Privacy policy
Last revised: January 2023
ENERCON GmbH (‘ENERCON’) thanks you for visiting our website at www.enercon.de (‘Website’) and for your interest in our company and our products.
The purpose of this Privacy Statement is to inform you about how we handle your personal data. It applies to the processing of personal data for the purposes of communication through this Website and outside the context of this Website.
Contents
I. Controller; Data Protection Officer 1
II. Definitions 1
III. Data processing when visiting the website 2
IV. Other data processing operations 3
V. Data processing operations in the setting of services and other business operations 6
VI. Presences in social networks 7
VII. Rights as a data subject 9
VIII. Data security 10
IX. Obligations to provide data 11
X. Automated decision-making 11
XI. Information about your right to object 11
XII. Amendments to and updates of this Privacy Statement 11
I. Controller; Data Protection Officer
ENERCON processes your data as a controller.
Contact details: ENERCON GmbH, Dreekamp 5, 26605 Aurich, Germany
E-mail: geschaeftsfuehrung@enercon.de
You can write to ENERCON’s appointed Data Protection Officer at Dreekamp 5, 26605 Aurich, Germany, or send an e-mail to datenschutz@enercon.de.
II. Definitions
The following is an overview of the terminology used in this Privacy Statement. Many terms have been taken from the law and are defined primarily in Article 4 of the General Data Protection Regulation (GDPR). The statutory definitions are binding. The explanations below, however, are intended for a better understanding.
• Cookies: ‘Cookies’ are small text files the web browser stores on the computer (either in the browser folder or the Program Data folder). These text files automatically store specific information about your computer or your internet connection such as the IP address, the browser used, the operating system or similar, which applications reuse for future connections.
• Recipient: ‘Recipient’ means any legal or natural person to whom personal data processed by the Controller are disclosed and who gains access to these data in this way.
• Personal data: ‘Personal data’ means any information relating to an identified or identifiable natural person (in the following referred to as ‘data subject’); any natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to said natural person’s physical, physiological, genetic, mental, economic, cultural or social identity is deemed to be identifiable.
• Controller: ‘Controller’ means any natural or legal person, public authority, agency or any other body which – alone or jointly with others – decides about purposes and means of the processing of personal data.
• Processing: ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means. This is a comprehensive term and includes virtually any handling of data such as collection, analysis, storage, transmission or erasure.
III. Data processing when visiting the website
1) Cookies
We use cookies in some areas for a need-based design of our Website. Most of the cookies we use expire after closing the browser session (known as ‘session cookies’). Others remain on your terminal device and enable us to recognise your browser the next time you visit the site (persistent cookies). We do not use this information to personally identify any visitor to this Website.
Most browsers are configured so that they accept cookies automatically. Still, you can disable cookies altogether or configure your browser so that it will ask you when a website wants to set a cookie. Please note that blocking cookies from our Website might result in functional restrictions when using our web pages or those of other service providers.
Cookies we have set on your system will, as a rule, be deleted after leaving our Website.
2) Making our Website technically available using a server log file
If you just visit our Website without actively contacting us we will only process the personal data transmitted automatically by your browser. Our web servers record every access in a temporary log file for a period of seven days.
The following information is collected: IP address of your client; website from which access takes place; date and time of access; name and URL of the file accessed; pages visited; data volume transmitted; message as to whether access was successful; playback of video/audio files; clicks on individual links; search terms or phrases; detection of browser and operating system used and name of your internet access provider.
Processing this information serves to render our Website optimal and secure from a technical point of view. There is no analysis of personal data.
Our legitimate interest under Article 6 [1] Item f of the GDPR in optimal and secure technical operation of our Website not outweighed by any interests or fundamental rights and freedoms of the data subject that require the protection of personal data forms the legal basis of these processing operations.
3) Usage analysis with Matomo Analytics
We use Matomo Analytics (formerly Piwik), an analytics service for statistical analysis of the usage of our Website. We use cookies to store information about how you use our Website and what browser/operating system you use. This includes your IP address. The IP address is instantly anonymised during the process so that you remain anonymous to us as a user.
We use Matomo only with your express prior consent under Article 6 [1] Item a of the GDPR, which you can give using the cookie banner when accessing our Website for the first time. Once given, you can revoke your consent at any time with effect for the future by proceeding as follows:
Please keep the following in mind: If you wipe all of your cookies the opt-out cookie will also be deleted. This means that you will have to give your consent once more and also opt out from the analysis of your user behaviour once again.
In the setting of the use of Matomo tools for collecting and processing your usage data we transmit your truncated IP address to New Zealand. Data transmission takes place on the basis of an available adequacy decision of the European Commission regarding the adequacy of the data protection level in New Zealand.
The cookies used in this setting will be stored for a period of 30 days. However, you have the option to delete cookies manually at any time.
IV. Other data processing operations
1) Making contact
We will process your personal data if you input them into the contact form on our Website, send them to us by e-mail, or contact us by phone. If you contact us we will collect the following information about you: title; last name/first name; company; branch of industry; address details; contact details (phone/e-mail); contents (of request).
We will only use your personal data to communicate with you, or for the purpose you intended when providing these data, and then delete them.
We process your personal data for responding to contact requests on the following legal basis:
• Protection of our legitimate interests under Article 6 [1] Item f of the GDPR; our legitimate interest consists in properly responding to contact requests and is not outweighed by any interests or fundamental rights and freedoms of the data subject that require the protection of personal data, or
• Fulfilment of a contract or performance of precontractual measures under Article 6 [1] Item b of the GDPR, if that is the purpose of your contact request.
Personal data collected in the setting of making contact will be deleted without delay once the communication initiated by the data subjects is completed by mutual agreement or at the request of the data subjects.
2) Distribution of information material
If applicable, we will use your postal address and e-mail address to send you information about our events, products or services. Nevertheless, we will refrain from this unless you wish us to do so and have given your express consent under Article 6 [1] Item a of the GDPR. You may revoke your consent at any time with effect for the future by e-mailing to vertrieb@enercon.de or writing to ENERCON GmbH, Vertrieb National, Dreekamp 5, 26605 Aurich, Germany.
If we have acquired your address or e-mail address in conjunction with the sale of goods or services and you have not raised any objection, we reserve the right to send you offers for products from our range similar to the one(s) you purchased, by post or by e-mail under Article 6 [1] Item f of the GDPR or Section 7 [3] of the German Act Against Unfair Competition on a regular basis. This serves to safeguard our overriding legitimate interests in advertising appeals to our customers in the setting of a weighing of interests.
In addition, you may opt out from continued storage and use of your personal data, particularly your contact details, at no cost other than transmission costs at basic rates. Please contact vertrieb@enercon.de or ENERCON GmbH, Vertrieb National, Dreekamp 5, 26605 Aurich, Germany also in this matter.
In the event of a revocation or legitimate objection we will erase your data without delay if no other legal basis or overriding legitimate reasons for processing exist. If that objection concerns your request, however, this can no longer be processed.
3) ‘Windblatt’ customer magazine subscription
If you order our free ‘Windblatt’ customer magazine, the personal data you provided during registration (title; last name/first name; company; branch of industry; address details; contact details [phone/e-mail]) will be used to process your order. For this purpose they will be transferred to service providers that have been authorised accordingly and contracted as processors (e.g. the customer magazine printers). For this we will seek your express prior consent under Article 6 [1] Item a of the GDPR in advance. In this context your personal data will not be passed on to third parties in other respects. You may revoke your consent to processing of your personal data for shipment of the customer magazine with effect for the future at any time by sending an informal notice to vertrieb@enercon.de or by writing to ENERCON GmbH, Vertrieb National, Dreekamp 5, 26605 Aurich, Germany. Following receipt of your revocation, shipment of the customer magazine to you will be discontinued and we will erase the data collected from you at the time of ordering the magazine at once if no other legal basis for processing exists.
4) Use of the Service Info Portal
Our Service Info Portal (SIP) that can be accessed from these web pages gives customers the option to store operating reports, service reports and other documents about their wind energy converters, or to share them with us within the framework of the performance of the contract. Safeguarding our legitimate interest under Article 6 [1] Item f of the GDPR forms the legal basis of the associated processing of your personal data; our legitimate interest consists in responding appropriately to customer enquiries and proper rendering of our contractually agreed services or fulfilment of the contract for the purposes of Article 6 [1] Sentence 1 b of the GDPR. The amount of personal information collected in this setting is very limited; it is merely the contact details of points of contact. We keep this information strictly confidential and will store and use the data only to enable you to use the Service Info Portal; following termination of the contractual relationship the information will be erased at once if no other legal basis for processing exists.
5) Job applications
You can apply for jobs at our company either online or through electronic media. As a matter of fact we will use the information you provide only to process your application and erase it in line with statutory regulations once the application procedure has been completed. Data processing in this context takes place on the legal basis of performance of precontractual measures under Article 6 [1] Item b of the GDPR.
Please keep in mind that unencrypted e-mails are not protected against access during transmission. Therefore, we strongly recommend sending your application documents either by encrypted e-mail or through the contact form on our Career Portal.
For detailed information on how your personal data are handled during the job application process, please see our Career Portal privacy statement.
6) E-mail marketing
a) E-mail marketing including subscription to the ENERCON eShop newsletter
If you subscribe to the ENERCON eShop newsletter we will use the information required or communicated to us separately by you in order to send you our e-mail newsletter on a regular basis as per your consent under Article 6 [1] Sentence 1 Item a of the GDPR. You can unsubscribe from the newsletter at any time by sending a message to eShop@enercon.de or using the link provided in the newsletter. Following unsubscription we will erase your e-mail address unless you have given your express consent to further use of your data, or we have reserved the right of additional use of the data that is legally permitted and about which we are informing you in this Statement.
b) E-mail marketing without subscription to the newsletter, and your right to object
If we have acquired your e-mail address in conjunction with the sale of goods or services and you have not raised any objection, we reserve the right to send you offers for products from our range similar to the one(s) you purchased, by e-mail under Section 7 [3] of the German Act Against Unfair Competition on a regular basis. This serves to safeguard our overriding legitimate interests in advertising appeals to our customers in the setting of a weighing of interests. You may opt out from the use of your e-mail address at any time by sending a message to eShop@enercon.de or using the link specifically provided in the marketing e-mail, at no cost other than transmission costs at basic rates. In the setting of processing, the newsletter is distributed by a service provider on our instructions; we pass on your e-mail address to that service provider for this purpose. This service provider is located in a country inside the European Union or the European Economic Area.
7) Queries and surveys
We use Microsoft Forms for internal and external queries and surveys. For this purpose ENERCON concluded a processing agreement with Microsoft that meets the requirements of Article 28 of the GDPR. In addition, the EU standard contractual clauses (SCCs) have been contractually agreed for data transfers to third countries. Under Article 46 [2] Item c of the EU GDPR the EU standard contractual clauses guarantee an adequate EU data protection level.
This is to inform you that, according to the case law of the European Court of Justice, the United States is not a safe third country for the purposes of the EU GDPR. Under the surveillance laws of the United States U.S. service providers may be bound to surrender personal data to security agencies without data subjects being able to appeal against this practice. Therefore, it cannot be ruled out that U.S. authorities such as intelligence agencies will process, analyse and permanently store your data residing on servers of U.S. service providers. We cannot influence these processing activities.
Depending on the individual query or survey this setting allows for the collection of personal data to a very limited extent. This includes, among other things, first name and last name, contact details, date of birth and other information from the list of questions.
If and to the extent that we request the data subject’s permission for the processing of personal data, Article 6 [1] Item a of the EU GDPR serves as a legal basis. For the processing of personal data that are required for the fulfilment of a contract or the performance of precontractual measures, Article 6 [1] Item b of the EU GDPR serves as a legal basis. If and to the extent that the processing of personal data is required for the fulfilment of a statutory obligation to which our company is subject, Article 6 [1] Item c of the EU GDPR serves as a legal basis. If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6 [1] Item f of the EU GDPR serves as a legal basis.
V. Data processing operations in the setting of services and other business operations
Within the framework of the services provided by us and that of other business operations we process personal data for different purposes (see Items 1 to 3 of this section), transmit these data to third parties from time to time and store them until the purpose has been achieved (see Items 4 to 6 of this section).
1) Contractual relationships
Within the framework of the contracts concluded or initiated with us (e.g. for installation or maintenance of a wind energy converter, with suppliers or service providers, etc.) we collect and process personal data on the legal basis of Article 6 [1] Item b of the GDPR for the purpose of performance, initiation or termination of a contractual relationship.
2) Statutory obligation
We process personal data insofar as there is a statutory obligation to that effect (e.g. in the setting of the execution of administrative procedures) under Article 6 [1] Item c of the GDPR in conjunction with the relevant specific legal basis.
3) Legitimate corporate interests
In addition, we process personal data in different cases in order to assert legitimate corporate interests (e.g. to enforce legal claims or for video surveillance of our facilities for protection against unauthorised access, where required) on the legal basis of Article 6 [1] Item f of the GDPR, always balancing legally protected interests to ensure that no interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail.
4) Recipient
ENERCON GmbH and other companies of the organisation host central functions that are active on behalf of the corporate network and, in this context, also process personal data, e.g. Marketing and Communication, Sales, Purchasing, Central Administration (e.g. Legal Department), and Recruiting. If central functions are involved by other companies of the organisation (e.g. for procurement transactions or administrative procedures), personal data will be exchanged to the extent required between the involved companies of the organisation. In this case, overriding legitimate corporate interests under Article 6 [1] Item f of the GDPR constitute the legal basis; the legitimate interest consists in internal administrative purposes. These may be commercial, administrative or other internal business purposes; this applies only to the extent that the interests or fundamental rights and freedoms requiring the protection of personal data of data subjects do not outweigh the above.
We will transfer personal data to other third parties (e.g. authorities or banks or service providers employed to fulfil a contract) only if required by the particular business relationship or a statutory requirement. We bind any service provider we employ (e.g. acting as processors on our behalf for IT or printing services) by contract to process personal data only within the scope of their job.
In the following we are going to specify the categories of recipients to which we transfer data in order to fulfil our contractual and statutory obligations, or on the basis of our legitimate interests:
• IT service providers, for administration and hosting of our Website
• Printers, for the production and distribution of information material
• Shippers, for shipment of information material or communications
• Authorities (e.g. for approval procedures)
• Banks, for execution of payment transactions
5) Transmission to third EU countries
We do not transmit any personal data to countries outside the EU or the EEA, or to international organisations.
6) Storage period
Personal data processed by us will always be stored for the period required for the particular purpose (e.g. performance of contract until revocation of your consent) and then erased, taking into account the statutory retention periods, or locked for the required retention period after the purpose has been achieved (e.g. fulfilment of contract by both parties), or restricted from processing and then erased. In addition, we will then store personal data until the start of limitation of any legal claim. As a rule, the limitation period is between 12 and 36 months; it may, however, be up to 30 years.
Upon the start of limitation we will erase personal data unless there is a statutory retention period, e.g. under the German Commercial Code (Sections 238, 257 [4] HGB) or the German Tax Code (Section 147 [3], [4] AO). These retention periods may be two to ten years.
VI. Presences in social networks
We maintain presences in the social networks named below and, within this framework, process user data in order to communicate with active users in these networks or to provide information.
Please note that user data might be processed outside the European Union in the course of the process. This may entail risks to the users, e.g. because enforcement of user rights might be hampered.
Moreover, user data are typically processed inside social networks for market research and advertising purposes. For instance, usage profiles can be generated based on user behaviour and the interests of users derived from it. These usage profiles can be utilised e.g. to show advertisements inside and outside the networks that are presumed to match the users’ interests. As a rule, cookies that store user behaviour and users’ interests are placed on users’ computers for that purpose. In addition, usage profiles can also contain data that are unrelated to the individual devices a user uses (particularly if that user is a member of the respective platform and has logged in to it).
For a more precise description of the individual types of processing and the options for objection, please refer to the privacy statements and information provided by operators of the respective platforms.
Also with regard to requests for information and enforcement of data subjects’ rights we would like to point out that these are most effectively asserted vis-à-vis the providers. Only the respective providers have access to user data and can take suitable measures directly and provide information. Still, if you have any questions about this you can contact us directly at the addresses given above.
Data types processed: Contact details (e.g. e-mail, phone numbers); content (e.g. input into online forms); usage (e.g. websites visited, interest in contents, access times); metadata/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, online service users)
Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback through online forms); marketing
Legal basis: Our legitimate interest under Article 6 [1] Sentence 1 Item f of the GDPR is to publish information about our company and to establish contact with interested parties. There are no overriding interests of data subjects conflicting with this interest.
1) Facebook
Together with Facebook Ireland Ltd. we are joint controllers with regard to collecting (but not further processing of) user data from visitors to our Facebook page (‘fan page’).
These data include information about the type of content users view or interact with, or the actions they perform (see ‘Things you and others do and provide’ in Facebook’s data policy: www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device Information’ in Facebook’s data policy: www.facebook.com/policy). As explained in ‘How do we use this information?’ in Facebook’s data policy, Facebook collects and uses information also to provide analytics services (‘Page Insights’) to website operators for them to gain insight as to how persons interact with their pages and the linked contents. We have concluded a special agreement with Facebook (‘Information about Page Insights’, www.facebook.com/legal/terms/page_controller_addendum), which particularly stipulates the security measures to be observed by Facebook and in which Facebook agrees to honour the rights of data subjects (i.e. users can address requests for information and erasure directly to Facebook).
User rights (particularly to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.
For additional notes, see ‘Information about Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: www.facebook.com;
Privacy statement: www.facebook.com/about/privacy; standard contractual clauses (ensuring data protection level for processing in third countries): www.facebook.com/legal/EU_data_transfer_addendum;
Further information: Joint controllers agreement: www.facebook.com/legal/terms/information_about_page_insights_data.
2) Instagram
Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA;
Website: www.instagram.com;
Privacy statement: instagram.com/about/legal/privacy.
3) LinkedIn
Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: www.linkedin.com;
Privacy statement: www.linkedin.com/legal/privacy-policy.
4) Xing
Service provider: XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany;
Website: www.xing.de;
Privacy statement: https://privacy.xing.com/en.
VII. Rights as a data subject
Subject to the statutory provisions, you have the following rights as a data subject, which you may assert against us:
Right to information: You are entitled at any time, within the framework of Article 15 of the GDPR, to request us to confirm whether or not we process personal data concerning you; if this is the case, you are also entitled, within the framework of Article 15 of the GDPR, to receive information about these personal data, as well as specific further information (among others, purpose of processing; personal data categories; recipient categories; envisaged storage period; origin of the data; use of automated decision-making, and – in the event of transmission to third countries – suitable guarantees) and a copy of your data.
Right to rectification: You are entitled under Article 16 of the GDPR to request us to correct the personal data we have stored about you if they are inapplicable or incorrect.
Right to erasure: You are entitled, subject to the provisions of Article 17 of the GDPR, to request us to erase personal data concerning you without delay. No right to erasure will exist if, among other things, processing of personal data is required for exercising the right to freedom of expression and information, fulfilling a legal obligation to which we are subject (e.g. statutory retention periods), or asserting, exercising or defending legal claims.
Right to restriction of processing: You are entitled, subject to the provisions of Article 18 of the GDPR, to request us to restrict processing of your personal data.
Right to data portability: You are entitled, subject to the provisions of Article 20 of the GDPR, to request us to hand over, in a structured, common, machine-readable format, the personal data that concern you and you have provided to us.
Right to revocation: You are entitled to revoke your consent to processing of personal data with effect for the future at any time. Revocation of consent will not affect the lawfulness of the processing performed on the basis of that consent until revoked.
Right to objection: You are entitled, subject to the provisions of Article 21 of the GDPR, to object against processing of your personal data so that we will have to discontinue processing of your personal data. The right to objection only exists within the limits set by Article 21 of the GDPR. Furthermore, our interests may exclude discontinuation of processing so that we are entitled to process your personal data, your objection notwithstanding.
Right to complain to a supervisory authority: You are entitled, subject to the provisions of Article 77 of the GDPR, to lodge a complaint with a supervisory authority, particularly in the member state of your whereabouts, your workplace or the location of the suspected violation, if you are of the opinion that processing of the personal data concerning you is in breach of the GDPR. The right to complain exists without prejudice to any other administrative or judicial remedy.
Competent supervisory authority:
Die Landesbeauftragte für den Datenschutz Niedersachsen [State Commissioner for Data Protection; Lower Saxony]
Prinzenstraße 5
30159 Hannover, Germany
Phone: +49 (511) 120 45 00
Fax: +49 (511) 120 45 99
E-mail: poststelle@lfd.niedersachsen.de
Nevertheless, we recommend directing any complaint to our Data Protection Officer first.
If possible, please address your requests for exercising your rights to the above address or directly to our Data Protection Officer in writing.
VIII. Data security
We have taken extensive technological and operational precautions to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. We review and adapt our security procedures on a regular basis to keep up with technological progress.
When you use our contact form or log on to the Service Info Portal (SIP) platform you also provide personal information about yourself. To prevent this information from falling into the wrong hands we use TLS (Transport Layer Security) to encrypt your personal data end-to-end. This is a tried-and-tested data transfer method on the internet that is highly secure if used according to the state of the art the way we do.
IX. Obligations to provide data
Basically, you are not obliged to share your personal data with us. However, if you do not do so, we will not make our Website available to you nor respond to your enquiries, send advertisements, etc. We will also be unable to conclude any contract with you. Personal data that are absolutely needed for the above processing purposes are identified as mandatory information with an ‘*.’ or another character.
X. Automated decision-making
We do not use any automated decision-making process or profiling (i.e. an automated analysis of your personal circumstances).
XI. Information about your right to object
You are entitled to object against processing of your data performed on the basis of Article 6 [1] Item f of the GDPR (data processing on the basis of a weighing of interests) or Article 6 [1] Item e of the GDPR (data processing in the public interest), if there are any reasons resulting from your particular situation. This applies likewise to any profiling based on this provision for the purposes of Article 4 Item 4 of the GDPR.
If you raise an objection we will no longer process your personal data unless we are able to give compelling reasons for processing worthy of protection that outweigh your interests, rights and freedoms, or processing serves to assert, exercise or defend legal claims.
If, in individual cases, we process your personal data for direct advertising purposes, you are entitled to object to this at any time; this applies also to any profiling, if associated with such direct advertising. We will respect this objection in the future.
We will no longer process your data for direct advertising purposes if you object to processing for this purpose.
This objection may be informal and should be addressed to the point of contact given in Section I hereof.
XII. Amendments to and updates of this Privacy Statement
The contents of this Privacy Statement may be updated if necessitated by modifications to the data processing operations performed by us. We will inform you in case any modification requires assistance on your part (e.g. consent) or any other individual notification.
