
Definitions

1
Personal Data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2
Data Subject

A data subject is any identified or identifiable natural person whose personal data is processed by the processing controller.

3
Processing

Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

4
Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

5
Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

6
Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

7
Controller or Processing Controller

A controller or processing controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

8
Processor

A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

9
Recipient

A recipient is a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

10
Third Party

A third party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

11
Consent

Consent of the data subject is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Data Processing Agreement

1
Scope of Application

2
Data Processing

2.1
The contractor shall process the personal data exclusively on behalf of and in compliance with the client's instructions within the meaning of Art. 28, 29 of GDPR (commissioned data processing). From a data protection legislation perspective, the client shall remain the responsible party ("master of the data") and shall be responsible for the lawful processing of the personal data in accordance with the contract.

2.2
The personal data shall be exclusively and entirely processed in a Member State of the European Union or any other nation that has ratified the Agreement on the European Economic Area and according to the nature as well as for the purpose finalized in Attachment 1 of this DP Agreement. The processing of personal data shall include the type of personal data stated in Attachment 1 of this DP Agreement, as well as the categories of data subjects affected by the processing defined therein.

2.3
The contractor shall not acquire any rights to the personal data and shall surrender the personal data to the client at any time upon request. Rights of retention related to the personal data shall be precluded. On the client's instruction, the contractor shall be obligated to rectify personal data or restrict its processing.

2.4
The contractor shall be obligated to unconditionally follow the instructions arising from the contract and the written instructions of the client for the processing of the personal data (hereinafter referred to as "data protection instructions"), issued in individual cases by the executives as well as the client's data protection officer. The individual data protection instructions shall be issued in writing or via email. In justified individual cases, it shall also be possible to give verbal data protection instructions. However, such instructions must be confirmed by the client in writing or via email in a timely manner. If the contractor takes the view that the data protection instruction violates legal provisions and/or the contract, the contractor shall be obligated to inform the client of this without undue delay, and shall be entitled to not execute the data protection instruction until such time as the data protection instruction is confirmed by the client.

2.5
The contractor shall be obligated to commission a company data protection officer in writing, pursuant to § 38(1) s. 1 of the Federal Data Protection Act (BDSG). The contact details of the contractor's company data protection officer are published at www.dlubal.com/en-US/legal-notice/privacy-policy-basic-information.

3
Data Security / Technical and Organizational Measures

3.1
The contractor shall ensure the confidentiality of the agreement pursuant to Art. 28(3) s. 2 lit. b, 29, and 32(4) of GDPR by requiring any persons engaged in the processing of personal data to commit to compliance with confidentiality in written form.

3.2
The contractor shall organize the processes and measures they are responsible for in such a manner that they meet the data protection requirements, while ensuring that the personal data is processed exclusively in compliance with the data protection instructions of the client (especially by separating the personal data from the data of other clients of the contractor) and that third parties are unable to gain access to the data.

3.3
The contractor shall guarantee the security of the data processing pursuant to Art. 28(3) lit. c, 32 of GDPR, in particular in combination with Art. 5(1),(2) of GDPR, within the scope of responsibilities assigned to them according to the contract. The contractor shall be obligated to take appropriate technical and organizational measures required in order to permanently ensure data security and guarantee a level of security appropriate to the risk with regard to confidentiality, integrity, availability, and resilience of the systems and services relating to the processing. The state of the art, the costs of implementation, and the nature, scope, circumstances, and purpose of processing, as well as the varying likelihood and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) of GDPR, shall be taken into account for this. Subject to additional data protection instructions of the client, the technical and organizational measures stated in Attachment 2 of this DP Agreement shall be considered as measures within the meaning of Section 3.3 of this DP Agreement with the conclusion of the contract and/or this DP Agreement.

3.4
The contractor shall process no personal data beyond the extent required to fulfill the obligations strictly required by the agreement (especially any unauthorized duplication or transfer to third parties).

3.5
The contractor shall completely and irrevocably delete or destroy (hereinafter uniformly referred to as "delete") any and all provided and additionally processed personal data in all of the contractor's systems (including any duplications, as well as archiving and backup files) pursuant to the provisions stated in Attachment 2 of this DP Agreement, if the processing of the personal data is no longer required for the fulfillment of the contract processing.

3.6
The deletion of personal data shall be documented by the contractor and confirmed in written form at the client's request. Excluded from this deletion obligation is the personal data required by law to be retained or stored. According to legal provisions, this personal data shall be restricted in its processing and deleted after the obligation to preserve or store data has expired.

4
Notification Obligation

In case of events specified in Art. 33 and 34 of GDPR, as well as in case of violations by the contractor or persons employed by the contractor against regulations for the protection of personal data or the provisions stipulated in this DP Agreement, including its attachments, the contractor shall be obligated to take measures to preclude resulting dangers to the integrity and confidentiality of the personal data without undue delay. In such cases, the contractor shall also be obligated to notify the client and the client's data protection officer of the precise circumstances without undue delay, including causes, the exact point of time, as well as the extent of the event, and to coordinate further processing of the personal data with the client.

5
Subcontractors

5.1
The contractor shall be entitled to commission subcontractors with the fulfillment of the contractor's obligations, providing the subcontractor has committed in written form to adhere to the contractor's obligations towards the client according to this DP Agreement. The contractor shall especially oblige the subcontractor in such a way that the client is also able to directly exercise their control rights stipulated in Clause 7 of this DP Agreement towards the subcontractor. Persons tasked with the processing of personal data who are not contractually bound to the contractor and are verifiably obligated by taking Clause 3.1 of this DP Agreement into consideration, are considered subcontractors according to this Clause 5.

5.2
The contractor shall inform the client about any intended modification related to the involvement or replacement of subcontractors, providing the client with the opportunity to appeal such changes.

6
Third Party Requests, Audits by Supervisory Authorities

6.1
If the contractor should receive third party requests (especially from data subjects) for information regarding the processing of personal data or events that elicit the notification obligation according to Clause 4 of this DP Agreement, the contractor shall be obligated to inform the client and the client's data protection officer of the request without undue delay. The contractor shall refrain from giving information pursuant to Sentence 1 of this Clause 6.1 to third parties, unless the processor is mandated by law to provide such information. Clause 6.1 of this DP Agreement shall apply correspondingly, if supervisory authorities announce audits of the processor or perform them unannounced.

6.2
If the client is on their part subjected to an audit by the supervisory authority, the contractor shall support the client to the best of their abilities.

7
Controlling and Information Rights

7.1
The contractor shall provide the client with any information required to prove adherence to the obligations stated in Art. 28 of GDPR, and shall enable audits performed by the client or an auditor they commissioned to the extent required. If in the process there is a possibility to acquire confidential information, the contractor shall be entitled to demand a declaration of confidentiality from the client or the commissioned auditor.

If the client claims reasonable doubts based on factual indications, the client's data protection officer and/or the auditor commissioned by them shall have the right to enter the premises of the contractor following written notice of generally 14 calendar days prior, to convince themselves that the relevant lawful and contractual data protection regulations are complied with. In this regard, the contractor shall provide the required access rights, rights to information, and rights of inspection to the client's data protection officer and/or third parties commissioned by them.

To enable audits by the client, the contractor shall be entitled to make an appropriate claim for remuneration.

7.2
Before beginning the processing, the contractor shall inform the client in writing if and how they have implemented the measures stipulated in Clauses 3.2 through 3.6 of this DP Agreement.

8
Support of Client

8.1
The contractor shall support the client in the latter’s obligation to respond to requests to exercise the rights of data subjects stated in Art. 16 through 21 of GDPR and on request provide all relevant information in this regard without undue delay.

8.2
The contractor shall furthermore support the client with the implementation of the latter’s data protection impact assessments pursuant to Art. 35 of GDPR as well as in conjunction with prior consultations with the supervisory authority pursuant to Art. 36 of GDPR on request.

8.3
The contractor shall on request provide the client with the information required for the client's compilation of a record of processing activities without undue delay.

8.4
The contractor shall provide the client with all documentation necessary to comply with the accountability pursuant to Art. 5(2) of GDPR.

9
Final Provisions

Unless otherwise agreed by the contractual parties, this DP Agreement shall be effective for an unlimited period of time. If the contractor should seriously violate any provision of this DP Agreement, fail to implement a data protection instruction pursuant to Clause 2.4 of this DP Agreement, or refuse to allow audits pursuant to Clause 7.1 of this DP Agreement, the client shall have the right to terminate the contract and/or this DP Agreement at any time without a need to observe an advance notice period, any other provisions of the contract notwithstanding.

10
Attachment 1 to DP Agreement: Nature and Purpose

Nature and purpose of the data processing, nature of the personal data, and categories of data subjects affected by the processing

1 Nature of Data Processing

Subject matter of the order is the performance of maintenance work and technical service by the contractor via email, phone, or remote servicing, i.a. on IT systems of the client. This includes all activities required for the provision of the service contractually agreed on with the client.

2 Purpose(s) of Data Processing

  • Technical service in case of application questions regarding Dlubal software
  • Maintenance and care of Dlubal software used by the client
  • Troubleshooting of the Dlubal product in which personal data is stored, if required
  • Quality control for the Dlubal product in which the data is stored or for a later version of it
  • Further development of existing or development of new Dlubal products

3 Nature of Personal Data Processed by Contractor

  • Personal master data
  • Contact data (such as phone, email)
  • Key contract data (contractual relationship, contractual or product interest)
  • Customer history
  • Contract billing and payment data
  • Model files, other data relevant for the technical service (for example, crash reports)

4 Categories of Data Subjects Affected by Processing

  • Employees of the customer
  • If applicable, employees of the customer's IT service provider
  • Interested parties
  • Other persons, even consumers, as the case may be, provided they are users of a Dlubal service

11
Attachment 2 to DP Agreement: Technical and Organizational Measures

Hereinafter, a description of the principal measures of Dlubal for the adherence to the data protection regulations pursuant to Art. 32 of GDPR will follow. However, it must be pointed out that not all security measures can be disclosed; rather, particularly in the interest of data protection and data security, forgoing confidential and detailed descriptions is indispensable.

1 Confidentiality (Art. 32(1)(b) of GDPR)

1.1 Physical Access Control

Measures, which are suitable to deny unauthorized persons access to data processing systems with which personal data is processed or used:

  • The office premises are only accessible via a central entrance. Access areas are monitored with a camera and occupied by reception staff. In case no reception staff is present, the access doors are closed and secured with an alarm system.
  • The server rooms are additionally under permanent lock and only accessible by authorized personnel.
  • Important server systems outside the office premises are secured in a datacenter via multi-factor person authorization, video surveillance linked to the police, and against terror attacks.

1.2 Electronic Access Control

Measures, which are suitable to prevent unauthorized persons from using data processing systems:

  • The data is only available to Dlubal employees to the extent necessary via a role-based CRM system, manageable with configurable rights.
  • The employees have role-based access rights.
  • The computers are protected by authentication with a user name and password (Active Directory).
  • Passwords with increased security (structure, length, expiration date).
  • External systems are connected via VPN tunnels. Only known addresses are permitted access via an IP whitelist. All external communication is encrypted.
  • The computer systems are centrally provided with anti-virus software.
  • The data networks are secured with firewalls.
  • Only specifically authorized persons have access to the server systems.

1.3 Internal Access Control

Measures, which ensure that the persons authorized for the use of a data processing system can only access the data within their access privilege, and that personal data cannot be read, copied, altered, or deleted without authorization during processing, utilization, and after storage:

  • Rights: All services use the "deny by default" access model. Only authorized persons and groups have appropriate access. The rights matrix of each individual service is monitored and can be exported into the admin panel for every * service. All rights are managed by system administrators. The number of system administrators is reduced to a minimum.
  • Log files: The network storage servers maintain audit logs, including the version history of the files (CRUD). The Active Directory server logs every authorization query to services in the network.
  • Version control system: All data in the network is secured via VSS and BTRFS snapshots. Databases are secured via hourly snapshots.

1.4 Separation Control

Measures, which ensure that data compiled for different purposes can be processed separately:

  • Physically separate storage on separate systems or data mediums
  • Creation of an authorization concept
  • Encryption of datasets, which are processed for the same purpose
  • Assignment of purpose attributes/data fields to datasets
  • Establishment of database rights
  • Logical separation of customer data according to competency and function

1.5 Pseudonymization and Encryption (Art. 32(1)(a) of GDPR; Art. 25(1) of GDPR)

The processing of personal data in such a way that the data cannot be attributed to a specific data subject without the consultation of additional information, as long as this additional information is stored separately and is subject to appropriate technical and organizational measures:

If possible for the respective data processing, the primary identifying features of the personal data are removed from the respective data application and stored separately.

2 Integrity (Art. 32(1)(b) of GDPR)

2.1 Data Entry Control

Measures, which ensure that it is possible to retroactively check and determine, whether personal data has been entered, altered, or deleted in data processing systems, and by whom:

  • Logging of input, alteration, and deletion of data
  • Traceability of input, alteration, and deletion of data via individual user names
  • Allocation of rights for the input, alteration, and deletion of data based on an authorization concept
  • Document management

2.2 Data Transfer Control

Measures, which ensure that personal data cannot be copied, altered, or deleted without authorization in the course of electronic transmission, or during their transport or storage on data mediums:

  • The email server uses the Sender Policy Framework (SPF) to prevent unauthorized use of our domains. This way, the email recipient can check whether the email originates from an authorized server.
  • Emails are signed with DKIM signatures to ensure authenticity.
  • Sensitive emails may additionally be encrypted via end-to-end encryption.
  • FTP and VPN services operate with SSL/TLS encryption.

3 Availability and Resilience (Art. 32(1)(b) of GDPR)

3.1 Availability Control

Measures, which ensure that personal data is protected from accidental destruction or loss:

  • Backup & recovery concept
  • Uninterruptible power supply (UPS)
  • Hard disk mirroring
  • Use of RAID systems
  • BTRFS and ReFS data systems for error detection and correction, and for prevention of concealed loss of data
  • High-availability clusters and mirroring of data and services across several locations
  • Backup of the Internet connections and routers to prevent lengthy downtimes
  • ECC memory on all servers to detect memory errors, data modifications, and data loss
  • Microsoft System Data Protection Manager agent installed on every server
  • Backup via DPM Storage at least once per day
  • Windows Backup + iSCSI LUNs
  • Important services are monitored by network tools and report failing services, downtimes, DoS and DDoS attacks.
  • Secured server room
  • Protection socket boards in the server room
  • Regular inspection of the electrical equipment by a specialist company
  • Fire and smoke alarms, fire-extinguishing equipment
  • Emergency plans and crisis management
  • Firewall with antivirus and intruder detection, protection, and prevention (AV/IDS/IDP, Zywall Security Gateway)
  • ESET Mail Security for Exchange to safeguard the e-mail server against spam, viruses, ransomware, scams, etc.
  • ESET Security Antivirus on all computers as endpoint user protection with ESET Remote Administration Console
  • ClamAV open source Antivirus for the protection of the network servers and storage
  • Periodic system updates managed via WSUS
  • Active Directory Group Policy for all computers

3.2 Recoverability

Measures, which allow for the availability of personal data and the access to it to be quickly restored after a physical or technical incident: All data is protected against loss via periodic backups. Different tools allow for this data to be recovered with minimal effort in the event of physical or technical incidents. Specific measures are:

  • Backup & recovery concept
  • Backup via DPM Storage at least once per day
  • Windows Backup + iSCSI LUNs

4 Procedures for Regular Testing, Assessment, and Evaluation (Art. 32(1)(d) of GDPR; Art. 25(1) of GDPR)

4.1 Data Protection Management

  • Employee training courses in data protection
  • Obligation of the employees to the confidential handling of personal data
  • Nomination of a data protection officer
  • Employee guidelines for the handling of personal data
  • Maintaining a record of processing activities within the meaning of Art. 30(1)(2) of GDPR
  • Implementation of a data protection management system

4.2 Processing Control

Measures, which ensure that personal data that is processed in the order can only be processed according to the instructions of the client within the meaning of Art. 28 of GDPR:

  • Clear contract design
  • Formalized order management
  • Selection of the contractor under careful consideration
  • Written instructions to the contractor via the data processing contract
  • Obligation of the contractor to confidentiality
  • Continuous supervision of the contractor and their activities

Rights of Data Subject

1
Right to Confirmation

The data subject of the processing of personal data has the right, granted by European directives and regulations, to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. If the data subject wishes to exercise their right to confirmation, they shall contact the controller's employee at any time.

2
Right of Access to Personal Data

The data subject of the processing of personal data has the right, granted by European directives and regulations, to obtain the stored personal data concerning them as well as a copy of this information from the controller free of charge and at any time. Furthermore, European directives and regulations grant the data subject access to the following information:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • The right to lodge a complaint with a supervisory authority
  • Where the personal data are not collected from the data subject: any available information as to their source
  • The existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Furthermore, the data subject has the right to be informed as to whether the personal data are transferred to a third country or to an international organization. If this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

If the data subject wishes to exercise their right to access, they shall contact the controller's employee at any time.

3
Right to Rectification

The data subject of the processing of personal data has the right, granted by European directives and regulations, to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Furthermore, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If the data subject wishes to exercise their right to rectification, they shall contact the controller's employee at any time.

4
Right to Erasure (Right to Be Forgotten)

The data subject of the processing of personal data has the right, granted by European directives and regulations, to obtain from the controller the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay, where one of the following grounds applies and unless the processing is not necessary:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • The data subject withdraws consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) of GDPR, and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of GDPR.
  • The personal data have been unlawfully processed.
  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of GDPR.

If one of the conditions mentioned above applies and the data subject wishes to request the erasure of the personal data stored at Dlubal Software, they may contact the controller's employee at any time. The employee of Dlubal Software will arrange for the erasure to be complied with immediately.

Where Dlubal Software as the controller has made the personal data public and is obliged pursuant to Art. 17(1) of GDPR to erase the personal data, Dlubal Software, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, these personal data, unless the processing is not necessary. The employee of Dlubal Software GmbH will arrange the necessary measures in individual cases.

5
Right to Restriction of Processing

The data subject of the processing of personal data has the right, granted by European directives and regulations, to obtain from the controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
  • The data subject has objected to processing pursuant to Art. 21(1) of GDPR pending verification as to whether the legitimate grounds of the controller override those of the data subject.

If one of the conditions mentioned above is met and the data subject wishes to request the restriction of the personal data stored at Dlubal Software, they may contact the controller's employee at any time. The employee of Dlubal Software will arrange for the processing to be restricted.

6
Right to Data Portability

The data subject of the processing of personal data has the right, granted by European directives and regulations, to receive the personal data concerning them that they have provided to a controller, in a structured, commonly used, and machine-readable format. Furthermore, the data subject has the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Point (a) of Art. 6(1) or Point (a) of Art. 9(2) of GDPR, or on a contract pursuant to Point (b) of Art. 6(1), and the processing is carried out by automated means, unless this processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising their right to data portability pursuant to Art. 20(1) of GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible, and unless it does not adversely affect the rights and freedoms of others.

To exercise the right to data portability, the data subject may contact the Dlubal Software employee or any other employee.

7
Right to Object

The data subject of the processing of personal data has the right, granted by European directives and regulations, to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on Art. 6(1), (e) or (f) of GDPR. This also applies to profiling based on those provisions.

In case of an objection, Dlubal Software will no longer process the personal data, unless we demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed by Dlubal Software for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. Where the data subject objects to Dlubal Software's processing for direct marketing purposes, the personal data shall no longer be processed by Dlubal Software for such purposes.

Furthermore, where the personal data are processed by Dlubal Software for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) of GDPR, the data subject, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may contact the Dlubal Software employee or any other employee. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.

8
Automated Individual Decision-Making, Including Profiling

The data subject of the processing of their personal data has the right, granted by European directives and regulations, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller; or (2) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests; or (3) is not based on the data subject's explicit consent.

In case the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is based on the data subject's explicit consent, Dlubal Software as the data controller shall implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

If the data subject wishes to exercise their right concerning the automated individual decision-making, they shall contact the controller's employee at any time.

9
Right to Withdraw Consent to Privacy Policy

The data subject has the right, granted by European directives and regulations, to withdraw their consent to the processing of personal data concerning them at any time.

If the data subject wishes to exercise their right to withdraw consent, they shall contact the controller's employee at any time.

Newsletter

1
Purpose

The Dlubal Software website provides users with the opportunity to subscribe to our company's newsletter. We use a newsletter to inform our customers, interested parties, and business partners at regular intervals about:

  • New products
  • Practical tips
  • Product recommendations
  • New services
  • Exclusive promotions
  • Vouchers
  • Useful / free services
  • Interesting projects designed with Dlubal Software
  • Current trends

2
Subscription to Our Newsletter

The input window used for this purpose indicates which personal data are transmitted to the controller when subscribing to the newsletter. In principle, the data subject can only receive the newsletter of our company if (1) the data subject has a valid email address, and (2) the data subject has subscribed to the newsletter. For legal reasons, a confirmation email is sent to the email address entered for the first time by the data subject, using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address, as the data subject, has authorized the newsletter subscription.

3
Data Collection for Subscription

When registering a new newsletter subscription, we save the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of subscription, as well as the subscription date and time. This data collection is necessary to be able to trace the (possible) misuse of the email address of the data subject at a later point in time, and thus it is used by the controller as a legal protection.

The personal data collected when subscribing to the newsletter are only used to send our newsletter. Furthermore, newsletter subscribers may be informed by email if necessary for the operation of the newsletter service or a corresponding registration (for example, if changes are made to the newsletter offer or to the technical conditions).

The personal data collected as part of the newsletter service are not transmitted to third parties, except to our legally independent Dlubal branches in the shared customer management system (CRM).

4
Withdrawal of Consent at Any Time

The data subject can cancel the subscription to our newsletter at any time. The consent to store the personal data given to us by the data subject for the purpose of sending the newsletter may be withdrawn at any time. To withdraw consent, every newsletter contains a corresponding unsubscribe link. It is also possible to unsubscribe from the newsletter at any time directly on the website of the controller, or to inform the controller in another way.

5
Newsletter Tracking

The Dlubal Software newsletter contains tracking pixels. A tracking pixel is a miniature graphic that is integrated in emails sent in HTML format to enable log file recording and analysis. This allows for a statistical evaluation of the success or failure of the online marketing campaigns. Using the integrated tracking pixel, Dlubal Software may recognize whether and when an email was opened by the data subject, and which links in the email were accessed by the data subject.

These personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the controller in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to the interests of the data subject. These personal data will not be transmitted to third parties. The data subjects may withdraw the separate declaration of consent given via the double opt-in procedure at any time. After the withdrawal, the personal data will be deleted by the controller. Dlubal Software automatically interprets newsletter unsubscription as a withdrawal.

6
Newsletter as Product Recommendations and Practical Tips

As a Dlubal customer or recipient of our services (that is, using a demo, trial, or student version), you will receive newsletters from us as product recommendations and practical tips. In this case, you will receive our newsletter regardless of whether you have subscribed to it. In this way, we want to inform you about products from our offer that may be of interest to you, based on your recent purchases from us. You will also find useful tips on using our software here.

If you no longer wish to receive any newsletters or any promotional messages from us, you may object at any time. Please address your objection in writing (for example, by email, fax, letter) to our contact address or unsubscribe on the Newsletter Subscription page. Of course, you will also find an unsubscribe link at the end of each newsletter.

The legal basis is Art. 6(1)(f) of GDPR and Art. 7(3) of the German Act Against Unfair Competition (UWG).

Use and Support of Dlubal Programs

1
Purpose

As part of the use of Dlubal programs, personal data may be processed which are required to process the application questions, to resolve possible problems in the current or future versions, or to implement desired functionalities in future versions.

2
Legal Basis of Processing

The legal basis for the processing is Chap. II, Art. 6(1)(b) of GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

3
Authorization File

The authorization file contains the company name or username as well as the address of the company or the user. The Author.ini file contains specific information about the product key and is necessary for the software licensing. The registered company name or username as well as the address are also preset in the printout report header.

4
Data Collection in History, Project Manager, and Windows Information

A full Windows username is saved in the history of an RFEM/RSTAB file.

The following data are saved in an RFEM/RSTAB file and shown in the Project Manager:

  • Full Windows username
  • Used add-on module
  • Date of creation and modification
  • Processing time
  • Customer number

By installing a plug-in for the Windows Explorer, the username as well as the date of creation and modification of a file are also visible there.

5
Data Collection in Windows System Information

By using the "System Diagnoses" function, the MSInfo32 tool by Microsoft may carry out a computer analysis and generate system information. By clicking the "System Info" button, the Windows System Information is opened and saved as a file.

This file contains the information about hardware resources, components, and software environment related to the respective user.

6
Data Processing by Support and Quality Management

Users of Dlubal Software may use different channels to send us their requests: by phone/fax, email, or by using a form on our website (Ask Individual Question / Submit Program Feature or Idea / Report Problem or Program Issue).

The data submitted with your request are first processed in our CRM system in order to handle the request.

The following data are processed in our development database (NetGenium), if required for processing the request:

  • User-related data
    • Company name
    • Customer number
    • Contact person name
    • If necessary, email address
  • Hardware
    • Operating system
  • Software
    • Program
    • Version
    • Problem description
  • Files
    • File Name
    • Models, screenshots

7
Data Transfer and Recipients

These personal data are transmitted to our legally independent Dlubal branches in the shared CRM system and development database (NetGenium). More information about the Dlubal locations is available at:

Dlubal Software Locations

Furthermore, our software development provider can access these personal data in our shared development database (NetGenium).

Depending on the user's country, the request may also be transmitted to our local authorized resellers, who are responsible for request processing.

More information about the Dlubal resellers is available at:

Authorized Resellers

8
Data Security

The personal data are exclusively transferred via the HTTPS encryption or a VPN connection.

9
Using Log Files

Your satisfaction with the Dlubal programs is our top priority. The new program generation RFEM 6 and RSTAB 9 allows you to send log files to our company via online registration. We use this to better analyze and improve our programs for your applications. By default, this setting is activated under the program options. However, you can rescind your consent in the programs at any time.

Crash Report

1
Purpose

If a Dlubal program closes unexpectedly, users have the possibility to send us a report with files and a description. The information about the program crash is transmitted in order to support the user in solving the issue or to resolve it in future versions.

2
Legal Basis of Processing

The legal basis for the processing is Art. 6(1)(b) of GDPR, as the crash report is only sent upon the user's active request.

3
Data Collection when Sending Crash Report

By sending a crash report, the following data are transmitted to us:

User-related data

  • Customer number and address as shown in the standard report header
  • Dongle number
  • Email address, if entered by the user
  • Description of the problem, if entered by the user
  • Program run-time
  • Number of previous crashes, if this can be determined
  • Information as to whether the crash was likely caused by the graphics driver
  • Number of previous crashes presumably caused by the graphics driver

Hardware

  • Exact CPU type
  • Graphics card, including the driver version and date
  • Printer, including the driver version, path, and date

Software

  • Operating system with the exact version number and country code
  • Installed antivirus software, including the update status

Files

Configuration of graphics settings

All RFEM/RSTAB files open at the time of the crash, automatic backup file

  • Name of the user logged in
  • Version number the file was created in
  • Version number the file was last edited in
  • dlubal_parameters_file.txt: a list of attached files
  • dlubal_journal_main.txt: a list of all commands executed since the start of RFEM/RSTAB
  • dlubal_journal_protocol.txt: information about the printout report
  • dlubal_journal_threads.txt: a list of all running threads
  • Data.*: transfer files for the computational kernel
  • RFEM*.dmp or RSTAB*.dmp: memory dump
  • DLInstaller_*.log: information about the interfaces
  • Migration_CurrentUser_*.log: a list of all installed Dlubal Software programs
  • Migration_Init_*.log: a log file about customizing databases during the installation
  • MsiInstaller_*log: a log file about the installation process

dlubal_diagnostic.txt

  • Hardware information
    • Motherboard
    • CPU
    • Storage
    • Graphics Card
  • Software information
    • Drive letters
    • Operating System
    • User Rights
    • Installed printer drivers
  • Content of the registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\DLUBAL\<program>\<version number>\64-bit)
  • Content of the folder (C:\Program Files\Dlubal\<program> <version number>\)
  • Content of the folder (C:\Program Files (x86)\Common Files\Dlubal\ImportExport\RX-Common.NET\)

dlubal_description.txt

  • User-related data
    • Customer number and address as shown in the standard report header
    • Dongle number
    • Email address, if entered by the user
    • Description of the problem, if entered by the user
    • Program run-time
    • Number of previous crashes, if this can be determined
    • Information as to whether the crash was likely caused by the graphics driver
    • Number of previous crashes presumably caused by the graphics driver
  • Hardware
    • Exact CPU type
    • Graphics card, including the driver version and date
    • Printer, including the driver version, path, and date
  • Software
    • Operating system with the exact version number and country code
    • Installed antivirus software, including the update status

4
Data Transfer and Recipients

These personal data are transmitted to our legally independent Dlubal branches in the shared development database (NetGenium). More information about the Dlubal locations is available at:

Dlubal Software Locations

Furthermore, our software development provider can access these personal data in our shared development database (NetGenium).

5
Data Security

The personal data mentioned above are transferred exclusively via the HTTPS encryption.

Zendesk Chat

1
Purpose of Zendesk Live Chat

On our website, we use Zendesk Chat, a live chat software by the US company Zendesk Inc. In this software, the messages and data received via live chat are processed and documented. Zendesk Chat is used for the purpose of direct communication in real time (live chat) with visitors to the website itself.

Each time a page of our website that includes the Zendesk chat component is accessed, this component collects data for the purpose of operating the live chat system and analyzing the operation of the system.

2
Legal Basis

The processing is carried out on the basis of Art. 6(1)(f) of GDPR in compliance with our legitimate interest in direct and customer-friendly communication.

By using the Zendesk chat, you consent to the processing of the data collected about you in the manner described and for the stated purpose. You can rescind your consent at any time.

3
Scope of Data Collection by Zendesk

Zendesk chat shows the user whether one of our employees is currently online so that they can provide an immediate answer to your questions. If you use our live chat system, the data you provide will be saved to answer your questions. The collected data include:

  • Chat history
  • Entered name
  • IP address
  • Country of origin
  • Pages visited
  • Duration of the visit to the pages
  • Other personal information, depending on the information provided (for example, email address, phone number)

It is possible to enter contact details such as name, phone number, and email address in order to facilitate the contact. Such data are not passed on to third parties and are only used to process and document the requests.

Zendesk, Inc, 1019 Market Street San Francisco, CA 94103, has submitted to the EU-US Privacy Shield, which guarantees compliance with the EU data protection levels.

You can find more information about data processing by Zendesk in Zendesk's trust center at https://www.zendesk.com/trust-center and in Zendesk's privacy policy at https://www.zendesk.com/company/agreements-and-terms/privacy-notice.

You will find further information here about your rights in this regard to protect your privacy: https://www.zendesk.com/company/agreements-and-terms/privacy-notice

If you have any questions, you can also contact Zendesk directly: privacy@zendesk.com.

4
Scope of Data Collected by Dlubal Software

As a provider of Zendesk chat, we are able to

  • Restrict, suspend, or terminate your access to the services,
  • Access and process your personal data provided to Zendesk,
  • Access and export your personal data processed by Zendesk, and
  • Modify your personal information, including your end-user profile.

The processing of the personal data entered in the Zendesk chat window is carried out for the direct processing of sales and support inquiries, as well as other questions via Zendesk chat. The chats you have conducted, including the email address (if provided), are passed on to our CRM system via our development database (NetGenium) in order to be able to process sales and support inquiries as well as other questions. Chats that have been carried out are recorded and saved there; if possible, they are assigned to the relevant contact person and the respective company using the specified email address.

5
Data Security

As part of the online helpdesk, you communicate via an encrypted Internet connection. This prevents unauthorized third parties from accessing the contents of the online helpdesk.

6
Data Transfer and Recipients

Your personal data in chat, including the email address (if provided), are accessible to our legally independent Dlubal locations in our shared CRM system and the development database (NetGenium). More information about the Dlubal locations is available at:
https://www.dlubal.com/en-US/company/contact/dlubal-locations/usa

Furthermore, our software development provider can access these personal data in our shared development database (NetGenium).

Hyvor Talk

1
General

This website uses the Hyvor Talk provider as a comment function. The comments and other exchanged data are securely stored within the Hyvor Talk system. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).

2
Purpose of Comment Platform Hyvor Talk

We use Hyvor Talk as a comment and feedback system on our website. This allows our visitors to post questions, comments, and remarks on almost all of our websites. We can start discussions on different topics. This way, we encourage an exchange with each other. Visitors also have the opportunity to give feedback, send us new ideas, and leave us interesting suggestions. We also support our community in sharing by providing this tool.

3
Hyvor Contact Details

The company responsible for this platform is Hyvor, No 130, Green Mount State, Madawa, Pilessa, Kurunegala, Sri Lanka. More information: https://hyvor.com/about.

4
Scope of Transmitted Data

Dlubal Software agrees that the following data will be transmitted to Hyvor using Hyvor Talk:

  • Website URL: used in the console and in emails
  • Website identifier: used to identify each website individually
  • Length of the user's stay
  • User's reading behavior: whether or not the user scrolled down to read the comments

5
Data Storage

Hyvor Talk only collects the information that is necessary for the operation of the comment platform. Hyvor Talk stores the length of the user's stay (not personally identifiable) for analysis purposes. In addition, the company only saves the user's IP address if they leave a comment. The IP address is one of the most important metrics for moderators to block the IP address of spammers. Hyvor does not use IP addresses for any other purpose. When someone (a guest, Hyvor, or SSO) posts a comment on the website, the user's current IP address is saved, which is visible to the website's moderators. This is commonly used to block IP addresses of spammers.

6
More Information

Hyvor provides more information about its privacy policy at https://talk.hyvor.com/docs/privacy.

PayPal as Payment Method

1
Application and Use of PayPal

The controller has integrated components of PayPal on this website. PayPal is an online payment service provider. Payments are processed via PayPal accounts, which represent virtual private or business accounts. PayPal is also able to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed using an email address, which is why there are no classic account numbers. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also acts as a trustee and offers buyer protection services.

2
Privacy Policy - PayPal as Payment Method #2

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

3
Privacy Policy - PayPal as Payment Method #3

If the data subject selects "PayPal" as the payment method during the ordering process in our online shop, the data of the data subject will be automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transfer of their personal data required for payment processing.

4
Privacy Policy - PayPal as Payment Method #4

The personal data transmitted to PayPal are usually first name, last name, address, email address, IP address, phone number, mobile phone number, or other data that are necessary for payment processing. The personal data related to the respective order are also required to process the purchase contract.

5
Privacy Policy - PayPal as Payment Method #5

The purpose of transmitting the data is to process payments and to prevent fraud. The controller will transmit personal data to PayPal in particular if there is a legitimate interest in the transfer. The personal data exchanged between PayPal and the controller may be transmitted by PayPal to credit reporting agencies. The purpose of this transfer is to check your identity and credit history.

6
Privacy Policy - PayPal as Payment Method #6

PayPal may pass on personal data to affiliated companies and service providers or subcontractors, insofar as this is necessary to fulfill contractual obligations or the data are to be processed on behalf of the company.

7
Privacy Policy - PayPal as Payment Method #7

The data subject has the option to withdraw their consent to the handling of personal data at any time. The withdrawal does not affect the personal data that need to be processed, used, or transmitted for (contractual) payment processing.

8
Privacy Policy - PayPal as Payment Method #8

The applicable privacy policy of PayPal can be found at https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

Contact Us

In case of any questions regarding our privacy policy and the processing of your personal data, please do not hesitate to contact us. You can contact our internal data protection officer directly or send us an email to [email protected].

Our data protection officer is also the competent contact person for all your inquiries, suggestions, or concerns related to the privacy policy.