Privacy Notice
This Privacy Notice describes the processing of personal data by Cumulocity GmbH (‘we’, ‘us’ or ‘our’).
Personal data is information that may identify you, such as your name or email address.
Below we explain what personal data we process about you, with whom we share it and how long it is stored. In addition, you will be informed about your rights regarding your personal data.
This Privacy Notice applies to the processing of your personal data in the following cases:
- Use of the Online Services
- Performance of the business relationship
- Marketing and communication
- Application for a job
This Privacy Notice does not apply when we process personal data as a processor (see Section 9).
We may change this Privacy Notice at any time. Previous versions will be archived and can still be accessed.
1. Who is the data controller and how can you contact the Data Protection Officer?
Cumulocity GmbH, Toulouser Allee 25, 40211 Düsseldorf, Germany is the data controller in accordance with Article 4 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Cumulocity’s Data Protection Officer can be reached by email at dataprotection@cumulocity.com or by post at the following address:
Data Protection Officer Cumulocity GmbH Toulouser Allee 25 D-40211 Düsseldorf Germany
2. What personal data do we process?
Below you find a list of the categories of personal data we are processing:
- Contact details: Name, email address, phone number, address;
- Business data: Company, job title, business address, billing-related data (for example, remuneration);
- Metadata: IP address, operating system, internet browser, URL of the website from which the Online Service was accessed, accessed pages of the Online Service, duration of use (including date and time);
- Login data: User name, password;
- Marketing data: Use of information and advertising material, data in the context of participation in events or webinars (e.g. registration, photos, videos), information about Online Services and products used (e.g. user behavior);
- Job application data: Resumes, cover letters, passports or other identification documents, date of birth and other data processed in connection with a job application.
Special categories of personal data, such as health data, trade union membership, religious affiliation, are only processed if required by law or if you have consented to this**.** We generally collect personal data directly from you, but may also obtain such data from your contacts, from your employer or from public sources.
If we receive personal data from customers or other business partners, they are responsible for ensuring that this is done in accordance with applicable data protection laws.
3. For what purposes do we process your personal data and on what legal basis?
Below we explain for what purposes and on what legal basis we process your personal data:
Use of Online Services
In order to provide our websites, cloud products or other web-based services (“Online Services”) in a secure and stable manner, and (if applicable) for contractual use, as well as to be able to recognize and detect unlawful behavior, we process login, meta and contact data. On the one hand, this is in our legitimate interest and, on the other hand, may be necessary to fulfill a legal obligation or to fulfill a contractual relationship with you. Furthermore, we are interested in continuously improving our Online Services and user experience. For this purpose, we process information about your use of our Online Services or Metadata. In particular, we analyze popular or unused functions as well as settings for functions, which is in our legitimate interest. A personal analysis of your user behavior will only take place if you have previously consented to this. Our Online Services may include integrated content or links to content provided by third parties, such as videos. This Privacy Notice does not apply to third parties that provide such content.
Performance of the business relationship
In order to carry out the business relationship and manage our customers, business partners and interested parties, we process contact and business data about you as our contact person and any communication with you. This is in our legitimate interest or is necessary for the fulfillment of the existing contract with you. Furthermore, the processing of this data may be necessary for the fulfillment of a legal obligation.
Marketing and communication
To inform you about our products, services, events, technical and commercial news, forums, other networking opportunities and to respond to your requests to us, contact, marketing, business, login and metadata are processed.
In the context of participation in marketing campaigns, events and webinars, the use of marketing information may be analyzed for the continuous improvement of products and services. Such analyses may include, but are not limited to, opening or clicking links in emails and the duration of participation in webinars. Contact, meta and marketing data are processed for this purpose.
To communicate with us, for example by email or chat, and to respond to your inquiries, contact and business data are processed.
To enable the use of our forums and portals, contact, meta and login data are processed.
Processing your personal data for the aforementioned purposes is in general in our legitimate interest. If required by law, we will only process your personal data for these purposes if you have given your prior consent.
To be able to recognize and detect any illegal behavior when using our forums and portals, the processing of the aforementioned data may also be necessary to comply with a legal obligation.
Application for a job
Application data is required for applicant management to fill any vacancies. On the one hand, this is necessary for the implementation of pre-contractual measures to establish an employment relationship. On the other hand, we process this data to fulfill our legal obligations.
4. What are cookies and how are they processed?
Through the use of cookies and similar technologies, we process data which may also include personal data. The aim is to optimize our website and Online Services, to control their use, to adapt them to your interests and needs and to keep you informed about our products and services. Cookies are small text files that are stored by the server when you read websites. Below we describe the types of cookies used on our websites, including their purpose.
We use the following types of cookies on our websites and online services:
- essential cookies
- functional cookies, and
- advertising cookies.
Essential cookies are necessary for the use of the website and enable, for example, navigation on the website. Functional cookies enhance your personal experience on the website and advertising cookies collect information about your online activities to enable personalized advertising. Functional and advertising cookies are only used if you consent to it.
You can choose how we use functional and advertising cookies by changing the cookie settings. To do so, please go to “Cookie preferences” at the bottom of this page. In the cookie settings, you will also find an overview of the third parties that place cookies on our websites. In addition, you can control and restrict the placement of cookies via the browser settings. In this context, you can also delete existing cookies. However, deselecting functional and advertising cookies may lead to a restriction of the functionalities of our websites. Essential cookies are set automatically and cannot be deselected, otherwise the websites would not work properly.
5. Google Analytics
The Cumulocity websites use functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin. This data is assigned to the respective end device of the user. An assignment to a user ID does not take place.
Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics uses various modeling approaches to augment the collected data sets and uses machine learning technologies in data analysis.
Google Analytics uses technologies that make the recognition of the user for the purpose of analyzing the user behavior patterns (for example, cookies or device fingerprinting). The website use information recorded by Google is, as a rule transferred to a Google server in the United States, where it is stored.
The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.
Browser plugin
You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.
Contract data processing
We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.
6. How do we share your data and how is it transferred to third countries?
We only share your personal data with recipients if this is necessary for fulfillment of the respective purpose. Your personal data may be transferred to and processed by:
-
our subsidiaries to fulfill the purposes stated in this Privacy Notice;
-
service providers, to provide IT and system administration, hosting, analytics, marketing, and customer purchase management services in accordance with the purposes stated above;
-
our customers, if they provide you with access our Online Services or if the transfer is necessary to resolve suspicious account activity or contract terms;
-
third parties who operate forums, portals, marketing activities, or host events. In some countries, your prior consent is required and will be requested at the appropriate place. Details will be available there;
-
consultants, to pursue our legitimate interests or to comply with legal requirements;
-
users of our forums and portals, as far as posts and comments submitted by you are concerned;
-
third parties in cases where we are legally obligated or have a final judgement, and when we are enforcing our rights or defending against claims.
All service providers who work for us as so-called data processors are contractually obligated to process personal data exclusively according to our instructions. These service providers do not use your personal data for their own purposes.
The transfer of personal data to recipients located in a country outside the EEA for which the EU Commission has not issued an adequacy decision is based on the EU Standard Contractual Clauses.
7. How long do we store your personal data?
We will delete or anonymize your personal data as soon as it is no longer required for the purposes stated in this Privacy Notice, or if you have requested us to do so and there is a right to data deletion. An exception may occur if legal retention obligations require a storage period that deviates from this.
If you have applied for a job or provided your data for future job postings, we will keep your personal data for one year after the last activity. This could be any activity, for example, your recruiter had to send you a rejection because there was no match. If there was no match, but your application was interesting to us, the recruiter will move your record to a candidate pool, which is exempt from purge. You will be notified by email, when this is the case. If you do not agree with the further storage of your data, you can simply send us a reply email and your data will be purged.
8. Which rights do you have?
You may contact us at any time and free of charge to exercise your following rights:
- Information about your processed personal data;
- Correction of inaccurate or incomplete personal data;
- Deletion of your personal data;
- Restriction of the processing of your personal data if you dispute the accuracy of the data;
- Obtaining your personal data provided to us in a structured, common and machine-readable format or transferring it to another controller;
- Revocation of your consent;
- Objection to the processing of your personal data.
In addition, you have the right to file a complaint with a supervisory authority (for more details, see section 11).
9. To whom can you address your right to object to the processing of personal data?
An objection to processing based on our legitimate interest may be lodged at any time. In this case, processing will be terminated unless it serves our compelling interests that are worthy of protection and outweigh your interests.
Please direct corresponding inquiries to the contact specified under section 1 of this Privacy Notice.
10. Who can you contact if we process your personal data as a processor on behalf of a customer?
Your personal data may be processed as part of the Online Services that we provide to customers. The customer is responsible for compliance with the protection of your personal data processed in these services in its role as a so-called data controller. This Privacy Notice does not apply where we process personal data in direct connection with the provision of Cloud Services, Maintenance & Support Services or Professional Services on behalf of a customer as a processor.
In this case, please address your inquiries directly to the relevant controller.
11. Local regulations
For residents of the United States of America the respective local privacy notices apply in addition to this Privacy Notice.
12. Where can you address complaints to?
You have a right of appeal to the data protection supervisory authorities pursuant to Art. 77 GDPR. The competent supervisory authority for Cumulocity is:
Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestrasse 2-4, D-40213 Düsseldorf, tel. +49211-384240, email poststelle@ldi.nrw.de.