+++ New: Flexibly BUY or RENT your Enpal solar solution. +++
Information pursuant to Articles 13 and 14 of the GDPR from Enpal B.V.
At Enpal B.V. (“Enpal” or “we”), data protection is our top priority. We are delighted that you want to help shape the future of green energy with us and firmly believe that the protection of your data plays an exceptionally important role in this. With the following information, we therefore wish to explain to you what types of your personal data we process, for what purposes, and to what extent.
If you are a customer of other Enpal companies, are applying for a job at Enpal, or are using the whistleblower system, we will inform you separately about additional data processing in connection with our service provision or your application. You can find this supplementary privacy information in Section J.
We generally process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Personal data in this context refers to all specific details regarding the personal or factual circumstances of an identified or identifiable natural person, such as name, address, date of birth, contact information, customer data, offer and contract details, etc.
The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
The data controller for data processing in connection with the use and provision of your data via the Enpal website, as well as for the initiation and performance of contracts and the use of the Enpal app, in accordance with Article 4(7) of the GDPR, is:
Enpal B.V.
Bödikerstr. 25, 10245 Berlin
Email: info@enpal.de
Phone: +49 (0) 3030808052
For any questions regarding data protection in connection with our products and services or the use of our website, you may also contact our Data Protection Officer at any time. The Data Protection Officer can be reached at the postal address provided above and at the email address listed below.
You can contact our Data Protection Officer at:
Enpal B.V.
Data Protection Officer
Bödikerstr. 25, 10245 Berlin
Email: datenschutz@enpal.de
Every time you use our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data includes so-called HTTP header information, including the user agent, and specifically comprises:
The processing of this connection data is technically necessary to enable access to the website, to ensure the ongoing functionality and security of our systems, and to perform general administrative maintenance of our website. Connection data is also stored in internal log files for the purposes described above, limited to what is strictly necessary in terms of time and content. This serves to identify and address the cause of any repeated or malicious access attempts that jeopardize the stability and security of our website.
The legal basis for this processing is Article 6(1)(b) of the GDPR, provided that the page visit occurs in the course of the initiation or performance of a contract, and otherwise Article 6(1)(f) of the GDPR based on our legitimate interest in enabling access to the website as well as the ongoing functionality and security of our systems.
On the Enpal website, you can calculate the savings you could achieve by using an Enpal solar power system (Solar Calculator) or a heat pump (Heat Pump Calculator). As part of this calculation, the following personal data is processed, depending on the product you are inquiring about:
The legal basis for the processing is Article 6(1)(b) of the GDPR, as the calculation is performed as part of the process of entering into a contract. Based on this data, we will plan your solar system and create a virtual roof layout. This will be presented to you during a subsequent sales consultation. Failure to provide the aforementioned data may make it impossible to perform the calculation and subsequently prepare a quote.
In addition, we may process your data on the basis of Article 6(1)(f) of the GDPR, based on our legitimate interest in advertising or market and opinion research, in reviewing and optimizing procedures for needs analysis and direct customer outreach, in measures for business management and the further development of services and products, as well as related processes, provided that you have not objected to the use of your data for these purposes.
On the Enpal website, you have the option to contact us via various contact forms.
1. The following information is collected through the required fields for trade partners (https://www.enpal.de/partner-werden):
2. The following data is collected via the required fields for heat pump partners (https://www.careers.enpal.com/handwerkspartner-fur-waermepumpen):
3. The following data is collected via the required fields for referral partners (https://www.enpal.de/empfehlungspartner):
4. The following data is collected via the required fields for sales partners (https://www.enpal.de/vertriebspartner-formular):
The data collected via the contact forms is processed for the following purposes:
The legal basis for this processing is Article 6(1)(b) of the GDPR, as your contact with us is made in the course of initiating the partnership agreement with Enpal, and, furthermore, Article 6(1)(f) of the GDPR based on our legitimate interest in you contacting us and our ability to respond to your inquiry.
The aforementioned personal data will be transferred to the extent necessary to fulfill the task to:
As part of our marketing communications, we process the contact information you provide—namely your name, email address, mailing address, and phone number—based on your consent in accordance with Article 6(1)(a) of the GDPR. We use this contact information to send you information about our products, services, and offers via the following communication channels:
RCS (Rich Communication Services) is an enhanced messaging format for mobile devices that is provided via the device’s messaging app and functions similarly to an enhanced SMS.
In our marketing communications, you will find information about:
Your contact information will only be used if you have given your consent. You may revoke your consent at any time, effective for the future. Please send your revocation to datenschutz@enpal.de or use the unsubscribe options provided in the respective messages. For SMS and RCS, you can unsubscribe directly by replying to the message with “STOP.” The revocation will then apply to all further communications via these two channels.
Since the individual products and services are offered by different companies within the Enpal Group, we forward your contact information and—where available—additional selected data regarding your contractual relationship (name, address, subject of the current contractual relationship, and, if applicable, network operator) to the respective responsible Enpal company. This forwarding is covered by your consent.
We also use the contact information you provide to send promotional materials to existing customers, unless you have objected to this. The content of these Enpal promotions consists of recommendations for Enpal’s own products and similar products from Enpal or companies within the Enpal Group. You may object to the use of your contact information at any time, free of charge, at datenschutz@enpal.de.
You can subscribe to our newsletter, in which we regularly provide updates on new developments regarding the Enpal Group’s products and services in the renewable energy sector. We also conduct market and opinion research as part of our newsletter.
To receive the newsletter, you must provide your email address; without it, we cannot send you the newsletter. If you have also provided us with your name, we will use it to address you personally.
When you subscribe to our newsletter, we use the so-called double opt-in procedure: After subscribing, you will receive an email in which you must confirm your subscription again. We will only begin sending the newsletter after this confirmation. This ensures that no one uses your email address without authorization. The legal basis for processing in connection with the sending of the newsletter is your consent pursuant to Art. 6(1)(a) GDPR.
If you confirm your email address, we will store your email address, the time of registration, and the IP address used for registration until you unsubscribe from the newsletter. This storage serves solely the purpose of sending you the newsletter and verifying your registration. The legal basis for this storage is Article 6(1)(c) of the GDPR in conjunction with Article 7 of the GDPR and/or Article 6(1)(f) of the GDPR, based on our legitimate interest in being able to provide proof, in cases of doubt, that consent was given to receive our newsletter.
You may revoke your consent to receive the newsletter at any time with future effect by unsubscribing from the newsletter. A link to unsubscribe is included in every newsletter. Of course, you may also simply send a message to abmelden@enpal.de or use the contact information provided in the newsletter.
We track whether our newsletter can be delivered at all. The legal basis for this measurement is your consent pursuant to Article 6(1)(a) of the GDPR. We also analyze pseudonymized open and click-through rates to improve our offerings. The legal basis for this is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
To measure success, we use the customer engagement platform Braze from Braze, Inc. (hereinafter “Braze”; 63 Madison Avenue, 12th Floor, New York, NY 10016, USA). The tool records deliveries, opens, clicks, and unsubscribes for each newsletter campaign and provides us with these metrics both in aggregate and on a user-specific basis (max. 30 days). Tracking pixels in the newsletter header (“open tracking”) and personalized redirect links for click measurement are used for this purpose, but no cookies are used. IP tracking is also not performed.
We use the data collected in this way to create a user profile so that we can tailor the newsletter to your individual interests. In doing so, we track when you read our newsletters and which links you click on, and use this information to infer your personal interests. This helps us manage the distribution and evaluate the effectiveness of newsletter campaigns, as well as improve deliverability and content through KPI analysis. Braze stores the data on servers located in the EU. Furthermore, there is potential support access from the U.S. For the U.S., there is an adequacy decision by the European Commission (EU-U.S. Data Privacy Framework, or “DPF” for short), which applies to certified companies. Braze is DPF-certified. This ensures that a level of protection comparable to that in the EU is maintained. Braze further protects such transfers through Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Further information can be found in Braze’s privacy policy. We have entered into a data processing agreement with Braze in accordance with Art. 28 GDPR.
When sending out press releases and event invitations, we process your first and last name, the organization you represent, and your email address.
To subscribe to our press newsletter, we use the so-called double opt-in procedure, meaning we will only send you newsletters via email once you have confirmed in our confirmation email—by clicking on a link—that you are the owner of the provided email address. If you confirm your email address, we will store your email address, the time of registration, and the IP address used for registration until you unsubscribe from the newsletters. This storage serves solely the purpose of sending you the newsletter and verifying your registration. The legal basis for this storage is Article 6(1)(f) of the GDPR, based on our legitimate interest in being able to prove, in cases of doubt, that consent was given to receive our newsletter. In addition, we track whether our newsletter can be delivered at all.
To receive the press newsletter, you must provide your email address; without it, we cannot send you the newsletter. The legal basis for processing your data in connection with the distribution of the press newsletter is your consent pursuant to Article 6(1)(a) of the GDPR. You may revoke this consent at any time with future effect by unsubscribing from the newsletter. A corresponding unsubscribe link is included in every newsletter. Of course, you may also simply contact us using the contact information provided above or in the newsletter.
You have the opportunity to participate in one of our surveys. We use the results of these surveys to improve our services.
The legal basis for sending the survey is Article 6(1)(f) of the GDPR in conjunction with Section 7(3) of the German Unfair Competition Act (UWG), based on our legitimate interest in designing and continuously improving our services to meet the needs of our customers, drawing on the experiences of our customers in the sales process and our existing customers.
If we ask you to participate in a survey as part of the sales process, we will obtain your consent in accordance with Article 6(1)(a) of the GDPR in conjunction with Section 7(2)(2) of the German Unfair Competition Act (UWG). You may revoke this consent at any time with future effect. To do so, simply send an informal message to datenschutz@enpal.de.
You may object to the sending of a satisfaction survey and the promotional use of your data at any time by clicking on the corresponding link in the emails or by notifying us via the contact details provided above (e.g., by email or letter), or revoke your consent with future effect.
You have the opportunity to participate in our contests.
In connection with contests, we use your data for the purpose of conducting the contest and notifying winners. Detailed information can be found in the terms and conditions for the respective contest. The legal basis for processing is the contest agreement pursuant to Art. 6(1)(b) GDPR. Data processing for other or further purposes, in particular for advertising, is based on your consent pursuant to Art. 6(1)(a) GDPR.
In addition, we may process your data on the basis of Article 6(1)(f) of the GDPR, based on our legitimate interest in advertising or market and opinion research, in testing and optimizing procedures for needs analysis and direct customer outreach, in measures for business management and the further development of services and products as well as related processes, provided that you have not objected to the use of your data for these purposes.
We base the sending of the invitation to participate in the sweepstakes on your consent pursuant to Article 6(1)(a) of the GDPR, provided that you have given us such consent, and otherwise on Article 6(1)(f) of the GDPR in conjunction with Section 7(3) of the German Unfair Competition Act (UWG), based on our legitimate interest in offering sweepstakes and strengthening our customer loyalty.
You may object to or revoke your consent to the sending of offers to participate in sweepstakes and the promotional use of your data at any time by clicking the corresponding link in the emails or by notifying us via the contact details provided above (e.g., by email or letter), with effect for the future.
We use the Typeform service provided by Typeform S.L. (hereinafter “Typeform”), located at Calle de Pallars 108, 08018 Barcelona, Spain, on our website to provide an online form for event registration and to collect information we require for the purpose of entering into or fulfilling a contract. This includes, for example, photos of your house or the roof shape to assess the technical conditions.
Through the embedded Typeform form, interested parties can register for our events and provide the necessary information. Depending on your input, personal data such as your name, email address, address, phone number, photos, and, if applicable, the name of your organization will be collected and transmitted to Typeform. When you access and fill out the form, Typeform also collects certain technical usage data (e.g., IP address, device and browser information, as well as the date and time of access) via cookies to ensure the form displays and functions properly.
We process the provided data exclusively for the purpose of registering, managing, and organizing the respective event; specifically, to accept your event registration, send you confirmation of participation or information about the event, and carry out the event. The legal basis for this data processing is Article 6(1)(b) of the GDPR, as the provision of the aforementioned data is necessary for the organization of and participation in the event. In addition, we process information in the context of the planning, installation, operation, and maintenance or repair of your photovoltaic system—including photos (exterior view of the house, interior of the roof, exterior of the roof, meter cabinet, electricity meter, inverter, foundations, fuse box, AC box)—to ensure we can plan and install your PV system in the best possible way.
Typeform acts as a data processor on our behalf and may only use the data in accordance with our instructions. We have entered into a data processing agreement with Typeform in accordance with Article 28 of the GDPR. Please note that Typeform stores the collected data on servers belonging to the cloud provider Amazon Web Services (AWS); the main servers are located in the United States. To the extent that data is transferred to the United States in this context, we have agreed with Typeform on EU Standard Contractual Clauses as an appropriate safeguard pursuant to Article 46 of the GDPR to ensure an adequate level of data protection.
We process and store your personal data only for as long as is necessary for the preparation, execution, and follow-up of the event. Once the event has concluded or the purpose of processing has been achieved, the data will be deleted, unless statutory retention periods (such as those under commercial or tax law) require longer storage. Apart from that, the data will be deleted at the latest upon termination of our contractual relationship with Typeform, unless legal requirements mandate further storage.
The provision of the aforementioned personal data is voluntary but necessary for processing the event registration. It is not required by law or contract; without this information, we cannot accept or process your event registration. In this case, participation in the event is not possible.
When you apply for our Future Scholarship at Enpal, you have the option to submit your application materials to Enpal via our website at https://www.enpal.de/stipendium#ueberblick (Apply Now) by clicking the “Apply Now” button. In doing so, you may provide the following personal data:
The legal basis for the processing of your data is Article 6(1)(a) and Article 6(1)(b) of the GDPR.
You have the right to withdraw your consent to the processing at any time without giving a reason. Withdrawing your consent does not affect the lawfulness of processing carried out on the basis of your consent prior to its withdrawal. You can send your withdrawal, for example, to datenschutz@enpal.de. Please note, however, that upon withdrawal, we may be required to delete your personal data in accordance with Article 17 of the GDPR and will then be unable to consider your application further in the recruitment process.
The Enpal website uses various services and applications provided either by us or by third parties. These include, in particular, cookies and similar technologies used to store information on the user’s device or to access it:
Cookies are pieces of information stored on the user’s device and consist, in particular, of a name, a value, the storing domain, and an expiration date. So-called session cookies (e.g., PHPSESSID) are deleted after the session ends, while so-called persistent cookies are deleted after the specified expiration date. Cookies can also be removed manually.
We use certain cookies to enable the basic functions of our website (“Essential Services”). These include, for example, cookies used to format and display website content, to manage and integrate cookies, and to prevent security breaches and ensure the security of our website. Without these cookies, we would not be able to provide our service. Therefore, essential services are used without consent.
In addition to these essential services, we also use marketing and analytics cookies. Marketing and analytics cookies include those we use to analyze your interaction with our website or for marketing purposes. We also use analytics services to evaluate the use of our various marketing channels. The usage information collected is aggregated and allows us to understand the usage habits of our visitors. This helps us adapt and optimize the design of our website and make the user experience more enjoyable.
With the help of these cookies and comparable technologies, as well as simply by establishing a connection to a page, so-called “fingerprints” may be created—that is, usage profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints based on the connection establishment cannot be completely prevented manually.
Most browsers are set by default to accept cookies, execute scripts, and display images. However, you can usually adjust your browser settings to reject all or specific cookies, or to block scripts and images. If you completely block the storage of cookies, the display of graphics, and the execution of scripts, our services will likely not function or may not function properly.
The cookie settings list the cookies and similar technologies we use, organized by category. In particular, we provide information about the providers of these technologies, the retention period for cookies or data stored in local storage and session storage, and the sharing of data with third parties. We also explain in which cases we obtain your voluntary consent to use cookies and similar technologies and how you can withdraw that consent. You can find a detailed list of the cookies we use in the cookie settings.
The data processing essential for the operation of the website is carried out on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR to provide the basic functions of our website. Access to and storage of information on the user’s device is strictly necessary in these cases and is carried out pursuant to Section 25(2)(2) of the TDDDG. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures; in such cases, processing is carried out in accordance with Article 6(1)(b) of the GDPR.
We use all other non-essential (optional) cookies and similar technologies that provide additional features based on your consent in accordance with Article 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on Section 25(1) of the TDDDG. Data processing using these tools only takes place if we have obtained your prior consent.
If personal data is transferred to third countries, we refer you to Section G, also with regard to any associated risks. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we transfer the data processed during the use of the tools (also) to third countries on the basis of this consent in accordance with Article 49(1)(a) of the GDPR.
We use the “Usercentrics” tool to obtain and manage your consents. It displays a banner that informs you about data processing on our website and allows you to consent to all, some, or none of the data processing activities using optional tools. This banner appears on your first visit to our website and when you revisit your settings to change them or withdraw your consent. The banner also appears on subsequent visits to our website if you have disabled the storage of cookies or if the cookies or information in local storage have been deleted or have expired.
During your visit to the website, your consents or revocations, your IP address, information about your browser, your device, and the time of your visit are transmitted to Usercentrics. Additionally, necessary information is stored on your device to document the consents and revocations you have provided (“Cookie_Name” (x years)).
Data processing is necessary to provide you with the consent management required by law and to comply with our documentation obligations. The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in complying with the legal requirements for consent management. Access to and storage of information on the end device is absolutely necessary in these cases and is based on Section 25(2)(2) of the TDDDG.
You may withdraw your consent for specific tools—that is, for the storage of and access to information on your device, the processing of your personal data, and the transfer of your data to third countries—at any time with future effect. To do so, click on the following link: Cookie Settings. There you can also change your selection of the tools you wish to consent to, as well as find additional information about the tools used. Alternatively, you can submit your revocation for specific tools directly to the provider.
This website uses technology provided by our partner, Awin AG, Otto-Ostrowski-Straße 1A, 10249 Berlin. Awin operates an affiliate network that connects website operators who wish to advertise for other companies with companies that wish to sell their products and services. Using cookies and similar technologies, provided you have given your consent in accordance with Art. 6(1)(a) GDPR, information is collected about how you, as a user, navigate from a website to a company such as ours and, if applicable, purchase products there. Further information about the technology used and Awin can be found in the cookie settings, as well as in Awin’s privacy policy, which you can find here.
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address bar of your browser changes from “http://” to “https://” and by the lock icon in your browser bar. When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
We use social media buttons (Facebook, Instagram, Google+, YouTube) on our website provided by Meta Inc., Google Inc., and other companies (“Providers”). These social media buttons are not integrated as plugins via an iFrame, but are provided as links. By clicking on the social media buttons, you will be redirected directly to the website of the respective provider. No data is transferred from the Enpal website to the providers. The respective provider is then responsible for compliance with data protection regulations and for the accuracy, timeliness, and completeness of the information provided there regarding data processing, within the meaning of Art. 4(7) GDPR.
When you enter your data via the form on our website (e.g., the Solar Planner), we process your personal data to contact you and provide you with a customized quote, schedule appointments, and send you information as part of the sales process. In doing so, we will also contact you by phone to explain your personalized solar quote or to clarify any questions, provided you have left your phone number,
In addition, we will send you promotional information about our products and services even before you enter our sales process and beyond, provided you have given your consent. This communication may take the form of emails, phone calls, text messages, push notifications, or our newsletter. To do so, we process, among other things, your name, title, email address, and phone number.
You may object to the use of your contact information for marketing purposes or withdraw your consent at any time.
For more information on your data subject rights, please see Section I.
We may use various tools to communicate with you.
We offer you the option to contact us via the WhatsApp messaging service. We use the services provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. When using WhatsApp Business, WhatsApp’s Terms of Service and Privacy Policy apply.
When using WhatsApp, personal data (e.g., metadata) is processed and may, under certain circumstances, be transferred to servers outside the European Union, particularly to the United States. The information provided in Section G applies to data transfers to third countries.
The use of WhatsApp Business serves exclusively the purpose of customer communication and responding to inquiries and is based on your consent pursuant to Art. 6(1)(a) GDPR. By contacting us via WhatsApp, you consent to communication via this messaging service. In addition, you can give your consent for us to contact you via WhatsApp either on our Solar Planner or during a conversation with our employees. This consent is voluntary on your part, and you will not suffer any disadvantages if you do not give it. Furthermore, you may freely revoke your consent at any time. To do so, you can use the following link and click the “No” button there: Enpal WhatsApp Consent. Alternatively, you can send an email to datenschutz@enpal.de
The data we collect when contacting you will be deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations (see Section H).
Our company uses the customer engagement platform Braze, Inc., 63 Madison Building, 28 East 28th Street, 12th Floor, New York, New York 10016, USA, to automatically send emails, SMS, push notifications, and in-app messages to customers and prospects. Braze enables the creation of journey workflows (Canvas), cross-channel delivery management, and the analysis of key metrics (deliveries, opens, clicks, unsubscribes, conversions). The processing of personal data is carried out for the purpose of sending personalized marketing, service, and transactional messages; for lifecycle automation (onboarding, retention, re-engagement); for performance measurement and optimization through event tracking and A/B testing; and for managing consents and unsubscriptions.
The legal basis for this processing is Art. 6(1)(b) GDPR, insofar as the respective service and transactional messages are necessary for the performance of a contract, and otherwise Art. 6(1)(f) GDPR based on our legitimate interest in enabling you to contact us and allowing us to respond to your inquiry, as well as our legitimate interest in direct marketing to existing customers and in optimizing our communications.
In this context, the following categories of personal data from customers and prospects are processed:
With regard to data transfers to third countries, the information provided in Section G regarding Braze applies.
Detailed event data (e.g., opens, clicks) is automatically deleted after 30 days. User profiles and attributes remain stored for the duration of the business relationship or until revoked or a deletion request is made, and are subsequently deleted.
We use Demodesk GmbH as a service provider for video conferencing, automated scheduling, and AI-powered telephone services to enable efficient and secure communication within our customer processes. The provider is Demodesk GmbH, Isartorplatz 8, 80331 Munich.
The purpose of the processing is the provision, hosting, and maintenance of the Demodesk video conferencing tool as well as a tool for automated appointment scheduling. In addition, we use Demodesk for some client meetings to record video conferences or phone calls. This serves to ensure the quality of our consulting services, to train employees, and to document client meetings so that we can clarify any questions or resolve conflicts that may arise following client meetings.
In this context, Demodesk processes the following categories of personal data from customers and prospective customers:
The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing our customers with efficient and secure customer service as well as seamless appointment scheduling. The legal basis for processing conversations that are recorded or transcribed is exclusively based on consent pursuant to Article 6(1)(a) of the GDPR, which is obtained at the beginning of the conversation through a clear verbal request and logged by the system. If consent is not granted, the call is terminated or transferred to a human agent. To the extent that consent is required (e.g., for recordings), processing is based on Article 6(1)(a) of the GDPR.
The recording is used exclusively for the purpose defined prior to the conversation and is not used for performance or behavioral monitoring or for profiling. Audio files are automatically deleted after 6 months at the latest (or sooner in individual cases), provided there are no legal retention requirements. Any other data collected is deleted as soon as the purpose for which it was collected no longer applies and there are no legal retention requirements. Further information is available in the provider’s privacy policy at https://demodesk.com/de/rechtliches/datenschutzerklaerung.
We use telli technologies GmbH to provide AI-powered telephone services that efficiently support customer processes (e.g., scheduling appointments, switching providers, troubleshooting, and accounts receivable management). The provider is telli technologies GmbH, Knaackstraße 78, 10435 Berlin.
In this context, the following categories of personal data from Telli customers and prospects within and outside the EU are processed:
The legal basis for the processing of calls involving recording or transcription is exclusively based on consent pursuant to Art. 6(1)(a) GDPR, which is obtained at the beginning of the call through a clear verbal prompt and logged by the system (timestamp). If consent is not granted, the call is terminated or transferred to a human agent. For calls involving only call routing or information provision without recording, there may additionally be a legitimate interest pursuant to Article 6(1)(f) of the GDPR in providing our customers with efficient and secure customer service.
At the start of every interaction, Telli clearly states that it is a digital assistant and refers users to this privacy policy, which includes information on the purpose of data collection, retention periods, and the rights of data subjects. Further information is available in the provider’s privacy policy at https://hi.telli.so/datenschutz.
The recording serves exclusively the purpose defined prior to the conversation and is not used for performance or behavioral monitoring or for profiling. Audio files are automatically deleted after 6 months at the latest (or earlier in individual cases), provided there are no legal retention obligations. Other collected data is deleted as soon as the purpose for which it was collected no longer applies and there are no legal retention obligations.
We use Docusign as a service provider for automated appointment scheduling to enable efficient and secure communication and scheduling within our customer processes. The provider is Docusign Germany GmbH, Mies-van-der-Rohe-Straße 6, 80807 Munich.
The purpose of the processing is the creation, execution, and verification of digital or electronic signatures on important documents, such as the electronic signing of the MVT application or a solar system contract. In doing so, information is also collected and recorded to help the parties prove the validity of the transactions, such as the names of the individuals involved and the devices used.
In this context, the following categories of personal data from customers and prospective customers are processed:
The legal basis for the processing is Article 6(1)(b) of the GDPR, insofar as the signing of the document is necessary for the performance of the contract, e.g., the contract itself. Furthermore, there is a legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR in enabling our customers to use an efficient and secure process for contract initiation and execution, in which documents can be digitally signed in a secure and verifiable manner.
The data will be deleted as soon as the purpose for which it was collected no longer applies and there are no legal retention obligations. Further information is available in DocuSign’s Privacy Policy at https://www.docusign.com/de-de/datenschutzerklaerung/datenschutz.
As part of the contract initiation process, we also review the prospective customer’s creditworthiness and payment history to determine whether to enter into a contract. This serves to protect against payment defaults and is necessary for carrying out pre-contractual measures, as Enpal enters into a long-term contractual relationship with you as a customer and fully installs our products at the start of the contractual relationship.
For this purpose, we obtain information from SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, and receive details regarding the verified identity and creditworthiness. In doing so, we transmit your name, address, and date of birth to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. We also transmit data regarding non-contractual behavior or fraudulent behavior to SCHUFA after the contract is concluded. Conversely, as part of the credit check, we receive data from SCHUFA and additionally process your place of birth, your SCHUFA score, your score range, your risk ratio, and your rating level. Your credit check will only be conducted after you have had an initial consultation with an Enpal customer advisor and the next steps have been outlined to you. We conduct the credit check in connection with scheduling an installation preparation appointment.
The personal data and information we receive from SCHUFA is one of several factors we consider when deciding whether to enter into a business relationship with you. No automated decision-making takes place. In addition, we process the personal data and information received from SCHUFA to verify your ownership of the property in question.
The SCHUFA Score is transmitted to the respective company within the Enpal Group that enters into a contract with you. The scoring is based on a mathematically and statistically recognized and proven method. For more information on scoring, please see “Scoring at SCHUFA: Information on the Process.”
The legal basis for this transfer is Article 6(1)(b) of the GDPR.
Transfers based on Article 6(1)(f) of the GDPR may only take place to the extent that this is necessary to safeguard the legitimate interests of Enpal or third parties and does not override the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. Enpal’s interest in conducting credit checks is to minimize the financial default risk associated with the long-term sales financing it offers. At the same time, credit checks are also conducted to protect potential customers from excessive debt. Data processing is therefore also in the interest of the data subjects, meaning that there is no conflict with conflicting interests or the fundamental rights and freedoms of the data subjects.
The exchange of data with SCHUFA also serves to fulfill legal obligations to conduct creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code). The legal basis for data processing is then Article 6(1)(c) of the GDPR.
We store the personal data and information received from SCHUFA for as long as is necessary to conclude a contract with you and provided that no statutory retention or storage periods prevent its deletion (see also Section H).
If you decide to enter into a consumer loan agreement with Enpal to finance the product you desire, we will transmit your name and date of birth to SCHUFA to comply with our legal obligations under the Money Laundering Act (GwG) and for the purpose of preventing money laundering. SCHUFA cross-checks this data against various databases and verifies whether there are any entries regarding you on terrorist or sanctions lists, or whether the entries pertain to a so-called politically exposed person. The legal basis for such processing operations is Article 6(1)(c) of the GDPR.
SCHUFA processes the data received and also uses it for profiling (scoring) purposes to provide its contractual partners in the European Economic Area and Switzerland, as well as in other third countries where applicable (provided that an adequacy decision by the European Commission exists for such countries or standard contractual clauses have been agreed upon, which can be viewed at www.schufa.de) to provide information, among other things, for the assessment of the creditworthiness of natural persons.
For more information about SCHUFA’s activities and data protection (in particular, data retention periods and your rights as a data subject vis-à-vis SCHUFA), please visit “Data Protection | SCHUFA”.
In addition, personal data is collected from notary offices that provide Enpal with the land registry extract required for the conclusion of the contract. The processing for the purpose of verifying ownership status is based on Article 6(1)(b) of the GDPR, as this is necessary for the further initiation of the contract and for the conclusion of the contract.
When you enter into a contract with us, we process your personal data for the purpose of fulfilling the contract. The scope of data processing depends on which contract(s) you enter into with us. A more detailed description of the individual processing activities can be found below in the respective subsection.
We generally process your data solely for the purpose of fulfilling the contract, unless otherwise described below. The legal basis is therefore generally Article 6(1)(b) of the GDPR. In addition, we continue to store your data for commercial and tax law purposes. A more detailed description of the retention period can be found in Section H.
In connection with the planning, installation, operation, and maintenance or repair of your photovoltaic system, Enpal processes the following personal data:
The processing of your photovoltaic system’s production and consumption data includes electricity generation, grid feed-in, and household consumption. Additional information is calculated from this data: the percentage of your solar electricity consumption relative to your total electricity consumption, your feed-in tariff in euros, and the carbon dioxide savings in kilograms. The production and consumption data displayed are provided by the solar logger located in your home and made visible to you in the Enpal app (for more information, see Section E).
Once the contract has been concluded, we will transmit personal data to the refinancing financial institutions for the purpose of refinancing the photovoltaic system. This is necessary to assert the assignment of your contractual rights as stipulated in the General Terms and Conditions for the Lease of a Photovoltaic System and to transfer the corresponding claims to the respective financial institution.
As part of the contract execution, Enpal provides insurance for your photovoltaic system as well as, if applicable, any other products you have leased, such as the energy storage unit and the wallbox. To this end, Enpal transmits personal data to insurance companies. This is necessary to be able to offer you the photovoltaic system, energy storage unit, and wallbox on a lease basis.
Enpal offers an energy storage solution in the form of a battery, which allows customers to store the electricity generated by their photovoltaic system when it is not consumed immediately. In doing so, Enpal processes personal data to operate the product and determine the battery’s charge or discharge status. This data is displayed to you in the Enpal app (for more information, see Section E).
In doing so, Enpal processes data on electricity production by your photovoltaic system, the battery storage level, data on grid feed-in, the household’s current, daily, weekly, monthly, and annual electricity consumption, and, where applicable, that of the heat pump and the wallbox. In addition, the feed-in tariff amount is displayed, self-sufficiency is calculated, grid feed-in and consumption are measured, and the wallbox and heat pump are controlled.
As part of the contract execution, Enpal provides insurance for your photovoltaic system and, if applicable, for other products you have rented, such as the energy storage unit and the wallbox. To this end, Enpal transmits personal data to insurance companies. This is necessary in order to be able to offer you the photovoltaic system, energy storage unit, and wallbox on a rental basis.
Enpal offers a wallbox, i.e., a charging station for your electric car. If you own a wallbox, Enpal processes the wallbox’s production and consumption data—that is, the wallbox’s charge level and the amount of electricity consumed by the electric vehicle when it is connected to the wallbox. This data is made available in the Enpal app (for more information, see Section E). In addition, remote maintenance services are performed and software updates are provided.
As part of the contract execution, Enpal provides insurance for your photovoltaic system as well as, if applicable, any other products you have rented, such as the energy storage unit and the wallbox. To this end, Enpal transfers personal data to insurance companies. This is necessary in order to be able to offer you the photovoltaic system, energy storage unit, and wallbox on a rental basis.
Enpal acts as a marketing agent for private charging station operators in accordance with Sections 37a et seq. of the Federal Immission Control Act (BImSchG) and the 38th Ordinance Implementing the Federal Immission Control Act (38th BImSchV) regarding the greenhouse gas reduction quota (hereinafter “GHG quota”) in the version applicable as of January 1, 2022.
If you have entered into a marketing agreement with Enpal for the marketing of the GHG quota, Enpal processes the data necessary for the performance of the contract on the basis of Article 6(1)(b) of the GDPR. This includes your first and last name, data regarding your battery-electric vehicle, and your account details for the payment of the remuneration. You provide us with the necessary data based on the contract between you and us. For the purpose of fulfilling the contract, we have engaged specialized service providers. Data processing agreements have been concluded. This means that these service providers may only process the data provided by us based on our instructions and, in particular, not for their own purposes.
If you, as a customer, sell your property or parts of the property on which the photovoltaic system is installed, you are entitled and obligated, in accordance with our General Terms and Conditions, to transfer the contractual relationship—including all rights and obligations—to the purchaser. To carry out the change of operator, we process the necessary personal data of both you and the new owner.
As an Enpal customer, you also have access to our customer portal. Here, you can view the installation progress and the refinancing progress of your photovoltaic system. This includes data regarding the status of your contract, the delivery of components, installation, meter replacement, and the commissioning of your photovoltaic system. For refinancing, the following information is required: your monthly installment, the term, and the outstanding balance of your installment purchase; the next direct debit date; the system activation date; SEPA information; customer number; the date of the first payment received; and the status of the refinancing.
This data is processed only if you have entered into a contract with us regarding the installation and operation of a photovoltaic system. We are contractually obligated to provide this data, and the legal basis for data processing is Article 6(1)(b) of the GDPR.
For more information on processing in connection with the performance of the contract for the installation and commissioning of your photovoltaic system, please refer to Section D.
For our central customer communication, we use the provider Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland. The AI-powered platform helps us process customer inquiries received via chat (in the Enpal app and on the customer portal) or via email efficiently and effectively.
In this context, Intercom processes the following categories of personal data from customers:
Data processing in the context of customer communication takes place within the EU and is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest is to provide customers with fast, high-quality service.
To ensure prompt and structured processing even when we receive a high volume of inquiries, we also utilize the platform’s AI features. This helps us sort inquiries by topic, prioritize them, and process them in a targeted manner. For customers, this can lead to shorter wait times and tailored responses. At the same time, this approach supports the scalability of our services and enables our teams to focus on handling complex cases, which contributes to quality assurance across our entire customer support operations.
Intercom is also used for sentiment analysis and escalation classification to assess customer satisfaction and identify high-priority issues. At the start of each interaction, the system notifies users that the conversation is beginning with a digital assistant and refers them to this privacy policy. The AI does not make decisions with legal implications or that could cause comparable significant harm. If customers wish to interact with a human representative or if a concern cannot be processed automatically, the matter is always transferred to a customer service representative.
This processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in improving the quality of our customer service and prioritizing inquiries. No individual customer scoring or profiling in the sense of a systematic evaluation of personal aspects is carried out in this context. If a voluntary satisfaction feedback survey is completed after the interaction has ended, the processing of this feedback is based on our legitimate interest pursuant to Art. 6(1)(a) GDPR in conjunction with § 7(3) UWG.
The data collected in connection with the use of Intercom is deleted as soon as the purpose for which it was collected no longer applies and there are no legal retention obligations to the contrary.
Further information on data protection at Intercom is available in the provider’s privacy policy at https://www.intercom.com/legal/privacy.
We use the provider Lime Connect (Userlike) GmbH, Probsteigasse 44-46, 50670 Cologne, Germany, to communicate with our customers and prospects. Lime Connect is a central communication platform that enables us to contact you via various channels such as WhatsApp, SMS, or other messaging services and to manage these interactions.
Lime Connect processes the following categories of personal data on our behalf based on a data processing agreement in accordance with Article 28 of the GDPR:
Data processing takes place on servers located in the European Union (EU). To the extent that data is transmitted to the respective third-party provider for the use of specific communication channels (e.g., WhatsApp), we ask that you review the privacy policy of the respective service provider.
Communication in the context of contract initiation and execution—such as coordinating appointments or arranging the installation process—is based on Article 6(1)(b) of the GDPR. To the extent that communication is conducted for advertising purposes, the processing is based on your consent pursuant to Article 6(1)(a) of the GDPR (see Sections C and D). You may revoke your consent at any time with future effect.
Further information on the provider’s data protection practices is available at: https://connect.lime-technologies.com/de/legal/privacy-policy/.
When using the Enpal app, certain application data is processed. This includes the type of your mobile device, the operating system used, the language used, technical information about the device used, the date and time of the request, IP address, mobile phone number and device number, current geolocation of the mobile device, phone number and email address, technical information about errors, and data for their analysis.
If you have entered into a contract with us, the provision of your usage data via the Enpal app is part of the performance of the contract and is therefore justified under Article 6(1)(b) of the GDPR. If you use the Enpal app independently of a contract, we have a legitimate interest under Article 6(1)(f) of the GDPR in providing you with the app at your request and processing the data necessary for this purpose. Access to your device data is justified under Section 25(2)(1) of the TDDDG.
You can calculate your savings in the Enpal app. To do this, we process the following data collected when using the app: first and last name, street and house number, ZIP code, mobile phone number, email address, roof shape of your home, skylight characteristics, number of people in the household, time-of-day electricity consumption patterns, and home ownership status.
We only offer this service if you click the “Calculate Savings” button; there is no obligation to do so. We have a legitimate interest in providing our customers with an optimal customer experience, which includes calculating savings through the use of our systems. The processing of your data is necessary to fulfill our legitimate interest and is justified under Article 6(1)(f) of the GDPR.
In order for us to tailor your photovoltaic system to the on-site conditions and your preferences, we need photographs of your house or roof. To do this, you must grant the Enpal app access to your mobile phone’s camera. This is done via a permission request from your mobile phone. The processing of the photos and their linking to your app data is necessary to prepare for and enable the conclusion of a contract with you. We therefore process your data for this purpose based on Article 6(1)(b) of the GDPR.
When you interact with the Enpal App, interaction data is processed automatically. This data arises from actions you perform (e.g., clicking a button), is generated by the Enpal App itself (e.g., crash reports), or is used for content updates (e.g., changes to the displayed text). To process interaction data, the Enpal app uses the Firebase services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Firebase”). Below is a more detailed description of the individual Firebase services.
All of the listed services are certified according to the recognized data protection and security standard ISO 27001. Further information can be found in the Google Firebase Privacy Policy.
When interaction data is processed by Google LLC, your data is transferred to the USA. Further information on transfers to third countries, especially the USA, can be found in Section G. Google is certified under the Data Privacy Framework. This ensures that a level of data protection comparable to that in Europe is maintained.
We use Google Analytics for Firebase to understand how our app is used and to determine which features are of particular interest to users and how we can improve the app. The legal basis for Google Analytics is Article 6(1)(f) GDPR. Further information can be found at: https://firebase.google.com/docs/analytics.
Firebase A/B testing allows us to conduct product and marketing experiments. The goal is to improve the Enpal app. The legal basis for Google Analytics is Article 6(1)(f) GDPR. Firebase A/B testing relies on the information generated by Google Analytics. This means that if you object to the processing of your data within the scope of Google Analytics for Firebase, this objection automatically also includes Firebase A/B testing. Further information can be found at: https://firebase.google.com/docs/ab-testing.
We use Firebase Crashlytics to improve the stability and reliability of our app by analyzing anonymized and aggregated crash reports. To provide us with anonymized crash reports, Firebase Crashlytics collects information about the crash or malfunction (e.g., device, app version, time of crash) in the event of an app crash or malfunction. The legal basis for Firebase Crashlytics is Article 6(1)(f) GDPR. Further information can be found at https://firebase.google.com/docs/crashlytics.
Since the processing described in the previous sections is carried out within the framework of Firebase services on the basis of Article 6(1)(f) GDPR, you have the right to object to this processing pursuant to Article 21(1) GDPR. If you do not want this data to be collected by Enpal via Firebase, you can register your objection in the settings of the Enpal app. You can withdraw your objection at any time by re-enabling the button.
Firebase Remote Config allows us to make changes to app settings without requiring a complete redownload and reinstallation each time. We use this feature to fix content errors or update the content. In this context, certain device information is processed. The legal basis for Firebase Remote Config is Article 6(1)(b) GDPR. Further information can be found at https://firebase.google.com/docs/remote-config/config-analytics.
Unless specific recipients of personal data have already been mentioned, the following applies to other recipients: We generally only disclose the data we collect if there is a legal basis for doing so under data protection law in the specific case, in particular if:
Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy and the cookie banner, these may include, in particular, data centers that store our website and databases, software providers, IT service providers that maintain our systems, CRM systems, agencies, communication service providers, market research companies, group companies, and consulting firms. Furthermore, personal data will be transferred to the following service providers:
If we transfer data to our service providers, they may only use the data to fulfill their tasks. These service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions in accordance with Article 28 of the GDPR, have implemented appropriate technical and organizational measures to protect the rights of data subjects, and are regularly audited by us.
In connection with data processing, data may be transferred to third countries, i.e., to recipients outside the EU or the European Economic Area (EEA). If Enpal transfers personal data to countries outside the scope of the GDPR, Enpal ensures that the recipient of the data guarantees an adequate level of data protection.
If the European Commission has issued a decision regarding the third country as ensuring an adequate level of protection (see Article 45(3) GDPR), no additional measures are required for the data transfer.
In the case of data transfers to recipients located in the USA, the data transfer is based on the Transatlantic Data Privacy Framework (DPF) of July 10, 2023, provided the recipient has the corresponding certification. A list of currently certified companies is available here.
In other cases, as well as in the case of data transfers to other so-called non-safety-assured third countries, data transfers only take place if the requirements of Articles 46 et seq. GDPR are met. Specifically, this means that data will only be transferred to third countries if:
Data transfers to recipients located in the USA who do not have DPF certification and for whom an adequate level of data protection cannot be established through safeguards in accordance with Article 46 GDPR will only take place with your consent in accordance with Article 49(1)(a) GDPR. Please note that for recipients located in the USA without DPF certification, an adequate level of data protection comparable to that in the EU cannot be guaranteed. The following risks therefore exist with such a transfer of personal data: There is a risk that US authorities may gain access to personal data based on the PRISM and UPSTREAM surveillance programs, which are based on Section 702 of the FISA (Foreign Intelligence Surveillance Act), as well as on the basis of Executive Order 12333 or Presidential Police Directive 28. EU citizens have no effective legal remedies against such access in the US or the EU.
We process your personal data for as long as necessary for establishing, implementing, or processing the contractual relationship between you and Enpal, or for exercising or fulfilling the rights and obligations arising from the contractual relationship.
The data we process will be deleted in accordance with Article 17 GDPR or its processing restricted in accordance with Article 18 GDPR as soon as it is no longer required for its intended purpose and there are no legal retention obligations or other grounds specified in Article 17(3) GDPR that preclude deletion.
We are subject to various retention and documentation obligations arising, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention periods prescribed therein range from two to ten years. Finally, the storage period also depends on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.
The data is stored for evidentiary purposes in connection with civil claims, due to statutory retention obligations, or if, in a specific individual case, another legal basis under data protection law exists for the continued processing of your data.
If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
You have the following data subject rights at any time, provided the respective legal requirements are met:
If you have given your consent as the legal basis for the processing of your data by us, for example pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, you can withdraw this consent at any time in accordance with Article 7(3) GDPR. If you do so, we will cease processing your data; however, the lawfulness of the processing prior to the withdrawal remains unaffected.
In accordance with Article 15 GDPR, you have the right to request information from us at any time about all data we store about you. This includes, in particular, information about
The restrictions pursuant to Sections 34 and 35 of the German Federal Data Protection Act (BDSG) must be observed with regard to the right of access.
If your data processed by us is incorrect or incomplete, you can request that we rectify or complete this data at any time in accordance with Art. 16 GDPR.
If the original legal basis for data processing no longer applies, or if you have withdrawn your consent or objected to processing, or if we are no longer permitted to process your data for any of the reasons listed in Art. 17 para. 1 GDPR, you may request that we erase your personal data pursuant to Art. 17 GDPR.
This right does not apply if processing is necessary for exercising the right of freedom of expression and information, for the purposes of the processing, for compliance with a legal obligation to which we are subject, or for the establishment, exercise, or defense of legal claims.
The restrictions set out in Sections 34 and 35 of the German Federal Data Protection Act (BDSG) must be observed with regard to the right to erasure.
Pursuant to Art. 18 GDPR, you may also request the restriction of processing. You have this right if you contest the accuracy of the data, the processing is unlawful, we no longer need the data for the stated purposes, or you have objected to the processing and, in the latter two cases, we are not otherwise legally permitted to process the data.
If we process your data based on legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If the objection concerns data processing for direct marketing purposes, you have a general right to object, which we will implement even without you providing reasons. If you wish to exercise your right to object, an informal notification to datenschutz@enpal.de is sufficient.
Furthermore, pursuant to Art. 20 GDPR, you can request that we transfer your data to you or another controller in a structured, commonly used, and machine-readable format.
You also have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act (BDSG). You can exercise this right, for example, with a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. In Berlin, our registered office, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for up to three years and, in individual cases, for the establishment, exercise, or defense of legal claims, even longer. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against potential civil claims pursuant to Art. 82 GDPR, avoiding fines pursuant to Art. 83 GDPR, and fulfilling our accountability obligation pursuant to Art. 5 para. 2 GDPR.
If you are a customer of other Enpal companies, apply to Enpal, or use the whistleblower protection portal, we inform you about the data processing carried out in this context in the following supplementary data protection information:
In the course of operating the Enpal website or initiating and executing contracts, neither automated decision-making nor profiling within the meaning of Article 22 GDPR takes place that has legal effect on you or similarly significantly affects you.
Enpal ensures that only personal data that is absolutely necessary for the lawful execution and processing of the services offered in the field of innovative solar energy solutions is collected. Furthermore, we adhere to the principle of data minimization within the meaning of Article 5(1)(c) GDPR. You are under no obligation to provide Enpal with your personal data. However, we need your personal data in connection with some of the purposes specified in Section D. Without processing personal data, a business relationship between you as a customer and Enpal is not possible.
We occasionally update this Privacy Policy, for example, when we adapt our website or when legal or regulatory requirements change.