
1. Subject of this data protection notice
In the following, we would like to give you a detailed overview of the processing of the personal data of our Business Partners and their employees. Furthermore, we would like to inform you about the rights you are entitled to and the technical and organisational protective measures we have taken with regard to the processing of your data.
2. Name and address of the data controller and service provider
The controller within the meaning of Art. 4 No. 7 of the General Data Protection Regulation ("GDPR") is IONITY GmbH, Moosacher Straße 84, 80809 Munich, see our legal notice.
If you have any questions or comments about this data protection notice or about data protection in general, please send them to the above address or by e-mail to dataprotection@ionity.eu.
You can contact our data protection officer as follows:
IONITY GmbH
Data Protection Officer
Moosacher Strasse 84
80809 Munich, Germany
dataprotection@ionity.eu
3. Data processing, purposes, legal bases
We only process personal data where this is necessary and in accordance with the principles of data minimisation and purpose limitation. Therefore, the following categories of personal data will be collected:
3.1. Business relationship and communication
Types of personal data:
- Business and Contact data (e.g. name, business email address, name of the company, business address, phone number, position in your company, other data about your company)
- Data about the business relationship or joint project (e.g. correspondence or other communication between you and IONITY, details about the joint project)
- General and invoice data of the supplier’s company (e.g. name of the invoiced party, registration number, IBAN, bank name, VAT ID, currency, DUNS number)
- Land register data (area, location, dimensions) of site partners
We require this data for our business communication with our Business Partners, which is based on Article 6 (1) (b) or Article 6 (1) (f) GDPR. Processing is legitimate for communication within the contractual relationship. Furthermore, we process personal data in the context of the fulfilment of our tender process, contractual obligations and invoicing purposes (Article 6 (1) (b) GDPR). If the fulfilment of contractual obligations requires the processing of personal data of employees of Business Partners (generally as contact persons), this is based on Article 6 (1) (f) GDPR.
If you provide further information during the onboarding process (e.g. in your partner account), your personal data will be collected and processed pursuant to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time.
Some business relationships require additional technical amenities or platforms (e.g. a shared data exchange platform). If applicable, (technical) data will be collected to ensure the functionality of these platforms. For troubleshooting, technical data regarding a particular platform may be collected (e.g. log files). Both data processing activities are legitimate according to Art. 6 (1) (f) GDPR.
Furthermore, we need to process personal data to ensure the performance and management of the contract and business relationship which is to be considered as legitimate interest for us (Art. 6 (1) (f) GDPR):
- For the enforcement of legal claims and defence in legal disputes,
- To ensure IT security and IT operations (e.g. creating partner accounts for access rights),
- For accounting purposes,
- For risk management purposes.
3.2. Test Site Safety Instructions
Types of personal data:
- Name, company name, proof of instruction
If you visit our Test Site and are required to attend a safety instruction, we process your participation in the safety instruction. This is based on Art. 6 (1) (f) GDPR. The legitimate interest is to adhere to safety regulations, to prevent safety incidents through training and awareness, and to provide proof of the required safety instructions.
3.3. IONITY Fleet Charging
Types of personal data:
- Shipping address
- Card ID
- Charging data (Charging token, charging curves, time, date and location of charging activity)
The shipping of the RFID card is based on Art. 6 (1) (f) GDPR and data will be deleted after 90 days. It is our legitimate interest to send you the RFID card in order to provide the requirements for charging. The processing of charging data serves the fulfilment of the contract in accordance with Art. 6 (1) (f) GDPR in order to be able to offer you our charging service and to process invoicing and payment transactions. We process the data on the basis of legal obligations in accordance with Art. 6 (1) (c) GDPR, which includes, for example, the creation, forwarding and retention obligations of invoices and contracts or transfers to authorities. The data is processed on the basis of the legitimate interest of our company pursuant to Art. 6 (1) (f) GDPR to ensure the security, availability and performance of our charging infrastructure and the associated processes and, if necessary, to adapt or improve them and to compile aggregated statistics for business management purposes.
3.4. Data from other sources
As far as it is necessary for the fulfilment of the contract or pre-contractual measures or if you have consented to it, we also process personal data (business and contact data) that we have permissibly received from other third parties.
4. Service providers and data transfer to third parties
We are supported in the fulfilment of our services by processors and third parties. Processors have been carefully selected by us and integrated by means of contracts for commissioned data processing in accordance with Art. 28 GDPR.
If not already specified, we use the following recipients:
- Procurement software provider
- IT service provider
- Municipality (only for building permits)
- Construction companies
- Planning office
- RFID card production company
Your data will otherwise only be passed on to other third parties if this data protection declaration expressly refers to this or if we are legally obliged to transfer personal data.
5. Data transfers to third countries
We also transfer your data to service providers and vicarious agents who are located in third countries (outside the EU) and carry out data processing there. Compliance with an appropriate level of data protection is ensured by various mechanisms.
- If the level of data protection in the third country is guaranteed by an adequacy decision, this serves as the basis for the data transfer (Art. 45 GDPR).
- If the service provider is certified under the Data Privacy Framework, the adequate level of data protection is ensured by the aforementioned adequacy decision pursuant to Art. 45 (1) GDPR.
- Otherwise, transfers to third countries only take place if the level of data protection is otherwise ensured, such as through standard contractual clauses (Art. 46 (2) (c) GDPR), express consent or in the case of contractual or legally required transfers (Art. 49 (1) GDPR). If the transfer is based on standard contractual clauses, the standard contractual clauses provided by the EU Commission are used for this purpose: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
6. Automated decision-making
No automated decision-making takes place.
7. Storage duration
Unless specified in the individual data processing operations, the following applies:
- In principle, data is only stored for as long as is necessary to fulfil the purposes for which it was collected or, if you have given your consent, until you withdraw your consent. After these periods have expired, the data will be deleted or anonymised unless there are statutory retention obligations that require longer storage.
- Commercial and tax documents are subject to a retention period of 10 years.
- Other business documents are subject to a retention period of 6 years.
- Data that is required due to potential warranty and compensation claims or similar contractual claims must be retained for 3 years.
- Contact data is processed until it is updated or until you object to the processing.
8. Your rights as a data subject and your right to lodge a complaint
8.1. Rights of data subjects
With regard to the processing of your personal data, you have the right to request information about your personal data processed by us in accordance with Art. 15 GDPR. You also have the right to have data rectified in accordance with Art. 16 GDPR or erased in accordance with Art. 17 GDPR and to restrict processing in accordance with Art. 18 GDPR. Furthermore, in accordance with Art. 20 GDPR, you have the right to demand the return of the personal data you have provided in a structured, commonly used and machine-readable format.
If we process your data on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR or for the performance of a public task in accordance with Art. 6 (1) (e) GDPR and if there are reasons against this processing arising from your particular situation, you have the right to object to this processing in accordance with Art. 21 (1) GDPR. In the event of an objection, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.
You have the right to object - without restriction - in accordance with Art. 21 (2) and (3) GDPR to any type of processing for direct marketing purposes.
If we process your data on the basis of your consent, you have the right to withdraw your consent at any time. Your data will then no longer be processed for the purposes covered by your consent. Please note that the withdrawal of consent does not affect the lawfulness of data processing that took place prior to the withdrawal. Please refer to the above information or the information in the respective consent for details of how you can declare your cancellation or contact our Customer Service.
To exercise your rights, please contact: support@ionity.eu.
8.2. Complaint to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).
The competent supervisory authority in Bavaria is Bayerisches Landesamt für Datenschutzaufsicht, Postfach 606, 91511 Ansbach, www.lda.bayern.de.
9. Data security
We and our contractually bound processors use state-of-the-art technical and organisational security measures to protect the data you provide to us from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security measures are continuously improved in line with technological developments.
10. Version and update of the data protection information
We update our data protection information at regular intervals, as our data processing is subject to change. You will always find the latest version of our data protection information here. You can also request the current version of the data protection information by sending an email to dataprotection@ionity.eu.
Last update: March 2025