EWE TRADING Statement on Data Protection

Use of our website and creation of log files

When you visit our website, EWE will automatically record data and information provided by your computer or terminal. The following data will be collected:

• IP address or the domain name of the computer submitting the request
• time and date of your visit
• web pages visited
• name of your internet provider
• where applicable, your computer’s operating system and browser software
• the website from which you reach EWE

This data is collected and processed in order to safeguard the security of our system. Your IP address will be deleted within 7 days at the latest. EWE reserves the right to process your data further in anonymised form.

Data is processed in accordance with Art. 6 (1f) of the General Data Protection Regulation (GDPR).

Getting in touch

If you have a request or an issue you would like to notify us of, you can use our contact form to get in touch with us. EWE will collect the following data when you contact us: your title, first name, last name, address, email address, customer number (if you are a customer) and your reason for contacting us. This data will be used in order to process and respond to the issue which you have contacted us about. Deletion of this data will depend on the nature of your concern.

Data is processed in accordance with Art. 6 (1f) GDPR.

We use cookies and similar technologies (e.g. Web Storage objects) on our website. These are stored on your device if you have given consent for services that require it pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG, or where such services are strictly necessary for operating the website pursuant to Art. 6(1)(f) GDPR in conjunction with § 25(2) no. 2 TDDDG. A list of all services used can be found further below in this Privacy Notice.

Cookies are text files stored by your browser on your device and transmit certain information to the party setting the cookie (in this case to us or our partners). Web Storage is a technical means of storing data in the browser. Unlike cookies, the data are not transmitted to the server but stored by the user’s browser.

Cookies may be used on our website for the following purposes:

“Essential”

Essential cookies are strictly necessary for the operation and basic functions of our website. They enable, for example, navigation across our site and the use of the login area. The following categories of personal data may be processed, for example:

• Technical user data (including IP address, browser data, language settings)
• IP address
• Timestamp

Essential cookies do not store personal data for analytics, marketing or tracking purposes.

Processing is carried out pursuant to Art. 6(1)(f) GDPR in conjunction with § 25(2) no. 2 TDDDG on the basis of our legitimate interest in providing a functional and user-friendly website. No consent is required for these cookies.

“Tracking: Marketing”

Marketing cookies are used to analyse user behaviour on our website and to draw conclusions for serving personalised advertising. Technologies are used that record information about page views, click behaviour, demographic characteristics and interests, and link these to existing user profiles. The following categories of personal data may be processed, for example:

• Technical user data (including IP address, browser data, language settings)
• IP address
• Timestamp
• User behaviour (including click path)

This processing enables us to target advertising campaigns at specific audiences, measure their effectiveness and improve the user experience through relevant content. The data collected may also be disclosed to third-party providers and processed by them.

Processing takes place on the basis of consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.

“Tracking: Measurement”

To improve user friendliness and optimise our online offering, we use web analytics tools. These enable statistical evaluation of user behaviour on our website, for example by recording page views, dwell time, referrers and interactions. The following categories of personal data may be processed, for example:

• Technical user data (including IP address, browser data, language settings)
• IP address
• Timestamp
• User behaviour (including click path)

Your data are not shared with third parties. Processing takes place on the basis of consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.

“Settings/external content”

To provide multimedia content such as videos, we integrate external services. In doing so, content is loaded and displayed directly from third-party providers. Retrieving such content may transmit personal data (e.g. IP address, device information) to the respective providers. Cookies may be set and connections to advertising networks may be established. The following categories of personal data may be processed, for example:

• Technical user data (including IP address, browser data, language settings)
• IP address
• Timestamp
• User behaviour (including click path)

These contents are displayed after consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.

Further information about all cookies used can be found here.

You can adjust the consent you have given and withdraw it at any time via our consent management platform “consentmanager” using the icon in the lower left-hand corner of this page.

Online job applications

If you submit a job application to the EWE Group, we will process your personal data in order to handle your application. Your applicant data will only used be for this purpose and as permitted by law. Your data is always handled confidentially. We only collect personal data from you that is required for the application process. Your data will be made available to the managers of the respective Group company.

EWE will collect the following data if you apply for a job:

Mandatory fields: title, first name, last name, email address, password, postcode, telephone number

Voluntary details: date of birth, address, alternative telephone number, whether you are disabled, application documents submitted

Your data will be deleted, at the latest, three months after the application process has been concluded. Irrespective of this, as part of your online application you can view, edit or delete your data and your attached documents (e.g. your CV) at any time. The controller within the meaning of Art. 4 of the GDPR is the Group company named in the respective job advertisement. In the case of speculative applications, the Group company receiving the speculative application is the organisation responsible.

Data is processed in accordance with Art. 6 (1f) GDPR.

Meta Pixel

We use the Meta Pixel on our websites to optimise our advertising offering, provided you have given the corresponding consent to Meta. Further information about this service and Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), as well as Facebook’s privacy information, is available at:  https://www.facebook.com/privacy/explanation. The information collected is stored on Facebook servers, including in the United States. Since 10 July 2023 there has been an adequacy decision (“Transatlantic Data Privacy Framework”) between the EU and the USA. In addition, Meta’s parent company is certified under the Transatlantic Data Privacy Framework. More information on the adequacy decision can be found at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en?prefLang=de.

If you use a Facebook user account, this can be recognised for the Meta Pixel on our websites via the cookie that is set, through which the usage data collected for analytics and marketing purposes are transmitted to Facebook/Meta. You can review and/or deactivate this data collection and the further processing and use of the data by Meta directly with Meta. The Meta Pixel is a JavaScript code that transmits the following data to Meta: HTTP header information (including IP address, information about the web browser, page location, document, URL of the website and the browser’s user agent, as well as the date and time of use); pixel-specific data, including the pixel ID and Meta cookie data, including your Facebook ID (these data are used to link events to a particular Meta advertising account and to assign them to a Facebook user). If you wish to object to the use of the Meta Pixel, you can set an opt-out cookie with Facebook or disable JavaScript in your browser. If you do not want Meta to associate the information collected directly with your Facebook user account, you can deactivate the remarketing function “Custom Audiences” at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen (you must be logged in to Facebook). Further information is available at https://www.facebook.com/policy.php.

Processing of the data takes place pursuant to Art. 6(1)(a) GDPR. The legal basis for setting the cookie is your consent under § 25(1) TDDDG. You can also withdraw your consent for data processing and/or the use of cookies at any time via the icon at the bottom left of the visited website. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For further information about our consent management platform “Consentmanager”, please refer to the section “Consentmanager”.

Google Analytics

This website uses Google Analytics, a web analysis service provided by Google Inc. (Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA). Google Analytics uses “cookies”, i.e. text files which are stored on your computer and which make it possible to analyse your use of this website. The information generated by the cookie on your use of this website is normally transferred to a Google server in the USA and stored there. For the web analysis services provided by Google Analytics, we use the add-on “gat._anonymizelp”. Through this add-on, Google shortens and anonymises the IP address for an internet connection if our website is accessed from a member state of the European Union or other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google will not pool this IP address with other data in this respect. Google will analyse this information on behalf of the website operator in order to produce reports on website activities and to provide the website operator with further related services on this basis. These cookies will be automatically deleted following a period of 14 months.

More information: Terms of Service | Google Analytics – Google

The processing of data takes place pursuant to Art. 6(1)(a) GDPR. The legal basis for setting the cookie is your consent under § 25(1) TDDDG. You can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

You can also withdraw your consent to data processing and/or the use of cookies at any time via the icon in the lower left-hand corner of the page you are visiting. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For further information about our consent management platform “Consentmanager”, please refer to the section “Consentmanager”.

You can subscribe to receive so-called push notifications. For this we use the “CleverPush” service (CleverPush GmbH, Nagelsweg 22, 20097 Hamburg).

Through our push notifications you will regularly receive information on selected topics as well as other content that is likely to be of interest to you.

To subscribe to push notifications, you must confirm your browser’s and/or device’s prompt to allow notifications. This process is documented and stored by CleverPush. The time of subscription and a push token and/or device ID are stored. These data serve, on the one hand, to enable us to send you push notifications and, on the other, as proof of your subscription. The legal basis for this processing is your consent pursuant to Art. 6(1)(a) GDPR.

CleverPush also provides statistical analysis of our push notifications. CleverPush can recognise whether and when our push notifications were displayed and clicked. This allows us to determine which notifications interest recipients so that we can tailor future messages to the presumed interests of all recipients and thereby increase interest in our offering. In addition to the push token and/or device ID, we also store the thematic focus of the app on which push notifications were enabled. We likewise use this information to send push notifications that are likely to be in the relevant subscribers’ interests. The legal basis for this processing is Art. 6(1)(f) GDPR. A push token and/or device ID will only be linked to a specific person if we are legally obliged to do so, to defend claims against us, where required as evidence, or to pursue potential breaches of the law.

You may withdraw your consent to the storage and use of your personal data for receiving our push notifications at any time with future effect. You may also object at any time to the processing of personal data described above on the basis of Art. 6(1)(f) GDPR. To do so, please withdraw your consent. You can withdraw consent in the relevant settings for receiving push notifications in your device and/or browser.

Your data will be erased as soon as they are no longer required for the purpose for which they were collected. Your data will therefore be stored for as long as your subscription to our push notifications is active.

The unsubscription process is explained in detail at: https://cleverpush.com/faq.

To speed up the retrieval of content (e.g. images) and to mitigate attacks, CleverPush uses, under a processing agreement based on the Standard Contractual Clauses, services from cloudflare.com, an offering of Cloudflare, Inc.

CleverPush does not store data containing personal data on Cloudflare’s servers, but only general content such as text or images. When such content is retrieved, your device establishes a connection to Cloudflare and your device’s IP address is processed.

Consentmanager

We use Consentmanager (consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg) to obtain consent for data processing and/or the use of cookies or comparable functions. With “Consentmanager” you can grant or refuse consent for certain functionalities on our website, e.g. for the integration of external elements, statistical analysis, reach measurement and retargeting. Using “Consentmanager” you can give or refuse consent for all functions, or give consent for individual purposes or individual functions.

A pseudonymised cookie is used to store your cookie consent, in which your cookie preferences are saved. The cookie is necessary for controlling the website. The provider collects and/or stores the following data:

• Your anonymised IP address
• An anonymised, randomly generated encrypted key
• Date and time of consent
• Consent status
• Where applicable, your computer’s operating system and browser software
• The website from which you visit EWE.

Further information is available at https://www.consentmanager.de/datenschutz/.

Processing is carried out pursuant to Art. 6(1)(c) GDPR, Art. 6(3) sentence 1(a) GDPR, Art. 25 GDPR, Art. 5(2) GDPR and, on a subsidiary basis, Art. 6(1)(f) GDPR. Our legitimate interests in processing that goes beyond obtaining and demonstrating consent lie in the analysis of consent rates. We store the cookie required to record your consent on the basis of § 25(2) no. 2 TDDDG.

A list of all cookies set on the website can be found at the very end of this Privacy Notice.

Google Tag Manager

This website uses Google Tag Manager, a cookie-less domain that does not collect personal data. The provider is Google Inc. (Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA). The tool triggers other tags that may themselves collect data. Google Tag Manager does not access these data. If you have deactivated something at domain or cookie level, this remains in place for all tracking tags implemented via Google Tag Manager. Use of Google Tag Manager is in the interest of the simple administration and development of our website. Google Tag Manager enables efficient control of content across different pages, reduces the potential for errors, prevents outdated processes and thereby also contributes to secure user experiences. The legal basis is Art. 6(1)(f) GDPR.

Since 10 July 2023 there has been an adequacy decision (“Transatlantic Data Privacy Framework”) between the EU and the USA. Google is also certified under the Transatlantic Data Privacy Framework. More information on the adequacy decision is available at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_de.

Further information: https://www.google.de/intl/de/policies/privacy.

Who EWE discloses data to

We disclose your data to processors pursuant to Art. 28 GDPR. Your data are processed by the processor only within the legal framework and on our instructions. We are responsible for data processing carried out by the processor.

For the provision of our services, we may disclose your data to cooperation partners. This occurs either on the basis of a legal permission or where you have given your consent.

In certain cases, we are also obliged to disclose your data to public authorities.

Data transfers to third countries

In some cases we transfer personal data to a third country outside the EU, e.g. to the USA. Since 10 July 2023 there has been an adequacy decision (“Transatlantic Data Privacy Framework”) between the EU and the USA. We only use services that are certified under the Transatlantic Data Privacy Framework or provide appropriate safeguards. More information on the adequacy decision is available at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_de. Further information on the respective services can be found above.

Automated individual decision-making

We do not use solely automated decision-making within the meaning of Article 22 GDPR. Should we use such procedures in individual cases in future, we will inform you separately, where required by law.

Security measures

We implement extensive technical and organisational security measures to protect the personal data we manage against misuse, accidental or intentional manipulation, and unauthorised access. Our security procedures are continuously improved in line with technological developments.

Your rights

Where we process personal data relating to you, we will, upon request, provide information on the categories of data concerned, the purposes of use, any recipients or categories of recipients, and the planned storage period.

You have the right to request the rectification and/or completion of inaccurate and/or incomplete data.

If data processing is based on consent you have given, you have the right to withdraw that consent at any time with future effect.

If data processing is based on our legitimate interests, you have the right to object to processing on grounds relating to your particular situation (Art. 21 GDPR).

In certain circumstances, you have the right to request erasure of the data, in particular where the data are no longer necessary for the processing, you have withdrawn consent, or you have objected to processing on grounds relating to your particular situation.

Under certain conditions you may request restriction of processing of your personal data, where erasure is not possible and/or the obligation to erase is disputed.

You also have the right to data portability. This means that, upon request, we will provide your data in a machine-readable format.

You have the right to lodge a complaint with the competent supervisory authority—i.e. the State Commissioner for Data Protection of Lower Saxony.