1. Controller for data processing
The controller responsible for the protection of your data pursuant to Art. 4 (7) GDPR is SWM Versorgungs GmbH, Emmy-Noether-Straße 2, 80992 Munich, Germany, firstname.lastname@example.org.
You can contact our data protection officer by post at the aforementioned address, citing the reference “Data Protection Officer”, or via email to email@example.com.
2. Data categories as well as purpose and legal basis of data processing
2.1 Data processing for performing your contract (Art. 6 (1) GDPR)
We process personal data for the purpose of fulfilling existing contractual relations or pre-contractual measures (e.g. preparing offers). To this end, we process the following data:
- Personal information (name, date of birth, address, telephone, telefax, email, power of attorney as well as the personal information of the authorized representative and/or alternative invoice recipient)
- Bank details (IBAN, BIC, bank, account holder) and payment information
- Consumption meter details (meter number, current meter reading, contract account number, consumption, address of the point of use, start date of delivery)
- Data of your former supplier (consumption, address data, delivery date)
- Data of your grid operator (address data, forecast consumption)
- Data of your metering point operator
- Visual display of consumption figures and costs on the online portal (after installation of an intelligent metering system)
Furthermore, we collect data on payment patterns in order to recover open amounts and, if necessary, to block accounts or terminate a contract.
2.2 Data processing in the context of the balancing of interests (Art. 6 (1 f) GDPR)
Where required, we process your data beyond the actual performance of the contract in a reliable manner with a view to safeguarding the justifiable interests of ourselves or of third parties in order:
- to provide you with information on products and services from the areas of water, energy production, supply, energy efficiency, electro-mobility and other energy-related products and services
- to carry out measures to improve and develop services and products in order to submit offers and products to you tailored to your needs
- to conduct market and opinion research or to have this carried out by market and opinion research institutes. This enables us to gain an overview of the transparency and quality of our products, services and communication, and to align them to and design them for our customers.
- to consult and exchange data with credit agencies (e.g. Schufa, Creditreform) in order to ascertain credit standing and/or default risks, particularly the existence of preconditions according to Section 31 of the German Federal Data Protection Act (BDSG)
- to assert legal claims and for defense in litigation
- to carry out an identity check and/or to match the data against sanctions lists
- to investigate or prevent punishable offenses
- to find out addresses (e.g. with relocations)
- to use data anonymously for analysis purposes
- to ensure IT security and IT operations
- to manage risks
2.3 Data processing based on consent (Art. 6 (1 a) GDPR)
If you have given us your consent to the processing of personal data for certain purposes (e.g. participation in the SEPA direct debit scheme, advertising, quality assurance, relaying of data within the group), this processing is lawful on the basis of your consent.
You can revoke any consent granted for the processing of personal data at any time. This also applies to the declarations of consent that we were granted before the GDPR took effect, i.e. before May 25, 2018. Please note that any revocation applies only to the future.
You can direct your revocation to the point of contact responsible (see item 1).
2.4 Data processing based on statutory requirements (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)
We are subject to various different statutory obligations for the purpose of which we process personal data. Among other obligations, this includes retention obligations under commercial and tax law, identity checking, the prevention of fraud and money laundering, and obligations under the law to release and provide information and to testify, as well as obligations under the law on the operation of metering points. The legal basis for processing in these cases is the respective statutory provision in conjunction with Art. 6 (1 c) GDPR.
Furthermore, we process personal data in the context of fulfilling duties in the public interest, an example being the area of fresh water supply. The legal basis for the processing in these cases is the respective statutory provision in conjunction with Art. 6 (1 e) GDPR.
3. Data sources
We process the personal data we receive from you in the context of our business relations. In addition, we process the personal data that we are authorized to collect from publicly accessible sources (debtor register, land registry, registers of companies and associations, Internet, press) or that are sent to us by authorized third parties (e.g. address service providers) or other parts of the SWM Group.
4. Required provision of data
Providing the name, address of the point of consumption, meter number and status, consumption as well as, if appropriate, former suppliers is, if not expressly indicated otherwise, necessary for the conclusion of contracts as they cannot be completed without these personal data.
5. Data recipients
Within SWM Versorgungs GmbH, the units that are given access to your data are the ones that need these data for the purposes described under item 2. In as far as is legally permissible (such as in the context of processing a contract) we pass on personal data to third companies in the following categories:
- Energy-related services
- Credit agencies
- IT services
- Grid operators, meter operators and suppliers
- Logistics companies
- Credit institutes and payment service providers
- Print service providers
- Sales partners
- Debt collection service providers and lawyers
- Public agencies and institutions (e.g. social insurance agencies, financial authorities, police, public prosecutor’s office, supervisory authorities) in the event of the respective obligation/entitlement
6. Data transfer to a non-EU country or to an international organization
For certain tasks we use (IT) service providers that, in turn, also use (IT) service providers that may have their headquarters, parent company or computer centers in a non-EU country (outside the European Union and outside the European Economic Area).
The following must apply: The transfer is permissible as there is a legal basis or because you have expressly given your consent to the transfer, and the special preconditions exist for transfer to a non-EU country. This means in particular that the European Commission has decided that an appropriate level of data protection has been set in place in the respective non-EU country (Art. 45 GDPR) or a suitable guarantee (e.g. through the so-called EU standard agreement clause prescribed by the European Commission or the supervisory authority) has been provided, along with establishing enforceable rights and effective legal remedies.
7. Retention period
We delete your personal data as soon as they are no longer necessary for the purpose for which they were collected unless further processing is temporarily required for:
- compliance with statutory archiving obligations that may arise, for instance, under the German Commercial Code (Handelsgesetzbuch – HGB) and the General Fiscal Law (Abgabenordnung – AO). The periods prescribed under these laws run for up to ten years.
- preservation of proof in the context of statutes of limitations. According to Sections 195 et seq. of the German Civil Code (BGB), the statutes of limitations may run for up to thirty years, though the regular statute of limitation is three years.
8. Rights of the data subject
Under Art. 15 GDPR, you have the right to request information at any time about which personal data we hold. This also concerns the recipients or categories of recipients to which these data are relayed and the purpose of storage. Under the preconditions specified by Art. 16 GDPR, you can request the correction and/or under the preconditions of Art. 17 GDPR the deletion and/or under the preconditions of Art. 18 GDPR a restriction on the scope of processing. Moreover, pursuant to Art. 20 GDPR, you may request a data transfer at any time.
You have the right to object to the processing of your personal data when the preconditions specified under Art. 21 GDPR exist.
Furthermore, under Art. 77 GDPR, you have the option of filing a complaint with the data advisory authority.
Right to revocation of consent: You can revoke your consent to the processing of your data at any time for the future. This also applies to the declarations of consent that we were granted before the GDPR took effect, i.e. before May 25, 2018. Please send your revocation to: SWM Versorgungs GmbH, Emmy-Noether-Straße 2, 80992 Munich, Germany, firstname.lastname@example.org.
9. Automated decision making
As a matter of principle, we do not use any automated decision-making pursuant to Art. 22 GDPR. If, in individual cases, we use this procedure, we will inform you by way of a separate notification within the context of the statutory provisions.
10. Revision clause