In the following, we would like to inform you about the collection and processing of your data in connection with the business relationship with OpenSynergy and your rights in this regard.

1. Controller. The controller within the meaning of the General Data Protection Regulation (GDPR) for the data processing described below is OpenSynergy GmbH, Rotherstraße 20, 10245 Berlin (“OpenSynergy”, “We”), info(at)opensynergy.com.

2. Data Protection Officer. If you have any questions about data protection at OpenSynergy, you are welcome to contact our data protection officer by e-mail to datenschutz(at)opensynergy.com . We expressly point out that if you use this e-mail address, the contents will not be viewed exclusively by our data protection officer. If you wish to exchange confidential information, we therefore ask that you first contact us via this e-mail address.

3. Data processing in connection with the business relationship with OpenSynergy. As part of the business relationship with OpenSynergy, we also process personal data about you or your employees.

3.1 Business contacts. To manage our business contacts, we process information about your company (in particular address, branches if applicable, authorized representatives and their contact details, summarized below: Company data) as well as information about the respective contact persons (in particular names, position, professional contact information, summarized as follows: Contact data) and any communication with you. We manage the data with the help of the CRM tool Salesforce from the provider salesforce.com Germany GmbH, Erika -Mann- Straße 31-37, 80636 Munich. We use this data to be able to reach the right contact person when you contact us, to process your requests and orders appropriately and to maintain our business relationship. The legal basis is Art. 6 para. 1 lit. b GDPR. The data will be stored for the duration of the business relationship. We may also use the data for other purposes if or as long as the law permits further storage for certain purposes, including the defense of legal claims.

3.2 Contract documents, orders, order management and invoicing. As part of contract fulfilment, order processing and invoicing, we collect information on offers, orders and invoice items as well as details of bank details. Contact details of contact persons may also be processed in this context. The legal basis is Art. 6 para. 1 lit. b GDPR. The data is stored for the duration of the business relationship, but at least for the duration of the statutory accounting obligations. We will then delete the data immediately, unless we still need the data until the statutory limitation period expires for evidence purposes for civil law claims, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of your data in the specific individual case. For evidence purposes, we must retain contractual data in particular for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period. In addition, contract documents must be kept for six years in accordance with Section 147 (1) No. 2, 3 / No. 5 AO, unless they qualify as accounting documents within the meaning of Section 147 (1) No. 4 AO, in which case a retention period of 8 years applies. After termination of the contractual relationship, we will review the contractual documents and delete them in accordance with the aforementioned deletion periods or anonymize them insofar as they contain personal data.

3.3 Compliance risk analysis screening. In order to identify and defend against any compliance risks, we check your company for any incidents that could lead to a breach of legal requirements on our part when initiating a new business relationship and also during the course of an existing business relationship. For this purpose, your company data is entered into software solutions, such as the Third Party Tracker of PwC LLC, or export screening solutions, in order to be informed in good time if there is a risk in the collaboration. As a rule, no personal data is processed in this context. Should personal data nevertheless be processed, the legal basis for this processing activity is Art. 6 para. 1 lit. f GDPR. Our legitimate interest here lies in particular in minimizing risk by complying with legal prohibitions and avoiding sanctions. The data is stored for a period of 10 years, starting at the end of the year of the audit, in accordance with Art. 6 para. 1 lit. f GDPR for documentation and verification purposes in order to ward off any criminal prosecution of our company. Where possible, the data is anonymized before it is stored.

3.4 Project management and customer service. For the provision of contractually agreed services, for the documentation of product delivery and for project communication and monitoring, we process your company data as well as the contact details of your employees listed under point 3.1 who are responsible for the project or have submitted a service request. We use a Jira ticket system for data processing, which is provided by the software provider Atlassian Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia. We use this data in the context of service requests or project communication in order to be able to reach the appropriate contact person when you contact us, to process your requests and orders appropriately and to maintain our business relationship. The legal basis is Art. 6 para. 1 lit. b GDPR. The data will be stored for the duration of the business relationship. We may also use the data for other purposes if or as long as the law permits further storage for certain purposes, including the defence of legal claims.

4. Credit rating information. If necessary, we will obtain creditworthiness enquiries about your company from the credit agency Dun & Bradstreet Deutschland GmbH. This query helps us to better assess your liquidity in order to minimize default risks. The credit agency transmits the following data to us as part of the credit check: Company name, DUNS, address, rating and the associated parameters used to calculate the rating. Under certain circumstances, personal data of the management may be included. We will extract this data where possible so that no further data processing takes place. The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. f GDPR. We have carried out the balancing of interests required here, with the result that we have a legitimate interest in checking the creditworthiness of our business partners before entering into a business relationship in order to avoid bad debts. The data is stored in anonymized form for a period of 6 years, starting at the end of the year of the check, in accordance with Art. 6 para. 1 lit. f GDPR for documentation and verification purposes.

5. Product liability and warranty. In order to check legal and contractual claims, we may need information about the contractual products and their use as well as details of invoices. The legal basis is Art. 6 para. 1 lit. b and c GDPR in conjunction with the relevant national legal basis. The data will be stored for a further six months after completion for documentation purposes, but at least for the duration of the statutory accounting obligations. After completion, the data is generally stored for up to three years for documentation and evidence purposes or, in individual cases, for longer if this is necessary for legal prosecution or enforcement or the fulfilment of statutory retention obligations.

6. Controlling and reporting. We also use information on orders and invoice items for internal cost and performance accounting, controlling and internal reporting, which we use for corporate management and planning. In principle, no personal data is processed in this context; if this should nevertheless happen, the legal basis is Art. 6 para. 1 lit. f GDPR. We have carried out the necessary balancing of interests, with the result that we have a legitimate interest in data processing. Our legitimate interests consist of the following aspects: In order to work economically and to be able to compete with other companies, we are required to constantly check whether and to what extent we are covering our costs and whether there is a need for optimization in certain business processes or in our cost calculation. In particular, we can organize our personnel requirements planning on the basis of the processing and align the recruitment of new employees accordingly.

7. Online meetings via “Teams”. We use “Teams” to conduct online meetings, conference calls and/or webinars (hereinafter collectively referred to as “Meetings”). Teams is software from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”), which is available as a desktop, web and mobile app. It is used by us in particular for holding digital conferences with business partners.

The legal basis for data processing for the organization of meetings via Teams is our legitimate interest in the effective organization of meetings in accordance with Art. 6 para. 1 lit. f GDPR. We have carried out the necessary balancing of interests, with the result that we have a legitimate interest in processing personal data on a voluntary basis, for example to present our products and technologies, establish partnerships, agree contract terms and much more. Insofar as the meetings are held in the context of existing contractual relationships with you, the legal basis is Art. 6 para. 1 lit. b GDPR. We are not responsible for further data processing on the Teams product website, where the desktop software can be downloaded and the web app can be used.

The following data may be processed during a meeting:

• Subscriber details: display name if applicable, first name, surname, telephone, e-mail address, password (encrypted for authentication), profile picture;
• Metadata: Meeting topic and description, IP address, participant’s phone number, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, duration of audio, video and screen sharing time;
• When using chat or channel messaging: Text data for display and logging if necessary;
• For audio use: Recording data of the microphone;
• When using video: Recording data of the video camera;
• For recordings: Audio, video and screen sharing for storage in the cloud / Microsoft Stream;
• For phone usage: incoming and outgoing phone numbers, country name, start and end time, other connection data if applicable, such as the IP address of the device.
  • Prior to a meeting, you must register via our website or by e-mail. Your registration data will be processed by us. Before the meeting, you will receive a confirmation email with an invitation link or a calendar appiontment.
  • To participate in a meeting, you must at least provide your name and – in the case of telephone use – your telephone number, unless we enable anonymous participation in meetings. In the latter case, we will inform you of this possibility of anonymous participation in the course of the invitation. You can deactivate the transmission via microphone and camera at any time via the corresponding settings. We only record meetings or log text data with your consent and prior notification. Microsoft stores and uses the metadata to enable us to analyze and report on the use of Teams.

Microsoft may obtain knowledge of the above-mentioned data as part of the order processing in order to process it. All data traffic is encrypted (MTLS, TLS or SRTP) and always takes place on European servers. In the event that data is nevertheless processed in the USA, we have concluded EU standard contractual clauses with Microsoft.

You can find more information in the

8. Promotional use and newsletter. We use your company data and contact details and, if applicable, details of previous orders to send you further information relevant to you about our products and services, as well as related news, promotions and offers. We will send you this information by post or e-mail. To contact you, we will use the contact details you have provided. The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG to safeguard our legitimate interests, in particular direct advertising, the need-based design of our services, the strengthening of our customer loyalty and the promotion of our business. You can object to the use of your data for advertising purposes at any time by sending a message to the contact details specified in section 1 (e.g. by email or letter). We also offer the OpenSynergy newsletter, which informs you regularly about our technologies, products and solutions and their possible applications. You can unsubscribe from the newsletter at any time using the unsubscribe-link contained in every newsletter. An informal message to the contact details given under point 1 or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. a GDPR.
9. Recipient. As a matter of principle, contact data is processed exclusively by OpenSynergy and is not passed on to third parties. Exceptionally, data will be passed on to third parties if this is required by law or is mandatory (e.g. as part of a tax audit by the tax authorities or as part of money laundering prevention). In certain cases, it is necessary to pass on your data to third parties in order to protect your or our interests or to fulfil our contractual obligations. Such disclosure occurs in particular when we involve external service providers in our internal processes. In these cases, the service provider is bound by instructions and only receives data to the extent and for the period required to provide the services. We also pass on the contact data to our local sales partners (independent regional representatives, subsidiaries and branch offices of OpenSynergy) in order to provide the best possible support for your concerns.

In addition, we regularly transfer your personal data to other recipients who process your personal data under their own responsibility. These are in particular

• Public bodies – against the background of legal regulations (e.g. authorities, courts),
• Credit institutions, payment service providers – as part of contract settlement,
• Credit agencies – in the context of checking potential contractual partners,
• Tax consultants, lawyers or auditors who work for us,
• Postal service provider – in the context of general correspondence with you.

10. Data transfer to third countries. As already explained in this data protection notice, we use services from providers that are partly located in so-called third countries, i.e. in countries whose level of data protection does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the data transfer on exceptions to Art. 49 GDPR, in particular on your express consent or the necessity of the transfer for the fulfilment of the contract. In the event of a transfer to a third country without an adequacy decision or suitable guarantees, there is the possibility and risk that authorities of the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it and that the enforcement of your data subject rights is not guaranteed.

11. Duration of storage. The general storage period of the data is shown above for the individual cases. In addition, we generally only store personal data for as long as is necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need the data until the statutory limitation period expires, for evidence purposes for civil law claims or due to statutory retention obligations. For evidence purposes, we must retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the usual statutory limitation periods. Even after this time, we must still store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG) and the German Money Laundering Act (GwG). Correspondence that is considered a commercial or business letter within the meaning of § 147 para. 1 no. 2 AO is kept for six years from the end of the calendar year in which the business letter was received or sent. Accounting documents are kept for eight years from the end of the calendar year in which the accounting transaction took place (§ 147 para. 1 no. 4 AO, § 257 para. 1 no. 3 HGB). In addition, we retain other documents that are relevant for taxation purposes for six years from the end of the calendar year in which the documents were created (Section 147 (1) No. 5 AO).

12. Your rights. You have various rights under data protection law. You have the right at any time to request information about which data we process about you and to have this corrected if necessary. You can also request the deletion of your data. You can also have the processing of your personal data restricted if, for example, the accuracy of the data is disputed by you or object to the processing if this is based on our legitimate interests. You also have the right to data portability. Finally, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You can assert this right, for example, with a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. The competent supervisory authority for us is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstraße 219, 10969 Berlin.