Mandatory information according to Article 13 GDPR

Data protection information in accordance with the EU General Data Protection Regulation for authorized representatives / authorized representatives of “legal persons” according to Art. 12 et seq. GDPR regarding the provision and operation (hosting) of the web-based software and web application blueplant

Preamble
The following provisions have been translated into English from their original German text. This translation is based on a free translation service provided by Google (Ireland Limited). Efforts have been made to improve the translation to align it with the original text. Nonetheless, blueplant GmbH does not guarantee, either expressly or implicitly, the correctness or reliability of the following translated provisions. In case of discrepancies or inconsistencies of any kind, the German version shall take priority.

Introduction
With the following information we give you an overview of the processing of your personal data by us and your rights under data protection law. You can find out which data is processed in detail and how it is used in the following explanations.

Please pass this information on to the current and future authorized representatives and beneficial owners of the business contact. These include, e.g., beneficiaries in the event of death, authorized officers or guarantors.

Contact details of the responsible body:
Company: blueplant GmbH
Company Site: Zollstockgürtel 61, D-50969 Cologne
Phone: +49 221 99381240
E-Mail: info@blueplant.cloud

Represented by the managing directors: Batjamin Löbbecke, Christoph Wendelken

Contact details of the data protection officer:

External data protection officer, Mr. Holger Flemig
EPRO Consult Dr. Proessel and Partner GmbH
Phone: +49 341 39281598-0
E-Mail: blueplant@epro-consult.de

What is personal data?

According to Art. 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person (hereinafter “data subject”).

 

Where do we get your personal data from?

In principle, your data is collected from you. The processing of the personal data provided by you is necessary to fulfill contractual or pre-contractual obligations resulting from the contract concluded with us or for the purpose of concluding a contract with us. Due to your obligation to cooperate, it is essential to provide the personal data requested by us, otherwise we will not be able to meet our contractual obligations. Otherwise, accounting and/or tax disadvantages for you cannot be ruled out.

The provision of your personal data is necessary as part of pre-contractual measures (e.g. master data collection for product demonstrations and contract negotiations with interested parties). If you do not provide the requested data, a contract cannot be concluded.

In order to provide our services, it may be necessary to process personal data that we receive, permissibly and for the respective purpose, from other companies or other third parties, e.g. tax offices, your business partner or similar.

Furthermore, we may process personal data from publicly accessible sources, e.g. Internet presences, which we use permissibly and only for the respective contractual purpose.

Relevant personal data of the authorized representative / authorized representative can be:

Name, address/other contact details (phone, email), job title, tax ID.

When concluding and using products/services, additional personal data can be collected, processed and stored in addition to the aforementioned data.

 

Where do we get personal data from about your employees, customers and service providers?

As part of our services for the purpose of providing and operating (hosting) the web-based blueplant software, we only obtain the personal data of your employees, customers and service providers from you or from the persons/companies concerned themselves.

Personal data can also be made available to us via our external service providers, insofar as this is necessary for the execution of the contractual relationship (e.g. payment service providers or support service providers).

 

Purposes and legal bases of processing

The personal data you provide will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act:

a) To fulfill contractual obligations (according to Art. 6 Para. 1 lit. b GDPR)

The purposes of data processing result on the one hand from the initiation of pre-contractual measures that precede a contractually regulated business relationship and on the other hand from the fulfillment of the obligations arising from the contract concluded with you. These include, e.g., data processing that is carried out in connection with our customer service. Further information can be found in your contract documents for the respective product or service (order form, service contract, service descriptions, etc.).

b) Due to legal requirements (according to Art. 6 Para. 1 lit. c GDPR) or in the public interest (according to Art. 6 Para. 1 lit. e GDPR)

The purposes of data processing result from legal requirements or are in the public interest (e.g., compliance with storage obligations). We are subject to various legal requirements that may result in an obligation to process personal data: under commercial, company, competition and tax laws, data protection laws and other general legal obligations or official orders.

c) As part of a balancing of interests (according to Art. 6 Para. 1 lit. f GDPR)

We process your personal data if this is necessary to safeguard our interests or the interests of third parties and if your interests do not prevail. We process personal data to protect the following legitimate interests:

  • for internal purposes to control and improve our business processes, business analyses, company reviews, to further develop services and products
  • for direct advertising, to offer you similar products that are suitable for your individual needs if permitted, for sales promotion
  • for market and opinion research to gain knowledge about market structures and dynamics
  • for the detection and elimination of misuse to prevent and investigate criminal offenses
  • to ensure the security and availability of our IT systems, to prevent damage
  • for address checks and detection of typos to avoid incorrect shipments of products
  • for the fulfillment of contracts with those involved in the provision and sale of our services for billing
  • for securing legal claims and for defense in legal disputes

d) Based on consent (according to Art. 6 Para. 1 lit. a GDPR)

The purposes of processing personal data result from the granting of consent. You can revoke your consent at any time with effect for the future. Consent that was given before the GDPR came into force (May 25, 2018) can also be revoked. Processing that took place before the revocation remains unaffected by the revocation.

 

Who receives the personal data you provide?

Within our company, those areas that need access to the personal data you have provided to fulfill contractual and legal obligations and that are authorized to process this data are given access to it. In fulfillment of the contract concluded with you, only those bodies that require it for legal reasons will receive the data you have provided, e.g., tax authorities, social security institutions, competent authorities, and courts. As part of our service provision, we commission processors and service providers who contribute to the fulfillment of contractual obligations, e.g., data center service providers, IT partners, tax consultants, auditors, etc. The processors are contractually obliged by us to maintain professional secrecy and to comply with the requirements of the GDPR and the Federal Data Protection Act.

 

Who receives your customers’ personal data?

We do not pass on the personal data of your customers.

Will the data you provide be transmitted to third countries or international organizations?

Your data will only be processed in Germany and other European countries. If, in exceptional cases, your data is also processed in countries outside the European Union (i.e., in so-called third countries), this will take place if you have expressly consented to this, or it is necessary for our service provision to you or it is required by law (Art. 49 GDPR). In addition, your data will only be processed in third countries if certain measures ensure that there is an appropriate level of data protection (e.g., adequacy decision of the EU Commission or so-called suitable guarantees, Art. 44 et seq. GDPR).

To process user requests, we use the ticket system from the provider HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA.

This storage takes place on the legal basis of Article 6 Paragraph 1 Letter f) GDPR. Our legitimate interest lies in the quick and efficient processing of user inquiries.

HubSpot, Inc. also processes user data in the USA. The transfer of personal data to the USA may involve various risks to the legality and security of data processing in relation to the adequacy of the level of protection, as the USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not have any legal remedies against access by authorities. On July 10, 2023, the European Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework. The decision stipulates that the United States will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. The adequacy decision can now serve as the basis for data transfers to certified organizations in the USA. HubSpot, Inc. is accordingly certified under the new agreement: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active

For more information, please see HubSpot’s privacy policy: https://legal.hubspot.com/de/privacy-policy.

We use the PandaDoc software from PandaDoc, Inc. 3739 Balboa Street, Suite #1083, San Francisco, CA 94121, USA (“PandaDoc”) for the digital signature of contracts and documents ready for signature. For this purpose, PandaDoc processes the data you enter when using the electronic signature services, usage data from your device and transaction-related data. The legal basis is Article 88 Paragraph 1 GDPR in conjunction with Section 26 Paragraph 1 BDSG or for the purpose of fulfilling a contract with the data subject on the basis of Article 6 Paragraph 1 Letters b and f GDPR. The legitimate interest lies in an efficient and cost-saving processing of the signing of contracts and documents. Failure to provide this data may result in an electronic signature not being able to be created. We transmit personal data to employees, customers and the responsible departments of the company. We have concluded a contract with PandaDoc with so-called standard contractual clauses, in which PandaDoc undertakes to process user data only in accordance with the EU data protection level. The transfer of personal data to the USA may involve various risks to the legality and security of data processing in relation to the adequacy of the level of protection, as the USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not have any legal remedies against access by authorities. On July 10, 2023, the European Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework. The decision stipulates that the United States will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. The adequacy decision can now serve as the basis for data transfers to certified organizations in the USA.
PandaDoc is accordingly certified according to the new agreement: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000hB9eAAE&status=Active

Further information on data processing by PandaDoc can be found here: https://www.pandadoc.com/privacy-policy/

 

Does automated decision-making including profiling take place?

No fully automated decision-making (including profiling) pursuant to Art. 22 GDPR is used to process the data you have provided.

 

Duration of processing (criteria for deletion)

The processing of the data provided by you takes place for as long as it is necessary to achieve the contractually agreed purpose if the contractual relationship with you exists. After the end of the contractual relationship, the data you have provided will be processed to comply with statutory retention requirements or based on our legitimate interests. After the statutory retention periods have expired and/or our legitimate interests no longer apply, the data you have provided will be deleted.

Estimated deadlines for our storage obligations and our legitimate interests:

  • Compliance with commercial, tax and professional retention periods. The storage and documentation periods specified there are two to ten years.
  • Preservation of evidence under the statute of limitations. According to §§ 195 ff. of the German Civil Code, these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

 

Information about your rights

In particular, you have the following rights with regard to your personal data:

  • Right to information about your stored personal data (Art. 15 GDPR),
  • Right to correction if the stored data concerning you is incorrect, outdated or otherwise incorrect (Art. 16 GDPR),
  • Right to erasure if the storage is inadmissible, the purpose of the processing is fulfilled and the storage is therefore no longer necessary, or you have revoked your consent to the processing of certain personal data (Art. 17 GDPR),
  • Right to restriction of processing if one of the conditions specified in Art. 18 Para. 1 lit. a to d GDPR is met (Art. 18 GDPR),
  • Right to transfer of the personal data you have provided (Art. 20 GDPR),
  • Right to revoke a given consent, whereby the revocation does not affect the legality of the processing that has taken place up to that point based on the consent (Art. 7 Para. 3 GDPR) and
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). Addresses and links to the contact details of the data protection officers in the federal states or the supervisory authorities for the non-public area can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

 

Do you have an obligation to provide data?

As part of our business relationship with the legal person which you represent, you must provide us with the personal data that is required for the establishment and implementation of a representation/authorization and the fulfillment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we usually have to reject you as an authorized representative/authorized representative or have to revoke an existing authorization to represent/authorize you.

Right to object

You can object to the processing of your personal data for direct marketing purposes at any time without giving reasons. After receipt of the objection, we will no longer process the personal data for direct marketing purposes and will delete the data if processing is not required for other purposes (e.g., to fulfill the contract).

You can also object at any time to other processing that we base on a legitimate interest according to Article 6 Para. 1 lit. f GDPR, for reasons that arise from your particular situation, stating these reasons. In the event of a justified objection, we will no longer process the personal data for the purposes in question and will delete the data unless we can demonstrate compelling reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

The objection is to be sent to blueplant GmbH, Zollstockgürtel 61, D-50969 Cologne or info@blueplant.cloud.