(a) This Data Processing
Agreement ("DPA") applies exclusively to the processing of
personal data by Controllers as defined by the General Data Protection
Regulation (GDPR). Controllers are natural or legal persons who process (or
have processed) personal data of Data Subjects via the SEMS Portal. In this
case, GoodWe Europe GmbH ("GoodWe Europe"
or "Processor") acts as a processor in accordance with Article
28 of the GDPR. The DPA ensures that this processing is carried out in
compliance with the GDPR.
(b) This DPA does not apply to
Data Subjects who upload or otherwise process their own personal data on the
SEMS Portal. In such cases, GoodWe Europe merely acts
as a technical service provider (hosting provider), without acting on behalf of
a Controller. Therefore, a DPA is not required, as no data processing on behalf
of a Controller takes place under the GDPR.
(c) This Data Processing
Agreement ("DPA") supplements the SEMS Portal Terms of Use (available at:
https://www.semsportal.com/Home/GoodweReadLiteratureView?id=Terms_Use&page=login) and applies to the processing of personal data that
Controllers upload or otherwise process via the SEMS Portal ("Content Data"). With regard to the processing of Content
Data, GoodWe Europe GmbH ("GoodWe Europe"
or "Processor") acts on behalf of Controllers within the
EU/EEA ("EU/EEA Controllers") (hereinafter collectively referred to as
"the Parties") as the Processor, while the EU/EEA Controllers
act as Controllers within the meaning of the GDPR. The purpose of this DPA is
to ensure that such processing is conducted in compliance with the GDPR and
that the rights of data subjects are upheld.
(d) Annexes I to IV
form an integral part of this DPA.
(a) Terms defined in Article 4
of the GDPR shall have the same meaning in this DPA.
(b) This DPA shall be
interpreted in accordance with the provisions of the GDPR.
(c) This DPA shall not
contradict GDPR provisions or infringe upon the rights of data subjects.
In case of a conflict between this DPA, the
SEMS-Portal Terms of Use, or any related agreements, this DPA shall take
precedence.
The details of the processing operations, in
particular the categories of personal data and the purposes of processing for
which Content Data is processed by GoodWe Europe on
behalf of the Controller, are specified in Annex II.
(a) The Processor shall process
Content Data only on the documented instructions from the Controller
as set forth in Annex II,
unless required to do so by Union or Member State law to which the Processor is
subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless
the law prohibits this on important grounds of public interest. Subsequent
instructions may also be given by the Controller throughout the duration of the processing of Content
Data. These instructions shall always be documented.
(b) The Processor shall inform
the Controller if,
in the Processor’s opinion, instructions given by the Controller infringe the GDPR or the applicable Union or Member
State data protection provisions.
The Processor shall
process Content Data only for the specific purpose(s) of the processing, as set
out in Annex II, unless
it receives further instructions from the Controller.
Processing by the Processor shall only
take place for the duration specified in Section 8 and Annex II.
(a) The Processor shall at
least implement the technical and organisational measures specified in Annex
III to ensure the security of personal data. This includes protecting
personal data against a breach of security leading to accidental or unlawful
destruction, loss, alteration, unauthorised disclosure or access to the data
(personal data breach). In assessing the appropriate level of security, the
Parties shall take due account of the state of the art, the costs of
implementation, the nature, scope, context and purposes of processing and the
risks involved for the data subjects.
(b) The Processor shall grant
access to personal data undergoing processing to members of its personnel only
to the extent strictly necessary. The Processor shall ensure that persons
authorised to process the personal data received have committed themselves to
confidentiality or are under an appropriate statutory obligation of
confidentiality.
(a) The Parties shall be able
to demonstrate compliance with this DPA.
(b) The Processor shall deal
with inquiries from the Controller about the processing of personal data in accordance
with this DPA.
(c) The Processor shall make
available to the Controller all information necessary to demonstrate compliance
with the obligations that are set out in this DPA and stem directly from the GDPR.
At the Controller’s
reasonable request, and subject to the Controller bearing the respective cost
as set out below in Section 5.5 (f), the Processor shall also permit and
contribute to audits of the processing activities covered by this DPA, at
reasonable intervals or if there are indications of non-compliance. In deciding
on a review or an audit, the Controller may take into account
relevant certifications held by the Processor. The Parties shall mutually agree
upon the scope, timing, and duration of the audit.
(d) The Controller may choose to conduct the audit by itself or mandate
an independent auditor. Audits may also include inspections at the premises or
physical facilities of the Processor. Such on-site audits may be performed
after reasonable prior notice to the Processor of not less than thirty (30)
days and upon joint consultation between the Controller and the Processor, during regular business hours,
without unreasonably interfering with the Processor’s business operations. The
Parties agree to appoint an
independent auditor who is subject to confidentiality obligations, and who is
not a competitor of the Processor or its affiliates, to carry out such audit.
Before the commencement of any such on-site audit, the Parties shall mutually
agree upon the scope, timing, and duration of the audit.
(e) The Parties shall make the
information referred to in this Section, including the results of any audits,
available to the competent supervisory authority/ies
on request.
(f) The Processor is entitled to charge the Controller for the reasonable costs
incurred with respect to responding to information requests and assisting with
audits referred to in this Section.
(a) The Processor has the
Controller’s general authorisation for the engagement of sub-processors from an
agreed list. Currently, and depending on the choice of the Processor, the
Processor has engaged the sub-processors set forth in Annex IV whose
engagement is hereby authorized by the Controller. The Processor shall
specifically inform the Controller of any intended changes of that list through
the addition or replacement of sub-processors in advance, thereby giving the
Controller sufficient time to be able to object to such changes prior to the
engagement of the concerned sub-processor(s). The Processor shall provide
the Controller with the information necessary to enable the Controller to
exercise the right to object.
(b) Where the Processor engages
a sub-processor for carrying out specific processing activities (on behalf of
the Controller), it
shall do so by way of a contract which imposes on the sub-processor, in
substance, the same data protection obligations as the ones imposed on the
Processor in accordance with this DPA. The Processor shall ensure that the
sub-processor complies with the obligations to which the Processor is subject
pursuant to this DPA and to the GDPR.
The Controller retains full ownership and control over
the personal data. All data access, authorizations, and revocations must be
explicitly consented to by the Controller.
(a) The Processor shall notify
the Controller of
any request it has received from a data subject. The Processor shall not
respond to the request itself, unless authorised to do so by the Controller.
(b) The Processor shall reasonably assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with
Sections 6 (a) and (b), the Processor shall comply with the Controller’s instructions.
(c) In addition to the
Processor’s obligation to assist the Controller pursuant to Section 6 (b) and upon the Controller’s request, the Processor shall furthermore reasonably
assist the Controller in
ensuring compliance with its obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of the data processing and
the information available to the Processor.
In the
event of a personal data breach concerning data processed by the Processor, the Processor shall notify
the Controller without undue delay after the Processor having become
aware of the breach.
This DPA will become effective upon the EU/EEA User’s
acceptance. This DPA will terminate automatically upon the later of (a)
termination or expiry of the Processor’s obligations in relation to the
SEMS-Portal Terms of Use or (b) termination of processing of the personal data
by the Processor. Following termination, the Processor shall, at the
choice of the Controller, delete
all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the personal data
to the Controller and
delete existing copies unless Union or Member State law requires storage of the
personal data. Until the personal data is deleted or returned, the Processor
shall continue to ensure compliance with this DPA.
The SEMS-Portal includes an Authority Management feature, which allows the Controller to manage data access permissions effectively. The Controller can:
Authorize third parties to access specific personal data.
Revoke or modify previously granted authorizations at any time.
This ensures that the Controller retains full control over who can access their data and under what conditions. Any changes made via the Authority Management feature will be implemented promptly, and access rights will be immediately updated in the system. This functionality ensures that data access complies with GDPR principles, particularly those relating to data security, access control, and the rights of data subjects (as outlined in Articles 12, 15-18 GDPR).
Controller(s):
EU/EEA-User(s)
of the SEMS-Portal who have accepted the SEMS-Portal Terms of Use.
Processor:
GoodWe Europe GmbH
Kistlerhofstraße 170,
81379 München
Deutschland
Categories
of data subjects whose personal data is processed
Distributors,
installers and end-users of GoodWe
power inverters (within a B2B and/or B2C context) who use the SEMS-Portal in
the context of the operation of GoodWe power
inverters.
Categories
of personal data processed
PV plant data: PV plant name, PV plant identifier, access date, company, street,
building number, city, federal state, country, time zone, latitude and
longitude, Photovoltaic plant rated power, manufacturer, model type, system
description, system image, energy usage data;
Sensitive
data processed (if applicable) and applied restrictions or
safeguards that fully take into consideration the nature of the data and the
risks involved, such as for instance strict purpose limitation, access restrictions
(including access only for staff having followed specialised training), keeping
a record of access to the data, restrictions for onward transfers or additional
security measures.
N/A
Nature
of the processing
The nature of the
processing is the provision of the functionalities of
the SEMS-Portal and performance of associated
services to EU/EEA Users.
Purpose(s)
for which the personal data is processed on behalf of the controller
Personal data is processed
by the provision of the functionalities of the
SEMS-Portal and performance of associated services to
EU/EEA Users.
Duration
of the processing
The processing will be
carried out for the duration of the respective service provided through the
SEMS-Portal. Personal data is processed on a continuous basis.
For processing by (sub-) processors, also specify
subject matter, nature and duration of the processing
Personal
data is processed by sub-processors for the provision of technical support and
hosting services in order to provide the functionalities of the SEMS-Portal to EU/EEA Users.
Third-Party
Access and Consent
The Processor shall provide a detailed list in Annex II of all third parties who may have access to the Controller's data. This list shall include a) the identities of third parties; b) the types of personal data they may access; c) the purposes for which such personal data will be processed.
The Controller's agreement to this DPA does not, by itself, constitute consent for third-party access. The Processor shall obtain specific and explicit informed consent from the Controller before allowing any third party to access the Controller's personal data, unless such access is required by law.
The Processor shall inform the Controller of the implications of providing or withholding consent for third-party access, including any potential impacts on the functionality of the services provided. The Controller shall also be informed of the procedures for revoking consent at any time without detriment.
GoodWe IT Personal Data Information Security Management
Program
1. Purpose:
This procedure is
formulated to effectively manage and control personal data. It ensures the
security and integrity of information during data usage and maintenance
processes.
2. Scope:
This procedure applies to
the use and maintenance of all EU personal data within the company.
3. Definition:
Information Department:
Refers to the Industrial Intelligence Information Department.
4. Responsibilities:
4.1 IT Department:
Responsible for the use,
maintenance, management, and storage of personal data in all company systems.
4.2 Departments:
Responsible for the custody
and appropriate use of personal data related to their respective departmental
tasks.
5. Working Procedures:
5.1 System Management:
5.1.1 System logs, including
OA and ERP system operation logs, must be obtained for data modification,
export, and operational activities.
5.1.2 System logs must
encompass logging, faults, and privileged personnel operations.
5.1.3 Logs must be retained
for a minimum of one year.
5.1.4 Independent auditors
must conduct monitoring and auditing.
5.2 Network Security
Management:
5.2.1 Wireless network
mechanisms must adhere to external network protocols.
5.2.2 Annual vulnerability
scanning and penetration testing by third-party information security companies
are mandatory for OA and ERP systems, as well as network security equipment
storing large amounts of personal data.
5.3 Computer Management:
5.3.1 Real-time monitoring
of outgoing emails of personnel handling significant personal data and review
by department heads is required.
5.3.2 USB interface usage
for exporting bulk personal data must be approved by the Information
Department.
5.3.3 Screen protection
time on employee computers should be set to three minutes via domain control.
5.3.4 Daily virus checks on
staff computers should be conducted via server-side antivirus software.
5.4 Mobile Device
Management:
5.4.1 Laptops must have
password protection, and important documents must be encrypted or
password-protected.
5.4.2 Data storage on
laptops should be avoided unless encrypted or password-protected.
5.4.3 Non-compliant data
must not be stored on company or personal cell phones.
5.5 Password Management:
5.5.1 Passwords must adhere
to specific rules set by the Information Department, including regular changes
and complexity requirements.
5.5.2 User account
passwords must not be shared.
5.5.3 Automatic login
bypass is not recommended.
5.5.4 Password-protected
screensavers or log-offs are required for unattended computers.
5.6 Backup Management of
Personal Data Storage Devices:
5.6.1 Daily backups of
databases containing personal data are mandatory, with additional backups under
special circumstances.
5.6.2 Backup and restore
tests should occur every three months.
5.6.3 Off-site storage of
important information is necessary.
5.7 End-of-life Management
of Personal Data Storage Devices:
5.7.1 Centralized scrapping
of personal data storage devices is required, with approval from the Personal
Data Information Protection Officer.
5.7.2 Scrapping must follow
an approved disposal plan.
5.7.3 Supervision by
departmental supervisors is necessary during scrapping.
5.8 Management of System
Users' Rights to Access Personal Data:
5.8.1 Quarterly inspections
of access privileges are conducted by the Information Department.
5.8.2 Department
supervisors evaluate user access privileges regularly.
5.8.3 IT department
evaluates and updates access privileges as per standards and departmental
needs.
5.9 Feedback and Complaint Channels
The Processor shall provide clear and easily accessible channels for the Controller to submit feedback, inquiries, or complaints regarding data privacy and processing issues. The Controller may contact the Processor through the designated Data Protection Officer (DPO) at DPO@goodwe.com for support, resolution, or in cases where the Controller believes their data privacy has been compromised.
The Processor is obligated to respond to any such inquiries or complaints without undue delay. If the Controller is not satisfied with the response or resolution provided by the Processor, the Controller retains the right to lodge a complaint with a competent supervisory authority, in accordance with Article 77 of the GDPR.
| Name | Address | Contact person’s name, position and contact details | Description of the processing |
|---|---|---|---|
| Alibaba (US) Technology Co., Ltd. | 5341 Hammill Rd, El Monte, California, 91732, United States | Data Protection Officer | Provision of hosting services in connection with the hosting of the SEMS-Portal. |
| GoodWe Technologies Co., Ltd. | No. 90 Zijin Rd., New District, Suzhou | Ivan Lu | Provision of technical support services in connection with the SEMS-Portal. |