Data Privacy

Preamble

Responsible for the internet offers is adesso banking solutions GmbH, Herriotstraße 1, 60528 Frankfurt am Main, in short: adesso, (hereinafter also we/us).

In the following, we would like to inform you comprehensively and in detail about how we protect your privacy and how personal data is processed within the scope of our websites and/or online offers. Personal data will be deleted as soon as possible and will never be used or passed on for advertising purposes without your consent.

If the following information is not sufficient or not understandable, please do not hesitate to contact our data protection officer at the contact details given in section II.

Responsible person / data protection officer / supervisory authority

Responsible

adesso banking solutions GmbH
Herriotstraße 1
60528 Frankfurt am Main
Germany

Phone: +49 231 7000-7000
e-mail: datenschutz@adesso.de
Website: www.adesso.de

Data protection officer

Julius Hüttmann
adesso SE
Adessoplatz 1
44269 Dortmund
Germany

Phone: +49 231 7000-7000
e-mail: info@adesso.de
Website: www.adesso.de

Competent supervisory authority

State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia
Cavalry St. 2-4
40213 Düsseldorf

phone: 0211/38424-0
fax: 0211/38424-10
e-mail: poststelle@ldi.nrw.de

General principles / information

Scope of the processing of personal data
As a matter of principle, we process personal data of our users only to the extent necessary for the provision and supply of our services and for the provision of our web or online offers (including mobile apps), unless otherwise stated in this data protection declaration below.

A collection and use of personal data for other purposes is regularly only

(i) after the consent of the user,

(ii) if the processing is for the purpose of fulfilling the contract, or

(iii) to safeguard legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

An exception is also made in cases where prior consent cannot be obtained for factual reasons or where the processing of the data is permitted by law.

  1. Legal basis

Insofar as personal data are processed on the basis of the consent of the data subject, Art. 6 para. 1 letter a DSGVO is the legal basis for processing.

Where personal data are processed for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b DSGVO is the legal basis; this also applies to processing necessary for the implementation of pre-contractual measures.

If personal data is processed to fulfil a legal obligation to which we are subject, Art. 6 para. 1 lit. c DSGVO is the legal basis. If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d DSGVO is the legal basis.

If processing is carried out to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f DSGVO is the legal basis for processing.

  1. Obtaining consent / Right of withdrawal

Consent under Art. 6 para. 1 lit. a DSGVO is generally obtained electronically. Consent is obtained by placing a tick in the appropriate box to document the granting of consent. The content of the declaration of consent is recorded electronically.

Right of revocation: Please note that once consent has been granted, it can be revoked at any time with future effect – in full or in part; the legality of the processing carried out on the basis of the consent until revocation remains unaffected. If you wish to revoke your consent, please contact the contact data stated in section II (responsible office or data protection officer).

  1. Possible recipients of personal data

In order to provide our web and/or online offers, we sometimes use third party service providers who act on our behalf and according to our instructions (order processors). These service providers may receive personal data or come into contact with personal data in the course of providing services and represent third parties or recipients within the meaning of the DSGVO.

In such a case, we ensure that our service providers provide sufficient guarantees that appropriate technical and organisational measures are in place and that processing is carried out in such a way that it complies with the requirements of this Regulation and ensures the protection of the rights of the data subject (cf. Art. 28 DSGVO).

Insofar as personal data is transferred to third parties and/or recipients outside a commissioned processing operation, we ensure that this is done exclusively in accordance with the requirements of the DSGVO (e.g. Art. 6 Para. 4 DSGVO) and only if there is a corresponding legal basis (e.g. Art. 6 Para. 4 DSGVO, otherwise see Section IV.2).

  1. Processing of data in so-called third countries

Your personal data is generally processed within the EU or the European Economic Area („EEA“).

Only in exceptional cases (e.g. in connection with the involvement of service providers for the provision of web analysis services) may information be transferred to so-called „third countries“. „Third countries“ are countries outside the European Union and/or the Agreement on the European Economic Area in which an adequate level of data protection in accordance with EU standards cannot be assumed without further ado.

If the information transferred also includes personal data, we will ensure before such a transfer that an adequate level of data protection is guaranteed in the third country in question or with the recipient in the third country, that you have given your consent to this, or that there is some other permissible circumstance (e.g. Art 49 DSGVO).

An adequate level of data protection can result from a so-called „adequacy decision“ of the European Commission or can be ensured by using the so-called „EU standard contractual clauses“. In the case of recipients in the USA, compliance with the principles of the so-called „EU-US Privacy Shield“ can also ensure an adequate level of data protection. Further information on the appropriate and adequate safeguards to ensure an adequate level of data protection is available on request; contact details are provided at the beginning of this Privacy Information. Information on the EU-US Privacy Shield participants can also be found at www.privacyshield.gov/list.

  1. Data deletion and storage duration

Personal data of the data subject will be deleted or blocked as soon as the purpose of the processing ceases to apply. Data will only be stored after the purpose of processing has ceased to apply if this is provided for by the European or national legislator in EU ordinances, laws or other regulations to which our company is subject (e.g. in order to comply with statutory storage obligations and/or if there are justified interests in storage, e.g. during the course of limitation periods for the purpose of legal defence against any claims). The data will also be blocked or deleted when a storage period prescribed by the above-mentioned standards expires, unless there is a need for further storage of the data for the conclusion of a contract or for other purposes.

  1. Rights of data subjects

The DSGVO grants the person affected by the processing of personal data certain rights (so-called data subject rights, in particular Articles 12 to 22 DSGVO). The individual rights of data subjects are explained in more detail in Section XI. If you wish to exercise one or more of these rights, you can contact us at any time. To do so, please use the contact details given in section II.

Newsletter / Download information material

On our website we offer different offers where registration via forms is necessary. In detail:

  1. Newsletter
  2. a) Registration

If you would like to take advantage of the newsletter we offer, we need a valid e-mail address from you. In order to be able to check whether you are the owner of the email address provided or whether the owner of the email address agrees to receive the newsletter, we will send an automated email to the email address provided after the first registration step (so-called dDouble opt-in). Only after confirmation of the newsletter registration via a link in the confirmation e-mail do we include the specified e-mail address in our distribution list. We do not collect any further data beyond the e-mail address and the information provided to confirm the registration. The registrations are logged in order to be able to prove the process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address with the dispatch service provider.

  1. b) Shipping with Inxmail

The newsletter dispatch and the double-opt-in process is carried out via the software of the company Inxmail GmbH (Wentzingerstr. 17, 79106 Freiburg, www.inxmail.de). Inxmail is a service that is used, among other things, to organise and analyse the sending of newsletters. The data you enter to subscribe to the newsletter is stored on the Inxmail servers in Germany. Voluntary details such as title, first name and surname are used exclusively to personalise the newsletter. We use so-called newsletter tracking in our newsletters for analysis purposes. This involves recording recipient reactions (opening a mailing, clicking on text and image links, downloading images with an e-mail program) and storing them anonymously for statistical purposes. It is not possible to draw conclusions about individual users from the stored data.

We have concluded an order processing contract with Inxmail in which we oblige Inxmail to protect our customers‘ data and not to pass it on to third parties.

Your data will be processed exclusively for the purpose of sending the newsletter you have commissioned. The legal basis for this processing is Art. 6 Para. 1 letter a DSGVO. You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. You will find a link for cancelling the newsletter at the end of each newsletter; in addition, the explanations on the right of revocation of consent under IV.3 apply.

  1. Download of information material

On our website we offer you a variety of materials such as white papers or studies, which you can download free of charge. In order to send you the desired documents, we need your e-mail address. In addition, you can provide other voluntary details such as first name, surname and company. If you agree to the use of the form to contact us by e-mail, telephone or fax, we will send an automated e-mail to the specified e-mail address after the first registration step (so-called double opt-in). Only after confirmation of the contact data via a link in the confirmation e-mail will the data provided be stored in our systems. You can revoke this consent at any time by sending an e-mail to info@adesso.de. The registrations are logged in order to be able to prove the process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address with the shipping service provider. If you do not agree to be contacted, your data will be automatically deleted after 60 days.

The dispatch of materials and the double opt-in process described above is carried out by the following service providers:

Inxmail

Inxmail (Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, www.inxmail.de) is a service that is used to organise and analyse the dispatch of mailings and newsletters, among other things. The data you enter for the purpose of downloading is stored on Inxmail’s servers in Germany.

We have concluded an order processing contract with Inxmail in which we commit Inxmail to protect the data of our customers and not to pass it on to third parties.

Salesforce Pardot

Pardot is a cloud-based service from salesforce.com (Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich, Germany.), which is used for campaign management and marketing automation, among other things. The data collected in the form will only be used by salesforce for technical processing of the downloads and will not be passed on to third parties.

salesforce is certified under the Privacy Shield Agreement and thus offers an additional guarantee to comply with European data protection law, if data is processed in the USA (https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active). Further information on data protection can be found at https://www.salesforce.com/de/company/privacy/.

Your data will be processed solely for the purpose of sending you the materials you have requested. The legal basis for this processing is Art. 6 para. 1 letter a DSGVO. You can revoke your consent at any time. In addition, the information on the right of revocation of consent under IV.3.

Contact form

On our website there is a contact form which the user can use to contact us electronically. If the user makes use of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

  • Salutation
  • First name*
  • Last name*
  • Function
  • Company
  • Phone number*
  • E-mail*
  • Field for messages*
  • Street / House number
  • postcode/city

*mandatory data required for the purpose of registration are marked by an asterisk as mandatory fields (also in the input mask).
At the time the message is sent, the following data is also processed and saved:

The IP address of the user
Date and time of dispatch
Alternatively, it is possible to contact us via the e-mail address provided on our website. In this case, the user’s personal data transmitted with the e-mail will be stored. Under no circumstances will the data be passed on to third parties, unless we have to resort to third parties to process the request.

  1. Purpose and legal basis

The data is processed exclusively for the purpose of processing the respective enquiry or user request. The other data collected during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
Insofar as the data processing is carried out for the purpose of fulfilling a customer order or a customer enquiry, the legal basis for the processing of the data is Art. 6 para. 1 lit. b DSGVO, regardless of whether the contact is made via the contact form or by e-mail. If the user has given his or her consent, Art. 6 para. 1 letter a DSGVO is the legal basis for the processing of the data, if necessary in addition. The legal basis for the collection of additional data during the sending process is Art. 6 para. 1 f. DSGVO; the legitimate interest here lies in preventing misuse and ensuring system security (cf. Section VI.1).

  1. Data deletion and storage duration

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. For personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective communication with the user has ended and/or the user’s enquiry has been finally answered. The communication is ended or a final answer is given when it can be concluded from the circumstances that the matter in question has been conclusively clarified. Deletion is replaced by storage with blocking if further storage of the data is necessary for the reasons stated in section III.4.

  1. Possibility of objection and removal

The user has the possibility at any time to stop communication with us and/or to withdraw his request and to object to a corresponding use of his data. In such a case the communication cannot be continued. All personal data stored in the course of the contact will be deleted in this case, subject to further storage of the data for the reasons stated in section IV.6.

  1. Use of Google reCAPTCHA

In order to ensure sufficient data security when submitting forms, we use in certain cases the reCAPTCHA service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This is mainly to distinguish whether the input is made by a natural person or abusively by machine and automated processing. The service includes the sending of the IP address and, if applicable, other data required by Google for the service reCAPTCHA to Google. Further information on the privacy policy of Google Inc. can be found at http://www.google.de/intl/de/privacy .

Application procedure

An application form is available on our website, which the user can use for electronic applications. If the user makes use of this option, the data entered in the input mask is transmitted to us and stored.
The data protection regulations for the application procedure can be found here.

Video surveillance

Name and contact details of the person in charge:

adesso SE
Adessoplatz 1
44269 Dortmund
T 0231 7000 7000

Contact details of the data protection officer of adesso SE:

datenschutz@adesso.de

Purposes and legal basis of the data processing:

Art. 6 para. 1 f DSGVO

Legitimate interests pursued by the surveillance

Security burglary
Hazard prevention vandalism

Storage duration of the recordings:

11 days

Rights of data subjects

According to the DSGVO, the user is entitled to the following rights in particular:

  1. Right to information (Art. 15 DSGVO)

You have the right to request information as to whether or not we process personal data about you. If our company processes personal data relating to you, you have the right to request information about

the processing purposes;
the categories of personal data (type of data) processed;
the recipients or categories of recipients to whom their data have been or will be disclosed; this applies in particular if data have been or will be disclosed to recipients in third countries outside the scope of the DPAs;
the planned storage period, if possible; if it is not possible to specify the storage period, the criteria for determining the storage period (e.g. statutory retention periods or similar) must be communicated in any case;
your right to rectify and delete data concerning you, including the right to limit processing and/or the possibility to object (see also the following paragraphs);
the existence of a right of appeal to a supervisory authority;
the origin of the data, if personal data have not been collected directly from you.

You also have the right to information as to whether your personal data is the subject of an automated decision within the meaning of Art 22 DSGVO and, if so, which decision criteria form the basis of such an automated decision (logic) or what effects and consequences the automated decision may have for you.

If personal data is transferred to a third country outside the scope of the DSGVO, you have the right to information as to whether and, if so, on the basis of which guarantees an adequate level of protection within the meaning of Art. 45, 46 DSGVO is ensured for the data recipient in the third country.

You have the right to request a copy of your personal data. As a matter of principle, we provide data copies in electronic form, unless you have indicated otherwise. The first copy is free of charge, for further copies a reasonable fee may be charged. The provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy.

  1. Right of rectification (Art. 16 DSGVO)

You have the right to ask us to correct your data if it is incorrect, inaccurate and/or incomplete; the right of correction includes the right to have it completed by means of additional explanations or communications. Correction and/or completion must be carried out without delay, i.e. without undue delay.

  1. Right of cancellation (Art. 17 DSGVO)

You have the right to ask us to delete your personal data if

  • personal data are no longer necessary for the purposes for which they were collected and processed;
  • the data are processed on the basis of your consent and you have revoked your consent, unless there is another legal basis for the data processing;
  • you have lodged an objection to data processing in accordance with Art. 21 DSGVO and there are no overriding legitimate reasons for further processing,
  • you have lodged an objection to data processing for the purpose of direct advertising in accordance with Art. 21 para. 2 DSGVO;
  • your personal data have been processed unlawfully;
  • it concerns data relating to a child which have been collected in relation to information society services pursuant to Art. 8 para. 1 DSGVO.

A right to delete personal data does not exist in the following cases

  • the right to freedom of expression and information precludes the request for deletion;
  • the processing of personal data is necessary (i) to comply with a legal obligation (e.g. statutory retention obligations), (ii) to perform public tasks and interests under Union law and/or the law of the Member States (including public health interests) or (iii) for archiving and/or research purposes;
  • the personal data is necessary for the assertion, exercise or defence of legal claims.
  • Deletion must take place immediately – i.e. without culpable delay. If personal data have been made public by us (e.g. on the Internet), we must ensure, as far as technically possible and reasonable, that third party data processors are also informed of the request for deletion, including the deletion of links, copies and/or replications.
  1. Right to restrict processing (Art. 18 DSGVO)

You have the right to have the processing of your personal data restricted in the following cases:

  • If you have disputed the correctness of your personal data, you can demand that we do not use your data for other purposes for the duration of the correctness check and that your data is restricted in this respect.
  • In the event of unlawful data processing, you can demand the restriction of data use in accordance with Art. 18 DSGVO instead of data deletion in accordance with Art. 17 Para. 1 letter d DSGVO;
  • If you need your personal data for the assertion, exercise or defence of legal claims, but your personal data is no longer required in other respects, you can demand that we restrict processing to the aforementioned legal prosecution purposes;
  • If you have lodged an objection to data processing in accordance with Art. 21 para. 1 DSGVO and it is not yet clear whether our interests in processing outweigh your interests, you can demand that your data not be used for other purposes for the duration of the review and that it be restricted in this respect.

Personal data whose processing has been restricted at their request may – subject to storage – only be processed (i) with their consent, (ii) to assert, exercise or defend legal claims, (iii) to protect the rights of other natural or legal persons, or (iv) for reasons of important public interest. You will be notified in advance if any processing restriction is lifted.

  1. Right to data transferability (Art. 20 DSGVO)

hey have – subject to the following provisions – the right to demand the surrender of data concerning you in a common electronic, machine-readable data format. The right to transfer data includes the right to transfer the data to another responsible party; on request, we will therefore – as far as technically possible – transfer data directly to a responsible party designated by you or to be designated by you. The right to transfer data only applies to data provided by you and presupposes that the processing is carried out on the basis of consent or for the purpose of performing a contract and is carried out with the aid of automated procedures. The right to transfer data in accordance with Art. 20 DSGVO does not affect the right to delete data in accordance with Art. 17 DSGVO. The data transmission is subject to the rights and freedoms of other persons whose rights may be affected by the data transmission.

  1. Right of objection (Art. 21 DSGVO)

In the case of processing of personal data for the performance of tasks in the public interest (Art. 6 para. 1 letter e DSGVO) or for the pursuit of legitimate interests (Art. 6 para. 1 letter f DSGVO), you can object to the processing of personal data relating to you at any time with effect for the future. If you do so, we must refrain from any further processing of your data for the aforementioned purposes, unless

  • there are compelling legitimate reasons for processing which override their interests, rights and freedoms, or
  • the processing is necessary for the assertion, exercise or defence of legal claims

You can object to the use of your data for direct marketing purposes at any time with effect for the future; this also applies to profiling, insofar as it is connected with direct marketing. In the event of an objection, we must refrain from any further processing of your data for the purpose of direct marketing.

  1. Legal protection options / right of appeal to a supervisory authority

If you have any complaints, you can always contact the competent supervisory authority of the Union or the Member States. Our company is subject to the supervisory authority mentioned in section II.