Datenschutz

Data Protection Information for the Collection and Processing of Personal Data

INVENIO RESPECTS YOUR PRIVACY AND PERSONAL SPHERE

The protection of your personal data is important to us. According to the EU General Data Protection Regulation (GDPR), we are obliged to inform you about the purpose for which we collect, store or forward data. The information also tells you what rights you have in terms of data protection.

invenio GmbH Engineering Services (hereinafter referred to as 'invenio') is responsible for the central data processing of the following subsidiaries and affiliated companies of invenio AG:

  • invenio AG

  • invenio Automation Solutions GmbH

  • invenio Engineers Karlsruhe GmbH

  • invenio Healthcare Solutions GmbH

  • invenio Meiko Automation GmbH

  • invenio Systems Engineering GmbH

  • invenio Technical Simulations GmbH

  • invenio Virtual Technologies GmbH

Responsible for data processing is:

invenio GmbH Engineering Services
Eisenstraße 9, 65428 Rüsselsheim am Main, Germany
Tel.: +49 (6142) 899-0

You can reach our data protection officer at the following e-mail address:

datenschutzbeauftragter(at)invenio.net

  • Collection and processing for communication purposes

  • Collection and processing for the preparation of an offer

  • Collection and processing for the performance of the contract

  • Collection and processing within the framework of legal obligations

  • Collection and processing for the establishment and maintenance of an employment relationship

The legal basis for the processing of your data is:

Art. 6 para. 1 lit a GDPR, provided you have given us your consent. The data is stored until you, as the person concerned, request its deletion.

Art. 6 para. 1 lit. b GDPR, for the fulfilment of the contract or pre-contractual measures.

Art. 6 para. 1 lit. f GDPR, on the basis of the legitimate interest of the controller, insofar as this does not conflict with the fundamental rights and freedoms of the data subject.

The data that we process on the basis of Art. 6 para. 1 lit. b, Art. 6 para. 1 lit. f is deleted as soon as it is no longer required for the purpose of its processing, unless deletion is not possible due to legal retention periods and further processing is mandatory according to Art. 6 para. 1 lit. c GDPR or you have given us your consent to store your data beyond this in accordance with Article 6 para. 1 lit. a GDPR or this is necessary for the assertion, exercise and defence of legal claims in accordance with Art. 17 para. 3 lit. e GDPR.

Special category data according to Art. 9 GDPR is only processed if you have given us your voluntary consent, which can be revoked at any time, according to Art. 6 para. 1 lit. a, in conjunction with Art. 9 para. 1 lit. a GDPR. Art. 9 para. 1 lit. a GDPR.

Recipients of your personal data are order processors, tax consultants, auditors, registration authorities such as the tax office.

Possible recipients in the event of legal disputes may be associations, lawyers, debt collection service providers, public prosecutors, courts or other authorities.

The data is collected by the above-mentioned subsidiaries and affiliated companies of invenio AG.

Your personal data will not be transferred to third countries.

There is no automated decision making or profiling.

We would like to inform you below about the processing of personal data in connection with the use of 'Microsoft Teams'/'Microsoft Skype' and 'GoToMeeting', hereinafter referred to as Tool.

We use the respective tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: 'online meetings'). Microsoft Teams'/'Microsoft Skype' is a service of Microsoft Corporation, 'GoToMeeting' is a service of LogMeIn Ireland Unlimited Company.

Note:

If you access the website of 'Microsoft Teams', 'Microsoft Skype', 'GoToMeeting', the respective provider mentioned above is responsible for the data processing. However, accessing the website is only necessary for the use of the tool in order to download the software for the use of the tool.

If you do not want to or cannot use the tool's app, you can also use the tool via your browser. The service will then also be processed via the website of the respective provider mentioned above.

What data is processed?

When using the tool, various types of data are processed. The scope of the data also depends on the data you provide before or during participation in an 'online meeting'.

The following personal data are subject to processing:

User details:

For example, display name, e-mail address if applicable, profile picture (optional), preferred language

Meeting metadata:

For example, date, time, meeting ID, phone numbers, location

Text, audio and video data:

You may have the option of using the chat function in an 'online meeting'. In this respect, the text entries you make are processed in order to display them in the 'online meeting'. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the applications.

Scope of processing:

We use the above tools to conduct 'online meetings'. If we want to record 'online meetings', we will inform you transparently in advance and – where necessary – ask for consent.

The chat content is logged when using the tool. We store the chat content for a period of one month. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

Automated decision-making within the meaning of Art. 22 GDPR is not used.

Legal bases of data processing:

Insofar as personal data of invenio employees are processed, § 26 BDSG is the legal basis for the data processing. If, in connection with the use of 'Microsoft Teams', 'Microsoft Skype', personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of 'Microsoft Teams', 'Microsoft Skype', Art. 6 para. 1 lit. f) GDPR is the legal basis for data processing. In these cases, our interest lies in the effective implementation of 'online meetings'.

Furthermore, the legal basis for data processing when conducting 'online meetings' is Art. 6 para. 1 lit. b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships.

If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. Again, our interest is in the effective conduct of 'online meetings'.

Recipient/disclosure of data:

Personal data processed in connection with participation in 'online meetings' will generally not be disclosed to third parties unless it is intended for disclosure. Please note that the content of online meetings, as well as face-to-face meetings, is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

Other recipients:

The above-mentioned providers of the tool necessarily receive knowledge of the above-mentioned data insofar as this is provided for in the context of our order processing contract with the provider.

Data processing outside the European Union:

Data processing is generally carried out by Microsoft Ireland, LogMeIn Ireland and thus in data centres within the European Union (EU).

US companies that have been classified as 'Electronic Communication Service Providers', such as Microsoft or possibly LogMeIn, are required to provide personal information to US authorities such as the NSA (US National Security Agency). Intelligence collection powers such as Section 702 FISA and Executive Order 12 333 enable this. This results in the risk for individuals that it cannot be ruled out that US authorities (e.g. intelligence agencies) process, evaluate and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities

Based on these findings, the ECJ ruled on 16 July 2020 in its judgment C-311/18, "Schrems II", that there is no adequate (equivalent) level of data protection in the USA as in the EU. With this ruling, the EU Commission's adequacy decision was overturned and the EU-US Privacy Shield agreement based on it, which until then legitimised the transfer of personal data from the EU to the USA, was declared invalid.

Our contractual partners are therefore Microsoft Ireland and LogMeIn Ireland. However, due to the Cloud Act, there is a possibility that European subsidiaries of American parent companies that have been classified as 'Electronic Communication Service Providers', such as Microsoft or possibly LogMeIn, may have to guarantee US authorities access to stored data, even if the storage does not take place in the USA.

We therefore point out that a data transfer of your personal data to an insecure third country (USA), for which no adequacy decision exists and appropriate safeguards are lacking, may take place.

 

Right to information:

As a data subject, you have the right to request confirmation from the responsible body as to whether personal data relating to you are being processed. If this is the case, you as the data subject have the right to obtain information about this personal data.

Right to retification, erasure or restriction:

As a data subject, you have the right to have any incorrect data processed by us corrected. You also have the right to request the deletion or restriction of the processing of your data. If parts of the data are subject to a legal or official obligation to retain data, the data subject to the obligation to retain data will be blocked instead of deleted. You can assert your rights by post or by e-mail.

Right to data portability:

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as it is technically feasible.

Right to object to processing:

As a data subject, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR. In individual cases, exercising your right to object may mean that you can no longer make use of the services we offer. You can exercise your right of objection by post or by e-mail.

Right of complaint to the supervisory authority:

As a data subject, you have the right to lodge a complaint with the competent supervisory authority if you do not agree with this request for information or the type of data processing.

The contact details of the competent supervisory authority for data protection are:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden

Poststelle(at)datenschutz.hessen.de

Would You like to contact us?

Gladly we are at your disposal for any questions! 

TOP