Dear PRISMA users, visitors, guests and stakeholders,
at PRISMA we adhere to the EU General Data Protection Regulation (GDPR).
We are PRISMA European Capacity Platform GmbH, a company registered with the District Court of Leipzig (commercial register number: HRB 21361, VAT ID: DE 241 646 520). Our registered office is at Reichsstraße 1-9, 04109 Leipzig, Germany. Our managing director is Dr. Götz Lincke.
Customers, platform users, employees, applicants to the job positions offered by PRISMA, service providers and shareholder representatives. Occasionally, and after obtaining consent, we process pictures of employees and people who attend our events.
Personal data are data which contain individual information on personal or factual circumstances, for instance name, address, e-mail address, telephone number, date of birth, age, sex, social security number, video footage, photos and voice recordings of persons. Special categories of data, such as health data or data regarding criminal proceedings, may also be covered.
We may process your personal data (which we have received either directly from you or from somewhere else) if:
- you are our prospective customer, customer, supplier or service provider;
- you use our platform or otherwise use our services;
- you work for a customer, supplier or service provider of ours, or for someone who uses our platform or otherwise uses our services;
- you are a shareholder representative;
- you are an employee of PRISMA or an applicant for a position offered by PRISMA.
Personal data relating to you that we may process includes:
- “Identity data” including first name, last name, username or similar identifier, date of birth, gender, your job function, your employer or department (if you are a PRISMA employee we may process additional data such as maiden name, marital status, title);
- “Contact data” including billing address, postal address, email address and telephone numbers;
- “Transaction data” including details about payments to and from you and other details of services you have received from us (if you are a PRISMA employee we may process additional data such as bank account and other payment method details);
- “Technical data” including:
  - Your username and password.
  - If you have given your consent thereto: your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit to our website/platform, such as the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), services viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling and clicks).
You directly provide us with data when you:
- register at our platform as User administrator or User;
- enter into a service contract;
- enter into a contract with PRISMA as a freelancer;
- enter into a REMIT Reporting agreement, subscribe to our Inside Information Platform or any other additional service provided by PRISMA;
- subscribe to receive our newsletters;
- apply for a job at PRISMA;
- share your business or personal information with us, e. g. via email, telephone or voice over IP calls;
- share your business or personal information with us, e. g. via letters, notices, business cards, information sheets or any other paper-based communication methods;
- attend a PRISMA organized online webinar or meeting;
- contact our Customer Success Team;
- attend one of our events.
Personal data which is not collected directly from you may be collected from:
- your employer in connection with your job and how it relates to us; or
- governmental bodies, regulators, institutions, courts or any other similar bodies.
We could also obtain your personal information via Cookies. Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our website, we may collect information from you automatically through cookies.
We will only process personal data if we have a lawful reason to do so. The legal basis for processing personal data by us will be one of the following:
- processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
- processing is necessary in order for us to comply with our legal obligations;
- processing is necessary for the pursuit of our legitimate business interests;
- data subject (you) has given consent to the processing of personal data for one or more specific purposes (“consent”).
At PRISMA we neither sell nor lease any personal data. Furthermore, we DO NOT perform any type of automated decision-making based on your personal data.
The contractual obligations on the basis of which we may process the personal data include, for instance:
- PRISMA’s General Terms and Conditions (GTCs) & PRISMA’s Platform Usage Conditions (PUCs) for use of the PRISMA Capacity Platform. This includes processing personal data of our platform users to enable registration in our platform and the booking and trading of gas capacities and participation in the demand aggregation and joint tendering platform of the EU. The processing of our users' personal data also enables us to monitor the proper functioning of our platform and to provide appropriate service management;
- PRISMA’s service contracts for the development and operation of an electronic platform for gas infrastructure operators for the allocation of capacities (primary capacity platform), for the trading of capacities (secondary capacity platform) and for related services, such as the marketing of gas storage capacities;
- REMIT Reporting Contracts to fulfil the delegated obligation of allowing Network Users to report their relevant trade data to the relevant recipients;
- Inside Information Platform (IIP) Contracts to enable Network Users that hold a valid Platform Service Contract with PRISMA to fulfill their obligation of publishing their inside information in an effective and timely manner;
- Automated Shipper Connection and Application Program Interface (API) Contracts to connect the contract management of Network Users to the PRISMA Platform and provide secure and reliable data exchange of relevant trade information;
- Contracts with Service Providers: We process the personal data of the representatives of service providers to evaluate offers, fulfil the contract and enable the provision of the service;
- Employment Contracts;
- Any other (pre-)contractual, business, or corporate relation or contact with PRISMA.
Other legitimate business interests on the basis of which we may process the personal data in this regard include:
- Customer Care: We resolve enquiries and solve tickets to improve our customers’ experience on our platform and optimize our service.
- Newsletters about Contractual and/or Technical Updates: We process personal data of customers and prospects to provide technical updates relating to improvements and/or enhancements of the functionalities offered, as well as changes in related legislation, where such changes are relevant to the usage of the platform.
- Job applications: We process personal data of applicants to evaluate their job applications. We keep their personal information for longer than legally allowed only after obtaining their consent.
Based on your consent we may process the personal data related to:
- General information Newsletters: We process personal data of customers and other data subjects interested in our services if they have expressly consented to receive our Newsletter. In our Newsletter, PRISMA Insights, we inform recipients about our future projects, events and general news about our company and the gas market. You can unsubscribe from our newsletter at any time via a link included in each issue. We will then delete your e-mail address from our distribution list. Alternatively, you can unsubscribe from the newsletter at any time by e-mail to email@example.com or firstname.lastname@example.org.
We may share your personal data with service providers who assist us in providing our core service. We only work with service providers who lawfully process your personal data. To ensure that they have high standards for the protection of personal data, we have established a contract management system that allows us to evaluate the processing activities of service providers and their commitment to the protection of personal data. We also maintain ongoing communication with our service providers.
Our main service providers and their privacy policies are:
- Amazon Web Services: https://aws.amazon.com/privacy/
- Boldare: https://www.boldare.com/privacy-policy/
- BTC AG: https://group.btc-ag.com/privacy-statement
- ONTEC AG: https://www.ontec.at/datenschutzerklaerung/
- Synexys GmbH: https://synexus.de/impressumdatenschutz/
We also work with:
- Atlassian: https://www.atlassian.com/legal/privacy-policy
- Calendly: https://calendly.com/privacy
- DHL: https://www.dhl.com/global-en/home/footer/global-privacy-notice.html
- DocuSign: https://www.docusign.com/company/privacy-policy
- Elastic: https://www.elastic.co/security-and-compliance
- Freshworks: https://www.freshworks.com/privacy/
- Funk Zander & Partner GmbH: https://lohnabrechnung-aktuell.de/datenschutzerklaerung/
- Google Analytics: https://policies.google.com/privacy?hl=en
- Greenhouse: https://www.greenhouse.io/de/privacy-policy
- Languagetool: https://languagetool.org/legal/privacy?force_language=1#:~:text=%20Privacy%20Policy%20%201%20We%20don%27t%20store,undetected%20errors%2C%20we%20store%20that%20feedback.%20More%20
- Leapsome: https://www.leapsome.com/privacy
- Microsoft: https://privacy.microsoft.com/en-us/privacystatement/
- Miro Realtime Board: https://miro.com/legal/privacy-policy/
- Personio: https://www.personio.com/privacy-policy/
- Robin Data GmbH: https://www.robin-data.io/datenschutzerklaerung
- Rydoo: https://www.rydoo.com/privacy/
- Sage: https://www.sage.com/en-gb/legal/privacy-and-cookies/
- Sign in App: https://signinapp.com/privacy-policy/
- Survey Monkey: https://www.surveymonkey.com/mp/legal/privacy/
- Testdome: https://www.testdome.com/legal/privacy-policy
- Virtimo AG: https://www.virtimo.de/en/privacy-policy/
- Workflex: https://www.getworkflex.com/de/policy
- Insurance companies.
We may disclose your personal information to public authorities in order to comply with legal obligations. Some of these authorities include, but are not limited to:
- Agency for the Cooperation of Energy Regulators (ACER) – to fulfil the report obligations established in the Regulation on the Wholesale Energy Market Integrity and Transparency (REMIT);
- Bundesagentur für Arbeit;
- Data Protection Authorities;
- National Regulatory Authorities (NRAs) – to enable their investigatory functions in the context of e. g. REMIT;
- Directorate-General for Energy of the European Commission – for AggregateEU-service, to fulfil the transparency and information exchange obligations established in the Council Regulation (EU) 2022/2576 enhancing solidarity through better coordination of gas purchases, reliable price benchmarks and exchanges of gas across borders.
We may also share personal information about our customers if required to do so by a competent authority.
Finally, we may also share the personal information we collect after we have received your explicit consent.
In some cases, we may transfer your personal data to third countries (countries that are not a member of the EU) as a consequence of contractual relationships between PRISMA and our service providers.
However, at PRISMA we make sure to establish contractual relationships only with service providers that offer an EU-approved level of protection of personal data or with service providers who have been declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’).
In this sense, we may transfer your personal data to other EU countries and countries recognized by the EU as providing a high degree of personal data protection. In exceptional cases, we might consider transferring your personal data to countries that do not fall within the previous categories ONLY if they provide guarantees and appropriate safeguards for the lawful processing of your personal data, such as signing with us a data protection agreement incorporating the standard contractual clauses approved by the European Commission.
At PRISMA we value your “right to be forgotten”. At the same time, we are aware of other legal obligations arising from a contractual relationship between your company and PRISMA.
For this reason, we have developed an erasure concept that balances your data protection rights with legal obligations in accordance with tax, civil, commercial, regulatory, corporate, labor and criminal law.
We erase your personal data at the expiry of the retention period permitted or required by applicable law. However, with respect to our platform users, the Network Users, as controllers of users' information, are responsible for deleting their registration information upon termination or cessation of use of the platform.
To ensure the safety of personal data, we have implemented corresponding organizational and IT measures, among others:
- Onboarding & annual trainings: to make sure that every PRISMA employee understands their data protection responsibilities;
- Data Protection Software: to possess a data protection management system and to document the legal data protection requirements online, digitally and securely;
- Internal procurement management: to check the GDPR compliance of all new service providers we acquire;
- Contract management: to ensure contracts with service providers offer appropriate protection of personal data;
- Password policies: to enhance computer security by encouraging employees to use strong passwords and use them properly;
- ISO 27001 certification: to ensure mechanisms are in place for safeguarding sensitive data and information;
- On-site security measures: to make sure that no malicious entity can gain access to the data you have entrusted to us;
- Restricted access to documentation: to strictly ensure that the individuals who do not need to have access to your personal data do not have access to it;
- Confidentiality clauses: to ensure that our employees and subcontractors keep your personal information confidential;
- Risk assessment: to ensure a risk-based strategy when it comes to data protection;
- Virus scans and firewalls: to review and identify technological threats that could affect our information;
- Data backup and data restoration: to prevent your personal data from being lost;
- Tests and audits: to verify security measures;
- Automated security tests: to ensure that each software release is subject to constant adjustments to new hazards. To this end, PRISMA regularly performs a comprehensive penetration test.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
PRISMA would like to make you aware that within the framework of the applicable regulations, you have the following data protection rights:
- Right to access – You have the right to know what personal information we hold about you, why and how we are using it, who we are sharing it with, where we got your data from as well as to ask us for copies of your personal data.
- Right to rectification – You have the right to request that we correct your personal information you believe is inaccurate. Taking into account the purposes of the processing, you also have the right to ask us to complete information you believe is incomplete.
- Right to erasure – You have the right to request that we erase your personal data if the conditions set out in Article 17 GDPR are met. Accordingly, you may opt to have your personal data deleted if, for example, it is no longer necessary for the purposes for which it was collected. You can also request deletion if we process your personal data on the basis of your consent and you revoke this consent.
- Right to restrict processing – You have the right to request that we restrict the processing of your personal data if the requirements of Article 18 GDPR are met (e.g. while we verify or investigate your concerns in relation to that personal data).
- Right to object to processing – If the requirements of Article 21 GDPR are met, you have the right to object to processing of your personal data.
- Right to withdrawal – Where the processing of your personal data by us is based on consent, you have the right to withdraw that consent at any time and free of charge, with effect for the future. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of our services.
- Right to data portability – You have the right to request that we transfer the personal information you gave us from one organization to another, or give it to you in a commonly used, machine readable format.
Please note that the set of rights you have may depend on the basis for processing your data.
You can exercise the rights listed above at any time by contacting us at: email@example.com or calling our Data Protection Officer at: +49 341 22 229 030.
What we may need to process your request
We may need to ask you for specific information to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to facilitate our response.
Time limit for reply
We endeavour to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Should you wish to lodge a complaint about our processing of your personal data or you feel that PRISMA has not addressed your concern in a satisfactory manner, you may also contact the Information Commissioner's Office: https://www.saechsdsb.de/impressum-datenschutzerklaerung