SEFE

Privacy Policy for the Vendor Portal

PRIVACY POLICY FOR THE VENDOR PORTAL OF THE SEFE GROUP

Status: September 2023

This privacy policy applies to the processing of your personal data when using our vendor portal at https://vendorportal.sefe-group.com.

While using our vendor portal, your personal data will be processed by us as the data controller and stored for the period of time required to fulfil the specified purposes and legal obligations. In the following, we inform you about what data is involved, how it is processed and what rights you have in this regard.

According to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person.


1. RESPONSIBILITY FOR DATA PROCESSING AND CONTACT DETAILS

This privacy policy applies to data processing on the website https://vendorportal.sefe-group.com by the data controller:

SEFE Securing Energy for Europe GmbH, Markgrafenstraße 23, 10117 Berlin, Germany
Phone: +49 30 20195 0
Email: presse@sefe.eu

You can reach our data protection officer or our data protection team at the following contact details: SEFE Securing Energy for Europe GmbH, Data Protection, Markgrafenstraße 23, 10117 Berlin, Germany; email: dataprivacy@sefe.eu.


2. DATA PROCESSING AND PURPOSES OF PROCESSING

Which personal data we process in detail and how it is used depends on whether you only visit our website or use the vendor portal as a business partner of the SEFE Group.


WEB HOSTING AND APPLICATION DEPLOYMENT

For the provision of this vendor portal website and application, we use the web hosting service of HCM CustomerManagement GmbH, Schwieberdinger Straße 60, 70435 Stuttgart, Germany, www.hcm.company (hereinafter "HCM").

The provision of the vendor portal requires the commissioning of a web hosting service as well as the provision and support of the application. These services are used in accordance with Art. 6 (1) sentence 1 lit. f GDPR on the basis of our legitimate economic interest in making our offer available on this website. In relation to hosting, HCM processes on our behalf personal data that is collected through the use of the vendor portal website.

We have concluded a data processing agreement with HCM. Through this agreement, the service provider assures that it processes the data in accordance with the GDPR and ensures the protection of the rights of the data subjects.


WHEN VISITING THE WEBSITE OF THE VENDOR PORTAL

You can access our vendor portal website without having to disclose any information about your identity. The browser used on your end device only automatically sends information to our website server (e.g. browser type and version, date and time of access) to enable the website to establish a connection. This also includes the IP address of your requesting end device. This data is temporarily stored in a so-called log file and automatically deleted after less than 30 days, with the exception of IP addresses, which are not logged.

The log file data is processed for technical and administrative purposes of connection establishment and stability, in order to ensure the security and functionality of our website and to be able to pursue any illegal attacks on it if necessary. Only authorised personnel of our service provider who deal with the support of the web service and the application are entitled to access the data.

The legal basis for the processing of the logged data is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the aforementioned security interest and the necessity of a trouble-free provision of our vendor portal website.


WHEN CONTACTING US

On various pages of the vendor portal you will find contact information (email address and telephone number) which can be used to contact us. If you contact us directly via email, we collect your email address as well as any personal data resulting from the text of the email. We also store your telephone number, your contact details and the necessary data provided if you use the telephone numbers to call us.

The processing is based on Article 6 (1) lit. b and f GDPR. The purpose of the data processing and our legitimate interest lie in the care of our business partners and in being able to answer the messages sent to us with your enquiries.


WHEN REGISTERING AS A PORTAL USER

Our portal requires at least one contact person or portal user to be specified as part of the vendor registration process. If only one contact person is specified, this person will also be the so-called vendor administrator, who can create additional portal users or enter information as required, as well as receive email notifications from the portal.


The following data is collected during registration:

Company data of the vendor

  • Company name (mandatory);
  • Company address (mandatory);
  • D-U-N-S® ID, HRB number, tax number (optional);
  • Telephone number (mandatory);
  • Fax number (optional);
  • Internet address (mandatory);
  • Email of the vendor (mandatory);
  • Business address, if different (optional);
  • Main activities. e.g. main products and services (optional);
  • Email address for orders (mandatory);
  • Email address for payment transactions (mandatory);
  • Commodity groups (mandatory);
  • Other fields of activity/comment (optional);
  • Standardised QM systems (mandatory);
  • Bank details (optional);
  • Year of foundation (optional);
  • Company form (optional);
  • Group (optional);
  • Subsidiaries (optional);Company data per year (number of employees, turnover, investment volume, export share, R & D expenditure p.a., management, import share, turnover p.a. last 3 years) (optional).


Personal data of the portal users

  • Salutation (mandatory);
  • First name, last name (mandatory);
  • Function name (optional);
  • Business email address (mandatory);
  • Business telephone number (mandatory);
  • Business Mobile phone number (optional);
  • Fax number (optional);
  • Administrator flag (the administrator receives all Orders and Payment Remittances e-mails by the portal).


Access data of the portal users

  • User ID;
  • User password.

Your personal data is processed on the basis of Article 6 (1) lit. a and b GDPR for the purpose of registration in the vendor portal for you as a portal user in the context of initiating or executing a contract as a business partner of the SEFE Group.

Generally, your account will be kept for as long as necessary to fulfil the purposes for which it was created. After 2 years of inactivity, your account will be deleted. However, you/your company can deactivate your account at any time if you wish.


WHEN USING THE VENDOR PORTAL

When using the vendor portal - after registration as a portal user - we process, depending on the transaction, various personal data from your user account and company information, such as data from credit agencies or market information, which may not be personal:

  • Performed "clicks" in the vendor portal;
  • All settings made in the vendor portal;
  • All entries made in the vendor portal;
  • Login time, session data;
  • False registrations;
  • Pages accessed.

The data is processed in the form of server log files, which are regularly deleted (the duration is less than 30 days) and in which the IP addresses of the users are not logged. Without these log files, it is not possible to use the vendor portal.

The processing of personal data is based on Article 6 para. 1 lit. b and f GDPR. The purpose of the data processing and our legitimate interest lies in the documentation of the contract-relevant actions as well as the audit-proof documentation of the procedure.


3. RECIPIENTS OR CATEGORIES OF RECIPIENTS

Your personal data may be disclosed to the following recipients or categories of recipients.


DATA PROCESSOR

We use service providers who process personal data on our behalf (so-called processors, cf. Art. 4 No. 8, Art. 28 GDPR). These include service providers in the areas of IT, telecommunications and business services. In these cases, we have concluded data processing agreements with the service provider.

The web host and application provider of our vendor portal website is HCM CustomerManagement GmbH. The use of the service by HCM as a processor is carried out in accordance with Art. 6 (1) sentence 1 lit. f GDPR due to our legitimate economic interest in providing our vendor portal for contract customers on this website.


DISCLOSURE TO THIRD PARTIES

Except in the aforementioned cases of commissioned processing, we disclose your personal data to third parties if:

  • you have given your express consent to this pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR,
  • this is necessary for the fulfilment of a contract with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR,
  • there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR.

The data disclosed may be used by the third party exclusively for the purposes stated.


4. TRANSFER OF DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION

A transfer of your personal data to a third country or an international organisation will only take place if this is necessary within the framework of order processing and the conditions according to Art. 44 et seq. GDPR are given.

We only transmit your personal data when

  • sufficient guarantees are provided by the recipient in accordance with Article 46 (1) of the GDPR for the protection of the personal data,
  • you have expressly consented to the transfer in accordance with Art. 49 (1) lit. a GDPR after we have informed you of the relevant risks,
  • the transfer is necessary for the performance of contractual obligations between you and us (Art. 49 (1) lit. b GDPR)
  • or another derogation from Art. 49 GDPR applies.

Guarantees according to Art. 46 GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR.

A "third country" is a state outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered "unsafe" if the EU Commission has not issued an adequacy decision for that country pursuant to Art. 45 (1) GDPR confirming that adequate protection for personal data exists in the country.


5. COOKIES

We use so-called cookies on our vendor portal website to make it technically available and to make its use more pleasant for you.

Cookies are data records that your browser automatically creates and that are stored on your end device (laptop, tablet, mobile or similar) when you visit our site. Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware. With the help of cookies, information is stored that is related to the specific end device used. However, this does not mean that we gain direct knowledge of your identity.

We only use technically necessary cookies. The so-called session cookies help us to recognise that you have already visited individual pages of our vendor portal during your session. These cookies are deleted when you log off or the session expires. The cookies used are classified as technically necessary in accordance with § 25 Paragraph 2 No. 2 of the German Telecommunications Telemedia Data Protection Act (TTDSG). They may therefore be stored on your device or the information stored therein accessed without your consent. The data collected through the technically necessary cookies are not used to create user profiles or analyses.

We base the processing of your data through the cookies used for the aforementioned technically necessary purposes pursuant to Art. 6 (1) lit. f GDPR on our legitimate interest in making our vendor portal website technically available and making its use more convenient for you.


6. AUTOMATIC DECISION-MAKING AND PROFILING

We do not use your personal data for automated decision making including profiling.


7. DATA SECURITY

We use technical and organisational security measures to protect your personal data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. In the case of collection and processing of personal data, the information is transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in line with technological developments.

All data transmitted by you is encrypted using the generally accepted and secure standard TLS (Transport Layer Security). TLS is a tried and tested standard that is also used, for example, for online banking. You can recognise a secure TLS connection by the appended "s" at the http (i.e. ...) in the address bar of your browser or by the lock symbol in the lower area of your browser.


8. YOUR RIGHTS

You have the right:

  • revoke your consent at any time in accordance with Art. 7 (3) GDPR. This has the consequence that we may no longer continue the data processing based on this consent for the future;
  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art. 16 GDPR;
  • pursuant to Art. 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller; and
  • complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

In addition, you have a right to object in accordance with Art. 21 GDPR:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling based on this provision within the meaning of Article 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If you wish to exercise your right of objection or object to data processing, please write to us at Procurement@sefe.eu.


9. UPDATE AND AMENDMENT OF THIS PRIVACY NOTICE

This privacy policy is currently valid and has the status of September 2023.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this privacy policy.

SEFE