Data protection and privacy statement of QSC AG as a website operator

A. Data protection and privacy statement in accordance with GDPR I. Name and contact details of the party responsible

The party responsible in accordance with applicable data-protection rules and other national data-protection laws of EU member states, along with other data-protection regulations is:

QSC AG
Mathias-Brüggen-Str. 55
50829 Köln/Cologne, Germany
T +49 221 6698-000
F +49 221 6698-009
info@qsc.de
www.qsc.de

II. Name and contact details of the data-protection officer

The data-protection officer of the party responsible is:

Thomas Bösel
QSC AG
Mathias-Brüggen-Str. 55
50829 Köln/Cologne, Germany
datenschutzbeauftragter@qsc.de

III. Data processing: general points

1. Scope of personally identifiable data subject to processing

We collect and process our users’ personal data only to the extent necessary for the provision of a functioning website and as required for the supply of our content and services. The collection and processing of users’ personal data is normally exclusively subject to their consent An exception applies in those cases where the applicable circumstances mean that the previous obtaining of such consent would be impossible, although such data are processed as permitted by law.

2. Legal basis for the processing of personal data

Whenever we obtain a person's informed consent for the processing of his or her personal data, the provisions of art. 6, sect. 1, subsection “a” of the EU General Data Protection Regulation (GDPR) shall apply as the legal basis.
If personal data are processed in order to fulfil a contractual agreement to which the person concerned is one of the parties, art. 6, sect. 1, subsection “b” GDPR shall apply as the legal basis. This shall also apply to processing operations that are necessary to implement pre-contractual provisions.
If and insofar as the processing of personal data fulfils a legal obligation to which our company is subject, art. 6, sect. 1, subsection “c” GDPR shall apply as the legal basis.
In the event of vital interests of the person concerned or of another individual requiring the processing of personal data, this shall take place on the legal basis of art. 6, sect. 1, subsection “d” GDPR.
If such processing is required to maintain a legitimate interest of our company or a third party, thereby outweighing the interests, fundamental rights and basic freedoms of the above person or persons, art. 6, sect. 1, subsection “f” GDPR shall apply as the legal basis for such processing.

3. Deletion of data and duration of storage

OThe personal data of the party concerned shall be deleted or blocked as soon as the purpose of their storage no longer applies. Personal data may also be stored if such a provision is envisaged or required by European or national legislators in intra-Community regulations, laws or other rules to which the party responsible is subject. The data concerned shall likewise be saved or deleted as applicable whenever a specific storage period defined by the above standards expires, unless further storage is required to enter into or fulfil a contractual agreement.

IV. Provision of the website and the creation of log files

1. Description and scope of data processing

The following data are collected:

(1) Information about browser type and version
(2) The user’s operating system
(3) This user’s IP address
(4) The date and time of access
(5) Websites from which the user accessed our site
(6) Websites that the user visits via links on our site

These data are also stored in log files on our system. These data are not stored alongside users’ other personal information.

2. Legal basis for data processing

Article 6, sect. 1, subsection “f” GDPR provides the legal basis for the temporary storage of data and log files.

3. Purpose of data processing

Temporary storage of the IP address by the system is required to allow the website data to be delivered to the user’s computer. This requires the user’s IP address to be saved for the duration of the session.

Storage in log files ensures proper functioning of the website. These data also allow us to optimise the website and provide secure protection for our IT systems. Data are not analysed or evaluated for marketing purposes in this context.

These purposes are also defined as our legitimate data-processing interest under the terms of article 6, sect. 1, subsection “f” GDPR.

4. Period held on file

Data are deleted as soon as they are no longer required to fulfil the purpose for which they were collected. In the case of data collected for the provision of website content, this occurs when the session concerned ends.

Data saved to log files are deleted no later than seven days after their collection. Storage for a longer period may be possible. In this case, users’ IP addresses are deleted or anonymised so that it is no longer possible to assign them to the client computers used to call up the website.

5. Possibility of opposition and elimination

A website operator needs to collect data and store them in log files in order to be able to run the website concerned. There is thus no way for users to object to this.

V. Use of cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in or by an Internet browser and then saved to the user’s computer system. A cookie may be saved to a user’s operating system whenever that user visits a website. This cookie contains a characteristic string of characters which serve as a unique browser-identifier whenever the user revisits the website concerned.

Visitors to our website are notified about the use of cookies for the purposes of analysis, and are asked to consent to the processing of their personal data for use in this context. The notification also includes a reference to this data protection and privacy statement. We do not currently use cookies for the purposes of analysis.

b) Legal basis for data processing

Article 6, sect. 1, subsection “a” GDPR provides the legal basis for our processing, subject to the user's corresponding consent, of personally identifiable data in conjunction with cookies for analysis purposes.

c) Purpose of data processing

We use analysis cookies to improve the quality of our website and its content. Analysis cookies let us know how the website is being used and allow us to keep its content optimised and up to date.

These purposes are also defined as our legitimate interest in the processing of personal data under the terms of article 6, sect. 1, subsection “f” GDPR.

d) Duration of data storage, possibility of opposition and elimination

Cookies are stored on the user’s computer and transferred to our site. This means that you, as the user, have full control over how cookies are used. Modification of the settings on your Internet browser allows you to disable or restrict the transfer of cookies. Previously saved cookies can be deleted at any time. This can also be carried out automatically. However, if you disable all the cookies on our website, you may not be able to access all the features and functions provided or use them to their full extent.

VI. Newsletter

1. Description and scope of data processing

Visitors to our website can subscribe to our free newsletter. The data that you enter in the online newsletter subscription form are transferred to us. You must at least provide an e-mail address.

The following optional registration data may also be collected:

(1) Title or form of address
(2) Last name
(3) First name
(4) Job title
(5) Date and time of registration

We will ask you to provide your consent to data processing during the registration procedure.

2. Legal basis for data processing

Article 6, sect. 1, subsection “a” GDPR provides the legal basis for our processing, subject to the user's consent, of data supplied when subscribing to the newsletter.

3. Purpose of data processing

The user’s e-mail address is collected in order to deliver the newsletter.

Other personally identifiable data collected during the registration process are used to stop services being abused and to prevent any misuse of the e-mail address concerned. QSC must likewise be able at all times to verify that users have consented, in accordance with article 7, sect. 1 GDPR, to their personal data being used in order to send them the newsletter.

4. Period held on file

Data are deleted as soon as they are no longer required to fulfil the purpose for which they were collected. Users’ e-mail addresses (along with optional name, position and title) are then saved for as long as the newsletter subscription remains active.

All other personally identifiable data obtained during the registration process are normally deleted after a waiting period of seven days.

5. Possibility of opposition and elimination

Users can cancel their newsletter subscriptions at any time. Each edition of the newsletter contains a link for this purpose.

VII. Contact form and use of e-mail

1. Description and scope of data processing

Our website contains various contact forms for different information purposes. These can be used for the purposes of online contact. If a user exercise is one of these options, the data entered in the online form are transferred to us and stored. These data are:

Webseite Minimum details Optional details
- These fields are obligatory for the purposes of establishing contact Details that the user may provide voluntarily
Investor Relations E-mail address, first and last name Title or form of address, organisation, telephone/fax number, text of message
Press releases E-mail address, first and last name, editorial team Title or form of address, media organisation, telephone number, reason for enquiry, comments
Customer enquiries E-mail address, first and last name, subject Customer number, contract number, title or form of address, company name, address, telephone/fax numbers
Jobs at QSC Title or form of address, first and last name, postal address, e-mail address, Date of birth, nationality, landline/mobile number, school education and vocational training, studies, work experience, starting date, period of notice, salary expectations, application documents, statement concerning the accuracy of information supplied, extension of data-storage period
Product-specific contact forms for Cloud services, SAP and data-centre services Interested party/customer, area of interest, title or form of address, first and last name, company, address, company size, e-mail address, message Landline/mobile number, desired form of contact

The following data are saved whenever a message is despatched:

(1) User’s IP address
(2) Date and time of registration/logon

We will ask you to provide your consent to data processing during the despatch procedure and refer you to our data-privacy statement.

It is also possible to contact us via the e-mail address posted on our website. In this case, the personally identifiable user details sent along with the message will be saved.

We do not transfer the data concerned to third parties. The data are used exclusively for the processing of the communication concerned.

2. Legal basis for data processing

Article 6, sect. 1, subsection “a” GDPR provides the legal basis for our processing of data subject to the user’s consent.

Article 6, section 1, subsection “f” of DSGVO/GDPR shall provide the legal basis of the processing of data transmitted in the course of e-mail correspondence. If the purpose of this e-mail correspondence is the conclusion of a contractual agreement, processing shall also be subject to article 6, section 1, subsection “b” of the same.

3. Purpose of data processing

We process the personally identifiable data obtained from the online form for the sole purpose of managing the new contact details. Our necessary legitimate interest likewise lies, in the event of contact being made by email, in being able to process the data concerned.
Other personally identifiable data processed during despatch of the message are used solely to prevent misuse of the contact form and safeguard the security of our IT systems.

4. Period held on file

Data are deleted as soon as they are no longer required to fulfil the purpose for which they were collected. In the case of personally identifiable data entered via the online form or sent by e-mail, this applies once the correspondence with the user concerned has ended. Correspondence is considered to be terminated once circumstances make it clear that the matter concerned has been dealt with conclusively.

All other personally identifiable data obtained during the despatch process are deleted after a maximum waiting period of seven days.

5. Possibility of opposition and elimination

Users shall at all times be entitled to withdraw their consent to the processing of personal identifiable data. Users who enter into contact with us by e-mail shall at all times be entitled to oppose the storage of their personal identifiable data. If this occurs, the correspondence concerned cannot continue.

Users may revoke their consent at any time and oppose the processing of their data. This can be done, for example, by e-mailing widerruf@qsc.de.

All personal identifiable data obtained and stored when establishing contact will be deleted in such cases.

VIII. E-commerce (Rack Configurator)

1. Scope of personally identifiable data subject to processing

QSC collects and stores the user's full name, company name, telephone number and e-mail address, along with details of the requested service, whenever a user wishes to obtain specific quote from QSC relating to the user's specific data-centre service requirements. The user may also opt to send QSC a message, the contents of which will be saved by QSC.

2. Legal basis for the processing of personal data

Article 6, sect. 1, subsection “b” GDPR provides the legal basis for the collection and storage of user data.

3. Purpose of data processing

QSC employs these details to draw up a quotation for data-centre services based on the user’s requirements.

4. Period held on file

The user’s data are stored for the duration of the quotation-issuing process.

5. Possibility of opposition and elimination

Users may revoke their consent at any time and oppose the processing of their data. This can be done, for example, by e-mailing widerruf@qsc.de.

IX. Website analysis services

QSC does not currently use analysis services like Matomo, Google Analytics, Google AdWords or Tag Manager.

X. Rights of the person concerned

If your personal data are processed, you are the “person concerned” within the meaning of GDPR, which affords you the following right vis-à-vis the party responsible:

1. Right to access information

You can ask the party responsible to confirm whether your personal data are being processed by us.

(1) The purposes for which your personal data are being processed;

(2) The categories of personal data being processed;

(3) The recipients or categories of recipients to whom your personal data have been or will be disclosed;

(4) The envisaged duration of the storage of your personal data or, if specific details are not available, the criteria used to determine the duration of such storage;

(5) The existence of the right to correct or delete the personal data concerned, the right to restrict their processing by the party responsible, or the right to oppose such processing per se;

(6) The existence of the right to appeal to a supervisory authority;

(7) All available information regarding the origin of personal data not obtained from the person concerned

(8) The existence of automated individual decision-making, including profiling, in accordance with art. 22, sections 1 and 4 GDPR and – at least in these cases – full information on the logic involved and the scope and envisaged consequences of such processing for the person concerned.

You are entitled to demand information on whether your personal data are being transferred to a third-party country or an international organisation. You can in this context demand information on such transfers by application of the corresponding safeguards described in art. 46 GDPR.

2. The right to correction

You have the right, vis-à-vis the party responsible, to demand the correction and/or completion of your personal data that are found to be inaccurate or incomplete. The party responsible undertakes to apply such corrections with immediate effect.

3. The right to restrict the processing of data

You may demand, subject to the following requirements, that the processing of your personal data be restricted:

(1) If you dispute the correctness of your personal data for a duration that allows the party responsible to verify the accuracy of personal data concerned;

(2) Processing is unlawful and you reject the deletion of your personal data, opting instead to demand restrictions on their use;

(3) The party responsible no longer requires the personal data concerned for the purpose of processing, but you still require them to establish, exercise or defend legal claims, or

(4) If you have expressed your opposition to processing under the terms of art. 21, sect. 1 GDPR and it has not yet been established whether the legitimate interests of the party responsible outweigh your grounds for making the request.

If the processing of personal data concerning you has been restricted, these data can then only be processed (other than for your storage purposes) with your consent, and in the following circumstances: to establish, exercise or defend legal claims; to protect the rights of other individuals or legal entities or for reasons of substantial public interest affecting the European Union or one of its member states.

If the restriction on processing is subject to one of the above-mentioned limitations, the party responsible will notify you accordingly before the restriction is lifted.

4. Right to deletion

a) Obligation to delete

You can demand that the party responsible delete your personal data with immediate effect. The party responsible is obliged to do so, provided one of the following conditions applies:

(1) The personal data concerning you are no longer required for the purposes for which they were obtained or otherwise processed.

(2) You revoke your consent under the terms of art. 6, sect. 1, subsection “a” or art. 9, sect. 2, subsection “a” GDPR, and there is no other legal basis for such processing.

(3) You express your opposition to processing under the terms of art. 21, sect. 1 GDPR and there are no legitimate overriding reasons for such processing, or you express your opposition under the terms of art. 21, sect. 2 GDPR.

(4) The personal data affecting you have been processed unlawfully.

(5) The deletion of personal data concerning you is required to fulfil a legal obligation, under the law of the European Union or that of its member states, to which the party responsible is subject.

(6) The personal data concerning you were obtained in relation to the offer of information society services within the meaning of art. 8, sect. 1 GDPR.

b) Information supplied to third parties

If the party responsible has disclosed personal data concerning you and is then obliged to delete such data under the terms of art. 17, sect. 1 GDPR, the party responsible shall, after taking into account the available technology and the cost of implementing appropriate measures (including those of a technical nature), inform the parties engaged to process your personal data that you have demanded, as the person concerned, that they delete all links to such personal data or copies or replications of the same.

c) Exceptions

The right to deletion does not apply if processing is required in the following circumstances:

(1) In order to exercise the right of free expression and access to information;

(2) In order to comply with a legal processing obligation in accordance with the law of the European Union or its member states, to which the party responsible is subject, or which might be required to perform a service in the public interest, or in the exercise of a public function that has been transferred to the party responsible;

(3) For reasons relating to public health within the meaning of art. 9, sect. 2, subsections “h” and “i” and art. 9, sect. 3 GDPR;

(4) If archiving, scientific or historical research or the collection of statistics on grounds of public interest within the meaning of art. 89, sect. 1 GDPR, subject to the rights expressed in subsection “a” of the same law, are likely to be prevented or seriously restricted by such a measure, or

(5) In order to establish, exercise or defend legal claims.

5. Right to be informed

If you have exercised, vis-à-vis the party responsible, your right to correct, delete or restrict processing, that party shall be obliged to notify all parties to whom your personal data have been disclosed regarding this right to correct or delete data or restrict its processing, unless it can be demonstrated that such a step is impossible or that it entails unreasonable expense.

You then have the right to demand that the party responsible notify you regarding these recipients.

6. Your rights regarding data transfer and portability

You have the right to demand that the party responsible supply the personal data concerning you in a standard, structured machine-readable format. You also have the right to transfer these data to another responsible party without interference from the responsible party who originally obtained the personal data concerned, provided

(1) Processing relates to consent within the meaning of art. 6, sect. 1, subsection “a” GDPR or art. 9, sect. 2, subsection “a” GDPR or a contractual arrangement subject to art. 9, sect. 1, subsection “b” GDPR, and

(2) Processing is based on automated procedures.

You are furthermore entitled, when exercising this right, to demand that personal data concerning you be supplied to you directly by a party acting on behalf of another responsible party, insofar as this is technically feasible. This must not affect the liberties or rights of other persons.

The right to data portability does not apply to the processing of personal data required for the performance of a task carried out in the public interest or in the exercise of a public function that has been transferred to the party responsible.

7. Right to object

You have the right at any time, for reasons relating to your specific situation, to oppose the processing of personal data concerning you within the meaning of art. 6, sect. 1, subsections “e” or “f” GDPR. This also applies to provisions based on profiling.

The party responsible will then cease to process your personal data, unless it can be demonstrated that there are valid and legitimate grounds for processing which outweigh your interests, rights or freedoms; or if such processing is required for the establishment, exercise or defence of legal claims.

If personal data concerning you are processed for the purposes of direct advertising, you have the right at any time to oppose the processing of your personal data for advertising of this type. This also applies to profiling, insofar as it was carried out for the purposes such direct advertising.

If you oppose the processing of your data for the purposes of direct advertising, the personal data concerned will no longer be used for this purpose.

You have the option, in connection with the use of information society services (notwithstanding Directive 2002/58/EC), to exercise your right of objection by automatic means based on the technical specifications used.

8. The right to revoke consent previously granted under the terms of data protection legislation

You have the right to revoke at any time your consent previously granted under the terms of data-protection legislation. The withdrawal of consent will not affect the legality of data-processing carried out on the basis of consent granted up to the moment of such revocation.

9. The right to appeal to a supervisory authority

You are entitled, without prejudice to any other administrative or judicial remedies available, to appeal to a supervisory authority, with particular reference to one based in your member state of residence, your place of work or the place where the alleged infringement took place, if you are of the opinion that the processing of personal data concerning you violates the terms of GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant regarding the status and outcome of the complaint, including the possibility of a legal remedy within the meaning of art. 78 GDPR.