Data Protection Statement

Version effective as of January 13th, 2021

With this Data Protection Statement we, greenmatch AG (hereinafter greenmatch), describe how we collect and process personal data. This Data Protection Statement is not necessarily a comprehensive description of our data processing. It is possible that other data-protection statements, General Terms and Conditions, or similar documents shall be applicable to specific circumstances. The term “personal data” in this Data Protection Statement shall refer to any information that identifies, or could reasonably be used to identify any person. If you provide us with personal data of other persons (such as family members or colleagues at work), please make sure the respective persons are aware of this Data Protection Statement and only provide us with their data if you are allowed to do so and such personal data are correct. This Data Protection Statement is in line with the EU General Data Protection Regulation (GDPR). Although the GDPR is a regulation of the European Union (EU), it may be relevant for us. The Swiss Federal Act on Data Protection (FADP) is heavily influenced by the law of the European Union. In addition, companies outside the European Union or the European Economic Area (EEA) have to comply with the GDPR in certain cases.

CONTROLLER

The “controller” of data processing as described in this data-protection statement is greenmatch AG, unless we have informed you differently as may be the case. You can notify us of any concerns related to data protection using the following contact details:

COLLECTION AND PROCESSING OF PERSONAL DATA

We primarily process personal data that we obtain from our clients and other business partners as well as other individuals in the context of our business relationships with them or that we collect from users upon their accessing our websites, apps, and other applications.

Insofar as this shall be permitted, we shall also collect a few data about our business partners from publicly accessible sources (e.g. debt collection and bankruptcy registers, land registers, commercial registers, the press, and the Internet).

In addition to any information about you that you provide directly to us, the categories of personal data that we collect include, but are not limited to, data taken from public registers, data we obtain in connection with official and legal proceedings, data relating to your professional positions and activities (to enable us, e.g., to enter into and process transactions with your employer), information about you gleaned from correspondence and discussions with third parties, credit reports (to the extent that we do business with you personally), and information about you provided to us by persons in your environment (consultants, legal representatives, etc.) so we can negotiate and process agreements and contracts with you (e.g. references, powers of attorney, information on compliance with legal requirements such as anti-money laundering and export restrictions, information on sales and other contractual partners of ours on the use or provision of services by you (e.g. payments made, purchases made, etc.), information gathered from the media and the Internet about you (insofar as this is relevant in a specific case, press reviews, marketing/sales, etc.), your addresses and, if applicable, your interests and other socio-demographic data (for marketing purposes), data in connection with the use of the website (e.g. IP address, MAC address of your smartphone or computer, information about the device/s you use and their settings, cookies, date and time of visit, pages and contents accessed, functions used, referring website, and location data).

PURPOSE OF DATA PROCESSING AND LEGAL GROUNDS

We primarily use the personal data we collect to conclude and process contracts with our clients and business partners, in particular however within the scope of financial structuring and valuation (GM Valuation), sales (GM Marketplace), and long-term financial asset management (GM Asset Controlling) of renewable-energy projects (wind, photovoltaic, hydro, and biomass). If you are working for such a client or business partner as an employee, you – or rather your personal data – may of course also be affected in this capacity.

In addition, in line with applicable law and where appropriate, we may process your personal data and personal data of third parties for the following purposes, which are in our (or, as the case may be, any third parties’) legitimate interest, such as:

1. providing and developing our products, services, websites, apps, and other platforms, on which we are active.
2. review and optimization of procedures regarding an assessment of needs for the purpose of directly approaching clients as well as obtaining personal data from publicly accessible sources for client acquisition.
3. advertisement and marketing (including organizing events), provided that you have not objected to the use of your data for this purpose (if you are part of our client base and receive our advertisement, you may object at any time and we shall block your name against further advertising mailings).
4. asserting legal claims and defence in legal disputes and official proceedings.
5. prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud).
6. ensuring our operation, including our IT, our websites, apps, and other appliances.
7. acquisition and sale of business divisions, companies or parts of companies and other corporate transactions and the transfer of personal data related thereto as well as measures for business management and compliance with legal and regulatory obligations as well as internal regulations of greenmatch AG.

If you have given us your consent to process your personal data for certain purposes (for example when registering to receive newsletters), we will process your personal data within the scope of and based on this consent, unless we have another legal basis, provided that we require one. Consent given can be withdrawn at any time, but this will not affect data processed prior to withdrawal.

COOKIES / TRACKING AND OTHER TECHNIQUES REGARDING THE USE OF OUR WEBSITE

We typically use “cookies” and similar technologies on our websites and for our apps to identify your browser or device. A cookie is a small file that is sent to your computer, or rather, that is automatically stored on your computer or mobile device by the web browser you are using when you visit our website or app. Once you return to this website or use our app, this allows us to recognize you, even if we do not know who you are. In addition to cookies that are merely used during a session and deleted once you leave the website (session cookies), cookies may also be used to store – for a certain period of time (e.g. two years) – user settings and other information (permanent cookies). However, you can set your browser to reject cookies, only save them for the duration of a session, or otherwise delete them prematurely. You can view the cookies we use here.

We also sometimes, and where permitted, integrate visible as well as invisible picture elements into our newsletters and other marketing e-mails, whose retrieval from our servers allows us to determine whether and when you have opened a specific e-mail, so we can measure and better understand how you use our offers and tailor them to you. You may block this function in your e-mail client; most e-mail clients are actually pre-set to do this.

By using our websites and apps and by agreeing to receive newsletters and other marketing e-mails, you automatically consent to the use of these techniques. If you do not wish to do so, you shall have to set your browser or e-mail client accordingly.

Occasionally, we use Google Analytics or similar services on our websites. This service is provided by third parties, who may be located in any country in the world (in the case of Google Analytics, it is Google LLC in the USA, www.google.com), with which we can measure and evaluate the use of the website (on a non-personal basis). Permanent cookies set by the service provider are used for this purpose, too. The service provider will however not receive any personal data from us (nor will it retain any IP addresses), but can track your use of the website, combine this information with data from other websites that you have visited and which are also tracked by the service provider, and then use these findings for its own purposes (e.g. controlling advertising). If you have registered directly with the service provider, the service provider will also know you. Any processing of our personal data by the service provider will then be the responsibility of the service provider in accordance with its own data-protection regulations. The service provider only ever informs us as to how our own website is used (and provides no information about you personally).

In addition, we use so-called plug-ins of social networks such as Twitter, LinkedIn, Xing, and YouTube on our websites. In fact, this will be apparent to you at any one time (typically via the corresponding icons). If you are logged into one or more of these social networks, the operators of the respective social networks will be able to register that you are on our website and can use this information for their own purposes. The processing of your personal data will then be the responsibility of this operator in accordance with its own data-protection regulations. We shall, however, not receive any information about you. Enclosed you will find the data-protection statements of the social networks we use:

• Data Privacy Policy Twitter
• Data Privacy Policy LinkedIn
• Data Privacy Policy Xing
• Data Privacy Policy YouTube/Google

DATA TRANSFER AND TRANSFER OF DATA ABROAD

In the context of our business activities and in line with the purposes of the data processing listed above, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned:

1. our service providers, including processors (such as e.g. IT providers);
2. clients within the framework of our Marketplace offer, which may provide for your contact details to be forwarded to other members of the greenmatch network;
3. domestic and foreign authorities or courts;
4. acquirers or parties interested in the acquisition of business divisions or other parts of greenmatch AG;
5. other parties in possible or pending legal proceedings;

collectively called “the recipients”.

These recipients are partially domestic, but may also be anywhere on the planet. You should, in particular, expect your data to be transferred to all countries where greenmatch AG is represented plus to all other countries in Europe and the USA, where the service providers we use are based (such as Google or LinkedIn). If we transfer data to a country lacking adequate legal data protection, we shall ensure an adequate level of protection as provided for by law by using contracts suitable for this purpose (in particular on the basis of the standard contract clauses of the European Commission, which can be accessed here) or so-called Binding Corporate Rules or rely on legal exceptions of consent, the execution of contracts, the determination, exercise, or enforcement of legal claims, overriding public interests, published personal data, or because it is necessary to protect the integrity of the subjects thus affected. You may, at any time, obtain a copy of the contractual guarantees from the aforementioned contact, if not available at the link above. However, we reserve the right to black out parts of the copies or to supply only excerpts for reasons of data-protection law or confidentiality.

RETENTION PERIODS FOR YOUR PERSONAL DATA

We process and retain your personal data as long as required for the performance of our contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so or if legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent possible.

DATA SECURITY

We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse such as internal policies, training, IT and network security solutions, encryption of data carriers, and pseudonymisation.

OBLIGATION TO PROVIDE PERSONAL DATA TO US

In the context of our business relationship, you shall have to provide us with any personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations (as a rule, there is no statutory requirement to provide us with data). Without this information, we will usually not be able to enter into or carry out a contract with you (or the entity or person you represent). In addition, the website cannot be used unless certain information is disclosed to enable data traffic (e.g. an IP address).

PROFILING

We may partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling). In particular, profiling allows us to inform and advise you more accurately about products possibly relevant for you. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise you as required, including market and opinion research.

RIGHTS OF THE PERSON AFFECTED

In accordance with and as far as provided by applicable law (as is the case where the GDPR is applicable), you have the right to access your personal data and have them rectified or erased, the right to a restriction of processing or to object to our data processing in addition to the right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights will cause you to incur costs, we will notify you thereof in advance. We have already informed you above of the possibility to withdraw consent. Please further note that the exercise of these rights may be in conflict with your contractual obligations and this may result in consequences such as a premature contract termination or involve costs. If this is the case, we shall inform you in advance, unless it has already been contractually agreed upon.

In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or cannot be verified in another way). In order to assert these rights, please contact us at the addresses provided above.

In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data-protection authority. The competent data-protection authority of Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).

AMENDMENTS OF THIS DATA PROTECTION STATEMENT

We may amend this Data Protection Statement at any time without prior notice. The current version published on our website shall apply. If the Data Protection Statement is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an amendment.