Data Protection Information of JENOPTIK Smart Mobility Solutions

The responsible Data Controller is:
JENOPTIK Robot GmbH
Opladener Strasse 202
40789 Monheim am Rhein
Germany

Phone: +49 2173 3940-0
E-mail: traffic-solutions@jenoptik.com
www.jenoptik.com

Represented by the managing director: Tobias Deubel
Commercial register at Amtsgericht Düsseldorf, HRB 47032

Data Protection Officer of JENOPTIK Robot GmbH
- personally -
Opladener Strasse 202
40789 Monheim am Rhein
Germany
E-mail: dataprotection.sms@jenoptik.com

1. Scope of the processing of personal data

We only process our users' personal data to the extent necessary to provide our services.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the fulfilment of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
The processing of the data may also be necessary for the performance or exercise of an employment relationship, so that Section 26 BDSG (Bundesdatenschutzgesetz) is the legal basis for this.
As a manufacturer of traffic measurement systems and provider of services, we are contractors, and the processing of personal data takes place on the basis of a data processing agreement with our customers or clients.

3. Data erasure and storage duration

The user's personal data will generally be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject, in particular due to retention obligations. Finally, the storage period is also determined by the statutory limitation periods, which can be up to thirty years in accordance with Sections 195 et seq. of the German Civil Code (BGB), for example, whereby the regular limitation period is three years. Under certain circumstances, your data must also be stored for longer, e.g. if this is ordered by the authorities or a court. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract. In case of a contractual relationship, data is stored in accordance with the contractual agreement and the client's instructions. Further information can be found in the respective description of the processing below.

1. Description and scope of data processing

If customers, experts or legal advisors have technical enquiries about our products and services, they can do so via the email address provided on the website. This email will then be transferred to our support ticket system.
The following data is processed:
Customer name, customer number, customer contact data, contact person data (title, contact details), as well as all ticket data (content, date, time, processor, status, attachments, product, product location, interactions, comments); contact data of other third parties required for ticket processing.

2. Legal basis for data processing

In the customer relationship, the legal basis for the processing of personal data is, the contractual relationship and/or a contract processing agreement.
In the case of enquiries from experts or legal advisors, the legal basis for processing is either their (implied) consent in accordance with Art. 6 para. 1 lit. a GDPR or a balancing of interests in accordance with Art. 6 para. 1 lit. f GDPR.
If third-party data is transmitted to us without a legal basis, this data will be processed in accordance with the order processing agreement and the information documented here. Accordingly, you as the user or our contractors are solely responsible for this personal data. Therefore, please ensure that all personal data of third parties is also deleted or anonymised (redacted) in documents sent as attachments.

3. Purpose of data processing

The purpose of data processing is the proper processing of enquiries, as well as the fulfilment of our performance obligations from e.g. orders, warranty rights, repairs, delivery obligations etc.
These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

The personal data is deleted or anonymised as soon as it is no longer required to achieve the purpose; this is the case when the contractual obligation has expired or the ticket has been closed and the content is not required for further customer enquiries. As a rule, and unless other legal regulations contradict this, personal data in the tickets will be deleted or anonymised five years after the ticket has been closed. Documents attached to the ticket will be deleted no later than 30 days after the ticket has been closed.

5. Possibility of objection and removal

The collection of data for the provision of the ticket system and the storage of data in log files is absolutely necessary for the operation of the system. Consequently, the user has no option to object.

Description and scope of data processing

If remote access to a system (measuring system or software solution) is required to process the support enquiry, this will be requested from the customer. Jenoptik and its employees will not establish a connection to the measuring systems and access them remotely without the express consent of the customer.
We use the TeamViewer software solution for remote access. Please see the data protection information under: TeamViewer data protection information
No personal data is transferred to other networks, changed or deleted by our support staff during remote access.

If we process data in third countries (countries outside the EU/EEA) or transfer it to companies in third countries, we will only do so if there is a legal basis for doing so. The level of data protection and the regulations in these countries may not meet European standards. In this respect, there is a theoretical risk that your data may be processed by authorities for control and monitoring purposes without you having any legal recourse. However, we will endeavour to take all necessary measures to provide an appropriate level of protection. If there is no adequacy decision by the Commission pursuant to Art. 45 GDPR for the third country concerned, i.e. there is no adequate level of data protection in the third country, we will ensure through contractual arrangements (EU standard contractual clauses on data protection) or other suitable guarantees within the meaning of Art. 46 GDPR that your privacy and your personal data are also protected in an appropriate and legally provided manner in the company in the third country.

When selecting the IT solutions used for ticket processing, we have ensured that data storage takes place within the EU. Data may only be transferred outside the EU for internal support requests from software providers. However, no customer data is transferred for this purpose.

There remain risks associated with the transmission over which we have no influence (e.g. no equivalent data protection regulations, data subject rights or local supervisory authorities), which we hereby expressly point out once again.

JENOPTIK Robot GmbH uses technical and organisational security measures to protect your personal data collected by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments. We also use external service providers for the processing of our services, which we have carefully selected and commissioned in writing. They are bound by our instructions and are regularly monitored by us. The necessary order processing contracts have been concluded with the service providers in accordance with Art. 28 GDPR.

If your personal data is processed, you as the data subject have the following rights vis-à-vis the controller. To assert your rights below, please use the contact details provided at the beginning.
You have the right:

• to request information from us about the personal data stored about you (Art. 13, 14 GDPR - right to information);
• to obtain access to and a copy of your personal data (right of access Art. 15 GDPR);
• Request rectification and erasure of the processing of your data (Art. 16, 17 GDPR - right to rectification and erasure); the right to rectification also includes the right to complete incomplete personal data, including by means of a supplementary declaration;
• to request the restriction of the processing of your personal data (right to restriction of processing, Art. 18 GDPR);
• to request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit it or have it transmitted to another controller without hindrance (right to data portability, Art. 20 GDPR);
• to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on the legitimate interests pursued by us or by a third party. Your personal data will then no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims (right to object, Art. 21 GDPR);
• to lodge a complaint with any data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of data relating to you infringes the GDPR or other data protection law.
• to withdraw your consent to the processing of your personal data at any time in accordance with Art. 6 para. 1 lit. a) GDPR. Exercising the right to withdraw consent does not affect the lawfulness of processing in the past.

The competent supervisory authority for JENOPTIK Robot GmbH is the Landesbeauftragte für Datenschutz und Informationsfreiheit NRW, Kavalleriestraße 2-4, 40213 Düsseldorf.

Status: 11/2023