Data protection directive
1 Preface
Statutory data protection and security of information are issues that are becoming ever more important and meaningful for us, our customers, and our partners. As a service partner for software and PLM consultation, we are very glad that our customers trust us.
However, trust also means responsibility for our actions, for our work, and for our customers’ systems and data. Our customers confide their personal and commercial data, thus all information that is important to their business, to us.
We at DSC Software AG are convinced that it is of particular importance to handle this data responsibly. We therefore take statutory provisions for data protection very seriously in our day-to-day business and organize our company accordingly.
This directive is intended to underline the significance and importance of statutory provisions for data protection and to make the issue more transparent also for employees.
2 Responsibilities
External Data Protection Officer:
ah-consulting GmbH
Am Sandfeld 17 a
76149 Karlsruhe
+49 721 75408840
3 Aim of Data Protection Directive
Within the social responsibility of DSC Software AG, the company obliges to comply with the General Data Protection Regulation (GDPR).
To uphold this GDPR is a basis for trusting business relationships and the reputation of DSC Software AG.
4 Scope and Amendments of the Data Protection Directive
This data protection directive is based on the guidelines of the EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG (neu)).
The latest version of the data protection directive is accessible on the website of DSC Software AG (https://www.dscsag.com/en/data-protection-directive).
5 Principles for the Processing of Personal Data
5.1 Legality
For the processing of personal data, the informational self-determination of the data subject must always be safeguarded. Personal data must be collected and processed lawfully.
5.2 Purpose
Personal data may only be processed for purposes that were defined prior to data collection. Subsequent changes to these purposes are possible to a limited extent only and require a legal basis.
5.3 Transparency
The data subject must be informed about the handling of the data. In general, personal data must be obtained from the data subject. For the data collection, the data subject must at least be able to recognize the following or be informed about accordingly:
- Identity of the responsible authorities
- Purpose of data processing
- Defined retention periods
- Third parties or categories of third parties to whom the data may be transmitted
5.4 Data Avoidance and Data Economy
Before personal data is processed, it needs to be checked if and to what extent it is necessary to achieve the aim expected from the data processing. Personal data must not be stored for potential future purposes unless this is required or permitted by national law.
5.5 Storage and Deletion
Personal data that is no longer needed after the expiration of statutory or business process-related storage periods must be deleted.
5.6 Factual Correctness and Data Relevance
Personal data must be stored correctly, completely, and in an up-to-date status. Appropriate measures must be taken that ensure that irrelevant, incomplete, or obsolete data is deleted, corrected, completed, or updated.
5.7 Confidentiality and Data Security
Personal data is subject to data secrecy.
It must be treated confidentially in personal contacts and secured by appropriate organizational and technical measures against unauthorized access, unlawful processing or forwarding, as well as accidental loss, alteration, or destruction.
6 Admissibility of Data Processing
The collection, processing, and use of personal data is admissible only if one of the following circumstances applies. This is also necessary, if the purpose of the collection, processing, and use of the personal data is to be changed
6.1 Customers and Partner Data
6.1.1 Data Processing for a Contractual Relationship
Processing of personal data is permitted, if it serves to fulfill the contract or to fulfill pre-contractual measures.
6.1.2 Consent to Data Processing
Personal data may only be processed if the data subjects consent to the processing.
For this consent, the data subject must be informed according to this data protection directive. For purposes of proof, the declaration of consent must be obtained in writing or electronically. In exceptional cases such as telephone consulting, consent may be given verbally, and this must be documented.
6.1.3 Data Processing Based on Legal Permission
Personal data can also be processed if national regulations demand, assume, or permit data processing. The mode and extent of the data processing must be necessary for legally admissible data processing and comply with these regulations.
6.1.4 Data Processing Based on Legitimate Interest
Personal data can also be processed if this is necessary for the fulfillment of a legitimate interest of DSC Software AG. Legitimate interests are normally statutory (e.g. enforcement of open claims) or economic (e.g. avoidance of breaches of contract). The processing of personal data based on a legitimate interest is not possible if there is evidence to suggest that the legitimate interests of the data subject are more important than the interest in data processing. The legitimate interests must be checked for each act of processing.
6.1.5 Processing of Especially Sensitive Data
The processing of especially sensitive data is only possible if this is legally required or if it is expressly permitted by the data subject. This data may also be processed if it is absolutely essential for the assertion, exercise, or defense of legal rights against the data subject.
6.1.6 Automated Individual Decisions
Automated processing of personal data for the evaluation of individual personality features (e.g. creditworthiness) must not be treated as the exclusive basis for decisions with negative legal consequences or significant impairments for the data subject. The data subject must be informed of the fact and the result of an automated individual decision and be given an opportunity to make a statement. In order to avoid wrong decisions, an examination and a plausibility check by an employee must be provided.
6.1.7 User Data and Internet
If personal data is collected, processed, and used on websites or in apps, the data subjects must be informed about this in data privacy statements. The data protection information must be integrated in such a way that the data subject can easily recognize it, access it immediately, and have it available at all times.
If usage profiles (tracking) are created for assessing behavior in the usage of websites and apps, the data subjects must be informed about this in the data privacy statements. If tracking takes place under a pseudonym, those data subjects must be given the chance to opt out in the data privacy statements.
6.2 Employee Data
6.2.1 Data Processing for the Employment Relationship
For the employment relationship, the personal data necessary for the justification, execution, and termination of the employment contract may be processed.
For the initiation of an employment contract, applicants’ personal data may be processed. Following a rejection, the applicant’s data must be deleted in accordance with evidential periods, unless the applicant consents to further storage for a subsequent selection process.
In the existing employment relationship, data processing must always relate to the purpose of the employment contract so long as none of the following permission-relevant circumstances apply to the data processing.
If it is necessary during the initiation of the employment contract or in the existing employment relationship to collect further data about the applicant from a third party, relevant national statutory requirements have to be considered. In case of doubt, the consent of the data subject must be obtained.
For the processing of personal data in the context of the employment relationship but not originally needed for the fulfillment of the employment contract, a legal legitimation must exist. This can be statutory requirements, collective regulations with employee representatives, the employee’s consent, or the legitimate interests of the company.
6.2.2 Data Processing Based on Legal Authorization
Personal data may also be processed if national regulations demand, assume or permit data processing. The mode and extent of data processing must be required for legally admissible data processing and comply with these regulations. Within a legal scope of actions, the employee’s legitimate interests must be taken into account.
6.2.3 Collective Regulations for Data Processing
If the processing exceeds the purpose of the contract implementation, it is nevertheless admissible if it is permitted by a collective regulation. Collective regulations are collective wage agreements or agreements between the employer and employee representatives within the framework of possibilities of the respective labor law. The regulations must extend to the concrete purpose of the desired processing and can be customized within the frame of the national data protection law.
6.2.4 Consent to Data Processing
Employee data can be processed if the data subjects give their consent.
Declarations of consent must be given voluntarily. Involuntary declarations of consent are null and void. For purposes of proof, the declaration of consent must be obtained in writing or electronically. If, in exceptional cases, this is not possible due to circumstances, the consent may be given verbally, and must be documented. In the case of an informed voluntary specification of data by the data subject, consent can be assumed if national law does not prescribe explicit consent. Before declaring consent, the data subject must be informed in accordance with this data protection directive.
6.2.5 Data Processing Based on Legitimate Interest
Personal data may also be processed if this is necessary for the fulfillment of a legitimate interest of DSC Software AG. Legitimate interests are usually legally justified (for example, the assertion, exercise, or defense of legal claims) or economically justified.
The processing of personal data based on a legitimate interest is not possible if there is evidence to suggest that the legitimate interests of the data subject are more important than the interest in processing. The legitimate interests must be checked for each act of processing.
Control measures requiring the processing of employee data may only be carried out if a legal obligation or other reasonable grounds exist. If reasonable grounds exist, the reasonableness of the control measure must be checked. The company’s legitimate interests in the execution of the control measure (e.g. compliance with legal provisions and company-internal rules) must be weighed against a possible legitimate interest of the employee affected by the measure in the exclusion of the measure, and such measures may only be carried out if they are appropriate. The company’s legitimate interest and the possible legitimate interests of employees must be determined and documented before any measure is taken. Moreover (if applicable), any other existing requirements according to national law (e.g. employees’ rights to participate within employee representation and information rights of the data subjects) must be considered.
6.2.6 Processing of Especially Sensitive Data
Especially sensitive data may only be processed under certain conditions. With regard to employee data, especially sensitive data are, e.g. data on origin and ethnicity, religious or philosophical beliefs, union membership, or the health of the data subject.
Similarly, data concerning legal offenses, can, in general, only be processed under certain conditions governed by national law.
The processing must be expressly permitted or prescribed on the basis of national law. Additionally, processing can be permitted if it is necessary for the authority responsible to comply with its rights and duties in the field of labor law. The employee can expressly grant consent for processing voluntarily.
6.2.7 Automated Decisions
Insofar as personal data in the employment relationship is processed automatically, data with which individual personality features are assessed (e.g. as part of employee selection or the assessment of ability profiles), such automated processing must not be the exclusive basis for decisions with negative consequences or significant impairments for the data subject.
To avoid wrong decisions, it must be guaranteed in the automated process that a content assessment of the facts is made by a natural person and that this assessment is the basis for the decision. The employee concerned must also be informed of the fact and the result of an automated individual decision and given an opportunity to make a statement.
6.2.8 Telecommunication and Internet
Telephone systems, e-mail address, intranet, and internet as well as internal social networks are provided by the company primarily as part of the operational tasks. They are working equipment and company resources. They can be used within the scope of current statutory regulations and company guidelines (User Agreement IT).
Telephone and e-mail communication, intranet, and internet usage are not monitored. To defend against attacks on the IT infrastructure or individual users, protective measures are implemented at the interfaces to the DSC network that block harmful content or analyze the pattern of attacks. For reasons of security and traceability, the use of the telephone systems, e-mail address, intranet, and internet as well as of internal social networks is logged.
Person-related analyses of this data may only be made in the event of concrete, clear ground of suspicion for a breach of law. These controls may only be made in compliance with the principle of reasonableness. The analyses do not serve for performance recording.
7 Transmission of Personal Data
7.1 Data Transmission of Personal Data
Transmission of personal data to recipients outside or inside DSC Software AG is subject to the admissibility requirements for the processing of personal data. The recipient of the data must be obligated to use such data exclusively for the defined aims.
In the event of data transmission to a third party within the area of validity of the GDPR or to a third country, this person must guarantee a data protection level equivalent to this data protection directive. This does not apply if the transmission is based on a statutory obligation.
In the event of data transmission from a third party to DSC Software AG, it must be ensured that the data is allowed to be used for the intended purpose.
8 Commissioned Data Processing
Commissioned data processing applies when a contractor is commissioned with the processing of personal data but is not responsible for the related business process. In such cases, an agreement on commissioned data processing must be signed with external contractors.
The contractor may only process personal data according to the customer’s instructions. The agreement must ensure compliance with the following conditions, and the department issuing the agreement must ensure compliance in implementation.
- The contractor must be capable of guaranteeing the required technical and organizational protective measurements.
- The agreement must be in writing. The instructions concerning data processing as well as the responsibilities of the customer and the contractor must be documented.
- Before the start of data processing, the customer must check that the contractor will comply with the agreement. In particular, a contractor can present suitable certification to prove compliance with data security. Depending on the risk of data processing, checks are to be made regularly during the term of the agreement.
- In the case of international commissioned data processing, the respective national requirements for forwarding personal data to a foreign country must be met. In particular, personal data from the European Economic Area may only be processed in a third country if the contractor can guarantee a data protection level equivalent to this data protection directive.
9 Rights of Data Subjects
Every data subject can exercise the following rights. Their enforcement must be ensured promptly by the responsible department and must not lead to any disadvantages for the data subject.
- The data subject can request information about the data stored, its origin, and the aim of data storage.
- If personal data is transmitted to a third party, information on the identity of the recipient must be provided.
- If personal data is incorrect or incomplete, the data subject can demand the correction or completion of this data.
- The data subject can object to the processing of personal data for the purposes of advertising or market/opinion research. The data must be locked for these purposes.
- The data subject is entitled to demand the deletion of relevant data. Existing statutory storage obligations and the deletion of conflicting legitimate interests must be considered.
- The data subject has a right to object to the processing of the data according to Art. 21 GDPR, and this right must be considered if the data subject’s legitimate interest outweighs the importance of the data processing. This does not apply if a legal regulation obligates the data processing.
You can address your objection to us at any time informally. For the best possible processing, we ask you to use the following contact data:
DSC Software AG
Am Sandfeld 17
76149 Karlsruhe
E-mail: datenschutz@dscsag.com
10 Confidentiality of Processing
Personal data is subject to data secrecy. Unauthorized collection, processing, or usage by employees is prohibited.
Any data processing undertaken by employees that they have not been authorized to carry out as part of their legitimate duties is unauthorized.
Employees may only be given access to personal data if this is required for their respective tasks. This requires the allocation and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.
Employees may not use personal data for their own private or commercial purposes, forward it to unauthorized persons, or make it accessible to such persons in any other manner.
11 Security of Processing
Personal data must be protected against unauthorized access, unlawful processing or transfer, as well as loss, falsification, or destruction. Prior to the introduction of new methods of data processing, in particular of new IT systems, technical and organizational measures must be taken to define and implement the protection of personal data. These measures must be oriented towards the state of the art, the risks of processing, and the protection required by the data.
The technical and organizational measures for the protection of personal data are part of the company-wide information security and data protection management and must be continuously adapted to the technical developments and organizational changes.
12 Data Protection Monitoring
Compliance with data protection regulations and the latest data protection legislation are checked regularly by inspections of the Data Protection Officer.
The result of data protection monitoring must be submitted to the company management.
13 Data Privacy Incidents
Every employee must immediately inform the Data Protection Officer, the Data Protection Manager, or company management of any incidents violating this data protection directive or any other regulations concerning the protection of personal data.
These can be:
- Unlawful disclosure of personal data to third parties
- Unauthorized access by third parties to personal data
- Loss of personal data
In such cases, the reports defined within the company (Information Security Incident Management: “ISIM”) must be made immediately in order that reporting obligations of data privacy incidents can be fulfilled in accordance with national law.
14 Responsibilities and Sanctions
The company management is responsible for compliance with legal regulations for data protection.
It is a company management duty to take measures regarding organization, employees, and technology to ensure correct data processing in compliance with data protection and data security. The implementation of these tasks is the responsibility of employees in charge. In the event of data protection inspections by public authorities, the Data Protection Officer must be informed immediately.
Both the Data Protection Officer and the Data Protection Manager are contacts for data protection matters. Both can carry out inspections and familiarize employees with the contents of data protection directives. The company management is obligated to support the Data Protection Officer in their activity. Those responsible for business processes and projects must inform the Data Protection Officer before the start of changes to the processing operations of personal data.
The company management must ensure that employees are sufficiently trained in data protection. Unlawful processing of personal data or other breaches of the data protection regulations are prosecuted and can lead to claims for compensation or damages. Infringements for which individual employees are responsible can lead to disciplinary actions.
15 The Data Protection Officer
15.1 The External Data Protection Officer
The Data Protection Officer is independent and not bound by internal company management instructions, and ensures the compliance of the data protection regulations. The Data Protection Officer is supported in this by the Data Protection Manager, who is responsible for supervising the compliance with data protection regulations.
The Data Protection Officer informs the company management about data protection hazards.
Any data subject can contact the Data Protection Officer with suggestions, queries, requests for information, or complaints about data protection or data security. Queries and complaints are treated confidentially if requested.
These tasks are performed without directions from but in agreement with company management, and if applicable on request by the company division responsible.
The Data Protection Officer is the contact for employees and persons affected in company-internal and company-external data protection questions. The Data Protection Officer is obliged to maintain confidentiality, if requested by the data subject, about this person’s identity and the circumstances leading to conclusions about their identity. The Data Protection Officer is independent in the execution of these duties and has an advisory status.
The Data Protection Officer must be supported by all employees in the fulfillment of these duties and must be supplied immediately with all documents required in executing these duties. In particular, the Data Protection Officer must be informed about all data processing methods in which personal data is processed, and, for the consideration of data protection requirements, must be involved immediately in the planning and development in the event of procedural changes, new developments or acquisitions.
15.2 The Data Protection Manager
The Data Protection Manager is the interface between DSC Software AG and the external Data Protection Officer. It is their task to integrate the external Data Protection Officer in the company and in the departments, and to involve him or her in the relevant information and communication flows to the extent that he or she can perform his or her duties.
16 Implementation
This document is checked once a year and whenever required for completeness and up-to-date checks.
Changes to this document are the responsibility of the Data Protection Manager.
June 29, 2020
Andrea Keller
Member of the Board