Notes on Privacy

Notes on data protection:

Thank you for visiting our website and for your interest in our company and our products. In order for you to feel safe and comfortable when visiting our website, we would like to inform you below about the handling of your data. The following privacy policy is intended to inform you about our processing of personal data.

This declaration on data protection only applies to the website of the Utimaco group of companies as further explained under point I. of this privacy policy. Please note that it does not apply to websites of other providers to which we refer through links.

I. Name and Address of Controller

Date: May 2022

The controller within the meaning of the General Data Protection Regulation (GDPR), other national data protection legislation of the Member States and other data protection provisions is

Utimaco Management GmbH
Germanusstrasse 4
52080 Aachen
Germany

Tel.: +49 241 1696-200
Fax: +49 241 1696-199

E-mail: info@utimaco.com
Website: https://www.utimaco.com

in its own name and in the name of the subsidiaries consisting of Utimaco GmbH, Utimaco IS GmbH, Utimaco TS GmbH, Utimaco Inc., Utimaco IS PTE Ltd., Utimaco TS Srl and Utimaco TS UK Ltd.

II. Contact details of the data protection coordinator and the data protection officer of the joint controllers

Utimaco GmbH
- Data Protection Officer -
Germanusstraße 4
52080 Aachen
Germany
Phone: 0049 241 16960
E-Mail: dataprotection@utimaco.com

III. General Information on Data Processing

1. What are personal data?

Personal data within the meaning of the GDPR include all information relating to the personal or material circumstances of an identified or identifiable natural person (see Art. 4(1) GDPR). Such information will regularly include not only a person’s name and (e-mail) address, for example, but also the IP address and any other information that could permit identification of that person.

2. Scope of Processing of Personal Data

In principle, we process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. The processing of personal data of our users takes place regularly only if the processing of the data is permitted by legal regulations or with the consent of the user.

3. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) EU General Data Protection Regulation (GDPR) serves as the legal basis.

For the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR constitutes the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures or steps.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

In the event that the vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 (1) (d) GDPR.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

4. Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer.

The following data is collected:

  • Date and time of access
  • Browser type, Browser version, Browser language
  • City/Region/Country
  • IP address of the user
  • User's system used

The data is stored in the log files of our system. IP addresses are stored only in anonymized form: by default, the last three digits of each IP address written to the log files are replaced with randomly selected digits. A personal reference can then no longer be established.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 (1) (f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

The storage in log files takes place in order to ensure the functionality of the website and to ensure the technical administration of the network infrastructure. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems and we use the data to create and evaluate internal statistics. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

4. Duration of storage

The data is collected as soon as the website is accessed and deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the data is anonymized so that an assignment to a specific user is no longer possible. Backups are kept in encrypted form for 14 days.

5. Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the use of the website. Consequently, there is no possibility of objection on the part of the user.

V. Contact form and e-mail contact

1. Description and scope of data processing

On our website we provide a contact form for electronic contact. If a user makes use of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

  • First and last name (required)
  • E-mail address (required)
  • Telephone number
  • Enterprise
  • User's question (required)
  • Country (required)
  • Industry (depending on the contact form)
  • Product interest (depending on the contact form)

At the time of sending the message, the following data is also stored:

  • IP address
  • Date and time the message was sent
  • Utimaco home page URL

Alternatively, it is possible to contact us via the e-mail addresses provided. These are listed here: https://utimaco.com/company/contact-us. In this case, the user's personal data transmitted with the e-mail will be stored.

We process the user's personal data in order to process his or her contact request. If the user wishes to receive information about our products, the answer to his request can also be taken over by one of our sales partners in certain cases. An overview of the sales partners we use can be found on our Partner Locator on the partner website under https://utimaco.com/partners. For this purpose, we forward the user's data in such a case to the responsible partner. Both we and our sales partner have a legitimate interest in contacting you regarding product issues in accordance with Art. 6 (1) (f) GDPR.

In addition, the user can indicate in the contact form that he or she wishes to be informed by us from time to time about our products and services. He or she can give his or her consent to this, regardless of sending the contact form, by activating a check box. In this case, we will inform the user by e-mail and/or telephone about our products and services. In all other respects, the provisions of the newsletter under chapter VII. apply.

As part of our contact form, we use a so-called marketing automation tool called Pardot. Further information can be found in this privacy policy under chapter X.

2. Legal basis for data processing

The legal basis for the processing of data in the context of establishing contact is Art. 6 (1) (f) GDPR. If the e-mail contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

If the user declares his or her consent to receive information about our products and services, the legal basis for this is Art. 6 (1) (a) GDPR. In all other respects, our regulations for receiving the newsletter in accordance with chapter VII. of this Privacy Policy apply.

3. Purpose of data processing

The processing of personal data in the context of establishing contact serves us on the one hand to process such contact requests. The personal data processed during the sending process from the input mask also serves to prevent misuse of the contact form and to ensure the security of our information technology systems. On the other hand, we process personal data of the user in the context of our marketing activities. This is our legitimate interest in data processing.

4. Duration of storage

The data is collected as soon as it has been transmitted via contact form or message and will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been conclusively clarified and no communication between us and the user is to be expected. This is the case no later than 18 months after the last contact by us or the user.

5. Possibility of objection and removal

The user has the possibility to object to the processing of personal data at any time. In such a case, the conversation cannot be continued. The objection can be declared to us by sending an e-mail to dataprotection@utimaco.com.

In addition, the user has the possibility at any time to revoke his or her consent to receive information about our products and services for the future. The revocation can be declared to us by sending an e-mail to dataprotection@utimaco.com or by activating the unsubscribe link contained in each newsletter.

In this case, the user's data will be deleted immediately, unless the deletion is contrary to grounds arising from the law. More information can be found under chapter XI.

VI. Downloads

1. Description and scope of data processing

In the "Downloads" area of our website (https://utimaco.com/de/downloads), users can download various documents or receive a download link. This requires the provision of some personal data. If the user provides his or her data, the processing of the data takes place with the consent of the user. The user will be informed of this before submitting any data and his or her consent will be obtained by activating a check box. In addition, cookies are used when initiating downloads (more on this in our Cookie Policy, see chapter IX.).

If the user enters his or her data in the input mask provided for this purpose, the following data will be collected:

  • First and last name (required)
  • E-mail address (required)
  • Company (required)
  • Country (required)
  • Branch of industry (required)
  • Interest (required)

In addition, the following data is processed:

  • IP address
  • Time zone
  • Date and time of download
  • Validity of the user's domain

Subject to a positive result of the verification of the country entry and the domain carried out by us, the user will receive an e-mail with the download link and the information on the revocation of his consent.

As part of our download section, we use the marketing automation tool called Pardot. Further information can be found in this privacy policy under chapter X.

2. Legal basis for data processing

The legal basis for the processing of the data with the consent of the user is Art. 6 (1) (a) GDPR.

The consent given also refers to the transfer of at least part of the personal data to the United States as a third country in accordance with Art. 49 (1) (a) GDPR. In the opinion of the European Court of Justice, there is currently no level of protection in the United States that is essentially equivalent to the GDPR. In addition, the legal remedies guaranteed to EU citizens by the Charter of Fundamental Rights of the European Union are limited. This applies in particular to legal protection options against the processing of personal data. There is a risk that the user's personal data may be processed by US authorities for control and monitoring purposes without the possibility of a legal remedy.

On the other hand, we process personal data of the user in the context of our marketing activities and thus our legitimate interest in accordance with Art. 6 (1) (f) GDPR.

The legal basis for the processing of data in compliance with our legal obligations in this context is Article 6 (1) (c) GDPR.

3. Purpose of data processing

By collecting the data, we can constantly optimize and continuously improve the offers on our website. In addition, we can identify which users are interested in our download content and better adapt it to demand.

The personal data processed during the sending process from the input mask also serve to prevent misuse of the download option and to ensure the security of our information technology systems. This is also our legitimate interest in data processing.

The country information is also checked for the purpose of fulfilling our legal obligations.

4. Duration of storage

The data is collected upon transmission and deleted as soon as it is no longer required to achieve the purpose for which it was collected.

5. Possibility of objection and removal

The user can at any time object to the data processing by e-mail to dataprotection@utimaco.com as described under chapter XI. and revoke a consent given by him or her for the future. In this case, the user's data will be deleted immediately, unless the deletion is contrary to grounds arising from the law (see chapter XI.).

If the data is required to fulfil legal obligations, premature deletion of the data is only possible if no contractual or legal obligations prevent deletion.

VII. Newsletter

1. Description and scope of data processing

On our website it is possible to subscribe to a free newsletter. When registering for the newsletter, the following data from the input mask is transmitted to us:

  • First and last name (required)
  • E-mail address (required)
  • Company (required)
  • Country (required)

In addition, the following data is collected during registration:

  • IP address (anonymized)
  • Time zone/date and time of registration

Our newsletters also contain so-called tracking pixels (web bugs), on the basis of which we can recognize whether and when an e-mail was opened and which links in the e-mail the recipient has followed (so-called newsletter tracking).

For the dispatch of newsletters by the marketing automation tool Pardot, a transfer to the service provider Salesforce takes place. Further information on the newsletter dispatch by Pardot can be found under section 5 in chapter VII.

For the processing of the data, the user's consent is obtained during the registration process and via a subsequent confirmation e-mail and reference is made to this privacy policy (so-called double opt-in).

In addition, cookies are used as part of the registration process (more on this in our Cookie Policy, see chapter IX.).

The personal data processed during the sending process from the input mask also serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

2. Legal basis for data processing

The legal basis for the processing of data in the context of the newsletter subscription is the consent of the user in accordance with Art. 6 (1) (a) GDPR in conjunction with § 7 para. 2 no. 3 of the German Act against Unfair Competition (UWG).

The consent given also refers to the transfer of at least part of the personal data to the United States as a third country in accordance with Art. 49 (1) (a) GDPR. In the opinion of the European Court of Justice, there is currently no level of protection in the United States that is essentially equivalent to the GDPR. In addition, the legal remedies guaranteed to EU citizens by the Charter of Fundamental Rights of the European Union are limited. This applies in particular to legal protection options against the processing of personal data. There is a risk that the user's personal data may be processed by US authorities for control and monitoring purposes without the possibility of a legal remedy.

The consent given also extends to the so-called newsletter tracking described above under section VII.1.

We also process personal data of the user to prevent misuse of the service or email address in accordance with Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The collection of the user's e-mail address serves to deliver the newsletter. The other data regarding newsletter tracking is processed by us so that we can optimally align our newsletters to the wishes and interests of our subscribers. This allows us to send personalized newsletters to the respective recipient.

Insofar as personal data is processed as part of the registration process for the purpose of preventing misuse of the services or the e-mail address used, this is our legitimate interest in data processing.

4. Duration of storage

The data from the input mask is collected and stored when it is transmitted and deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. If a user unsubscribes from the subscription, his or her data will be stored so that no newsletter is sent to him or her. In addition, the user is shown that he or she has unsubscribed from the subscription at an earlier point in time and that he or she can order the newsletter again.

5. Newsletter dispatch via Pardot

We use our marketing automation tool Pardot to send our newsletters. The operating company is salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany. The data stored during the newsletter registration (e-mail address, name, company, IP address, country, time zone/date as well as the time of your registration) will be transmitted to a server of the company salesforce.com Germany GmbH in Germany and stored there. The e-mail address is initially stored only for the purpose of sending the user an e-mail in which he or she can confirm the inclusion in the e-mail list ("double opt-in"). If the e-mail address has been confirmed, it will be stored permanently in Pardot until the e-mail address is deleted by its owner by revocation or by us manually.

Further information on data protection at Pardot and a transfer to so-called third countries can be found in this privacy policy under section 4 in chapter X.

6. Possibility of objection and removal

The user can unsubscribe from the newsletter at any time by revoking his or her consent for the future. Details can be found in the confirmation e-mail as well as in each individual newsletter. Each newsletter contains an unsubscribe link corresponding to this purpose. In addition, the user can unsubscribe from the newsletter by e-mail to dataprotection@utimaco.com. In this case, the user's data will be stored for the purpose that the user may no longer be sent a newsletter, that he or she will be informed of this and that he or she can order the newsletter again. In addition, the deletion may be precluded by grounds arising from the law. More information can be found in chapter XI.

If the data is required to fulfil legal obligations, premature deletion of the data is only possible if no contractual or legal obligations prevent deletion.

VIII. Registration in the Utimaco Portal

1. Description and scope of data processing

On our website https://utimaco.com/downloads/free-simulators-and-sdks, we offer users the opportunity to register by providing personal data in order to test the Utimaco SecurityServer HSM simulator free of charge. The data is entered into an input mask during registration and transmitted to us and stored. The data will not be passed on to third parties. Subject to a positive result of the export law review carried out by us, the user will be activated with his or her registered data in the Utimaco portal.

During registration, the following data from the input mask is transmitted to us:

  • E-mail address (required)
  • Salutation (optional)
  • First name (required)
  • Last name (required)
  • Company (required)
  • Job title (optional)
  • Company website (required)
  • Street (required)
  • Country (required)
  • Region (optional)
  • City and postal code (required)
  • Telephone number (required)
  • Password (required)

At the time of registration, the following data is also stored:

  • IP address of the user
  • Date and time of registration

During the use of the portal, the following data is stored:

  • Customer
  • Newsletter (yes/no)
  • Password
  • Roles (access permission in the portal)
  • MAC Address
  • Username
  • URL access to portal
  • File name and path of information being accessed
  • Company name
  • IP address

As part of the registration for our portal, the user also has the opportunity to subscribe to our newsletter. For this purpose, the regulations for the newsletter in chapter VII. apply.

2. Legal basis for data processing

The legal basis for the processing of data for the use of our portal is Art. 6 (1) (f) GDPR.

If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 (1) (b) GDPR.

If the user makes a download of goods controlled by export law, Utimaco is legally obliged, if it is a download to a server outside the European Union, to report this download to the Federal Office of Economics and Export Control (BAFA). Its legal basis is the obligation in the General Authorization No. 16 (Telecommunications and Information Security) issued by the BAFA from and in the General Export Permit No. EU 001. The legal basis for the processing of the data in this context is Art. 6 (1) (c) GDPR.

3. Purpose of data processing

Upon completion of the registration, the user receives direct access to the download files provided by us. The processed data is required by us in order to enable the download and to ensure the provision of the respective software or other documents to the user. In addition, we process data of users who log into the portal in order to constantly optimize and continuously improve it.

The user's registration is required for export control checks and then for the fulfilment of a contract with the user or for the implementation of pre-contractual measures. If the user downloads goods controlled by export law outside the European Union, the data will also be processed for the purpose of being able to make the legally required reports to the BAFA described above. These purposes also constitute our legitimate interest in data processing.

4. Duration of storage

The data is collected as soon as the registration in the portal takes place and deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

This is the case for the data processed during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures if they are no longer necessary for the execution of the contract or the pre-contractual measures. Even after conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations, such as in particular to make the legally required export reports to the BAFA and to keep this documentation within the statutory retention periods.

5. Possibility of objection and removal

The user can object to the data processing at any time by e-mail to dataprotection@utimaco.com. In this case, the user's data will be deleted immediately, unless the deletion is contrary to grounds arising from the law. Further information can be found in chapter XI. The use of the portal is then no longer possible.

If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible if no contractual or legal obligations prevent deletion.

IX. Use of cookies

Information about the cookies we use and their functions can be found in our Cookie Policy. There you will also find information on how to change the cookie settings in your browser.

X. Use of website analysis services

1. Google Analytics

On our website we use Google Analytics, a web analysis service provided by Google Inc. ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses cookies that are stored on the user's computer and enable an analysis of the use of the website. The information generated by the cookies (including the user's IP address) is transmitted to a Google server in the United States and stored there. For more information on the use of cookies, please see our Cookie Policy (see chapter IX.).

The following data is processed by Google Analytics:

  • Date and time of access
  • Length of stay per visitor and page
  • Visitor type and history (in terms of distinction between new and returning visitors)
  • Name and URL of the retrieved files and pages
  • Website from which access was made (origin page)
  • Websites accessed by the user's system via our website
  • The search term (from search engine input)
  • Entry and exit pages
  • Frequency of page views
  • Click Paths
  • Browser type, Browser version, Browser language
  • Operating system, screen resolution
  • City/Region/Country
  • Internet service provider of the user
  • Connection speed
  • IP address of the user

Google uses this information to evaluate the use of the website by the user, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage. In addition, Google may transfer this information to third parties if required to do so by law or if third parties process this data on behalf of Google. According to its own statement, Google will not associate the user's IP address with other Google data.

You can prevent the processing of your data by Google Analytics by means of a so-called opt-out cookie. This cookie is set when you download the following browser add-on to deactivate Google Analytics: https://tools.google.com/dlpage/gaoptout?hl=en

We would like to point out that IP addresses are only processed in abbreviated form on this website. By using Google Analytics with the extension "_anonymizeIp()", a personal reference of the collected data is excluded.

The terms of use and privacy policy of Google and Google Analytics are available under https://marketingplatform.google.com/about/analytics/terms/us/ or under https://policies.google.com/.

Google Analytics is also used to evaluate data from Google AdWords for statistical purposes.

2. Google AdWords

For our online marketing, we use the AdWords function of Google. If the user reaches our website via a Google ad, a cookie is stored on the user's computer.

These so-called "conversion cookies" are no longer active after 90 days and are not used to personally identify the user. If the user visits certain pages of our website while the cookie is still active, we and Google know that the user has clicked on ads on Google and was redirected to our website. Google uses the information obtained through "conversion cookies" to compile statistics for our website. These statistics show us the total number of users who clicked on our ad, as well as the pages of our website viewed by each user. However, neither we nor other advertisers who use "Google AdWords" receive information that can be used to personally identify users. The installation of "conversion cookies" can be prevented via the settings of the browser, e.g. by setting the browser to disable the automatic placement of cookies or by blocking cookies from the domain "googleadservices.com". For more information on the use of cookies, please see our Cookie Policy (see chapter IX.).

More information can be found at https://policies.google.com/technologies/ads?hl=en.

Further information on data protection at Google can be found at https://policies.google.com/privacy?hl=en.

3. Google Tag Manager

On our website we use Google Tag Manager, an organization tool of Google Inc. ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to control advertisements. Tags are small sections of code that record your activities on our website.

Google Tag Manager is a solution that allows website tags to be centrally integrated and managed via a user interface. The Tag Manager itself, which implements the tags, is a cookie-less domain and does not collect any personal data. The Tag Manager triggers other tags, which in turn may collect data, but does not access this data itself. If you have opted out at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager.

4. Pardot

For our marketing activities as well as our marketing automation tool, we use the services of Pardot. The operating company is salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich, Germany.

Pardot is a software cloud solution that collects and stores data and, depending on the intended use, enables its use. The data collected is stored on Salesforce's servers in Frankfurt, Germany. In addition, a data transfer to the USA, a so-called third country, can take place.

Pardot is certified under the terms of APEC Privacy Recognition for Processors (PRP) (http://cbprs.org/compliance-directory/prp/) and ISO 27001/27017/27018 and is subject to TRUSTe's Privacy Seal (https://privacy.truste.com/privacy-seal/validation?rid=0a5802d6-2a9a-4865-9fe9-70e1140cf3b6). In addition, in accordance with Art. 28 GDPR, a data processing agreement has been concluded with salesforce.com Germany GmbH, which contains further suitable guarantees for data transfer to third countries in the form of standard data protection clauses. Salesforce has also taken additional measures to achieve an adequate level of data protection, in particular when dealing with government inquiries, which can be viewed on Salesforce data protection pages under https://www.salesforce.com/eu/company/privacy/.

Pardot uses so-called cookies, which are stored on the user's computer and enable an analysis of the use of the website. For more information on the use of cookies and a list of the cookies used by Pardot, please refer to our Cookie Policy (see chapter IX.).

The following personal data is collected:

  • IP address
  • Geographical location
  • Type of browser
  • Duration of the visit
  • Pages viewed

Furthermore, Pardot collects the data entered by the user if the user

  • fills out the contact form (see chapter V. Contact form and e-mail contact),
  • uses our download area (see chapter VI. Downloads), or
  • subscribes to our newsletter (see chapter VII. Newsletter).

For Salesforce's Privacy Policy, see https://www.salesforce.com/eu/company/privacy/

5. Purpose of data processing

We use these services to analyze the use of our website so that we can constantly optimize it and make it more user-friendly.

In addition, Pardot is an integrated software solution with which we cover various aspects of our online marketing. These include content management (website), e-mail marketing (newsletters and automated mailings, e.g. to provide downloads), social media publishing & reporting, reporting (e.g. traffic sources, accesses, etc.), contact management (e.g. user segmentation), landing pages and contact forms.

These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

6. Legal basis

The legal basis for the processing of the data is Art. 6 (1) (f) GDPR or, if the user has given his or her consent, Art. 25 (1) and Art. 6 (1) (a) GDPR.

We would like to point out that the consent you have given also applies to the transfer of at least part of your personal data to the United States as a third country in accordance with Article 49 (1) (a) GDPR. In the opinion of the European Court of Justice, there is no level of protection in the United States that is essentially equivalent to the GDPR. In addition, the legal remedies guaranteed to EU citizens by the Charter of Fundamental Rights of the European Union are limited. This applies in particular to legal protection options against the processing of personal data. There is a risk that your data will be processed by US authorities for control and monitoring purposes without you being granted any means of legal remedy. For this reason, the transmission of your data takes place on the basis of the consent given by you.

7. Duration of storage

The data is collected as soon as the website is visited or as soon as the user has given the corresponding consent, and is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In addition, we refer to the following points of this Privacy Policy as well as to our Cookie Policy:

  • V. Contact form and e-mail contact,
  • VI. Downloads and
  • VII. Newsletter.

8. Possibility of objection and removal

If the collection of personal data by website analysis services is generally not desired, the user can manage the use of cookies himself/herself at any time and block or delete them through his/her browser settings. In addition, he/she can at any time object to the data processing in an e-mail to dataprotection@utimaco.com as described under chapter XI. and revoke any consent given by him or her for the future. In this case, the user's data will be deleted immediately, unless the deletion is contrary to grounds arising from the law.

 

XI. Rights of Data Subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information

You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing exists, you can request information from the controller about the following:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data processed;

(3) the recipients or categories of recipients to whom your personal data are or have been disclosed;

(4) the planned period of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;

(5) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to object to such processing;

(6) the existence of a right to lodge complaints with a supervisory authority;

(7) all available information on the origin of personal data not obtained from the data subject;

(8) the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to receive information on whether your personal data are transferred to a third country or an international organization. In this context, you can require that we notify you of appropriate safeguards pursuant to Art. 46 GDPR in connection with any such transfer.

2. Right to Rectification

You have the right to require that the controller rectify and/or complete your personal data if the data that are processed are inaccurate or incomplete. The controller must make such changes without undue delay.

3. Right to Restrict Processing

Under the following conditions, you can request the restriction of the processing of your personal data:

(1) if you contest the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;

(3) the controller no longer needs the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or

(4) if you have objected to the processing pursuant to Article 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the controller override your reasons.

If the processing of your personal data has been restricted, this data may only be processed – apart from its storage – with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or an EU Member State.

If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to Erasure

a) Obligation to erase

You may request from the controller that the personal data concerning you be erased without undue delay and the controller is obliged to erase this data without undue delay if one of the following reasons applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You revoke your consent on which the processing was based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.

(3) You object to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Art. 21 (2) GDPR.

(4) The personal data concerning you have been unlawfully processed.

(5) The deletion of personal data concerning you is necessary to fulfil a legal obligation under European Union law or the law of the EU Member States to which the controller is subject.

(6) The personal data concerning you have been collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

b) Information to Third Parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copies or replications of, such personal data.

c) Exceptions

The right to erasure does not exist if the processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to comply with a legal obligation requiring processing under European Union or EU Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the field of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or

(5) to assert, exercise or defend legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, provided that

(1) the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and

(2) processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is related to such direct advertising.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

In connection with the use of information society services, you have the possibility – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects against you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the controller,

(2) is permitted by European Union or EU Member State law to which the controller is subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or

(3) is made with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9 (1) GDPR, unless Article 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to Lodge Complaints with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

XII. Further data protection information


Data protection information for online meetings, telephone conferences and webinars via "Zoom":

Data Protection Information Zoom
