Below you will find the information to be provided in accordance with Articles 13 and 14 of the General Data Protection Regulation ("GDPR") on the processing of your personal data by KOSTAL Solar Electric GmbH (hereinafter "we" or "us") when you use the KOSTAL Solar App ("App").
A. Data controller and data protection officer
KOSTAL Solar Electric GmbH, Hanferstr. 6, 79108 Freiburg i. Br., info-solar@kostal.com,
Phone +49 (0) 761 47744-100.
Data Protection Officer of the KOSTAL Group, An der Bellmerei 10, 58513 Lüdenscheid,
datenschutz@kostal.com.
B. Information on the processing of personal data
Below you will find information about the processing of your personal data for the purposes listed in more detail and, among other things, about the legal basis for this processing. Insofar as the legal basis for processing is stated there as the balancing of interests, you can obtain further information on the balancing of interests from us under the contact details provided in section A contact details mentioned in section A.
I. Registration of a user account for the Solar Portal and display of performance data in the app
The App is used to display the performance data of the inverters that have been linked to your Solar Portal user account. To be able to use the App, you therefore need a user account for our Solar Portal. Registration for digital business processes takes place via the Kostal Solar Terminal, as a Single Sign-On solution.
To do this, you must register at https://terminal.kostal-solar-electric.com/registration?redirectUri=https:%2F%2Fterminal.kostal-solar-electric.com&language=en . A button in the App will take you directly here.
When you register a user account, we collect your master data such as e-mail address, password, first name, surname, country and language. For further details on data processing in connection with your use of the Solar Portal and the display of the performance data of the linked inverters via the app, please refer to the KOSTAL Solar Portal privacy policy, which also applies when using the app. You can view it here.
II. Analysis data
1. "Firebase Crashlytics"
The KOSTAL Solar App uses "Firebase Crashlytics", a tool offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for people from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") for all other people. The per-sonal data described below will be transmitted to Google as our processor and thus possibly also to the USA in the event of the app crashing; we have concluded standard contractual clauses for this case:
· Universally Unique Identifier (UUID) of your smartphone or tablet and
· Backgrounds that caused the app to crash, such as the function used, the version of the app, etc.
· IP address of the device.
· Firebase installations ID
· Crash traces
· Breakpad minidump formatted data
· (NDK crashes only)
We would like to point out that US companies may be obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.
We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes.
Crash reports are only sent with your express consent. When using iOS apps, you can give your consent in the app settings or after a crash. For Android apps, you have the option of generally agreeing to the transmission of crash notifications to Google and app developers when setting up the mobile device. You can revoke your con-sent for this processing at any time by deactivating the "Crash reports" function in the settings of the iOS apps (in the magazine apps, the entry can be found in the "Communication" menu item).
For Android apps, deactivation is basically done in the Android settings. To do this, open the Settings app, se-lect the "Google" item and then the "Usage & Diagnostics" menu item in the three-dot menu at the top right. Here you can deactivate the sending of the corresponding data. You can find more information in the help for your Google account.
The legal basis for data transmission is consent pursuant to Art. 6 para. 1 lit. a GDPR.
The data is stored for ninety (90) days.
Further information on data protection can be found in Firebase Crashlytics' privacy policy at https://firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#data-collection-policies
2. Localise
The KOSTAL Solar App uses "Localise", a tool from Lokalise Inc. 3500 South DuPont Highway, Suite BZ-101, Dover, DE 19901, USA ("Localise"), which acts as a processor for us. The personal data described below is used when the app is accessed in order to load translations via an OTA (Over the Air) update and to make the app available to the user in multiple languages,
-Universally Unique Identifier (UUID) of your smartphone or tablet
- Device model and manufacturer and
-IP address of the device.
The legal basis for this processing - including the setting and reading of cookies - is a consent to be given separately by you (Art. 6 para. 1 sentence 1 lit. a GDPR). You can withdraw this consent by revoking your consent in the privacy settings.
The data described in this section may be transferred to Localise in the USA. However, Localise has certified it-self under the Data Privacy Framework. The European Commission has determined in an adequacy decision pursuant to Art. 45 GDPR (see Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, published under file number C(2023) 4745) that the United States ensures an adequate level of protection for personal da-ta transferred from the European Union to organizations in the United States under the EU-US Privacy Shield
You can find more information on this in Localise's privacy policy (https://lokalise.com/privacy-policy)
We store the usage profiles for 5 minutes after the app is called up.
You can assert the right to object to this processing referred to in Section C.
3. Microsoft
We use Microsoft Azure Active Directory B2C for user identification and to enable login to the Solar App. The following personal data is collected to enable login via the device:
- Device model and manufacturer.
The legal basis for this processing - including the setting and reading of cookies - is the higher-value interest in providing the technical possibility to log in to the Solar App and to enable a link to the data of the Solar Portal (Art. 6 para. 1 lit. f GDPR). Without login and linking, we cannot provide the Solar App service.
The recipient of this data is our hosting provider Microsoft Azure, which acts for us as a processor; where necessary, we will also agree standard contractual clauses with the hosting provider.
We would like to point out that US companies are obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.
We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, evaluate and permanently store your data on US servers for surveillance purposes.
You can find more information at https://learn.microsoft.com/en-gb/compliance/regulatory/gdpr-arc-azure-dynamics.
3. Accuweather
The Solar app also uses the API of the "Accuweather" weather service to calculate the expected system yields. For this purpose, the city + country and the zip code of the system, if specified, are transmitted to the service. This sends back the weather data available for the location, on the basis of which the expected system yields are calculated.
We use a weather API to provide our users with up-to-date weather information. When using the weather API, the location data of the system is transmitted to Accuweather.
The legal basis for this processing is the overriding interest of the user to enable the service requested by him to monitor, control and optimize his system (Art. 6 para. 1 lit f GDPR).
The data is retrieved from the provider's website in the USA. We would like to point out that US companies are obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.
We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. Data is transferred in compliance with the necessary security rules.
Accuweather deletes the data immediately after retransmission.
III. Transmission of system data from an inverter
You have the option of sending the investment data displayed in the app by e-mail or sharing it via other services. You can determine the content of the transmitted information yourself. If you forward such information to us, we will process the data transmitted to us in this way to process your request. You are not obliged to provide this data. However, we cannot process your request properly without this data.
The legal basis for the processing of personal data is the balancing of interests pursuant to Art. 6 para 1 lit f GDPR. Our legitimate interest in this case is to process the request communicated by you.
We store this data for the duration of the processing of your request and thereafter for the duration of the statu-tory retention obligations (Section 257 HGB and Section 147 AO). For commercial letters, this is currently 6 years from the end of the calendar year in which the commercial letter was received or sent. The legal basis for this further storage is compliance with our legal obligation (Art. 6 para. 1 lit. (c) GDPR).
C. Information on the rights of data subjects
As a data subject, you have the following rights in relation to the processing of your personal data, which you can exercise using the contact details mentioned in section A:
· A right to information (Art. 15 GDPR) about which of your personal data we process. This includes further information about the data processing, such as the purpose and legal basis as well as recipients of this data. You also have the right to request a copy of this data.
· The right to obtain from us the rectification of inaccurate personal data concerning you and the comple-tion of incomplete personal data (Art. 16 GDPR).
· A right to request the deletion of personal data concerning you in the cases provided for by law (Art. 17 GDPR), for example if the data is no longer required for the purposes for which it was collected or if it has been processed unlawfully.
· A right to demand the restriction of processing in the cases prescribed by law (Art. 18 GDPR).
· The right to receive the personal data concerning you in a structured, commonly used and machine-readable format, which we have collected on the basis of your consent or for the performance of a con-tract (see section B) (right to data portability, Art. 20 GDPR).
· The right to withdraw consent given to us at any time. This does not affect the lawfulness of the processing carried out up to the point of withdrawal.
· A right to lodge a complaint with a supervisory authority (Art. 77 GDPR). A list of data protection supervisory authorities with their addresses can be found here.
Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (see section B), to file an ob-jection. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
You are not necessarily entitled to the above rights without restriction in every case. The law provides for re-strictions in each case. The full scope of your rights can be found in the above-mentioned articles, which you can access via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Status 01.06.2024