With this privacy statement, we want to inform you of the scope in which and the purpose for which personal data is processed in connection with access to our websites (www.sunnyportal.com, www.sunnyplaces.com, ennexos.sunnyportal.com) and use of our online services. Personal data is data that allows inferences to be made about you, directly or indirectly, e.g. your name, e-mail address, usage data, or user behavior.
As the operator of the websites www.sunnyportal.com, www.sunnyplaces.com, and the portal accessible via ennexos.sunnyportal.com, we – SMA Solar Technology AG, Sonnenallee 1, 34266 Niestetal – are the controller responsible for processing personal data. You will find our contact details under the corporate information on the websites and online services. If you have questions about the processing of your personal data, you are welcome to contact us (see information on this in section "Data Protection Officer and Contact").
Provision of and Access to Websites (Log Files)
Each time our websites are accessed, we collect the following information regardless of registration: the IP address of your end device, the query from your web browser and the time of this query, status and transferred data quantity, product and version information for the web browser used, and the operating system of the end device as well as the website from which our website was accessed. This data is typically stored for three months and then automatically deleted.
We use this data to operate our website, particularly to identify and remedy errors in order to determine the utilization of our online services and make adjustments or improvements. These purposes also constitute our legitimate interest in data processing pursuant to Article 6 (1f) GDPR, which is the legal basis for this processing.
Cookies are used on our websites, as with many websites. Cookies are small text files that are sent from our webservers to your web browser when you access our websites and are kept on your computer for later access. Cookies enable us to identify the end device you use and to make any default settings immediately available.
The purpose of using cookies is to ensure the functionality of our websites (see additional information on "Required Cookies"), to capture statistics on the use of our websites, and to evaluate optimization (see additional information under "Analysis Cookies").
We use both session cookies and permanent cookies. Session cookies are automatically deleted at the end of the browser session. In contrast, permanent cookies have a longer storage period and are stored for the predetermined amount of time.
Most web browsers are set up to automatically accept cookies. However, you can disable cookie storage or set up your web browser so that it notifies you as soon as cookies are sent. It is also possible to manually delete previously stored cookies using the web browser settings. Please note that if you do not accept the storage of cookies, you may have restricted access to our website or none at all.
Some cookies are necessary for you to be able to use our websites. We use these cookies to record and save certain user settings and information, for instance, in order to identify and/or authenticate the user (e.g. to use the log-in function).
These cookies are used on the basis of Article 6 (1f) GDPR. If these cookies are not used, the websites' offerings and your access or use of the websites will be possible only to a very limited extent or not at all.
We use analysis cookies to allow us to record the usage patterns (e.g. advertiser banner clicks, subpage visits, search queries) of our users and to statistically evaluate them. We use the Google Analytics tool for these purposes. You can find additional information on this in the section "Use of Google Analytics."
The legal basis for this processing is our legitimate interest (Article 6 (1f) GDPR) in improving and optimizing the quality of our websites and their content and in reviewing and improving the range and discoverability of our websites.
Use of Google Analytics
On our websites, we use Google Analytics and/or Google Universal Analytics, a web analytics service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google").
In conjunction with the use of Google Analytics, we create pseudonymized usage profiles. Unless express consent is granted separately, these pseudonymized usage profiles are neither combined with personal data about the pseudonym holder nor with the IP address sent by your web browser.
You can prevent Google from collecting the data generated by the cookie and related to your use of the website and from processing it by downloading and installing the web browser plug-in available via the following link: tools.google.com/dlpage/gaoptout.
Sign-Up for Our Online Services
If you sign up for our online services on our website, you will have the opportunity to use all of the services we offer for registered users. If you sign up for one online service, this registers you for all our online services that are covered by this privacy statement, and you can use the same login credentials to log into each online service.
In order to use the online services, you must create a user account. You will be prompted to provide several pieces of information about yourself when setting up your user account. Mandatory fields in this process are marked as such. You may view and change the information provided by you in your user account at any time. The information about you includes first name, last name, company, company address, VAT ID number, contact details (phone number, fax number, e-mail address). In any case, you must also provide an e-mail address and password when signing up. If you would like to make use of particular services, you may be prompted to provide additional information.
Your user account will be used to perform contractual services for you. The legal basis for this processing is the initiation of a contract conclusion at your request pursuant to Article 6 (1b) GDPR and our legitimate interest in designing our online services pursuant to Article 6 (1f) GDPR.
Collection and Use of Equipment Data
Equipment Baseline Data and Performance Data
Once you have set up a user account, you can register one or more pieces of Equipment. When a piece of Equipment is registered, we collect and save the baseline data provided or transmitted (e.g. from Sunny Design) by you for the Equipment ("Equipment Baseline Data"), e.g. Equipment name, date of commissioning, location, PV system operator, and other technical details.
If a piece of Equipment has been registered, we collect and save performance data for this Equipment ("Performance Data"), e.g. performance values for PV generation, grid-supplied power and grid feed-in, any battery charging and discharging, as well as electric currents, voltages, and other measured values for devices. Performance data must be collected in order to render the services we offer, especially to graphically display and statistically evaluate energy production and consumption by your Equipment and to report malfunctions.
Equipment Baseline Data and Performance Data must be processed in order to fulfill the contract of use concluded with you pursuant to the particular contractual provisions that apply. The legal basis for processing is Article 6 (1b) GDPR.
Aside from providing the services offered as part of our online services, we also use the Performance Data to draw up statistics, evaluations, and prognoses. However, we forward this data to grid operators in an anonymous display format and also depict it in publicly accessible maps. The legal basis for this processing is Article 6 (1f) GDPR (legitimate interests).
Collection and Use of Grid Status Data
We also collect and save general technical data for the utility grid status at the point of interconnection of registered Equipment, referred to as Grid Status Data. The point of interconnection is typically at or near the location of the Equipment. For private households, the connection box is the point of interconnection. For instance, we collect and save the following Grid Status Data: voltage, phase angle, frequency, and impedance. This data is not dependent on individual use of the utility grid and does not allow any inferences to be drawn about the usage of the Equipment, the power consumption, the amount of electric current produced by the Equipment, or other personal circumstances.
We collect and save Grid Status Data in order to support cost-effective grid expansion in the interest of the national economy and to promote the expansion of renewable energy and the integration of increasing e-mobility. To this end, we provide the Grid Status Data to some grid operators and other public utility service providers. When transferred, the Grid Status Data is forwarded citing the address of the Equipment. The address must be cited in order to locate the point of interconnection. No other information is sent. We transfer these records only to grid operators and public utility service providers that operate the utility grid at the corresponding location. The grid operators have considerable interest in the Grid Status Data since they need it for maintenance and for efficient expansion of the utility grid.
The legal basis for this processing is Article 6 (1f) GDPR (legitimate interest). We and the grid operators or the public utility service providers have a legitimate interest in using the Grid Status Data for the purposes stated above.
E-mail Marketing (Newsletter) and Personalization
As a registered user, you can subscribe to a newsletter that we use to notify you of updates, new products, offers, and other promotions.
Please note that the marketing e-mails and our newsletter contain web beacons and/or tracking pixels. These allow us to record and evaluate your user behavior. In particular, we use them to determine when you read our newsletter and what links you click in it. We assign your e-mail address and an individual ID to the data thus obtained, and create a user profile based on this. The data from the Equipment you registered (i.e. Equipment Baseline Data and Performance Data – for content on this data, see section "Sign-Up for Our Online Services") is also saved in this user profile. The described processing and linking of data is used to tailor the newsletter to your personal interests.
To send the newsletter, we use the software product "Pardot" ("Pardot") from Salesforce.com EMEA Limited ("Salesforce"), village 9, floor 26 Salesforce Tower, 110 Bishopsgate, London, UK, EC2N 4AY. The Pardot software/cloud is located on the computers of Salesforce or its parent company Salesforce.com Inc. in the US. As a result, personal data that is collected and processed in connection with our use of Pardot and with sending out the newsletter is stored and processed by Salesforce or its parent company Salesforce.com Inc. on servers in the US. No level of data protection equivalent to the level of data protection in the EU exists in the US. Salesforce.com Inc. is certified in accordance with the EU-US Privacy Shield Framework and has also obtained the TRUSTe Privacy Seal (https://www.trustarc.com/). Salesforce.com Inc. thus offers an additional guarantee of compliance with European data protection laws. For more information on data protection at Salesforce, visit https://www.salesforce.com/company/privacy/.
Salesforce works for us exclusively as a processor and acts in accordance with our instructions.
If you have expressly subscribed to the newsletter, the legal basis for processing your data is your consent pursuant to Article 6 (1a) GDPR.
You may object to this tracking at any time by unsubscribing from the newsletter. To do so, simply use the unsubscribe link included in every newsletter.
Use of Google Maps
We also embed some maps from the Google Maps service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94034, USA ("Google").
If you access a page on our website that contains Google Maps, your web browser establishes a direct link to Google's servers. This allows Google to generally obtain all the information requested from your web browser by Google's webserver. In particular, this includes the IP address, the web browser used, and the operating system of your computer as well as other data typically stored in server log files.
We use Google Maps to make it easier for you to locate the places named on our website. This constitutes a legitimate interest as defined in Article 6 (1f) GDPR, which is also the legal basis for our use of Google Maps.
Transfer of Data
We forward your personal data to third parties only if you have given express consent pursuant to Article 6 (1a) GDPR; the forwarding is necessary to assert, exercise, or defend legal claims pursuant to Article 6 (1f) GDPR and there is no reason to presume you have an overriding legitimate interest in not having your data forwarded; in the event that there is a legal obligation for the forwarding pursuant to Article 6 (1c) GDPR; or if this is required to comply with the contractual relationship with you pursuant to Article 6 (1b) GDPR. We would like to expressly point out that we reserve the right to use other service providers aside from the service providers mentioned in this privacy statement.
Approved Data Transfers
As a registered user, you can approve the transfer of Equipment Data to third parties that you specify. To do so, you must specify in the log-in area which Equipment is approved and to whom the data will be transferred. Once approved, we will allow the third party to access Equipment Data. The third party will thus obtain the Equipment Baseline Data and Performance Data that they access regarding the approved Equipment (for content on Equipment Baseline Data and Performance Data, see section "Sign-Up for Our Online Services"). To clarify, the login credentials for the user account will not be forwarded under any circumstances.
Under this approval, data may be transferred to third parties based in a country outside the European Economic Area (EEA). These countries may not have an adequate level of data protection. In such cases, we do not take any precautions to ensure an adequate level of data protection.
You can prohibit the transfer of data at any time by disabling the approval.
The legal basis for processing this data is Article 6 (1b) (performance of a contract). Use of the approval function falls under the services we offer pursuant to the applicable contractual terms. The legal basis for transfer to a third party in a third country without an adequate level of protection and without suitable safeguards for compliance with the provisions of GDPR is Article 49 (1b) GDPR (performance of a contract).
Data Transfer to SolarCoin
We offer you as a registered user a simple option to register Equipment with the SolarCoin Foundation in order to receive SolarCoin cryptocurrency. To do so, you can approve Equipment for participation in the SolarCoin program in the log-in area. If you grant this approval, we transfer your first and last names, your e-mail address, and the city/town, postcode, street, number, country, commissioning date, and nominal PV system power of the registered Equipment to the two parties involved in the process in order to register the piece(s) of Equipment: SolarCoin Foundation (28 River Valley Road #4245, Greenwich, CT 06831, USA) and SolarLux (2301, 23/F., Bayfield Building, 99 Hennessy Road, Wanchai, Hong Kong). SolarLux is the technical service provider for the SolarCoin Foundation. Through this registration, a contract of use for the use of the SolarCoin program is established between you and the SolarCoin Foundation.
After registration, the SolarCoin Foundation will send a query to the system's energy meter at regular intervals to determine how many SolarCoins (or fractions thereof) should be posted to the user's SolarCoin wallet. All SolarCoin transactions are recorded in the SolarCoin blockchain, which SMA is unable to access.
As part of the registration for SolarCoin and participation in the SolarCoin program, personal data is transferred to a third party (SolarCoin Foundation) based in a country outside the EEA, namely in the US and China (Hong Kong). No level of data protection equivalent to the level of data protection in the EU exists in the US and China. We have not taken any precautions to ensure a level of data protection that broadly meets the requirements of GDPR, and have not concluded any EU standard contractual clauses in particular. The SolarCoin Foundation is not certified under the EU-US Privacy Shield Framework and thus has not assumed any obligation to comply with the data protection requirements that would establish an adequate level of data protection.
The legal basis for processing this data is Article 6 (1b) (performance of a contract). Registration with SolarCoin falls under the services we offer pursuant to the applicable contractual terms. The legal basis for transfer to a third party in a third country without an adequate level of protection and without suitable safeguards for compliance with the provisions of GDPR is Article 49 (1b) GDPR (performance of a contract).
We also transfer data to Salesforce and Google. More detailed information can be found in the sections of this privacy statement that describe the circumstances of the inclusion of tools and services from Salesforce and Google.
As a rule, we always delete or block your personal data when the purpose of the storage no longer exists. However, storage may also take place if this is stipulated by legal provisions to which we are subject, for instance regarding statutory retention and documentation obligations. In such cases, we delete or block your personal data after the end of the relevant provisions.
It is very important to us to describe the processing of personal data as transparently as possible and to inform you of your rights. If you would like more detailed information or want to exercise your rights, you can contact us at any time so that we can address your concern.
Data Subject Rights
With regard to processing your personal data, you are entitled to extensive rights. In addition, you have a comprehensive right of access and may demand the rectification, restriction, and/or erasure or blocking of your personal data, if applicable. With regard to the personal data you transferred to us, you also have the right to data portability.
If you wish to exercise your rights and/or receive more information about them, please contact our data protection officer.
Revoking Consent and Objection
Any consent that you have provided can be withdrawn on request at any time with effect for the future. Withdrawing consent will not affect the lawfulness of the processing that was carried out between the time of consent and withdrawal. Our data protection officer is also the contact person for this matter.
If your personal data is processed on the basis of legitimate interests pursuant to Article 6 (1f) GDPR, you have the right to object to processing of your personal data pursuant to Article 21 GDPR, provided that there are grounds for this relating to your particular situation or if the objection is regarding direct marketing. In the event of the latter, you have a general right to object that we will enforce without specification of a particular situation.
If you conclude that the processing of your personal data by us is not in line with this privacy statement or the applicable data protection requirements, you can lodge a complaint with our data protection officer. The data protection officer will then review the matter and inform you of the result of the review.
In addition to this, you also have the right to lodge a complaint with a supervisory authority.
Data Protection Officer and Contact
Our data protection officer is available, together with their team, to answer questions related to our handling of personal data or to provide more information on issues relating to data protection:
SMA Solar Technology AG
Data Protection Officer
Version of this privacy statement: February 2020