DILIGENT ENERGY The AI-Powered Platform for the Renewable Energy Industry

GDPR COMPLIANCE STATEMENT

Last Updated: May 30, 2026

✓ YOUR RIGHTS PROTECTED: Diligent Energy is fully committed to compliance with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Union, European Economic Area, Switzerland, and the United Kingdom.
1. OUR GDPR COMMITMENT
1.1 Compliance Scope. We comply with:
  • EU GDPR: Regulation (EU) 2016/679
  • UK GDPR: UK Data Protection Act 2018
  • Swiss FADP: Federal Act on Data Protection
  • ePrivacy Directive: Cookie Law (2002/58/EC)
1.2 Our Commitment.
  • ✓ Transparent data processing practices
  • ✓ Robust security measures
  • ✓ Respect for individual rights
  • ✓ Lawful basis for all data processing
  • ✓ Prompt response to data subject requests
  • ✓ Regular compliance audits and updates
2. GDPR PRINCIPLES WE FOLLOW
| Principle | What It Means | How We Comply |
| --- | --- | --- |
| Lawfulness | Process data legally and fairly | Clear legal basis for all processing (consent, contract, legitimate interest) |
| Purpose Limitation | Collect data for specific purposes | Clearly state why we collect data; never use it for unrelated purposes |
| Data Minimization | Collect only necessary data | Request only essential information; optional fields clearly marked |
| Accuracy | Keep data accurate and up-to-date | Allow users to update information; regular data quality checks |
| Storage Limitation | Retain data only as long as needed | Clear retention periods; automatic deletion after expiry |
| Integrity & Confidentiality | Protect data with appropriate security | Encryption, access controls, security audits, staff training |
| Accountability | Demonstrate compliance | Document processes, conduct DPIAs, maintain records of processing |
3. YOUR GDPR RIGHTS
3.1 Right to Be Informed.

What it means: You have the right to know how your data is collected and used.

How we comply:

  • Transparent Privacy Policy
  • Clear consent forms
  • Easy-to-understand language
  • Detailed data processing information
3.2 Right of Access (Article 15).

What it means: You can request a copy of your personal data.

How to exercise: Email [email protected] with subject "Data Access Request"

What you'll receive:

  • Copy of personal data we hold
  • Processing purposes
  • Categories of data
  • Recipients of your data
  • Retention periods
  • Your rights information

Timeline: Within 30 days (free of charge for first request)

3.3 Right to Rectification (Article 16).

What it means: You can correct inaccurate or incomplete data.

How to exercise:

Timeline: Changes applied immediately or within 30 days

3.4 Right to Erasure / "Right to Be Forgotten" (Article 17).

What it means: You can request deletion of your personal data.

When it applies:

  • Data no longer necessary for original purpose
  • You withdraw consent
  • You object to processing
  • Data processed unlawfully
  • Legal obligation requires deletion

Exceptions: We may retain data if required for legal compliance, contract fulfillment, or legitimate interests

How to exercise: Email [email protected] with subject "Data Deletion Request"

Timeline: Within 30 days

3.5 Right to Restrict Processing (Article 18).

What it means: You can limit how we use your data.

When it applies:

  • Accuracy of data is contested
  • Processing is unlawful but you don't want deletion
  • We no longer need data but you need it for legal claims
  • You've objected to processing (pending verification)

How to exercise: Email [email protected] with subject "Restrict Processing Request"

3.6 Right to Data Portability (Article 20).

What it means: You can receive your data in a machine-readable format and transfer it to another service.

Applies to: Data you provided based on consent or contract

Format: JSON, CSV, or other structured format

How to exercise: Email [email protected] with subject "Data Portability Request"

Timeline: Within 30 days

3.7 Right to Object (Article 21).

What it means: You can object to certain types of processing.

Applies to:

  • Processing based on legitimate interests
  • Direct marketing (always honored)
  • Profiling for marketing purposes

How to exercise:

3.8 Rights Related to Automated Decision-Making (Article 22).

What it means: You have rights regarding automated decisions that significantly affect you.

Our practices:

  • We do not make fully automated decisions with legal/significant effects
  • AI-generated insights are reviewed by humans
  • You can request human review of any automated assessment
3.9 Right to Withdraw Consent (Article 7).

What it means: If we process data based on consent, you can withdraw it anytime.

How to exercise:

  • Account settings → Privacy preferences
  • Email [email protected]
  • Unsubscribe links in emails

Effect: Withdrawal doesn't affect previous lawful processing

3.10 Right to Lodge a Complaint (Article 77).

What it means: You can file a complaint with your data protection authority.

When: If you believe we're not complying with GDPR

First step: Contact us at [email protected] - we want to resolve issues directly

Supervisory Authority: Contact your local data protection authority if unsatisfied with our response

4. HOW TO EXERCISE YOUR RIGHTS
📧 EMAIL METHOD (All Requests):

To: [email protected]

Subject Line: Specify your request type (e.g., "Data Access Request", "Data Deletion Request")

Include:

  • Your full name
  • Email address associated with your account
  • Specific request details
  • Preferred format for data (if requesting access/portability)

Verification: We may request additional information to verify your identity

Response Time: Within 30 days (may extend to 60 days for complex requests with notification)

🌐 ACCOUNT SETTINGS (Self-Service):
  • Update personal information
  • Change privacy preferences
  • Manage cookie consent
  • Download your data
  • Delete your account

Access: Log in → Settings → Privacy & Data

4.1 No Charge. Exercising your rights is free of charge. We may charge a reasonable fee for:
  • Manifestly unfounded or excessive requests
  • Multiple copies of the same information

We'll always inform you before charging any fee.

5. DATA SECURITY MEASURES
5.1 Technical Safeguards.
  • Encryption: TLS/SSL for data in transit, AES-256 for data at rest
  • Access Controls: Role-based permissions, multi-factor authentication
  • Secure Infrastructure: Industry-leading cloud providers with GDPR compliance
  • Regular Audits: Quarterly security assessments and penetration testing
  • Monitoring: 24/7 intrusion detection and anomaly monitoring
5.2 Organizational Measures.
  • Data Protection Officer: Dedicated DPO overseeing compliance
  • Staff Training: Regular GDPR and data protection training
  • Confidentiality Agreements: All staff sign NDAs
  • Incident Response: Documented breach notification procedures
  • Data Processing Agreements: GDPR-compliant contracts with all processors
5.3 Data Breach Notification.

If a breach occurs:

  • To Supervisory Authority: Within 72 hours of discovery
  • To Affected Individuals: Without undue delay if high risk to rights and freedoms
  • Information Provided: Nature of breach, likely consequences, measures taken, contact point
6. THIRD-PARTY DATA PROCESSORS
6.1 Our Responsibilities. When we use third-party service providers (data processors), we ensure:
  • ✓ GDPR-compliant Data Processing Agreements (DPAs) in place
  • ✓ Processors provide sufficient guarantees for technical and organizational security
  • ✓ Processors only process data according to our instructions
  • ✓ Processors notify us of any data breaches
  • ✓ Regular audits of processor compliance
6.2 Types of Processors.
  • Cloud Hosting: Secure data storage and infrastructure
  • Payment Processing: PCI-DSS compliant payment handling
  • Email Services: Transactional and marketing email delivery
  • Analytics: Usage statistics and platform performance
  • Customer Support: Ticketing and help desk systems

All processors are carefully vetted and contractually obligated to GDPR compliance.

6.3 International Transfers. When data is transferred outside the EU/EEA:
  • ✓ We use Standard Contractual Clauses (SCCs) approved by the EU Commission
  • ✓ We assess adequacy of data protection in destination country
  • ✓ We implement supplementary measures where needed
  • ✓ We document transfer mechanisms for transparency
7. RECORDS OF PROCESSING ACTIVITIES
7.1 Documentation. As required by Article 30, we maintain comprehensive records of:
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients (including international transfers)
  • Retention periods
  • Technical and organizational security measures
7.2 Data Protection Impact Assessments (DPIAs).

We conduct DPIAs for processing activities that may result in high risk to individual rights, including:

  • Large-scale processing of sensitive data
  • Systematic monitoring
  • Automated decision-making with legal effects

DPIAs help us identify and mitigate privacy risks before implementing new features.

8. CHILDREN'S DATA PROTECTION
8.1 Age Requirements.
  • Minimum Age: 16 years (or lower age set by EU member state)
  • Parental Consent: Required for users under 16
  • Verification: We implement age verification mechanisms
  • Deletion: If we learn we've collected data from children without proper consent, we delete it immediately
9. POLICY UPDATES AND REVIEW
9.1 Regular Review. We review our GDPR compliance practices:
  • Quarterly: Internal compliance audits
  • Annually: Comprehensive GDPR assessment
  • As needed: When laws change or new processing activities begin
9.2 Policy Updates. Changes to this compliance statement will be communicated via:
  • Updated "Last Updated" date
  • Email notification for material changes
  • Website banner announcement
10. CONTACT INFORMATION
10.1 Data Protection Officer.

Diligent Energy GmbH

Data Protection Officer: [email protected]

Privacy Inquiries: [email protected]

Data Subject Requests: [email protected]

Security Issues: [email protected]

Response Time: Within 48 hours for urgent matters, 30 days for data subject requests

10.2 Supervisory Authority.

If you're not satisfied with our response, you can contact your local data protection authority:

Find your authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en