Data Protection Notice
in accordance with Art. 13 General Data Protection Regulation (GDPR) and in Section 32 of the new German Federal Data Protection Act
Last updated on: 24th July 2019
This Data Protection Notice is intended to inform the person concerned (data subject) about what personal data is collected and processed by Symanto Research GmbH & Co. KG (hereinafter Symanto) and the purpose for its collection and processing. Furthermore, this notice will provide data subjects with information regarding which rights they are entitled to during the processing of their data.
Personal data may only be processed if the data subject has given his/her consent or it is permitted by law, i.e. when there is statutory permission to do so.
When processing personal data, Symanto observes the high standards set out in the European General Data Protection Regulation (GDPR), which has been in effect since 25 May 2018, and the German Data Protection Act (GDPA-new), which has also been in effect since May 2018.
In the process, Symanto continually reviews and improves its technical and organisational measures which serve to protect the personal data of its customers and third-parties.
In the event that Symanto does not collect the data itself or only processes data on behalf of a controller within the meaning of Art. 28 of the GDPR, this processing is regulated by corresponding contractual arrangements — so-called contract processing agreements (CPA) — in accordance with the legal requirements of the GDPR.
As a general rule, Symanto places great importance on protecting the privacy of its customers and any other data subjects during all processing operations, and it only saves the data for the intended purpose or as required by law.
1. Contact data of the controller
The following company is responsible for the collection and processing of personal data:
Symanto Research GmbH & Co. KG
Represented by the Managing Director Mr Khaleeq Aziz
Pretzfelder Strasse 15
90425 Nuremberg, Germany
Phone: +49 911 – 378466 – 39
Fax: +49 911 – 378466 – 40
The appointed data protection officer is:
Dr Matthias Müller
Arndtstrasse 4, 90419 Nuremberg, Germany
2. Purposes and legal basis for the processing of personal data
Symanto collects and processes the data of its customers for different purposes and to varying extents. Personal data is saved and used for the following purposes:
If you enter into a contract with Symanto, the personal data of the individuals involved in the project at your company will be collected and processed. During the process, the contact data of your company, the departments involved and your staff will be collected and processed in particular.
Data from the contractual relationship is used to fulfil the agreed contractual obligations that we have to customers and to be able to contact them. The data collected is also needed in order to fulfil warranty claims, to prove the fulfilment of contractual obligations or to be able to contest any asserted liability claims. The collection and use of the data are absolutely necessary for the fulfilment of the contract and the implementation of the (pre-)contractual measures.
Furthermore, Symanto collects and uses the personal data of its customers to send them important information or updates on Symanto’s products and services. This includes, in particular, important safety information or significant changes to products, services or this data protection policy. The legal basis for the processing of data for these purposes is Symanto’s legitimate interest in adapting to fulfil new legal requirements and rectifying product defects, in fulfilling its legal obligations and in offering high-quality product support. The collection and use of this data may be absolutely necessary for compliance with existing legal regulations.
If you contact Symanto by telephone, email, online or in person, we will collect personal data, such as your name, address, telephone number, email address and communication preferences, and will send you information about Symanto’s products and services. We use this information in order to provide you with customer service and product support and to monitor the quality and type of customer service and product support. Furthermore, Symanto would like to improve its products and services for its customers in the future. This entails carrying out customer satisfaction surveys so that we can understand the expectations of our customers better and can adapt our services to meet their needs. The legal basis for these purposes is Symanto’s legitimate interest in offering high-quality product support and in being able to meet its pre-contractual obligations.
We would also like to inform our customers about Symanto’s other products and services in the future. For this reason, personal data is used for advertising purposes and for sending out marketing information either after receiving express consent to do so or to the extent permissible by law. The legal basis for the processing of data for these purposes is either the data subject’s express consent or Symanto’s legitimate interest in offering the customer optimal support when realising economic enhancements.
If and when Symanto collects or uses data for this purpose after obtaining prior consent, the customer may revoke his/her consent with future effect at any time. Revocation of consent – as well as the granting of consent – may take place verbally, in writing or in text form.
3. Recipients of personal data
Symanto processes the personal data of its customers by employees within the company to the greatest extent possible. There are various specially trained staff members at Symanto who save and process the personal data within their department.
Additionally, it may be the case that this data is shared within the Symanto Group or with third-parties in order to be able to offer the customer optimum service. If and when necessary, legally stipulated contractual arrangements will be concluded and/or relevant security provisions under data protection law will be complied with in this case. Recipients of personal data generally can be:
- The owner and employees of Symanto
- The owner and employees of companies affiliated with Symanto
- Financial institutions for the purpose of settlement and collection of payment claims
- Suppliers and freelance service providers
- Tax consulting firms for the purpose of tax and/or accounting work
- Financial accounting firms for the purpose of accounting work
- Law firms for the purpose of safeguarding legitimate interests and obtaining legal advice.
- EDP service providers within the scope of maintenance of our EDP system
- Companies for billing purposes
- Strategy partners
Due to existing statutory inspection or reporting obligations, Symanto may be obligated to send certain information to the competent authorities.
Symanto can disclose your personal data to a third party: (a) if your valid consent has been submitted concerning this matter; (b) in order to comply with a valid subpoena, legal order, court order, legal action or another legal obligation; (c) in order to enforce conditions or directives; or (d) in order to exercise legal remedies or to defend legal claims if needed.
Furthermore, your personal data can be transmitted to affiliated companies, subsidiaries or third-parties in the event of restructuring, a merger, sale, joint venture, assignment, transfer or other form of divestiture of business operations, business assets or shares of Symanto unless it is either in whole or in part related to insolvency or similar proceedings; it can only be transferred to one of the said parties that we transmit personal data to as long as they are not permitted to process your personal data in another manner other than is described in this data protection notice without informing you about this and without obtaining your consent in the event it is required under applicable laws.
4. Transmitting personal data to third countries
Symanto conducts business internationally for its customers as a global company. For this purpose, the processing of personal data is carried out primarily within the European Union. In some circumstances, transferring personal data to other companies of Symanto in countries outside of the European Union is necessary so that Symanto’s products and services can be handled with consistent quality and the customer can be offered the best possible service.
Symanto protects the data of its customers regardless of whether it is saved or processed within or outside of the European Economic Area and regardless of whether it is processed by Symanto itself or by service providers on behalf of Symanto.
If data is transmitted outside of the European Economic Area, this personal data will be protected by suitable contractual, technical and organisational measures in any event, such as the standard contractual clauses approved by the EU Commission or suitable privacy shield certification possessed by the respective recipient.
It should be noted that data can be transmitted to countries for which the Commission has not yet issued an adequacy decision. In this event, Symanto will also take necessary technical and organisational measures and/or conclude contractual arrangements in order to ensure the greatest level of security for the data subject’s personal data.
5. Retention period of personal data
We process and save our customers’ personal data as long as it is necessary for fulfilling the obligations arising from the contractual relationship or for satisfying our statutory retention periods (e.g. German Tax Code).
When the retention period expires, the corresponding personal data will be erased if it is no longer required for performance (fulfilment of purpose) and no other retention obligations exist.
Symanto must observe any retention periods required under commercial and tax law. The periods specified in the German Commercial Code and Tax Code are six and ten years respectively. Furthermore, additional processing for preserving evidence under the statute of limitations may be necessary to some extent. These limitation periods are up to 30 years.
6. Rights of the data subject
Data subjects have the right to demand information from Symanto about the personal data being collected and processed, and where applicable, may request the correction or erasure of their own personal data.
Furthermore, they have the right to data portability, the right to limit the processing of their personal data, the right to object to the processing of their personal data and the right to submit a complaint with a supervisory authority.
To exercise your previously mentioned rights, you can contact Symanto’s data protection officer.