of
Kiwigrid GmbH
Kleiststraße 10 a-c
01129 Dresden
- hereinafter referred to as “Kiwigrid” -
As of: October 1, 2023
1. Preamble
Kiwigrid employees rethink energy systems and create energy services for a decentralized, digital energy world. To this end, Kiwigrid develops and operates a pioneering IoT platform with maximum modularity, interoperability, security, and scalability.
Kiwigrid is aware of the high importance of the issues of data security and data protection and has therefore established a data protection and information security management system. A Data Protection and Information Security Team has been established to plan, implement, evaluate, and make adjustments to measures in the area of data protection and data security. The team consists of the Data Protection Officer, the Information Security Officer, the Director Engineering Center, the IT Administrator, the Quality Management Officer, and software engineers.
Kiwigrid works according to the requirements of DIN EN ISO 9001:2015; DIN EN ISO 27001:2013, the requirements of the Common Criteria for the development of the SMGW product, occupational safety regulations, and data protection in accordance with the EU General Data Protection Regulation (GDPR). This has been certified for our management system in accordance with TÜV PROFiCERT to ISO/IEC 27001:2013 and to DIN EN ISO 9001:2015. The respective certificates can be presented on request.
2. Objectives in the company
The objectives and principles are documented in our binding data protection management manual, which provides a complete overview of all Kiwigrid’s data protection regulations and processes and is a guide for employees regarding the handling of personal data. The most important points are summarized below.
2.1. Objectives
|
Protection objectives |
Internal requirements |
|
Confidentiality |
Personal data must be protected from unauthorized knowledge. |
|
Availability |
Personal data and procedures for processing it must be available in a timely manner and processing must be correct at all times. |
|
Transparency |
Collection, processing using procedures for personal data, and use must be traceable, verifiable, and assessable with reasonable effort |
|
Auditability |
It must be possible to track the development, use, maintenance, administration, and application of the procedures for and processing of personal data. |
|
Integrity |
Personal data must remain intact, complete, and up-to-date during processing. |
|
Authenticity |
It must be possible to assign personal data to its origin. |
Our aim is to regulate the protection of personal data in accordance with the legally applicable regulations and to guarantee the confidentiality, integrity, availability, and authenticity of data at every stage of information processing. This is done by: implementing data protection in the company in compliance with the provisions of data protection law and/or implementing the provisions of the GDPR/BDSG by setting up suitable technical and organizational measures and procedures and by continuously monitoring compliance with the rules and regulations on data protection and data security.
3. Principles of collection, processing, and use of personal data
The scope and use of personal data for Kiwigrid are based primarily on the regulations of the GDPR, in particular Art. 5 GDPR, the Federal Data Protection Act (new version), and other data protection regulations at European, federal, and state level.
The GDPR, like other data protection standards, is based on the following fundamental rules that guarantee the right to self-determination in relation to information:
- the preventive prohibition principle, i.e. handling personal data is generally prohibited unless there is legal permission or the consent of the user has been obtained
- purpose limitation, i.e. data may only be processed for the purpose for which it has been collected
- transparency (right to information, notification, and disclosure)
- the principles of data minimization and data economy
- the existence of rights of correction (rectification, blocking, erasure, and objection)
- data backup (protection against loss, sabotage, unauthorized access)
- storage limitation
- resilience of the systems and services
- implementation of controls (internal/external)
3.1. Legal basis
The permissibility of the collection, processing, and use of personal data is governed by the central provision of Art. 6 GDPR. Regardless of the process used, this relates specifically to:
- storing, collecting, recording, or retaining personal data on a data carrier for the purpose of further processing or use
- modification, i.e. alteration of the content of stored personal data
- transmission, i.e. the disclosure of stored personal data or personal data obtained through data processing to a third party in such a way that
- the data is passed on to the third party or
- the third party can inspect or retrieve data held for inspection or retrieval
- blocking; specifically in advance: marking of stored personal data for restriction of further processing or use
- erasure, i.e. making stored personal data unrecognizable
- use is any use of personal data, from simple consultation by employees of the controller to active use
Processing of customer data as a means of fulfilling our own business purposes is permitted:
- if it is necessary for the establishment, performance, or termination of a legal or quasi-legal obligation in relation to the data subject,
- insofar as it is necessary to protect the legitimate interests of the controller and there is no reason to assume that the data subject’s legitimate interests in preventing the processing or use take precedence, or
- if the data is generally accessible or the data controller would be permitted to publish it unless the data subject’s legitimate interest in preventing the processing or use clearly outweighs the legitimate interests of the controller.
3.2. Purpose limitation and special personal data
Personal data is processed exclusively for the aforementioned purposes. When collecting personal data, the purposes for which the data is to be processed or used must be specified.
Special categories of personal data (Art. 9(1) GDPR, i.e. information about racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health or sex life) are generally not processed automatically by Kiwigrid, unless this is required by mandatory legal regulations (e.g. to comply with labor and/or tax law) or if there is separate consent of the data subject pursuant to Art. 9(2) point (a) GDPR.
3.3. Possible recipients of data
The Customer’s data may be disclosed to the following third parties on presentation of a legal authorization:
- Public authorities, provided that overriding legal provisions or permissions exist (e.g. investigative authorities, financial authorities, social insurance institutions, etc.),
- Contractors, in particular commissioned data processors pursuant to Art. 28 GDPR,
- External bodies, service providers, and internal departments to fulfill the processing purpose
3.4. Upholding the rights of data subjects
According to the law, every data subject is entitled to the following rights:
- Right of access, Art. 15 GDPR
- Right of rectification and erasure, Art. 16 and 17 GDPR (“The right to be forgotten”)
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right of objection in the event of processing without consent for the protection of legitimate interests, Art. 21 GDPR
- Right to be unaffected by legally binding decisions based on automated data processes, Art. 22 GDPR
These must be taken into account to an adequate extent in consultation with the Data Protection Officer and complied with promptly.
3.5. Privacy by design, privacy by default
Art. 25 GDPR requires data protection through technological design and data protection-compliant default settings by means of structural (technical and organizational) measures when designing and setting up data processing procedures.
Kiwigrid implements these requirements throughout the development phase and on to the finished product and during the acquisition/setup of software.
3.6. Avoidance of breaches of the law and resulting consequences
Kiwigrid attaches importance to ensuring that employees and/or third parties working for it are sufficiently well-informed about the provisions relevant to data protection and are trained in this area at regular intervals.
In addition to the explicit data protection regulations included in employment contracts and provisions regarding maintaining confidentiality, Kiwigrid employees are made aware of the importance of maintaining data protection and data security in their practical work. Persons employed in data processing are prohibited from collecting, processing, or using personal data without authorization (data secrecy).
All employees are obliged to maintain confidentiality and observe data protection; employees with administrative duties are additionally obliged to maintain telecommunications secrecy. The requirement to maintain data secrecy shall continue to exist even after termination of employment.
In the event of a personal data breach, notification obligations in relation to the supervisory authority shall be fulfilled and the controller and data subjects shall be notified in accordance with Art. 33, 34 GDPR. Appropriate reporting processes have been set up for this purpose and a response plan has been established.
3.7. Erasure of data
Data shall be erased promptly, provided that such a request is received by Kiwigrid and is legitimate under the applicable provisions, in accordance with the requirements of Art. 17(1) GDPR.
If legal, statutory, or contractual retention periods prevent erasure, processing shall be restricted instead of erasure, in accordance with Art. 18 GDPR. Relevant retention periods result in particular from the following regulations:
- Retention period: 10 or 6 years (Section 147(3) of the German Tax Code (AO), Section 14 b of the Value Added Tax Act (UStG) and Section 257(4) of the Commercial Code (HGB))
- Retention period: for the period specified by contractual agreement and other regulations (e.g. Section 8 of the German Money Laundering Act (GwG))
- Retention period: essentially 3 years (Section 195 BGB)
- Personal data shall also be blocked if its accuracy is lawfully and demonstrably disputed by the data subject, Art. 18(1) point (a) GDPR.
4. IT and data security regulations
Information processing and data protection play a key role in Kiwigrid’s fulfillment of its mission. All essential strategic and operational functions and tasks are supported to a significant extent by information technology (IT). It must be possible to compensate for a system failure in the short term.
All Kiwigrid employees comply with the relevant legislation (e.g. Criminal Code, Telecommunications Act, Commercial Code, Social Code, laws and regulations on data protection) and contractual regulations. Negative financial and immaterial consequences for the Customer and for employees due to breaches of the law must be avoided. All employees and management are aware of their responsibilities when dealing with services and support the security strategy to the best of their abilities.
Kiwigrid policies in the following areas are binding on all employees:
- IT Information Security Policy
- Handling of information security incidents (incl. data security incidents), emergency management
- Physical and electronic access control, security areas, visitor regulations
- Information classification, communication
- Risk assessment methodology
- Secure passwords
- Working from home
- Clean desk
- Onboarding and offboarding of employees
- Cryptographic requirements
- Secure development
- Software/Tool owner whitelist
- Safe disposal or reuse of equipment
5. Technical and organizational measures
According to Art. 32 GDPR, appropriate technical and organizational measures must be implemented for the processing of personal data, which take into account the state of the art, the implementation costs, and the risk to the rights and freedoms of data subjects, while ensuring an adequate level of protection.
Kiwigrid’s data security management is integrated into its information and IT security management. The information security measures from the ISO/IEC 27001 catalog also serve to protect personal data. Data security measures shall be taken on the basis of a risk assessment. An overview and detailed description of the technical and organizational measures taken by Kiwigrid can be provided on request.
6. Directory of processing activities
Kiwigrid maintains a register of all processing activities in accordance with Article 30(1) GDPR to meet its obligation under Article 30(5) GDPR.
7. External service providers
Kiwigrid sometimes uses carefully selected external service providers to carry out work for it. This relates in particular to the areas of data processing and IT infrastructure, which means that customer-specific applications are also affected. Contractual arrangements have been or shall be made in writing with the relevant service providers. Kiwigrid obliges its service providers to maintain data secrecy and confidentiality.
If the data processing is commissioned data processing, the Parties shall conclude a separate agreement pursuant to Art. 28 GDPR.
8. Processing of (personal) data in third countries
In addition to Section 7, Kiwigrid also makes some use of services provided by service providers located in third countries. Kiwigrid is entitled to transfer the data to selected service providers and have it processed there in order to fulfill its tasks. The service providers are carefully selected by Kiwigrid and work according to European data protection standards.
In order to ensure that the processing of personal data is carried out in accordance with the applicable data protection regulations, Kiwigrid undertakes to conclude a commissioned processing agreement with the service provider in accordance with Art. 28 GDPR in conjunction with the standard contractual clauses for the transfer of personal data to third countries of the European Commission.
9. Continuous improvement of the data protection management system
We continuously develop our data protection management system to ensure ongoing improvement in the protection of personal data at Kiwigrid. Regular audits are carried out, employees’ awareness is raised, measures taken are reviewed, and all relevant documents are checked to ensure that they are necessary, appropriate, and up to date.
In order to align our data protection management with the applicable legal requirements and to continuously improve it, our data protection information may change from time to time. We provide information about significant changes on our relevant channels.
10. Responsibilities
Data protection and the security of information technology systems impose fundamental, company-related requirements on daily operations. The Executive Board and its key management personnel are directly responsible for this:
|
Kiwigrid GmbH business located in 01129 Dresden, Germany, Kleiststraße 10 a-c Tel.: +49 351 50 1950 0 Fax: +49 351 50 1950 101 |
Chief Executive Officer (CEO): Frank Schlichting Chief Finance Officer (CFO): Janek Schuffenhauer |
|
|
Services |
Employees of the following departments are available as contact persons for our customers for administrative, performance-related, and financial matters:
|
|
|
Sales |
Team Lead Sales |
|
|
Operational Data Protection |
Data Protection Officer |
|
|
Information Security Officer |
Data Protection Officer |
|
|
IT Risk Management |
IT Risk Officer |
|
|
Quality Management |
Quality Management Officer |