Name and Address of the controller
Controller for the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union, and other provisions related to data protection is:
EXTEDO GmbH
Einsteinstraße 30
85521 Ottobrunn
Germany
Phone: +49 89 189454-0
EXTEDO's Global Data Protection Officer is happy to help with questions or inquiries.
Email: privacy@extedo.com
Legal basis for processing personal information
Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations necessary for carrying out pre-contractual measures, for example, in inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. For example, this would be the case if a visitor were injured in our company, and his name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or another third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations that are not covered by any of the abovementioned legal grounds if the processing is necessary for the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because the European legislator has specifically mentioned them. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) lit. f GDPR, our legitimate interest is to carry out our business in favor of the well-being of all our employees and shareholders.
Provision of personal data as a statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data
We clarify that the provision of personal data is partly required by law (e.g., tax regulations) or can also result from contractual provisions (e.g., information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for the data subject to provide us with personal data, which we must subsequently process. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with them. The non-provision of personal data would mean that the contract with the data subject could not be concluded. Before the data subject provides personal data, the data subject must contact any employee. The employee clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and the consequences of non-provision of the personal data.
Security
Our infrastructure has technical and organizational security measures in place. Some measures we use in different circumstances are encryption, secured entry points to our servers, and monitoring and training for our personnel to protect against the loss, misuse, and alteration of the information under our control. However, no system is perfect or can guarantee that unauthorized access or theft of data will not occur.
International data transfers
Your personal information may be transferred to and processed in countries other than where you reside. These countries may have data protection laws different from your country's laws.
Specifically, some of our servers are located in the United States, and our group companies, third-party service providers, and partners operate worldwide. This means we may process your personal information in various countries when we collect it.
However, we have taken safeguards to make sure that your personal information will remain protected by this Privacy Policy. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies. We have also implemented safeguards with our third-party service providers and partners. Further details and copies of the standard contractual clauses can be provided upon request.
Data retention
We retain personal information we collect from you where we have an ongoing legitimate business need to do so, for example, to provide you with a service you have requested, to retain your information for future marketing purposes, or to comply with applicable legal, tax, or accounting requirements.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
The criterion used to determine the period of storage of personal data is the respective statutory retention period. After the expiration of that period, the corresponding data is routinely deleted as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
Your data protection rights
You have the following data protection rights, which you can exercise by contacting us using the details below:
- The right to access, correct, update or request deletion of your personal information.
- The right to object to processing your personal information, ask us to restrict processing your personal information, or request portability of your personal information.
- The right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. Alternatively, you can indicate your marketing preferences for email, phone, and postal marketing during registration or at any time by contacting us using the contact details provided below.
- The right, if we have collected and processed your personal information with your consent, to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted before your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- The right to complain to a data protection authority about our collection and use of your personal information. For more information, please get in touch with your local data protection authority.
We respond to all requests from individuals who wish to exercise their data protection rights per applicable data protection laws.
Additional information is provided via our website in the privacy policy.