The legal basis is Art. 6 para. 1 sentence 1 lit. f. DSGVO. As the website operator, we have a legitimate interest in the technically error-free presentation, optimisation and guarantee of the functionality of our website.

4.1 Cookies

We use cookies. Cookies serve to make our website more user-friendly and to enable the use of certain functions. Cookies are small data storage devices with a program code that are stored on your end device and saved by your browser. So-called ‘session cookies’ are used to assign a specific session to a user. For example, the server generates a so-called session ID between a login and a logout and stores it in the cookie. The session cookie is therefore a temporary cookie that is automatically deleted at the latest when the session ends or the device is restarted. So-called ‘persistent cookies’, on the other hand, remain stored even after the session has ended or the device has been restarted. These cookies enable the website operator or their partner companies (third-party cookies) to recognise the browser the next time you visit. According to Section 25, paragraph 1, sentence 1 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), the storage of information in the end device of the end user or access to information already stored in the end device is only permitted if the end user has given their consent on the basis of clear and comprehensive information. According to § 25 para. 2 no. 2 TTDSG, the setting of technically necessary cookies is permitted. Website visitors can set their browsers so that they are informed when cookies are set and only allow cookies in individual cases, accept cookies for specific cases or generally exclude them, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of the website may be limited.

4.1.1 Technically Necessary Cookies

We use technically necessary cookies on our website. Technically necessary cookies are required for the connection with the server to display the website. We use the following technically necessary cookies on our website:

Name	Purpose	Storage Period
CookieConsent (Cookiebot)	Saves the user's consent status for cookies on the current domain.	1 year
CONSENT [x2] (YouTube)	Used to determine whether the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for the website to comply with the GDPR.	2 years
tnsApp (www.connect-gp-joule.de)	This cookie is associated with a bundle of cookies that serve the purpose of delivering and presenting content. The cookies maintain the correct state of fonts, blog/image sliders, colour themes and other site settings.	Persistent
cart-widget-template (www.connect-gp-joule.de)	Used to maintain the visual appearance of the shopping cart pictogram and other visual elements on the site.	Persistent
csrf[frontend.account.recover.request] (www.connect-gp-joule.de)	Ensures browsing security for visitors by preventing cross-site request forgery. This cookie is essential for the security of the website and the visitor.	Session
csrf[frontend.checkout.line-item.add] (www.connect-gp-joule.de)	Ensures the security of visitors' browsing by preventing cross-site request forgery. This cookie is essential for the security of the website and the visitor.	Session
csrf[frontend.form.contact.send] (www.connect-gp-joule.de)	Ensures browsing security for visitors by preventing cross-site request forgery. This cookie is essential for the security of the website and the visitor.	Session
csrf[frontend.store-api.proxy] (www.connect-gp-joule.de)	Ensures visitor browsing security by preventing cross-site request forgery. This cookie is essential for the security of the website and the visitor.	Session
empty-cart-widget (www.connect-gp-joule.de)	Necessary for the shopping cart functionality on the website.	Persistent
object(quot;#-#-#T#:#:#.#Zquot;) (www.connect-gp-joule.de)	Registers statistical data about visitor behaviour on the website. Used by the webmaster for internal analysis.	Persistent
SESS# (www.connect-gp-joule.de)	Maintains the user's states across all page requests.	Session
t3D, tADe, tADu, tAE, tC, tMQ, tPL, tTDe, tTDu, tTE, tTf (www.connect-gp-joule.de)	These cookies are linked together in bundles that serve the purpose of providing and presenting content. The cookies maintain the correct state of fonts, blog/image sliders, colour themes and other website settings.	Persistent

The legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR. We as the website operator have a legitimate interest in the storage of cookies for the technically error-free and optimised provision of our website.

4.1.2 Cookies Requiring Consent

We use cookies that require consent on our website. We only use these if you have given us your consent. Preference cookies enable a website to remember information that affects the way a website behaves or looks, such as your preferred language or the region you are in. Statistics cookies help us to understand website visitors and how visitors interact with websites by collecting and reporting information anonymously. Marketing cookies are used to follow visitors around websites. The intention is to show ads that are relevant and appealing to the individual website visitor and therefore more valuable to publishers and third-party advertisers. We use the following cookies on our website that require consent:

Preference Cookies

Name	Purpose	Storage Period
translationOverlay (us-wbe.gr-cdn.com)	Used in connection with the language setting on the website. Facilitates translation into the visitor's preferred language.	Session
uslk_umm_#_s [x2] (userlike-cdn-umm.b-cdn.net www.connect-gp-joule.de)	Pending	1 year
loglevel:userlike (www.connect-gp-joule.de)	Unique user ID that recognises returning visitors.	Persistent
timezone (www.connect-gp-joule.de)	Saves the user's time zone.	30 days
uslk_umm_# [x2] (www.connect-gp-joule.de) userlike-cdn-widgets.s3-eu-west-1.amazonaws.com)	Pending	Persistent

Statistics Cookies

Name	Purpose	Storage Period
_ga (Google)	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	2 years
_ga_# (Google)	Collects data on how often a user has visited a website, as well as data for the first and last visit. Used by Google Analytics.	2 years
td (Google)	Registers statistical data about visitor behaviour on the website. Used by the webmaster for internal analysis.	Session
yt-player-headers-readable [x2] (YouTube)	Used to determine the optimal video quality based on the visitor's device and network settings.	Persistent
gaVisitorUuid (us-an.gr-cdn.com)	Registers statistical data about visitor behaviour on the website. Used by the webmaster for internal analysis.	1 year
gaUserPageSessionVisit (us-an.gr-cdn.com)	Stores data about the time spent on the website and its subpages during the current session.	Session

Marketing Cookies

Name	Purpose	Storage Period
_gcl_au (Google)	Used by Google AdSense to experiment with advertising efficiency on websites using their services.	3 months
pagead/landing (Google)	Collects data on visitor behaviour across multiple websites to present more relevant advertising – this also allows the website to limit the number of times the same advertisement is displayed. (Pixel)	Session
test_cookie (Google)	Used to check whether the user's browser supports cookies.	1 day
LAST_RESULT_ENTRY_KEY [x2], nextId [x2], requests [x2] (YouTube)	Used to track users' interaction with embedded content.	Session
TESTCOOKIESENABLED [x2] (YouTube)	Used to track how users interact with embedded content.	1 day
yt.innertube::nextId [x2] (YouTube)	Registers a unique ID to keep statistics of the videos from YouTube that the user has seen.	Persistent
ytidb::LAST_RESULT_ENTRY_KEY [x2] (YouTube)	Used to track how users interact with embedded content.	Persistent
YtIdbMeta#databases [x2] (YouTube)	Used to track how users interact with embedded content. (type: IDB)	Persistent
ytidb::LAST_RESULT_ENTRY_KEY [x2] (YouTube)	Used to track user interaction with embedded content.	Persistent
YtIdbMeta#databases [x2] (YouTube)	Used to track user interaction with embedded content. (type: IDB)	Persistent
yt-remote-cast-available [x2], yt-remote-cast-installed [x2], yt-remote-fast-check-period [x2], yt-remote-session-app [x2], yt-remote-session-name [x2] (YouTube)	Stores user settings when accessing a YouTube video embedded in other websites.	Session
yt-remote-connected-devices [x2], yt-remote-device-id [x2] (YouTube)	Stores user preferences when retrieving a YouTube video embedded on other websites.	Persistent
LogsDatabaseV2:V#||LogsRequestsStore (YouTube)	Pending (type: IDB)	Persistent
remote_sid (YouTube)	Necessary for the implementation and functionality of YouTube video content on the website.	Session
VISITOR_INFO1_LIVE (YouTube)	Tries to estimate user bandwidth on pages with integrated YouTube videos.	180 days
VISITOR_PRIVACY_METADATA (YouTube)	Pending	180 days
YSC (YouTube)	Registers a unique ID to keep statistics of the YouTube videos the user has seen.	Session
grUuidHasBeenSet (us-an.gr-cdn.com)	Collects information about the contents of the shopping cart and which products the visitor has viewed – This is used to increase the site's conversion rate through targeted advertising and product promotions via email.	Session

Unclassified Cookies

Name	Purpose	Storage Period
gaDomain-# (us-an.gr-cdn.com)	Pending	1 day
popup:5fae5ff7-f657-4de5-999e-bed0cfb5f548:__sswv (us-wbe.gr-cdn.com)	Pending	Persistent
csrf[frontend.account.gp-joule.login], csrf[frontend.account.gp-joule.register], csrf[frontend.account.gp-joule.register-b2c], csrf[frontend.dvsn.set-configurator.add-to-cart], csrf[frontend.dvsn.set-configurator.save-selection], csrf[moorl-fb-form.submit]e (www.connect-gp-joule.de)	Pending	Session
gr-translations#translations (www.connect-gp-joule.de)	Pending (Typ: IDB)	Persistent

The legal basis is Art. 6 Para. 1 S. 1 lit. a GDPR. You can give your consent to the use of cookies that require consent via our provided Consent solution.

4.2 Consent Tool Cookiebot

We use the consent tool Cookiebot from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (Cookiebot) to manage the cookies used. We have concluded an order processing contract with Usercentrics in accordance with Art. 28 GDPR. With Cookiebot, you can control the use of all cookies that require consent, and we can document and prove your consent. If you have given us your consent, we store the consent date, the consent time and the consent ID. Cookiebot displays a list of cookies categorised by function group, explains the purpose of the function groups and the individual cookies, as well as their storage duration. When you visit our website for the first time or after the cookie has expired or all cookies on the end device have been deleted, the website displays the consent tool Cookiebot as a pop-up window. In it, you can activate or deactivate the cookies categorised by function group. The technically necessary cookies are already stored when you access the website. You can accept cookies by clicking on the ‘necessary cookies’, ‘customise +’, ‘allow cookies’ buttons. The necessary cookies are preselected and cannot be deselected, as this is technically necessary for the presentation of the website. You can revoke your consent at any time by clicking on the open padlock symbol in the bottom left corner of our website. Clicking on the open padlock symbol opens the cookie settings. You can view the current status of your cookie settings with regard to the cookies ‘Necessary’, ‘Preferences’, ‘Statistics’, ‘Marketing’. By clicking on the ‘Show details’ button, you can see the date and time of consent as well as your consent ID. By clicking on the ‘Revoke consent’ button, you can revoke the consent you have given. The consent given will be automatically deleted. By clicking on the ‘Change consent’ button, you will be taken back to the consent tool. Cookiebot is used to obtain and document legally required consent for the use of cookies. The legal basis is Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with Section 25 para. 1 TTDSG.

4.3 Amazon Web Service "AWS"

We host the contents of our website at Amazon Web Services, EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (AWS). The legal basis is Art. 6 para. 1 sentence 1 lit. f DSGVO. We have a legitimate interest in the secure and efficient provision and optimisation of our website. When you visit our website, your personal data is processed on AWS servers. Personal data may also be transferred to AWS's parent company in the United States. We have no influence over this processing activity. AWS is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an adequate level of data protection for the data transfer. We have concluded an order processing contract with AWS. Further information on data processing with AWS can be found at: https://aws.amazon.com/de/privacy/.

4.4 Amazon CloudFront

We use the Amazon CloudFront content delivery network (CDN) from Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS) to increase the security and delivery speed of our website. The legal basis is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the secure and efficient provision and optimisation of our website.

A CDN is a network of globally distributed servers that is able to deliver optimised content to the website user. For this purpose, personal data may be processed in AWS server log files. AWS is the recipient of your personal data and acts as a processor for us. We do not operate a content delivery network ourselves. The functionality of the website is not guaranteed without this processing. We have no influence over this processing activity. For more information about how you can object to or delete your data with AWS, please visit: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf. For more information about data processing by AWS CloudFront, please visit: https://aws.amazon.com/de/privacy/. AWS has implemented compliance measures for international data transfers. These apply to all global activities in which AWS processes personal data of natural persons in the EU. The Amazon group is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an adequate level of data protection for the data transfer.

4.5 Google Tag Manager "GTM"

We use Google Tag Manager (GTM), a service provided by Google Ireland Ltd. based in Ireland, to simplify tag management. A tag is basically a code snippet that can be used to measure website and ad performance. GTM is used to manage code elements such as cookies, tags or pixels. GTM sets a cookie on the website visitor's (user's) end device. In addition, GTM automatically transmits the full IP address of the user (data subject) to the parent company Google LLC, headquartered in the United States. We have concluded an order processing contract with Google. Further information about Google Tag Manager can be found at https://policies.google.com/privacy?hl=de&gl=de. The Google Group is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an appropriate level of data protection for the transfer of data. The legal basis for this processing is Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG in the form of your consent. However, Google also processes your data for its own purposes. We have no influence over this data processing.

4.6 Google Analytics

This website uses functions of the web analysis service Google Analytics. The service provider is Google Ireland Limited (Google) Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies. The information generated by the cookie about your surfing behaviour is usually transferred to a Google server in the USA and stored there. The legal basis for the use of Google Analytics is Art. 6 para. 1 sentence 1 lit. f DSGVO. As the website operator, we have a legitimate interest in analysing surfing behaviour in order to optimise both our website and our advertising. If the appropriate consent has been obtained (e.g. consent to store cookies), the processing is carried out exclusively on the basis of Art. 6 (1) 1 lit. a GDPR or Art. 49 (1) 1 lit. a GDPR.

4.6.1 IP Anonymisation

We have activated the IP anonymisation function on our website. This means that your IP address will be truncated by Google within the area of member states of the European Union (EU) or other parties to the Agreement on the European Economic Area (EEA) before it is transmitted to the United States. Only in exceptional cases will the full IP address be sent to a Google server in the US and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of our website, to compile reports on website activity and to provide us with other services relating to website and internet use. The IP address transmitted by your browser in the context of Google Analytics is not associated with any other data held by Google. You can find more information about data processing by Google at https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/?hl=de.

4.6.2 Browser Plug-in

You can prevent cookies from being stored by selecting the appropriate settings in your browser software. You can also prevent the data generated by cookies about your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

4.6.3 Objection to Data Collection

You can prevent Google Analytics from collecting your data by clicking on the following link. This sets an opt-out cookie that prevents the collection of your data during future visits to our website: disable Google Analytics. For more information about how Google Analytics handles user data, please visit: https://support.google.com/analytics/answer/6004245?hl=de.

4.6.4 Contract Data Processing

We have entered into a contract data processing agreement with Google.

4.6.5 Demographic Characteristics with Google Analytics

This website uses the "demographic characteristics" function. This allows reports to be created that contain information about the age, gender and interests of the website visitors. These data come from interest-based advertising by Google and from visitor data from third-party providers. These data cannot be assigned to a specific person. You can disable this feature through the ad settings in your Google Account or generally prevent Google Analytics from collecting your data as described in the section "Objection to data collection".

4.6.6 Storage Period

Data stored by Google at user and event level that is linked to cookies, user IDs (e.g. user ID) or advertising IDs (e.g. Android advertising ID) is anonymised after 14 months or deleted. You can find details about this here: https://support.google.com/analytics/answer/7667196?hl=de.

4.6.7 Google Analytics Remarketing

This website uses the Google Remarketing feature, which analyses your surfing behaviour on our website in order to assign you to specific advertising target groups and then display suitable advertising messages to you when you visit other online offers (remarketing or retargeting). The advertising target groups created with Google Remarketing can be linked to Google's cross-device features. This means that interest-based, personalised advertising messages that have been adapted to you based on your previous surfing behaviour on one device (e.g. smartphone) can also be displayed on another of your devices (e.g. tablet PC or desktop PC). You can object to personalised advertising at the following link if you have your own Google account: https://www.google.com/settings/ads/onweb/. The legal basis is Art. 6 (1) 1 lit. f GDPR. We as the website operator have a legitimate interest in marketing our products and services as effectively as possible. If a corresponding agreement has been requested, processing will be carried out exclusively on the basis of Art. 6 (1) 1 lit. a GDPR. We use, for example, the customer matching feature of Google Remarketing to create target groups. In doing so, we transfer certain customer data (e.g. email addresses) from our customer lists to Google. If the customers in question are Google users and logged into their Google account, they will be shown appropriate advertising messages within the Google network (e.g. on YouTube, Gmail or in the search engine). You can find more information about data processing by Google at: policies.google.com/technologies/ads.

4.6.8 Google Ads and Google Conversion-Tracking

This website uses Google Ads and conversion tracking. If you click on an ad placed by Google, a cookie is set for conversion tracking. These cookies become invalid after 30 days and are not used for personal identification of website visitors. If you visit certain pages of this website and the cookie is still valid, we and Google can recognise that you clicked on the ad and were redirected to this page. Every Google Ads customer receives a different cookie. The cookies cannot be tracked via the websites of Google Ads customers. The information obtained through the conversion cookie is used to generate conversion statistics for Google Ads customers. We therefore receive the total number of website visitors who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that can be used to personally identify website visitors. If you do not wish to participate in tracking, you can object to this use by disabling the Google Conversion Tracking cookie on your web browser under User Settings. Your data will then not be included in the conversion tracking statistics. The storage of ‘conversion cookies’ and the use of this tracking tool are based on Art. 6 para. 1 sentence 1 lit. f DSGVO. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. If the appropriate consent has been obtained (e.g. consent to store cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR. Further information on data processing by Google can be found at: https://policies.google.com/privacy?hl=de.

4.7 Font Awesome

We use the Font Awesome service from Fonticons, Inc. 307 S Main St Ste 202 Bentonville, AR, 72712-9214, USA, to display the offered content, in particular icons and fonts, in a uniform manner. We have installed Font Awesome locally. Therefore, no connection to the Fonticon, Inc. servers takes place. You can find more information about Font Awesome at: https://fontawesome.com/privacy.

4.8 Userlike

We use the software-based solution for chat communication from the customer communication platform Userlike. Userlike is a service provided by Userlike UG (limited liability), Probsteigasse 44-46, 50670 Cologne. Userlike enables us to communicate with you via chat and to provide targeted help with questions. When you visit our website, the chat widget is loaded in the form of a JavaScript file from AWS-Cloudfront. The chat widget technically represents the source code that is executed on your device and enables the chat. The legal basis for the storage of cookies is § 25 para. 1 TTDSG. Messages that you send to us may be stored in the Userlike ticket system or answered by our employees in the live chat. We delete messages sent to us via the chat as soon as the purpose for storing the data no longer applies (e.g. after your request has been processed) or when you request us to do so. Mandatory legal provisions, in particular legal retention periods, remain unaffected. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR, we have a legitimate interest in processing your requests as quickly, reliably and efficiently as possible. We have concluded a contract with Userlike for order processing. You can find more information about data processing by Userlike at: https://www.userlike.com/data-privacy.

4.9 Facebook Pixel

We use Facebook's visitor action pixel to measure conversion (measure the effectiveness of marketing measures). The service provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). Meta can determine the visitors to our website as target groups for the display of ads in Facebook (Meta-Ads). For us as the website operator, the data collected is anonymous. We cannot draw any conclusions about the identity of the respective user. However, Meta stores this data so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes, in accordance with the Meta data protection guidelines. We have no influence on this data processing.

We use Facebook Pixel to display the meta ads we have placed only to users on meta and partner platforms who have also shown an interest in our online services or in certain topics or products, which can be seen from the websites visited. With the help of Facebook Pixel, we can track the effectiveness of meta ads for statistical and market research purposes. This allows us to see whether users were redirected to our website after clicking on a meta-ad (conversion measurement).

The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR. The data processing only takes place if you have consented to it. Further information on the processing of your data by Meta can be found here: Data Policy, Joint Responsibility. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of the data to the parent company Meta Platforms, Inc. in the USA. Meta is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an adequate level of data protection.

4.10 Contacting GP JOULE Connect via our website

You can choose how you would like to contact us: by phone or using our contact form. When you contact us, we process your information and personal data for the purpose of dealing with your enquiry.

Categories of Personal Data
Contact details (title, first name, surname, mobile phone number, email address), company, subject, concern (free text field), address (street and house number, postcode and city), telephone number, company reference (existing/new customer, commercial/private customer) and selection information on the concern (product area)

Purpose
Processing and answering the concern

Legal Basis
Art. 6 (1) 1 (b) GDPR: If your enquiry is related to the performance of a contract or is necessary to take steps prior to entering into a contract.
Art. 6 (1) 1 (f) GDPR: We have a legitimate interest in dealing with your request effectively

Recipients / Categories of Recipients
We at GP JOULE Connect GmbH support the other companies in the GP JOULE group of companies with administrative tasks. If your enquiry is specifically addressed to another GP JOULE company, we will forward it for processing and answering. Further information on data processing within the GP JOULE group of companies can be found in our notes on data processing within the GP JOULE group of companies.

Storage Period
We store your personal data exclusively for the purpose of processing and answering your enquiry or request. After processing your enquiry, your personal data will be deleted, provided that there are no legal obligations to retain it.

Data Origin
We have received your personal data.

4.11 Customer Login

You can register on our website via our customer login. If you are a registered customer, you can use additional features on our website or services from our partners via our customer login. We use the data entered for this purpose only for the use of the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we must reject the registration. We use the email address provided during registration to inform you of important changes, such as those to the scope of the offer or those that are technically necessary. The data entered during registration is processed for the purpose of implementing the user relationship established by the registration and, if necessary, for initiating further contracts. The legal basis is Art. 6 Para. 1 S. 1 lit. b GDPR.

4.12 Charging Point Management System

You can view your charging infrastructure data in our charging point management system. The data required to create a user account is processed for the purpose of providing the service. The legal basis for this is Art. 6 (1) (b) GDPR.

4.13 Google Maps

We use the map service Google Maps from Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland (Google) to enable you to conveniently enter locations on our website. Google Maps uses cookies and other browser technologies to recognise website visitors and analyse their behaviour on the websites recorded. Furthermore, if you have an active and registered Google account, this data can be linked to your account. We would like to point out that in order to use the Google Maps functions, it is necessary to store your IP address. This information is usually transmitted to a Google LLC server in the United States. The Google Group is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an adequate level of data protection for the data transfer, but Google also processes your data for its own purposes. We have no influence over this data processing. You can find out exactly which data is collected and what this data is used for by Google at the following link: https://www.google.com/intl/de/policies/privacy/. Information on the cookies used by Google can be found at the following link: https://policies.google.com/technologies/cookies?hl=de&gl=de . The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 TTDSG in the form of your consent given by means of our provided two-click solution.

4.14 Google reCAPTCHA

We use Google reCAPTCHA, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to protect our website from a flood of spam from bots (robots/malware) and abusive activity. The CAPTCHA is designed to prevent misuse of our website's login, registration, survey or comment functions through click fraud, fake users or targeted data network overload (DDoS attacks), for example. reCAPTCHA is therefore used to check whether the data entered on our website (e.g. in a contact form) is being done by a human or by an automated program. The legal basis is Art. 6 para. 1 lit. f GDPR, we have a legitimate interest in protecting our website from abusive automated spying and from spam.

Google reCAPTCHA analyses the visitor's behaviour, e.g. by recording the visitor's dwell time and mouse movements. This analysis begins as soon as the visitor visits the website. By accessing this content, you establish a connection to the Google server. This means that your IP address and possibly other identifiers such as your user agent are transmitted to Google. Although the Google Group is certified for the EU-U.S. Data Privacy Framework (DPF), there is an appropriate level of data protection for the data transfer, Google also processes your data for its own purposes. We have no influence over this data processing. You can find out exactly which data is collected and what this data is used for by Google at the following link: https://www.google.com/intl/de/policies/privacy/. You can find information about the cookies used by Google at the following link: https://policies.google.com/technologies/cookies?hl=de&gl=de.

4.15 GetResponse Newsletter

We use GetResponse to send newsletters. The service provider is GetResponse S.A., Grunwaldzka 413, (80-309) Gdańsk, Poland. GetResponse is a service that can be used to organise and analyse the sending of newsletters. Your data is stored on GetResponse servers. We would like to point out that data may be transmitted by GetResponse to servers in the United States in the context of technical and logistical infrastructure. We have a data processing agreement with GetResponse. In addition, GetResponse is certified for the EU-U.S. Data Privacy Framework and thus provides an adequate level of data protection in accordance with the GDPR. For more information about GetResponse's data processing, please visit: https://www.getresponse.com/de/legal/datenschutz.

Newsletters sent with GetResponse enable us to analyse the behaviour of newsletter recipients. This includes, for example, information on how many recipients have opened the email and how often which link in the email has been clicked. With the help of so-called conversion tracking, it can also be determined whether a predefined action (e.g. purchase of a product, sharing of information on social media, unsubscriptions) has taken place after clicking on the links in the newsletter. GetResponse also offers the option of dividing newsletter recipients into groups based on their interests. This allows us to provide our newsletter recipients with content that is as relevant to their interests as possible. You can find more information about data analysis by GetResponse at: https://www.getresponse.com/de/legal/cookie-policy. The legal basis is Art. 6 Para. 1 S. 1 lit. a DSGVO. You can revoke your consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation. If you do not wish GetResponse to analyse your data, you must unsubscribe from the newsletter. You will find a link to do this in every email.

4.16 Links to Other Websites

Our website contains links to other websites. Please note that our data protection information does not apply to these other websites, unless this is explicitly stated.

5. Visiting our Social Media Sites

We operate social media sites with the aim of informing visitors about our services and communicating with you. If you visit social networks such as Instagram, Facebook, LinkedIn, YouTube, etc. or websites with integrated social media content (e.g. like buttons or banner ads), social networks may analyse your surfing behaviour. For example, social networks can associate your visit to our social media site with your user account, provided that you are logged into your social media account. Regardless of this, your personal data may also be collected if you do not have a social media account. Data collection can be done through cookies stored on your device, by collecting your IP address or identifier. Typically, your personal data is processed for market research and advertising purposes. Social networks can create user profiles based on your surfing behaviour and the interests that arise from it, which are used, for example, to display corresponding advertisements within and outside the social network. Please note that your data may be processed outside the EU or EEA, for example in the USA. This may pose risks for you, as it could make it more difficult to enforce your rights as a data subject. For data transfers to the USA, please refer to our information on third-country transfers. We cannot retrace all processing activities of the social networks, in particular whether further processing activities are carried out. You can find more information on this in the terms of use and data protection of the respective social network (see below). With our social media sites, we want to ensure a broad presence on the internet. Our legitimate interest lies in effectively informing users and communicating with them. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. If we have obtained your corresponding consent, the processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 49 para. 1 sentence 1 lit. a GDPR.

5.1 Controller and Assertion of Data Subject Rights

We are jointly responsible with the social network operator for the data processing operations triggered during your visit. In principle, you can assert your data subject rights both against us and against the social network. However, we would like to point out that, despite our joint responsibility with the social networks, we have no comprehensive influence on the data processing operations. Our possibilities for exerting influence are based on the company guidelines of the respective social network.

5.2 Storage Period

We delete data that we collect directly via our social media presence as soon as the purpose for storing it no longer applies, you request us to delete it or you revoke your consent to store it. Mandatory legal provisions, e.g. retention periods, remain unaffected. We have no influence on the storage duration of your data that is stored by social networks for their own purposes.

5.3 Processing by the Social Media Providers

You can find more information about how your data is processed by the individual social media providers here:

• Responsible for Facebook: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland; Privacy Policy; Joint Responsibility; Adequate Level of Data Protection
• Responsible for Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland; Privacy Policy; Joint Responsibility; Adequate Level of Data Protection
• Responsible for YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland; Privacy Policy; Adequate Level of Data Protection
• Responsible for LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Irland; Privacy Policy
• Responsible for XING: New Work SE, Am Strandkai 1, 20457 Hamburg; Privacy Policy

5.4 YouTube

We use the video service YouTube of Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland (Google) to provide you with further information about our services. YouTube uses cookies and other browser technologies to recognise website visitors and analyse their behaviour on the websites in question. Furthermore, if you have an active and registered Google account, this data can be linked to your account. We would like to point out that when you use YouTube's features, your data is usually transmitted to a Google LLC server in the United States. The Google Group is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an appropriate level of data protection for the data transfer, however, Google also processes your data for its own purposes. We have no influence over this data processing. You can find out exactly which data is collected and what this data is used for by Google at the following link: https://www.google.com/intl/de/policies/privacy/. You can find information about the cookies used by Google at the following link: https://policies.google.com/technologies/cookies?hl=de&gl=de. The legal basis for this processing is Art. 6 (1) 1 lit. a GDPR and Section 25 (1) TTDSG in the form of your consent given by means of our provided two-click solution.

6. Other Data Processing

6.1 Connect Products

We collect, process and use personal data only to the extent necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 (1) (b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data concerning the use of our website (usage data) only to the extent necessary to enable the user to use the service. The requested mandatory information must be provided in full. Otherwise, an order and a subsequent contract cannot be concluded. The customer data collected will be deleted after the order has been completed or the business relationship has ended. Statutory retention periods remain unaffected. Further information on data protection can also be obtained directly from the specific products.

6.1.1 Product "Electricity"

We process your personal data (in particular the information provided by the customer in connection with the conclusion of the contract) for the purpose of establishing, executing and terminating the energy supply contract, as well as for the purpose of direct advertising and market research in accordance with the relevant data protection regulations ( e.g. the Federal Data Protection Act (BDSG)), in particular Section 31 BDSG), the Metering Point Operation Act (MsbG) and on the basis of the GDPR, in particular Art. 6 (1) sentence 1 lit. b and f. For the purpose of deciding on the establishment, execution or termination of an energy supply contract, we process probability values for your future payment behaviour (so-called credit scoring); your address data, among other things, is included in the calculation of the probability values. We also reserve the right to transfer personal data about claims against you to credit reference agencies if the requirements of Section 31 of the German Federal Data Protection Act (BDSG), Article 6 (1) sentence 1 lit. b or f GDPR are met.

Your personal data will only be disclosed to the following recipients or categories of recipients within the scope of the purposes stated here: network operator, metering point operator, supplier.

Your personal data will be stored for the purpose of establishing, implementing and terminating an energy supply contract and for complying with statutory archiving and retention obligations (e.g. Section 257 of the German Commercial Code (HGB), Section 147 of the German Tax Code (AO)) for as long as is necessary to fulfil these purposes. For the purposes of direct advertising and market research, your personal data will be stored for as long as we have an overriding legal interest in processing it in accordance with the relevant legal provisions, but for no longer than two years after the end of the contract.

6.1.2 Product "Minol Drive powered by GP JOULE CONNECT"

E-mobility with Minol Drive: smart electric mobility from a single source - powered by GP JOULE CONNECT:

Electric mobility is one of the rising trends in the housing industry. Studies predict that by 2030, at least 30 per cent of cars in Germany will be electric. In future, a flat without a charging point will seem just as unattractive as a flat without an internet connection. The sharing economy trend is also making its way into the world of housing: tomorrow's mobility means no longer having things, but sharing them.

Minol Messtechnik W. Lehmann GmbH & Co. KG, Nikolaus-Otto-Str. 25, 70771 Leinfelden-Echterdingen (Minol), a leading global service provider for the real estate industry, and we, as the e-mobility division of the GP JOULE Group, are combining our expertise to offer the real estate industry tailored and scalable solutions that meet the growing demands of tenants in terms of e-mobility.

The cooperation between Minol's expertise as a service and solution partner for the digitalisation of the housing industry and our expertise as a provider of integrated, modular energy and mobility solutions has resulted in an attractive, comprehensive offering for the housing industry under Minol Drive - powered by GP JOULE CONNECT. This means that we and Minol not only offer solutions for charging e-vehicles, but also an easy introduction to mobility offers with a high level of operator and user convenience:

• E-mobility analysis for your existing portfolio
• Smart charging infrastructure for your property
• Sharing solutions for your tenants
• Comprehensive charging network
• Consultancy and planning, including with regard to funding opportunities and attractive financing offers
• Installation, assembly and acceptance
• Operation, service and maintenance
• Issue and administration of charging cards

We collect, process and use your personal data that we have received from Minol only to the extent necessary for the establishment, content or modification of the contract. The establishment, execution or termination of the contract is not possible without the provision and processing of your personal data. This is done on the basis of Art. 6 para. 1 sentence 1 lit. b DSGVO, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.

If you contact us directly without a contact transfer via Minol taking place, we collect, process and use your personal data insofar as it is necessary for the establishment, content or modification of the contract. The establishment, execution or termination of the contract is not possible without the provision and processing of your personal data. This is done on the basis of Art. 6 (1) sentence 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.

We transmit your personal data to Minol. The purpose of the data transmission is to provide information on the conclusion of the contract (e.g. in negotiation; conclusion; no conclusion) between you and us, for controlling the cooperation between Minol and us, and for billing. Your personal data will be processed exclusively on the basis of your consent in accordance with Article 6, paragraph 1, sentence 1, point a of the GDPR. Your consent is voluntary. You can revoke this consent at any time with effect for the future (in writing to GP JOULE Connect GmbH, Cecilienkoog 16, 25821 Reußenköge or by email to service.connect@gp-joule.de). However, your cancellation does not affect the legality of the processing carried out on the basis of the consent until the cancellation.

You can find Minol's data protection information here: www.minol.de/minol-drive-datenschutzerklaerung.

6.1.3 Product "E.xpert"

E.xpert – the digital consultant for your electrification project, powered by GP JPOULE CONNECT:

The E.xpert supports you with cost forecasts, background knowledge and individual recommendations for action on the subject of electrification. This is how your personal electrification project becomes a plannable reality step by step.

We collect, process and use your data in this context insofar as it is necessary for the establishment, content or modification of our contract with you. The establishment, execution or termination of the contract is not possible without the provision and processing of your personal data. This is done on the basis of Art. 6 (1) (b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect personal data for the professional preparation of your customised advice. During the booking process, we ask for more detailed information about your electrification project, including the type and status of the project and the type, number and type of use of vehicles and parking spaces. When using our service for the areas of petrol station and charging park, information about the location is required. In addition to a manual entry, you can also use an interactive map for this. You can find information about the interactive map in our data protection notice ‘Google Maps’ below. For a better understanding of our ‘Expert Discussion’ service, we provide you with an informative short video via the video service YouTube. You can find information about this in our data protection notice below under ‘YouTube’. When you purchase our extended ‘expert discussion’ service, we collect your contact details (title, surname, first name, postal address, telephone number, email address, company name and VAT ID if applicable). You can find information about the payment process in our data protection notice below under "payment service provider Stripe".

6.2 Payment Service Provider Stripe

For payment processing of our "Expert Talk" service, we offer the option of processing the payment transaction via the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (Stripe). The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR, we have a legitimate interest in offering an efficient and secure payment method. Insofar as it is necessary to pass on your data to Stripe for the fulfilment of the contract, the legal basis for this processing is Art. 6 Para. 1 lit b. DSGVO. In this context, the following of your data is collected and transmitted to Stripe: credit card data (number, validity period, check number, issuer, holder), transaction data (date and time, sum, ID, purchased service), email address and IP address. According to its own information, Stripe processes device information such as the IP address of the device you use when using Stripe for the purpose of technical transmission and uses a cookie for this purpose. The processing of the data specified in this section is not required by law or contract. However, we cannot process a payment via Stripe without the transmission of your personal data.

Stripe has a dual role as controller and processor when processing data. As a controller, Stripe uses your transmitted data to fulfil regulatory obligations. We have no influence over this process. Stripe acts as a processor in order to be able to complete transactions within the payment networks. As part of the processing relationship, Stripe acts solely in accordance with our instructions and has been contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR. Stripe, Inc. (parent company), based in South San Francisco, California, USA, is certified for the EU-U.S. Data Privacy Framework (DPF). In this respect, there is an adequate level of data protection for the data transfer. We store your data until the payment process has been completed. This also includes the period required for processing refunds, claims management and fraud prevention. We are subject to a statutory retention period in accordance with Section 147 AO / Section 257 HGB. You can find more information about objection and removal options vis-a-vis Stripe at: https://stripe.com/privacy-center/legal.

6.3 Payment Service Provider PayPal

We offer you the option of processing the payment transaction via the payment service provider PayPal (PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR, we have a legitimate interest in offering an efficient and secure payment method. Insofar as it is necessary for the fulfilment of the contract to pass on your data to PayPal, the legal basis for this processing is Art. 6 para. 1 lit b. DSGVO. In this context, the following of your data is collected and transmitted to PayPal: first name, last name, address, telephone number and transaction data (date and time, sum, ID, purchased service), email address and IP address. The processing of the data specified under this section is neither legally nor contractually required. However, we cannot process a payment via PayPal without the transfer of your personal data.

PayPal carries out a credit check for various services, such as payment by direct debit, to ensure your willingness and ability to pay. This corresponds to PayPal's legitimate interest and serves the execution of the contract. For this purpose, your data (name, address and date of birth, bank account details) will be passed on to credit reference agencies. We have no influence over this process and only receive the result, whether the payment was carried out or rejected or a review is pending. We store your data until the payment process is complete. This also includes the period required for processing refunds, claims management and fraud prevention. We are subject to a statutory retention period in accordance with § 147 AO / § 257 HGB. Further information on objection and removal options vis-à-vis PayPal can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

6.4 Mastercard

We offer the option of processing the payment transaction via the payment service provider Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (Mastercard). Mastercard may transfer data to its parent company in the USA. The data transfer to the USA is based on Mastercard's Binding Corporate Rules. Details can be found here: https://www.mastercard.de/de-de/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.

6.5 VISA

We offer the option of processing payments through the payment service provider Visa Europe Services Inc., London branch, 1 Sheldon Square, London W2 6TT, United Kingdom (VISA).

The United Kingdom is considered a safe third country under data protection law. This means that the United Kingdom has a level of data protection that corresponds to the level of data protection in the European Union. VISA may transfer data to its parent company in the United States. Data transfer to the United States is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zuzustandigkeitsfragen-fur-den-ewr.html. For more information, please refer to the VISA data protection declaration: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

6.6 Contact with GP JOULE

When you contact us by email, post, telephone, fax, in person, etc., we process your information and personal data for the purpose of dealing with your enquiry or for making contact and the associated processing. Depending on the method of communication, we process the following personal data about you in particular: contact details (title, first name, surname, mobile phone number, email address) and your request. The legal basis for this is Art. 6 (1) 1 (b) GDPR if your contact is related to the performance of a contract or is necessary to take steps prior to entering into a contract (e.g. to prepare and send an offer). In other cases, the processing is based on your consent in accordance with Article 6 (1) (1) (a) GDPR and/or on our legitimate interests in accordance with Article 6 (1) (1) (f) GDPR in the effective processing of requests addressed to us. We are part of the GP JOULE Group (GP JOULE), which is a comprehensive provider of renewable energy. Within the GP JOULE Group, GP JOULE GmbH supports us and the various GP JOULE companies (business units) with administrative and organisational tasks as needed. Further information on data processing within the GP JOULE group of companies can be found in our notes on data processing within the GP JOULE group of companies. After your request has been processed, your personal data will be deleted, provided that there are no legal obligations to retain it.

6.7 Interested Parties, Customers and Contractual Partners

We process your personal data for the performance of a contract and the related implementation of pre-contractual measures (e.g. to prepare and send an offer), or termination of our contract. This data processing is necessary for the mutual fulfilment of obligations under the contract. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

6.8 Contact Persons

We process the contact details of our contact persons, i.e. employees, service providers or agents of our contractual partners. The legal basis is Art. 6 (1) 1 lit. f GDPR. Our legitimate interest lies in the smooth processing of the business relationship.

6.9 Business Contacts, Trade Fairs, Events, etc.

We process your personal data that we have received from you, for example, in the context of business contacts, trade fairs or events, e.g. when you handed over your business card and other data. The data processing is carried out exclusively for the purpose of maintaining contacts, communication and fulfilling a contract and the related implementation of pre-contractual measures (e.g. preparing offers) within the scope of our business or contractual relationship. The data processing is necessary for the mutual fulfilment of contractual obligations or pre-contractual measures. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR. If we have met you at one of our trade fair appearances and we exchange contact details, we use a service provider to collect, supplement and manage contact information. The service provider is snapADDY GmbH, Haugerkirchgasse 7, 97070 Würzburg (snapADDY). We have concluded an order processing contract with snapADDY in accordance with Art. 28 GDPR.

6.10 Microsoft 365

We use Microsoft 365 applications to communicate with you. The service provider is Microsoft Ireland Operations, Ltd. (Microsoft), One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521 Ireland. Microsoft belongs to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft 365 is a communication platform for individual users (e.g. guest users) or teams that can be used across groups. When Microsoft 365 applications are used, users' personal data is processed, in particular the IP address used to access the Microsoft 365 application; user name (access data for the Microsoft 365 application), display name, data related to multifactor authentication; first name, last name, business contact information (telephone number, email address, fax number, etc.), profile picture (optional), preferred language; Data for authentication and for use, e.g. time of access, date, time, type of access, meeting ID, location and creation, modification, deletion of a document, creation of a team and channels in teams; creation of notes in the notebook, starting a chat, replying in a chat; information on the data, files, documents accessed; text, audio and video data. We use the Microsoft 365 applications to communicate with contractual partners for the purpose of implementing the contractual relationship or to offer certain services to our customers. For example, to communicate with you, we will send you an invitation to use Microsoft Office applications as a guest user, such as Microsoft Teams. For information about Microsoft Teams as an online conferencing tool, see 6.10. Online conferencing tools. The legal basis is Art. 6 Para. 1 S. 1 lit. b GDPR. In addition, the use of Microsoft 365 serves to optimise our operational processes and communication with our group of companies. The legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest lies in being able to use functional office applications that are widely used in the business areas in order to be able to communicate efficiently and across the group with our group of companies. We cannot rule out the possibility that your personal data may also be transferred to Microsoft Corporation servers in the United States. We have contracted Microsoft as a processor. Furthermore, all Microsoft Corporation companies are certified for the EU-U.S. Data Privacy Framework and thus demonstrate an appropriate level of data protection in accordance with the GDPR. For more information about data processing in Microsoft Teams, please visit: https://learn.microsoft.com/de-de/microsoftteams/teams-privacy.

6.11 Online Conference Tools

We use online conference tools (Microsoft Teams, Zoom, etc.) to communicate with you. The service provider of the respective online conference tool collects and processes personal data of the participants, in particular email address, telephone number, duration, number of participants, other ‘context information’ in connection with the communication process (metadata). Furthermore, the respective service provider processes technical data that is necessary for the processing of the communication, as well as other service-related data. We have no influence on these processing activities. We use the online conference tools to communicate with contractual partners for the execution of the contractual relationship or to be able to offer certain services to our customers. The legal basis is Art. 6 (1) 1 lit. b GDPR. In addition, the use of online conferencing tools serves to optimise communication with us or our group of companies. The legal basis is Art. 6 (1) 1 lit. f GDPR. Our legitimate interest lies in being able to use functional online conferencing tools that are widely used in the business sectors in order to communicate efficiently with external partners. We have no influence on the storage period of your data, which is stored by the service providers of the online conference tools for their own purposes. We use the following online conference tools:

6.11.1 Microsoft-Teams

We use Microsoft Teams. The service provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. We have contracted Microsoft as a processor. Furthermore, all companies of the Microsoft Corporation are certified for the EU-U.S. Data Privacy Framework and thus demonstrate an appropriate level of data protection in accordance with the GDPR. For more information about data processing in Microsoft Teams, please visit: https://learn.microsoft.com/de-de/microsoftteams/teams-privacy.

6.12 Data Processing Within the Group of Companies

We are part of the GP JOULE Group (GP JOULE), which is a holistic provider of renewable energies. GP JOULE is the integrated energy supplier that is active in all parts of the energy value chain – from generation to use and from advice on financing and project planning to construction and service. GP JOULE GmbH supports the various GP JOULE companies (business units) with administrative and organisational tasks as needed. The business units fulfil their primary tasks/business areas from generation, conversion, distribution, construction to use. Currently, the business units include GP JOULE Connect GmbH, GP JOULE Consult GmbH & Co. KG, GP JOULE EPC GmbH & Co. KG, GP JOULE Hydrogen GmbH, GP JOULE Invest GmbH & Co. KG, GP JOULE Plus GmbH, GP JOULE Projects GmbH & Co. KG, GP JOULE Service GmbH & Co. KG, GP JOULE Think GmbH & Co. KG belong to the GP JOULE Group. This list is not exhaustive. Due to the highly dynamic nature of the renewable energy sector, the GP JOULE Group is constantly growing and new business units are being added. To ensure that our business processes are efficient, it may be necessary for us to process your personal data within the GP JOULE Group for administrative purposes. The legal basis for this is Article 6(1)(f) of the GDPR, provided that the data processing is carried out for administrative purposes. We have corporate and business interests in ensuring that our business processes are efficient. The legal basis is Art. 6 (1) 1 (b) GDPR if the data processing is necessary for the fulfilment of our contractual obligations and the related implementation of pre-contractual measures.

6.13 Invitations to Events, Trade Fairs, etc.

We process your personal data in order to invite you to events, trade fairs, etc. by email or post. The legal basis for this is Art. 6 (1) 1 lit. a GDPR, provided that we have obtained your consent. In all other cases, the processing is based on our legitimate interests in accordance with Art. 6 (1) 1 lit. f GDPR, since we have a legitimate interest in maintaining our contacts and business partners and in carrying out promotional measures.

6.14 Direct Ddvertising

We process your personal data for advertising purposes, for example to inform you about products, services, events, trade fairs, etc., including those of the GP JOULE group, by email, post, telephone (e.g. telephone marketing), via social media, or using digital or printed media, provided you have given your consent to the processing. The legal basis is Art. 6 (1) 1 lit. a GDPR. In addition, we process your personal data for advertising purposes within the scope of our legitimate interest (by post, telephone, etc.). The legal basis is Art. 6 (1) 1 lit. f GDPR. Our legitimate interest lies in the implementation of advertising measures. When it comes to telephone marketing, we naturally comply with the requirements of Section 7 of the German Unfair Competition Act (UWG) (e.g. the existence of presumed consent). We usually collect your data on what are known as lead sheets, which we sometimes also fill out together at trade fairs or events. For the purposes of direct marketing, your personal data will be stored for as long as there is an overriding legal interest of our company in processing it in accordance with the relevant legal provisions, but for no longer than a period of two years after the end of the contract.

6.15 "Greetings from GP JOULE" (Christmas Card, Greeting Card, etc.)

We process your personal data in order to send you ‘Greetings from GP JOULE’ by post or email. The legal basis is Article 6(1)(1)(a) GDPR, provided that we have obtained your consent. In other cases, the processing is based on our legitimate interests in maintaining contacts with our business partners in accordance with Article 6(1)(1)(f) GDPR.

6.16 Job Application

We process the data that you have provided to us in connection with your application in order to check your suitability for the position or for possible other vacancies, to make contact and to carry out the application process from the receipt of the application to the selection decision. You can apply for an advertised position with us via the careers page. In this case, you will need to complete an application form. You can also send us a speculative application by email to bewerbung@gp-joule.de or use the Career Booster to send us an express application. If you apply to us by email or send us an express application, your application will be transferred from the application mailbox to our applicant management system and deleted from the mailbox. If we need further information in the context of your express application, we will send you an email asking you to send us your application documents. You also have the option of adding your Xing or LinkedIn profile as part of the express application. If you provide us with the link to your profile, we will download the publicly accessible part and create a document in our applicant management system. If you receive an invitation to an initial interview, we will conduct it online via video conference. Invitations to the second interview will take place on site. You are not obliged to provide your personal data. However, the provision of personal data is necessary for the decision on an application. However, you should only provide us with the personal data that is necessary to process and complete your application. If you do not provide us with any personal data as part of your application, we will not be able to make a selection. There will be no further consequences for you.

Categories of personal data

• Address data (salutation, title, surname, first name, street, house number, postcode, town/city, country), contact data (email address, mobile number), qualification data (CV, professional career, vocational training, school education, further education, special skills), certificate data, salary expectations, date of birth, marital status, gender, photograph, notice period, "How did you hear about us?" etc.
• Express application: additional Xing profile or LinkedIn profile

Purpose

• Recruitment of new employees (receiving applications, conducting the application process, selection decision), conducting applicant management
• Fulfilment of retention obligations to defend against claims

Legal Basis

• Art. 6 para. 1 sentence 1 lit. b GDPR, § 26 para. 1 BDSG: We process your applicant data exclusively for the application process. The data processing is carried out as a pre-contractual measure (initiation of an employment relationship).
• Art. 6 para. 1 sentence 1 lit. f GDPR: We have an overriding legitimate interest in storing the applicant data for a maximum of 6 months after the application has been rejected in order to fulfil our storage obligation with regard to the defence against claims arising from § 15 of the German General Equal Treatment Act (AGG) and § 61b of the German Labour Court Act (ArbGG).
• Art. 6 para. 1 sentence 1 lit. a GDPR: You have the option of allowing us to consider your application for further application processes (talent pool). If you have consented to the talent pool, we will generally check whether the application data is suitable for inclusion in the talent pool. If the positions are common positions that we often advertise, inclusion in the talent pool is useful. However, if the positions are uncommon and only affect specific, rare areas, they will not be included in the talent pool. Your consent is voluntary. You can revoke it at any time for the future without giving reasons. You can send your cancellation by email to bewerbung@gp-joule.de. There will be no consequences for you if you refuse your consent or if you revoke it. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Recipients/Categories of Recipients
GP JOULE GmbH supports us and the other companies in the GP JOULE group of companies in the application process. To carry out the application process, GP JOULE GmbH uses the applicant management system of softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin (softgarden) and other services (video conferencing, email providers) from Microsoft Ireland Operations Ltd. (Microsoft), with whom data processing agreements have been concluded in accordance with Art. 28 GDPR.

Storage Period

• If your application is unsuccessful, we will store your application data for a maximum period of six months after your application has been rejected.
• If your application is successful, we will transfer your personal data from the application to the personnel file and store it until the end of the employment relationship, unless we are legally obliged to store it for a longer period (e.g. Section 147 (1) no. 1 of the German Fiscal Code – 10 years for tax purposes after the end of the employment relationship). For further information, please contact our personnel administration.
• Talent pool: If you have consented to inclusion in the talent pool, we will store your applicant data for a maximum of two years. If you have withdrawn your consent, we will delete your data.

Origin of Data

• We have received your personal data from you.
• In exceptional cases, we may also receive your personal data from third parties (e.g. headhunters, personnel service providers). If we use third parties for recruiting, we pass on the key data desired for the position in question. If the key data matches possible applicants, we receive corresponding offers from the third party. If we accept an offer, we will receive profiles. Either you have consented to this data being shared with us, or there is another legal basis within the meaning of Art. 6 (1) GDPR. The subsequent data processing is carried out in accordance with Art. 6 (1) sentence 1 b GDPR, § 26 (1) BDSG as a pre-contractual measure (initiation of an employment relationship).

6.17 Corporate Transaction

In the context of a corporate transaction, it may be necessary to transfer your personal data to a third party. This is at least the case with an asset deal. In the context of due diligence, only anonymised or pseudonymised data is processed. However, it may be necessary in specific individual cases to process personal data without anonymisation or pseudonymisation. The legal basis for the processing of your personal data in this case is Art. 6 (1) sentence 1 point f GDPR. Our legitimate interest lies in the execution of the corporate transaction.

7. Sources (Third-party Collection)

We may process personal data that we obtain from publicly accessible sources, e.g. from the internet or social media, to the extent permitted, or that we receive from third parties, e.g. credit agencies. Should this be the case, we will inform you of this in the individual data protection notices of this data protection information.

8. Recipients or Categories of Recipients

As part of our business activities, we sometimes use external service providers. In this respect, your personal data may also be affected. Service providers are carefully selected and commissioned by us, are bound by our instructions and are regularly checked. As a rule, this is done on the basis of order processing in accordance with Art. 28 GDPR. In addition, we only transfer personal data to third parties if there is legal permission to do so or if you have given your prior consent. Your personal data may be disclosed or transferred to the following categories of recipients:

• IT service providers;
• Credit institutions for the processing of payments;
• Companies in the insurance industry in the course of the settlement of claims;
• Collection service providers and lawyers, e.g. to collect claims and enforce claims in court;
• Lawyers, notaries, banks, tax advisors, etc.;
• Company buyers/prospects in corporate transactions;
• Controllers, processors;
• Other authorised parties (e.g. authorities and courts), insofar as there is a legal obligation or entitlement to do so;
• Depending on the order, to other recipients, which we may coordinate with you.

Further information on recipients or categories of recipients can be provided in the context of the individual data protection notices of this data protection information.

9. Transfer to Third Countries

Insofar as we process data outside the European Union (EU) or the European Economic Area (EEA) or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this will only take place if it occurs in order to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. To ensure an adequate level of data protection, we comply with the requirements of Articles 44 to 49 of the GDPR. The EU-US adequacy decision, namely the Data Privacy Framework (DPF), has been in place since 10 July 2023. US companies must undergo a self-certification procedure in order to be able to invoke this adequacy decision. If no certification is available, we generally use EU standard contractual clauses to ensure an adequate level of data protection at the recipient of the data and check the existence of additional guarantees to increase the level of protection of your personal data.

10. Storage Period

We store your personal data for as long as is necessary to fulfil the stated purposes. After that (e.g. after your request has been processed; when the matter in question has been conclusively resolved; after the order has been completed or the business relationship has ended), your personal data will be deleted, unless we are obliged to store it for a longer period due to legal requirements (e.g. commercial or tax law retention obligations). In this case, your personal data will initially be blocked and then deleted after the retention period has expired. Furthermore, data may be stored if you have given your consent in accordance with Art. 6 (1) 1 lit. a GDPR. In the event of obligations to permanently observe objections, we reserve the right to store your personal data (contact data such as email address, telephone number, surname, first name, postal address) in a block list (denylist) for this purpose alone. Further information on the duration of the storage and deletion of your personal data can be provided in the context of the individual data protection notices of this data protection information.

11. Rights of Data Subjects

You have a right against us, within the framework of the legal requirements, to

• Confirmation as to whether we are processing your personal data and information about the circumstances of the processing (Art. 15 GDPR);
• Correction if your personal data is incorrect (Art. 16 GDPR);
• Deletion of your personal data if there is no justification for the processing and no obligation to store it (Art. 17 GDPR);
• Restriction of processing if one of the conditions set out in Art. 18 (1) a) to d) GDPR applies (Art. 18 GDPR);
• Data portability of your personal data in a structured, commonly used and machine-readable format (Art. 20 GDPR);
• Lodge a complaint with a supervisory authority (Art. 77 GDPR).

If the processing of your personal data is based on your consent, you have the right to revoke your consent at any time in accordance with Art. 7 (3) GDPR, with the result that the processing of your personal data will be inadmissible in the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The revocation of consent can be communicated informally by e-mail to service.connect@gp-joule.de or by post to our postal address listed at the beginning of this data protection information.

In addition, you can object to the processing in accordance with Art. 21 GDPR in the case of processing based on a legitimate interest in accordance with Art. 6 (1) sentence 1 lit. f GDPR, whereby you must state a particular reason, except in the case of direct advertising. The objection can be communicated informally by email to service.connect@gp-joule.de or by post to our postal address listed at the beginning of this data protection information.

12. No Automated Decision-making, Including Profiling

We do not process your personal data for the purpose of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR.

13. Data Security

We have taken the necessary technical and organisational measures to protect the personal data you have provided against loss, destruction, manipulation and unauthorised access. All our employees and all persons involved in data processing are obliged to comply with the GDPR, the BDSG and other data protection-related laws and to handle personal data confidentially. Our employees are trained accordingly. Both internal and external audits ensure compliance with all data protection-related processes.

To protect your personal data, we use a secure online transmission method known as "Secure Socket Layer" (SSL) or "Transport Layer Security" (TSL) transmission. You can recognise this by the fact that an "s" is added to the address component http:// ("https://") or a green, closed lock symbol is displayed in the browser. Clicking on the symbol will provide you with information about the SSL certificate used. The way the symbol is displayed depends on the browser version you are using. SSL encryption ensures that your data is transmitted securely and in full.

14. Changes to the Data Protection Information

New legal requirements, business decisions or technical developments may require us to make changes to our data protection information, which we will implement accordingly. You can find the latest version of our data protection information here.

As of: December 2023