Data Protection Declaration for the processing of personal data EEX Group
The European Energy Exchange AG informs you within the scope of this data protection declaration about how we and our companies listed below (hereinafter "EEX", "we" or "us") process your personal data, with special attention to the processing of personal data according to the general data protection regulation EU 2016/679 ("GDPR") and the applicable national data protection laws.
Within the scope of this data protection declaration, EEX informs the public about the type, scope and purpose of the personal data collected, used and processed. Furthermore, by means of this data protection declaration, you will be informed about the rights to which you are entitled.
Within EEX, a consistently high level of data protection is guaranteed. We have implemented numerous technical and organizational measures to ensure the most complete possible protection of personal data processed via the websites, IT systems and applications. Nevertheless, internet-based data transmissions can have security gaps, so that complete protection cannot be guaranteed. For this reason, every person concerned is free to transmit personal data to us by alternative means, for example by telephone.
European Energy Exchange AG (EEX)
European Commodity Clearing AG (ECC AG)
Agricultural Commodity Exchange GmbH (ACEX)
EEX Link GmbH (EEX Link)
EEX Power Derivatives GmbH (EPD)
European Commodity Clearing Luxembourg S.à.r.l. (ECC Lux)
Global Environmental Exchange GmbH (GEEX)
Our data protection declaration is based on the concepts used by the European Commission in the adoption of the GDPR and the national data protection laws. The data protection declaration should be easy to read and to understand for the public as well as our customers, business and trade partners. To ensure this, we would like to explain the terms used in advance.
We use the following terms, among others, in this data protection declaration:
2.1 Personal data
Personal data are all information relating to an identified or identifiable natural person (hereinafter "data subject"). Identifiable is a natural person who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
2.2 Data subject
Data subject is any identified or identifiable natural person whose personal data are processed by the controller.
Processing means any operation or series of operations carried out with or without the aid of automated procedures in relation to personal data, such as the collection, recording organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction.
2.4 Restriction of processing
Restriction of processing is the labelling of stored personal data to allow the restriction of their future processing.
Profiling is any form of automated processing of personal data which consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.
2.6 Data controller or controller
The data controller or controller is the natural or legal person, public authority, institution or other body which at its sole discretion / solely or jointly with others decides on the purposes and means of processing personal data
A Processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller
A Recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, authorities which may receive personal data under European Union law or the law of the Member States within the framework of a particular investigation mandate shall not be regarded as recipients.
2.9 Third party
A third party is a natural or legal person, authority, institution or other body other than the data subject, the data controller, the data processor and the persons authorized to process the personal data under the direct responsibility of the data controller or the data processor.
Consent shall mean any informed and unequivocal expression of will voluntarily given by the data subject in the particular case in the form of a declaration or other clear affirmative act by which the data subject indicates his or her consent to the processing of personal data concerning him or her.
For the sake of better legibility, there is no explicit differentiation between the female and the male form. However, both are always meant.
3. Name and address of the controller
The person responsible within the meaning of the GDPR, within other data protection laws in force in the Member States of the European Union and within other provisions of a data protection nature is:
European Energy Exchange AG Augustusplatz 9 04109 Leipzig Germany
If you have any questions or comments on the subject of data protection, please contact the data protection officer.
5. Legal basis for the processing of personal data
We process your personal data in compliance with the applicable data protection regulations.
We only process the data that we require as part of our range of services.
The legal basis for such processing of personal data for pre-contractual and contractual purposes is Art. 6 para. 1 b) GDPR.
In addition, we process your personal data to fulfil legal obligations (e.g. regulatory requirements, commercial and tax storage obligations). In this case, the legal basis for processing is the respective legal regulations in conjunction with Art. 6 Para.1 c) GDPR.
We also process your data if required by Art.6 Para.1 f) GDPR to protect the legitimate interests of us or third parties. This may be necessary in particular to ensure IT security and operation and to advertise our own products and other products of the EEX Group and cooperation partners, as well as for customer satisfaction surveys.
Should we wish to process your personal data for a purpose not mentioned above, we will inform you in advance within the framework of the statutory provisions.
6. Data-Processing in third countries
We process your data on servers and IT systems within the European Union (EU) or within the European Economic Area (EEA). In individual cases, your personal data may also be processed in third countries, which may not offer the same level of protection as the places where you first provided the data. However, we will only transfer your personal data to contractors to companies in third countries if we have agreed with the relevant contractors a standard data protection clause adopted by the European Commission as adequate protection for your personal data.
7. Collecting general data and information about our websites
Our websites collect a series of general data and information each time a person or an automated system accesses the websites. These general data and information (s. chapter 8) are stored in the log files of the server.
This information is required to (1) correctly deliver the content of our website, (2) optimize the content of our website and, if necessary, the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. These anonymously collected data and information are therefore evaluated statistically and additionally evaluated with the aim of increasing data protection and data security whitin EEX in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
8. Categories of personal data and purposes of our processing
We process the following categories of your personal data for the following purposes:
8.1 Users of the websites and SFTP Servers:
For users of the websites and/or SFTP Server, we record the country of origin, the address of your internet service provider (IP or URL) or the server name, the name of the website from which you are visiting us, the name of our websites that you have visited, which operating system and which browser you use, which search term you have entered and the date and duration of your visit for statistical purposes in anonymised form. We use this personal data for the operation of the website, in particular:
for the technical support of the users / for the answering of inquiries
for the operation and administration of our website
for the guarantee of network and data security, insofar as these interests are in accordance with the applicable law and with the rights and freedom of the user in each case
for the prevention and detection of fraud and criminal offences and/or
if we are legally obliged to do so.
Access to info products files.
Some of our websites or SFTP Server also offer the possibility of user registration. If you are registered with us, you can access content and services that we only offer to registered users. In the course of the respective registration process, you provide us with further personal data. Registered users also have the option of changing or deleting the personal data provided during registration at any time if required. Of course, we will also provide you with information about the personal data we have stored about you at any time. We will be happy to correct or delete them at your request, provided that there are no legal storage obligations to the contrary.
8.2 User enquiries by email or contact form:
If you contact us by e-mail or contact form, the information you have provided will be stored for the purpose of processing your inquiry and for possible follow-up questions. In this context, you provide us with the following personal data, for example: Name, company, contact details such as business e-mail address, telephone number and business address, request. We use this personal data to process your inquiries and/or to provide the requested information.
8.3 Recipients of newsletters and advertising:
On our websites you are given the opportunity to subscribe to various newsletters. For legal reasons, a confirmation e-mail in the double opt-in procedure is sent to the e-mail address entered by the person concerned for the first time for sending the newsletter. This confirmation e-mail serves to check whether the owner of the e-mail address has authorized the receipt of the newsletter as the person concerned. The subscription to our newsletter as well as the consent to the storage of personal data, which the person concerned has given us for the newsletter dispatch, can be revoked at any time. For the purpose of revoking your consent, you will find a corresponding link in every newsletter. For the subscription of newsletters we collect personal data such as title, first name, surname, company, e-mail address, telephone, address and newsletter type. We use this data to send you newsletters and advertising for our services and our websites and, if necessary, also to contact you by telephone or by post, insofar as this is legally permissible and provided that you have not objected to the sending of advertising.
8.4 Registration for events:
To be able to invite you to events, we record the title, first name, surname, e-mail address, company and participation in the event.
8.5 Applications and application procedures:
EEX collects and processes the personal data of applicants for the purpose of handling the application procedure. Processing can take place by post or electronically. Please note that application documents sent by email are transmitted unencrypted. To protect your application documents during the transfer, you can contact our human resources department. We then offer you the opportunity to transmit your data to us via secure access. If the person responsible concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents shall be automatically deleted six months after notification of the decision of rejection, provided that no other legitimate interests of the controller stand in the way of deletion. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (“AGG”).
8.6 Social media:
If we integrate social media in our communication and you access their services, the data protection conditions of the social media service used apply.
We use external service providers for the processing and storage of their personal data. For example, our service providers support us in operating our websites, IT systems and applications as well as in carrying out marketing measures (e.g. sending newsletters). Our service providers process data only in accordance with the instructions and under the control of EEX AG and exclusively for the purposes described in this data protection information. We ensure that appropriate technical and organisational precautions are taken to protect your personal data from unauthorised access. We regularly review our security policies, procedures and service providers to ensure the security of our websites, IT systems and applications.
10. Use of website analysis services and cookies as well as profiling
Your personal data may be disclosed both within Deutsche Börse Group and within the EEX Group, for example to fulfil contractual obligations. Should further group mergers with other companies occur in the future or should individual companies belonging to the group decide to establish further subsidiaries, their declaration of consent to this data protection declaration shall continue to apply insofar as compliance with a data protection level comparable with this data protection declaration is ensured.
We may also disclose your personal data to public authorities if required by applicable law. A passing on of your personal data is also permitted if there is suspicion of a criminal offence or the misuse of the services offered on our website. In this case we are entitled to transfer your personal data to the law enforcement authority.
11. Use of website analysis services and cookies as well as profiling
In the case of newsletters, all customer interaction data is also analysed (successful delivery of e-mails, rejected e-mails, opening of e-mails, clicks, conversion, subscription).
For events we save your answer for participation or non-participation.
Under no circumstances will the data we collect be passed on to unauthorized third parties or linked to personal data without your consent.
12. Deletion and blocking of personal data
We adhere to the principles of data avoidance and data economy. We only store your personal data for as long as necessary to achieve the aforementioned purposes or as provided for by the various storage periods provided for by law. After the respective purpose or expiry of the statutory retention periods and insofar as they are no longer required for contract performance or contract initiation, the personal data will be blocked or deleted in accordance with the statutory provisions and state of the art technology.
13. Your rights as a data subject
You have the right to object to the processing of your personal data at any time. If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
We process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising.
If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.
14. Recipient of an objection
The objection can be made form-free with the subject "objection" stating your name, your address and your date of birth and should be addressed to:
European Energy Exchange AG Augustusplatz 9 04109 Leipzig Germany
We have a period of four weeks to process your objection, which in exceptional cases will be extended by a further two months if this is necessary in view of the complexity and number of applications.
15. Your rights as a data subject
As a person affected by the processing of your data, you have the following individual rights:
Right to correct and, if necessary, supplement your personal data processed by us
Right to transparent information about the handling of your personal data processed by us
Right to information about your personal data processed by us
Right of blocking or deletion and the right to be forgotten
Right to limitation of processing
Right to data transferability
Right of objection
Right to revoke consent already given with future effect
Right of appeal to the competent supervisory authority for data protection
If our processing of your personal data is based on your consent, you also have the right to revoke your consent without affecting the legality of our processing on the basis of your consent before its revocation.
Please note that due to legal storage periods we may still be obliged to store certain personal data of yours even after an application for deletion or "right to be forgotten".
The supervisory authority responsible for data protection is:
Sächsischer Datenschutzbeauftragter Herr Andreas Schurig Bernhard-von-Lindenau-Platz 1 01067 Dresden Germany
16 Changes to the data protection regulations
This data protection declaration continues to apply indefinitely from its publication. The validity of this data protection declaration is cancelled by the announcement of a subsequent data protection declaration.