Information to be provided for customers and other data subjects following Art. 13, 14 GDPR

I. Name and address of the data controller

EMnify GmbH
Landsteiner Str. 4
97074 Würzburg, Germany
E-Mail: info@emnify.com
Website: www.emnify.com

is the data controller as defined in the EU General Data Protection Regulation (DSGVO) and the national data privacy laws.


II. Name and address of the data protection officer

The data protection officer of the data controller is:

AGOR AG
Niddastraße 74
60329 Frankfurt am Main
+49 (0) 69 - 9494 32 410
E-Mail: info@agor-ag.com
Website: www.agor-ag.com


II. Which data do we collect and from where do we get this data?

The following of your data is processed under this business relationship: 

  • Personalia (name, address, other contact information, IP-address) 
  • E-mail-address 
  • Phone number 
  • Phone data (International Mobile Equipment Identity, IMEI lock, international mobile subscriber identity, integrated circuit card identifier) 
  • As well as other data comparable to the named categories

The data mentioned above is usually acquired from you as a customer or business partner within our legal relationship. Additionally, we process data necessary for rendering our service, which may reliably be acquired through public sources or is rightfully transferred through other companies of the group or other third parties.

III. What is the purpose and the legal basis of the data processing?

We process data in accordance with the regulations of the EU-GDPR and those of the German data protection law (BDSG). As part of our business relationship, it is required that you provide any data needed for the conclusion of a contractual agreement, as well as its execution und termination.

1. Fulfillment of contractual obligations (Art. 6 (1) 1 lit. b GDPR)

The processing of your data is done in the frame of fulfilling our contractual obligations with you as a customer or business partner and/or for the implementation of pre-contractual evaluations measures on request.

2. Consent (Art. 6 (1) 1 lit. a GDPR)

If you have given us your consent to the processing of data for specific purposes (newsletter distribution), the legitimacy of the data processing is based on this consent. The consent given can be revoked at any time. The same applies to consent given to us before the enactment of the GDPR on May 25th, 2018. We want to point out that the revoking of your consent only applies to the future. The legitimacy of data processed before this remains valid.

3. Legitimate interests (Art. 6 (1) 1 lit. f GDPR)

Where necessary we process your data beyond the contractual fulfillment for the protection of our legitimate interests or the legitimate interests of third parties.

 

  • Assertion of legal claims and defense in case of legal disputes.
  • Guaranteeing IT security and functionality of IT operations.
  • Prevention and reconnaissance of criminal offenses
  • Measures meant for business management and further development of services and products.
  • Processing requests by our users. To answer these requests faster and more efficiently we use a CRM system, which only uses such data of our users that is needed for the technical processing of the input given. The CRM system does not transfer any data to third parties. To ensure the intended use of the system it is needed to enter your E-mail address. Following this our services can be used pseudonymized. For the processing of further requests, it may be necessary to collect further data (e.g., name, address).
    Should you be dissatisfied with our data processing and collection over the external system, you are also given the possibility of reaching us by an alternate contact (E-mail-address, phone number, postal address).
    The deletion period in the CRM system is rendered according to the statutory data retention obligations.
  • Where necessary we process your data beyond the contractual fulfillment for the protection of our legitimate interests. Inside our companies we use cloud services for the following purposes: Document management and retention, E-mail delivery, creation of presentations/ tables, managing the calendars, exchange of documents as well as charts and participation in audio- and videoconference. Should the processing be done outside the European Union (EU), our service providers will solely be used under the premise that these service providers fulfill the requirements following Art. 44 et seq. GDPR. Parts of the data processing may be done in the USA. In the process, personal data of the users are collected and processed, should they be part of the processed content within the services described above. This may include master data, contact information, contracts, and other processes. As part of these processing operations, usage data and metadata are also collected and processed for the purpose of security and service optimization. The legal basis for the use of cloud services is our legitimate interest in efficient and secure work processes and administrative procedures pursuant to Art. 6 (1) sentence no. 1 lit. f DSGVO. All processing operations are carried out based on a concluded order processing contract with the respective provider. The deletion period for data located within the cloud services is determined by the statutory data retention obligations.

 

IV. Data access: Who gets my data?

Within the company, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes. These could be in particular service providers and/or vicarious agents in the area of customer support, IT services, consulting, sales and marketing.

If data transfer to third parties outside our company is necessary, the transfer will only be done if this is required by legal provisions, the customer or the business partner has consented or if there is a legitimate interest. 

Considering the above, your personal data may be received by: 

  • Public bodies and institutions in the event of a legal or regulatory obligation,
  • Other companies to which we transfer personal data to carry out the business relationship with you (e.g. cloud service providers),
  • Third parties involved in the Customer Support process (e.g. external agencies),
  • Service providers that we use as processor,
  • Law firms and relevant jurisdictions for the enforcement of claims,
  • Auditors for the execution of the statutory audit mandate,
  • IT-Service Provider. 
Other data recipients may be those bodies for which you have given us your consent to transfer data or for which you have released us from the obligation to maintain confidentiality in accordance with the agreement or consent or to which we are authorized to transfer personal data based on a balancing of interests.

V. Transfer of personal data in third countries or international organizations

A transfer of data to countries outside the European Union (so-called third countries) takes place, as far as

  • It is necessary for carrying out our contractual obligations with you,
  • It is a statutory obligation (i.e., obligations for tax reporting),
  • You have given consent to such a transfer.

Furthermore, a transfer to bodies in third countries is foreseen in the following case:  

  • If necessary, in individual cases, your personal data may be transferred in compliance with the European data protection level to an IT service provider in the USA or another third country to ensure the IT operation of the company.  

Should the processing be done outside the European Union (EU) our service providers will solely be used under the premise that these service providers fulfill the requirements following Art. 44 et seq. GDPR. Parts of the data processing may be done in the USA.

VI. For how long is my data being stored?

We process and store your personal data as long as necessary for the fulfillment of our contractual and legal obligations.  

  • If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is necessary for the following purposes:  
  • Fulfillment of retention obligations under commercial and tax law, which for example may result from: German Commercial Code (HGB), German Revenue Code (AO), German Credit Services Act (KWG), German Money Laundering Act (GwG) and German Securities Trading Act (WpHG).
  • The periods for storage and documentation specified under these laws vary generally from two to ten years.
  • Preservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.

VII. For how long is my data being stored?

As data subject you can assert the following rights: 

  • The right to information according to Art. 15 GDPR (considering possible restrictions by national data protection laws)
  • The right to rectification according to Art. 16 GDPR
  • The right to erasure (right to be forgotten) according to Art. 17 GDPR (considering possible restrictions by national data protection laws)
  • The right to restriction of the processing according to Art. 18 GDPR
  • The right to data portability according to Art. 20 GDPR as well as
  • The right to object according to Art. 21 GDPR. If you object, we will no longer process your personal data unless we can provide compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising, or defending legal claims. 

Furthermore, you have the right to appeal to a competent data protection supervisory authority (Art. 77 GDPR).

VIII. Is there an obligation to provide data?

Within the scope of our business relationship, you must provide the personal data that is required for the establishment, implementation, and termination of a business relationship and for the fulfillment of the associated contractual obligations, or such data which we are required to collect by law. We would like to point out that without this data we generally will not be able to conclude, execute and terminate a contract with you.

IX. Do we process data through automated decision making?

Automated decision-making within the meaning of Art. 22 GDPR for the establishment and implementation of the business relationship is generally not used. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.

X. Is profiling being used?

We do not use automated profiling within the scope of the business relationship.

XI. Information about your right to object acc. to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data concerning you which is carried out on the basis of Art. 6 (1) 1 lit. f GDPR (data processing for the purpose of legitimate interest). 

If you object, we will no longer process your personal data unless we can provide compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising, or defending legal claims. The objection to the processing of data can be applied free of form to: dataprotection@emnify.com.