Information according to Article 13 GDPR

The protection of your personal data is very important to us. Therefore, we are processing your personal data (in the following “data”) only on the basis of statutory provisions. With this statement we want to provide you with comprehensive information within the meaning of Art.13 of the General Data Protection Regulation (“GDPR”) about the data processing in our company and about your rights.

1.  Who is the controller and who can I contact?

The controller is the Exasol group, consisting of Exasol AG, Exasol Vertriebsholding GmbH, Exasol Europa Vertriebs GmbH, Exasol Cloud Computing GmbH, Exasol Big Data Technologies GmbH, Exasol UK Limited, Exasol France SAS, Exasol Inc. (USA).

The Data Protection Officer of the German companies is

Bernhard Bock
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
E-Mail: anfragen@projekt29.de
Tel.: 0941-2986930

2.  What data is processed and where does this data come from?

We are processing data that you have provided us with during the contract initiation or execution, on the basis of a consent or within the scope of your application or employment at Exasol.

Personal data includes the following:

Your master and contact data, which – in case you are a client – includes first name and surname, address, contact data (e-mail-address, telephone number etc.), bank details.

In case you are an applicant or employee data includes e.g. your first name and surname, address, contact data, date of birth, data from your CV and job references, bank details, religious affiliation, picture recordings.

In case you are a business partner it includes e.g. names of your legal representatives, the business name, the commercial register number, address, contact data of persons in charge, bank details.

Furthermore, we are also processing the following personal data:

• information about type and content of contract data, order information, sales data, customer and supplier history as well as consulting documents,
• advertising data,
• information from your electronic communication with us (e.g. IP address, login data),
• other data we received from you during our business relationship (e.g. during customer talks),
• the documentation of your declarations of consent (e.g. for receiving newsletters),
• photographs as part of events.

Data Sources

We use the following methods, among others, to collect data from and about you:

1. Direct collection: You can directly provide us with your information (eg. contact information) by using our website forms or by contacting us by phone, e-mail, or other means. Examples:
   • Registration on our website
   • Participation in a survey
   • Feedback and problem reports
2. Automated interactions: When you use our website, we automatically collect data about your devices and information about behaviours and patterns on our website. We collect this personal data by the use of cookies or other technologies. Please find details in our privacy policy.
3. Collection by third parties or from publicly available sources: We receive your personal data from various third parties and from public sources (within and outside the EU), eg:
   • Contact, financial and transaction details of technical service providers (e.g. payment services)
   • Identity and contact information from data brokers or aggregators like DiscoverOrg and LinkedIn
   • Identity and contact information from publicly available sources

3.  What are the purposes of the processing and what is the legal basis?

We are processing your data in accordance with the provisions of the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz):

• for the performance of a contract or due to precontractual duties (Art. 6 (1) lit. b GDPR): The processing of your data is carried out online or in one of our offices during the performance of a contract, during the performance of your employment it is processed in our company. The data will be processed in particular during the initiation of business transactions and the performance of the contracts with you.

• for the compliance with legal obligations (Art. 6 (1) lit. c GDPR): A processing of your data is required for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code (Handelsgesetzbuch) or the Fiscal Code of Germany (Abgabenordnung).

• for the purpose of legitimate interests (Art. 6 (1) lit. f GDPR): On the basis of a balancing of interests a processing of data may be undertaken outside the actual performance of a contract in order to safeguard the legitimate interest of Exasol or third parties. A processing for the purpose of legitimate interests is undertaken e.g. in the following cases:
  • promotion or marketing (compare Nr. 4),
  • measures for business management and further development of products and services,
  • maintaining a group-wide customer database to improve customer services,
  • in the context of legal proceedings,
  • provision with non-promoting information and press releases.

• on the basis of your explicit consent (Art. 6 (1) lit. a GDPR): This applies in case you have given us a consent to the processing of your data, e.g. for receiving our newsletters.

4.  Processing of personal data for promotional purposes

You may at any time object to the use of your personal data for promotional purposes in whole or for individual measures.

Under the legal requirements of § 7 (3) of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) we are entitled to use an e-mail address you provided to us in the context of concluding a contract for promotional purposes for our own similar goods and services. You may receive these recommendations regardless of whether you have subscribed to a newsletter or not. If you do not want to receive such recommendations, you may at any time object to the use of your e-mail address for this purpose. A text message is sufficient for this purpose. Of course, every e-mail contains a unsubscribe link.

5.  Who will receive my data?

If we contract a service provider in the meaning of a processor according to Art. 28 GDPR, we remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only within the scope of the provision of our services. Data processors will only receive data needed for the performance of their respective services. These are e.g. IT service providers that we need for the operation and security of our IT systems.

Your data will be processed in our customer database. Our customer database supports the improvement of the data quality of existing customer data (duplicate cleansing, address correction) and enables the enrichment with data from public sources.

Your data is made available to other group companies of the Exasol group as necessary for the performance of a contract. Customer data is stored separately for each company, with respective group companies acting as service providers for the other participating companies. All group companies are contractually bound in accordance with the provisions of applicable data protection laws.

If there is a legal obligation and in the context of legal prosecution, authorities and courts as well as external auditors may receive your data. In addition, insurance companies, banks, credit agencies and service providers may receive your data for the purpose of initiating and fulfilling contracts.

6.  How long is my data stored?

We are processing your data until the business relationship is terminated or until the expiry of the applicable statutory retention periods (e.g. from the German Commercial Code, the Fiscal Code of Germany, the Working Hours Act); furthermore until the termination of legal disputes in which your data is required as evidence.

7.  Is personal data transferred to a third country?

In principle, we do not transfer any data to a third country. In individual cases, data will be transferred only on the basis of an adequacy decision of the European Commission, subject to appropriate safeguards, standard contractual clauses, or your explicit consent.

8. What are my rights?

At any time, you have the right to information, rectification, erasure or restriction of processing of your data, the right to object, the right to data portability and the right to lodge a complaint in accordance with the requirements of data protection law.

Right to information:
You can request information from us as to whether and to what extent we process your data.

Right to rectification:
If we are processing inaccurate data about you, you have the right to obtain a rectification from us.

Right to erasure:
You can obtain the erasure of your personal data from us, if we are processing it unlawfully or the processing disproportionately interferes with your legitimate interests. Please note that there may be reasons that contradict an immediate erasure, e.g. when there are legal obligations to retain the data. Irrespective of your right to erasure, we will delete your data immediately and completely, insofar as there is no legal or statutory obligation to retain data in this respect.

Right to restriction of processing:
You have the right to obtain from us the restriction of processing if:

• you contest the accuracy of your personal data, for a period enabling us to verify the accuracy,
• the processing is unlawful and you oppose the erasure of your data and request a restriction of use instead,
• we no longer need your data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims, or
• you have objected to the processing.

Right to data portability:
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us, where

• the processing is based on a consent or a contract; and
• the processing is carried out by automated means.

Where technically feasible, you have the right to have your data transmitted from us to another controller.

Right to object:
If we process your data on the basis of our legitimate interests, you have the right to object at any time. We will then no longer process your data unless we can prove compelling reasons for processing which outweigh your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. Where your data is processed for direct marketing purposes, you have the right to object at any time.

Right to lodge a complaint:
If you consider that the processing of your data infringes German or European data protection law, we kindly ask you to contact us. Of course, you also have the right to lodge a complaint to the competent supervisory authority.

If you want to assert one of the aforementioned rights, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

9. Am I obliged to provide data?

The processing of your data is necessary to conclude or perform your contract with us. If you do not provide us with appropriate data, we will generally have to refuse to conclude a contract or will no longer be able to perform an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regards to data which is not relevant for the performance of a contract or which is not required by law.