Version
4.0
2
/
9
If
processing
of
personal
data
is
necessary
for
compliance
with
a
legal
obligation
to
which
the
controller
is
subject,
Article
6,
para.
1
point
(c)
of
the
GDPR
serves
as
the
legal
basis.
In
the
event
that
vital
interests
of
the
data
subject
or
another
natural
person
make
processing
of
personal
data
necessary,
Article
6,
para.
1
point
(d)
of
the
GDPR
serves
as
the
legal
basis.
If
the
processing
is
necessary
to
protect
a
legitimate
interest
of
the
controller
or
a
third
party
and
the
interests,
fundamental
rights
and
freedoms
of
the
data
subject
do
not
outweigh
the
first-mentioned
interest,
Article
6,
para.
1
point
(f)
of
the
GDPR
serves
as
the
legal
basis
for
the
processing.
For
any
transfer
to
a
third
country,
the
processing
shall
be
carried
out
in
compliance
with
the
principles
pursuant
to
Article
44
et
seq.
of
the
GDPR.
3.
Data
deletion
and
duration
of
storage
The
personal
data
of
the
data
subject
will
be
deleted
or
blocked
as
soon
as
the
purpose
of
the
storage
ceases
to
apply
or
a
given
consent
is
revoked
by
the
data
subject,
or
the
processing
is
objected
to.
In
addition,
storage
may
take
place
if
this
has
been
provided
for
by
the
European
or
national
legislator
in
Union
regulations,
laws
or
other
provisions
to
which
the
controller
is
subject.
The
data
will
also
be
blocked
or
deleted
if
a
storage
period
prescribed
by
the
aforementioned
standards
expires,
unless
there
is
a
need
for
further
storage
of
the
data
for
the
conclusion
or
performance
of
a
contract.
4.
Data
transfer
to
non-secure
third
countries
The
European
General
Data
Protection
Regulation
(GDPR)
requires
that
the
transfer
of
personal
data
that
is
already
being
processed
or
is
to
be
processed
after
its
transfer
to
a
third
country
or
an
international
organisation
is
only
permitted
if
a
level
of
data
protection
comparable
to
the
requirements
of
the
GDPR
is
guaranteed.
In
other
words,
if
it
is
ensured
that
the
provisions
of
the
GDPR
are
complied
with
-
this
may
include,
for
example,
the
existence
of
an
adequacy
decision
by
the
EU
Commission
within
the
meaning
of
Art.
45
para.
1,
3
GDPR
or
the
introduction
of
internal
company
data
protection
regulations
approved
by
a
supervisory
authority
(so-
called
‘appropriate
safeguards’,
Art.
46
para.
2,
3
GDPR).
If
there
is
no
level
of
data
protection
comparable
to
the
requirements
of
the
GDPR,
there
may
be
risks
associated
with
processing
in
a
third
country.
Risks
of
a
transfer
to
a
non-secure
third
country:
Personal
data
could
possibly
be
passed
on
by
the
provider
to
other
third
parties
beyond
the
actual
purpose
of
order
fulfilment,
who
could
use
the
data
for
advertising
purposes,
for
example.
In
addition,
it
is
probably
not
possible
to
effectively
enforce
any
data
subject
rights
against
the
provider.
There
may
be
a
higher
probability
that
incorrect
data
processing
may
occur,
as
the
provider's
technical
and
organisational
measures
for
the
protection
of
personal
data
do
not
fully
meet
the
requirements
of
the
GDPR
in
terms
of
quantity
and
quality.
It
is
also
possible
for
government
agencies
to
access
the
personal
data
provided
without
the
data
subject
being
aware
of
this.
In
principle,
this
also
corresponds
to
the
European
legal
regulations,
e.g.
for
the
purpose
of
security.
However,
the
admissibility
threshold
for
such
data
processing
is
higher
in
the
European
Union
than
in
the
country
of
the
data
recipient
concerned.
In
summary,
there
is
no
level
of
data
protection
comparable
to
the
requirements
of
the
GDPR
in
non-secure
third
countries.
In
our
DataPortal,
we
use
tools
from
providers
whose
headquarters
or
the
headquarters
of
the
parent
company
(or
its
affiliates)
are
located
in
a
third
country
from
a
data
protection
perspective.
We
also
transfer
data
to
the
USA.
The
transfer
of
data
to
the
USA
is
permitted
if
the
recipient
is
certified
under
the
‘EU
-
US
Data
Privacy
Framework’
(DPF)
or
has
suitable
additional
guarantees.
The
DPF
is
an
(individual)
agreement
between
the
European
Union
and
the
USA,
which
is
intended
to
ensure
compliance
with
European
data
protection
standards
for
data
processing
in
the
USA.
Every
DPF-certified
company
undertakes
to
comply
with
these
data
protection
standards.
The
list
of
certified
companies
can
be
found
at:
https://www.dataprivacyframework.gov/list.
There
you
can
search
for
the
provider
name
and
view
the
certification
directly.
If
data
is
transmitted
to
a
provider
that
is
certified
in
accordance
with
the
DPF,
you
will
find
a
separate
notice
from
the
respective
service
provider.
II.
Rights
of
the
data
subject
If
we
process
personal
data
of
you,
you
have
the
following
rights
as
a
data
subject
against
us
as
a
data
controller:
Version
4.0
8
/
9
4.
Duration
of
storage,
possibility
of
objection
and
elimination
The
data
is
deleted
as
soon
as
it
is
no
longer
required
to
achieve
the
purpose
for
which
it
was
collected.
This
is
the
case
for
data
collected
during
the
registration
process
for
the
fulfillment
of
a
contract
or
for
the
implementation
of
pre-contractual
measures
when
the
data
is
no
longer
required
for
the
implementation
of
the
contract.
Even
after
the
conclusion
of
the
contract,
it
may
be
necessary
to
store
personal
data
of
the
contractual
partner
in
order
to
fulfill
contractual
or
legal
obligations.
If
the
data
is
required
for
the
performance
of
a
contract
or
for
the
implementation
of
pre-contractual
measures,
early
deletion
of
the
data
is
only
possible
insofar
as
contractual
or
legal
obligations
do
not
prevent
deletion.
VIII.
Subcontracting
relationships
–
Information
on
subcontractors
used
by
the
DataPortal
operator
The
DataPortal
uses
services
of
several
subcontractors,
which
are
carefully
selected
and
used
by
the
DataPortal
operator.
In
order
to
ensure
a
continuously
updated
overview
of
the
services
and
subcontractors
used,
the
operator
of
the
DataPortal
provides
an
up-
to-date
overview
with
the
required
information
on
the
subcontractors
used
under
the
following
link
https://dataportal.proemion.com/#!/subprocessors
.
This
will
be
updated
regularly
if
the
use
of
the
services
changes.
IX.
Requesting
an
offer
1.
Description
and
scope
of
data
processing
On
the
DataPortal,
you
can
request
a
quote
for
a
service
or
a
product.
If
you
choose
this
option,
the
information
entered
in
the
form
is
stored
and
forwarded
to
Proemion.
T
he
following
data
is
generally
requested
and
stored
by
Proemion:
(1)
Name
(2)
First
name
(3)
E-mail
address
(4)
Phone
number
(5)
Company
information:
Name,
Address,
Region
(European
Union
/
other),
if
EU:
VAT
ID
(6)
Invoice
contact:
name,
first
name,
Email
address
(7)
Addition
al
information
(not
required)
:
Annual
machine
production,
Annual
potential
TCUs,
Primary
Industry
of
machines.
Your
consent
to
process
the
data
will
be
required/obtained
during
the
requesting
process.
Reference
will
be
made
to
this
privacy
policy.
If
you
purchase
goods
or
services
on
our
DataPortal
and
enter
your
e-mail
address,
we
may
subsequently
send
you
a
newsletter
to
this
e-mail
address.
The
newsletter
is
only
used
to
send
direct
advertising
for
our
similar
products
or
services
in
this
event.
Transfer
to
a
third
country:
The
data
collected
via
the
aforementioned
mask
to
request
an
offer
may
be
transferred
to
a
service
provider
located
in
a
third
country.
Processing
of
personal
data
thus
also
takes
place
in
a
third
country.
The
service
provider
is
certified
in
accordance
with
the
‘EU
-
US
Data
Privacy
Framework’
(DPF).
Further
information
on
the
DPF
can
be
found
in
this
data
protection
information
under
‘I.
General
information
on
data
processing
-
4.
Data
transfer
to
a
third
country
or
an
international
organisation’.
Further
information
on
the
provider's
DPF
can
be
found
at
the
following
link
https://www.dataprivacyframework.gov/list
.