The legally binding version is the German version.

Below is a general overview of how INSIGMA IT Engineering GmbH processes your personal data and your rights under data protection law. Which data is processed on an individual basis and how it is used depends on the respective business relationship.

1. Who is responsible for data processing and who can you contact?

The responsible office is
INSIGMA IT Engineering GmbH
Prof. Dr Matthias Groß
Europaallee 31
50226 Frechen
Germany
T: 0221 78887-0
Q: 0221 78887-900
E: datenschutz@.spaminsigma.de

You can contact our company data protection officer at
KINAST Rechtsanwaltsgesellschaft mbH
Dr Karsten Kinast, LLM
Hohenzollernring 54
50672 Cologne
Germany

2. What sources and data do we use?

We process personal data that we receive as part of our business relationship. To the extent required for the provision of our services, we also process personal data that we accept from affiliated companies of INSIGMA or from other third parties (e.g. Bürgel) in an authorised manner (e.g. to execute orders, for the performance of contracts or based on consent given by you). We also process personal data that we have legitimately received and are authorised to process from publicly available sources (e.g. trade and association registers, the press, the media, the Internet and from social networks).

Relevant personal data in the context of the business relationship may be: Name, address, other contact information (telephone, email address, etc.), gender, professional title and title. When using products/services, additional personal data may be collected, processed and stored in addition to the aforementioned data. This mainly includes data from training (e.g. attendance times or results), login information (user name and login times) or IP addresses when accessing our web services.

As part of the initial business contact phase and during the business relationship, in particular through personal, telephone or written contacts, initiated by you or by us, further personal data may be collected, e.g. information about the contact channel, date, cause and outcome, (electronic) copies of correspondence and information about participation in direct marketing activities.

With regard to data processed using digital service products, we refer you to further information on data protection in relation to the respective digital service.

3. For what reason do we process your data (purpose of processing) and on what legal basis?

We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a. For the fulfilment of contractual obligations (Article 6 (1)(b) of the GDPR). The processing of personal data takes place for the provision of IT services and consulting services in the context of the performance of our contracts or for the implementation of pre-contractual measures, which are carried out at your request. The purpose of the data processing is based primarily on the specific product and may include, but is not limited to, requirement analyses, consulting and IT systems support, as well as providing training. Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.

b. In the context of the balancing of interests (Article (6)(1)(f) of the GDPR) to the extent necessary, we shall process your data beyond the actual fulfilment of contract performance for the protection of our or third party legitimate interests. Examples:

• Consultation and exchange of data with credit agencies (e.g. Bürgel) for the identification of credit and default risks.
• Review and optimisation of procedures for requirement analysis and for direct customer contact including customer segmentation and calculation of the probability of closure
• Asserting legal claims and defence in legal disputes
• Ensuring IT security and our IT operations
• Crime prevention
• Video surveillance and other measures to protect and safeguard the domiciliary right, to collect evidence
• Measures for building and facility safety (e.g. entry controls)
• Measures for business management and further development of services and products

c. Based on your consent (Article 6(1)(a) of the GDPR) to the extent that you have provided consent for the processing of personal data for specific purposes (e.g. disclosure of data to affiliates), the lawfulness of such processing is based on your consent. Consent given can be revoked at any time. This shall also apply to the revocation of declarations of consent that were given to us before the validity of the EU General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation only applies to the future. Processing that took place before the revocation remains unaffected. You can request a status overview of the consents you have given us at any time.

4. Who receives your data?

Within INSIGMA, only those entities and affiliates have access to your data who need it to fulfil our contractual and regulatory obligations. Our service providers and vicarious agents may also receive data for these purposes if they comply with our written data protection directives. These are essentially companies from the categories listed below.
Under these conditions, recipients of personal data may, for example, be:

• Public bodies and institutions in the event of legal or official obligation
• Similar entities and order processors to whom we transfer personal data in order to conduct the business relationship with you. In particular: Processing of bank information, support and maintenance of computer IT applications, archiving, document processing, call centre services, compliance services, controlling, data destruction, purchasing/procurement, space management, credit processing service, customer administration, letter shops, marketing, media technology, research, risk controlling, expense reporting, telephony, video legitimation, website management, auditing services, payments, lawyers, courts.
• Other data recipients may be those for whom you have given your consent to transmit the data.

5. Do we transmit data to a third country or an international organisation?

A transfer of data to countries outside the EU or the EEA (so-called third countries) only takes place, to the extent necessary for the execution of your orders, if prescribed by law, if you have given us your consent or as part of the processing of an order. If third country service providers are used, they shall also be required to comply with the level of data protection in Europe for written instructions by agreeing to EU standard contractual clauses.

6. How long is your data stored for?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that we view our business relationship as a long standing business relationship, which can continue for several years.
If data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its temporary processing is required for the following purposes:

• Fulfilment of commercial and tax retention periods: In particular, compliance with the German Commercial Code (HGB) or the German Fiscal Code (AO). The stipulated periods for storage and documentation of these are two to ten years.
• Preservation of evidence under the statute of limitations. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be to up to 30 years, but a regular limitation period is currently three years.

7. What data protection rights do you have?

Each data subject has the right of access to information under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR. With regard to the right of access to information and the right to erasure, the restrictions under §§ 34 and 35 of the BDSG shall apply. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR in conjunction with § 19 of the BDSG).

The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information - North Rhine-Westphalia)
Helga Block
Kavalleriestraße 2-4
40213 Düsseldorf
Germany
T: 0211 38424-0
Q: 0211 38424-10

You may revoke your consent to the processing of personal data at any time. This shall also apply to the revocation of declarations of consent that were given to us before the validity of the EU General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation only applies to the future. Processing that took place before the revocation remains unaffected.

8. Are you obliged to provide data?

As part of our business relationship, you must provide the personal information necessary for us to enter into a business relationship with you and perform our contractual obligations thereunder, or that we are required to collect by law. Without this data, we will generally have to refuse to conclude the contract or to execute the order or be unable to complete an existing contract and possibly terminate it.

9. To what extent is there an automated decision-making process (including profiling)?

In principle, we do not use fully automated decision-making pursuant to Article 22 of the GDPR to justify and implement the business relationship. If we use this process in individual cases, we shall inform you about this separately, to the extent required by law.

Information about your right to object under Article 21 of the EU General Data Protection Regulation (GDPR)

1. Case-specific right to object

You have the right, at any time and for reasons related to your particular situation, to object to the processing of personal data relating to you pursuant to Article 6(1)(e) of the GDPR (Data Processing in the Public Interest) and Article 6 (1)(f) of the GDPR (Data Processing for the Purposes of Legitimate Interests); this also applies to profiling based on this provision within the meaning of Article 4 (4) of the GDPR.

If you object, we shall no longer process your personal data unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.

2. Right to object to the processing of data for advertising purposes

In individual cases, we shall process your personal data in order to pursue direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising, and this also applies to profiling insofar as it is associated with such direct advertising. If you object to the processing for direct advertising purposes, we shall no longer process your personal data for these purposes. The objection can be in any format whatsoever and should preferably be sent by email to the following address: datenschutz@.spaminsigma.de