Data processing principles of CFP FlexPower GmbH

You have accessed this page via a link because you want to find out how we handle your personal data. We, CFP FlexPower GmbH (hereinafter collectively referred to as "the organisation", "we" or "us"), take the protection of your personal data seriously and would like to take this opportunity to inform you about data protection in our organisation.

The EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") imposes obligations to ensure the protection of personal data of the data subject affected by processing. As a data subject, you may be a customer, user or employee, for example.

Insofar as we decide, either alone or jointly with others, on the purposes and means of data processing, this primarily includes the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Articles 13 and 14 GDPR). With this declaration (hereinafter: "Principles of Data Processing"), we inform you about how we process your personal data.

Our data processing principles are structured in a modular fashion. They consist of a general section for all processing of personal data and processing situations and, where applicable, a special section whose content only refers to the processing situation specified there.

General section

Definitions

Based on Art. 4 GDPR, this data protection notice is based on the following definitions:

"Personal data" (Article 4(1) GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by reference to information about their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability may also be established by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings may also contain personal data).
"Processing" (Art. 4 No. 2 GDPR) is any operation involving personal data, whether or not with the aid of automated (i.e. technology-based) procedures. This includes, in particular, the collection (i.e. procurement), recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning, combining, restricting, erasing or destroying personal data, as well as changing the purpose or objective for which the data was originally processed.
"Controller" (Art. 4 No. 7 GDPR) is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Third party" (Art. 4 No. 10 GDPR) is any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal entities belonging to the group.
"Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with its instructions (e.g. IT service providers). In terms of data protection law, a processor is not a third party.
"Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Name and address of the controller

The controller within the meaning of data protection law is

CFP FlexPower GmbH

Lippmannstr. 8
22769 Hamburg

shout@flex-power.energy
Tel: +49-(0)40-60778-6155

You can find further information about our organisation, details of authorised representatives and other contact options in the legal notice on our website: https://flex-power.energy/de/impressum/.

Contact details of the data protection officer

Our company data protection officer is available at any time to answer any questions you may have and to act as your contact person for data protection issues. His contact details are:

R2Data GmbH

Scanbox 18556
Ehrenbergstraße 16a
10245 Berlin

b.rudolph@r2data.de

What data do we process about you? And for what purposes?

When we receive data from you, we will only process it for the purposes for which we received or collected it.

Data processing for other purposes will only be considered if the necessary legal requirements pursuant to Art. 6 (4) GDPR are met. We will, of course, comply with any information obligations pursuant to Art. 13 (3) GDPR and Art. 14 (4) GDPR in this case.

What is the legal basis for this?

The legal basis for the processing of personal data is, in principle, Article 6 of the GDPR, unless there are specific legal provisions. The following options are particularly relevant here:

Art. 6(1)(a) GDPR ("Consent"): Where the data subject has given his or her consent freely, in an informed manner and unambiguously by means of a statement or other unequivocal affirmative action to the processing of his or her personal data for one or more specific purposes;
Art. 6(1)(b) GDPR: Where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Art. 6(1)(c) GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
Art. 6(1)(e) GDPR: If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
Art. 6(1)(f) GDPR ("legitimate interests"): If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which are likely to result in the protection of personal data (especially where the data subject is a child).

If personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time with effect for the future.

If we process data on the basis of a balancing of interests, you as the data subject have the right to object to the processing of personal data, taking into account the provisions of Art. 21 GDPR.

How long is the data stored?

We process the data for as long as is necessary for the respective purpose.

If there are legal retention obligations – e.g. under commercial or tax law – the relevant personal data will be stored for the duration of the retention obligation. Once the retention obligation has expired, we check whether there is any further need for processing. If there is no longer any need, the data is deleted.

As a matter of principle, we review data towards the end of each calendar year to determine whether further processing is necessary. Due to the volume of data, this review is carried out with regard to specific types of data or purposes of processing.

You can, of course, request information about the data we have stored about you at any time (see below) and, if there is no longer a need for processing, request that the data be deleted or that processing be restricted.

Data security

We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

To which recipients is the data passed on?

Your personal data will only be passed on to third parties if this is necessary for the performance of the contract with you, if the transfer is permissible on the basis of a balancing of interests within the meaning of Art. 6 (1) lit. f) GDPR, if we are legally obliged to do so, or if you have given your consent.

We use external domestic and foreign service providers to handle our business transactions (e.g. in the areas of IT, logistics, telecommunications and marketing). These service providers only act on our instructions and are contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.

If we pass on your personal data to our subsidiaries or if our subsidiaries pass on your personal data to us (e.g. for advertising purposes), this is done on the basis of existing data processing agreements.

Where is the data processed?

Within the scope of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the EEA, i.e. in third countries. Such processing is carried out exclusively for the purpose of fulfilling contractual and business obligations and maintaining your business relationship with us. We will inform you about the respective details of the transfer below in the relevant sections.

The European Commission certifies that some third countries have data protection standards comparable to those of the EEA (a list of these countries and a copy of the adequacy decisions are available on the European Commission's website). In other third countries to which personal data may be transferred, however, there may not be a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This can be achieved through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct.

No automated decision-making (including profiling)

We do not intend to use personal data collected from you for automated decision-making (including profiling).

No obligation to provide personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a customer, you are generally not under any legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent or not at all if you do not provide the necessary data. If this should be the case in exceptional circumstances in relation to the products we offer, you will be notified separately. For example, we cannot send you a newsletter if you do not provide us with an email address.

Legal obligation to transfer certain data

We may be subject to a specific legal or regulatory obligation to provide lawfully processed personal data to third parties, in particular public authorities (Art. 6(1)(c) GDPR).

Your rights as a "data subject"

You can assert your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided in I.(2) above. As a data subject, you have the right:

to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
to request the immediate rectification of inaccurate data or the completion of your data stored by us in accordance with Art. 16 GDPR;
to request the erasure of your data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
to request the restriction of the processing of your data in accordance with Art. 18 GDPR, unless the accuracy of the data is disputed by you or the processing is unlawful;
pursuant to Art. 20 GDPR, to receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller ("data portability");
pursuant to Art. 21 GDPR, to object to data collection in specific cases and to direct marketing (Art. 21 GDPR), provided that the processing is based on Art. 6(1)(e) or (f) GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, we ask you to explain the reasons why we should not process your data as we have done when exercising such an objection. In the event of your justified objection, we will examine the situation and either stop or adjust the data processing or inform you of our compelling legitimate grounds for continuing the processing;
in accordance with Art. 7 (3) GDPR, to revoke your consent at any time – i.e. your voluntary, informed and unambiguous declaration of intent, made clear by a statement or other unequivocal confirmatory action, that you agree to the processing of the personal data concerned for one or more specific purposes – if you have given such consent. As a result, we will no longer be permitted to continue processing the data based on this consent in the future;
in accordance with Art. 77 GDPR, to lodge a complaint with a data protection supervisory authority about the processing of your personal data in our organisation; and
pursuant to Art. 79 GDPR, to obtain judicial protection before the ordinary courts and the labour courts, in particular if we refuse to act on the request of the data subject pursuant to Art. 12(5) GDPR.

Changes to the principles of data processing

In the context of the further development of data protection law and technological or organisational changes, our data processing principles are regularly reviewed for the need for adjustment or supplementation. You will be informed of any changes in particular on our website. This data protection information is current as of November 2025.

Special section

In addition to the general section, the following special provisions apply to further processing.

Visitors to the website

Information about specific data processing on the website and in social media can be found in the privacy policy of the respective website.

Applications for employment

We offer you the opportunity to apply for a job with us (e.g. by e-mail, post or via the online application form). We assure you that the collection, processing and use of your personal data will be carried out in strict compliance with the statutory data protection regulations and all other applicable legal provisions. Your data will be treated as strictly confidential.

As part of your application, we process your personal data (e.g. contact and communication data, application documents, interview notes, etc.) in order to make a decision about establishing an employment relationship. The legal basis for this is Art. 6 (1) lit. b GDPR.

Your data is only accessible to those persons within our organisation who are involved in the application process and will not be passed on to third parties unless this is permitted by law or you have expressly consented to this.

If your application is successful, the data you provide will be stored in our data processing systems on the basis of Art. 6 (1) (b) GDPR for the purpose of implementing the employment relationship.

In the event that we are unable to offer you a position, you decline a job offer or withdraw your application, we reserve the right to store the data you have provided on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to six months after completion of the application process (rejection or withdrawal of the application). The storage serves in particular as evidence in the event of legal disputes. We have taken your interests, fundamental rights and freedoms into account and consider this storage to be appropriate in order to protect and defend our legal obligations and claims. If, after the expiry of the six-month period, it transpires that the data is required for an imminent or pending legal dispute, it will only be deleted once the purpose for further storage no longer applies.

In addition, you have the option of being included in our applicant pool. If you are accepted, all documents and information from your application will be transferred to the applicant pool so that we can contact you when suitable vacancies arise. Inclusion in the applicant pool is based exclusively on your express consent (Art. 6(1)(a) GDPR). The data in the applicant pool will be deleted as soon as the purpose for storage no longer applies, whereby the criteria for the duration of storage are based on the relevance of your qualifications for future vacancies. You can revoke your consent at any time, in which case your data will be irrevocably deleted from the applicant pool.

Audio and video conferences

Data processing

We use online conference tools, among other things, to communicate with our customers. The specific tools we use are listed below. When you communicate with us via video or audio conference over the Internet, your personal data is collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/use to use the tools (e-mail address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" related to the communication process (metadata).

In addition, the tool provider processes all technical data required to handle online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.

If content is exchanged, uploaded or otherwise made available within the tool, it is also stored on the tool provider's servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared during use of the service.

Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the privacy policies of the respective tools, which we have listed below this text.

Purpose and legal basis

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). If consent has been requested, the use of the relevant tools is based on this consent; consent can be revoked at any time with effect for the future.

Storage period

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to its storage or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the storage period of your data stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

Conference tools used

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when processing data in the US. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/6474.

Order processing

We have concluded a contract for order processing (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

Zoom

We use Zoom. This service is provided by Zoom Communications Inc., San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. Details on data processing can be found in Zoom's privacy policy: https://www.zoom.com/de/trust/privacy/privacy-statement/.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.zoom.com/de/trust/privacy/privacy-statement/.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5728.

Order processing