The data controller, within the meaning of the European General Data Protection Regulation (GDPR) and other national data protection laws of member states, as well as for any other data protection regulations, is:
Software AG – Stiftung
Am Eichwäldchen 6
Tel.: +49 6151 916 65-0
Name and Address of the Data Protection Officer
The Data Protection Officer for the data controller is:
Management Consulting for Data Protection and IT Security
Mecklenburger Str. 2a
Tel.: +49 152 33655830
General Data Processing
Scope of Processing of Personal Data
We process the personal data of our users only insofar as required in order to provide a functional website as well as to provide content and services. Processing of the personal data of our users regularly takes place only after consent of the user. An exception is made in cases where obtaining prior consent is impossible for factual reasons and data processing is permitted by legal regulation.
Legal Basis for Processing Personal Data
Insofar as we obtain the consent of the affected persons for the processing of personal data, Art. 6 (1)(a) of the European General Data Protection Regulation (GDPR) forms the legal basis.
In the processing of personal data for fulfilling a contract, of which the affected person is a contractual partner, Art. 6 (1)(b) GDPR forms the legal basis. This applies also to data processing that is required to carry out pre-contractual measures.
Insofar as processing of personal data is necessary for fulfillment of a legal obligation on the part of our organization, Art. 6 (1)(c) GDPR forms the legal basis.
In the event that the vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1)(d) GDPR forms the legal basis.
Where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, then Art. 6 (1)(f) GDPR forms the legal basis for data processing.
Data Deletion and Duration of Data Storage
The personal data of the data subject are deleted or blocked as soon as the purpose for data storage no longer exists. Data storage may also take place when this is required by European or national legislators in EU regulations, laws or other regulations to which the controller is subject. Blocking or deleting data may also take place when the statutory data storage deadlines stipulated in the above-mentioned regulations expire, unless there is a requirement for further data storage for the purpose of closing or fulfilling a contract.
Provision of a Website and Creation of Log Files
Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information about the computer system of the accessing computer.
The following data are collected:
Information about the browser type and browser version
The user’s operating system
The user’s internet service provider
The user’s anonymous IP address
Date and time of access
Websites from which the user accessed our website
Websites that the user’s system accesses via our website
These data are also stored in the log files of our system. Excluded are the IP address of the user or other data that would allow identification of the user via his data. We do not store this data in combination with other personal data of the data subject.
Legal basis for data processing
Legal basis for the temporary storage of data and log files is Art. 6 (1)(f) GDPR.
Purpose of Data Processing
The temporary storage of the IP address by our system is necessary in order to allow the user’s computer to access our website. For this purpose, the user’s IP address must be saved for the duration of the session.
Storage in log files enables us to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. In this context, we do not carry out any evaluation of the data for marketing purposes.
For these purposes, we have a legitimate interest in data processing according to Art. 6 (1)(f) GDPR.
Duration of Storage
The data are deleted as soon as they are no longer required for the purpose for which they were collected. In the case of data collection to enable website provision, this is the case when the respective session ends.
In the case of data storage in log files, this is the case after 7 days, at the latest. Storage beyond this period is possible; in this case, the IP address of the user is deleted or anonymized so that it is not possible to identify the accessing client.
Possibility of Objection and Removal
Collection of data for website provision and the storage of data in log files are essential for provision of the website. There is no possibility for the user to object.
a) Description and scope of data processing
In this way, the following data (for example) could be transmitted:
Entered search terms
Frequency of page access
Use of website functionalities
The user data collected in this way are anonymized by the use of technical precautions. Thus, it is no longer possible to use the data to identify the accessing user. The data are not stored together with any other personal data of the user.
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies for analysis purposes is the consent of the user, according to Art. 6 (1)(a) GDPR.
c) Purpose of data processing
The user data collected through the use of technically necessary cookies are not used to create user profiles.
The use of analysis cookies is for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used, and are able to continually improve our offering.
These purposes constitute a legitimate interest in personal data processing according to Art. 6 (1)(a) GDPR.
d) Duration of storage, possibility to object or to request deletion
Web Analysis via Matomo (formerly PIWIK)
Scope of the processing of personal data
On our website, we use the open-source software tool Matomo (formerly PIWIK) to analyze the browsing behavior of our users. The software places a cookie on the user’s computer (for more on cookies, see above). When individual pages of our website are accessed, the following data are stored:
- Two bytes of the IP address of the accessing user’s system
- The website page accessed
- The website from which our website was accessed (referrer)
- The sub-pages that are accessed from the website
- Duration of time on the website
- Frequency of website access
The software runs only on the servers of our website. Storage of personal data of the user occurs only there. No data is transmitted to third parties.
The software is set up so that the IP address is not stored in full; instead, 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to associate the shortened IP address with the accessing computer.
If you do not agree with the storage and evaluation of your data from your website visit, you can object. In this case, a so-called “opt-out cookie” is placed on your browser, which results in Matomo being blocked for you.
Please click here to block Matomo tracking.
Legal basis for the processing of personal data
Legal basis for the processing of personal data is Art. 6 (1)(f) GDPR.
Purpose of Data Processing
The processing of personal data of the data subject enables us to analyze the user’s browsing behavior. Through evaluation of the collected data, we are able to compile information about the use of the individual components of our website. This helps us to continually improve our website and its usability. These purposes constitute a legitimate interest in data processing according to Art. 6 (1)(f) GDPR. The anonymization of the IP address sufficiently protects the interests of the user in the protection of their personal data.
Duration of storage
The data are deleted as soon as they are no longer needed for our recording purposes. In our case, this is after 180 days.
Possibility for Objection or Removal
We offer our website users the option of opting out of the analysis process. To do so, they should access the link provided. This will set another cookie on your computer that signals our system not to store the user's data. If the user later deletes the corresponding cookie from his own system, he must set the opt-out cookie again.
You can find more information about the privacy settings of Matomo software here: https://matomo.org/docs/privacy/.
Rights of the Data Subject
The following list covers all rights of data subjects according to GDPR. Rights that are not relevant to our website do not need to be named. Thus, the list may be shortened.
If your personal data are processed, you are a “data subject” in the meaning of GDPR, and you have the following rights vis-a-vis the data controller:
Right to Information
You may ask the data controller to confirm whether we are processing personal data that pertains to you.
If such processing takes place, you have a right to information from the controller, as follows:
(1) The purposes for which personal data are being processed;
(2) The categories of personal data that are being processed;
(3) The recipients or categories of recipients to whom personal data has been transmitted or will be transmitted;
(4) The planned duration of storage of your personal data or, in case specific information is not possible, criteria for determining the duration of storage;
(5) The right of correction or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) The existence of a right to complain to a supervisory authority;
(7) All available information on the source of the data, if the personal data are not collected from the data subject;
(8) The existence of automated decision-making, including profiling under Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
You have the right to demand information about whether your personal data is transmitted to a third-party country or to international organizations. In this context, you can demand information regarding appropriate guarantees according to Art. 46 GDPR, in the context of the data transmission.
Right to data correction
You have the right to the correction and/or completion of the data vis-a-vis the data controller, insofar as your processed personal data are inaccurate or incomplete. The data controller must undertake the correction without undue delay.
Right to Restriction of Processing
Under the following conditions, you can demand the restriction of the processing of your personal data:
(1) If you contest the correctness of your personal data for a period of time that allows the controller to verify the accuracy of your personal data;
(2) The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) The controller no longer needs your personal data for the purposes of data processing, but you need the data for the purposes of asserting, exercising or defending legal claims; or
(4) If you have objected to processing pursuant to Art. 21 (1) pending the verification whether the legitimate grounds of the controller override your own interests.
If the processing of personal data concerning you has been restricted, this data may only be used – aside from storage – with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If data processing is restricted according to the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.
Right to Erasure
You may demand that the controller delete your personal information without delay, and the controller is required to delete that information immediately if one of the following is true:
(1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent, which is required for data processing according to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR, and there is no other legal ground for data processing.
(3) You object to data processing according to Art. 21 (1) GDPR, and there are no prior justifiable reasons for data processing, or you object to data processing according to Art. 21 (2) GDPR.
(4) Your personal data have been processed unlawfully.
(5) The deletion of your personal data is required to fulfill a legal obligation under EU law or the law of the Member States to which the controller is subject.
(6) Your personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1).
Information given to third parties
If the controller has made your personal data public and is obligated to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure of data does not exist as long as data processing is necessary:
(1) For exercising the right of freedom of expression and information;
(2) For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) For reasons of public interest in the area of public health, according to Art. 9 (2)(h) and (i) and Art. 9 (3) GDPR;
(4) For archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Art. 89 (1) GDPR, to the extent that the law referred to in paragraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
(5) To assert, exercise or defend legal claims.
Right to Information
If you exercise your right to data correction, erasure, or restriction vis-a-vis the controller, he is obligated to inform any recipients of your personal data regarding this correction or erasure of data, or restriction of its use, unless this proves impossible or requires unreasonable effort.
You have the right to be informed about these recipients by the controller.
Right to Data Portability
You have the right to receive the personal data that you have shared with the controller in a structured, commonly used, machine-readable format. You also have the right to transfer this data to a third party without hindrance by the controller that provided the personal data, provided that:
(1) Data processing is based on consent according to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or on a contract according to Art. 6 (1)(b) GDPR and
(2) the processing is carried out using automated procedures.
In exercising this right, you also have the right to demand that personal data is directly transferred from the controller to another controller, insofar as this is technically possible. Freedoms and rights of other persons may not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.
Right of Objection
On grounds related to your particular situation, you have the right to object at any time to the processing of personal data relating to you, on the basis of Art. 6 (1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing is for the purposes of asserting, exercising or defending legal claims.
If your personal data are being processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of this type of advertising; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to data processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, in the context of the use of information society services (regardless of Directive 2002/58/EC), of exercising your right to opt-out by means of automated procedures that use technical specifications.
Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply when the decision
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(2) is authorized by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
(3) or is based on the data subject’s explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Art. 9 (1) GDPR unless Art. 9 (2)(a) or (g) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
With regard to the cases mentioned in (1) and (3), the data controller shall take appropriate measures to uphold the rights and freedoms and legitimate interests, including at least the right to obtain the intervention by the controller, to express his/her own position and to appeal the decision.
Right to Complain to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates GDPR.
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of judicial remedy pursuant to Art. 78 GDPR.