Privacy Notice Concerning WinCan SaaS Services
- Information About the Controller
WinCan AG, a Private Limited corporation in Switzerland owned by IDEX Corporation with of- fices located at Irisweg 12, 3280 Murten, Switzerland, (hereinafter ”WinCan”, “we“ or “us“) is the controller within the meaning of the EU General Data Protection Regulation (“GDPR”) for certain processing of your personal data in connection with our SaaS Services (“Services”).
12 Scope of this Privacy Notice
To the extend the GDPR applies to the processing of your personal data (which can in particular be the case if you are located in the European Union or the European Economic Area), we describe how we process your personal data when you are registered for or use one of the Services in this privacy notice. Any rights and obligations described in this privacy notice only apply insofar as the GDPR applies to the processing of personal data.
13 Information About Your Personal Data and Why We Use It
- General description of processing activities: We make the Services available to cus- tomers of WinCan who own and operate a terminal or use a terminal for storage (“Customer”). The Services integrate with other WinCan software solutions installed on the terminal or its This allows the Customer to read/enter data and control certain functions remotely and digitally through its employees who are regis- tered for use of the respective Service. For some of the Services, the Customer has the option to give their own clients direct access to the Service.
WinCan processes the data of these employees to enable their registration with the service and acts as a controller of the data in this regard. WinCan processes per- sonal data of the Customer’s clients or employees which are provided in the course of using the Services as a (mere) processor on behalf and as instructed by the Cus- tomer, not as a controller. The same applies in regards to any other personal data entered into one of the Services by the Customer.
- Collected data and purposes of processing
- User (including admin) information: We collect, and associate with your account, the information provided for your registration as a We use your business email ad- dress for authentication.
- Usage information: We may collect information on how and when you use a Service, meaning the day and time of usage and type of action We do so to properly document the time of relevant usage, to track the correct operation of the Service, to enable workflow management and to make sure the notifications are be- ing sent to the person responsible. Please also see the further purposes of processing below.
- Purposes of processing: We process the personal data for the following purposes
- Fulfilling our contract with our Customer
- Invoicing
- Authentication of Users
- To defend ourselves against legal claims
- Verification of compliance with Master Agreement, in particular license agree- ment
- IT-security
- Service related communication with you
- To fulfil legal retention obligations
- To enforce applicable statutory obligations or obligations and rights resulting from the legal relationship with the Customer and/or individual users
- To prove our compliance with statutory obligations
- Sources of data: The data we process has been provided either by yourself directly in the course of using the
14 Lawfulness of Data Processing
The legal basis for processing is Art. 6 (1) (f) GDPR, as the processing is necessary for the purposes of fulfilling our contract with our Customer and the further purposes listed in section 2.3, which is a legitimate interest pursued by us. While we bear in mind the interests and fun- damental rights and freedoms of you, your need for data protection does not override our inter- est as specified above
15 Contact and Data Protection Officer
If you have any questions regarding data protection and the exercise of your rights, you can contact our data protection officer directly via the following contact details: privacy@idexcorp.com
16 Storage Period
- We will erase your personal data when it is no longer required for the purposes men- tioned in section 2 subject to retention If our contract with the Customer is terminated, your personal data will be erased 30 days after the termination.
- We may retain your personal data for the purposes of legal defense and law enforce- ment for as long as is necessary for the preparation or execution of a possible legal dispute (usually up to four years, whereby the legal dispute itself may inhibit the course of this period)
- If longer retention periods apply after the time period listed above (e.g., because we are obliged to store the data for tax purposes or civil or criminal proceedings were initiated) we will block the data until the end of the respective retention period and then erase
17 Sharing Data within IDEX Corporation
Your data will be shared within IDEX Corporation and processed by entities located outside the EU/EEA. If and when transferring your personal data to which the GDPR applies onwards outside the EU/EEA, we will do so using one of the following safeguards:
- the transfer is to a non-EU/EEA country for which has an adequacy decision by the EU Commission exists;
- the transfer is covered by a contractual agreement, which covers the GDPR require- ments relating to transfers to countries outside the EU/EEA;
- the transfer is to an organization which has implemented Binding Corporate Rules ap- proved by an EU data protection authority; or
- the transfer is covered by other approved safeguards in order to protect your personal data in a degree that equals the level of data protection in the European
International transfers within IDEX Corporation are governed by EU Commission approved Standard Contractual Clauses for controllers (as defined under the GDPR) and, where relevant, for Processors (as defined under the GDPR).
You may request a copy of the standard contractual clauses or other applicable safeguards by contacting privacy@idexcorp.com.
18 Requirements to provide personal data
You are not legally nor by a contract with us obliged to provide us with the personal data. However if you fail to do so, we might not be able to provide you with a user account for any of the Services or provide the Service towards the Customer.
19 Automated decision making
No automated decision-making according to Art. 22(1) and (4) GDPR occurs with respect to your personal data.
110 Recipients of the Personal Data
We might transmit your personal data in parts or as a whole to other entities. This includes (a) authorities, who we are obliged to provide your personal data to, e.g., data protection authori- ties; (b) auditors or similar external consultants like lawyers or tax advisers and (c) IT service provider including cloud service and subscription service providers who process personal data on our behalf but have to follow our instructions on such processing; these service providers will not be allowed to use your personal data for other than our purposes and will act as data processors.
111 Your Rights as a Data Subject
- You have the right to request from us information on which personal data about you we process at any Likewise, if data about you is inaccurate, you have the right to obtain from us rectification of such data without undue delay.
- Under the requirements set out in 17 GDPR you have the right to request from us the erasure of your personal data. In particular, you may ask us to erase personal data, if (i) it is no longer necessary for the purposes for which it was collected or oth- erwise processed; (ii) the personal data has been unlawfully processed, (iii) you ob- ject to the processing pursuant to Art. 21(1) GDPR and there are no overriding legiti- mate grounds for the processing, (iv) the personal data has to be erased for compli- ance with a legal obligation in Union or Member State law to which we are subject or
(v) you withdraw your consent on which the processing is based and there is no other legal ground for the processing.
- You have the right to obtain from us restriction of processing, where one of the fol- lowing applies: (i) The accuracy of the personal data is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal data,
(ii) the processing is un-lawful and you oppose the erasure of the personal data and request the restriction of their use instead, (iii) we no longer need the personal data for the purposes of the processing, but are required by you to keep them for the es- tablishment, exercise or defense of legal claims or (iv) you have objected to pro- cessing pursuant to Art. 21(1) GDPR and the verification whether our legitimate in- terests override yours is pending.
- According to Art 20 GDPR you have the right to receive the personal data concern- ing you, which you have provided to us, in a structured, commonly used and ma- chine-readable
- Please send your requests to privacy@idexcorp.com.
111.6 Pursuant to Art 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concern- ing you which is based on point f) of Art 6 para. 1 GDPR. We will no longer pro- cess your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.
- In addition, you have the right to complain to a data protection supervisory authority,
e.g. in the EU Member State of your habitual residence or your place of work, if you are of the opinion that the processing of your personal data by us violates applicable data protection law.