The European Energy Exchange AG informs you within the scope of this privacy notice about how we (hereinafter "EEX", "We" or "Us") process your personal data, with special attention to the processing of personal data according to the general data protection regulation EU 2016/679 ("GDPR") and the applicable national data protection laws.
1. Name and address of the controller
The person responsible within the meaning of the GDPR, within other data protection laws in force in the Member States of the European Union and within other provisions of a data protection nature is:
European Energy Exchange AG
Augustusplatz 9
04109 Leipzig
Germany
Phone: +49 341 2156 0
Fax: +49 341 2156 109
E-Mail: info@eex.com
Link to imprint: https://www.eex.com/en/legal-information/imprint
2. Contact details of our Data Protection Officer
You can reach our Data Protection Officer under:
European Energy Exchange AG
Data Protection Officer
Augustusplatz 9
04109 Leipzig
Germany
E-Mail: dataprotection@eex.com
If you have any questions or comments on the subject of data protection, please contact the data protection officer.
3. Purpose, categories of personal data legal basis and retention
3.1 Purpose, categories of personal data legal basis
3.1.1 General contact by e-mail, post or telephone:
In the course of any request of information, your personal data may be collected by EEX. This includes any type of personal data within the meaning of GDPR, such as contact details (surname, first name, company, position, e-mail, postal address and telephone number). The personal data that we collect from you will only be used to answer and fulfil your specific enquiries. The legal basis is Art. 6 para. 1 lit. (f) GDPR, which permits the processing of personal data for the purpose of our legitimate interest in processing and answering your enquiry. Your personal data processed in this respect will be stored by us for as long as it is necessary to carry out our relationship (communication) with you and in accordance with the applicable legal storage regulations.
3.1.2 Marketing:
We may use your personal data (surname, first name, company, position, e-mail, postal address and telephone number) to send you information about our services, promotions and events similar to services you are already receiving that we think may be of interest to you. We may contact you by e-mail based on our legitimate interests under Article 6 para. 1 lit. (f) of the GDPR if we have a direct business relationship with you or with the company for which you work, and if you have not objected. We may contact you by telephone if you have given your consent (Article 6 para. 1 lit. (a) GDPR) or on the basis of a presumed consent on the condition that you will welcome the call. We may contact you by post on the basis of our legitimate interests under Article 6 para.1 lit. (f) GDPR as long as you do not object. Your personal data processed in this respect will be stored by us for as long as it is necessary to carry out our relationship (communication) with you and in accordance with the applicable legal storage regulations.
3.1.3 Newsletter:
We offer circulars, readiness newsflashes and product newsletters to keep you regularly informed about ongoing initiatives and upcoming projects and any future updates or news about products and events. You can register for the categories you would like to subscribe to on our websites by entering your email address. After entering your data, you will receive an e-mail in which you can confirm your registration in order to activate the newsletter. You can unsubscribe from this service in every newsletter and withdraw your consent with effect for the future. Regarding the processing of your personal data, the relevant legal basis is your consent in accordance with Article 6 Paragraph 1 lit. a in connection with Article 7 GDPR.
3.1.4 Events:
We may use your personal data (surname, first name, company, position, e-mail, postal address and telephone number) to send you an invitation to one of our events based on our legitimate interest. If you participate in our events, we collect your participant data (e.g. name, contact details, e-mail address, billing data) for the organisation and execution of the respective event. In order to carry out and organise the event, your data may also be passed on to other parties involved in the event if this is necessary (e.g. for admission control). The legal basis is Art. 6 para. 1 lit. (b) of the GDPR, permitting the processing of personal data for the purposes of the performance of a contract. Further information may be provided in a privacy notice for the specific event, if this is necessary. Your personal data processed in this respect will be stored by us as long as it is necessary to maintain our relationship (participation in the event) with you and as long as it is necessary in accordance with the legal retention periods.
3.1.5 Performance of contracts and services:
If you or your company want to be authorized as a customer of one of our services, we collect your personal data (first name, last name, contact details, company) to register you to our services and for the usage of our services. The sole responsible body is the respective EEX Group company with which a contract is concluded or occurs in the case of pre-contractual measures. The purposes of personal data processing are determined by the specific service or product. This may include especially assessments, consultation, trading activities, and the execution of business accounting and tolls. The legal basis for processing this personal data is Article 6 (1) lit. b GDPR, as processing is necessary to fulfill a contract or for pre-contractual measures between us and the customer. If the user is not the customer who concluded the contract with us, but an employee of the customer or otherwise authorized by the customer to use our services, the legal basis for processing is Article 6 (1) lit. f GDPR, as the processing is in the legitimate interest of the customer. The legitimate interest of the customer is to enable the user to use our services in accordance with the contract. Your personal data processed in this regard will be stored by us as long as it is necessary to carry out our relationship (registration and use of our service) with you and required by applicable statutory retention laws.
3.1.6 General use of our websites:
When you use our websites and online platforms, we will automatically log information about the browser that is used to access the website, such as your IP address, session time, pages viewed from that address and the website from which you are visiting the website. We may also collect device-specific information, such as your hardware model and operating system.
This information is required to (1) correctly deliver the content of our website, (2) optimize the content of our website and, if necessary, the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. These anonymously collected data and information are therefore evaluated statistically and additionally evaluated with the aim of increasing data protection and data security within EEX in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
Some of our websites or online platforms also offer the possibility of user registration. If you are registered with us, you can access content and services that we only offer to registered users. In the course of the respective registration process, you provide us with further personal data. Registered users also have the option of changing or deleting the personal data provided during registration at any time if required.
We use this personal data for the operation of the website, in particular:
- for the technical support of the users / for the answering of inquiries
- for the guarantee of network and data security, insofar as these interests are in accordance with the applicable law and with the rights and freedom of the users in each case
- for the prevention of malpractice and crime and to investigate improper conduct and detection of fraud and/or
- if we are legally obliged to do so.
The legal basis for the processing of your personal data for these purposes is Art. 6 para. 1 lit. (c) GDPR in fulfilling our legal obligation to take technical and organisational measures to ensure secure data processing in accordance with Article 32 GDPR and Article 6 para. 1 lit. (f) GDPR in order to pursue our legitimate interests in data processing for network and information security. After the specified period of 30 days, the above data will be deleted. If data is processed for a longer period of time, we will anonymise or delete the data as soon as their storage no longer serves the respective purposes.
3.2 Do you have to provide personal data to us?
The provision of your personal data is necessary in order to access the protected areas of the website, which are restricted to members of our customer groups, to contact us directly or to receive a newsletter. This means that it is necessary that you give us your personal data in the context of e.g. to provide a user registration process or contract.
3.3 Do We make automated decisions on you?
We do not make any automated decisions solely on automatic processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
3.4 Retention periods
The retention periods for personal data depend on the purpose of the processing. We will store the personal data mentioned under 3.1 above as long as (i) this is necessary for the respective purpose and / or (ii) this is required in accordance with the applicable statutory retention laws. We will keep personal data that you provide us for as long as our business relationship with you or with your company exists, plus all applicable retention periods that are in accordance with the statutory provisions (e.g. based on tax regulations) or to the extent they are necessary to pursue our legitimate interests after the end of the business relationship (e.g. to assert claims within the statutory limitation periods).
4. Transfer of personal data
We will not disclose your personal data to third parties unless such disclosure is permitted by law or you have explicitly consented to the transfer.
To provide our contractual services, we use selected service providers (data processing providers) and vicarious agents of the categories listed below who have access to your personal data to the extent necessary and can use it to process the orders placed by us.
We may transfer your personal data to public authorities where this is required by applicable law (e.g. the German Stock Exchange Act (Börsengesetz) or the German Securities Trading Act (Wertpapierhandelsgesetz)). A transfer of your personal data is also permitted if there is suspicion of a criminal offence or the abuse of the services offered on our website. In this event, we shall be entitled to transfer your Personal Data to the criminal prosecution authority.
Otherwise, your personal data will be stored exclusively in our database and on our servers or on those of our commissioned data processing providers. We will only share your Personal Data with other controllers for their own purposes such as cooperation or advertising partners under the condition that you explicitly and voluntarily agreed to such transfer of your Personal Data; in this case, we will obtain your consent separately from this Notice.
Sometimes the recipients to whom we transfer your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data.
Under these conditions, recipients of your personal data can be for example:
- public bodies and institutions in the presence of a legal or regulatory obligation (e.g. financial authorities),
- other companies and service providers (processors) / vicarious agents in the following areas:
- print service providers
- telecommunications service provider
- billing service provider
- financial institutions
- collection agencies
- management consultancies as well as business and tax audit companies
- provider of the online platform
- newsletter provider
5. Cookies and similar technologies
When you visit the websites and our online platforms, information is stored on your terminal device in the form of a "cookie." Cookies are small files that are stored on your terminal device and save certain settings and data to exchange with our websites via your browser.
For example, cookies enable us to tailor a website to better match your interests or to store your password so that you do not have to re-enter it every time. As a general rule, we never collect personal data via cookies, unless you have given us your express permission to do so.
If you do not want us to recognize your terminal device, please configure your Internet browser to erase all cookies from your device, to block all cookies or to receive a warning before a cookie is stored. You will find brief instructions on how to do this below.
Please note that certain functions of our website may no longer work, or not correctly, without cookies.
5.1 Types of cookies
Cookies can be assigned to four categories, depending on their function and intended purpose: absolutely necessary cookies, performance cookies, functional cookies, and cookies for marketing purposes.
5.1.1 Absolutely necessary cookies
This category of cookies is needed for you to navigate within websites and operate basic website functions, such as the issuance of anonymous session IDs for bundling several related queries to a server.
5.1.2 Analytics cookies
This category of cookies collects essential information on the usage of our websites, including for example the internet browsers and operating systems used, the domain name of the websites previously visited, the number of visits, the average duration of each visit, and pages called up. These cookies do not store any information that would make it possible to personally identify the user. The information collected with the aid of these cookies is aggregated and is therefore anonymous. Analytics cookies serve the purpose of improving the user friendliness of a website and therefore enhancing the user’s experience. You can block the use of such cookies by creating an exclusion cookie (see “managing cookies” below).
5.1.3 Functional cookies
This category of cookies enables our websites to store information the user has already entered (such as user ID, language selection, or the user’s location), in order to offer improved, personalized functions to the user. Functional cookies are also used to enable requested functions such as playing videos and to make a user’s decision to block or disable a certain function (e.g. web analysis) - “opt-out cookies”.
5.1.4 Cookies for marketing purposes
This category of cookies is used to offer more relevant content to users, based on their specific interests. They are also used to limit the display frequency of an ad and to measure and control the effectiveness of advertising campaigns. They register whether users have visited a website or not, and which contents were used. This information may possibly also be shared with third parties, such as advertisers, for example. These cookies are often linked to the functions of third-party websites. You can block the use of such cookies by creating an opt-out cookie (see “Managing cookies” below).
5.2 Cookies on our websites and online platforms
5.2.1 Absolutely necessary cookies
Cookie-Name |
Description |
Retention period |
form_key |
A security measure that appends a random string to all form submissions to protect the data from Cross-Site Request Forgery (CSRF). |
1 Hour |
form_key |
A security measure that appends a random string to all form submissions to protect the data from Cross-Site Request Forgery (CSRF). |
Duration of the session |
mage-cache-sessid |
The value of this cookie triggers the cleanup of local cache storage. When the cookie is removed by the backend application, the Admin cleans up local storage, and sets the cookie value to true. |
1 Day |
mage-cache-storage |
Local storage of visitor-specific content that enables ecommerce functions. |
1 Day |
mage-cache-storage-section-invalidation |
Forces local storage of specific content sections that should be invalidated. |
1 Day |
mage-messages |
Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper. |
2 Day |
mage-translation-file-version |
Tracks the version of translations in local storage. Used when Translation Strategy is configured as Dictionary (Translation on Storefront side). |
Duration of the session |
mage-translation-storage |
Stores translated content when requested by the shopper. Used when Translation Strategy is configured as “Dictionary (Translation on Storefront side)”. |
Duration of the session |
PHPSESSID |
The PHPSESSID cookie is native to PHP and enables websites to store serialized state data. |
1 Hour |
private_content_version |
Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server. It is set in multiple places: in PHP, in JavaScript as a cookie, and in JavaScript to local storage. For the HTTP Only Yes (based on request) means that the cookie Secure if set during HTTPS request and unsecure if set during HTTP request. |
10 Years |
product_data_storage |
Stores configuration for product data related to Recently Viewed / Compared Products. |
1 Day |
recently_compared_product |
Stores product IDs of recently compared products. |
1 Day |
recently_compared_product_previous |
Stores product IDs of previously compared products for easy navigation. |
1 Day |
recently_viewed_product |
Stores product IDs of recently viewed products for easy navigation. |
1 Day |
recently_viewed_product_previous |
Stores product IDs of recently previously viewed products for easy navigation. |
1 Day |
section_data_ids |
Stores customer-specific information related to shopper-initiated actions such as display wish list, checkout information, etc. |
1 Day |
5.2.2 Analytics cookies
Cookie-Name |
Description |
Retention period |
BT_ctst |
Is used only to detect whether or not cookies are activated in the visitor's browser (only if cookies are activated). |
Duration of the session |
BT_pdc |
Contains Base64-encoded visitor history data (is customer, newsletter recipient, visitor ID, displayed smart messages) for personalization (only if cookie is activated). |
1 Year |
BT_sdc |
Contains Base64-encoded data of the current visitor session (referrer, number of pages, number of seconds since the start of the session, displayed smart messages in the session), which are used for personalization purposes (only if cookie is activated). |
Duration of the session |
_et_coid |
Cookie recognition (only with cookie activation). |
2 Years |
et_allow_cookies |
Required: If data-block cookies are used, the API call _etracker.enableCookies() sets this cookie to "1" to indicate that etracker may set cookies. The cookie is set to "0" when _etracker.disableCookies() is called. |
"0" - 50 years "1" - 480 days |
isSdEnabled |
Recognition of whether the visitor's scrolling depth is measured (only with cookie activation). |
1 Day |
tarteaucitron |
Indicates whether a customer allows the use of cookies. (first party cookie). |
1 Year |
5.3 Managing cookies
You can change your cookie preferences at any time by clicking on the 'Cookies Preference Manager'. You can then adjust the available sliders to 'On' or 'Off' then clicking 'Save and close'. You may need to refresh your page for your settings to take effect.
Open Cookies Preference Manager
Please note: Not all of the cookies mentioned above will necessarily be used when you browse our website using a mobile terminal device.
In the following you will find a summary of links that provide detailed information on the deactivation of cookies in commonly used browsers.
5.4 Social media
If we integrate social media in our communication and you access their services, the data protection conditions of the social media service used apply.
For a detailed description of the respective forms of data processing and your possibilities of objection (opt-out), please refer to the privacy policy information provided by social network provider as listed below.
Our option to access profiles of specific users is limited by the privacy settings of the respective social media platform of each user following one of our social media channels. The information provided on your social media profile is presumed to have been intentionally disclosed. Thus, we may use your profile information for internal report on certain campaigns. Usage of your profile information is limited to the information you have set to be publicly available on the social media site. Furthermore, we store your username as personal data every time you send us a direct message.
Legal basis for processing is Article 6 (1) lit. f GDPR, our legitimate interest.
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland; privacy policy: https://www.linkedin.com/legal/privacy-policy;
Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. - Twitter: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/de/privacy, (settings) https://twitter.com/personalization.
- YouTube: Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://www.google.com/policies/privacy.
6. Disclosure of personal data
Your personal data may be disclosed both within Deutsche Börse Group and within the EEX Group, on a need-to-know basis, to ensure the performance of our services. Should further group mergers with other companies occur in the future or should individual companies belonging to the group decide to establish further subsidiaries, their declaration of consent to this data protection declaration shall continue to apply insofar as compliance with a data protection level comparable with this data protection declaration is ensured.
We may also disclose your personal data to public authorities if required by applicable law. A passing on of your personal data is also permitted if there is suspicion of a criminal offence or the misuse of the services offered on our websites. In this case we are entitled to transfer your personal data to the law enforcement authority.
Otherwise, we will only pass on your personal data to others such as cooperation partners or advertising partners for their own purposes if you have expressly and voluntarily consented to the passing on of your personal data. In this case, we will request your consent separately from this privacy policy.
7. Your rights as a data subject
Under applicable data protection laws, you have rights
- of access to, rectification of, and/or erasure of your Personal Data;
- to restrict or object to its processing;
- to tell Us that you do not wish to receive marketing information; and
- (in some circumstances) to require certain of your Personal Data to be transferred to you or a third party, which you can exercise by contacting Us at the details set out at the beginning of this Notice.
To the extent Our processing of your Personal Data is based on your consent, you also have the right to withdraw your consent, without affecting the lawfulness of Our processing based on your consent before its withdrawal.
To exercise your rights, you can contact Us as set out in Section 2 above. You can also lodge a complaint about Our processing of your Personal Data with a data protection authority. A list and contact details of the local data protection authorities can be found here. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Announced in: February 2021