Data protection information
(1) Definitions
Following the example of Art. 4 GDPR, the following definitions are the basis for this data protection notice:
– "Personal Data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, online identifier, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Identifiability may also be given by linking such information with other additional knowledge. The occurrence, form, or embodiment of the information does not matter (even photos, video, or audio recordings may contain personal data).
– "Processing" (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data, whether or not by automated means. This includes in particular the collection (i.e. the procurement), the recording, the organization, the structuring, the storage, the adaptation or alteration, the retrieval, the consultation, the use, the disclosure by transmission, dissemination, or otherwise making available, the alignment, the linking, the restriction, the deletion, or the destruction of personal data as well as the change of a purpose or purpose limitation that was originally set for a data processing.
– "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
– "Third Party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency, or other body other than the Data Subject, the Controller, the Processor, and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the personal data; this also includes other affiliated legal entities.
– "Processor" (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller, in particular pursuant to its instructions (e.g., IT service providers). In the data protection legal sense, a Processor is in particular not a Third Party.
– "Consent" (Art. 4 No. 11 GDPR) of the Data Subject means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they signify agreement to the processing of personal data relating to them by means of a statement or a clear affirmative action.
(2) Name and Address of the Controller
The entity responsible for processing your personal data in accordance with Art. 4 No. 7
GDPR is us:
Bees & Bears GmbH
Lützowstraße 22, 10785 Berlin
info@beesandbears.com
For further information about our company, please refer to the imprint information on our website https://www.beesandbears.com/impressum.
(3) Contact Details of the Data Protection Officer
If you have any questions or need a contact person regarding data protection, our company data protection officer is available to you at any time. His contact details are:
Bees & Bears GmbH
Lützowstraße 22, 10785 Berlin
info@beesandbears.com
(4) Legal Bases for Data Processing
As a basic principle, the processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:
– Art. 6 para. 1 sentence 1 lit. a GDPR ("Consent"): If the Data Subject has voluntarily, in an informed and unambiguous manner, indicated by a statement or a clear affirmative action that they consent to the processing of their personal data for one or more specific purposes;
– Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the Data Subject is party or for the performance of pre-contractual measures taken at the request of the Data Subject;
– Art. 6 para. 1 sentence 1 lit. c GDPR: If the processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., a statutory retention period);
– Art. 6 para. 1 sentence 1 lit. d GDPR: If the processing is necessary to protect the vital interests of the Data Subject or of another natural person;
– Art. 6 para. 1 sentence 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or
– Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate Interests"): If the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject (especially when it concerns a minor).
The storage of information in the end user's device or access to information already stored in the end user's device is only permitted if it is covered by one of the following justifications:
– § 25 para. 1 TTDSG: If the end user has consented based on clear and comprehensive information. Consent must be given pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR;
– § 25 para. 2 No. 1 TTDSG: If the sole purpose is the transmission of a message over a public telecommunications network, or
– § 25 para. 2 No. 2 TTDSG: If storage or access is strictly necessary for the provider of a telemedia service to provide a telemedia service explicitly requested by the user.
For the processing operations we have carried out, we will indicate the applicable legal basis for each processing operation below. Processing may also be based on multiple legal bases.
(5) Data Deletion and Retention Period
For the processing operations we have carried out, we will indicate how long the data is stored with us and when it is deleted or restricted. Unless a specific retention period is expressly indicated below, your personal data will be deleted or restricted as soon as the purpose or legal basis for storage ceases to apply. Storage of your data generally only occurs on our servers, subject to any possible transmission according to the regulations in A.(7) and A.(8).
However, storage may exceed the specified time in the event of a legal dispute with you or other legal proceedings or if storage is required by legal provisions to which we are subject (e.g., § 257 HGB, § 147 AO). When the retention period prescribed by law expires, the personal data will be restricted or deleted unless further storage is required by us and a legal basis exists for that.
(6) Data Security
We employ appropriate technical and organizational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction, or against unauthorized access by third parties (e.g., TSL encryption for our website), taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of the processing, as well as the existing risks of a data breach (including their likelihood and severity) for the Data Subject. Our security measures are continuously improved in line with technological developments.
We will gladly provide you with further information upon request. Please contact our data protection officer for this (see A.(3)).
(7) Cooperation with Processors
As with any larger company, we also use external domestic and foreign service providers (e.g., for IT, logistics, telecommunications, sales, and marketing) to conduct our business. They only act according to our instructions and have been contractually obligated in accordance with Art. 28 GDPR to comply with data protection regulations.
Insofar as personal data is shared by us with our subsidiaries or is shared with us by our subsidiaries (e.g., for advertising purposes), this is done based on existing processing relationships.
(8) Conditions for the Transfer of Personal Data to Third Countries
In the context of our business relationships, your personal data may be transferred or disclosed to third parties. These may also be located outside the European Economic Area (EEA), that is, in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us (the legal basis is Art. 6 para. 1 lit. b or lit. f in conjunction with Art. 44 ff. GDPR). We will inform you of the details of the transfer in due course.
The European Commission grants certain third countries adequacy decisions confirming that their data protection is comparable to that of the EEA (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). In other third countries, where personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. In such cases, we ensure that data protection is adequately guaranteed. This can be achieved through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data according to Art. 46 para. 1, 2 lit. c GDPR (the 2021 standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates, or recognized codes of conduct. Please contact our data protection officer (see A.(3)) if you would like to receive more information on this matter.
(9) No Automated Decision-Making (including Profiling)
We do not intend to use personal data collected from you for a process of automated decision-making (including profiling).
(10) No Obligation to Provide Personal Data
We do not make the conclusion of contracts with us dependent on your prior provision of personal data. As a customer, you are generally under no statutory or contractual obligation to provide us with your personal data; however, it may be the case that we can only provide certain offers to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case within the scope of the products we offer below, you will be specifically notified.
(11) Legal Obligation to Provide Certain Data
We may be subject to a special legal or regulatory obligation to provide legally processed personal data to third parties, particularly public authorities (Art. 6 para. 1 sentence 1 lit. c GDPR).
(12) Your Rights
You can assert your rights as a data subject regarding your processed personal data at any time using the contact details provided at the beginning under A.(2). You have the right:
– to request information about your data processed by us according to Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, deletion, restriction of processing, or opposition, the existence of a right to lodge a complaint, the source of your data, if it was not collected from us, as well as about the existence of automated decision-making including profiling and, if applicable, meaningful information about their details;
– to request the correction of inaccurate or the completion of your data stored with us without delay according to Art. 16 GDPR;
– to request the deletion of your data stored with us according to Art. 17 GDPR, as far as the processing is not necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
– to request the restriction of processing your data according to Art. 18 GDPR, as far as you dispute the accuracy of the data or the processing is unlawful;
– to receive your data that you have provided to us in a structured, commonly used, and machine-readable format or to request the transfer to another controller according to Art. 20 GDPR ("Data Portability");
– to lodge an objection to the processing according to Art. 21 GDPR, provided that the processing is based on Art. 6 para. 1 sentence 1 lit. e or lit. f GDPR. This is particularly the case when the processing is not necessary for the fulfillment of a contract with you. If it is not an objection against direct marketing, we ask that you provide the reasons for why we should not process your data as we have conducted. In the case of a justified objection, we will review the situation and either cease or adjust the data processing or provide you with our compelling legitimate reasons for continuing the processing;
– to withdraw your consent once given (also before the applicability of the GDPR, i.e., before May 25, 2018) – meaning your voluntary, informed, and unambiguous indication by a statement or another clear affirmative action that you consent to the processing of the personal data in question for one or more specific purposes – at any time towards us, if you have given such consent. This means that we may no longer continue the data processing based on this consent for the future, and
– to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data in our company, for example with the competent data protection supervisory authority for us: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, Email: mailbox@datenschutz-berlin.de.
(13) Changes to the Data Protection Notice
As part of the development of data protection law as well as technological or organizational changes, our data protection notice will be regularly reviewed for the need for adjustments or additions. You will be informed of changes, in particular on our German website at https://www.beesandbears.com/. This data protection notice is valid as of August 2024.
(1) Explanation of the Function
Information about our company and the services we offer can be found particularly at https://www.beesandbears.com/ along with the associated subpages (hereinafter collectively referred to as "websites"). When visiting our websites, personal data may be processed from you.
(2) Processed Personal Data
When using the websites for informational purposes, the following categories of personal data are collected, stored, and processed by us:
"Log data": When you visit our websites, a so-called log data set (i.e., server log files) is temporarily and anonymously stored on our web server. This consists of:
–the page from which the page was requested (i.e., referrer URL)
–the name and URL of the requested page
–the date and time of the request
–the description of the type, language, and version of the web browser used
–the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established
–the amount of data transferred
–the operating system
–the message indicating whether the request was successful (access status/HTTP status code)
–the GMT time zone difference
"Contact form data": When using contact forms, the data transmitted through them is processed (e.g., gender, name and first name, address, company, email address, and the time of transmission).
In addition to the purely informational use of our website, we offer a subscription to our newsletter, with which we inform you about current developments in business law and events. If you sign up for our newsletter, we collect, store, and process the following "newsletter data":
–the page from which the page was requested (i.e., referrer URL)
–the date and time of the request
–the description of the type of web browser used
–the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established
–the email address
–the date and time of registration and confirmation
We inform you that we evaluate your user behavior when sending the newsletter. For this evaluation, the sent emails include so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your email address and an individual ID. Links contained in the newsletter also contain this ID. The data is collected solely in a pseudonymized manner, meaning that the IDs are not linked to your other personal data, and a direct personal reference is excluded.
(3) Purpose and Legal Basis of Data Processing
We process the personal data described above in accordance with the provisions of the GDPR, the other applicable data protection regulations, and only to the necessary extent. If the processing of personal data is based on Article 6 (1) sentence 1 lit. f GDPR, the stated purposes also represent our legitimate interests.
The processing of log data serves statistical purposes and the improvement of the quality of our website, particularly the stability and security of the connection (the legal basis is Article 6 (1) sentence 1 lit. a or lit. f GDPR).
The processing of contact form data is carried out to handle customer inquiries (the legal basis is Article 6 (1) sentence 1 lit. b or lit. f GDPR).
The processing of newsletter data is for the purpose of sending the newsletter. By registering for our newsletter, you consent to the processing of your personal data (the legal basis is Article 6 (1) lit. a GDPR). For the registration to our newsletter, we use the so-called double opt-in procedure. This means that we send you a confirmation email to the email address you provided, asking you to confirm that you wish to receive the newsletter. The purpose of this procedure is to be able to provide evidence of your registration and, if necessary, clarify any potential misuse of your personal data. You can revoke your consent to receiving the newsletter at any time and unsubscribe from the newsletter. You can revoke by clicking on the link provided in each newsletter email, by sending an email to info@beesandbears.com, or by sending a message to the contact details specified in the imprint.
If the processing of the data requires the storage of information on your end device or access to information already stored on the end device, § 25 (1), (2) TTDSG is the legal basis for this.
(4) Duration of Data Processing
Your data will only be processed as long as necessary to achieve the processing purposes mentioned above; the legal bases provided for the processing purposes apply accordingly. Regarding the use and storage duration of cookies, please refer to point A.(5) and the cookie policy.
Third parties used by us will store your data on their systems as long as necessary to fulfill the services for us according to the respective contract.
Further information on the storage duration can also be found in A.(5) and the cookie policy.
(5) Transfer of Personal Data to Third Parties; Justification Basis
The following categories of recipients, which can be both processors (see A.(7)) and independent controllers (see A.(7)), may gain access to your personal data:
–Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g., for data center services, payment processing, IT security). The legal basis for the transfer is then Article 6 (1) sentence 1 lit. b or lit. f GDPR, insofar as it does not concern processors;
–Government agencies, to the extent necessary to comply with a legal obligation. The legal basis for the transfer is then Article 6 (1) sentence 1 lit. c GDPR;
–Individuals employed for the conduct of our business operations (e.g., auditors, banks, insurance companies, legal consultants, parties involved in corporate acquisitions or the establishment of joint ventures). The legal basis for the transfer is then Article 6 (1) sentence 1 lit. b or lit. f GDPR.
Regarding the guarantees of an adequate level of data protection in the case of data transfer to third countries, see A.(8).
Furthermore, we only transfer your personal data to third parties if you have given explicit consent according to Article 6 (1) sentence 1 lit. a GDPR.
Data Transfer in the Event of Assignment of Claims
If we assign your purchase price claim from the installation and installment agreement for refinancing the installment payment to a third party (factor), usually to a bank cooperating with us, including rights of collection, termination, and withdrawal, we will transmit your contractual data to that third party, in particular your name, your customer number with us, your address, your date of birth, your gender, your nationality, your credit score, contract date, partially financed amount, agreed interest, due date/installment plan, term.
The legal basis for the transmission of this data by us to the refinancing third party (factor) is our overriding legitimate interest in the economic refinancing of the installment payment granted to you and the outsourcing of claims management, Article 6 (1) sentence 1 lit. f GDPR. The transfer of your personal data to the third party (factor) and the receipt of positive or negative information from this third party (approval or rejection of the claim purchase) is necessary for the execution of the claim sale. The third party (factor) needs the personal data of its debtors for credit assessment, collection of the assigned installment claim, and to meet its respective regulatory requirements. Further information about the third party (factor) that acquires our purchase price claim against you, as well as the data protection notices of this third party regarding its independent data processing of the data we transmit, can be found in section IV.2 of your installation and installment agreement.
Data Transfer upon a Specific Request for Personal Creditworthiness to SCHUFA and Creditreform
Only in the event that a person actively and explicitly requests a creditworthiness check from Bees & Bears GmbH, Bees & Bears GmbH will transmit personal data to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, and Creditreform (Crefo), a company of Creditreform Berlin Brandenburg Wolfram GmbH & Co. KG. This includes information that is collected during the active application, execution, and termination of a contractual relationship, as well as data on non-contractual behavior or fraudulent behavior.
Legal Bases for Transfers
The legal bases for these data transmissions are Article 6 (1) letter b and Article 6 (1) letter f of the General Data Protection Regulation (GDPR). A transmission according to Article 6 (1) letter f GDPR is only permitted if it is necessary to safeguard legitimate interests of Bees & Bears or third parties and does not oppose overriding interests or fundamental rights and freedoms of the affected individual that require the protection of personal data. The exchange of data with SCHUFA and Crefo is additionally necessary to meet legal obligations for conducting creditworthiness checks according to §§ 505a and 506 of the German Civil Code (BGB).
Processing and Use of Data by SCHUFA and Crefo
SCHUFA and Crefo process the data obtained and use it, among other things, for profiling (scoring) to provide their contractual partners in the European Economic Area, Switzerland, and possibly in other third countries (if there is a decision of adequacy from the European Commission) with information to assess the creditworthiness of individuals.
Further details about SCHUFA's activities are available in the SCHUFA information sheet according to Article 14 GDPR or online at www.schufa.de/datenschutz. Information regarding Crefo can be found at www.creditreform.de/datenschutz.
(6) Use of Cookies, Plugins, and Other Services on Our Website
a) Cookies
We may use cookies on our websites. Cookies are small text files that are assigned and stored on the hard drive of the browser you use through a characteristic sequence of characters, and through which specific information is transmitted to the place setting the cookie. Cookies cannot execute programs or transmit viruses to your computer and therefore cannot cause any damage. They are used to make the overall internet offering more user-friendly and effective, thus more pleasant for you.
Cookies may contain data that enable the recognition of the used device. However, some cookies only contain information about specific settings that are not personally identifiable. But cookies cannot directly identify a user.
There is a distinction between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, cookies can again be distinguished between:
–Technical Cookies: These are absolutely necessary to move around the website, use basic functions, and ensure the security of the website; they do not collect information about you for marketing purposes nor do they store which websites you have visited;
–Performance Cookies: These collect information about how you use our website, which pages you visit, and whether errors occur when using the website; they do not collect information that could identify you – all collected information is anonymous and is only used to improve our website and find out what interests our users;
–Advertising Cookies, Targeting Cookies: These are used to offer the website user targeted advertising on the website or offers from third parties and to measure the effectiveness of these offers; Advertising and targeting cookies are stored for a maximum of 13 months;
–Sharing Cookies: These serve to improve the interactivity of our website with other services (e.g., social networks); sharing cookies are stored for a maximum of 13 months.
The legal basis for cookies that are strictly necessary to provide you with the explicitly requested service is § 25 (2) No. 2 TTDSG. Any use of cookies that is not strictly technically necessary constitutes a data processing operation that is only permitted with your explicit and active consent in accordance with § 25 (1) TTDSG in conjunction with Article 6 (1) sentence 1 lit. a GDPR. This specifically applies to the use of performance, advertising, targeting, or sharing cookies. Furthermore, we will only pass your personal data processed by cookies to third parties if you have provided explicit consent under Article 6 (1) sentence 1 lit. a GDPR.
b) Cookie Policy
Further information on which cookies we use and how you can manage your cookie settings and deactivate certain types of tracking can be found in our cookie policy.
c) Social Media Plugins
We do not use social media plugins on our websites. If our websites contain icons from social media providers (e.g., LinkedIn), we use them only for passive linking to the pages of the respective providers.
7. Processing of Data by Partner Installation Companies
a) Processing of Data by the Installment Calculator
Our partner installation companies for sustainable energy systems may use an installment calculator to calculate financing options for sustainable energy systems for end customers. In this context, the following personal data is collected by us and transmitted to the partner installation company:
Offer price of the hardware
Optional down payment
Name of the end customer
Phone number of the end customer (optional)
b) Purpose of Data Processing
The processing of this data is carried out for the purpose of providing and optimizing financing solutions for sustainable energy systems for end customers. The transmitted data is stored and used by us to create individual financing offers and provide them to the installers.
Use of Google Analytics
1. Scope of Processing Personal Data
We use Google Analytics on our website, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and that allow an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
2. IP Anonymization
We have activated IP anonymization on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area before it is transmitted to the USA. Only in exceptional cases is the complete IP address transferred to a Google server in the USA and there shortened. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activities, and provide further services related to website usage and internet usage to the website operator. The IP address transmitted by your browser within the framework of Google Analytics will not be merged with other data from Google.
3. Legal Basis
The storage of Google Analytics cookies and the use of this analysis tool is based on Article 6 (1) lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior to optimize both its web offerings and its advertising.
4. Objection to Data Collection
You can prevent the storage of cookies by making the appropriate settings in your browser software; however, we would like to point out that in this case you may not be able to use all features of this website to their full extent. You can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en].
5. Order Processing
We have concluded a contract for order processing with Google and comply fully with the strict requirements of the German data protection authorities when using Google Analytics.
6. Demographic Features in Google Analytics
This website uses Google's "demographic features" of Google Analytics. This enables reports to be created that include information on age, gender, and interests of website visitors. This data is derived from interest-based advertising from Google and visitor data from third parties. This data cannot be assigned to a specific person. You can deactivate this feature at any time via the display settings in your Google account or generally prohibit the collection of your data by Google Analytics as set out in point "Objection to Data Collection".