1. What does this Privacy Notice cover?
This Privacy Notice provides information regarding the personal data which is processed by a company belonging to cascaGroup (hereinafter “casca”, “we”, or “us”), suppliers, business partners and/or investors; including visitors to our websites and portals. If you are a visitor of our website our regulation regarding Data Protection and Cookie Policy are as well applicable. For more information, please read as well our Cookie Policy, published on our website.

As well as this Privacy Notice, local privacy notices vary among the countries in which we operate to reflect local practices and legal requirements. Therefore, the Privacy Notice is at all times subject to applicable local laws and subject to change.

This Privacy Notice explains what personal data is processed, for which purposes, how long we hold the personal data for, how to access and update your personal data and where to go for further information or to lodge a complaint.

2. Special Notice – If you are under 16 years old. Processing children’s personal data
If you are under 16 years’ old (or older if set out in any local privacy notice) please do not send us your personal data (for example, your name, address and email address). If you wish to contact us in a way which requires you to submit your personal data (such as for education or innovation events) please get your parents or guardian to do so on your behalf.

3. What personal data do we process?
We process personal data from and in relation to individuals who are customers, suppliers, business partners and/or investors in the following categories:

Private contact information (such as name, postal or e-mail address, and phone number) only if necessary;
Business contact and other information (such as job title, department, name of organization and your dealings with Casca).

4. Who is responsible for any personal data collected?
Controller of the data in the sense of any applicable laws is casca.


5. For what purpose do we process your personal data?
We process personal data covered by this Privacy Notice for the following purposes:

5.1 Performance of Business; Conducting of Contracts
Business execution, including researching, developing and improving products or services; concluding and executing agreements with customers, suppliers and business partners; recording and settling services, products and materials to and from sonnen; managing relationships and marketing such as maintaining and promoting contact with existing and prospective customers, account management, customer service, and development, execution and analysis of market surveys and marketing strategies.
 

5.2 Business Organisation
Organisation and management of our business including financial management, asset management, implementation of controls, management reporting, analysis, internal audits and investigations.

5.3 Health, Safety, Security
Health, safety and security including protection of an individual’s life or health, protection of sonnen and our staff, authentication of individual status and access rights.

5.4 Compliance with legal requirements, Execution of rights
Legal and/or regulatory compliance including compliance with legal or regulatory requirements including litigation and defence of claims.

5.5 Screening
In order to comply with legal and regulatory obligations, to protect our assets and employees/contractors and specifically to ensure that we can comply with trade control, anti-money laundering and/or bribery and corruption laws and other regulatory requirements, we carry out screening on existing customers and business partners and potential customers and business partner pre-contract and on a periodic basis post-contract (minimum at least quarterly).

The screening takes place against publicly available or government issued sanctions lists. The screening is conducted in Europe. We compare your first and last name with the names published on these publicly available sanctions lists. In case of an initial match sonnen will assess if the match is accurate based on the information sonnen may hold on you (such as your address) or sonnen may use other public sources such as information held by the credit check agencies. sonnen may also contact the individual directly to obtain further information. If sonnen cannot rule out the match, we may rely on the services of our external consultants (KPMG EU) to further assess and evaluate.

Once it has been verified that we have a match the Shell company Shell plc. has a legal reporting obligation to the US Securities and Exchange Commission (SEC). Shell Midstream Partners LP (MLP) is required to file quarterly and annual reports to SEC. If legally required sonnen has to alert the local regulatory authority.

Legal basis for the processing is Art. 6 subpar. 1, lit. c) and f) GDPR (EU General Data Protection Regulation).

The screening does not result in any automated decision making in relation to our customer, business partner or potential customer or business partner.

6. What are the legal bases for processing the personal data?
The personal data covered by this Privacy Notice is only processed:

in order to take steps at the request of an individual prior to entering into a contract;

in order to conduct a contract, you and sonnen entered into;
where it is necessary to comply with a legal or regulatory obligation to which we are subject to;
where it is necessary for the purposes of the legitimate interests pursued by sonnen, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual/s; or
(only if legally required) with the explicit consent of the individual.
In those cases, where processing is based on consent, and subject to applicable local law which provides otherwise, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.

7. Who will we share the personal data with?
Your personal data is exclusively processed for the purposes referred to above and will only be shared on a strict need to know basis with:

Your personal data may also be shared with a company that is a member of our group of companies.
We may also share your personal data with our group companies where they provide products and services to us that help us to provide products and services to you as our customer.
We may also share your data within our group of companies to offer you promotions or to inform you about related products and/or services. This is based on your marketing consent preferences and in all cases any marketing material will be sent to you by us only
Authorized third party agents, service providers and/or subcontractors of casca.
A competent public authority, government, regulatory or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which sonnen or the relevant sonnen company/companies is/are subject to or as permitted by applicable local law.

8. Transfers of personal data
Where the personal data is transferred to companies within casca and/or to authorized third parties in compliance with the aforementioned regulations, who may be located in or outside of your location (including outside of the European Economic Area) we take organizational, contractual and legal measures to ensure that the personal data is exclusively processed for the purposes mentioned above and that adequate levels of protection have been implemented in order to safeguard the personal data.  

These measures include European Commission approved transfer mechanisms for transfers to third parties in countries which have not been deemed to provide an adequate level of data protection as well as any additional local legal requirements.


9. How long do we hold the personal data for?
Any personal data that is required for the purposes of conclusion and execution of agreements with customers, suppliers and business partners or for considering bids or tenders will be held during the duration of the contractual relationship and up to 3 years after.

In all other cases for the purposes set out above, including personal data gathered as part of any unsuccessful bids to casca or which relates to screening as set out in Art. 5.5, such personal data is held for no longer than 3 months after it was gathered.

In all cases information may be held for a) a longer period of time where there is a legal or regulatory reason to do so (in which case it will be deleted once no longer required for the legal or regulatory purpose) or b) a shorter period where the individual objects to the processing of its personal data and there is no longer a legitimate purpose to retain it.

10. Access of personal data
You have a right of access and a right of information with regard to your personal data. We aim to keep our information about you as accurate as possible.

You can access your personal data, request correction or deletion of the personal data (but only where the purpose of storing has repealed) and request that the processing and the transfer of your data is restricted to the extent necessary to conduct the underlying contracts. For this purpose, please contact the data controller as defined below.

11. Who can I contact for more information?
If you have any issues, queries or complaints regarding the processing of your personal data please contact casca and also contact the company of the cascaGroup directly with which you entered into a contract for further questions.

If you are unsatisfied with the handling of your personal data by casca, then you have as well the right to lodge a complaint to the respective data protection authority.

12. Changes to this Privacy Notice
This Privacy Notice may be changed over time. Any changes will become effective when we post the revised Privacy Notice on our website. This Privacy Notice was last updated on December 8th 2022