This privacy notice describes how Plugsurfing GmbH processes your personal data. The notice applies when you use our products and services or otherwise interact with us.
We may give you additional product or service-specific privacy information in the service or product-specific terms, privacy supplements or other notices you may see while using our product or service.
Who is the data controller?
The data controller is Plugsurfing GmbH, Weserstraße 175, 12045 Berlin, Germany (hereinafter “Plugsurfing”).
How does Plugsurfing process your personal data?
What kind of data does Plugsurfing process?
Plugsurfing collects and processes personal data that is necessary for the relationship you have with us and the purposes for which the data are used. Plugsurfing collects the following personal data categories.
- Permission data – such as marketing permissions;
- Preference data – such as contract type, contact language; payment method; pricing type;
- Security data – such as passwords, security incident information;
- Technical data – such as technical data of customer consumption point;
- Transactional detail data – such as invoicing details;
- Financial data – such as credit card number, bank account information;
- Identifying data – such as name; RFID key number
- Behavioral data – such as customer profiling and other information derived from your use of our services; login details;
- Communications – such as your answers to surveys and other feedback and communications you send us;
- Data on your use of our service – such as energy/ electricity consumption data;
- Computer device data – such as IP address, cookie data;
- Contact data – such as email address; telephone number; billing address; delivery address for RFID keys e.g.
- Contract data – such as payment terms
What sources are the personal data obtained from?
The processed personal data include data that are received from you at the time of the order, at the time of joining our service, or during the customer relationship. We also receive observed data from your use of our devices and services. Plugsurfing may also process derived data which have been derived from or concluded based on the received data.
Third parties, such as marketing partners, car manufacturers, charging point operators, e-mobility service providers and other data providers.
Group companies, which share information for purposes mentioned below.
What are the purposes for processing personal data?
We process personal data only for predefined purposes. The purposes for which we process personal data are:
- Customer relationship management (e.g sending of contract related notifications, product or service related notifications or updates, customer guidance)
- Contract and product management
- Providing, managing and maintaining the service (e.g. end-user license management, investigating and fixing technical issues)
- Identification of data subjects
- Suspension of provided services
- Receipt and transaction information storing
- Contract and invoice archiving
- Delivering goods and services, including returns’ management
- Complaint and dispute management, including compensation demands
- Transferring personal data (to include transfers and disclosures)
- Profiling, segmentation, and direct marketing (for existing and prospective customers)
- Sales and Marketing (including e.g. organizing seminars)
- Billing and debt collection
- Refunds of payments to customers
- Internal reporting
- Establishment, exercise or defense of legal claims
- Partner reporting
- Product and service development, including feedback and surveys
- Customer satisfaction surveys
- Vendor communications
- Fraud protection
On what legal basis do we process your personal data?
In order for us to be able to process your personal data, we rely on different legal bases, including:
- Your consent. If we rely on your consent as a legal basis for the processing of your data, you may withdraw your consent at any time;
- The necessity to establish a contractual relationship with you and to perform our contractual obligations;
- The necessity for us to comply with a legal obligation (for instance, we are required by law to store certain data for a specific period of time) and to establish, exercise, or defend Plugsurfing against legal claims;
- The necessity to pursue our legitimate interests, including:
- Internal reporting
- Partner reporting
- Product and service development including feedback and surveys
- Transferring personal data (to include transfers and disclosures)
- Compensation demands
- Customer profiling or segmentation
- Direct marketing for existing and prospective customers
- Debt collection
- The necessity to protect the vital interests of any person;
We may make decisions about you through automated decision making. Such as automated tracking of your potential debt to Plugsurfing from previous unpaid use of our services.
Our automated decision-making procedures may affect your ability to use our services. We may need to do this either to perform our legal obligations or because it is necessary to enter into, or the performance of, a contract between you and us. This means, that if we have outstanding invoices, we may deactivate your account until the bill is paid.
If we have made a decision about you solely on the basis of an automated process (e.g. through automatic profiling) and that affects your ability to use the services or has another significant effect on you, you can ask to not to be subject to such a decision unless we can demonstrate to you that such a decision is necessary for entering into, or the performance of, a contract between you and us.
How long do we store personal data?
Plugsurfing seeks to limit the period for which the personal data are stored to a minimum. Thus, Plugsurfing processes your personal data only to the extent and as long as is necessary to meet the purposes of the data processing.
The specific retention periods may be different depending on the categories of data. As a general rule, your personal data are stored for the duration of the customer relationship as well as for a period of three (3) years from the end of the customer relationship. Whereas e.g. information about transactions will be kept for at least ten (10) years on a legal basis. Plugsurfing sets out and regularly re-evaluates data type specific retention periods for the personal data it holds. Once personal data is no longer necessary, Plugsurfing will delete it or anonymize it as soon as possible.
Who processes your personal data?
Principally, we do not sell, trade or license any personal data to third parties. Companies belonging to the same group of companies may process personal data in accordance with existing privacy laws. Personal data may be disclosed to our authorized employees or affiliates to the extent necessary for the purpose of processing. The data will never be available to all employees but to a limited number of authorized persons. We also use third parties as our data processors to help us develop, deliver and maintain our product and services, and fulfil our other purposes as defined in this privacy notice. When a third party processes personal data on our behalf, we always ensure via contractual arrangements that the processing of personal data is always conducted safely and in accordance with privacy laws and data processing best practices.
List of categories of such data processors:
- Service providers, such as printing services, installation partners, customer service providers
- Sales and marketing partners
- Payment Service Providers
- Cloud Service Providers
- Charger Manufacturers
- Roaming platform providers
- IT service providers and Consultancies (e.g. developers, designers, and testers)
- Service and maintenance partners (e.g. HW repair and maintenance)
- Charger Cloud systems providers
- Invoicing and debt collection service and system providers
- Data hosting system providers (e.g. Amazon Web Services)
- Warehouse service and management system providers
- Software and tool providers (e.g. for software development, business analytics, sales, marketing, work order management, customer relationship management, online conferencing and communication)
- Operational companies such as the post office or delivery couriers
- Research companies (for e.g. conducting customer satisfaction or product and service development surveys)
- Telecommunications system providers
In addition, personal data may be disclosed to authorities when we are required to do so by law, based on demands made by competent authorities in accordance with existing privacy laws.
Does Plugsurfing transfer personal data to third countries?
Principally, Plugsurfing does not transfer personal data outside the European Union or the European Economic Area (EEA). However, if personal data is transferred outside the EU or the EEA, Plugsurfing uses appropriate safeguards in accordance with existing privacy legislation, such as the standard contractual clauses provided by the European Commission.
How does Plugsurfing protect personal data?
Plugsurfing fulfils the necessary technical and organizational measures, which ensure and demonstrate that privacy laws are being followed in the processing of personal data.
These measures include the use of Identity and Access Management systems to ensure that only authorized persons have access to personal data, the use of firewalls, IP filtering, multi-factor authentication, pseudonymisation and encryption of data, detailed instructions and training for personnel on protection of personal data and careful consideration when selecting our service providers that are involved in the processing of personal data on our behalf.
How do we handle personal data from IP addresses, cookies, and similar technologies
Cookies used on websites
When you use our services or visit our websites, Plugsurfing can collect data about your devices through cookies and other tracking techniques.
Cookies are a small text file that we use to Identify and count the browsers and devices that visit our websites. This information may then be used by us or third parties for marketing purposes.
The location data of the user’s device may be used to provide services based on the location of the device if the user has given clear consent to the processing of location data.
The user has the right to withdraw the consent at any time by changing appropriate settings on their device.
To whom we share your personal data?
Who can access your personal data?
Where applicable, we may share your personal data with:
Our Group companies may use your personal data for the purposes defined in this notice, based on legitimate interest to the extent permitted by applicable law.
We disclose personal data to our commercial partners to the extent permitted by applicable law. Examples of such situations include:
Your charging identification number is used for identifying you at the charging station when you are charging your car.
Your charging identification number can be used also for invoicing process.
Our commercial partners including for example charging station operators, e-mobility service providers, roaming hubs, car manufacturers, online advertising partners and other commercial partners.
Consent, contract or request
We may share your personal data if we have your consent to do so. We may also share your personal data with a third party when this is required to fulfil our obligations under a contract with you or to fulfil a request by you. As an example, we will disclose your address to the postal, courier or to be able to deliver a charging key or charging card you have ordered.
We use subcontractors to provide services. Such subcontractors may have access to your personal information and are processing it on our behalf but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical service providers that process personal data include for example customer service partners, payment and invoicing partners, and IT software & service providers.
Mergers and acquisitions
If we decide to sell, merge or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.
Authorities, legal proceedings and law
We will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order in connection with a trial or authority process, or as otherwise required or permitted by a law.
What are your rights when it comes to your personal data?
Right of access
You have the right to access your personal data, which means that you have the right to obtain confirmation as to whether or not your personal data are processed and, if so, also receive a copy of the personal data that is processed by Plugsurfing and further information about the processing carried out by Plugsurfing.
Data Portability Right
You are entitled to data transfer, which means that you may, under certain circumstances, have the right to have the personal data transmitted to another controller.
Right to rectification
You are entitled to receive incorrect information about you corrected or supplemented.
Right to erasure
You have the right to have your data erased, if:
- The data are no longer necessary for the purposes for which they are processed
- You withdraw your consent for some treatment and thereafter there is no legal basis for Plugsurfing to process the data
- Your data has been processed illegally
- The processing of your data is not necessary to comply with applicable legal requirements in order to determine, enforce or defend legal claims and/or for archival, research or statistical purpose
Right to withdraw consent
If you have given special consent to a certain treatment, you are always entitled to withdraw your consent.
Right to object to the processing of personal data
When processing is carried out on the basis of the legitimate interests pursued by Plugsurfing or by a third party, you have the right to object at any time to processing of personal data concerning you. Unless Plugsurfing can demonstrate compelling legitimate grounds for the processing, Plugsurfing shall no longer process the personal data.
Right to object to direct marketing – You are entitled to object to the processing of personal data pertaining to you for direct marketing at any time. Then we will no longer process personal data for such purposes.
Right to restriction
You are entitled to limit your data during the time we investigate and check your request.
Right not to be subject to an automated decision
If we have made a decision about you based entirely on an automated process and the decision has legal consequences or otherwise significantly affects you, you may request that the decision be reviewed by us through renewed and individual assessment. This applies if we cannot prove that an automated decision is necessary to conclude or implement an agreement between you and us.
In order to exercise these rights, please do this by email to the following email address: email@example.com
Right to complain to the supervisory authority
You are entitled to complain to the Data Inspection Authority or other competent regulatory authority if you believe that we treat your personal data in violation of applicable data protection legislation.
Changes to our Privacy Notice
We reserve the right to amend this Privacy Notice. Amendments may be necessary due to the development of our services or, for example, changes in the relevant laws. Any changes to our Privacy Notice will be communicated on our website or through our mobile application Plugsurfing. In some cases, we may choose to inform about these changes also by email.
Questions, comments, and requests regarding this privacy notice are welcomed and should be addressed by email to firstname.lastname@example.org or by post to: