Privacy Policy

1. Controller

Controller within the meaning of the GDPR is:

2. Data Protection Officer

3. Definitions

This privacy policy is based on the terminology used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.

Personal Data

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject

Data subject is any identified or identifiable natural person, whose personal data is processed by the controller (our company).

Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of Processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third Party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4. Legal Basis for Processing

The legal basis for this processing of personal data results from the fulfilment of the contract with your employer, thus you are a contracting party and is based on Art. 6(1)(b) GDPR. The same applies to such processing operations as are necessary for carrying out pre-contractual measures. Art. 6(1)(a) GDPR additionally serves our company as the legal basis for these processing operations, as by registering you have acknowledged our privacy policy and thus consent to it. If our company is subject to a legal obligation by which processing of personal data becomes necessary, the processing is based on Art. 6(1)(c) GDPR. Some processing operations are based on Art. 6(1)(f) GDPR. On this legal basis, processing operations that are necessary to safeguard a legitimate interest of our company or a third party are based, provided that the interests, fundamental rights and freedoms of the data subject do not prevail.

5. Technology

5.1 SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us as the operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

5.2 Data Collection When Visiting the Website

When merely using our site for informational purposes, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (in so-called "server log files"). Our website collects a series of general data and information each time a page is accessed by you or an automated system. The following may be collected:

• browser types and versions used
• the operating system used by the accessing system
• the website from which an accessing system reaches our website (so-called referrers)
• the sub-websites that are accessed via an accessing system on our website
• the date and time of access to the website
• a shortened Internet Protocol address (anonymised IP address)
• the Internet service provider of the accessing system

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is needed to:

• deliver the content of our website correctly
• optimise the content of our website and advertising for it
• ensure the permanent functionality of our IT systems and the technology of our website
• provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack

The legal basis for data processing is Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes listed above for data collection.

6. Cookies

6.1 General Information About Cookies

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device, do not contain viruses, Trojans or other malware. Information is stored in the cookie that arises in connection with the specific end device used. However, this does not mean that we directly obtain knowledge of your identity. The use of cookies serves on the one hand to make the use of our offer technically possible for you. We use a temporary cookie to ensure functionality, which is stored on your device for a specified period.

7. Content of our Website

7.1 audatis MANAGER

We have integrated a data protection management software from audatis Services GmbH on this website. In addition, audatis Services GmbH provides the server, hosting, technical support, maintenance and care of the online software as well as the backup of the entered data.

Categories of personal data: Employee data, usage data, customer data, data about customers and suppliers.

Legal basis: Contract fulfilment according to Art. 6(1)(b) and additionally consent according to Art. 6(1)(a) for customers and contract with processor according to Art. 6(1)(b) in conjunction with Art. 28 GDPR for the provider of the offer.

7.2 Registration as a User

As our customer, you have the option of having us provide you or your employees with access to the customer portal. For this, we need the name and email address of the desired user. Which other personal data is transmitted to us results from the input of the respective user in the registration process or in the user profile. Your personal data is collected and stored exclusively for internal use by us and for our own purposes.

7.3 audatis PORTAL

As our customer, you have the option of booking employee training as e-learning in our portal. Corresponding logins are created and used for your employees. For this, we need the first and last name and the email address of the employees. Training content is provided in the portal. Via the simple login and the retrieval of the training content, it can be traced for each employee whether and when the training took place.

7.4 Forms - Data Subject Requests

We provide various forms for our customers via individual API links. These forms can be accessed and used with or without registration or login. They serve as a possibility to direct data protection requests for the exercise of data subject rights directly to us as the data protection officer of the respective customer. Information about the request as well as data about the data subject is collected. The personal data is collected and stored exclusively for processing the request.

7.5 Data Protection and Security Incidents

Within the audatis MANAGER, it is possible to record a corresponding incident via the "Data Protection and Security Incidents" module. For recording, it is necessary that the recording user is logged in. In particular, all information about the incident is recorded, but also e.g. the name and email addresses of the person who discovered the incident. The collection of this data is carried out to comply with the legal obligation of the customer within the meaning of Art. 6(1)(c) GDPR as well as Art. 6(1)(b) GDPR.

7.6 Employee Management

Within the audatis MANAGER, it is possible to document the employees of our customer in a so-called employee management. Specifically, first and last name as well as possibly a personnel number and the associated email address of the employees are stored. The employees are then assigned to an organisational unit. This documentation enables the creation of an employee account in the portal.

7.7 Contact via the Integrated Messaging System

Our online offer audatis MANAGER provides its users with an integrated messaging system. Users of an organisational structure can send messages and file attachments to each other. The messaging system can also be used as a contact form, through which system-related or data protection-relevant enquiries can be directed to the data protection officer. The user's mailbox is encrypted and not even accessible to the system administrator. Messages are stored until they are deleted by the user or the user is deleted.

7.8 Support Requests via Email

To give our customers the opportunity to ask us questions without a phone call or to request support on various matters regarding the use of our online offer audatis MANAGER, we offer links to request help at various points. These links refer to our portal-related email address. Data processing for support requests is accordingly carried out via regular email channels and not via this website.

7.9 Conclusion of Data Processing Agreements

Our online offer audatis MANAGER offers our customers the possibility to conclude data processing agreements according to Art. 28 GDPR with their contractual partners. During the process, contract-relevant data is requested. This data includes basic company data such as the official company name, address, name of the authorised representative and a corresponding email address.

7.10 Whistleblower System

The online offer audatis MANAGER optionally provides a whistleblower system for submitting and receiving as well as investigating reports to prevent, detect and/or take follow-up measures against violations of applicable law or company policies. The following data may be collected, among others, if no anonymous report is made:

• Information for personal identification of the whistleblower (name, address, telephone number, email address)
• Employment characteristics
• Information about the data subject identified in the report
• Information about violations that may allow conclusions about a natural person

Data processing is carried out on the basis of the legal obligation of the Whistleblower Protection Act (HinSchG) according to Art. 6(1)(c) GDPR or in case of voluntary provision on the basis of legitimate interest according to Art. 6(1)(f) GDPR. Deletion of received reports takes place at the earliest 3 years after completion of case processing.

8. Your Rights as a Data Subject

8.1 Right to Confirmation

You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed.

8.2 Right of Access Art. 15 GDPR

You have the right to receive free information at any time about the personal data stored about you and a copy of this data.

8.3 Right to Rectification Art. 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

8.4 Erasure Art. 17 GDPR

You have the right to request that we erase personal data concerning you without undue delay, where one of the legally provided grounds applies and insofar as the processing is not necessary.

8.5 Restriction of Processing Art. 18 GDPR

You have the right to request restriction of processing where one of the legal requirements is met.

8.6 Data Portability Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us.

8.7 Right to Object Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing.

8.8 Withdrawal of Consent

You have the right to withdraw consent to the processing of personal data at any time with effect for the future.

8.9 Complaint to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection about our processing of personal data.

9. Storage of Personal Data

9.1 Routine Storage, Deletion and Blocking

We process and store your personal data only for the period necessary to achieve the storage purpose or as far as this is provided for by the legal provisions to which our company is subject. If the storage purpose ceases to apply or if a prescribed retention period expires, the personal data are routinely blocked or deleted in accordance with the statutory provisions.

9.2 Duration of Storage

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data are routinely deleted, provided they are no longer required for the fulfilment of the contract or the initiation of a contract.

10. Currency and Changes to the Privacy Policy

Due to the further development of our websites and offers or due to changed legal or official requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed and printed at any time on this website.