The protection of your Personal Data is particularly important to us. As a rule, you can use our Websites (“Website(s)”) without disclosing any Personal Data to us. However, if you wish to use more specific services via our Websites (including our other websites), applications, programs, software, social media pages, and the idOS network (“idOS Network”) we may have to process your Personal Data. This policy governs your Personal Data which is processed in the context of your use of the idOS and all related software, program, websites and applications (“idOS”), including, but not limited to, the use of the Websites, the idOS Dashboard (“Dashboard”), the idOS SDK(s) (“SDK(s)”), the idOS App (“App”), and the idOS Network. If we wish to process data about you and we cannot rely on any other legal basis, we will always ask you for your Consent first (e.g. via a cookie banner).
Our transparency document with all data subject rights and information, e.g. according to Art. 13 and 14 GDPR and on compliance with CCPA/CPRA, can be found HERE. We always comply with applicable data protection laws when handling your Personal Data (such as name, address, email or telephone number). With this Privacy Policy, we inform you about which data we process. This Privacy Policy also explains to you what rights you have as a Data Subject.
We have taken various technical and organizational measures to protect your data in the best possible way. This Privacy Policy is not only intended to fulfill the obligations under GDPR and to comply with the law of the Member States of the European Union (EU) and the European Economic Area (EEA). This Privacy Policy is also intended to comply with legislation such as UK data protection laws (UK-GDPR), Swiss Federal Data Protection Act and Swiss Data Protection Ordinance (DSG, DSV), California Consumer Privacy Act (CCPA/CPRA), China's Personal Information Protection Law (PIPL), Delaware Personal Data Privacy Act (DPDPA), Tennessee Information Protection Act (TIPA), Minnesota Consumer Data Privacy Act (MCDPA), Iowa Act Relating to Consumer Data Protection (ICDPA), Maryland Online Data Privacy Act (MODPA), Nebraska Data Privacy Act (NDPA), New Hampshire Consumer Data Privacy Law (SB255), New Jersey Data Privacy Law (SB332), South Carolina Consumer Privacy Bill (House Bill 4696) and other global data protection regulations and shall be interpreted accordingly. The following Privacy Policy shall be interpreted for each country, state or federal state in such a way that the terms and legal bases used correspond to the terms and legal bases used in the respective state or federal state. For reasons of better readability, the simultaneous use of the language forms male, female, diverse and other gender identities (m/f/d/other) is avoided on our websites, in publications, in communication and in our Privacy Policy. All formulations used apply equally to all genders.
In our Privacy Policy, we use special terms from various data protection laws. We want our statement to be easy to understand and therefore explain these terms in advance. The following definitions shall be interpreted or expanded, as appropriate, based on the case law of the General Court of the European Union (EGC), the European Court of Justice (ECJ), the Swiss Federal Supreme Court (SFSC), the Supreme Court of the United Kingdom (UKSC) or on national data protection laws or national case law of a state or federal state, including but not limited to California, including case law, also under common law, if this is necessary for the application of the law in individual cases. We use the following terms, among others, in this Privacy Policy:
a) Personal Data: Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or who must be regarded as such under national data protection legislation or national jurisdiction of a state or federal state, including under common law.
b) Data Subject: Data Subject is any identified or identifiable natural person whose Personal Data is processed by the Controller, a Processor, an international organization or another data recipient, and persons who must be regarded as such under national data protection laws or national jurisdiction of a state or federal state, including case law, also under common law.
c) Processing: Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of Processing: Restriction of Processing is the marking of stored Personal Data with the aim of limiting their Processing in the future.
e) Profiling: Profiling is any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymization: Pseudonymization is the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
g) Controller: The Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor: A Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
i) Recipient: A Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third Party: A Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.
k) Consent: Consent is any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
l) FADP: The Swiss Federal Act on Data Protection
The Controller, in the context of the Website and for personal information that idOS Association (“idOS Association”) is processing, within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and the European Economic Area, British data protection laws, Swiss data protection laws (DSG, DSV), Californian data protection law (CCPA/CPRA), Chinese data protection law (PIPL), as well as international laws and provisions with a data protection nature is:
idOS Association, Baarerstrasse 43, 6300 Zug, Switzerland. E-Mail: legal@idos.network Website: https://www.idos.network/
Our websites, including the App and the Dashboard, may collect a range of general data and information each time the websites are accessed by a Data Subject or an automated system. This general data and information may be stored in the log files of the respective server. Among other things, it may include the (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our websites (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our websites, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems can be recorded.
When using this general data and information, we generally do not draw any conclusions about the Data Subject. Rather, this information may be required to (1) correctly deliver the content of our websites, (2) optimize the content of our websites and the advertising for them, (3) ensure the long-term functionality of our information technology systems and the technology of our websites and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. This anonymously collected data and information is therefore evaluated by us both statistically and with the aim of increasing data protection and data security in our organisation to ultimately ensure an optimal level of protection for the Personal Data processed by us. The data of the server log files are stored separately from all Personal Data provided by a Data Subject.
The purpose of processing is to avert danger and ensure IT security, as well as the aforementioned purposes. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is the protection of our information technology systems. The log files are deleted after the stated purposes have been achieved.
Our websites, including the App and the Dashboard, may contain information that enables quick electronic contact with our organisation as well as direct communication with us, which also includes a general address of the so-called electronic mail (email address). If a Data Subject contacts us by email, via a contact form, via an input form or in any other way, the Personal Data transmitted by the Data Subject will be stored automatically. This Personal Data transmitted to us on a voluntary basis by a Data Subject is processed for the purposes of usage or contacting the Data Subject. We obtain your Consent for the transmission, storage and Processing of your contact data and inquiries and for contacting you in accordance with Art. 6 (1) (a) GDPR and Art. 49 (1) (1) (a) GDPR as follows:
By transmitting your Personal Data, you voluntarily consent to the Processing of the Personal Data you have entered or transmitted for the purposes of processing the inquiry and contacting you. By transmitting your data to us, you also voluntarily give your explicit Consent in accordance with Art. 49 (1) (1) (a) GDPR to data transfers to third countries to and by the companies named in this Privacy Policy and for the purposes stated, in particular for such transfers to third countries for which there is or is not an adequacy decision by the EU/EEA and to companies or other bodies that are not subject to an existing adequacy decision on the basis of self-certification or other accession criteria and in which or for which there are significant risks and no suitable guarantees for the protection of your Personal Data (e.g. due to Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). When you gave your voluntary and explicit Consent, you were aware that there may not be an adequate level of data protection in third countries and that your data subject rights may not be enforceable. You can withdraw your Consent under data protection law at any time with effect for the future. The withdrawal of Consent does not affect the lawfulness of Processing based on Consent before its withdrawal. With a single action (entry and transmission), you give several Consents. These are Consents under EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacy and telemedia law, and other international legislation, which are required, among other things, as a legal basis for any planned further Processing of your Personal Data. With your action, you also confirm that you have read and taken note of this Privacy Policy.
We process and store Personal Data for the period required to achieve the purpose of processing or if this has been provided for by the European legislator or another legislator in laws or regulations to which we are subject, or if a legal basis for the Processing exists. If the purpose of processing no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, or if the legal basis for the Processing no longer applies, the Personal Data will be routinely restricted or deleted in accordance with the statutory provisions.
a) Right to confirmation: Each Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her is being processed. If a Data Subject wishes to exercise this right, he or she may contact us at any time.
b) Right to information: Each Data Subject has the right to obtain from the Controller free information about the Personal Data stored about him/her and a copy of this data at any time. Furthermore, the European legislator has granted the Data Subject access to the following information:
Furthermore, the Data Subject has a right to information as to whether Personal Data has been transferred to a third country or to an international organization. If this is the case, the Data Subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If a Data Subject wishes to exercise this right, he or she may contact us at any time.
c) Right to rectification: Each Data Subject has the right to demand the immediate correction of incorrect Personal Data concerning them. Furthermore, the Data Subject has the right to request the completion of incomplete Personal Data, including by means of a supplementary declaration, taking into account the purposes of the Processing. If a Data Subject wishes to exercise this right, he or she may contact us at any time.
d) Right to erasure (right to be forgotten): Each Data Subject has the right, to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay, and the Controller shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies, as long as the Processing is not necessary:
If one of the aforementioned reasons applies, and a Data Subject wishes to request the erasure of Personal Data stored by us, he or she may contact us at any time. A deletion button is also provided in the App for each credential and its corresponding content “(Credential”) issued within the idOS Network, allowing you to request the deletion of such Credential from the idOS Network (regardless of idOS having access to such Credential or not) as long as no Time-locks (“Time-locks”) are validly existing for that Credential at the time of the request. If we have made the Personal Data public and if our organisation is obliged to delete the Personal Data in accordance with Art. 17 (1) GDPR, we shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data Controllers who process the published Personal Data that the Data Subject has requested the deletion of all links to this Personal Data or of copies or replications of this Personal Data from these other data Controllers, insofar as the Processing is not necessary.
Please be aware that idOS Network may incorporate blockchain technology and it is technically impossible to delete any elements written in a blockchain after being written, even if you retrieve your consent. The same may apply to other components of the idOS Network. If you (either yourself or through a Data Issuer to whom you grant permission to write into your idOS profile) allow unencrypted data to be issued into your idOS profile, please be aware that such data is made public within the idOS Network and only you have the ability to delete this information from the idOS Network. Your are fully responsible for ensuring no unencrypted data is issued into your idOS profile and that you will not issue or authorize the issuance of any unencrypted data into idOS Network. Additionally, for any operation that takes place within the idOS Network, the transactions and metadata (for example, wallet addresses, system-generated IDs, logs, public notes, etc) may be publicly accessible and by interacting with the idOS Network, you confirm to be aware of such a fact. Please be aware that it may be technically impossible to erase any such elements after the operation takes place. Under Article 7, paragraph 3 of the GDPR, you have the right to withdraw your consent at any time with effect for the future and the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
e) Right to Restriction of Processing: Each Data Subject has the right to obtain from the Controller Restriction of Processing where one of the following applies:
If one of the aforementioned conditions is met, and a Data Subject wishes to request the restriction of the Processing of Personal Data stored by us, he or she may contact us at any time.
f) Right to data portability: Each Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another Controller without hindrance from the Controller to which the Personal Data have been provided, where Processing is based on Consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the Processing is carried out by automated means, unless the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. Furthermore, in exercising their right to data portability pursuant to Art. 20 (1) GDPR, the Data Subject has the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others. If a Data Subject wishes to exercise this right, he or she may contact us at any time. Access Grants (“Access Grant(s)”), a feature made available within the idOS Network for sharing Credentials, may be used as a mean to allow for compliance with the right to data portability.
g) Right to object: Each Data Subject has the right to object, on grounds relating to his or her particular situation, at any time, to Processing of Personal Data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to Profiling based on these provisions. In the event of an objection, we will no longer process the Personal Data unless we can demonstrate compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. If we process Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to Processing of Personal Data concerning him or her for such marketing. This also applies to Profiling insofar as it is associated with such direct advertising. If the Data Subject objects to us to the Processing for direct marketing purposes, we will no longer process the Personal Data for these purposes. In addition, the Data Subject has the right, on grounds relating to his or her particular situation, to object to Processing of Personal Data concerning him or her by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the Processing is necessary for the performance of a task carried out for reasons of public interest. If a Data Subject wishes to exercise this right, he or she may contact us at any time. The Data Subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.
h) Automated decisions in individual cases including Profiling: Each Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the Data Subject and the Controller, or (2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, or (3) is based on the Data Subject's explicit Consent. If the decision (1) is necessary for entering into, or the performance of, a contract between the Data Subject and a data Controller, or (2) it is based on the Data Subject's explicit Consent, we shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision. If a Data Subject wishes to exercise this right, he or she may contact us at any time.
i) Right to withdraw Consent under data protection law: Each Data Subject has the right to withdraw Consent to the Processing of Personal Data at any time. If a Data Subject wishes to exercise this right, he or she may contact us at any time.
In order to use idOS, you may need to register and/or create an idOS profile. Usage of the idOS may require the submission of certain necessary information. Different usage of idOS may require the submission of different necessary information. Usage may not be possible without submitting the information stated as necessary. Therefore, in case such information includes Personal Data, the processing of Personal Data in this case is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
Whenever you connect your wallet to idOS, idOS checks if your wallet address is already associated with idOS. During profile creation, a wallet address may be associated with your idOS profile. After registration and/or profile creation, you may be able to add/remove wallet addresses from your idOS profile, view, edit, manage, and add information to your idOS profile, have others issue, retaining the power to revoke, information into your idOS profile as well as share information in your idOS profile with others, through an Access Grant, and authorize a recipient to grant limited and controlled access or write permissions to third parties your behalf. You may also be able to delete information from your idOS profile. Information issued into idOS may be associated with a hash or cryptographic signature. You may be granted permission from others to create idOS profiles, issue information into idOS profiles, access information stored in idOS profiles and be authorized by others to grant limited and controlled access or write permissions to third parties on their behalf. In case any operation that takes place within the idOS Network, also within the idOS Isle and enclaves, includes the processing of Personal Data by us, as controllers, our legal basis for this processing is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) ot the FADP). This also includes unencrypted information that may be issued into idOS Network against the User Agreement and our recommendations and, if applicable, making the transaction, corresponding metadata and unencrypted information (if applicable) public within the idOS Network, which may be for an indefinite period, as well as keeping information issued within the idOS Network until you delete it. All processing of Personal Data in connection with the operations that take place between you and others within idOS are outside of our relationship with you and are governed by your own external relationship with such other parties. You acknowledge and agree that any such processing of your personal data is made under your and/or such other’s responsibility and authority. For example, it is not idOS’ responsibility to ensure that there is a valid legal basis under applicable data protection laws for the processing of such personal data. idOS does not and cannot verify whether the legal basis relied upon is valid or sufficient, nor is idOS responsible or liable for any such failure by your or others to comply with applicable legal requirements.
In the context of your interaction with others within idOS Network, a record may be created in the smart contract in a respective blockchain that the idOS Network monitors (and the information available on-chain is only that a certain wallet address has interacted with with another wallet address and therefore third parties likely cannot identify you with the information written on-chain). Please be aware that it is technically impossible to delete any elements written on-chain after being written and that as technology evolves, identification could become more likely.
As Credentials may contain public notes, whenever a Credential that contains public notes is issued or public notes in a Credential are edited within the idOS Network, we may need to process your Personal Data while executing such operation within the idOS Network as initiated or authorized by you. Without being able to process your Personal Data for this purpose, we would not be able to perform the services we have agreed to with you. Therefore, the processing of your Personal Data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
In the context of the App, you may interact with the idOS Network to create an idOS profile, manage it, including adding multiple wallet addresses, enabling the idOS FaceSign (“idOS FaceSign”) and corresponding idOS Face Wallet (“idOS Face Wallet”), adding and managing issued Credentials (including Proof of Personhood Credentials), configuring idOS keys, participating in the Points program, and managing access and write permissions, as well as any other content, program, functionality, and services available or accessible through the App from time to time, including third-party integrations. When you interact with the idOS Network through the App, and for any operations initiated or otherwise authorized by you within the App, in case such operations includes the processing of information that is Personal Data by us, as controllers, the processing of Personal Data in this case is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP). For the avoidance of doubt, all operations that you initiate or authorized within the App are executed upon your instruction, and may result in the processing and publication of the corresponding data, including personal data, within the idOS Network.
In connection with idOS FaceSign, logs may be made publicly available for transparency and verifiability, as instructed by you under the User Agreement and your interaction with idOS FaceSign, including idOS FaceWallet, may include the processing of Personal Data by us as controllers. Therefore, in case this includes the processing of information that is Personal Data by us, the processing of Personal Data in this case is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP). We and third-parties do not receive or process facial images, Users’ raw biometric images, or vectors. All processing of facial images and conversion to vectors occurs within the secure enclave. idOS and the respective third-party provider do not retain or process biometric data. All transactions signed and submitted via idOS Face Wallet are published on-chain. Please be aware that it is technically impossible to delete any elements written on-chain after being written.
In case you participate in an Airdrop (“Airdrop”), under the terms of the User Agreement you entered into with us or any other separate terms and conditions, we may process your Personal Data in order to verify your eligibility for such Airdrop (which may differ for each Airdrop, including but not limited to identity verification, high-risk jurisdiction, sanctions and restricted persons screening, and self-certification of jurisdictional status) and to conduct the respective Airdrop, including the corresponding allocations (if any). Without being able to process your Personal Data for this purpose, we would not be able to perform the services we have agreed to with you. Therefore, the processing of your Personal Data by us, as controllers, is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
When interacting with the Dashboard, you are able to manage grants have have been given to you and access their content, and any other operations that may be made available within the Dashboard. For any operation that takes place within the Dashboard, we may also be required to process certain information from you, such as your wallet address. Without being able to process your Personal Data for this purpose, we would not be able to perform the services agreed to with you. Therefore, the processing of your Personal Data by us, as controllers, is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
When interacting with the SDKs, you are able to interact with the idOS Network, for example, to request Access Grants. For any operation that takes place in connection with your interactions with the SDKs, we may be required to process certain information from you, such as your wallet address. Without being able to process your Personal Data for this purpose, we would not be able to perform the services agreed to with you. Therefore, the processing of your Personal Data by us, as controllers, is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
When you interact with the idOS Network as a Node Operator, you may be required to undergo a due diligence process that may include providing us with the requested information, as determined by us in our sole discretion. Your operation of the respective node may also involve the processing of your Personal Data by us. Without being able to process your Personal Data for this purpose, you would not be able to interact with idOS Network as a Node Operator. Therefore, the processing of your Personal Data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
If you participate in Passporting, you may be required to undergo a due diligence process that may include providing us with the requested information, as determined by us in our sole discretion. Your participation within Passporting may also entail the processing of Personal Data by us, and the publication of certain Personal Data in public or semi public registries and databases to allow for your participation in Passporting. Without being able to process your Personal Data for this purpose, we would not be able to perform the services agreed to with you. Therefore, the processing of your Personal Data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
If applicable, in order to notify you of the “Deals” (e.g., bonuses for registering with partners, discounts in trading fees when using partners’ services, etc.) we source for you and provide you with the information you need to participate in the Deals, as instructed by you under the terms of the User Agreement entered into with you, we will process your Personal Data in order to send you communications. Without being able to process your Personal Data for this purpose, we would not be able to perform the services agreed to with you. Therefore, the processing of your Personal Data by us, as controllers, is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR (Art. 31(2)(a) of the FADP).
We may use your Personal Data in order to send you marketing information or emails if you have agreed to receive such. If you have agreed to such, then we may also use the Personal Data that we collect in order to send you information on the products and services offered by us or our third-party partners. The legal basis for the processing of such Personal Data, for which we are the controllers, is your consent pursuant to Art. 6 (1) (a) of the GDPR (Art. 31(1) of the FADP).
If you voluntarily submit a customer support request via an email, chat or other correspondence system we will also process your Personal Data for the purpose of fulfilling such request. The legal basis for the processing of such Personal Data, for which we are the controller is your consent pursuant to Art. 6 (1)(a) of the GDPR (Art. 31(1) of the FADP). Further, while providing information to us, we may need to contact you to be able to provide services correctly. The legal basis for the processing of such Personal Data, for which we are the controllers, is your consent pursuant to Art. 6 (1)(a) of the GDPR (Art. 31(1) of the FADP).
Finally, we also process your personal data for the purposes of the legitimate interests, in order to ensure the integrity, security and availability of idOS and your Personal Data to you, us and others you have authorized. The legal basis for the processing of such data, for which we are the controller is Art. 6 (1) (f) of the GDPR (Art. 31(1) of the FADP).
The general purpose of processing of Personal Data is the handling of all activities relating to the Controller, customers, interested parties, business partners or other contractual or pre-contractual relationships between the aforementioned groups (in the broadest sense) or legal obligations of the Controller. This general purpose applies if no more specific purposes for specific Processing are specified.
The categories of Personal Data that we process are customer data, prospective customer data, employee data (including applicant data) and supplier data. The categories of recipients of Personal Data are public bodies, external bodies, internal processing, intragroup processing and other bodies. Specifically, we may also collect and process information about the device you use, location settings of the device, your IP address and your contact information. A list of our Processors and data recipients in third countries and, if applicable, international organizations is either published on our website or can be requested from us free of charge.
Art. 6 (1) (a) GDPR (Art. 31(1) of the FADP) serves as the legal basis for Processing operations for which we obtain Consent for a specific Processing purpose. If the Processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, as is the case, for example, when Processing operations are necessary for the supply of goods or to provide any other service or consideration, Processing is based on Art. 6 (1) (b) GDPR (Art. 31(2)(a) of the FADP). The same applies to such Processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services. If we are subject to a legal obligation which requires the Processing of Personal Data, such as for the fulfillment of tax obligations, Processing is based on Art. 6 (1) (c) GDPR (Art. 31(1) of the FADP). In rare cases, it may be necessary to process Personal Data to protect the vital interests of the Data Subject or another natural person. This would be the case, for example, if a visitor were injured in our organisation and their name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other Third Party. The Processing would then be based on Art. 6 (1) (d) GDPR (Art. 31(1) of the FADP). If the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, the legal basis is Art. 6 (1) (e) GDPR (Art. 31(1) of the FADP). Ultimately, Processing operations could be based on Art. 6 (1) (f) GDPR (Art. 31(1) of the FADP). This legal basis is used for Processing operations which are not covered by any of the abovementioned legal grounds, if Processing is necessary for the purposes of the legitimate interests pursued by our organisation or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data. We are permitted to carry out such Processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed, for example, if the Data Subject is a customer of the Controller (Recital 47 Sentence 2 GDPR).
If the Processing of Personal Data is based on Art. 6 (1) (f) GDPR (Art. 31(1) of the FADP) and no more specific legitimate interests are stated, our legitimate interest is the performance of our business activities for the benefit of the well-being of our staff and our members and officers.
We may send you direct advertising about our own goods or services that are similar to the goods or services you have requested, commissioned or purchased. You may object to direct advertising at any time (e.g. by email). You will not incur any costs other than the transmission costs according to the basic rates. The Processing of Personal Data for direct marketing purposes is based on Art. 6 (1) (f) GDPR (Art. 31(1) of the FADP). The legitimate interest is direct marketing.
The criterion for the duration of the storage of Personal Data is the respective statutory retention period. If there is no statutory retention period, the criterion is the contractual or internal retention period. After this period has expired, the corresponding data is routinely deleted if it is no longer required to fulfill or initiate a contract. This applies in particular to all Processing operations for which no more specific criteria have been defined.
We would like to inform you that the provision of Personal Data is partly required by law (e.g. tax regulations) or may also result from contractual obligations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded for a Data Subject to provide us with Personal Data that must subsequently be processed by us. For example, Data Subjects are obliged to provide us with Personal Data if our organisation concludes a contract with them. Failure to provide Personal Data would mean that the contract with the Data Subject could not be concluded. The Data Subject must contact us before providing Personal Data. We will inform the Data Subject on a case-by-case basis whether the provision of the Personal Data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the Personal Data and what the consequences would be if the Personal Data were not provided.
As a responsible company, we do not normally use automated decision-making or Profiling. If, in exceptional cases, we carry out automated decision-making or Profiling, we will inform the Data Subject either separately or in our Privacy Policy (here on our website). In this case, the following applies: Automated decision-making, including Profiling, may take place if (1) this is necessary for the conclusion or performance of a contract between the Data Subject and us, or (2) this is permissible on the basis of Union or Member State legislation to which we are subject and this legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the Data Subject, or (3) this takes place with the explicit Consent of the Data Subject. In the cases referred to in Art. 22 (2) (a) and (c) GDPR (Art. 21 (3) (a) and (b) FADP), we shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests. In these cases, you have the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision. Meaningful information on the logic involved and the scope and intended effects of such Processing for the Data Subject will be provided in this Privacy Policy where applicable.
According to Art. 46 (1) GDPR, the Controller or Processor may only transfer Personal Data to a third country if the Controller or Processor has provided appropriate safeguards and if enforceable rights and effective legal remedies are available to the Data Subjects. Appropriate safeguards can be provided by standard contractual clauses without the need for special approval from a supervisory authority, Art. 46 (2) (c) GDPR (similar to what is set forth under Art. 16(2) and Art. 17 of the FADP).
The EU standard contractual clauses or other appropriate safeguards are agreed with all recipients from third countries prior to the first transfer of Personal Data, or the transfers are based on adequacy decisions. Consequently, it is ensured that appropriate safeguards, enforceable rights and effective legal remedies are guaranteed for all Processing of Personal Data. Any Data Subject can obtain a copy of the standard contractual clauses or adequacy decisions from us. In addition, the standard contractual clauses and adequacy decisions are available in the Official Journal of the European Union. Art. 45 (3) GDPR authorizes the European Commission to decide by means of an implementing decision that a non-EU country ensures an adequate level of protection. This means a level of protection for Personal Data that essentially corresponds to the level of protection within the EU. Adequacy decisions mean that Personal Data can flow from the EU (as well as from Norway, Liechtenstein and Iceland) to a third country without further obstacles. Similar regulations apply to the United Kingdom, Switzerland and some other countries.
In all cases where the European Commission, or a government or competent authority of another country, has decided that a third country ensures an adequate level of protection and/or a valid framework exists (e.g., EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework), all transfers by us to the members of such frameworks (e.g. self-certified entities) are based solely on the membership of that entity in the respective framework or on the respective adequacy decisions. If we or one of our group companies is a member of such a framework, all transfers to us or our group company are based exclusively on the membership of the respective company in this framework. If we or one of our group companies is located in a third country with an adequate level of protection, all transfers to us or our group company are based solely on the respective adequacy decisions.
Any Data Subject can obtain a copy of the frameworks from us. In addition, the frameworks are also available in the Official Journal of the European Union or in the published legal materials or on the websites of data protection supervisory authorities or other authorities or institutions. In connection with idOS, we may use third party service providers to provide us with necessary services. We may transfer your personal data to these service providers for further processing based on the terms of this privacy policy and the transparency document or on the basis of your agreement to use idOS. All transfer of data is undertaken by way of secure connections to these service providers. These service providers only receive your personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which your personal data are processed. These include, but may not be limited to, the following categories of service providers: monitoring services, server hosting providers, newsletter senders, customer relationship or support services, website hosting services, email sending services, web traffic analysis providers.
As the Controller, we are obliged to inform the Data Subject of the existence of the right to lodge a complaint with a supervisory authority. The right to lodge a complaint is regulated in Art. 77 (1) GDPR (similar to Art. Art. 49(1) of the FADP). According to this provision, without prejudice to any other administrative or judicial remedy, every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the Processing of Personal Data relating to him or her infringes the General Data Protection Regulation. The right to lodge a complaint has been restricted by the EU legislator to the effect that it can only be exercised with a single supervisory authority (Recital 141 Sentence 1 GDPR). This provision is intended to avoid duplicate complaints in the same matter by the same Data Subject. If a Data Subject wishes to complain about us, it is therefore requested that only one supervisory authority is contacted.
We inform our customers and business partners about offers and news at regular intervals by means of a newsletter. You are therefore given the opportunity to subscribe to our newsletter on our website. The Personal Data transmitted to us when you subscribe to the newsletter can be understood from the input mask used. You can only receive our newsletter if (1) you have a valid email address and (2) you have registered to receive the newsletter. For legal reasons, a confirmation email is sent to the email address entered by a Data Subject for the first time for the newsletter using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address as the Data Subject has authorized the receipt of the newsletter. The legal basis for sending this double opt-in confirmation email is Art. 6 (1) (c) GDPR (Art. 31(1) of the FADP), as there is a legal obligation to send a newsletter only to confirmed recipients. When registering for the newsletter, we also store the IP address assigned by the internet service provider (ISP) of the internet connection used by the Data Subject at the time of registration, as well as the date and time of registration. The storage of this data is necessary to be able to trace the (possible) misuse of a Data Subject's email address at a later point in time and therefore serves as legal protection for the Controller. The legal basis for Processing is also Art. 6 (1) (c) GDPR (Art. 31(1) of the FADP). We obtain your Consent for the transmission and storage of your email address for the subscription to our newsletter in accordance with Art. 6 (1) (a) GDPR (Art. 31(1) of the FADP) and Art. 49 (1) (1) (a) GDPR (Art. 17(1)(a) FADP) as follows:
By entering and transmitting your Personal Data, you voluntarily consent to the Processing of the Personal Data you have entered for the purpose of sending our newsletter. By entering and transmitting your data to us, you also voluntarily give your explicit Consent in accordance with Art. 49 (1) (1) (a) GDPR (Art. 17(1)(a) FADP) to data transfers to third countries to and by the companies named in this Privacy Policy and for the purposes mentioned, in particular for such transfers to third countries for which there is or is not an adequacy decision by the EU/EEA and to companies or other bodies that are not subject to an existing adequacy decision on the basis of self-certification or other accession criteria and in which or for which there are significant risks and no suitable guarantees for the protection of your Personal Data (e.g. due to Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). When you gave your voluntary and explicit Consent, you were aware that there may not be an adequate level of data protection in third countries and that your data subject rights may not be enforceable. You can withdraw your Consent under data protection law at any time with effect for the future. The withdrawal of Consent does not affect the lawfulness of Processing based on Consent before its withdrawal. With a single action (entry and transmission), you give several Consents. These are Consents under EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacy and telemedia law, and other international legislation, which are required, among other things, as a legal basis for any planned further Processing of your Personal Data. With your action, you also confirm that you have read and taken note of this Privacy Policy.
Your Consent to the Processing of Personal Data that you have given us for the storage of the email address for sending the newsletter can be revoked at any time. There is a corresponding link in every newsletter for the purpose of revoking Consent. It is also possible to inform us of your wish to unsubscribe by other means. The Personal Data collected when registering for the newsletter will be used exclusively to send our newsletter. Furthermore, subscribers to the newsletter may be informed by email if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or changes to the technical circumstances. The Personal Data collected as part of the newsletter service will not be passed on to Third Parties. By subscribing to our newsletter, you conclude a contract with us for the delivery of the newsletter, which is why the Processing in connection with the dispatch is based on Art. 6 (1) (b) GDPR (Art. 31(2)(a) of the FADP) as the legal basis. The contract can be terminated at any time.
jQuery is a widely used JavaScript library used by web developers to simplify and speed up HTML document management, event handling, animation and Ajax interactions. The use of jQuery on our website serves to create a smoother and more interactive user experience. When visiting our website, jQuery can be used to collect certain data, such as information about user behavior and interactions on the site. This data processing takes place indirectly and is primarily aimed at improving website performance and user-friendliness. jQuery itself, as a client-side library, stores or processes Personal Data on its own servers. jQuery is executed in the user's browser and can be used for dynamic content updates by also transmitting data to external servers. The operating company of jQuery is the OpenJS Foundation, 1 Letterman Dr, Ste D4700, San Francisco, California, USA. Purposes of the processing for which the personal data are intended and the legal basis for the processing: The purpose of using jQuery is to improve the user experience on our website through an efficient interaction experience. The processing is based on Art. 6 (1) (f) GDPR (Art. 31 (1) of the FADP), whereby the legitimate interest lies in the provision and use of a functional, user-friendly and visually appealing website. The operating company of the service is based in a third country, namely in the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR (Art. 16 (2) of the FADP). The operating company of the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us.
The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the operating company of the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service. jQuery's Privacy Policy is available at https://jquery.com/.
jsDelivr is a public, free content delivery network that enables developers to efficiently host and deliver web libraries, jQuery plugins, CSS frameworks, fonts, and other JavaScript resources. By using jsDelivr, web developers can improve the load times of their websites by ensuring that these resources are loaded from servers that are geographically closer to the end users. When using jsDelivr, data such as users' IP addresses, type of resources requested, time of access and browser information are processed. This data is mainly collected for the provision of the service, performance optimization and security purposes. jsDelivr uses data protection and security measures to protect the data collected, with particular attention paid to compliance with the General Data Protection Regulation and other data protection laws.
The operating company of the service and therefore the recipient of the Personal Data is Prospect One Sp.z.o.o., ul. Krolweska 65A/1, 30-081, Krakow, Poland. Purposes of the processing for which the personal data are intended and the legal basis for the processing: The purpose of the processing is the efficient provision of web content via the CDN. The processing is carried out based on legitimate interests in accordance with Art. 6 (1) (f) GDPR (Art. 31 (1) of the FADP), namely optimizing the loading times of websites, improving the user experience and ensuring the security of the service. The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the operating company of the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service. Further information and the applicable data protection provisions of jsDelivr may be retrieved under https://www.jsdelivr.com.
YouTube is a video sharing and viewing platform used by individuals, artists, businesses, and media companies to publish a variety of content such as music videos, vlogs, educational material and much more. YouTube offers users the ability to upload, share, comment and interact with a broad community. When using YouTube, Personal Data such as IP addresses, user interactions (e.g., videos viewed, comments), location data (if enabled for services) and information from linked Google accounts are processed. This information is required to provide personalized content and advertising, enable user interactions, keep the platform secure and improve the user experience. The operating company of the service and therefore the recipient of the Personal Data is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Purposes of the processing for which the personal data are intended and the legal basis for the processing: The purpose of the data processing lies in the use of the video sharing services. The processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR (Art. 31 (2) (a) of the FADP), to which the Data Subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR (Art. 31 (1) of the FADP), such as the use of an efficient video platform, the improvement of the user experience, the use of personalized advertising and the use of embedded videos on our website. The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR (Art. 16 (2) of the FADP). The operating company of the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us. The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the operating company of the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service. Further information and the applicable YouTube Privacy Policy can be found at https://policies.google.com.
X (formerly known as Twitter) is a global platform for public self-expression and real-time conversation. Users can create and share short messages, called tweets, which can include text, images, videos, and links. The platform allows users to follow breaking news, interact with others and participate in global discussions. When using X, various types of Personal Data are processed, including usernames, email addresses, telephone numbers and location data. This information can be used for account creation, personalization of content, provision of advertising, security purposes and for analytical evaluations. The operating company of the platform and therefore the recipient of the Personal Data is X Corp, Suite 900, 1355 Market Street, San Francisco, California, 94103, USA. The Processing of Personal Data takes place, among other things, on the basis of the user's Consent (Art. 6 (1) (a) GDPR, Art. 31 (1) of the FADP), for the performance of a contract (Art. 6 (1) (b) GDPR, Art. 31 (2) (a) of the FADP) to which the Data Subject is a party, or on the basis of legitimate interests (Art. 6 (1) (f) GDPR, Art. 31 (1) of the FADP), such as the use of the platform and the improvement of communication with the public.
The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR (Art. 16 (2) of the FADP). The operating company of the service may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate guarantees from us. The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the operating company of the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service. Further information and the X can be found at https://twitter.com/.
LinkedIn is a social network for professional contacts and career development. The platform allows users to create a professional profile, network with colleagues, business partners and potential employers, share professional experiences and skills, and keep up to date with industry news. LinkedIn also provides tools for companies and recruiters to source talent, post job ads and build a brand presence. When using LinkedIn, Personal Data such as names, email addresses, professional titles and experience, educational background, skills, interests and platform usage data are processed. This information is necessary to provide and use the service, to create networking opportunities, to present personalized content and job offers and to ensure the security of user data. The operating company of the service and thus the recipient of the Personal Data is: LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.
Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use and optimization of network and career services. Processing is based on the Consent of the user (Art. 6 (1) (a) GDPR), Art. 31 (1) of the FADP), the performance of a contract (Art. 6 (1) (b) GDPR, Art. 31 (2) (a) of the FADP) to which the Data Subject is party and on legitimate interests (Art. 6 (1) (f) GDPR, Art. 31 (1) of the FADP), such as marketing and recruitment. The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR (Art. 16 (2) of the FADP). The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us. The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the operating company of the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service. Further information and the applicable data protection provisions of LinkedIn Corporation can be found at https://www.linkedin.com.
Our Terms and Conditions for Data Protection, which include, among other things, all five versions of the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, a Data Processing Agreement governed by UK law, a CCPA-CPRA Contractor Agreement, a Data Protection and Confidentiality Agreement for suppliers, and other data processing agreements, will automatically form part of all agreements entered into with us. By entering into any other agreement with us, you automatically agree to the respective terms. In detail:
1. EU Standard Contractual Clauses 2021/915 between Controller and Processor:
If you are an EU/EEA-based counterparty of ours that processes personal data on our behalf, by conducting business for or with us, you automatically consent to the applicability of our published Standard Contractual Clauses 2021/915. If we are your processor, the Standard Contractual Clauses 2021/915 published by us will also automatically apply between you and us.
2. EU Standard Contractual Clauses 2021/914 MODULE ONE: Transfer Controller to Controller:
To the extent that you are a counterparty of ours located in a third country and receive personal data (protected by the GDPR, Member State law or European Economic Area law) from us as a Controller and act as a Controller, by conducting business for or with us, you automatically consent to the applicability of the published Standard Contractual Clauses 2021/914 Module One. The same applies if you act as a Controller and transfer personal data to us as a Controller.
3. EU Standard Contractual Clauses 2021/914 MODULE TWO: Transfer Controller to Processor:
To the extent that you are a counterparty of ours located in a third country and receive personal data (protected by the GDPR, Member State law or European Economic Area law) from us as a Controller and act as a Processor, by conducting business for or with us, you automatically consent to the applicability of the published Standard Contractual Clauses 2021/914 Module Two. The same applies if you act as a Controller and transfer personal data to us as a Processor.
4. EU Standard Contractual Clauses 2021/914 MODULE THREE: Transfer Processor to Processor:
To the extent that you are a counterparty of ours and we are acting as a Processor (e.g., for a subsidiary or a third party), you are located in a third country and receive international data transfers of personal data (protected by the GDPR, Member State law or European Economic Area law), and you are therefore a (Sub)Processor, by conducting business for or with us, you automatically consent to the applicability of the published Standard Contractual Clauses 2021/914 Module Three. The same applies if you act as a Processor and transfer personal data to us as a (Sub)Processor.
5. EU Standard Contractual Clauses 2021/914 MODULE FOUR: Transfer Processor to Controller:
To the extent that you are a counterparty of ours and we are acting as a Processor (e.g., for a subsidiary or a third party), you are located in a third country and receive international data transfers of personal data (protected by the GDPR, Member State law or European Economic Area law), and you are a Controller, by conducting business for or with us, you automatically consent to the applicability of the published Standard Contractual Clauses 2021/914 Module Four. The same applies if you act as a Processor and transfer personal data to us as a Controller.
6. Confidentiality and Data Protection Agreement for Counterparties:
If you are a counterparty of ours that is not a processor, or if you receive other and non-personal data from us, by conducting business for or with us, you automatically consent to the applicability of the published Confidentiality and Data Protection Agreement for Counterparties.
7. Confidentiality and Data Protection Agreement for Customers:
If you are a customer of ours and data is exchanged between us, we may separately agree to the published Confidentiality and Data Protection Agreement for Customers by a concurring statement. This Confidentiality Agreement shall only become effective upon a separately declaration of intent by the parties.
8. International Data Transfer Agreement (United Kingdom)
To the extent that you are a party to an agreement with us, and personal data transferred by us to you belongs to individuals who are from the United Kingdom or we are based in the United Kingdom, and you yourself are based outside the United Kingdom and receive personal data (protected by the UK GDPR or UK law) from us, by conducting or transacting business for or with us, you automatically consent to the applicability of the published "International Data Transfer Agreement".
9. International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers (United Kingdom)
To the extent that you are a party to an agreement with us, and personal data we transfer to you belongs to individuals who are based in the UK or where we are based in the UK and you yourself are based outside the UK and receive personal data (which is protected by the UK GDPR or UK law) from us, by carrying out or transacting business for or with us, you automatically consent to the applicability of the published " International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers".
10. Data Processing Agreement for the United Kingdom
To the extent that you are a party to an agreement with us, and both we and you have our registered office in the United Kingdom, and you process personal data (which is protected by the UK GDPR or UK law) on our behalf, you automatically agree to the applicability of the published "Data Processing Agreement for the United Kingdom" by executing or conducting business for or with us. The same applies if you act as a Controller and transfer personal data to us as a Processor.
11. CCPA-CPRA CONTRACTOR AGREEMENT for California
To the extent that you are a contractor of ours, and we or you have a place of business in California, or employ or engage employees, service providers, processors, or other persons from California, and if the Contractor processes consumer data protected by CCPA-CPRA or California law as part of the relationship, you automatically enter into the CCPA-CPRA CONTRACTOR AGREEMENT published by us with us by each execution or handling of business, either as a Business or as a Contractor.
A list of our sub-processors must be requested separately from us.
The European Commission adopted the EU-U.S. Data Privacy Framework on July 10, 2023. The EU-U.S. Data Privacy Framework is an adequacy decision that allows transfers of personal data from the European Economic Area (EEA), which includes the 27 EU member states and Norway, Iceland, and Liechtenstein, to any U.S. company that has undergone a specified self-certification process. U.S. companies certified through the EU-U.S. Data Privacy Framework are listed on the following website: https://www.dataprivacyframework.gov/s/participant-search. Until the EU-U.S. Data Privacy Framework is invalidated by the Court of Justice of the European Union (CJEU) or the European Commission, or superseded by a new adequacy decision, the Controller will transfer Personal Data from the EEA to all companies certified through the EU-U.S. Data Privacy Framework and identified in this Privacy Policy or in the List of Processors and Data Recipients based on the EU-U.S. Data Privacy Framework. These transfers are permitted under Article 45 GDPR. The Controller points out that in the case of transfers based on the EU-U.S. Data Privacy Framework, neither an analysis of the legal situation in the recipient country (so-called Transfer Impact Assessment) nor supplementary measures, such as encryption to protect transferred personal data from access by U.S. authorities, are required or implemented. The EU-U.S. Data Privacy Framework obligates certified companies from the U.S. to comply with defined data protection principles, which are based on the requirements of GDPR, and to fulfill data subject rights (e.g., right of access and deletion).
Data Subjekts from the EEA who believe that the requirements of the EU-U.S. Data Privacy Framework are not being observed by a certified U.S. company may complain to the European Data Protection Authority responsible for them. This Data Protection Authority will forward the complaint to the European Data Protection Board, which subsequently transmits it to the U.S. authority responsible for handling the complaint. EEA Data Subjects also have legal remedies before independent arbitration bodies in the United States. If the Controller is based in the U.S. and certified under the EU-U.S. Data Privacy Framework, the Controller acts as a data importer and complies with the requirements of the EU-U.S. Data Privacy Framework. If you have any questions about the EU-U.S. Data Privacy Framework, you may contact the Data Protection Officer of the Controller at any time.
We may send you advertising using electronic mail if the advertising is in connection with the sale of products or services from us, if we received the electronic mail address from you, and use this address for direct advertising for our own similar goods or services, and you have not objected to the use. You were clearly informed when the address was collected and will be clearly informed each time it is used that you can object to the use at any time without incurring any costs other than the transmission costs according to the basic rates.
We organize webinars and invite customers, prospective customers, service providers and suppliers, including their and our employees, to online meetings. We use different third-party providers (operators of online meeting applications, application providers). Which third-party provider we use for a specific webinar or online meeting is recognizable from the participation link. You can find the privacy policy and, if applicable, additional legally required information on the website of the respective third-party provider.
By registering, accepting, and/or participating in a webinar or online meeting, you explicitly consent to your personal data being processed for the purposes of registering, planning, organizing and conducting the webinar or online meeting, which includes transfers to third-party providers (which may be located in a third country), and to audio, film or photo recordings being transmitted and/or published, and/or published to other participants as part of the webinar or online meeting. By a single action, you give multiple consents. By registering, accepting, in and/or participating, you also voluntarily give your explicit consent pursuant to 49 (1) (1) (a) GDPR (Art. 17 (1) (a) of the FADP) for data transfers to third countries for the purposes of registration, planning, organization and implementation of the webinar or online meeting, in particular for such transfers to third countries for which an adequacy decision of the EU/EEA is absent or does exist, and to companies or other entities that are not subject to an existing adequacy decision on the basis of self-certification or other accession criteria, and that involve significant risks and no appropriate safeguards for the protection of your personal data (e.g., because of Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). We hereby inform you in advance regarding your voluntary and explicit consent that in third countries there may not be an adequate level of data protection and that your data subject rights may not be enforceable, and that published personal data may not be deleted, may not be altered or may not be made anonymous at all, only conditionally and/or with a delay. You give your consent voluntarily. You are not obligated to give consent and may choose to stay away from or not participate in the webinar or online meeting, which we will consider a refusal of our request to give consent. You have the right to withdraw your data protection consent in whole or in part at any time with effect for the future, in particular by deactivating, switching off or not activating your sound, film or photo transmissions during the webinar or online meeting. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. By your action, you also confirm that you have read and acknowledged this Privacy Policy and the transparency document linked in it.
The data protection officer of the Controller is: Prof. Heiko Jonny Maniero, Franz-Joseph-Str. 11, 80801 München, Germany. Phone: +49 (0)8121 7929744; Email: info@dg-datenschutz.de; Website: https://dg-datenschutz.de/
25. Changes to the privacy policy or the purpose of processing
This Policy was last updated on the effective date noted above. This Policy may be amended or updated from time to time to reflect changes in our privacy practices with respect to the processing of personal data or changes in the applicable law. We encourage you to save this Privacy Policy locally on your device and to regularly check this page so that you may review any changes we might make.