Privacy Policy for the Vendor Portal

Privacy Policy for the Vendor Portal

Status: July 2022

Our use of your data and your rights – Information in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR). This privacy policy applies to the collection, processing and use of your personal data when using our portal.


The issue of data protection enjoys a high priority at SEFE Securing Energy for Europe GmbH (hereinafter "we", "SEFE" or “SEFE Group”). We would like to thank you for visiting our Internet platform " SEFE Securing Energy for Europe supplier portal" (hereinafter "Portal") and for your interest in our company. We take the protection of your data very seriously. We would therefore like to take this opportunity to inform you how we implement data protection in our company, what information we collect during your visit to our Portal, how this information is used and what rights you have. What is important: Your personal data will be used exclusively for the following purposes and will not be processed in any other way without legal basis.

I. General information

1. Controller

The controller responsible for processing of your personal data

SEFE Securing Energy for Europe GmbH, Markgrafenstraße 23. 10117 Berlin, Phone +49 30 20195-0,

2. Data Protection Officer

You can contact our Data Protection Officer at the following contact details:

You can contact our data protection officer at the above address, for the attention of the data protection officer, or at the e-mail address:   

3. What data do we process and from what sources?

We process personal data that you voluntarily provide us with or that is gathered as part of use of our Portal.

For further information, please refer to Section II - Processing of personal data.

4. For what purpose do we process your data and what is the legal basis for that?

We process your personal data in compliance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR) and German national data protection legislation (for Germany e.g. the German Data Protection Act - BDSG and German Telecommunications Telemedia Data Protection Act - TTSG), for various purposes. In principle, the purposes for which we process your data are: to perform contractual obligations (Article 6 paragraph 1 lit. (b) GDPR), to safeguard legitimate interests (Article 6 paragraph 1 lit. (f) GDPR), for processing subject to your prior consent (Article 6 paragraph 1 lit. (a) GDPR) and/or to comply with statutory obligations (Article 6 paragraph 1 lit. (c) GDPR).

For further information, please refer to Section II - Processing of personal data.

5. Who obtains my data?

Service providers whom we engage to work on our behalf (termed “processors”; cf. Article 4 No. 8 GDPR) may obtain personal data. We use IT service providers as processors.

The technical provider of this portal is the HCM Customer Management GmbH (hereinafter "HCM").
The service provider stores this Portal on server in Germany (hosting). In order to make this Portal available, the commissioning of a webhosting service is necessary.  The use of HCM is made in accordance with Art. 6 para. 1 lit. (f) GDPR due to our legitimate economic interest in keeping our offer available on this Portal.

We have concluded an order processing contract for the hosting. By this contract, the processor assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.

In principle, we do not pass on personal data to third parties who process personal data under their own responsibility (termed “controllers”; cf. Article 4 No. 7 GDPR). Something different applies only if it is essential for the procurement process within the SEFE Group.

For further information, please refer to Section II – Processing of personal data.

If a legitimate interest exists and the statutory provisions are observed, SEFE may transfer personal data to affiliated companies within the meaning of national legislation (e.g., section 15 of the AktG for Germany) within the European Economic Area to the extent permitted. The transmission is made in particular because of our legitimate interest in improving and coordinating our internal administration and for the use of shared databases for shared infrastructures and services. The data will be transmitted to the following companies: WINGAS GmbH, astora GmbH und SEFE Marketing & Trading Ltd.

6. Data Retention

We process your personal data only as long as it is required to fulfil the respective processing purpose.

Personal data which we process when you visit our Portal (IP address, name of your internet service provider, website from which you visit us and Portal pages that you visit on our website) are stored during your visit of the website on the server of our Portal in the Session Cookies and automatically deleted after end of the session. In addition, we are subject to various storage and documentation obligations resulting from national legal provisions, often from tax, labour and company law regulations.

Finally, the storage period is also assessed according to the national statutory limitation periods.

7. Security

We use technical and organizational security measures to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. In the case of the collection and processing of personal data, the information is transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in line with technical advances.

All data that you personally transmit is encrypted using the generally accepted and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard that is also used, for example, for online banking. You can recognise a secure TLS connection by the s attached to http (i.e. ... ) in the address bar of your browser or by the lock symbol at the bottom of your browser.


II. Processing of personal data

1. User Account

In the course of creating an account, the following data is collected from a user:

  • Name of the supplier (mandatory)
  • Address (mandatory)
  • Contact information, including e-mail address for orders and payment transfers (mandatory)
  •  Contact person (mandatory)
  • D&B - No. (D-U-N-S® numbers, identification numbers) (optional)
  • Sales tax/tax register number (optional)
  • Main products and services (optional)
  • SEFE Group entity for which the supplier is applying (mandatory)
  • Supplier analysis by us

Our Portal provides a registration function – this is done by double opt-in (through the e-mail with confirmation link). The processing is carried out on the basis of Article 6 para. 1 lit. b, f GDPR. The purpose of the data processing and our legitimate interest is to provide the services of the Portal, the initiation and execution of contracts, but also for internal purposes (vendor analysis, optimization and further development of the vendor pool).

Your account will be valid for a period of 5 years and will be checked for active status. Confirmed inactive accounts will be manually deleted after a period of 5 years. Your account can naturally be deleted, whenever you/your company chose to delete it.

2. Cookies

In order to make visiting our Portal attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files which are stored on your end device. The cookies can be transmitted to a page when it is accessed and thus allow identification of the user. Cookies help to simplify the use of internet pages for the user. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your end device and enable us to recognize your browser the next time you visit us (so-called persistent cookies).

We process personal data or categories of data by us of session cookies. These are deleted after the session has ended.

Personal data is processed using cookies on the basis of Article 6 paragraph 1 lit. (f) GDPR. The purpose of processing your data and our legitimate interests are to enhance the features of our Portal.

3. Automatic collection of access data / server log files

Within the scope of each access to our Portal, some general information is automatically collected, which is personal data. The web servers we use store the following usage data by default, provided they are transmitted by your computer or Internet provider, which are collected during the visit to

  • The name of the user’s Internet service provider
  • The name of the user’s Internet browser
  • The time and date of the visit
  • The amount of data transferred
  • The user’s IP address
  • A description of the user’s Internet browser
  • The name of the accessed file
  • The referrer URL (the previous webpage)
  • The operating system
  • Notification of a successful data access, errors or unauthorized access

The personal data in log files are processed on the basis of Article 6 para. 1 lit. f GDPR. The purpose of the data processing and our legitimate interest is to facilitate the administration of our Portal and the possibility of detecting and tracking hacking.

4. Your application

If you are turning to us as an applicant, please take into account the more specific Data Privacy Note for Applicants which you will find with the vacant positions.

5. Your rights

Every data subject has the right to access personal data and obtain information (Article 15 GDPR), the right to rectification of data (Article 16 GDPR), the right to erasure of data (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), and the right to data portability (Article 20 GDPR). You can get in touch with us under the contact data specified in Section I “General information”, no. 1 and no. 2, to exercise the aforementioned rights.

If you have given us consent to process your data, you can revoke it at any time without using a special form. Where possible, notice of revocation should be sent to us using the contact data specified in Section I “General information”, no. 1 or no. 2.

Under Article 77 paragraph 1 GDPR, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the law, in particular the General Data Protection Regulation (GDPR). In this case you have the right to turn to the supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. Irrespective of your aforementioned rights please feel free to contact us directly regarding your concerns (for contact details see Section I “General information”, no. 1 and no. 2, of this Data Protection Policy).

You also have a right to object to the processing of your data:


Information on your right to object to processing in accordance with Article 21 of the General Data Protection Regulation (GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 paragraph 1 lit. (f) GDPR (data processing based on a weighing of interests), including any profiling based on those provisions within the meaning of Article 4 no. 4 GDPR.

If you object, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.<

Your objection can be submitted without using a special form and, where possible, should be sent using the contact data specified in Section I “General information”, no. 1 and no. 2, of this Data Protection Policy.