Inflectra is considered the “data controller” for its website as defined within the GDPR. The following agreement applies solely to personal data held within the Inflectra website, and support help desk.
If you have GDPR-related questions about our cloud hosted services instead, please consult our Inflectra Cloud Hosting Terms of Service (ToS), which describes our responsibilities as “data processor” for our customers who act as “data controller” for the contracted services.
Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:
For use of the Inflectra website, the data subject either:
It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.
When you use the Inflectra website, Inflectra is acting as the data controller for the personal data we receive from you when you access our website to learn about Inflectra and our products/services, and from you as a paying customer, using our website to manage your contracted service with us.
Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data are used for (Article 7; defined in Article 4). Consent for children[16] must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.
Inflectra obtains the following personal information with your consent on our website:
The Right of Access (Article 15) is a data subject right.[20] This gives citizens the right to get access to their personal data and information about how these personal data are being processed. A Data Controller has to provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the Data Controller has to inform the data subject of details about the processing, such as what the purposes of the processing are (Article 15(1)(a)), with whom the data are shared (Article 15(1)(c)) and how it acquired the data (Article 15(1)(g)).
As described in section (3), depending on how you interact with our website, and what consent you have given, Inflectra may have the following personal data stored about you:
If you as a user of our website request that we provide you a copy of your personal data in writing by means of our website or support help desk, upon verification of the request being genuine, we will provide your personal information in an industry standard format such as Excel, XML, or CSV that will allow you to use it somewhere else.
A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[21][22] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
If you as a user of our website request that we delete your personal data in writing by means of our website or support help desk, upon verification of the request being genuine, we shall erase or obfuscate all requested personal data within a reasonable time (not to exceed five (5) business days). Should this request result in the inability for Inflectra to provide a contracted service (for example hosting a subscription of our software for you) we will inform you of the potential impact prior to performing the erasure.
In addition, visitors to the website who are not contracted customers will have their personal data erased automatically after two (2) years if they do not continue to interact with the website or emails sent from Inflectra.
A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that have been sufficiently anonymized are excluded, but data that have only been de-identified but remain possible to link to the individual in question, such as by him or her providing the relevant identifier, are not.
If you as a user of our website request that we provide you a copy of your personal data in writing by means of our website or support help desk, upon verification of the request being genuine, we will provide your personal information in an industry standard format such as Excel, XML, or CSV that will allow you to use it somewhere else.
Data protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default and that technical and procedural measures should be taken by the controller in order to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data are only processed when necessary for each specific purpose.
Inflectra has designed the security of its infrastructure used for providing its website in layers that build upon one another, from the physical security of data centers, to the security protections of hardware and software, to the processes used to support operational security. This layered protection creates a strong security foundation for the website.
In addition, Inflectra maintains certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework for its website, which provides the legal mechanism for transfers of personal data outside the EU and Switzerland.
Records of processing activities must be maintained that include purposes of the processing, categories involved and envisaged time limits. These records must be made available to the supervisory authority on request (Article 30).[26]
As outlined in sections (3) and (4) we have documented our data processing activities and will provide such records to the supervisory authority upon request.
Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours after having become aware of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
Inflectra will report to the Supervisory Authority (SA) within 72 hours, as well as to affected users once we have determined there has been a data breach in our website.
Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the data controller or data processor to monitor internal compliance with this Regulation.
Inflectra does not, as its core activity, handle the data processing of operations that require regular and systematic monitoring of the data subjects; therefore, Inflectra does not have a formal Data Protection Officer.
In the case where the Data Controller or Data Processor is not established in the EU, the GDPR representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are (Article 27(4) GDPR).
In this context, 'representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
Inflectra has officially designated the following legal person to be its GDPR representative:
DATIS IT-Services
Weberstraße 2
68165 Mannheim
Germany
The contact person at DATIS is as follows:
Ralf Kurzhals
+49 621 72703-942
Ralf.kurzhals@datis.de