Enpal shall ensure that the recipient of the data guarantees an adequate level of data protection.
If the European Commission has issued a decision on the existence of an adequate level of protection in relation to the third country (cf. Art. 45 (3) GDPR), no additional measures are required for the transfer of data.
In the event of data transfer to recipients based in the USA, the data transfer shall be based on the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided that the recipient has the appropriate certification. A list of currently certified companies is available here.
In other cases, as well as in the case of data transfers to other so-called non-secure third countries, data will only be transferred if the requirements of Art. 46 ff. GDPR are met. Specifically, this means that a transfer to third countries will only take place if
· the recipient offers sufficient so-called guarantees for the protection of personal data in accordance with Art. 46 GDPR,
· you have expressly consented to the transfer after we have informed you of the risks in accordance with Art. 49 (1) lit. a GDPR,
· the transfer is necessary for the performance of contractual obligations between you and us, or
· another exception under Article 49 GDPR applies.
Data transfers to recipients based in the USA who do not have DPF certification and for whom an adequate level of data protection cannot be established by means of guarantees within the meaning of Art. 46 GDPR will only take place with your consent within the meaning of Art. 49 (1) lit. a GDPR. We would like to point out that no adequate level of data protection comparable to that in the EU can be guaranteed for recipients based in the USA without DPF certification. Such transfers of personal data therefore entail the following risks: There is a risk that US authorities may gain access to personal data on the basis of the PRISM and UPSTREAM surveillance programmes based on Section 702 of the FISA (Foreign Intelligence Surveillance Act) and on the basis of Executive Order 12333 or Presidential Police Directive 28. EU citizens have no effective legal remedies in the US or the EU against such access.
We process your personal data for as long as this is necessary for the establishment, implementation or fulfilment of the contractual relationship between you and Enpal or for the exercise or fulfilment of the rights and obligations arising from the contractual relationship.
The data we process will be deleted in accordance with Art. 17 GDPR or restricted in its processing in accordance with Art. 18 GDPR as soon as it is no longer necessary for its intended purpose and there are no legal storage obligations or other reasons specified in Art. 17 (3) GDPR that prevent its deletion.
We are subject to various storage and documentation obligations, which arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods for storage and documentation prescribed therein are between two and ten years. Finally, the storage period also depends on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.
The storage serves as evidence for civil law claims, due to legal storage obligations, or there is another legal basis for the continued processing of your data in specific individual cases under data protection law.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
You are entitled to the rights of data subjects set out in Art. 7(3) and Art. 15–21 of the GDPR at any time if the respective legal requirements are met:
If you have given your consent as the legal basis for the processing of your data by us, for example in accordance with Art. 6 para. 1 sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR, you may revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. If you do so, we will stop processing your data, but the lawfulness of the processing remains unaffected by the withdrawal until the withdrawal is effective.
In accordance with Art. 15 GDPR, you have the right to request information from us at any time about all data we have stored about you. This includes, in particular, information about
· the purposes for which we process your data,
· the categories of data we process about you,
· the specific recipients or, if these are not known, the categories of recipients to whom we transfer your data,
· the duration for which we store your data or, if this cannot be determined, the criteria under which we store your data, and
· where applicable, the origin of the data if we did not collect it from you.
With regard to the right to information, the restrictions set out in Sections 34 and 35 of the Federal Data Protection Act must be observed.
If your data processed by us is incorrect or incomplete, you can request that we correct or complete this data at any time in accordance with Art. 16 GDPR.
If the original legal basis for data processing no longer applies, or if you have revoked your consent or objected to processing, or if we are not permitted to continue processing your data for any of the other reasons specified in Art. 17 para. 1 GDPR, you may request that we delete your personal data in accordance with Art. 17 GDPR.
You are not entitled to this right if the processing is necessary for the exercise of freedom of expression and information or for the protection of public interests, if there is a legal obligation to do so or if it is necessary for the assertion, exercise or defence of legal claims.
The restrictions under Sections 34 and 35 of the Federal Data Protection Act must be taken into account with regard to the right to erasure.
In accordance with Art. 18 GDPR, you may also request the restriction of processing. You are entitled to this right if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data for the specified purposes or you have objected to the processing and we are not permitted to continue processing the data in the latter two cases.
According to Art. 21 GDPR, you have the right to object to the processing of your personal data if we process your personal data solely on the basis of our legitimate interests and there are reasons for this arising from your particular situation. If your objection is directed against direct marketing, you have a general right to object without specifying reasons.
In addition, pursuant to Art. 20 GDPR, you may request that we transfer your data to you or to another controller in a structured, commonly used and machine-readable format.
Furthermore, you have the right to lodge a complaint with the data protection supervisory authority pursuant to Art. 77 GDPR in conjunction with § 19 BDSG. You can exercise this right, for example, with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for longer if necessary for the assertion, exercise or defence of legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending ourselves against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 para. 2 GDPR.
You have the right to withdraw your consent at any time. This means that we will no longer continue the data processing based on this consent in the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If the objection is directed against data processing for direct marketing purposes, you have a general right to object, which we will implement without requiring you to state reasons.
If you wish to exercise your right of revocation or objection, an informal notification todatenschutz@enpal.de is sufficient.
Within the scope of the operation of the Enpal website or the initiation and execution of contracts, there is no automated decision-making or profiling within the meaning of Art. 22 GDPR that has legal effect on you or significantly affects you in a similar manner.
We occasionally update this privacy policy, for example when we modify our website or when legal or regulatory requirements change.