Introduction
Thank you for visiting our website. Sunlight GmbH (hereinafter referred to as “Sunlight,” “we,” or “us”) attaches great importance to the security of user data and compliance with data protection regulations. We would like to inform you below about the processing of your personal data on our website.
Responsible body and data protection officer
Responsible body:
Sunlight GmbH, Ölmühlestr. 6, 88299 Leutkirch
Tel.: +49 7561 9097-200
E-Mail: info@sunlight.de
External data protection officer:
DDSK GmbH, Dr.-Klein-Str. 29, 88069 Tettnang
Tel.: 07542 949 21 – 01
E-Mail: datenschutz@sunlight.de
Terms
The technical terms used in this privacy policy are to be understood as defined in Art. 4 GDPR.
Information on data processing
Automated data processing (log files, etc.)
Our site can be visited without actively providing personal information. However, we automatically store access data (server log files) such as the name of the Internet service provider, the operating system used, the website from which the user visits us, the date and duration of the visit, or the name of the requested file, as well as, for security reasons, e.g. to detect attacks on our website, the IP address of the device used for a period of 7 days. This data is evaluated exclusively for the purpose of improving our offer and does not allow any conclusions to be drawn about the identity of the user. This data is not merged with other data sources.
We process and use the data for the following purposes: provision of the website, improvement of our websites, prevention and detection of errors/malfunctions, and misuse of the website.
Legal basis: legitimate interest, pursuant to Art. 6 (1) (f) GDPR
Legitimate interests: Ensuring the functionality and error-free and secure operation of the website and adapting this website to the requirements of users.
Use of cookies (general, functionality, opt-out links, etc.)
In order to make visiting our website attractive and to enable the use of certain functions, we use so-called cookies on our website. The use of cookies serves our legitimate interest in making visiting our website as pleasant as possible and is based on Art. 6 (1) lit. f) GDPR. Cookies are a standard Internet technology for storing and retrieving login and other usage information for all users of the website. Cookies are small text files that are stored on the end device. They enable us, among other things, to store user settings so that our website can be displayed in a format tailored to the user’s device. Some of the cookies we use are deleted after the end of the browser session, i.e., after closing the browser (so-called session cookies). Other cookies remain on the user’s device and enable us or our partner companies to recognize the browser on the next visit (so-called persistent cookies).
The browser can be set so that the user is informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies in certain cases or in general. Furthermore, cookies can be deleted retrospectively to remove data that the website has stored on the user’s computer. Deactivating cookies (so-called opt-out) may lead to some restrictions in the functionality of our website.
Categories of data subjects: Website visitors, users of online services
Opt-out:
Internet Explorer:
https://support.microsoft.com/de-de/help/17442
Firefox:
https://support.mozilla.org/de/kb/wie-verhindere-ich-dass-websites-mich-verfolgen
Google Chrome:
https://support.google.com/chrome/answer/95647?hl=de
Safari
https://support.apple.com/de-de/HT201265
Legal basis: Consent (Art. 6 (1) (a) GDPR); legitimate interests (Art. 6 (1) (f) GDPR)
The relevant legal basis is specified for each tool.
Legitimate interests: Storage of opt-in preferences, display of the website, ensuring the functionality of the website, preservation of user status across the entire website, recognition for subsequent website visitors, user-friendly online offering, ensuring chat function
Consent management platforms ( Consent management )
We use a consent management process on our website to store and manage the consent given by website visitors in a verifiable manner in accordance with data protection requirements.
The consent management platform we use helps us to recognize all cookies and tracking technologies and control them based on the consent status. At the same time, visitors to our website can use the consent management service we have integrated to manage the consents and preferences they have given (optional setting of cookies and other technologies that are not necessary) or revoke their consent at any time using the button.
The consent status is stored on the server side and/or in a cookie (known as an opt-in cookie) or comparable technology so that consent can be assigned to a user or their device. The time at which consent was given is also recorded.
Categories of data: Consent data (consent ID and number, time of consent, opt-in or opt-out), meta and communication data (e.g., device information, IP addresses)
Purposes of processing: Fulfillment of accountability obligations, consent management
Legal basis: Legal obligation (Art. 6 (1) (c) GDPR in conjunction with Art. 7 GDPR)
Manage/revoke consent
Cookiebot
Recipient: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark
Third country transfer: Does not take place.
Privacy policy: https://www.cookiebot.com/de/privacy-policy/
Usercentrics
Recipient: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany
Third country transfer: Does not take place.
Privacy policy: https://usercentrics.com/de/datenschutzerklaerung/
Content Management System
Web-based application without data transfer
We use the WordPress content management system (CMS) from Automattic Inc. on our website to edit, organize, and display digital content. The CMS allows us to edit and manage our website and equip it with the necessary functions (e.g., forms, images, and other digital content).
In addition, the website designed by the CMS helps our website to be found more easily in search engine results pages (SERPs) when users enter queries.
Support from an integrated firewall within the CMS ensures that our website is protected against external attacks, thereby preventing misuse of the website. In addition, we ensure that the CMS undergoes regular updates and patches to guarantee the security of our website, which is based on the CMS.
Categories of data subjects: Website visitors
Categories of data: Usage data (e.g., visited web pages, access time), meta and communication data (e.g., device information; anonymized IP address), interaction data (interest in content, etc.)
Purposes of processing: Creating, editing, and managing page content, storing and archiving data, creating landing pages, statistics, reach measurement
Legal basis: Legitimate interest pursuant to Art. 6 (1) (f) GDPR
Balancing of interests: By using Pimcore, we can manage our website more efficiently and update content more easily. Pimcore offers a variety of features that enable us to improve the user experience on our website. No data is transferred to third parties.
WordPress
Recipient: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA
Privacy policy: https://automattic.com/de/privacy/
Hosting (including content delivery network)
Our website is hosted by an external service provider. Data relating to visitors to our website, in particular log files, is stored on our service provider’s servers. By using a specialized service provider, we are able to provide our website efficiently. The hosting provider we use does not process the data for its own purposes.
We also use a so-called Content Delivery Network (CDN) to deliver the content of our website more quickly. For example, when website visitors access graphics, scripts, or other content, these are delivered quickly and optimally using regionally and internationally distributed servers. When the files are retrieved, a connection to the servers of a CDN provider is established, whereby personal data of visitors to our website is processed, for example, the IP address and browser data.
Categories of data: User data (e.g., websites visited, interest in content, access times), meta and communication data (e.g., device information, IP addresses)
Purposes of processing: Proper display and optimization of the website, faster and location-independent accessibility of the website
Legal basis: Consent (Art. 6 (1) (a) GDPR); legitimate interests (Art. 6 (1) (f) GDPR)
Legitimate interests: Avoidance of downtime, high scalability, reduction of bounce rate on the website
Google Static
Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Legal basis Consent (Art. 6 (1) (a) GDPR)
Third country transfer: Based on the adequacy decision of the European Commission for the USA
Privacy policy: https://policies.google.com/privacy?hl=en-US
Hetzner
Recipient: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR)
Third country transfer: Does not take place
Privacy policy: https://www.hetzner.com/legal/privacy-policy/
Website support and consulting, web agency
We have commissioned a web agency to provide support and advice for services and applications on our website. This agency assists us with all activities related to the design and functionality of our website. Within this framework, the web agency selected by us receives the access data for our website in order to make necessary adjustments and changes, such as the design of forms or other programming activities.
Access to personal data, such as data from forms or log data from website visitors, cannot be ruled out. The web agency therefore acts as a so-called processor for us and acts exclusively on our instructions. Data is not processed for any other purposes.
Categories of data: Usage data (e.g., access times), meta and communication data (e.g., device information, IP addresses), contact data (e.g., email address), content data (e.g., text information)
Purposes of processing: Support with web analysis and optimization, analysis of usage behavior on the website (website interaction) for web optimization and reach measurement, checking website utilization
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Legitimate interests: Assistance and support with website maintenance through a high level of technical expertise, efficiency through outsourcing
Web agency
Recipient: Huangart, Kranzgasse 18/10, 1150 Vienna, Austria
Third country transfer: Does not take place.
Privacy policy: https://www.huangart.at/privacy
Web agency
Recipient: PANSOFT GmbH, Tullastr.28, 76131 Karlsruhe, Germany
Third country transfer: Does not take place.
Privacy policy: https://pansoft.de/de/home/datenschutz/index.html
Web analysis and optimization
We use web analysis and reach measurement tools to evaluate visitor traffic on our website. To do this, we collect information about the behavior, interests, and demographic characteristics of our visitors, such as age, gender, etc. This helps us to identify at what times our website, its functions, or its content are most frequently accessed or encourage repeat visits. In addition, we can use the information collected to determine whether our online offering needs to be optimized or adapted.
The information collected for this purpose is stored in cookies or similar methods and is used for reach measurement and optimization. The data stored in the cookies may include viewed content, visited websites, settings, and functions and systems used. However, no clear data of users is regularly processed for the purposes described. In this case, the data is modified in such a way that neither we nor the provider of the tool used are aware of the actual identity of the users. The data modified in this way is often stored in user profiles.
Categories of data subjects: Website visitors, users of online services
Categories of data: User data (e.g., websites visited, interest in content, access times), meta and communication data (e.g., device information, IP addresses), contact data (e.g., email address, telephone number), content data (e.g., text information, photographs, videos)
Purposes of processing: Website analysis, reach measurement, utilization and evaluation of website interaction, lead evaluation
Legal basis: Consent (Art. 6 (1) (a) GDPR); legitimate interests (Art. 6 (1) (f) GDPR)
Legitimate interests: Optimization and further development of the website, profit increase, customer loyalty and new customer acquisition
Facebook Connect / Meta Pixel
Service used: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Privacy policy: https://www.facebook.com/privacy/explanation
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google Analytics
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
LinkedIn Insight Tag
Service used: LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
Data protection: https://www.linkedin.com/legal/privacy-policy
Opt-out link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Sentry
Service used: Sentry, 45 Fremont Street, San Francisco, CA 94105, USA.
Data protection: https://sentry.io/privacy/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Online marketing
In order to continuously increase the reach and awareness of our online offering, we process personal data in the context of online marketing, in particular with regard to potential interests and the measurement of the effectiveness of our marketing measures.
For the purpose of measuring the effectiveness of our marketing measures and identifying potential interests, relevant information is stored in cookies or similar procedures are used. The data stored in cookies may include viewed content, visited websites, settings, and functions and systems used. However, no clear data of users is regularly processed for the purposes described. The data is then modified in such a way that the actual identity of the users is not known to us or to the provider of the tool used. The data modified in this way is often stored in user profiles.
In the case of user profile storage, the data can be read, supplemented, and added to on the online marketing provider’s server when visiting other online offerings that use the same online marketing method.
We can determine the success of our advertisements on the basis of aggregated data made available to us by the provider of the online marketing method (so-called conversion measurement). Within the scope of these conversion measurements, we can track whether a marketing measure has led to a purchase decision by a visitor to our online service. This evaluation serves to analyze the success of our online marketing.
Categories of data subjects: Website visitors, users of online services, interested parties, communication partners, business and contractual partners
Categories Data: User data (e.g., websites visited, interest in content, access times), meta and communication data (e.g., device information, IP addresses), location data, contact data, content data (e.g., text information, photographs, videos)
Purposes of processing: Marketing (in some cases also interest-based and behavior-related), conversion measurement, target group formation, click tracking, development of marketing strategies, and increasing the efficiency of campaigns
Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR)
Legitimate interests: Optimization and further development of the website, profit increase, customer loyalty and new customer acquisition
MicrosoftInvest
Service used: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Data protection: https://privacy.microsoft.com/de-de/privacystatement
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google Ads
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google AdSense with personalized ads
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google DoubleClick
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google Play
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google Tag Manager
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Legitimate interest (Art. 6 (1) (f) GDPR)
Legitimate interests: Coordination of different tools, management, ease of use, and presentation
LinkedIn Ads
Service used: LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
Data protection: https://www.linkedin.com/legal/privacy-policy
Opt-out link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Social media presence
We maintain online presences on social networks and career platforms in order to exchange information with users registered there and to be able to contact them easily.
In some cases, user data on social networks is used to conduct market research and for advertising purposes. User profiles can be created and used based on user behavior, such as the interests they specify, in order to tailor advertisements to the interests of target groups. For this purpose, cookies are regularly stored on users’ devices, in some cases regardless of whether they are registered users of the social network.
In connection with the use of social media, we also use the associated messengers to communicate with users in an uncomplicated manner. We would like to point out that the security of individual services may depend on the user’s account settings. Even in the case of end-to-end encryption , the service provider can draw conclusions about whether and when users communicate with us and, if necessary, collect location data.
Depending on where the social network is operated, user data may be processed outside the European Union or outside the European Economic Area. This may result in risks for users, for example, because it makes it more difficult for them to enforce their rights.
Categories of data subjects: Registered and unregistered users of the social network
Categories of data: Master data (e.g., name, address), contact details (e.g., email address, phone number), content data (e.g., text, photos, videos), usage data (e.g., websites visited, interests, access times), meta and communication data (e.g., device information, IP address)
Purposes of processing: Expanding reach, networking
Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR), consent (Art. 6 (1) (a) GDPR)
Legitimate interests: Interaction and communication on social media Presence, profit increase, insights into target groups
Service used: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Data protection: https://help.instagram.com/519522125107875
Opt-out link: https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/
Service used: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Data protection: https://www.facebook.com/privacy/explanation
Opt-out link: https://www.facebook.com/policies/cookies/
Service used: LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-out link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
TikTok
Service used: TikTok Inc., 10100 Venice Blvd., Culver City, CA 90232, USA
Privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=de
YouTube
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Sunlight Expert Talk
We provide videos on various topics on our website. We will send these to the email address you provide via a link. We also collect and process your name for personalization purposes. Videos are accessed on the basis of your consent, which you can revoke at any time with future effect at info@sunlight.de .
Categories of data subjects: Website visitors
Categories of data: Master data (name), contact data (email address), meta and communication data (e.g., device information, IP address)
Purposes of processing: Provision of content, compliance with documentation requirements
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Service used: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Plug-ins and integrated third-party content
We have integrated functions and content from third-party providers into our online offering. For example, videos, images, buttons, or posts (hereinafter referred to as content) may be integrated.
In order to display content to visitors to our online offering, the respective third-party provider processes, among other things, the user’s IP address so that the content can be transmitted to the browser and displayed. Without this processing, the display of third-party content is not possible.
In some cases, additional information is collected via so-called pixel tags or web beacons, which provide the third-party provider with information about the use of the content or visitor traffic on our online offering, technical information about the user’s browser or operating system, the time of the visit, or referring websites. The data obtained in this way is stored in cookies on the user’s device.
In order to protect the personal data of visitors to our online offering , we have taken certain security measures to prevent the automatic transmission of this data. This data is only transmitted when users use the buttons or click on the third-party content.
Categories of data subjects: Users of the plug-in or integrated third-party content
Categories of data: Usage data (e.g., websites visited, interests, access time), meta and communication data (e.g., device information, IP address), contact data (e.g., email address, telephone number), master data (e.g., name, address)
Purposes of processing: Design of our online offering, increasing the reach of advertisements on social media, sharing posts and content, interest- and behavior-based marketing, cross-device tracking
Legal basis: Consent (Art. 6 (1) (a) GDPR), legitimate interest (Art. 6 (1) (f) GDPR)
Legitimate interests: Protecting our website from misuse, ensuring functionality and error-free and secure operation of the website
Google APIs
Service used: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de or
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google Maps
Service used: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de or
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Google ReCaptcha
Service used: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Legitimate interest (Art. 6 (1) (f) GDPR)
Polylang
Service used: WP SYNTEX, 8, rue Joseph Cugnot 38307 Bourgoin Jallieu, France
Data protection: https://polylang.pro/privacy-policy/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Spotify
Service used: Spotify AB, Regeringsgatan 19, Stockholm 111 53, Sweden
Data protection: https://www.spotify.com/de/legal/privacy-policy/
Opt-out link: https://www.spotify.com/de/legal/cookies-policy/
Legal basis Consent (Art. 6 (1) (a) GDPR)
Syscara
Service used: Web for You., Manuel Wendt, Lassahner Str. 73, 19300 Grabow, Germany
Data protection: https://www.syscara.com/datenschutz.php
Legal basis: Consent (Art. 6 (1) (a) GDPR)
YouTube
Service used: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data protection: https://policies.google.com/privacy?hl=de&gl=de
Opt-out link: https://tools.google.com/dlpage/gaoptout?hl=de
or https://myaccount.google.com/
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Vehicle marketplace
On our website, we offer a marketplace for available vehicles offered by various dealers. If you are interested in a vehicle, you can use our form to contact the vehicle provider to obtain further information, arrange a consultation appointment, or request a quote for the vehicle, among other things. For this purpose, your data, name, email address, and, if applicable, telephone number will be transmitted from the form to the respective trading partner offering the vehicle. From the time of data transmission, the vehicle provider is responsible for data processing and decides, based on the contact details provided and your inquiry, how further communication with you will take place.
Categories of data subjects: Interested website visitors, prospective buyers
Categories Data: Master data (e.g., name, address), contact data (e.g., email address, telephone number), content data (e.g., text entries), meta and communication data (e.g., device information, IP addresses)
Purposes of processing: Mediation of vehicle offers
Legal basis: Consent (Art. 6 (1) (a) GDPR)
CARAVANA
Service used: CARAVANA GmbH, Pferdemarkt 2, 19300 Grabow, Germany
Data protection: www.caravana.de/datenschutz
Newsletter and broad communication (with tracking)
On our website, users have the option of subscribing to our newsletter or any notifications via various channels (hereinafter referred to as “newsletter“). In accordance with legal requirements, we only send newsletters to recipients who have consented to receiving them. We use a selected service provider to send our newsletter.
To subscribe to our newsletter, you must provide an email address. We may also collect additional data, such as your name, in order to personalize our newsletters.
Our newsletter is only sent after the so-called double opt-in procedure has been completed. If visitors to our online offering decide to subscribe to our newsletter, they will receive a confirmation email, which serves to prevent the misuse of false email addresses and to exclude the possibility of the newsletter being sent by a simple, possibly accidental click. You can unsubscribe from our newsletter at any time. An unsubscribe link (opt-out link) is included at the end of each newsletter.
We are also obliged to keep evidence that our subscribers actually wanted to receive the newsletter. For this purpose, we collect and store the IP address and the time of registration and deregistration.
Our newsletters are designed in such a way that we can gain insights into improvements, target groups, or the reading behavior of our subscribers. This is made possible by a web beacon or tracking pixel, which reacts to interactions with the newsletter, for example, whether links are clicked, whether the newsletter is opened at all, or at what time the newsletter is read. For technical reasons, we can assign this information to individual subscribers.
Categories of data subjects: Newsletter subscribers
Categories of data: Master data (e.g., name, address), contact data (e.g., email address, telephone number), meta and communication data (e.g., device information, IP address), usage data (e.g., interests, access times)
Purposes of processing: Marketing, customer retention and new customer acquisition, analysis and evaluation of campaign success
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Salesforce
Service used: Salesforce.com, Inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Data protection: https://www.salesforce.com/uk/company/privacy/
Prize draws and competitions
We use our online presence to hold prize draws and/or competitions. In doing so, we process the data of the participants required to carry out the respective promotion. This also includes data that we need to inform the winner and distribute the prize.
Depending on the type of promotion, entries from participants may be published, for example, when reporting on the promotion or if voting on a participant’s entry is part of the promotion. The participant’s name will also be published. The data we process in each case depends on the specific promotion and the data we receive from the participant.
The implementation of the respective promotion on our social network presence is also subject to the terms of use and data protection provisions of the respective network.
Categories of data subjects: Campaign participants
Categories of data: Master data (e.g., name, address), contact data (e.g., email address, telephone number), content data (e.g., text entries, photos, videos)
Purposes of processing: Conducting the competition, including distributing prizes and announcing the winner in various media
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Contact
Our online offering provides the option of contacting us directly or obtaining information about various contact options. We use a management tool to process such inquiries so that we always have an overview of the contacts made with us.
When you contact us, we process the data of the person making the inquiry to the extent necessary to respond to or process the inquiry. The data processed may vary depending on how you contact us.
Categories of data subjects: Inquiring persons
Categories of data: Master data (e.g., name, address), contact data (e.g., email address, telephone number), content data (e.g., text entries, photographs, videos), usage data (e.g., interests, access times), meta and communication data (e.g., device information, IP address).
Purposes of processing: Processing of inquiries
Legal basis: Consent (Art. 6 (1) (a) GDPR), performance or initiation of a contract (Art. 6 (1) (b) GDPR)
Zendesk
Service used: Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA
Data protection: https://www.zendesk.de/company/customers-partners/privacy-policy/
3CX
Service used: 3CX GmbH, 4 Markou Drakou, 2409 Engomi, Nicosia, Cyprus
Data protection: https://www.3cx.com/company/privacy/
Welcome package
To welcome our new SUNLIGHT vehicle buyers to our SUNLIGHT family, they have the opportunity to register for the welcome package on our website. In order to send the package and check whether the conditions for receiving it have been met, we need your name and address, among other things. We will inform you when it has been sent to the email address you provided. If you do not receive it within 30 days, please contact us at info@sunlight.de. Please note that the package can only be ordered once within 6 months with the same vehicle identification number.
Categories of data subjects: Vehicle buyers
Categories of data: Master data (e.g., name, address), contact details (e.g., email address), vehicle data (e.g., chassis number)
Purposes of processing: Shipping of welcome packages; compliance with documentation requirements, ensuring and confirming shipment
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Salesforce
Service used: Salesforce.com, Inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Data protection: https://www.salesforce.com/uk/company/privacy/
Appointments for test drives/viewings/consultations with retail partners
You can arrange a test drive and/or consultation appointment via our website https://visit.sunlight.de/. For this purpose, the necessary personal data will be collected and transmitted to the dealer you have selected: name, title, email address, preferred vehicle type. If you would like your selected dealer to contact you by phone, your phone number will also be collected and transmitted as voluntary information. To ensure that the appointment takes place as agreed, we will send you a confirmation and a reminder.
This collection, storage, and transmission of data is based on your voluntary consent within the meaning of Art. 6 (1) (a) in conjunction with Art. 7 GDPR. You can revoke this consent at any time with future effect by sending an email to info@sunlight.de or by post to Sunlight GmbH, Ölmühlestraße 6, 88299 Leutkirch, Germany. In addition, you can also assert your rights against the dealer. To do so, please contact the dealer you have selected.
Salesforce
Service used: Salesforce.com, inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Data protection: https://www.salesforce.com/uk/company/privacy/
Vehicle configuration
On our website https://configurator.sunlight.de/, we offer you the opportunity to customize your vehicle. You can have the configuration sent to you and/or contact a dealer directly. Contact with the vehicle provider is established using the form provided in order to provide you with further information and/or arrange a consultation appointment, among other things. For this purpose, your data, name, email address, and, if applicable, telephone number will be transmitted from the form to the respective trading partner offering the vehicle. The vehicle provider is then responsible for data processing from the time the data is transmitted and decides, based on the contact details provided and your request, how further communication with you will take place.
You can access our configurator https://configurator.sunlight.de/ via our main page https://www.sunlight.de/. We use fewer services on the configurator website than on our main page. Specifically, these are Facebook Connect/Meta Pixel, Sentry, Spotify, Syscara, YouTube, Polylang, Google Fonts, Google APIs, Google Maps, Google Play, and Google Static, which are not used on the configurator website. The services and cookies used in the configurator, which you consent to in their processing, are listed in the Consent Management Tool.
Categories of data subjects: Interested website visitors, prospective buyers
Categories of data: Master data (e.g., name, address), contact data (e.g., email address, telephone number), content data (e.g., text entries), meta and communication data (e.g., device information, IP addresses)
Purposes of processing: Mediation of vehicle offers
Legal basis: Consent (Art. 6 (1) (a) GDPR)
Salesforce
Service used: Salesforce.com, Inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Privacy policy: https://www.salesforce.com/uk/company/privacy/
PHP.net
Service used: The PHP Group, USA
Data protection: https://www.php.net/privacy.php
Data transfer
We transfer the personal data of visitors to our online offering for internal purposes (e.g., for internal administration or to the human resources department in order to comply with legal or contractual obligations). Internal data transfer or disclosure of data only takes place to the extent necessary and in compliance with the relevant data protection regulations.
We are a global company headquartered in Germany. The data of visitors to our online offering is stored in our centralized customer database in Germany in compliance with the relevant data protection regulations and is processed within this framework for internal administrative purposes throughout the group. No processing beyond administrative purposes takes place.
Legal basis: legitimate interests (Art. 6 (1) (f) GDPR)
Legitimate interests: so-called small group privilege, centralized management and administration within the company to exploit synergy effects, save costs, and increase effectiveness
Recipients: https://www.erwinhymergroup.com/de/unternehmen/ueber-die-erwin-hymer-group
In the event that we transfer data to a country outside the EEA for internal group processing, we ensure that the processing is legally permissible in the manner intended by us. In this case, we have concluded binding corporate rules/standard data protection clauses, including a separate provision on appropriate technical and organizational measures to protect the data of data subjects in the best possible way. A copy of the guarantee used is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de
In order to execute contracts or fulfill a legal obligation, it may be necessary for us to disclose personal data. If the necessary data is not provided to us, it may not be possible to conclude the contract with the data subject.
We transfer data to countries outside the EEA (so-called third countries). This is done for the purposes mentioned above (transfer within the group and/or to other recipients). The transfer only takes place to fulfill our contractual and legal obligations or on the basis of prior consent given by the data subject.
Storage period
We generally store the data of visitors to our online offering for as long as this is necessary to provide our services or as long as this is provided for by European directives and regulations or other legislators in laws or regulations to which we are subject. In all other cases, we delete personal data after the purpose has been fulfilled, with the exception of data that we must continue to store in order to comply with legal obligations (e.g., we are obliged to retain documents such as contracts and invoices for a certain period of time due to tax and commercial law retention periods).
Automated decision-making
We do not use automated decision-making or profiling in accordance with Art. 22 GDPR.
Legal basis
The relevant legal bases are primarily derived from the GDPR. These are supplemented by national laws of the member states and may be applicable together with or in addition to the GDPR.
Consent: Article 6(1)(a) GDPR serves as the legal basis for processing operations for which we have obtained consent for a specific processing purpose.
Contract fulfillment: Art. 6 (1) (b) GDPR serves as the legal basis for processing that is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation: Art. 6 (1) (c) GDPR serves as the legal basis for processing that is necessary for compliance with a legal obligation.
Vital interests: Art. 6 (1) (d) GDPR serves as the legal basis if processing is necessary to protect the vital interests of the data subject or another natural person.
Public interest: Art. 6 (1) (e) GDPR serves as the legal basis for processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interest: Art. 6 (1) (f) GDPR serves as the legal basis for processing that is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail, in particular where the data subject is a child.
Rights of data subjects
Right of access: Pursuant to Art. 15 GDPR, data subjects have the right to request confirmation as to whether we are processing data concerning them. They may request information about this data as well as the further information listed in Art. 15 (1) GDPR and a copy of their data.
Right to rectification: According to Art. 16 GDPR, data subjects have the right to request the rectification or completion of data concerning them and processed by us.
Right to erasure: Data subjects have the right under Art. 17 GDPR to request the immediate erasure of data concerning them. Alternatively, they may request that we restrict the processing of their data in accordance with Art. 18 GDPR.
Right to data portability: Data subjects have the right under Art. 20 GDPR to request the provision of the data they have made available to us and to request its transfer to another controller.
Right to lodge a complaint: Data subjects also have the right to lodge a complaint with the supervisory authority responsible for them in accordance with Art. 77 GDPR.
Right to object: If personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, data subjects have the right to object to the processing of their personal data pursuant to Art. 21 GDPR, provided that there are reasons for this arising from their particular situation or the objection is directed against direct marketing. In the latter case, data subjects have a general right to object, which we will implement without specifying a particular situation.
Revocation
Some data processing operations are only possible with the express consent of the data subjects. You have the option to revoke consent you have already given at any time. To do so, simply send us an informal message or email to datenschutz@sunlight.de . The legality of the data processing carried out until the revocation remains unaffected by the revocation.
External links
Our website contains links to the online offerings of other providers. We hereby point out that we have no influence on the content of the linked online offerings and the compliance with data protection regulations by their providers.
Changes
We reserve the right to amend this privacy policy at any time in the event of changes to our online offering and in compliance with the applicable data protection regulations so that it complies with legal requirements.
This privacy policy was created by
DDSK GmbH