Online Data Protection Policy for
pf4ee-webcheck.eib.org and eequest.eib.org

We appreciate your interest in our online tools, i.e. the PF4EE WebCheck (the Private Finance for Energy Efficiency WebCheck) or the EEQuest (the Energy Efficiency Quick Estimator), and want you to feel secure about the protection of your personal data when visiting this website. We take the protection of your personal data seriously. We want you to know when we collect particular data, and how we use it. In the following, we explain the type, scope and purpose of data collection and the use of your personal data. This information can be retrieved at any time from our website.

In order to guarantee the security of your personal data, such data will be assiduously protected against unauthorised access and unauthorised disclosure, and will not be conveyed to third parties without authorisation.

Please direct any questions regarding this Statement of Online Data Protection Policy or regarding our Privacy Policy more generally to our (external) data protection officer (contact details see below).

 

Name and address of controller

The controller as defined in the General Data Protection Regulation and other data protection laws nationally applicable in the EU member states or other regulations related to data protection is:

adelphi
Alt-Moabit
10559 Berlin
Germany

Phone +49 30 8900068-0
Fax +49 30 8900068-10
email: office@adelphi.de
Website: https://www.adelphi.de

 

Name and address of data protection officer

The controller’s data protection officer is:

Sema Karakas
c/o Althammer & Kill GmbH & Co. KG
Thielenplatz 3
30159 Hanover
Germany

Phone: +49 (511) 330603-26
email: privacy@adelphi.de
Website: https://www.althammer-kill.de

 

Purpose of the website and respective data processing

The use of our site is possible without disclosing personal data. Different terms and conditions can apply in respect to the various services on our website, as will be discussed separately below. The voluntary entry of your personal details (for example, your name, address, email, phone number and the like) will only be processed by us according to the provisions of Germany’s data protection laws and will not be passed on to a third party without your express consent. Data will be considered personal if they can be clearly associated with a specific person.

The following will inform you of the type, scope and purpose of the collection, use and processing of personal data by the service provider. Further, the following lines out the type, scope and purpose of the collection of non-personal data which the user can enter in the PF4EE WebCheck and EEQuest online tool to use these tools functionality.

Data entered in the PF4EE WebCheck online tool (www.pf4ee-webcheck.eib.org)

The PF4EE WebCheck is intended to be used by (economic) entities who are interested in implementing an energy efficiency measure and in the respective financing possibilities through PF4EE. The main purposes of the PF4EE WebCheck are the following:

  1. Give users a feedback on the potential eligibility of their investment project for a Private Finance for Energy Efficiency (PF4EE) loan.
  2. Provide users the possibility to obtain an estimate on energy, CO2 and cost savings that can be implied by several standard energy efficiency measures.
  3. Summarize the tool’s estimate on energy, CO2 and cost savings, the indication on PF4EE eligibility and the user’s data input in a pdf summary which the user can download on the last page of the tool. The user can use this pdf summary to present the planned investment to a relevant bank (i.e. a bank participating in the PF4EE instrument).

To facilitate these purposes, the user of the PF4EE WebCheck is asked to enter personal as well as non-personal data into the tool. Whether data is considered personal or non-personal depends on the type of user (i.e. private individual vs. legal entity). For example, the tool requests the following information from the user:

  • Technological details of the planned energy efficiency measure (non-personal data)
  • Energy consumption in the previous year (personal data if private individuals are concerned, non-personal in the case of legal entities)
  • Estimated energy savings from an energy audit or similar, if available (personal data if private individuals are concerned, non-personal in the case of legal entities)
  • Investment costs of the project planned for implementation (non-personal data)
  • Contact details of the person filling in the PF4EE WebCheck (personal data)
  • Address and type of the concerned entity (personal data if private individuals are concerned, non-personal in the case of legal entities)

All personal and non-personal data which is entered by the user in this web-tool is only stored temporarily. This temporary storage of data is necessary in order to process the data and hence provide direct feedback to the user (e.g. estimated CO2 savings) and to produce the pdf summary at the end of the web-tool. The data entered by the user is not stored permanently and is not passed on to third parties.

The pdf summary which can be produced on the last page of the tool is only available to the user. That is, the pdf summary/the information contained there-in will only be conveyed to a third-party if the user pro-actively shares this pdf summary (e.g. if the user sends an email with the pdf summary to a bank participating in PF4EE).

Data entered in the EEQuest online tool (www.eequest.eib.org)

The Energy Efficiency Quick Estimator (EEQuest) is intended to be used by (economic) entities who are interested in implementing an energy efficiency measure. The main purposes of the EEQuest online tool are the following:

  1. Provide users the possibility to obtain an estimate on energy, CO2 and cost savings that can be implied by several standard energy efficiency measures.
  2. Summarize the tool’s estimate on energy, CO2 and cost savings and the user’s data input in a pdf summary which the user can download on the last page of the tool. This summary can, for example, be used to present the planned investment to a potential financer.

To facilitate these purposes, the user of the EEQuest online tool is asked to enter personal as well as non-personal data into the tool. Whether data is considered personal or non-personal depends on the type of user (i.e. private individual vs. legal entity). For example, the tool requests the following information from the user:

  • Technological details of the planned energy efficiency measure (non-personal data)
  • Energy consumption in the previous year (personal data if private individuals are concerned, non-personal in the case of legal entities)
  • Investment costs of the project planned for implementation (non-personal data)
  • Contact details of the person filling in the EEQuest online tool (personal data)
  • Address and type of the concerned entity (personal data if private individuals are concerned, non-personal in the case of legal entities)

All personal and non-personal data which is entered by the user in this web-tool is only stored temporarily. This temporary storage of data is necessary in order to process the data and hence provide direct feedback to the user (e.g. estimated CO2 savings) and to produce the pdf summary at the end of the web-tool. The data entered by the user is not stored permanently and is not passed on to third parties.

The pdf summary which can be produced on the last page of the tool is only available to the user. That is, the pdf summary/the information contained there-in will only be conveyed to a third-party if the user pro-actively shares this pdf summary (e.g. if the user sends an email with the pdf summary to a potential financer).

Processing of your personal data in countries outside the EU and the EEA

Processing of your personal data in countries outside the European Union and the European Economic Area does not take place.

 

General information about data processing

Extent of personal data processing

We process our users’ personal data only to the extent required for providing a functional website and supplying our content and services. We process our users’ personal data regularly only if the respective users have given their consent. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed.

Legal basis for processing personal data

Where we obtain the corresponding data subjects’ consent for processing their personal data, art. 6 paragraph 1 point a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

Where we need to process personal data for the purposes of fulfilling a contract, and the data subject is party to the contract, art. 6 paragraph 1 point b of the GDPR serves as the legal basis. This also applies to processing necessary to accommodate preparations for entering into a contract.

Where processing of personal data is necessary for our company to fulfil a legal obligation, art. 6 paragraph 1 point c of the GDPR serves as the legal basis.

Where processing of personal data is necessary for protecting the vital interests of the data subject, or those of another individual, art. 6 paragraph 1 point d of the GDPR serves as the legal basis.

Where processing is necessary to protect our company's or a third party’s legitimate interests, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, art. 6 paragraph 1 point f of the GDPR serves as the legal basis.

Deletion of data and data storage period

The data subject’s personal data will be deleted or blocked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if such is specified in European or national legislation from European Union Regulations, laws or other provisions to which the controller is subject. Data will also be deleted if a storage period specified in the above standards expires unless conclusion or fulfilment of a contract requires the data to remain on record further.

 

Provision of website and creation of log files

Details and extent of data processing

Any time our website is accessed, our system automatically records data and information concerning the accessing computer.

The following data is recorded:

  1. Information on the browser type and version used
  2. The user’s operating system
  3. The user’s Internet service provider
  4. The user’s IP address
  5. Date and time of access
  6. Websites from which the user’s system reaches our website
  7. Websites the user’s system accesses from our website

This data is also recorded in our system’s log files. This data is not stored together with any of the user’s other personal data.

Legal basis for data processing

The legal basis for temporary recording of this data in our log files is art. 6 paragraph 1 point f GDPR.

Purpose of data processing

Our system needs to temporarily record the IP address in order to provide the website to the user’s computer. This also requires that the user’s IP address remains logged throughout the session.

Recording the data in log files is necessary to ensure that the website operates correctly. The data further helps us optimise the website and ensure that our computer systems remain secure. No data is processed for marketing purposes in this context.

The above purposes also constitute our legitimate interests in data processing under art. 6 paragraph 1 point f GDPR.

Data storage period

The data is deleted as soon as it is no longer required for achieving the purpose for which it was recorded. With respect to data being recorded in order to provide the website, the data is no longer required as soon as the respective session ends.

With respect to data being recorded in log files, the data is no longer required after fourteen days at the latest. Data may remain on record for longer. If so, the users’ IP addresses are deleted or rendered untraceable to make identification of the accessing client impossible.

Right to object and options for avoidance

The website cannot be provided without recording the data and the operation of the site in the Internet is impossible without storing the data in log files. There is correspondingly no option for the user to object.

 

Use of cookies

Details and extent of data processing

Our website uses cookies. Cookies are text files saved in the Internet browser or by the Internet browser on the user’s computer. When a user accesses a website, a cookie may be stored in the user’s operating system. This cookie contains a unique character string that allows the website to identify the browser when it accesses the website again.

We use cookies to improve the user experience when accessing our website. Some of our website’s elements need to be able to identify the accessing browser even after it has left the site.

The following data is recorded and transferred in the cookies:

  1. Availability of JavaScript in the browser

Our website further employs cookies that facilitate analysis of the users’ web-surfing behaviour.

This can entail transfer of the following data:

  1. Randomly generated user ID
  2. Time of first access
  3. Time of last access
  4. Number of visits

User data recorded this way is pseudonymised through technical measures. It cannot be used to identify the accessing user. This data is not stored together with any of the user’s other personal data.

Legal basis for data processing

The legal basis for using cookies to process personal data is art. 6 paragraph 1 point f GDPR.

Purpose of data processing

The purpose of using technically necessary cookies is to make using our website easier for users. Several of our website’s functions will not work without using cookies. These functions require the browser to be recognised again after leaving and returning to our website.

The following functions require cookies:

  1. Detection of JavaScript support

The user data recorded in technically necessary cookies is not used to create user profiles.

We use analysis cookies to improve the quality of our website and its contents. The analysis cookies tell us how the website is being used and this way allow us to keep on improving it.

For further details on the analysis cookies used, refer to the section on web analysis by Matomo below.

The above purposes also constitute our legitimate interests in processing personal data under art. 6 paragraph 1 point f GDPR.

Data storage period, right to object and options for avoidance

Cookies are stored on the user’s computer and transferred to us by that computer. As the user, you therefore have complete control over the use of cookies. You can restrict or prevent your computer from sending cookies by adjusting your Internet browser’s settings. You can delete any saved cookies at any time. You can even automate deletion. If you disable cookies for our website, you may no longer be able to use the site’s full range of functions.

 

Encryption

To keep your data secure during transmission, we use the latest state of the art in encryption technology (e.g. TLS/SSL) via HTTPS.

 

Contact by email

Details and extent of data processing

You have the option to contact us under the email address provided. If you do so, we will store the personal user data included in the email.

We will not give this data to anybody else. The data will be used solely for handling our conversation.

Legal basis for data processing

The legal basis for processing data received as part of email communication is art. 6 paragraph 1 point f GDPR. If email communication pursues conclusion of a contract, the legal basis shall further be art. 6 paragraph 1 point b GDPR.

Purpose of data processing

Where users contact us via email, this also constitutes the legitimate interest in processing the data.

Data storage period

The data is deleted as soon as it is no longer required for achieving the purpose for which it was recorded. In terms of the personal data received by email, this applies when the respective conversation with the user has concluded. The conversation has concluded when the circumstances indicate that the respective subject has been fully resolved.

Right to object and options for avoidance

All users can at any time withdraw their consent to our processing their personal data. If a user contacts us by email, they can object at any time to our storing their personal data. If they do so, the conversation cannot be pursued further.

You can withdraw your consent and object to our storing data by phone (name and address of controller) or by sending an email to withdrawal@adelphi.de.

If you do so, we will delete all personal data recorded as part of our contact.

 

Web analysis by Matomo (formerly PIWIK)

Extent of personal data processing

We use the open-source tool Matomo (formerly PIWIK) on our website to analyse our users’ surfing behaviour. The software stores a cookie on the user’s computer (see above for more on cookies). When any part of our website is accessed, the following data is stored:

  1. Two bytes of the accessing system’s IP address
  2. Date and time the site was accessed
  3. Website accessed (name and URL)
  4. Website from which the user has reached the accessed website (referrer)
  5. Subdomains accessed from the accessed website
  6. Duration of the visit to website
  7. How often the website is accessed
  8. Screen resolution
  9. Time as in user’s time zone
  10. Files clicked and downloaded
  11. Links clicked to external websites
  12. Page build-up time (time required for the page to be generated and displayed)
  13. User’s location: country, region, town, approximate latitude and longitude (geoposition) based on Internet access point
  14. Browser’s principal language
  15. Browser’s user agent
  16. Information about the selected measures (type, entered investment amounts and eligibility)

This software runs only on the servers hosting our website. Users’ personal data is saved there and nowhere else. The data is not made accessible to third parties.

The software is set so that it does not save the full IP address but instead masks 2 bytes of the IP address (example: 192.168.xxx.xxx). This makes it impossible to associate the truncated IP address with the accessing computer.

Legal basis for processing personal data

The legal basis for processing the users’ personal data is art. 6 paragraph 1 point f GDPR.

Purpose of data processing

Processing the users’ personal data allows us to analyse their surfing behaviour. By analysing the obtained data, we can compile information on how the various components of our website are used. This helps us keep on improving our website and its user experience. The above purposes also constitute our legitimate interests in processing the data under art. 6 paragraph 1 point f GDPR. Anonymising the IP addresses adequately satisfies the users’ interests in protecting their personal data.

Data storage period

The data is deleted as soon as we no longer need them for our records.

In our cases, this corresponds to six months later.

Right to object and options for avoidance

Cookies are stored on the user’s computer and transferred to us by that computer. As the user, you therefore have complete control over the use of cookies. You can restrict or prevent your computer from sending cookies by adjusting your Internet browser’s settings. You can delete any saved cookies at any time. You can even automate deletion. If you disable cookies for our website, you may no longer be able to use the site’s full range of functions.

We offer our users the option to opt out of the analysis process. To do so, follow the corresponding link. This will save another cookie to your system which tells our system not to store your user data. If you delete this cookie from your system later, you will need to set the opt-out cookie again.

[piwik-optout]

If your personal data is processed, you are a data subject as defined in the GDPR and consequently have the following rights:

 

Data subject’s rights

If your personal data is processed, you are a data subject as defined in the GDPR and consequently have the following rights:

Right of access

You are entitled to request information from the controller on whether we are processing any personal data related to yourself.

If we do, you can further request information from the controller on the following:

  1. the purposes to which the personal data is being processed;
  2. the categories of personal data processed;
  3. the recipients or categories of recipients to whom the personal data relating to yourself is or will be disclosed;
  4. the period for which the personal data relating to yourself is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period;
  5. whether you are entitled to demand correction or deletion of the personal data relating to yourself, to demand limitation of processing by the controller or to object to processing;
  6. whether you are entitled to file a complaint with a supervisory authority;
  7. everything available on the data’s source if the entity you are enquiring with did not obtain it themselves;
  8. whether there was any automated decision-making and profiling as per art. 22 paragraphs 1 and 4 GDPR and – at least where such was the case – useful information on the underlying logic and the impact and pursued effects of this processing on the data subject.

You are entitled to request information on whether the personal data relating to yourself will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to art. 46 GDPR related to the transmission.

Right to rectification

You are entitled to request that the controller corrects and/or completes the personal data relating to yourself if this data is incorrect or incomplete. The controller is obliged to do so without delay.

Right to restriction of processing

You can request limits to the processing of personal data relating to yourself if the following applies:

  1. If you contest the correctness of the personal data relating to yourself for a period that allows the controller to check the data's correctness;
  2. Processing of the data is illegal and you object to deletion of the data in favour of restricting the personal data’s use;
  3. The controller no longer requires the personal data for the purposes of processing, but you need them to legitimise, exercise or defend a legal claim;
  4. You have objected to processing in accordance with art. 21 paragraph 1 GDPR and it has not yet been established whether the controller’s legitimate interests outweigh your own.

If processing the personal data relating to yourself has been limited, the data can without your consent be used neither to assert, exercise or defend legal claims nor to enforce protection of another individual’s or legal entity’s rights nor can it be processed in the public interest of the European Union or one of its member states. This does not apply to the storing of the data.

If processing has been restricted in accordance with the above conditions, you will be notified by the controller before any restrictions are lifted.

Right to erasure

a) Obligation to delete

You can request that the controller delete the personal data relating to yourself immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies:

  1. The personal data relating to yourself is no longer required to achieve the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent, under which processing became legitimate as per art. 6 paragraph 1 point a or art. 9 paragraph 2 point a GDPR, and there is no other legal basis for processing.
  3. You object to processing as per art. 21 paragraph 1 GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per art. 21 paragraph 2 GDPR.
  4. The personal data relating to yourself have been processed unlawfully.
  5. Deletion of the personal relating to yourself is necessary for the controller to fulfil a legal obligation imposed upon them by European Union law or the national laws of European Union member states.
  6. The personal data relating to yourself has been collected in connection with the offer of information society services as per art. 8 paragraph 1 GDPR.

b) Notification of third parties

If the controller has published personal data relating to yourself and has become obliged to delete it as per art. 17 paragraph 1 GDPR, the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.

c) Exceptions

The right to erasure becomes void if processing is necessary

  1. to exercise of the right to free expression and information;
  2. to fulfil a legal obligation requiring the controller to process the data imposed upon them by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the controller;
  3. in the interests of public health and safety as per art. 9 paragraph 2 points h and i and art. 9 paragraph 3 GDPR;
  4. for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per art. 89 paragraph 1 GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes;
  5. to assert, exercise or defend legal claims.

Notification obligation

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is under obligation to notify all recipients to whom the personal data relating to yourself has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The controller is exempted from this obligation where such notification proves impossible or unreasonable.

You have the right to be informed of who these recipients are.

Right to data portability

You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without the controller to whom you have provided the data hindering you from doing so and if

  1. you have consented to processing as per art. 6 paragraph 1 point a GDPR or art. 9 paragraph 2 point a GDPR or processing is governed by a contract as per art. 6 paragraph 1 point b GDPR and
  2. processing occurs using automated methods.

When exercising this right, you can further request controllers to send the personal data relating to yourself directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others.

The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller.

Right to object

You are entitled to object for reasons arising from your own personal situation at any time against processing of personal data relating to yourself where processing is legitimised by art. 6 paragraph 1 points e or f GDPR; this applies in equal measure to profiling legitimised by these provisions.

The controller will cease to process your personal data unless they can prove compelling legitimate reasons for processing that override your interests, rights and liberties or processing pursues the assertion, exercise or defence of legal claims.

If personal data relating to yourself is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising.

If you object to processing for direct advertising, the personal data relating to yourself will no longer be processed for this purpose.

You may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications.

Right to withdraw your consent under data protection law

You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect legitimacy of any processing that has occurred with your consent prior to withdrawal.

Automated individual decision-making, including profiling

You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself, if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision

  1. is necessary to allow conclusion or fulfilment of a contract between yourself and the controller,
  2. is legitimate under the legal provisions of the European Union or its member states to which the controller is subject and these legal provisions include appropriate measures safeguarding your rights, liberties and legitimate personal interests or
  3. is made with your express consent.

However, such decisions may have been made based on personal data of special categories as per art. 9 paragraph 1 GDPR unless art. 9 paragraph 2 points a or g GDPR also apply and appropriate measures have been taken to protect your rights, liberties and legitimate personal interests.

With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the controller’s, to put forward your own opinion and to contest the decision.

Right to complain with a supervisory authority

If you believe that processing of personal data relating to yourself is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state you, your place of work or the locale of the alleged infringement are in. This does not affect your recourse to other administrative or judicial remedies.

The supervisory authority receiving the complaint will keep the appellant up to date on status and results of the complaint, including on recourse to judicial remedies as per art. 78 GDPR.

Changes to our data policy

We reserve the right to amend this data policy to keep it in line with the latest legal requirements or to adjust it to reflect changes to our services, e.g. if we introduce new services. The latest version of our data policy will apply to any further visits.

 

Latest version: 17 October 2018