Privacy Policy of PRISMA European Platform GmbH

Customers, platform users, employees, applicants to the job positions offered by PRISMA, service providers and shareholder representatives. Occasionally, and after obtaining consent, we process pictures of employees and people that attend our events.

We collect names, birthdays, email addresses, postal addresses, IP addresses, phone numbers, invoicing information, job applications, pictures and consented video and voice recordings.

You directly provide our Company with most of the data we collect. We collect data and process data when you: 

• register at our platform as User administrator or User, 

• enter into a service contract, 

• enter into a contract with PRISMA as a freelancer, 

• enter into a REMIT Reporting agreement, subscribe to our Inside Information Platform or any other additional service provided by PRISMA, 

• subscribing to receive our newsletter, 

• apply for a job at PRISMA, 

• share your business or personal information with us, e. g. via email, business card, telephone or voice over IP calls 

• attend a PRISMA organized online webinar or meeting, 

• contact our Customer Success Team and 

• attend one of our events. 

PRISMA may also receive your data indirectly from your company if: 

• you are the company’s representative, 

• you are nominated by one of your shareholders to make governance decisions, 

• you are designated to be a contact between your company and PRISMA, and 

• your information has been legally made publicly available.   

We could also obtain your personal information via Cookies. Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our website, we may collect information from you automatically through cookies. 

How do we use cookies: We process your personal data by using a cookie that stores your Login credentials. This is a session cookie that is automatically deleted after your visit. We need this cookie to collect your User ID only for user validation. Without fulfilling this validation process is impossible for us, because of legal, contractual and security reasons, to grant you access to our platform. 

We use the services of Google Analytics which also uses cookies. These cookies are stored on your computer and allow the analysis of the use of the website. The information generated by the cookie is usually stored in a google server in the US. You can prevent Google’s storage of cookies by setting it in your browser. However, this may prevent you from fully using all the website features. Furthermore, you may prevent Google from collecting and processing the data generated by the cookie by downloading the browser plug-in available under the following link https://tools.google.com/dlpage/gaoptout?hl=de  

We may process the personal data of our clients or other data subjects based on contractual obligations.  

For instance: 

• PRISMA’s General Terms and Conditions (GTCs) for Use of the PRISMA Capacity Platform. This includes processing personal data of our platform users to enable registration in our platform and the booking and trading of gas capacities. Processing the personal data of our users also allows us to monitor the well-functioning of our platform and to provide proper service management; 

• PRISMA’s service contracts for the development and operation of an electronic platform for gas infrastructure operators for the allocation of capacities (primary capacity platform), for the trading of capacities (secondary capacity platform) and for related services, such as the marketing of gas storage capacities; 

• REMIT Reporting Contracts to fulfil the delegated obligation of allowing Network Users to report their relevant trade data to the relevant recipients; 

• Inside Information Platform (IIP) Contracts to enable Network Users that hold a valid Platform Service Contract with PRISMA to fulfill their obligation of publishing their inside information in an effective and timely manner.  

• Automated Shipper Connection and Application Program Interface (API) Contracts to connect the contract management of Network Users to the PRISMA Platform and provide secure and reliable data exchange of relevant trade information, 

• Any other (pre-)contractual or business relation or contact with PRISMA. 

In the context of contractual obligations, we also process personal data to provide customer care, solve tickets and to improve our customers’ experience at our platform and improve our service. 

Newsletter: We process personal data of clients and other data subjects interested in our services after receiving explicit consent to receive our Newsletter. In our Newsletter: PRISMA Insights, we inform recipients of our future projects, events and general news about our company and the gas market. 

Job applications: We process personal data of applicants to evaluate their job applications. We keep their personal information for longer than legally allowed only after obtaining consent.  

Representatives of Service Providers: We process the personal data of the representatives of service providers to evaluate offers, fulfil the contract and enable the provision of the service.  

We also process personal data to fulfil legal and regulatory requirements. 

At PRISMA we neither sell nor lease any personal data. Furthermore, we DO NOT perform any type of automated decision-making based on your personal data. 

We might share your personal data with third parties in the context of the reasons explained above.  We may share your personal data with some of our service providers under strict contractual clauses. We might also share personal information of our clients if required by a competent authority. Finally, we might also share the personal data we collect after receiving your explicit consent.

Service Provider:

We share your personal data to service providers that help us to provide our main service. We only work with service providers that lawfully process your personal data. To ensure they have high standards of personal data protection, we have in place a contract management system that allows us to evaluate providers processing activity and commitment towards the protection of personal data. We also keep constant communication to our service providers.  

Our main service providers and their privacy policies are: 

• Amazon Web Services: https://aws.amazon.com/privacy/  

• Boldare: https://www.boldare.com/privacy-policy/  

• BTC AG: https://group.btc-ag.com/privacy-statement  

• ONTEC AG: https://www.ontec.at/datenschutzerklaerung/  

• Synexys GmbH: https://synexus.de/impressumdatenschutz/  

We also work with:  

• Amplitude: https://amplitude.com/privacy  

• Atlassian: https://www.atlassian.com/legal/privacy-policy  

• DHL: https://www.dhl.com/global-en/home/footer/global-privacy-notice.html  

• Elastic: https://www.elastic.co/security-and-compliance  

• Freshworks: https://www.freshworks.com/privacy/ 

• Funk Zander & Partner GmbH: https://lohnabrechnung-aktuell.de/datenschutzerklaerung/  

• Gather Town: https://www.gather.town/privacy-policy  

• Google Analytics: https://marketingplatform.google.com/about/analytics/terms/us/  

• Greenhouse: https://www.greenhouse.io/de/privacy-policy  

• Lawpilots: https://www.lawpilots.com/legalnotice/  

• Leapsome: https://www.leapsome.com/privacy  

• Mail Chimp: https://mailchimp.com/legal/privacy/  

• Maxmind, Inc.: https://www.maxmind.com/en/privacy-policy  

• Microsoft: https://privacy.microsoft.com/en-us/privacystatement/  

• Miro Realtime Board: https://miro.com/legal/privacy-policy/  

• Robin Data GmbH: https://www.robin-data.io/datenschutzerklaerung  

• Rydoo: https://www.rydoo.com/privacy/    

• Sage: https://www.sage.com/en-gb/legal/privacy-and-cookies/  

• Sign in App: https://signinapp.com/privacy-policy/  

• Smartlys, Inc. (Bonusly): https://bonus.ly/privacy_policy  

• Survey Monkey: https://www.surveymonkey.com/mp/legal/privacy/  

• Virtimo AG: https://www.virtimo.de/en/privacy-policy/  

• Wonder: https://www.wonder.me/gdpr  

• Youtube: https://www.youtube.com/static?template=terms  

Public authorities:  

We may share your public information to public authorities to fulfil legal obligations. Some of this public authority include, but are not limited to:   

• Agency for the Cooperation of Energy Regulators (ACER): To fulfil the report obligations established in the Regulation on the Wholesale Energy Market Integrity and Transparency (REMIT) 

• Allgemeine Ortskrankenkasse (AOK) 

• Bundesagentur für Arbeit  

• Data Protection Authorities 

• Finanzamt 

• HDI Versicherungen   

• National Regulatory Authorities (NRAs): To enable their investigatory functions in the context of e. g. REMIT 

• R+V Versicherung AG  

In some cases, we would transfer your personal data to third countries (countries that are not a member of the EU) as a consequence of contractual relationships between PRISMA and our service providers. 

However, at PRISMA we make sure to establish contractual relationships with only service providers that offer a degree or protection of personal data approved by the EU or with service providers who are declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’). 

In this sense, we potentially transfer your personal data to other EU countries and countries recognized by the EU as having a high degree of personal data protection. In exceptional cases, we will ONLY consider transferring your personal data to countries that do not fall within the previous categories if they provide guarantees and appropriate safeguards for the lawful processing of your personal data, such as signing a data protection agreement with us where the standard contractual clauses approved by the European Commission are incorporated. 

At PRISMA we know you have the right to be forgotten. At the same time, we are aware of other legal responsibilities that derive from a contractual relationship between your company and ours. That is why we have designed an erasure concept that balances your data protection rights with legal obligations in line with tax, civil and commercial, regulatory, corporate, employment and criminal law. We erase your personal information at the end of the retention period allowed or required by those laws. However, in the case of our platform users, it is the responsibility of the Network Users, as controllers of the Users’ information, to delete their registration information upon termination or cessation of use of the platform. 

The personal data erasure concept designed by PRISMA is the following: 

• Personal data of shareholders (ID Data): deleted after 10 years, unless financial year tax evaluation has not yet been completed. 

• Personal data of employees: deleted 10 years after the conclusion of the employment contract unless financial year tax evaluation has not yet been completed. 

• Personal data of job applicants: deleted after one year upon recruitment process termination. If we require to keep your personal data longer and include it in our talent pool, we will request for your consent. 

• Personal data of platform users (ID Data): upon platform usage contract termination, unless there is a compelling reason to keep it. 

• Personal data in the platform archives: anonymized after 10 years. 

• Audios and videos: upon request unless there are a legitimate interest to keep it. 

To ensure the safety of personal data, we have implemented, among others, the following organizational and IT measures: 

• Annual trainings: to make sure that every employee of PRISMA understands their data protection responsibilities; 

• Data Protection Software: to possess a data protection management system and document the legal data protection requirements online, digitally and securely; 

• Internal procurement management: to check the GDPR compliance of all new service providers we acquire; 

• Contract management: to ensure contracts with service providers that offer accurate protection of personal data; 

• ISO 27001 certification: to ensure mechanisms in place to safeguard sensitive data and information;  

• On-Premises security measures: to make sure that no malicious entity can have access to the data you entrust with us; 

• Restricted access to documentation: to strictly ensure that the individuals who do not need to have access to your personal data do not have access to it; 

• Confidentiality clauses: to ensure that our employees and subcontractors keep your personal information confidential; 

• Risk assessment: to ensure risk-based strategy when it comes to data protection; 

• Virus scans and firewalls: to review and identify technological threats that could affect our information; 

• Data backup and data restoration: to prevent that your personal data gets lost; 

• Tests and audits: to verify security measures; 

• Automated security tests: to ensure that each software release is subject to constant adjustments to new hazards. Each year, the Company performs a comprehensive penetration test for this purpose.

Our Company would like to make sure you are fully aware of all your data protection rights. Every data subject is entitled to the following: 

• The right to access – You have the right to request Our Company for copies of your personal data.  

• The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete the information you believe is incomplete. 

• The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions. 

• The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions. 

• The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions. 

• The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions. 

If you want to exercise any of your data protection rights, you can send an email to our data protection officer Falk Porzig on the following email: dataprotection@prisma-capacity.eu or call him at: +49 341 22 229 030. We are ready to process your request and keep you informed in a timely manner.  

Should you wish to report a complaint, or you feel that PRISMA has not addressed your concern in a satisfactory manner, you may also contact the Information Commissioner’s Office: https://www.saechsdsb.de/impressum-datenschutzerklaerung