STACKIT GmbH & Co. KG

STACKIT Data Protection Notice

Data Protection Notice for STACKIT and the websites, services and support associated therewith

Version 4.0

We take the protection of your personal data very seriously and strive to provide you with comprehensive information about the processing of your personal data. The following privacy policy explains how and for what purposes we process your personal data when you visit our website, contact us and/or (wish to) purchase STACKIT goods and services.

As a rule, the personal data of yours that we collect is obtained directly from you. The statutory basis is, in particular, the EU General Data Protection Regulation (GDPR).

Table of content

A. “Controller” within the meaning of Article 4(7) GDPR

Unless otherwise stated in the following, the controller within the meaning of Article 4(7) GDPR responsible for the processing of data described below is:

STACKIT GmbH & Co. KG

Stiftsbergstraße 1

74172 Neckarsulm

Telephone: +49 7132 30-4000

E-Mail: info@stackit.cloud

B. STACKIT websites

1. Communication by e-mail/telephone (excluding customer hotline)/mail/contact form and event registration via registration form

1.1. Purpose of the processing and legal basis

We treat all personal data that we receive from you by e-mail, telephone, mail or contact form confidentially. We use your data solely for the limited purpose of processing your inquiry.

We process data that you provide us via contact and/or registration forms to register for events (e.g., fairs or our webinars) to select and process the respective registrations and to organize and manage the event.

The legal basis for the processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the interest in responding to your inquiries so that the satisfaction of our customers, business partners and/or website users alike is ensured and promoted, as well as to select and process the respective registrations for events and to organize and manage the event.

If we ask for your consent to data processing in advance when communicating with you, the legal basis is Article 6(1)(a)GDPR.

When you send us personal data by contacting us for purposes of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing. The same applies to data processing for the purposes of organizing and managing events that you attend, to the extent that you personally are party to the respective agreement on event participation (terms and conditions of participation) and not, for instance, your employer.

If you provide us with personal data in the context of the notice and action mechanism under Article 16 of the Digital Services Act, Article 6(1)(c) GDPR in conjunction with Article 16 of the Digital Services Act is the legal basis for the data processing. This means that we are processing your data on the basis of a legal obligation.

1.2. Recipients/categories of recipients

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

We transfer information that you provide to us via the contact or registration form for registering for events to the event organizer and/or service providers used by us, e.g., event agencies, insofar as this is necessary for organizing and conducting the event and the event is not one that we ourselves are organizing and conducting.

1.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, if you do not provide us with the data required to process your request or your registration for an event, we will not be able to process or respond to it.

1.4. Storage time/criteria for determining storage time

We delete or securely anonymize all information we receive from you when you make inquiries no later than 90 days after the final response is sent to you. The information is retained for 90 days in case you contact us again after receiving a response from us on the same matter and we need to refer to our previous correspondence. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject, your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met.

We delete personal data used to select and process participation at events 90 days after the final selection and processing, provided that no invitation to an event is extended.

If the data processing is based on your consent, for verification purposes we store the record of your consent for a period of three years from the date on which you withdraw your consent or the associated data processing ends.

Data that you provide to us in the context of the notice and action mechanism under Article 16 of the Digital Services Act will be retained until the applicable statutory retention period expires.

If you send us personal data for purposes of initiating or performing a contract, statutory retention obligations require us to store that data for up to 12 years.

2. Data processed when you visit our websites

The information contained in this section applies equally to our websites as well as to the associated sub-domains and sub-pages. At present, this includes:

2.1. Purposes and legal basis of processing

When you visit our websites, log files are generated containing the following information:

The legal basis for the processing is Article 6(1)(f) GDPR. Our legitimate interest arises from our interest in protecting our systems and preventing improper and/or fraudulent activity each time that a user accesses this website.

Where processing of the aforementioned data is necessary for preparing or performing a contractual relationship, we process your data on the basis of Article 6(1)(b) GDPR.

2.2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, such data will be processed for technical reasons as soon as you access our site. The only way to prevent your data from being processed is to stop using our website.

2.4. Storage time

We store the aforementioned data for a period of seven days.

3. Cookies

We, STACKIT GmbH & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, are the controller with respect to data processing in connection with the use of “cookies” and other similar technologies to process usage data on our websites and the associated sub-domains and sub-pages. At present, this includes:

Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our websites. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie stores certain information connected with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

You may also configure your browser to ensure that a warning appears every time a new cookie is placed. This makes the use of cookies more transparent for you. You may also configure your browser to refuse acceptance of all or some cookies from certain sources. Please be advised, however, that disabling cookies may limit the functionality of this website.

3.1. Purposes and legal basis of processing

Cookies and the other technologies used to process usage data are deployed for the following purposes, depending on the categories of cookie/other technologies:

Depending on the purpose, the use of cookies and similar technologies to process usage data involves processing the following types of personal data in particular:

Technically necessary:

Preferences:

Statistics

Marketing:

The legal basis for using preference, statistics and marketing cookies and similar technologies is your consent given pursuant to Article 6(1)(a) GDPR and section 25 (1) sentence 1 of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG). The legal basis for using technically necessary cookies and similar technologies is your consent given pursuant to Article 6(1)(f) GDPR and section 25 (2) no. 2 TTDSG. We have a legitimate interest in ensuring the technical stability and security of website operation.

You may withdraw/modify your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. 

To change your consent for cookies and similar technologies used on www.stackit.de and its sub-domains and sub-pages, please click here and make your selection.  

Currently only technically necessary cookies are used on www.stackit.cloud and the associated sub-domains/sub-pages.

For an overview of the cookies and other technologies we use, including the respective purposes of processing, storage periods and any third-party providers involved, please refer to our Cookie Policy for www.stackit.de and our Cookie Policy for www.stackit.cloud.

3.2. Recipients/categories of recipient

When using cookies and similar technologies to process usage data, we may on occasion retain specialized service providers, particularly from the field of online marketing, to process data. These service providers process data on our behalf.

If you have consented to processing for marketing purposes, we may potentially share your User ID and the associated user profiles with third parties via the providers of advertising networks.

For information about other recipients in connection with using cookies to process data, see our cookie policy under the heading “Providers”.

3.3. Google Analytics

Our website www.stackit.de and the associated sub-domains and sub-pages use the “Google Analytics” service offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Cookies and similar technologies, in particular JavaScript, are used to store and analyze data on your end device.

In the European Union and in the European Economic Area (EEA), the “Google Analytics” service is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which assists us a processor in accordance with Article 28 GDPR.

“Google Analytics” creates user profiles on the basis of pseudonyms (recognition attributes from cookies and device ID and further data on the end device used or the “browser fingerprint”) and usage data (e.g., name and address of the website content requested by your browser, referral links, description of the web browser and operating system used, and the IP address of the requesting end device). Demographic data, such as the age, gender and interests of the users, and interactions, such as button clicks, scroll depth and length of stay, are collected, analyzed and merged with existing anonymized data.

We have configured “Google Analytics” in a such way that your IP address is processed and truncated within the EU using the „_anonymizeIp()“ feature before it is transmitted to Google’s servers in the USA.

We transmit your data in connection with our use of “Google Analytics” to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as well as Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. In principle, we have no influence on further data processing by the third-party provider. For further information on how Google handles personal data, please visit https://policies.google.com/privacy?hl=en. By virtue of the fact that we use “Google Analytics” on our web pages, data is transmitted to the aforementioned recipients and stored there for a period of 26 months.

3.4. Adobe Analytics

Our website www.stackit.cloud and the associated sub-domains and sub-pages use the “Adobe Analytics” service to analyze user access to this website. Data is processed solely on the basis of your consent (Article 6(1)(a) GDPR and section 25 (1) sentence 1 TTDSG), in other words if you do not give your consent, no data is processed. We use information generated during your use of the above-mentioned pages (namely, the page from which the file was requested, the name of the file, the date and time of the request, the volume of data transferred, the access status such as “file transferred”, “file not found”, etc., a description of the type of web browser used and an anonymized IP address – truncated by the last three digits) for purposes of user navigation, statistical analyses and adapting our web pages to your needs. For this purpose, we use cookies that control your connection to our web pages during the session. A permanent cookie is set in your web browser by our provider Adobe Systems Software Ireland Limited, 4–6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland, to create an anonymized user profile. This permanent cookie makes it possible to recognize your browser the next time you visit our website. That serves to recognize your anonymized user profile and tailor our website to your needs.

The information stored on the Adobe servers cannot be used to directly identify you because Adobe Analytics is used with the settings “Before Geo-Lookup: Replace visitor’s last IP octet with 0” and “Obfuscate IP-Removed”. The setting “Before Geo-Lookup: Replace visitor’s last IP octet with 0” ensures that the IP address is anonymized before geolocation by replacing the last octet of the IP address with zeros. The user’s approximate location is added to the tracking packet, which still contains the full IP address, for purposes of statistical analysis. Before the tracking packet is stored, the IP address is then replaced with a single fixed IP address referred to as a generic IP address if the “Obfuscate IP-Removed” setting is configured. This means that the original full-length IP address is no longer included in a stored data record.

The data collected using Adobe Analytics technology is not used to personally identify visitors to this website. Nor is the usage data stored in the cookie merged with personal data. To prevent general tracking by Adobe, simply click on this Link and confirm your objection on the page it redirects you to. In this case, Adobe will place a permanent “Do not track” cookie in your browser so that the Adobe technology is no longer used.

3.5. Transfer of data to third countries

As a rule, we do not transfer your data to recipients located outside of the European Union or the European Economic Area. To the extent that you have consented to the use of the relevant cookies, your data will only be transferred to the servers of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, if it is processed using Google Analytics and YouTube. Some of these servers are located in the USA. In addition, we have no control over the extent to which Google uses your data for its own purposes. The European Commission has certified some third countries as having a level of data protection comparable to that offered by the GDPR by means of an adequacy decision. For service providers headquartered in the USA, this only applies if they base the data transfer on the EU-US Data Privacy Framework dated July 10, 2023 (DPF). This is the case for this recipient.

3.6. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. You may prevent cookies from being stored by adjusting the aforementioned settings, selecting the categories of cookies accordingly or by withdrawing or modifying any consent you may have given.

3.7. Storage time

Please refer to our cookie policies for Cookie Policy www.stackit.de  and www.stackit.cloud for information on the storage time for cookies. If “persistent” is entered in the “expiration” column, the cookie will be stored permanently until the corresponding consent is withdrawn.

4. Google Ads and Microsoft Ads

We use the Google Advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google) and the Microsoft Advertising and Microsoft Clarity services provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (Microsoft) for our own promotional purposes on our website. Google and Microsoft also process your data as part of the Google and Microsoft Advertising services under their own responsibility.

Google Advertising and Microsoft Advertising can be used to display targeted ads via the Google and Microsoft networks (e.g., in search engines and e-mail programs), optimize them and track the activities of users on our website if they have been redirected to our website via ads. Microsoft Clarity can be used to track and visualize user interactions with our website.

We also use Google and Microsoft Advertising services to collect information that allows us to track target groups using remarketing lists. Google Advertising and Microsoft Advertising allow us to recognize when our website has been visited and an ad can be displayed when Google or Microsoft networks are subsequently used. The information is also used to generate conversion statistics, i.e., to record how many users have been redirected to our website after clicking on an ad. This only serves to provide us with information on the total number of users who have clicked on our ad and were then redirected to our website. However, we do not receive any information that could personally identify users.

You can disable or customize personalized advertising at Google and Microsoft. Details can be found on the respective support pages of our partners:

Setting options for personalized ads is also available at https://youradchoices.com/ and https://optout.networkadvertising.org/?c=1.?c=1.

5. Embedded third party content

We use the Google Advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google) and the Microsoft Advertising and Microsoft Clarity services provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (Microsoft) for our own promotional purposes on our website. Google and Microsoft also process your data as part of the Google and Microsoft Advertising services under their own responsibility.

Google Advertising and Microsoft Advertising can be used to display targeted ads via the Google and Microsoft networks (e.g., in search engines and e-mail programs), optimize them and track the activities of users on our website if they have been redirected to our website via ads. Microsoft Clarity can be used to track and visualize user interactions with our website.

We also use Google and Microsoft Advertising services to collect information that allows us to track target groups using remarketing lists. Google Advertising and Microsoft Advertising allow us to recognize when our website has been visited and an ad can be displayed when Google or Microsoft networks are subsequently used. The information is also used to generate conversion statistics, i.e., to record how many users have been redirected to our website after clicking on an ad. This only serves to provide us with information on the total number of users who have clicked on our ad and were then redirected to our website. However, we do not receive any information that could personally identify users.

You can disable or customize personalized advertising at Google and Microsoft. Details can be found on the respective support pages of our partners:

Setting options for personalized ads is also available at https://youradchoices.com/ and https://optout.networkadvertising.org/?c=1.

5. Embedded third party content

We have embedded YouTube videos on our website, which are stored at http://www.YouTube.com and can be played directly from our website. All videos are embedded with “privacy-enhanced mode” enabled, which means that no data about you as the user is transferred to YouTube if you do not play the videos. Data is only transferred if you play the videos. We do not have any control over this transfer of data.

You can find further information on the purpose and scope of data collection and how YouTube processes data in the provider’s privacy policy. You will also find further information there about your rights in this regard and settings to protect your privacy. YouTube’s Address and privacy policies: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://www.google.de/intl/de/policies/privacy/.

6. Newsletter

6.1. Purposes and legal basis of data processing

We offer you the opportunity to subscribe to our newsletter. If you consent to receive our newsletter, we will use your data (e-mail address and (optionally) your first and last name) to send you information about STACKIT. This includes for instance information about products, offers, promotions, services, announcements and invitations to take part in prize draws, surveys, training opportunities, events and webinars relating to STACKIT services. We also record your newsletter usage behavior (in particular opening, clicking on links and other newsletter activities), among other things by means of tracking mechanisms (such as cookies, tracking pixels and beacons), and on this basis create a personalized usage profile assigned to you and/or your e-mail address in order to tailor newsletter content and communications to your interests and optimize our services.

The legal basis for such processing is your consent pursuant to Article 6(1)(a) GDPR, section 25 (1) TDDDG.

To ensure that no mistakes are made when entering the e-mail address, we use the “double opt-in” procedure: once you enter your e-mail address in the registration field, we will send you a confirmation link. Your e-mail address will not be added to our distribution list until you click on the confirmation link.

If you subscribe to the newsletter, the IP address of the accessing system and the date and time of registration are recorded, as is the e-mail verification. This data is processed for the sole purpose of being able to track potential misuse of an e-mail address. The legal basis for processing the above-mentioned data is Article 6(1)(f) GDPR. We have a legitimate interest in ensuring IT security.

You may withdraw your consent to receive the newsletter and to the recording of newsletter activities at any time with effect for the future, e.g., by unsubscribing from the newsletter on our website. The link to the unsubscribe page is provided at the bottom of every newsletter. When you unsubscribe, we consider your consent to a newsletter subscription and the recording of your usage behavior and the receipt of newsletters based thereon as withdrawn. We will delete your usage data. The lawfulness of the processing carried out until such time as we receive your notice of withdrawal shall not be affected.

6.2. Recipients/categories of recipient

In exceptional cases, your personal data may be accessible to Microsoft Ireland Operations Ltd., South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland, for service, support and maintenance purposes because our newsletter tool is hosted/technical support is provided by that service provider.

6.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. Subscribing to our newsletter is voluntary and always subject to your consent.

6.4. Storage time

Your e-mail address and your name (if provided by you) and your usage data will be deleted as soon as you unsubscribe from our newsletter. The IP address will be stored for 30 days and then deleted.

For verification purposes, we store the record of your consent for a period of three years from the date on which you withdraw your consent or the associated data processing ends.

7. STACKIT Community Platform

7.1. Purposes and Legal Basis of Data Processing

Users of STACKIT are provided with an online forum, the STACKIT Community Platform, for purposes of exchanging information.

As part of the registration process, we require your e-mail address and a user name in order to perform the user agreement and create the user account. The purpose is to perform the contract and therefore Article 6(1)(b) GDPR is the legal basis. To enable you as a STACKIT user to participate in that forum, we require your STACKIT account activated via e-mail.

For IT security purposes, we also process your IP address, create log files and keep track of your most recently used devices. The legal basis is our legitimate interests in accordance with Article 6(1)(f) GDPR.

If you voluntarily enter further information about yourself in your profile (e.g., “About me” text) or publish posts on the platform to participate in the discussion which may contain personal data, this is done on the basis of your voluntary, implied consent to data processing in accordance with Article 6(1)(a) GDPR by virtue of using the corresponding functions. You may withdraw such consent at any time by removing/deleting the relevant data from your profile.

If you upload photos of yourself to your profile, the legal basis for processing that data is your express consent pursuant to Article 6(1)(a) GDPR and, to the extent that the images indicate your ethnic background, religion or state of health (e.g., skin color, head coverings or glasses), also pursuant to Article 9(2)(a) GDPR. You may withdraw such consent at any time by removing your photo from your profile.

Please note: The legal bases cover solely your own personal data provided. Users are not permitted to provide any personal data of third parties on the platform.

7.2. Recipients/Categories of Recipients

Depending on the visibility settings of your own profile, the data stored there may be publicly available on the platform or only visible to you. Posts can also be visible to all users or only to certain groups of people, depending on the default settings for the topic. Therefore, data recipients are potentially all registered users of the platform for posts in discussions with limited visibility and all visitors to the site for public posts www.community.stackit.cloud. Please adjust your settings according to your preferences and note the settings for the specific topic.

7.3. Obligation to Provide Your Data

You are under no statutory or contractual obligation to provide personal data to us. However, users must register before they can actively use the STACKIT Community Platform (including creating posts), which means that the basic data for entering into a user agreement is required. If you do not wish to enter this data, read-only access to the public content of the platform will be available.

7.4. Storage Time

Technically necessary data will be stored for 90 days for IT security purposes.

If your account is inactive, it will be deleted after 24 months, or upon termination of your business relationship with STACKIT.

In the event of deletion due to inactivity or termination of the business relationship, the posts in your account will be deleted or anonymized, provided that the respective topics are still being actively discussed.

8. Webinars

8.1. Types of Data

Participation:

If you wish to participate live in a webinar, you will be asked to provide the following information for login purposes: Your name, business e-mail address (required), company name, business telephone number, job title (optional).

If you use the interactive functions when participating, the content of your chat or other comments (e.g., questions, responses to surveys) may also be processed. Please note that the webinar will be recorded and therefore the content of your interactions may also be part of the recording. Please do not provide any personal data of yours or any third parties when making comments.

Further information is available in the privacy policy of the respective webinar.

Subsequent Replay:

If you wish to watch the replay of a webinar later, you will be asked to provide the following information for login purposes: Your name, business e-mail address (required), company name, business telephone number, and job title (optional).

8.2. Purposes and Legal Basis of Data Processing

We collect the aforementioned identification and contact data for inclusion in our customer database so that we can later send you information about our products and any training documentation associated with the webinar by mail and telephone; this is done on the basis of your consent given voluntarily pursuant to Article 6(1)(a) GDPR and section 7 a (1) of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG). With respect to contact per e-mail, please see the information on newsletter subscription above.

Your consent is given voluntarily and may be withdrawn at any time. If you withdraw your consent, your contact details will be deleted immediately. Any such withdrawal of consent shall not affect the lawfulness of processing prior to receiving the notice of withdrawal.

Participation:

In addition, the other data is required to make the webinar, including the interactive functions, technically available. This data is processed to the extent necessary on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR in enabling the webinar to be conducted.

8.3. Recipients/Categories of Recipients

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR. In this context, the service provider Cisco International Limited, 9-11 New Square Park, Bedfont Lakes, Feltham, England TW14 8HA, United Kingdom, is used to provide the webinar tool Webex. In order to provide the webinar tool MS Teams Webinar/MS Teams Live, we use the services of Microsoft Ireland Operations Ltd. South County Business Park, One Microsoft Court, Carmanhall an Leopardstown, Dublin, D18 P521, Ireland.

To operate our customer database, we use the services of Microsoft Ireland Operations Ltd South County Business Park, One Microsoft Court, Carmanhall an Leopardstown, Dublin, D18 P521, Ireland.

8.4. Obligation to Provide Your Data

You are under no contractual or legal obligation to provide your data. However, please note that participating in or accessing our free webinars requires that you voluntarily provide us with your contact details and give us the associated consent to advertising.

8.5. Storage Time

We delete personal data as soon as it is no longer required for the above-stated purposes.

Recordings of the webinar will be stored for five years.

Your contact details will be stored in our customer database until such time as you withdraw your consent in this regard. Your consent itself will also be stored for a further three years after deletion for verification purposes or for five years after the last telephone contact pursuant to the statutory documentation requirements.

9. Whitepapers

9.1. Types of Data

If you wish to download one of our whitepapers, you will be asked to provide the following information for login purposes: Your name, business e-mail address (required), company name and business telephone number (optional).

9.2. Purposes and Legal Basis of Data Processing

We also collect the aforementioned identification and contact data for inclusion in our customer database so that we can later send you information about our products by mail and telephone; this is done on the basis of your consent given voluntarily pursuant to Article 6(1)(a) GDPR and section 7 a (1) of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG). With respect to contact per e-mail, please see the information on newsletter subscription above.

Your consent is given voluntarily and may be withdrawn at any time. If you withdraw your consent, your contact details will be deleted immediately. Any such withdrawal of consent shall not affect the lawfulness of processing prior to receiving the notice of withdrawal.

9.3. Recipients/Categories of Recipients

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

9.4. Obligation to Provide Your Data

You are under no contractual or legal obligation to provide your data. However, please note that accessing our free whitepapers requires that you voluntarily provide us with your contact details and give us the associated consent to advertising.

9.5. Storage Time

We delete personal data as soon as it is no longer required for the above-stated purposes.

Your contact details will be stored in our customer database until such time as you withdraw your consent in this regard. Your consent itself will also be stored for a further three years after deletion for verification purposes or for five years after the last telephone contact pursuant to the statutory documentation requirements.

10. Our social media sites

10.1. Responsibilities

The party responsible for the collection and processing of data described below (the controller) is in some cases us, STACKIT GmbH & Co. KG, and in some cases the operator of the relevant social media platform. For certain types of processing, we and the platform operator act as joint controllers as defined in Article 26 GDPR.

We use the following social media sites:

LinkedIn:https://de.linkedin.com/company/stackit-cloud-colocation
Xing:https://www.xing.com/pages/stackit-ihrpartnerfurcloudundcolocation
YouTube:https://www.youtube.com/channel/UCrlj8jX00GYQYJO5Wnal6Bw
Facebook:https://www.facebook.com/Stackitcloud
Instagram:https://www.instagram.com/stackitcloud
Twitter:https://twitter.com/stackitcloud

10.1.1. The platform operator as controller

We have only limited control over the processing of data by the operators of social media platforms (e.g., the management of members and the information shared). In the situations in which we are able to have influence and can set parameters for the data processing, we endeavor to ensure within the confines of the options available to us that the social media platform operator deals with the data in accordance with data protection law requirements. In many cases, however, we are unable to influence the way in which social media platform operators process data and also do not know exactly which data they process.

Platform operators operate the entire IT infrastructure of the service, have their own privacy policies and maintain their own user agreements with you (where you are a registered user of the social media service). The operator is also solely responsible for all questions relating to the data that makes up your user profile, which we as a company have no access to.

You will find further information about the data processing performed by social media platform operators and your rights to object in the privacy policies of the operators.

LinkedIn:LinkedIn Privacy Policy
Xing:Privacy at XING
YouTube:Privacy Policy – Privacy & Terms – Google
Facebook:Facebook Privacy Policy
Instagram:Instagram Privacy Policy
Twitter:Twitter Privacy Policy

10.1.2. STACKIT GmbH & Co. KG as the controller

10.1.2.1. Purposes and legal basis of processing

We process data on our social media sites for the purpose of providing information to customers about services, promotions, prize draws, specific topics and latest company news, to interact with visitors to our social media sites on these topics, and to respond to relevant inquiries and positive or negative feedback.

We merely reserve the right to delete content if it becomes necessary to do so. We may share your content on our site if this is one of the functions of the social media platform, and communicate with you through the social media platform. Article 6(1)(f) GDPR is the legal basis for this. The processing is carried out for the purpose of our public relations work and communications. Operators have no ability to influence our processing of your data in connection with customer communications or prize draws.

As already mentioned, where social media platform operators give us the option, we make sure we design our social media sites to be as compliant as possible with data protection laws.

10.1.2.2. Recipients/categories of recipient

The data entered by you on our social media sites, such as comments, videos, images, likes, public messages, etc., is published by the social media platforms and is not used or processed by us for other purposes at any time. We merely reserve the right to delete unlawful content if it becomes necessary to do so. This would be the case, for example, for posts that infringe rights or violate the law, comments that incite hatred, offensive comments (sexually explicit content) or attachments (e.g., images or videos), which may be in violation of copyright laws, moral rights/rights of publicity or criminal law.

We may share your content on our site if this is one of the functions of the social media platform, and communicate through the social media platform. If you post an inquiry on the social media platform, we may also, depending on the required response, refer you to other more secure modes of communication that guarantee confidentiality. You always have the option of sending confidential inquiries to us at our address listed under no. 1 above or in the “legal notice” section of our website.

10.1.2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. When you use our social media sites for purely informational purposes, we do not collect any personal data. You can still visit our sites even if you do not wish to provide us with any personal data, but you will not be able to use any enhanced features such as the news function and the function allowing you to post images or comments etc.

10.1.2.4. Storage time

We delete or securely anonymize all information we receive from you when you make inquiries no later than 90 days after the final response is sent to you. The information is retained for 90 days in case you contact us again after receiving a response from us on the same matter and we need to refer to our previous correspondence. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject, your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met.

All public posts that you put on our social media sites remain in the timeline for an indefinite period, unless we delete them as part of updating the information on the topic, they violate the law or breach our guidelines or policies, or you delete the post yourself. We have no control over the deletion of your data by the operator itself. The privacy policy of the relevant operator therefore also applies in relation to the storage period.

10.1.2.5. LinkedIn Sales Navigator

We use the Sales Navigator function on LinkedIn. This allows us to search for corresponding profiles of LinkedIn users based on certain criteria, such as interests, professional background, work location specified in the profile, etc., and to contact these users based on this. The Sales Navigator function includes a messaging feature that allows us to contact you through our employees’ profiles on LinkedIn. Messages that we exchange with you via this function on LinkedIn are stored by us for the duration of your use of the Sales Navigator function. The communication that takes place in this way is not publicly visible to other users on LinkedIn. The legal basis for the processing presented above is Article 6(1)(f) GDPR. Our legitimate interest lies in establishing contact and forming a network of people who might be interested in STACKIT.

10.1.2.6. LinkedIn Lead Generation

We also use the lead generation feature on LinkedIn. In a first step, defined characteristics are used to pre-filter the profiles that our ads are displayed to. Article 6(1)(f) GDPR is the legal basis for this. The legitimate interest here lies in being able to display ads for STACKIT to relevant target groups.

By clicking on our ad on LinkedIn, you will be able to leave your name and work contact details and request to be contacted by STACKIT to receive further information on our products. The data you provide will be included in our customer database. Article 6(1)(f) GDPR is the legal basis for this. The legitimate interest here lies in ensuring effective communication with prospective customers. When you send us personal data within the scope of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

We delete or securely anonymize all information we receive from you by the means referred to above no later than 90 days after the final response is sent to you. The information is retained for 90 days in case you contact us again after receiving a response from us on the same matter and we need to refer to our previous correspondence. Based on experience, we generally do not receive any questions concerning our responses after 90 days.

If you send us personal data for purposes of initiating or performing a contract, statutory retention obligations require us to store that data for up to 12 years.

10.2. Processing as joint controllers

In some cases, we and the operator of the social media service act as joint controllers as defined in Article 26(1) GDPR:

We and the platform operator act as joint controllers with regard to the web tracking methods used by the social media platform operator. Web tracking can occur regardless of whether you are logged in or registered on the social media platform. As already explained, unfortunately we have almost no control over the web tracking methods used by social media platforms. We are unable, for example, to switch web tracking off.

The legal basis for the web tracking methods is Article 6(1)(f) GDPR. Optimizing social media platforms and the relevant fan pages is seen as a legitimate interest for the purpose of the above provision.

For further information about recipients and categories of recipients and the storage time/criteria for determining storage time, please refer to the privacy policies of the platform operators. We do not have any control over this.

You will find information on the rights available to you to prevent these web tracking methods in the privacy policies of the platform operators. You can also contact the platform operators about this using the contact details provided in the legal notice section of their respective websites.

We have only a very limited ability to influence and prevent the provision of statistics to us by social media platform operators. However, we do make sure that we do not receive any additional optional statistics.

Please be aware that it is possible that social media platforms will use your profile and user behavior data in order to analyze, for example, your habits, personal relationships and preferences etc. STACKIT GmbH & Co. KG has no control over the processing or disclosure of your data by social media platform operators.

11. Processing Inquires from Public Bodies

11.1. Purposes and Legal Basis of Processing

If we receive inquiries from public bodies about our customers or business partners, we process these inquiries on the basis of Article 6 (1)(f) GDPR for the purpose of reviewing, documenting and responding to the inquiry in our legitimate interest or in the legitimate interest of a third party, including that of the public in effective law enforcement and the establishment, exercise or defense of legal claims. This means that personal data of our customers or business partners may be transferred to the respective public body. If we have a legal obligation to respond to inquiries from authorities, the legal basis for the transfer of personal data is Article 6(1)(c) GDPR in conjunction with any relevant special law.

11.2. Origin of the Data and Types of Data

The public body may provide us with information on the content of the inquiry and other data that we need to identify the data subject. Otherwise, we use the data already known to us to process the inquiry, insofar as this is absolutely necessary to process the inquiry. The content of the inquiry and the data processed depend on the specific individual case. This may include, for example, names, contact details, information on the payment method and information on potential crimes or administrative offenses.

11.3. Recipients/Categories of Recipients

Where necessary to process the inquiry and covered by the aforementioned legal basis, we transfer personal data to public bodies (e.g., police authorities, public prosecutor’s offices or courts) and external parties that support us in processing the inquiry (e.g., law firms, legal consultants, credit agencies, detectives). Furthermore, the inquiry, including the relevant data, may be forwarded within our Group to the departments responsible for processing.

In exceptional cases, we will have a processor, e.g., our customer service providers, process the data on our behalf. Such processors are carefully selected, audited by us and bound by contract in accordance with Article 28 GDPR.

11.4. Storage time/Criteria for Determining Storage Time

We store the inquiries and the associated correspondence until the applicable statutory periods expire.

C. STACKIT customer service hotline

If you contact the STACKIT customer service hotline, we will process your personal data (by default: name, title, contact information) in the course of handling your telephone inquiry.

1. Purpose of the processing and legal basis

We treat all personal data that we receive from you by telephone when you contact the customer service hotline confidentially. We use your data solely for the limited purpose of processing your inquiry.

The legal basis for the processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the interest in responding to your inquiries so that in connection with the services we provide the satisfaction of our customers, employees, business partners and interested parties in STACKIT alike is ensured and promoted.

When you send us personal data by contacting us for purposes of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, if you do not provide us with the data required to process your request, we will not be able to process or respond to it.

4. Storage time/criteria for determining storage time

We delete or securely anonymize all information we receive from you when you make telephone inquiries no later than 45 days after the telephone call. The information is retained for 45 days in case you contact us again after your telephone inquiry on the same matter and we need to refer to the information we previously shared with you. Based on experience, we generally do not receive any questions concerning the telephone inquiries after 45 days.

D. STACKIT services and support

1. Customer registration and setting up an account

1.1. Purposes and legal basis of processing

An account is required to be able to access STACKIT services. The legal basis for processing data in this context is Article 6(1)(f) GDPR. STACKIT GmbH & Co. KG’s legitimate interest is based on the fact that it intends to offer its services to potential customers who require an account for this purpose.

If data is processed within the scope of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

As part of the registration process, we may need to perform a credit and risk assessment of your company. This generally involves information about your company, which would only constitute personal data in exceptional cases where the company is not a legal entity, e.g., in the case of a sole proprietorship. In this case, we process your data on the basis of Article 6(1)(f) GDPR. Our legitimate interest follows from the aforementioned purpose.

1.2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

For purposes of a credit and risk assessment, we may need to transfer data to Verband der Vereine Creditreform e.V., Hammfelddamm 13, 41460 Neuss, Germany (Creditreform).

1.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, you will not be able to use any SIT services if you do not provide us with the data required to set up an account.

1.4. Storage time

Your data will always be deleted and/or anonymized securely after the purpose has been fulfilled. Different time limits apply in this context.

To complete your registration, you will receive an account activation e-mail at the address you provided (user account). If you do not activate your user account, all of your data will be deleted after 90 days. Following activation, you will be asked to set up a customer account. If a customer account is not set up and the user account is not subsequently allocated to a customer account, all of your data will likewise be deleted after 90 days.

If we do not activate a customer account, all of your data will be deleted after 120 days. If we reject a customer account, all of your data will be deleted immediately.

We delete personal data for the credit and risk assessment of your company as soon as it is no longer required for the stated purpose.

2. Provision of the portal/account administration

2.1. Purposes and legal basis of processing

To enable you to use the STACKIT portal, data processing is required so that employees of STACKIT GmbH & Co. KG can perform back-office administration of the account. The legal basis for processing data in this context is Article 6(1)(f) GDPR. STACKIT GmbH & Co. KG’s legitimate interest is that you can manage the account yourself, for example, to invite other users to access your customer account.

When you send us personal data within the scope of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

2.2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, if you do not provide us with the necessary data, you will not be able to manage your account independently.

2.4. Storage time

There is a clearly differentiated concept for deleting data, which, as a rule, distinguishes between the individual deletion periods depending on the type of data. For example, your personal data is always deleted when the purpose has been fulfilled, i.e., it is stored for as long as the user/project is active. The data is deleted at the latest after 120 days provided there are no retention obligations preventing this.

3. Processing support queries

3.1. Purposes and legal basis of processing

The legal basis for the processing is Article 6(1)(f) GDPR. STACKIT GmbH & Co. KG’s legitimate interest is based on the support service it wishes to provide to its customers. To be able to respond to queries and to provide support, it is necessary to have a means of contact and to process your personal data as required.

When you send us personal data by contacting us for purposes of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

3.2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

You have the option of sharing the support tickets you generate with other persons you have assigned to your organization’s account as users in our STACKIT Portal. Users may also include external users insofar as you have assigned them to your organization in the STACKIT Portal. For sharing purposes, each user has the option of selecting users from among those assigned to your organization’s account as possible recipients. Accordingly, the user can have the users of your organization suggested as recipients of the ticket based on their name and/or e-mail address. Each user with whom a ticket is shared also receives information about the other users (name and e-mail address) from your organization’s account with whom the same ticket was shared.

3.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, if you do not provide us with the data required to process your request, we will not be able to process or respond to it.

3.4. Storage time

We delete or securely anonymize all personal data we receive from you when you make support requests at the latest when the existing business relationship with you comes to an end.

4. STACKIT Cloud Services

If a customer of STACKIT GmbH & Co. KG uses STACKIT cloud services and STACKIT GmbH & Co. KG processes personal data on behalf of and on the instructions of the customer (commissioned data processing), the customer is the data controller for the corresponding data processing within the meaning of Article 4(7) GDPR.

5. Storage and backups

5.1. Purposes and legal basis of processing

The legal basis for processing the data collected as part of storage and backups is Article 6(1)(f) GDPR. STACKIT GmbH & Co. KG’s legitimate interest is based on the need to ensure that the data stored in the cloud is secured in order to provide cloud services. In addition, your data is processed within the scope of system-based evaluations for the purposes of IT security (incorrect login attempts), evaluation of the services/features used for billing purposes as well as capacity management, optimization purposes and ensuring operations.

If data is processed within the scope of an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

5.2. Recipients/categories of recipient

As a rule, we do not transfer the data to third parties outside STACKIT GmbH & Co. KG. In exceptional cases, we will have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

5.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, we will not be able to back up your data if you do not provide us with the data necessary to back up customer/business partner data in the hybrid cloud via backup and recovery storage solutions.

5.4. Storage time

As a rule, the data is stored for as long as the system user is active. After that, the deletion deadline is 30 days. The deletion deadline for the log files is 90 days.

6. Aggregation of usage data

6.1. Purposes and legal basis of processing

The legal basis for processing your personal data with regard to the aggregation and provision of usage data is Article 6(1)(f) GDPR. In this case, STACKIT GmbH & Co. KG’s legitimate interest is based on determining usage in order to identify which customer has used/purchased which items in relation to the cloud service.

Data processing as part of further processing for billing purposes may be based on Article 6(1)(b) GDPR because data processing is necessary for the performance of the contract to which the data subjects are parties. Since the services offered are generally subject to a charge, the fact that they are chargeable is relevant to the necessity of data processing. If this affects persons who are not contracting partners, data processing may be based on Article 6 (1)(f) GDPR.

6.2. Recipients/categories of recipient

In this case, data is transferred to third parties outside STACKIT GmbH & Co. KG to Schwarz Corporate Solutions KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany for billing purposes. In exceptional cases, we will also have a processor process the data on our behalf. Such processors are carefully selected and bound by contract in accordance with Article 28 GDPR.

In those cases where STACKIT end customers purchase services due to actions by STACKIT partner companies (e.g., intermediaries or resellers) and the partners’ commission is affected by the end customer’s use of STACKIT Cloud Services or the scope of their use, the partner will receive information on the end customer’s use/scope of use insofar as the commission cannot be billed otherwise.

6.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, we will not be able to back up your data if you do not provide us with the data necessary to back up customer/business partner data in the hybrid cloud via backup and recovery storage solutions.

6.4. Storage time

As a rule, the data is stored for as long as the system user is active. After that, the deletion deadline is 30 days. The deletion deadline for the log files is 90 days. Reports are stored for a period of 12 years in order to comply with record-keeping obligations under tax law.

E. Processing of customers personal data

Apart from the data processing described elsewhere herein, we process personal data of customers in connection with the associated contractual relationship and/or taking steps prior to entering into a contract.

As a rule, the personal data of yours that we collect is obtained directly from you. However, it may also be necessary to process personal data that we obtain from other companies, authorities or other third parties, such as credit agencies, tax offices and the like. This may include personal data that we obtain through our whistleblower channels about potential compliance violations or in the context of compliance investigations.

Relevant personal data may include: personal details (e.g., first name, last name, address and other contact details, date and place of birth and nationality), identification and authentication data (e.g., commercial register excerpts, I.D. data, specimen signature), data within the scope of our business relationship (e.g., payment data, data on orders), creditworthiness data, data on corporate and ownership structure, photos and videos, and other data comparable to the aforementioned categories.

You may elect to communicate with us by e-mail or mail. For technical reasons, e-mail communications may be unencrypted.

1. Purposes and legal basis of processing

1.1. For the performance of contractual obligations (Article 6(1)(b) GDPR)

The purposes of processing follow from the need to take steps prior to entering into a contract, in advance of a contractual business relationship and to perform obligations under an existing contract.

1.2. For compliance with a legal obligation (Article 6(1)(c) GDPR)

The purposes of processing follow from statutory requirements in the individual case. Such legal obligations include, e.g., complying with retention and identification obligations, e.g., in the context of anti-money laundering requirements, tax monitoring and reporting requirements and data processing in the context of requests from authorities.

1.3. For the purposes of legitimate interests (Article 6(1)(f) GDPR)

It may be necessary to process your personal data for purposes beyond the actual performance of the contract. Legitimate interests in this case include, in particular, selecting suitable customers, conducting research on prospective customers, e.g., to ensure that compliance requirements and the like are met, asserting legal claims, defending against liability claims, avoiding legal risks and financial detriment (including for third parties), protecting our IT infrastructure, managing system access authorizations, data access controls, other internal administrative purposes (such as optimizing processes and workflows, ensuring data quality), sending the invitation to provide feedback you previously agreed to provide about your contact at the companies of Schwarz Group, carrying out and facilitating communication (e.g., web meeting, telephone) and contact via our Group-wide user directory, clarifying potential compliance violations, preventing crimes and settling claims arising out of the business relationship.

At the time of contracting, we occasionally obtain data on your credit history from credit agencies to serve the aforementioned legitimate interests. We use the credit history information from the credit agencies to assess your creditworthiness. Credit agencies store data that they receive from banks or companies, for example. Such data includes in particular last name, first name, date of birth, address and information on payment history. Information on the data stored about you can be obtained directly from the credit agencies.

If you accept our offer of contract by means of digital signature (e.g., Adobe Sign), we process your data, such as in particular e-mail address, IP address as well as the time and date of any modifications you make to the respective contract document, for instance when you approved, displayed or digitally signed it. We have a legitimate interest in ensuring that the process for signing contracts digitally is fast and efficient and that the signing process can be logged for verification purposes. Certain contracts may also be signed using a so-called qualified electronic signature. In this case we also process the certificate data associated with your signature in addition to the aforementioned data. We have a legitimate interest in being able to verify whether you are able to provide a valid qualified electronic signature serving to replace any written form prescribed by statute. To use a qualified electronic signature, you must independently register with a trust service provider (e.g., D-TRUST/Bundesdruckerei). When you register, the respective provider will process your data under its own responsibility and not on our behalf, however.

They may be given access to your contract details to check for marketing purposes whether products of other companies of Schwarz Group might be of interest to you.

In addition, we occasionally process personal data to document key milestones and events in the development of the companies of Schwarz Group in order to chronicle its corporate history.

2. Recipients/categories of recipient

Within our company, access to the data provided by you will be granted to those departments that require such data for the purposes of performing contractual obligations, complying with legal obligations or serving legitimate interests. Processors or service providers may also be given access to your personal data in the context of contractual relationships and in order to fulfill statutory obligations and safeguard legitimate interests. Their compliance with data protection requirements is ensured by contractual agreement.

In addition, the data may be transferred to companies of Schwarz Group for purposes of performing contractual obligations or other legitimate interests (e.g. for marketing purposes).

In the case of contracts executed by digital signature, your data is also accessible to all persons involved in the approval and signing of the contract, as they receive a log after the contract has been signed indicating all processing steps, including e-mail address, IP address, date and time. Your data may also be accessible to the respective service providers that we use for the relevant digital signature procedure. In the case of Adobe Sign, this would be Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West, Business Campus, Saggart D24, Dublin, Ireland. If a qualified electronic signature is used to execute digital contracts, your data will also be accessible to D-Trust GmbH, Kommandantenstraße 18, 10969 Berlin, Germany, which is the provider responsible for checking the validity of the signature.

3. Obligation to provide your data

Within the scope of our business relationship, you must provide us with the personal data needed to commence, execute and terminate a business relationship and to perform the obligations associated therewith, which we are legally obligated to collect or are entitled to collect on the basis of legitimate interests. Without such data, we would generally not be able to enter into a business relationship with you.

4. Storage time

The personal data will be stored for as long as necessary for fulfilling the above-mentioned purposes. Particularly relevant in this context are the statutory retention obligations under the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO), which provide for retention periods of up to 12 years.

Data in the corporate history will be stored on a permanent basis, to the extent it remains relevant for that purpose.

F. Provision of Your Personal Data by Third Parties

Depending on how you purchase STACKIT Cloud Services or what business model we use, it may be that we do not collect your personal data directly from you, but receive such data from third parties instead.

Such third parties may, for example, be intermediaries who establish contact between us and you as a potential end customer. The intermediary will send us your contact details (e.g., last name, first name, company name, e-mail address, address and your function/position within your company). We process this data on the basis of Article 6 (1)(f) GDPR in order to select potential end customers and contact them, and to initiate potential contractual relationships. Our legitimate interest follows from the aforementioned purposes.

Where STACKIT Cloud Services are sold by partner companies of STACKIT GmbH & Co. KG, e.g., as resellers or service providers in their own right, it may be necessary for those partners to provide us with information about a potential end customer in advance in order to take advantage of individual contractual conditions. This usually involves information about the company of the potential end customer, which may constitute personal data under certain circumstances. We process this data on the basis of Article 6(1)(f) GDPR in order to verify whether the partner is authorized to apply individual contractual conditions. Our legitimate interest follows from the aforementioned purpose.

G. Your rights as the data subject

Under Article 15(1) GDPR, you have the right to access information, free of charge, on the personal data stored about you.

If the statutory requirements are met, you also have a right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR) of your personal data.

If the basis of processing is Article 6(1)(e) or (f) GDPR, you have a right to object under Article 21 GDPR. If you object to processing, your data will no longer be processed thereafter, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests of the data subject in the objection.

If you have provided the processed data yourself, you have a right to data portability under Article 20 GDPR.

If the data processing is carried out on the basis of consent granted under Article 6(1)(a) or Article 9(2)(a) GDPR, you may withdraw that consent at any time with effect for the future without this affecting the lawfulness of the previous processing.

In the above-mentioned cases, or if you have questions or complaints, please write to or e-mail the data protection officer. You also have a right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority located in the state in which you live or where the controller is domiciled has jurisdiction.

H. Data protection officer

For further questions concerning the processing of your data or the exercise of your rights, please contact the competent data protection officer of the controller at:

STACKIT GmbH & Co. KG

Data Protection Officer –

Stiftsbergstraße 1

74172 Neckarsulm, Germany

E-mail: datenschutz@mail.schwarz