Daten Protection Information for Business Customers and Business Partners of NetKnights GmbH

(Version February 2021)

With this information, we provide you with an overview of the processing of your personal data and the resulting data protection rights within the scope of our business relationship, e.g. within the scope of the use of the "privacyIDEA Enterprise Edition" and other contractual services. As a business partner of NetKnights GmbH, we recommend that you also forward this letter to all employees who are involved in the respective business relationship with our company or who are involved in it – regardless of the type and form.

Who is responsible for processing your data and whom can you contact about data protection?

The responsible party for data processing pursuant to Art. 4 No. 7 GDPR is:

NetKnights GmbH
Ludwig-Erhard-Straße 12
D-34131 Kassel
info@netknights.it.

You can reach our Data Protection Officer Dr. Kevin Marschall (GDPC GbR) by mail at the above address with the addition – Data Protection Officer – or by e-mail at datenschutz@netknights.it.

Where does your data come from and what data is processed?

We process mainly such data that we receive directly from you due to the business relationship and which are necessary for this – for communication and contract processing/administration. This includes in particular:

  • Business legitimation and contact data (e.g. first and last name of the contact person, business address, e-mail address, telephone number).
  • Order and turnover data (e.g. account, IBAN, customer number)
  • Documentation data in order to be able to prove communication during the business relationship
  • Other socio-demographic characteristics (e.g. profession of contact person)
  • Tax data (e.g. tax number, tax identification number for the purpose of processing the order and fulfilling legal obligations, in particular vis-à-vis the tax authorities).

In addition, we also obtain your data from publicly accessible sources, in particular the Federal Gazette, Commercial Register, Internet.

Within the scope of our contractually provided services, we assist business customers in solving problems. For this purpose, you may provide us with log files from privacyIDEA. These log files may contain personal data of employees – for example, first name, last name, login name, telephone numbers and email addresses.

For more detailed information – in particular on the processing of personal data in the context of the specific business relationship with our company – we are available as contact persons under the above contact details.

What is your data used for and on what legal basis?

Data processing is always carried out in accordance with the provisions of data protection law in order to fulfill, first and foremost, the contractual and legal obligations in the provision of the respective contractual services.

a) Collection and processing within the scope of a contractual/business relationship

We collect and process your business and personal data described in more detail above in the context of entering into and fulfilling our contractual obligations towards you (Art. 6 (1) lit. b GDPR). For example, we process your contact data in the context of contacting you to conclude a contract and the associated execution. By entering into a business relationship as an interested party, supplier or business partner (pre-contractual data processing), we will store your contact data as well as information about business processes and communication with you and process it at least for the duration of the business relationship.

b) Processing on the basis of a legitimate interest

In addition, we process your personal data insofar as this is necessary to protect our legitimate interests or those of a third party (Art. 6 (1) lit. f GDPR). In addition, we process your data insofar as this is necessary for the assertion of legal claims and defense in legal disputes and this is necessary for the fulfillment of legal obligations.

c) Processing due to legal requirements

Furthermore, we process your data within the scope of legal obligations (Art. 6 para. 1 lit. c GDPR). This includes, in particular, the legal requirements of the German Tax Code.

d) Processing on the basis of consent

If you have given your consent to the processing of personal data for specific purposes (e.g. transfer of data to third parties), the lawfulness of the processing follows from Art. 6 (1) p. 1 a) GDPR. Consent can be revoked at any time with effect for the future. This also applies to consent given to us before the GDPR came into force, i.e. before May 25, 2018. However, the revocation of consent does not affect the lawfulness of the data processed until the revocation or the further processing based on another legal basis.

If we process personal data on the basis of declarations of consent, we will still separately inform the data subjects about the data processing intended thereby in the context of giving consent

Will your data be passed on?

Within our company, only those departments will have access to your data that absolutely need it for the performance of their tasks (e.g. for the execution of our maintenance/support contract). Depending on the type of order or service, these are the respective department managers/employees who require this data for the implementation, processing and coordination of the respective business/contract relationship.

Furthermore, our service providers and contractual companies receive personal data for the aforementioned processing purposes if they maintain confidentiality and the data transfer is otherwise based on one of the legal bases mentioned above. We contract processors or service providers partly on a temporary basis, partly on a long-term basis for IT services, logistics, postal services, assembly, telecommunications, tax consultancy, etc. In all cases, the service providers and contractors used only receive the data that is necessary and mandatory for the performance of individual tasks.

With regard to the transfer of data to recipients outside the company, it should be noted that we only pass on your data if this is permitted or required by law, you have given your consent or we are authorized to provide information. Under these conditions, recipients of your personal data may be, for example:

a) Public bodies and institutions (e.g. tax office, etc.) in the event of a legal or official obligation/permission (Art. 6 (1) (c) or (f) GDPR).

b) Other companies to which we transfer personal data in order to execute the respective order/contract or contract initiation with you (e.g. order processors for order coordination or execution, banks, tax consultancy).

If we transfer personal data to service providers outside the European Economic Area (EEA) as part of our business relationship, the transfer will generally only take place if the third country (such as Switzerland) has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or agreement of the EU Commission’s standard contractual clauses) are in place or if the transfer is absolutely necessary for the performance of the contract. Currently, such a transfer of personal data to third countries does not take place.

How long will your data be stored?

As soon as your data is no longer required for the fulfillment of contractual, legal and process-internal processing purposes, it is compulsorily deleted. As a rule, however, we are obliged to retain personal data beyond the end of the contractual relationship for reasons of commercial law, tax law. The period can be up to ten years. Reference is made to the relevant laws, in particular § 257 of the German Commercial Code, § 147 of the German Fiscal Code.

Insofar as we require data and documents with personal reference as evidence for the assertion, exercise or defense of legal claims, these will be retained by us depending on the respective limitation periods, whereby we restrict the processing for other purposes. This also applies, for example, to the assertion and settlement of warranty and service claims (max. 30 years) that you bring to us and in this context we process your data (contact person, company and relevant invoice/delivery). The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

What Rights do You Have?

With regard to the processing of your personal data, you have a variety of rights, in particular the right to information about the personal data stored by us (Art. 15 GDPR), correction (Art. 16 GDPR), deletion (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and objection to processing (Art. 21 GDPR), especially in the case of direct marketing. With regard to the right to information and the right to rectification, the restrictions of Sections 34 and 35 BDSG must be observed.

Furthermore, there is the right of appeal to the competent data protection supervisory authority (Art. 77 GDPR), to which we expressly refer. You can reach the supervisory authority responsible for our company under the following contact details:

The Hessian Commissioner for Data Protection and Freedom of Information.
P.O. Box: 3163
65021 Wiesbaden
Contact/E-mail: https://datenschutz.hessen.de/print_panel?nid=6