DSC Data Protection Directive 

1 Preface

Statutory data protection and security of information are subjects that are becoming ever more important and meaningful for us, our customers, and our partners. As a service partner for software and PLM consultation, we enjoy a high level of trust placed in us by our customers.
However, trust also means responsibility for our actions, for our work, and for our customers’ systems and data. Our customers place their personal and commercial data in our hands and thus all business-critical information.
For us at DSC Software AG, it is particularly important that we handle this data responsibly. We therefore take the subject of statutory data protection very seriously in practice and organize ourselves accordingly.
This directive is intended to help make clear the significance and importance of statutory data protection and also make the subject more transparent to our staff.

2 Responsibilities

Data Protection Officer:

ah-consulting GmbH
Am Sandfeld 17a
76149 Karlsruhe
Phone: +49 721 75 40 88 40
E-Mail: datenschutz@ah-consulting.gmbh
Website: www.ah-consulting.gmbh

3 Aim of Data Protection Directive

Within the framework of its social responsibility, DSC Software AG pledges itself to comply with the GDPR (General Data Protection Regulation).
Protection is a basis for trusting business relationships and the reputation of DSC Software AG.

4 Scope and Amendments of Data Protection Directive

This data protection directive is based on the guidelines of the EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG neu).
The latest version of the data protection directive can be seen on DSC’s homepage (www.dscsag.com/datenschutzrichtlinie).

5 Principles for the Processing of Personal Data

5.1 Legality

During the processing of personal data, the informational self-determination of the person concerned must always be safeguarded. Personal data must be collected and processed lawfully.

5.2 Purpose

The processing of personal data may take place only for purposes defined prior to data collection. Subsequent changes to these purposes are possible to a limited extent only and require a lawful basis.

5.3 Transparency

The person concerned must be informed about the handling of the data. In principle, personal data must be obtained from the person concerned. In the collection of the data, the person concerned must at least be able to recognize the following or be informed about it accordingly:

  • Identity of the authority responsible
  • Purpose of data processing
  • Defined retention periods
  • (Categories of) third parties to whom the data may be transmitted

5.4 Data avoidance and data economy

Before personal data is processed, a check must be made to see whether and to what extent it is needed to achieve the aim expected from the processing. Personal data must not be stored in reserve for potential future purposes unless this is prescribed or permitted by national law.

5.5 Storage and deletion

Personal data no longer needed following the expiry of statutory or business process-related storage periods must be deleted.

5.6 Factual correctness and data relevance

Personal data must be stored correctly, completely, and in an up-to-date status. Appropriate measures must be taken to ensure that irrelevant, incomplete, or obsolete data is deleted, corrected, completed, or updated.

5.7 Confidentiality and data security

Personal data is subject to data secrecy.

It must be treated confidentially in personal contacts and secured by appropriate organizational and technical measures against unauthorized access, unlawful processing or forwarding, as well as accidental loss, alteration, or destruction.

6 Admissibility of Data Processing

The collection, processing and use of personal data is admissible only if one of the following circumstances applies. This is also necessary if the purpose of the collection, processing and use of the personal data is to be changed.

6.1 Customers and partner data

6.1.1 Data processing for a contractual relationship

Personal data may be processed in order to comply with a contract or meet pre-contract measures.

6.1.2 Consent to data processing

Personal data may be processed if the persons concerned give their consent.
For this consent, the person concerned must be informed according to this data protection directive. For purposes of proof, the declaration of consent must be obtained in writing or electronically. In exceptional cases such as telephone consulting, consent may be given verbally, and this must be documented.

6.1.3 Data processing based on legal authorization

Personal data may also be processed if this is necessary for the fulfillment of a legitimate interest of DSC Software AG. Legitimate interests are normally statutory (e.g., enforcement of open claims) or economic (e.g., avoidance of breaches of contract). The processing of personal data based on a legitimate interest must not take place if there is evidence to suggest that the legitimate interests of the person concerned are more important than interest in processing. The legitimate interests must be checked for each act of processing.

6.1.4 Data processing based on legitimate interest

Personal data may also be processed if this is necessary for the fulfillment of a legitimate interest of DSC Software AG. Legitimate interests are normally statutory (e.g., enforcement of open claims) or economic (e.g., avoidance of breaches of contract). The processing of personal data based on a legitimate interest must not take place if there is evidence to suggest that the legitimate interests of the person concerned are more important than interest in processing. The legitimate interests must be checked for each act of processing.

6.1.5 Processing of especially sensitive data

The processing of especially sensitive data may take place only if this is legally necessary or if expressly permitted by the person concerned. This data may also be processed if it is absolutely essential for the assertion, practice or defense of rights against the person concerned.

6.1.6 Automated individual decisions

Automated processing of personal data for the evaluation of individual personality features (e.g., creditworthiness) must not be treated as the exclusive basis for decisions with negative legal consequences or significant impairments for the person concerned. The person concerned must be informed of the fact and the result of an automated individual decision and given an opportunity to make a statement. To avoid wrong decisions, checks – including a plausibility check – by a fellow member of staff must be guaranteed.

6.1.7 User data and internet

If personal data is collected, processed and used on websites or in apps, those concerned must be informed in data protection declarations. The data protection information must be integrated in such a way that the person concerned can easily recognize it, access it immediately, and have it available at all times.
If usage profiles (tracking) are created for assessing behavior in the usage of websites and apps, the persons concerned must be informed about this in the data protection declarations. If tracking takes place under a pseudonym, those concerned must be given the chance to opt out in the data protection declarations.

6.2 Staff Data

6.2.1 Data processing for the working relationship

For the working relationship, the personal data necessary for the justification, execution and termination of the employment contract may be processed.
For the initiation of a working relationship, applicants’ personal data may be processed. Following a rejection, the applicant’s data must be deleted after taking into account periods that have to be proved, unless the applicant consents to further storage for a subsequent selection process. In the existing working relationship, data processing must always relate to the purpose of the employment contract so long as none of the following permission-relevant circumstances apply to the data processing.
If it is necessary during the initiation of the working relationship or in the existing working relationship to collect further data about the applicant from a third party, relevant national statutory requirements have to be taken into consideration. In case of doubt, the consent of the person concerned must be obtained.
For the processing of personal data in the context of the working relationship but not originally needed for the fulfillment of the employment contract, a legal legitimation must exist. This can be statutory requirements, collective regulations with employee representatives, the employee’s consent, or the justified interests of the company.

6.2.2 Data processing based on legal authorization

Personal data may also be processed if national regulations demand, assume or permit data processing. The type and extent of the data processing must be necessary for legally permissible data processing and comply with these regulations. If legal scope exists, the employee’s legitimate interests must be taken into account.

6.2.3 Collective regulations for data processing

If processing exceeds the purpose of the contract implementation, it is nevertheless admissible if it is permitted by a collective regulation. Collective regulations are collective wage agreements or agreements between the employer and employee representatives within the framework of the possibilities of the respective labor law. The regulations must extend to the concrete purpose of the processing desired and can be customized within the frame of the national data protection law.

6.2.4 Consent to data processing

Employee data may be processed if the persons concerned give their consent.
Declarations of consent must be given voluntarily. Involuntary declarations of consent are null and void. For purposes of proof, the declaration of consent must be obtained in writing or electronically. If in exceptional cases circumstances do not permit this, consent may be given verbally, and this must be documented. In the case of an informed voluntary specification of data by the person concerned, consent can be assumed if national law does not prescribe explicit consent. Before declaring consent, the person concerned must be informed in accordance with this data protection directive.

6.2.5 Data processing based on legitimate interest

Personal data may also be processed if this is necessary for the fulfillment of a legitimate interest of DSC Software AG. Legitimate interests are normally statutory (e.g., enforcement, exercise or defense of legal claims) or economic.
The processing of personal data based on a legitimate interest must not take place if there is evidence to suggest that the legitimate interests of the person concerned are more important than interest in processing. The legitimate interests must be checked for each act of processing. Control measures requiring the processing of employee data may only be carried out if a legal obligation or other reasonable grounds exist. If reasonable grounds exist, the reasonableness of the control measure must be checked. The company’s legitimate interests in the execution of the control measure (e.g. compliance with legal provisions and company-internal rules) must be weighed against a possible legitimate interest of the employee affected by the measure in the exclusion of the measure, and such measures may only be carried out if they are appropriate. The company’s legitimate interest and the possible legitimate interests of employees must be determined and documented before any measure is taken. Moreover (if applicable), any other existing requirements according to national law (e.g. codetermination rights of workforce representatives and information rights of the persons concerned) must be taken into consideration.

6.2.6 Processing of especially sensitive data

Especially sensitive data may only be processed under certain conditions. With regard to employee data, especially sensitive data includes data on racial and ethnic origins, religious or philosophical beliefs, union membership, or the health of the person concerned.
Similarly, data concerning legal offences may normally be processed under certain conditions governed by national law.
The processing must be expressly permitted or prescribed on the basis of national law. Additionally, processing can be permitted if it is necessary for the authority responsible to comply with its rights and duties in the field of labor law. The employee can expressly grant consent for processing voluntarily.

6.2.7 Automated decisions

Insofar as personal data in the employment relationship is processed automatically in order to assess individual personality features (e.g. as part of staff selection or the assessment of ability profiles), such automated processing must not be the exclusive basis for decisions with negative consequences or significant impairments for the person concerned.
To avoid wrong decisions, it must be guaranteed in the automated process that a content assessment of the facts is made by a natural person and that this assessment is the basis for the decision. The employee concerned must also be informed of the fact and the result of an automated individual decision and given an opportunity to make a statement.

6.2.8 Telecommunication and internet

Telephone systems, e-mail address, intranet and internet as well as internal social networks are provided by the company primarily as part of the operational assignment. They are working equipment and company resources. They can be used within the scope of current statutory regulations and company guidelines (user agreement IT).
Telephone and e-mail communication, intranet and internet usage are not monitored. To defend against attacks on the IT infrastructure or individual users, protective measures are implemented at the transitions to the DSC network that block technically damaging contents or analyze the pattern of attacks. For reasons of security and traceability, the use of the telephone systems, the e-mail address, the intranet and the internet as well as the internal social networks is logged. Person-related analyses of this data may only be made in the event of a concrete, founded suspicion of a breach of the laws. These controls may only be made in compliance with the principle of proportionality. The analyses do not serve performance recording.

7 Transmission of Personal Data

7.1 Data transmission of personal data

Transmission of personal data to recipients outside or inside DSC Software AG is subject to the admissibility requirements of the processing of person-related data. The recipient of the data must be obligated to use such data exclusively for the defined aims.
In the event of data transmission to a third party within the area of validity of the GDPR or to a third country, the recipient must guarantee a data protection level equivalent to this data protection directive. This does not apply if the transmission takes place on the basis of a statutory obligation. In the event of data transmission from a third party to DSC Software AG, it must be ensured that the data is allowed to be used for the intended purpose.

8 Contract Data Processing

Contract data processing applies when a contractor is commissioned with the processing of personal data but is not made responsible for the related personal data. In such cases, an agreement on contract data processing must be signed with external contractors.
The contractor may only process personal data according to the customer’s instructions. The agreement must ensure compliance with the following conditions, and the department issuing the agreement must ensure compliance in implementation.

  1. The contractor must be capable of guaranteeing the required technical and organizational protective measures.
  2. The agreement must be in writing. The instructions concerning data processing as well as the responsibilities of the customer and the contractor must be documented.
  3. Before the start of data processing, the customer must be convinced that the contractor will comply with the agreement. In particular, a contractor can present suitable certification to prove compliance with data security. Depending on the risk of data processing, checks are to be made regularly during the term of the agreement.
  4. In the case of international contract data processing, the respective national requirements for forwarding personal data to a foreign country must be met. In particular, personal data from the European Economic Area may only be processed in a third country if the contractor can guarantee a data protection level equivalent to this data protection directive.

9 Rights of Persons Concerned

Every person concerned can exercise the following rights. Their enforcement must be ensured promptly by the division responsible and must not lead to any disadvantages for the person concerned.

  1. The person concerned can request information about the data stored, its origin, and the aim of the data storage.
  2. If personal data is transmitted to a third party, information on the identity of the recipient must be provided.
  3. If personal data is incorrect or incomplete, the person concerned can demand its correction or completion.
  4. The person concerned can object to the processing of personal data for the purposes of advertising or market/opinion research. The data must be locked for these purposes.
  5. The person concerned is entitled to demand the deletion of relevant data. Existing statutory storage obligations and legitimate interests that conflict with deletion must be considered.
  6. The person concerned has a right to object to the processing of the data, and this right must be taken into consideration if the person’s legitimate interest outweighs the importance of the data processing. This does not apply if a legal regulation obligates the data processing.

10 Confidentiality of Processing

Personal data is subject to data secrecy. Unauthorized collection, processing or usage by employees is prohibited.
Any data processing undertaken by employees that they have not been authorized to carry out as part of their legitimate duties is unauthorized.
Employees may only be given access to personal data if this is required for their respective tasks. This requires the allocation and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.
Employees may not use personal data for their own private or commercial purposes, forward it to unauthorized persons or make it accessible to such persons in any other manner.

11 Security of Processing

Personal data must be protected against unauthorized access, unlawful processing or transfer, as well as loss, falsification or destruction. Prior to the introduction of new methods of data processing, in particular new IT systems, technical and organizational measures must be taken to define and implement the protection of personal data. These measures must be oriented to the state of the art, the risks of processing, and the protection required by the data.
The technical and organizational measures for protecting personal data are part of company-wide information security and data protection management and must be continually adapted to technical developments and organizational changes.

12 Data Protection Monitoring

Compliance with data protection regulations and the latest data protection legislation is checked regularly through inspections by the Data Protection Officer.
The result of data protection monitoring must be submitted to the company management.

13 Data Privacy Incidents

Every employee must immediately inform the Data Protection Officer, the Data Protection Manager or company management of any incidents of violations of this data protection directive or any other regulations concerning the protection of personal data.

These can be:

  • Unlawful disclosure of personal data to third parties
  • Unauthorized access by third parties to personal data
  • Loss of personal data

In such cases, the reports provided for in the company (Information Security Incident Management: “ISIM”) must be made immediately in order that reporting obligations of data privacy incidents can be fulfilled in accordance with national law.

14 Responsibilities and Sanctions

The company management is responsible for compliance with legal regulations for data protection. It is a company management duty to take organizational, staffing and technical measures to ensure orderly data processing in compliance with data protection and data security. The implementation of these tasks is the responsibility of employees concerned. In the event of data protection inspections by public authorities, the Data Protection Officer must be informed immediately.
Both the Data Protection Officer and the Data Protection Manager are contacts for data protection matters. Both can carry out inspections and familiarize employees with the contents of data protection directives. Company management is obligated to support the Data Protection Officer in his or her activity. Those responsible for business processes and projects must inform the Data Protection Officer before the start of changes to the processing operations of personal data. Company management must ensure that employees are sufficiently trained in data protection. Unlawful processing of personal data or other breaches of the data protection regulations are prohibited and can lead to claims for compensation or damages. Infringements for which individual employees are responsible can lead to labor law sanctions.

15 The Data Protection Officer

15.1 The external Data Protection Officer

The Data Protection Officer is independent and not bound by internal company management instructions, and ensures compliance with the data protection regulations. He or she is supported in this by the Data Protection Manager.
He or she is responsible for supervising the compliance with data protection regulations. The Data Protection Officer informs company management about data protection hazards. Any person concerned can contact the Data Protection Officer with suggestions, queries, requests for information, or complaints about data protection or data security. Queries and complaints are treated confidentially if requested.

These tasks are performed without directions from but in agreement with company management, and if applicable on request by the company division responsible.
The Data Protection Officer is the contact for employees and persons affected in company-internal and external data protection questions. The Data Protection Officer is obliged to maintain confidentiality, if requested by the person concerned, about this person’s identity and the circumstances leading to conclusions about his or her identity. He or she is independent in the execution of his or her duties and has an advisory status.

He or she must be supported by all employees in the fulfillment of his or her duties and must be supplied immediately with all documents required in executing these duties. In particular, the Data Protection Officer must be informed about all data processing methods in which personal data is processed, and, for the consideration of data protection requirements, must be involved immediately in planning and development in the event of procedural changes, new developments or acquisitions.

15.2 The Data Protection Manager

The Data Protection Manager is the interface between DSC Software AG and the external Data Protection Officer. It is his or her task to integrate the external Data Protection Officer into the company and its departments, and to involve him or her in the relevant information and communication flows, to the extent needed for the Data Protection Officer to perform his or her duties.

16 Implementation

This document is checked once a year and whenever required for completeness and accuracy. Changes to this document are the responsibility of the Data Protection Manager.

July 24, 2018

Contact

DSC Software AG
Am Sandfeld 17
76149 Karlsruhe | Germany

Phone: +49 721 9774-100
Fax: +49 721 9774-101
E-Mail: info@dscsag.com