Effective starting: 25.5.2018
1. INTRODUCTORY INFORMATION
Etrel respects your privacy and thoroughly protects your personal data.
In this Personal Data Protection Policy (henceforth ‘Policy’), we define the methods of personal data collection, their purpose, security measures, with which personal data are protected, persons, with whom we share them, and your rights concerning the protection of your personal data.
- This Policy affects:
- All users of our Ocean platform (henceforth ‘platform’) and its corresponding mobile application
- Ordering and performing subscription contracts for services provided by Etrel
- Registration to notifications about product news and organized events (Etrel Newsletter)
- The use of any technical support or services offered by Etrel
Ocean system is the central system, divided in two parts backend and frontend. Backend is intended for operators to manage charging stations on the locations they operate. Frontend system is connected with backend system and uses the charging station infrastructure information from Ocean backend and displays it to the end users on their mobile apps for their use to charge their EV.
2. DATA CONTROLLER
This Policy is used for all personal data that Etrel d.o.o., Pod jelšami 6, 1290 Grosuplje, Slovenia (henceforth ‘Etrel’, ‘we’, ‘us’) collects.
As a data controller, Etrel is responsible for the processing and storage of your personal data. If you have any questions about the use of this Policy or about the rights you can exercise arising from this
- Policy, contact us in any of the following ways:
- 01 60 10 075
- Etrel d.o.o., Pod jelšami 6, 1290 Grosuplje, with the addendum ‘Personal data protection’In relation to users of the services that it provides (e.g. Ocean platform), Etrel is a contractual controller.
Operators are Etrel’s clients. They manage their users via the back-end system. Etrel does not access operator’s Ocean instance, but may offer 2nd level and 3rd level support. Operators can upload to the backend system various data such as: charging station’s location pictures, various contractual documents operators have with location (parking lot owners), charging station owners and connection point owners (DSO, energy suppliers).
When Etrel is called by the operator to offer 2nd level or 3rd level support, Etrel will access the client’s Ocean instance via admin role. During the support process all information entered by the operator is seen by Etrel support.
3. DEFINITION OF TERMS
A list of terms from this Policy and their explanations can be found in this section. The purpose of each term listed below is defined in this Chapter.
Personal data means any information relating to an individual that can be used to identify that individual (e.g. first name, last name, e-mail, telephone number).
Controller means the legal person which determines the purposes and means of the processing of your personal data.
Processor means a natural or legal person which processes personal data on behalf of the controller. Processing means the collection, storage, access to, and all other forms of use of personal data.
EEA means the European Economic Area, which includes all member states of the European Union, Iceland, Norway, and Liechtenstein.
4. PERSONAL DATA PROCESSING
Etrel processes your personal data only for clearly defined purposes, in a secure manner, and transparently.
We acquire your personal data when you provide them (such as when you use our website, order our services, request quotes over e-mail, the phone or in writing to are physical address, or in any other way with which you provide your personal data).
Additionally, we acquire your personal data through publicly available data records (e.g. state institutions).
We collect data from 2 types of users, Account Operators – our partners and Operator’s Customers.
Customers can always exercise their right to request access to, correct, amend, delete, port to anotherservice provider, or object to certain uses of your personal data. Customers are generally over 18 years old.
4.1 Types of Personal Data Collected
Etrel can collect the following information or types of information:
- 1) From account operators:
- Basic personal data (first and last name, address and billing address),
- Basic contact data (telephone number, e-mail address),
- Basic data about the company you work for (company name, your role in the company, No. of employees),
- Payment details,
- How and when you access your account and the Ocean platform, including information about the device and browser you use, your network connection and your IP address.
- 2) Account Operators’ customers’ (End users):
- Basic personal data (first and last name, billing address),
- Basic contact data (telephone number),
- Information about sessions you initiate,
- Information about the device and browser you use,
- ID and type of vehicle.
Etrel follows the principle of data minimization as provided by legislation, which is why we collect only data appropriate, relevant, and limited to what is required for purposes for which they are collected. The purposes for which we collect personal data are defined in chapter 4.3 of this Policy.
4.2 Legal Basis for the Collection and Processing of Personal Data
We collect and process certain types of data on the base of contractual agreement. This mainly applies to processing data operators (instance owners) data that are entrusted to us through Admin accounts in the Ocean ecosystem.
- In accordance with personal data protection legislation, we may process your personal data on the following legal bases:
- Where the processing of your personal data is necessary to perform a contract, you’ve entered into
- Where you’ve given your consent to the processing of your personal data for a particular processing purpose. You always have the right to withdraw your consent.
- For instance, creation and setup (contact name, company, company address, billing address, email, charging station information).
- For invoicing (contact name, company, billing address, e-mail).
- For messaging for informational purposes (new features, updates, upgrades…).
- For provision of 3rd and 2nd level support (instance owners’ data, end user data).
- Where Etrel has a legitimate interest to process your personal data (when we’re processing data based on a legitimate interest, we’ll specify that explicitly in this Policy)
- Where processing is necessary for compliance with legal obligations (such as data we store for tax-related obligations).
In case end user data is accessed, there is a report system in place, that provides detailed information regarding the path used and the scope of data accessed in the process of resolving support request. Instance owner must therefore collect user consents for these events.
- Scope of personal data seen by Etrel’s support:
- charging station’s location information
- end user’s information (identification, Electric Vehicle information, contract terms, charging session information)
- number of end users
- uploaded documents with location pictures, contracts with location owner
Only those personal data have to be provided that we collect based on legal requirements.
Providing personal data that we require to perform a contract is voluntary. We would like to remind you that in case you do not provide your personal data that we require to provide our services (e.g. entering into a contract), we will not be able to provide that service.
Giving consent is always voluntary and without any adverse consequences. We would like to remind you that certain services (e.g. e-notifications, targeted advertising) cannot be provided without your consent or after you withdraw your consent.
4.3 Purposes of Processing
Etrel will process your data only for specific, explicit, and legitimate purposes. We undertake to not use your personal data in ways that are incompatible with the purposes defined in this Policy.
The purposes for which we may use your personal data are defined below. Etrel may use your personal data for one or more of the defined purposes.
- The purposes for which we will use your personal data are the following:
- Data on account operators: For the purposes of provide clients (=operator) with SaaS services. E.g. to confirm operator’s identity, contact, and invoicing purposes you. We also use this information to make sure that we comply with legal requirements.
- Data on Account Operators’ customers’ (End users): For the purposes of provide clients (=operator) with SaaS services, including supporting and processing charging sessions, risk and fraud screening, authentication. We also use this information to improve our Services.
- Communicating with you regarding the performance of our services and responding to your requests (especially notifications pertaining to the Ocean platform, responding to your requests for quotes made through online or physical forms, filling out satisfaction questionnaires).
- Entering into a contract and performing obligations from that contract. Specifically, the provision of services such as registrations and orders made through our website. All personal data processed in relation to orders in on our website is processed with the purpose of entering into and performing contracts that you entered into with us. If you do not provide all data required to complete an order, we reserve the right to delay or cancel the order.
- For marketing communications (such as notifications about new services or upgrades of existing services)
- For marketing communications, based on targeted or individualized offers. The use of some personal data helps us to personalized communication with you so that it’s as interesting and useful to you as possible. Based on certain personal data, we can divide individuals into groups, enabling us to tailor the content of messages to each group. We monitor individuals’ activities when categorizing them. Marketing communication with targeted or individual offers will be conducted only with your explicit consent.
- Transmission of personal data to third parties. We will transmit personal data only to those third parties defined in chapter 6. Your data will be transmitted only when justified by our legitimate interest of ensuring a safe and legitimate business and the performance of legal obligations (such as tax-related obligations, which may include transmitting your personal data to tax authorities). An exception is our contractual partners used for the purpose of remarketing. In this case, we will transmit your personal data only with your explicit consent.• In relation to any legal claims or for the resolution of disputes. During the course of protecting our business and exercising and/or protecting our rights, personal data may be disclosed. Your personal data will be disclosed only in the manner and under circumstances defined by the law.
- For statistical analyses. To improve the user experience, we conduct analyses of the use of our website, which is our legitimate interest of maintaining and/or improving our business success. You have the right to withdraw your consent for any processing of your personal data at any time. You can communicate the withdrawal of your consent to any of the contacts listed in Chapter 2 of this Policy.
4.4 How Long We Store Your Personal Data
All data is stored on the server in Germany, provided by company Hetzner. Operators are in charge of the personal data of end users and may delete them in full at any time.
We store your personal data in accordance with applicable legislation and (i) only for as long as it is necessary to achieve the purpose for which the data is processed, or (ii) for a period prescribed by law (such as 10 years for storing issued invoices), or (iii) for a period that is necessary to complete a contract, which includes warranty periods and periods during which any claims can be made based on the concluded contract (e.g. 5 years after the end of the contractual obligations).
Personal data acquired based on your consent is stored permanently or until you withdraw your consent (you can read more about how to withdraw your consent in Chapter 9 of this Policy). Data collected based on your consent will be deleted even before you withdraw your consent if the purpose for which the data were collected has been achieved.
Personal data for which the storage period has expired (e.g. because the purpose for which they were collected has been achieved, or because the legal deadline has been reached) will be erased, destroyed, or rendered anonymous to prevent the personal data from being reconstructed.
If you need more information about the storage periods of your personal data, please use one of the contacts listed in Chapter 2 of this Policy.
5. PERSONAL DATA PROTECTION
- Etrel has taken the appropriate technical and organizational measures to protect your personal data, especially:
- Regular and effective upgrades to software and hardware where your personal data are stored
- Securing access to personal data
- Backup creation
- Training of employees who are responsible for the processing of personal data
- Informed and thorough decision-making when selecting the processors of your personal data
- Monitoring employees and other processors of your personal data, including conducting audits
- Control and adequate action in the event of a security breach, with which we prevent or limit the damage to personal data
Etrel protects your personal data from illegal or unauthorized processing and/or access, and from unintentional loss, destruction, or damage. All measures we take are within our technical capacities (including the costs of taking certain measures) and at the discretion of the effects they have on your privacy.
In the event of a personal data breach, Etrel will inform the competent supervisory authority about the breach without hesitation. The supervisory authority in the Republic of Slovenia is the Data Protection Officer.
In the event a suspicion that a criminal act was committed, Etrel will also report the breach to the police and the competent state prosecutor’s office.
In the event a personal data breach occurs that could pose a great risk to the rights and freedoms of data subjects, Etrel will inform you of such breach immediately.
6. TRANSFERRING PERSONAL DATA
Your personal data – for the expressed purpose for which they were collected – can be transferred, consulted or access to certain third parties listed below. Each user with whom we share the personal data may process the data only for the purposes for which they were collected. Additionally, all users are required to follow applicable legislation and the provisions of the Personal Data Protection Policy.
- Your personal data can be transferred to:
- Business partners that help us provide certain services, such as advertising and marketing agencies. For remarketing purposes, we use Google AdWords and Google Analytics, and Facebook Ads, which help us show you relevant advertisements. For e-mail newsletters and notifications, we use Mailchimp service and for ensuring the adequate support as well knowledge base, we use Jira and Confluence software solutions from Atlassian corporation.
- Other contractual partners that provide services to Etrel (e.g. Hetzner, law firms).
- Partner companies that help us provide our services.
- Conform to legal requirements, or to respond to lawful court orders, subpoenas, warrants, or other requests by public authorities (including to meet national security or law enforcement requirements).
- Prevent, investigate, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or any other agreement related to the Services, or as otherwise required by law.
- Personal information may also be shared with a company that acquires our business or the business of a merchant whose store you visit or access, whether through merger, acquisition, bankruptcy, dissolution, reorganization, or other similar transaction or proceeding.
Your personal data may be transferred to third parties (listed above) outside of the European Economic Area (EEA), where these data can be processed by us or third parties. For each transfer outside of the EEA, we’ll take additional steps to ensure the security of your personal data.
Such steps include agreements with third parties about creating binding personal data protection rules, verification of the existence of approved certification mechanisms in line with our personal data protection standards, and defining contractual provisions that cover personal data protection.
WHAT ARE COOKIES?
Cookies are small text files that most websites store on devices with which users access the Internet. They are designed to recognized individual devices that users used to access a website. Their storage is completely controlled by the user’s web browser. Users can freely restrict or block the storage of cookies. Cookies are not harmful and always expire.
WHY ARE THEY USED?
- Some examples on how cookies are used:
- Improving the user experience of a website by adjusting the way content of the website is displayed based on past visits
- Storing choices, the user made when displaying a selection of devices and offers, and displaying comparisons
- Recognizing your device (computer, tablet, smartphone), which allows us to adjust how the content is displayed to fit the device.
- Tracking visits, which allows us to check how effective the content we display is, to make sure ads are relevant, and to continuously improve our websites.
1. STRICTLY NECESSARY COOKIES
Necessary cookies enable the use of components necessary for the website to function correctly. Without these cookies, the services that you’d like to use on this website wouldn’t work correctly.
2. PERFORMANCE COOKIES
These cookies collect data on how users behave on the website in order to improve the performance component of a website (e.g. which content on our website you visit most often). These cookies do not collect information which could identify the users. They ensure that using the website is a pleasant experience.
3. FUNCTIONALITY COOKIES
These cookies enable the website to remember some of your settings and choices (e.g. language, region) and enable advanced, personalized functions. These cookies may allow your actions on the website to be tracked.
4. ADVERTISING OR TARGETED COOKIES
These cookies are most commonly used by advertising and social networks (third parties) with the goal to show you more targeted ads, reduce repetition of ads, or measure the effectiveness of advertising campaigns. These cookies enable your actions on the Internet to be tracked.
- For more information about the options available for each browser, we recommend you to check their settings.
- Internet Explorer 9
- Internet Explorer 7 and 8
Using cookies allows us to adapt online content to make it more attractive to individuals. Additionally, we conduct website use analyses which allow us to improve and edit our website to make it more userfriendly.
Some cookies are strictly necessary, because our website couldn’t work without them, whereas you can refuse all other cookies. We use strictly necessary cookies to store statistical data about the use of our website and to store information necessary for contact forms available on our website.
In addition to strictly necessary cookies, we use other cookies that allow us to get to know our users better and to provide you with targeted advertising on the basis of the data we collect. Refusing cookies can cause certain content or functions of the website to not function properly (especially features that allow the website to adapt to the interests of the user).
Overview of all cookies:
In addition to first-party cookies, we use the following third-party cookies: Google Analytics, Google AdWords, Display Advertising extension for Google Analytics (all listed cookies by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA), Hotjar, ActiveCampaign (by ActiveCampaign, LLC, North Dearborn Street, 5th Floor, Chicago, IL 60602), AdRoll (by AdRoll Inc. 972 Mission Street, San Francisco, CA 94103), Facebook Custom Audience in Facebook remarketing (by Facebook Inc, 1 Hacker Way, Menlo Park, CA 9420).
- You can refuse all third-party cookies listed above or delete them from your browser at any time.
We want to remind users that the service providers listed above may collect certain personal data, which is not connected to the data collection done by Etrel. Any such independent personal data collection is not covered by this Policy, but is covered by the privacy policies of each cookie provider.
- You can read more about personal data protection for third-party cookies in the privacy policies of each third-party cookie provider:
8. WEB PLUGINS AND ACCESS TO SOCIAL NETWORKS
Our website uses the YouTube plugin (controller YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA), while YouTube is controlled by Google. If you visit our website’s content that contains a YouTube plugin, a connection with YouTube’s servers is established, which means that YouTube is made aware of your visit to our website.
More about how YouTube handles user data can be found on their website.
Etrel assumes no responsibility for any activities related to social media.
9. RIGHTS OF DATA SUBJECTS
- You have the following rights in relation to the processing of personal data:
- Access to personal data: You can request information from Etrel about whether they process your personal data. If they do, you can request access to your personal data and information about the processing (which data is being processed and where the data come from).
- Rectification of personal data: You can request that Etrel rectifies or amends imperfect or inaccurate data about you which is being processed.
- Restriction of processing of personal data: You can request that Etrel limits the processing of your personal data (e.g. when the accuracy or completeness of your personal data is being verified)
- Erasure of personal data: You can request from Etrel that they erase your personal data (we cannot erase those personal data that we control due to legal obligations or based on a contractual relationship).
- Copy of personal data: You can request from Etrel that they provide a copy of the personal data that you sent in a structured, commonly used, and machine-readable format.
- Withdrawing consent: You have the right to withdraw your consent about the use of personal data that we collect and process with your consent at any time. You can withdraw consent in any way listed in Chapter 2 of this Policy. Withdrawing consent has no drawbacks, but it is possible that Etrel will not be able to provide certain services to you after you withdraw consent.
- Objecting to processing of personal data: You have the right to object the processing of your personal data when the purpose of the processing is direct marketing or transferring your personal data to third parties with the purpose of direct marketing. Additionally, you can object the processing when your data is being used with the purpose of indirect marketing with the use of personalized or individual offers (profiling). You can communicate your objection in any way listed in Chapter 2 of this Policy.
You can exercise all your rights by contacting us through any channel listed in Chapter 2 of this Policy. Additionally, these contacts are available to you if you need any additional information regarding your rights.
You have the right to lodge a complaint against us with a Data Protection Officer, which is the supervisory authority for personal data protection.
Etrel ensures that the personal data being processed is up to date and complete. Please communicate any changes of your personal data at firstname.lastname@example.org or +386 1 60 10 075. We will correct or amend your personal data as soon as possible.
Etrel reserves the right to request certain personal data (e.g. first name, last name, e-mail address) when you exercise any of your rights from this chapter to facilitate the identification of the data subject.
10. FINAL PROVISIONS
Etrel reserves the right to change this Policy. If any changes do occur, we will notify you about that in advance. You agree to the new version of this Policy if you continue using our website and other services defined in this Policy after a new version of the Policy is published.