The protection of your personal data is very important to us. Therefore, we process your personal data (in the following “data”) only on the basis of statutory provisions.

1. Who is the controller and who can I contact?

The controller is the Exasol group, consisting of Exasol AG, Exasol Europa Vertriebs GmbH, Exasol UK Limited, Exasol Inc. (USA), Exasol Schweiz AG.

The Data Protection Officer of the German companies is

The DPO Centre
Friedrichstraße 88
10117 Berlin
Email: advice@dpocentre.com

2. What data is processed and where does this data come from?

We process data that you have provided us, such as during the contract initiation or execution, contacting us, or within the scope of your application or employment at Exasol.

Personal data may include the following:

Your master and contact data, which – in case you are a client, when you have asked for demo or contacted us for other business reasons– includes first name and surname, address, contact data (e-mail-address, telephone number etc.), bank details.

In case you are an applicant data includes e.g. your first name and surname, address, contact data, date of birth, data from your CV and job references, bank details.

In case you are a business partner it includes e.g. names of your legal representatives, the business name, the commercial register number, address, contact data of persons in charge, bank details.

Furthermore, we may also process the following personal data:

• information about type and content of contract data, order information, sales data, customer and supplier history as well as consulting documents,
• advertising data,
• information from your electronic communication with us (e.g. IP address, login data),
• other data we received from you during our business relationship (e.g. during customer talks),
• the documentation of your declarations of consent (e.g. for receiving newsletters),
• photographs as part of events.

Data Sources

We use the following methods, among others, to collect data from and about you:

1. Direct collection: You can directly provide us with your information (e.g. contact information) by using our website forms or by contacting us by phone, e-mail, or other means. Examples:
   • Registration on our website
   • Participation in a survey
   • Feedback and problem reports
2. Automated interactions: When you use our website, we automatically collect data about your devices and information about behaviours and patterns on our website. We collect this Internal personal data using cookies or other technologies. For cookies, please refer to the cookie manager on the left bottom of our website.
3. Collection by third parties or from publicly available sources: We receive your personal data from various third parties and from public sources (within and outside the EU), eg:
   • Contact, financial and transaction details of technical service providers (e.g. payment services)
   • Identity and contact information from data brokers or aggregators like DiscoverOrg and LinkedIn
   • Identity and contact information from publicly available sources 

3. What are the purposes of the processing and what is the legal basis?

We process your data in accordance with the provisions of the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz):

• for the performance of a contract or due to precontractual duties (Art. 6 (1) lit. b GDPR): The data may be processed during the initiation of business transactions, the performance of the contracts with you or during recruitment when you apply for a job.

• for the compliance with legal obligations (Art. 6 (1) lit. c GDPR): A processing of your data is required for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code (Handelsgesetzbuch) or the Fiscal Code of Germany (Abgabenordnung).

• for the purpose of legitimate interests (Art. 6 (1) lit. f GDPR): On the basis of a balancing of interests a processing of data may be undertaken when necessary for the legitimate interest of Exasol or third parties e.g. in the following cases:
  • promotion or marketing,
  • measures for business management and further development of products and services,
  • maintaining a group-wide customer database to improve customer services,
  • in the context of legal proceedings,
  • provision with non-promoting information and press releases.

• based on your consent (Art. 6 (1) lit. a GDPR): This applies in case you have given us a consent to the processing of your data, e.g. for receiving our newsletters.

4. Processing of personal data for promotional purposes

You may at any time object to the use of your personal data for promotional purposes in whole or for individual measures.

Under the legal requirements of § 7 (3) of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) we are entitled to use an e-mail address you provided to us in the context of concluding a contract for promotional purposes for our own similar goods and services. You may receive these recommendations regardless of whether you have subscribed to a newsletter or not. If you do not want to receive such recommendations, you may at any time object to the use of your e-mail address for this purpose. A text message is sufficient for this purpose. Of course, every e-mail contains a unsubscribe link.

5. Who will receive my data?

If we contract a service provider in the meaning of a processor according to Art. 28 GDPR, we remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only within the scope of the provision of our services. Data processors will only receive data needed for the performance of their respective services. These are e.g. IT service providers that we need for the operation and security of our IT systems.

Your data is made available to other group companies of the Exasol group when necessary for the performance of a contract. Customer data is stored separately for each company, with respective group companies acting as service providers for the other participating companies. All group companies are contractually bound in accordance with the provisions of applicable data protection laws.

If there is a legal obligation and in the context of legal prosecution, authorities and courts as well as external auditors may receive your data. In addition, insurance companies, banks, credit agencies and service providers may receive your data for the purpose of initiating and fulfilling contracts.

6. How long is my data stored?

We process your data until the business relationship is terminated or until the expiry of the applicable statutory retention periods (e.g. from the German Commercial Code, the Fiscal Code of Germany, the Working Hours Act); furthermore, until the termination of legal disputes in which your data is required as evidence.

7. Is personal data transferred to a third country?

In principle, we do not transfer any data to a third country. In individual cases, data will be transferred only on the basis of an adequacy decision of the European Commission or subject to appropriate safeguards, such as with standard contractual clauses.

8. What are my rights?

At any time, you have the right to information, rectification, erasure or restriction of processing of your data, the right to object, the right to data portability and the right to lodge a complaint in accordance with the requirements of data protection law.

Right to information:
You can request information from us as to whether and to what extent we process your data.

Right to rectification:
If we are processing inaccurate data about you, you have the right to obtain a rectification from us.

Right to erasure:
You can obtain the erasure of your personal data from us, if we are processing it unlawfully or the processing disproportionately interferes with your legitimate interests. Please note that there may be reasons that contradict an immediate erasure, e.g. when there are legal obligations to retain the data. Irrespective of your right to erasure, we will delete your data immediately and completely, insofar as there is no legal or statutory obligation to retain data in this respect.

Right to restriction of processing:
You have the right to obtain from us the restriction of processing if:

• you contest the accuracy of your personal data, for a period enabling us to verify the accuracy,
• the processing is unlawful, and you oppose the erasure of your data and request a restriction of use instead,
• we no longer need your data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims, or
  Internal
• you have objected to the processing.

Right to data portability: 
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us, where

• the processing is based on a consent or a contract; and
• the processing is carried out by automated means.

Where technically feasible, you have the right to have your data transmitted from us to another controller.

Right to object:
If we process your data on the basis of our legitimate interests, you have the right to object at any time. We will then no longer process your data unless we can prove compelling reasons for processing which outweigh your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. Where your data is processed for direct marketing purposes, you have the right to object at any time.

Right to withdraw Consent:
Where we are processing your data on the basis of consent you have provided us, and we have no other legal justification or obligation to continue the processing, you have the right to withdraw your consent for that specific processing at any time.

Right to lodge a complaint:
If you consider that the processing of your data infringes German or European data protection law, we kindly ask you to contact us. Of course, you also have the right to lodge a complaint to the competent supervisory authority.

If you want to assert one of the aforementioned rights, please contact our Data Protection Officer. In case of doubt, we may request additional information to confirm your identity.

Where we determine that your request is related to information that we hold in our capacity as a Data Processor, we will pass the request on to our client (the Data Controller) and will act under their direction.

9. Automated decision making.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

10. How do We protect your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, contractors, and trusted third parties who have a business need-to-know basis for the purpose of supporting us to deliver our services.

Examples of Our security measures include:
Limiting access to our buildings to those that we believe are entitled to be there by use of passes.
Implementing access controls to our information technology.
Ensuring there are appropriate procedures and technical security measures (including strict encryption, anonymisation, and archiving techniques) to safeguard your Personal Data across all our systems, website, and offices.
When we work with trusted third parties, known as Data Processors who help to deliver our services or manage our business, we carry out due diligence checks to review a third parties’ compliance with Data Protection Legislation before We work with them and ensure there are appropriate contracts in place before a Data Processor processes any Personal Data.
Regular training for staff on Information Security and Data Protection
Policies and procedures to cover Data Protection matters including incidents, personal data breaches, and data subject right requests.

11. Am I obliged to provide data?

The processing of your data is necessary to conclude or perform your contract with us. If you do not provide us with appropriate data, we will generally have to refuse to conclude a contract or will no longer be able to perform an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regards to data which is not relevant for the performance of a contract, or which is not required by law.