pursuant to Art. 13 GDPR in conjunction with Sec. 32 Federal Data Protection Act (BDSG) (new version)
Latest update: 23/09/2019
This data privacy statement is intended to inform data subjects about what personal data is collected and processed by Symanto Research GmbH & Co. KG (hereinafter referred to as “Symanto”), and for what purposes. In addition, data subjects are provided with information on what rights they are entitled to assert when said data is processed.
Personal data may only be processed if the person concerned (data subject) grants his or her consent or the legal framework permits it – in other words, if a statutory circumstance in which permission is granted – in particular pursuant to Art. 6(1) GDPR – exists.
When processing personal data, Symanto takes into account the high standard that exists due to the European General Data Protection Regulation (GDPR) valid since 25 May 2018 and the Federal Data Protection Act (BDSG – new version), likewise valid since May 2018.
In that respect, Symanto continually reviews and improves its technical and organisational measures, which serve to protect the personal data of its customers and third parties.
In the event of Symanto not gathering data itself or only processing data by order within the meaning of Art. 28 GDPR, such processing is regulated by corresponding contractual provisions – so-called contract processing agreements (CPAs) – in line with the statutory requirements of the GDPR.
Fundamentally, with all processing procedures, Symanto places great value on protecting the private sphere of its customers and other data subjects, and only keeping the data as long as the purpose or statutory requirements require.
I. Contact details of the controller
The following party is responsible for collecting and processing personal data:
Symanto Research GmbH & Co. KG
represented by the Managing Director Mr. Khaleeq Aziz
Pretzfelder Strasse 15
The following party has been appointed Data Protection Officer:
Dr. Matthias Müller
II. Purposes and legal basis for the processing of personal data
Symanto gathers and processes its customers’ data for various different purposes, and to a varying extent. Personal data is stored and used for the following purposes:
If you apply/register for one of our products on Symanto’s online platform, we record personal data, e.g. first name, surname, e-mail address and company details. This information is needed to make contact with you, as well as in order to fulfil the contract. Data from the contractual relationship is used to fulfil the contractually agreed obligations vis-à-vis customers and/or be able to make contact with them. The data gathered is also required in order to fulfil warranty claims and, if applicable, prove the fulfilment of contractual obligations or be able to counteract any liability claims asserted. The gathering and use of the data is absolutely necessary for the fulfilment of the contract or to carry out any (pre-)contractual measures.
During the time that our online services are used, information on the operating system used, browser information and the IP address is stored and processed. The legal basis for said processing of the data for said purposes is Symanto’s legitimate interest, in order to ensure that our online offers are displayed correctly, monitor the quality and type of customer and product support and be able to provide the data subject with optimum customer and product support.
In addition, Symanto would also like to improve its operations for its customers in future. Customer satisfaction surveys are conducted for this purpose, in order to obtain a better understanding of customer expectations and adapt the services accordingly. The legal basis for these purposes is Symanto’s legitimate interest in formulating a user-optimised product, offering excellent product support and being able to fulfil (pre-)contractual obligations.
We would, moreover, like to inform our customers about other products and services of Symanto in future. Personal data is therefore used for advertising or to forward marketing information, either following express consent by the data subject or within the scope of the statutory options. The legal basis for the processing of the data for such purposes is either the data subject’s express consent or
Symanto’s legitimate interest in offering optimum support in implementing the economic enhancement of customers.
In so far as Symanto gathers or uses data for this purpose, following prior consent, a right of revocation of such consent exists at any time, with effect for the future. The revocation – in the same way as the consent – needs to be effected, if applicable, either verbally, in writing or in text form.
III. Recipients of personal data
Symanto processes its customers’ personal data, as far as possible, within the company, using its own employees. Various specialists are available at Symanto for this purpose, who store and process personal data within the context of their specialist areas. In addition, it may occur that such data is exchanged within the Symanto corporate group or with third parties in order to be able to offer customers optimum services. If necessary, the contractual provisions stipulated by law will be concluded in this case, or corresponding provisions under data privacy law adhered to.
Essentially, recipients of personal data may be:
- Owners and employees of Symanto
- Owners and employees of affiliates of Symanto
- Banking institutions, for the purpose of settling and collecting debts
- Suppliers and freelance service providers
- A tax consulting firm for the purpose of processing tax and accounting information
- Financial accounting department for the purpose of processing accounts
- A law firm for the purpose of representing our legitimate interests and providing legal advice
- IT service providers in the course of maintaining our IT systems
- Companies for the purposes of invoicing
- Strategy partners (for example, for storing data and documents, sending e-mail messages, providing product support, maintaining the software quality, diagnosing software problems or tracing user activity)
Due to existing statutory monitoring or reporting obligations, Symanto may be obliged to transmit certain information to the competent authority.
Symanto may disclose data regarding your person to others in the following scenarios: (a) if your effective consent exists in this respect; (b) in order to comply with a valid summons, statutory instrument, judicial injunction, legal proceedings or any other statutory obligation; (c) in order to implement terms and conditions or directives; or (d) in order to assert available legal remedies or defend legal claims, as required.
IV. Transmission of personal data to countries outside the EU
Symanto operates for its customers as a global company. In that respect, the data is principally processed within the European Union. So that Symanto’s products and services can be processed with consistent quality and the customer can be offered the best possible service, it is, in certain circumstances, necessary for personal data to be transmitted to other companies of Symanto in countries outside the European Union.
Symanto protects its customers’ data, irrespective of whether the latter is stored or processed within or outside the European Economic Area, and irrespective of whether it is processed by Symanto itself or by service providers on behalf of Symanto.
Should data be transmitted outside the European Economic Area, said personal data will, in any case, be protected by suitable contractual, as well as technical and organisational measures, such as by the standard contractual clauses approved by the EU Commission or by a suitable privacy shield certification of the respective recipient.
It is pointed out that data may also be transmitted to countries where no resolution on appropriateness has yet been passed by the Commission. Also in this case, Symanto will take any technical and organisational measures necessary or agree upon any contractual provisions to guarantee the greatest possible security for the personal data concerned.
V. Duration of storage of personal data
We process and store personal data of our customers for as long as is necessary to fulfil the obligations arising from the contractual relationship or our statutory archival obligations (inter alia, under the German Fiscal Code (tax)).
Upon the expiration of the archival period, the corresponding personal data will be deleted, if it is no longer required for the purpose of fulfilment (fulfilling the purpose of the contract) and no further archival periods exist.
In that respect, Symanto is required to take commercial and fiscal archival periods into account. The periods stipulated in the German Commercial Code and the German Fiscal Code amount to six to ten
years. In addition, further processing is sometimes necessary to retain evidence as part of the regulations on the statute of limitations. Such periods of limitation amount to up to 30 years.
VI. Rights of the data subject
Data subjects are entitled to request information from Symanto on the personal data collected and processed, and, if applicable, request the rectification or erasure of their own personal data.
Moreover, the right to data portability, the right of restriction of the processing of your personal data, the right to file an objection to the processing of your personal data and the right to file an appeal with a supervisory authority exist.
To exercise your above rights, you may contact Symanto’s Data Protection Officer.