Privacy Policy for the Cloud of Alpha ESS CO. Ltd., China
Alpha ESS CO Ltd. (hereinafter referred to as „the Responsible“ or „Alpha ESS“ or „we“ or „us“), as the operator of the homepage https://cloud.alphaess.com/ and of the Alpha Cloud (hereinafter also „our cloud“), is pleased about your interest in our cloud. The following informs you about the processing of personal data when using our cloud.
I. Definitions
II. Controller, representative according to Art. 27 GDPR and data protection officer
III. Principles for the processing of personal data
IV. General data processing in connection with the provision of our website
V. Customer account for the use of the services of Alpha Cloud
VI. Tokens
VII. Email contact and ticket system
VIII. Data processing by third parties and transfer of data to third countries
IX. Your rights as a data subject
X. SSL Encryption
XI. Reservation of change
I. Definitions
Our privacy policy uses terms defined in the EU General Data Protection Regulation (GDPR). In order to make the privacy policy readable and understandable, we have explained these terms below:
(1) Personal data
According to the GDPR, personal data is any information relating to an identified or identifiable natural person. This means information such as your name, your date of birth, your address, your e-mail address, your IP address or your telephone number, as well as your user behavior. In contrast, information that is not directly associated with your real identity - such as generally preferred websites by all users or the number of users of a site - is not referred to as personal data.
(2) Person affected
Data subject means any identified or identifiable natural person whose personal data is processed by the controller.
(3) Processing
Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(4) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
(5) Person responsible or controller and representative according to Art. 27 GDPR
The person responsible or controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.
Insofar as the data controller has its registered office outside the European Union, a representative must be appointed in accordance with Art. 27 GDPR. The representative must be established in one of the Member States in which the data subjects whose personal data are processed in connection with the goods or services offered to them or whose behavior is monitored are located. The representative shall be appointed by the controller or processor to serve as a point of contact, in addition to or in place of the controller or processor, in particular for supervisory authorities and data subjects on all matters relating to the processing to ensure compliance with this Regulation. "Representative" therefore means a natural or legal person established in the Union who has been appointed in writing by the controller or processor in accordance with Article 27 GDPR and represents the controller or processor in relation to their respective obligations under this Regulation.
(6) Processor
Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
(7) Recipient
A recipient is a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not that person, agency or other body is a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.
(8) Third party
Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.
(9) Consent
Consent shall mean any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner in the form of a statement or any other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.
II. Person responsible for processing, representative according to Art. 27 GDPR and data protection officer
(1) Person responsible for processing
Alpha ESS CO., Ltd.
No. 888, Jiuhua Road, Nantong High-tech Zone,
Nantong City, Jiangsu Province, China, 226300
email: info@alpha-ess.com
The aforementioned responsible party is also referred to hereinafter collectively as "the responsible party" or "Alpha ESS" or "we" or "us".
Since the controller does not have a registered office in the EU, a representative has been appointed in accordance with Article 27 of the GDPR.
(2) Representative according to Art. 27 GDPR
Alpha ESS Europe GmbH
Paul-Ehrlich-Strasse 1a
63225 Langen
Germany
Phone: +49 (0) 6103 – 4591601
Email: europe@alpha-ess.de
Internet: https://www.alpha-ess.de
(3) Data protection officer
The data protection officer of Alpha ESS Europe GmbH is Michael Steininger-Yang. The data protection officer can be reached at the above address.
III. Principles for the processing of personal data
(1) Scope of processing of personal data
As a matter of principle, we collect and use personal data of our users only insofar as this is necessary for the provision of a functioning cloud as well as our content and services. The collection and use of your personal data within the framework of our cloud is regularly only carried out after your consent. However, an exception applies in those cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is nevertheless permitted by legal regulations.
(2) Legal basis for the processing of personal data
The data transmitted or collected by you will be collected, used, processed, stored and, if necessary - if required by law or contractually necessary - forwarded to third parties exclusively within the framework of the applicable data protection laws (GDPR, Federal Data Protection Act, State Data Protection Acts and Telemedia Data Protection Act).
Various legal bases for the processing of your personal data arise from Art. 6 GDPR, each of which is referred to in this privacy policy:
Art. 6 para. 1 a) GDPR is the legal basis for processing operations of personal data, if consent of the data subjects is given.
Art. 6 para. 1 b) GDPR is the legal basis for the processing of personal data which becomes necessary for the performance of a contract to which the data subject is a party. This legal basis also refers to those processing operations which are necessary for the performance of pre-contractual measures.
If we have to process personal data in order to fulfill a legal obligation of our company, Art. 6 para. 1) c) GDPR shall be the legal basis for this.
Art. 6 para. 1 d) GDPR serves as the legal basis if vital interests of the person affected by the data processing or another natural person make it necessary to process their personal data.
If the processing of personal data is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override this first interest of our company or a third party, this processing is carried out on the legal basis of Art. 6 para. 1) f) GDPR.
Storing information in the end user's terminal equipment, e.g. via tokens or cookies, or accessing information that is already stored in the terminal equipment is only permissible if it is covered by one of the following justifications:
– § 25 para. 1 TTDPA: If the end user has consented on the basis of clear and comprehensive information. The consent has to be given according to Art. 6 para. 1 p. 1 lit. a) GDPR;
– § 25 para. 2 Nr. 1 TTDPA: When the sole purpose is to carry out the transmission of a message over a public telecommunications network; or
– § 25 para. 2 Nr. 2 TTDPA: If the storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.
(3) Data deletion and storage duration
As soon as the purpose of storing the respective personal data of the data subject ceases to apply, such data shall be deleted or blocked. However, storage beyond this point in time may take place if this has been provided for in European or national regulations, laws or other provisions to which we, as the data controller, are subject. Data will also be blocked or deleted if a storage period stipulated by the aforementioned standards expires, unless there is a necessity for the continued storage of such data for the conclusion or performance of a contract.
IV. General processing activities in connection with the provision of our website
(1) Visit of our website
When you visit the website on which the cloud is provided, we process the personal data described below to enable convenient use of the functions. If you only visit our website without already being registered in the cloud, it is generally not necessary for you to provide us with personal data. Rather, during your visit to our website, we automatically collect, use and store information that is transmitted to us by the respective browser used.
- Information about your browser: type, language and the version you are using (e.g. Mozilla Firefox, Microsoft Internet Explorer, Apple Safari, Google Chrome)
- The operating system you are using
- The internet service provider you use
- Your IP address
- Date and time of your access
- Websites from which your system accesses our website
- Websites that are accessed by your system via our website
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
The data listed above cannot be assigned to specific persons by us. We do not combine this data with other data sources, i.e. this data is not stored together with other personal data such as your name, address, telephone number or email address.
(2) Legal basis
The legal basis for the storage of the data is Art. 6 para. 1 f) GDPR, as our legitimate interests in this storage, as set out below, outweigh your interests, fundamental rights and freedoms: The IP address is considered personal data. The temporary storage of the IP address by the system is necessary to enable a transmission of our website, on which we maintain the cloud, to your browser. For this purpose, the IP address must remain stored for the duration of the session.
(3) Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of our website, it is deleted when the respective session has ended.
(4) Possibility of objection and removal
The collection of data for the provision of our website is mandatory for the operation of the website. Consequently, there is no possibility for you to object in this respect.
V. Customer account to use the services in the Alpha Cloud
(1) Data for the customer account - registration as a user
The use of the monitoring services, including weather data display, and the customer service in the Alpha Cloud requires registration (creation of a customer account) in the cloud. To create a customer account, the following data is required, not all of which constitutes personal data per se:
(a) Mandatory data for registration in CLOUD:
- role of registrant: end-user or installer
- Email address
- password and check code used to authenticate and access accounts
- SN (device number) and SN check code
(b) Optional data – we ask for your consent:
- Postal code
- address
- Country
- Phone number
- contact person
- Time zone
- Installation date of device monitored
- Automatic update of the cloud
(c) Registration process
There are two types of registered users: end-user registration and installer registration. Please choose according to the actual situation. After selecting the type, you need to fill in the account e-mail as User Name and set the account password first. You must use your valid e-mail address. If your email address cannot receive emails, you will not be able to register your account successfully.
Furthermore, you need to fill in the SN (serial number) and the SN check code. When you enter your product serial number (SN), the date on which your system was installed by the installer is recognized automatically. If it is not recognized, you will need to manually select the installation date for your device. You can also scan the code to obtain the product serial number. The check code is the check code on your system.
We ask you to provide the optional data, that is: choose your language and indicate a contact person, country, address, postal code, phone number, time zone and installation time (if it needs to be indicated manually), and to give your consent to the processing of such data.
Please read the "Privacy Policy" and "Terms of Service" before proceeding to the next step.
When you click "Submit", the system will check whether the check code is correct; if not, the registration will not be successful. Contact phone number is optional, other fields are required.
You can choose whether to accept the automatic update of system firmware. After clicking OK, a registration activation email will be sent to your email address; you have to open that email and click on the activation link in order to register successfully.
Click on the activation link in the email and your account will be activated and you will be redirected to the login page automatically (Double-Opt-in). At the same time, we store the double-opt-in and the date of your registration along with the time. This data is not passed on to third parties.
If you create a customer account for our cloud, we will collect and store the data you entered during registration exclusively for pre-contractual services, for the fulfillment of the contract or for the purpose of customer care (e.g. to provide you with an overview of your previous orders or inquiries with us).
In the course of the registration process, your consent to this processing will be obtained and reference will be made to this privacy policy. The data collected by us in this process will be used exclusively for the provision of the customer account.
(2) Data processing for monitoring services
From the SN (Serial Number) we can see Device and Usage data about your device, the products and the functions that you use, including information about your hardware and software, the performance of our products, and your settings as well as Device and configuration data, that is data about your device, device configuration, and neighboring networks, for example, the IP address, SN, device identifiers, location and language settings, and neighboring WLAN access points of the device. All such data are used for device interaction only and not for any other purposes. We use this information to provide you with the monitoring information. Without this information no monitoring services are possible.
In order to have accurate weather data, we process country, post code and address. This information is sent to a subcontractor providing the weather information, with whom we have concluded a Controller/Processor Agreement as well. Without this information no weather data can be shown.
(3) Customer service - Troubleshooting data
Troubleshooting and help data: data submitted when you contact Alpha ESS for help, such as authentication information and data related to your device and its corresponding products, as well as the problems you face. The processing of personal data from an inquiry for trouble shooting sent to us serves solely to process the contact and the problem. In this context we may process contact data, such as name, address data, telephone numbers, e-mail address to contact you and device, usage and configuration data in order to solve problems and instruct our sub-contractors with whom we have concluded a Controller/Processor Agreement pursuant to Art. 28 GDPR.
(4) Legal basis
Pursuant to Art. 6 para. 1) lit. b) GDPR, the legal basis for data processing is the contract that we conclude with you for the provision of our services. The legal basis for the processing of data, if and insofar as your consent is given, is Art. 6 para. 1 lit. a) GDPR. In accordance with Art. 7 para. 3) GDPR, you can revoke the consent given to us to open and maintain the customer account at any time with effect for the future. For this purpose, you only need to inform us of your revocation.
(5) Purpose of processing
(a) Weather Data Service: We provide a weather data service by forwarding the country, address and zip code to a weather data service.
(b) Monitoring: We provide an overview of the performance of the products from our product portfolio when they are connected to the Internet via Wi-Fi. To do this, you must register the products in the cloud under Basic settings "Add device".
(c) We offer a question service - customer service - under ticket system. Here you can report problems and ask questions.
(6) Storage duration
(a) Weather data: Weather data is only shown on the day monitoring takes place. No history of weather data will be provided for the user. However, there will be anonymous storage for scientific use.
(b) Performance Data of Alpha ESS products (Monitoring): Device, usage, configuration data
Data shown in monitoring will be part of the device history and will be saved by Alpha ESS. However, this data will not be deleted if we are entitled or obliged to continue storing it on the basis of a legal ground other than your consent or despite your objection.
(c) Customer service – ticket, suggestions
Data will be part of the device history and will be saved by Alpha ESS as long as the device is registered. If registration of a device is cancelled, the data will be deleted. However, this data will not be deleted if we are entitled or obliged to continue storing it on the basis of a legal ground other than your consent or despite your objection.
(d) Account data
Account data, like email address, contact address, contact person and phone number as well as Credentials (password and check code used to authenticate and access accounts) are stored as long as the account is registered.
Data storage can be terminated by deleting the customer account. However, this data will not be deleted if we are entitled or obliged to continue storing it on the basis of a legal ground other than your consent or despite your objection. The data collected in this respect will be deleted, for example, as soon as processing is no longer necessary. In doing so, however, we must observe retention periods under tax and commercial law.
(7) Possibility of objection and removal
You have the option to revoke your consent to the processing of personal data at any time [see X. (8) Right of revocation below].
VI. Tokens
(1) Description
In addition to the previously mentioned data, technical tools are used for various functions when you use our cloud, in particular tokens, which can be stored on your end device. These functions are not based on cookies, but on similar technical mechanisms, such as Flash cookies, HTML objects or an analysis of your browser settings. The tokens used by Alpha ESS are pieces of information in a database that are stored in the device memory of your end device and assigned to the cloud you are using. Tokens allow certain information to flow to the entity that sets them. They are used for authentication purposes. Tokens cannot execute programs or transfer viruses to your terminal device. This cloud uses the following types of tokens, whose functionality and legal basis we will explain below.
(2) Necessary and optional tokens
A distinction is made between technically mandatory tokens and optional tokens:
Mandatory, technically necessary for the function of the cloud: The technical structure of the cloud requires that we use techniques, in particular tokens. Without these techniques, our cloud cannot be used (completely correctly) or the support functions cannot be enabled. These are basically tokens that are deleted after the end of the usage process, at the latest after 30 days. You cannot deselect these tokens if you wish to use our cloud. Legal basis for tokens that are absolutely necessary to provide you with the expressly requested service is § 25 para. 2 no. 2 TTDPA.
We use the following technically mandatory tokens:
Tokens are used for account system authentication of the currently logged-in User to allow cloud data interchange and to store user accounts and passwords for authentication so that you will not be required to log in every time you open the app. Tokens will be stored in the system for two hours. They will be automatically deleted once the User has logged out. This is applicable for the following tokens:
1 | Device Unique Identification | deviceId | mandatory | Associate with user identities, improve scalability and performance | Cloud user expects to receive information accurately to specific devices, which can be useful for alerting users to new messages, updates, or other important information; App uses device IDs to send push notifications in order to deliver such messages | Fetch each time the program starts
2 | authentication certificate | token | mandatory | Authenticate user identity, enable features, prevent fraud, implement security measures, and access necessary parameters for cloud-based services | Use valid token credentials to exchange for data saved in the cloud of Alpha ESS | Fetch each time the login API is called
3 | user ID | username | mandatory | Display user name back on certain screens of the app | Display user name in personal center after login | Fetch each time the API is called
4 | user ID | userId | mandatory | Authenticate user identity, synchronize data, prevent fraud, improve scalability and performance, provide customer support, uniquely identify users | In an application that supports multi-platform synchronization, the user ID can be used to ensure that the user's data remains consistent across devices | Fetch each time the login API is called
Optional tokens when you give your consent: If you have given your consent to the collection of the data “country”, we set a token that indicates to the app in which country you are located and displays the corresponding customer support.
5 | nations | country | non-mandatory | Provide customer support | The user fills in the country and the country is displayed in the corresponding interface after logging in. | Fetch each time the login API is called
Any use of tokens that is not absolutely technically necessary for the services provided via the Cloud constitutes data processing that is only permitted with your explicit and active consent pursuant to Section 25 para. 1) TTDPA in conjunction with Article 6 para. 1) sentence 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. We do not use such tokens without your consent. In addition, we will only disclose your personal data processed by tokens to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1) p. 1 lit. a GDPR. The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation.
(4) Possibility of objection and removal
Most browsers accept tokens automatically. You may, however, configure your browser so that no cookies or tokens are stored on your computer or so that you are always informed before a new cookie or token is set. A complete deactivation of tokens may, however, render you unable to use all functions of our website. You can erase cookies or tokens that have already been set at any time on your own by calling up the corresponding menu item in your web browser or deleting the cookies/tokens from your hard disk. For details on this, see the help menu of your web browser.
As for the login or authentication tokens mentioned above, if those are deleted and no longer stored on your device, the cloud can no longer be used.
VII. Email contact, ticket system and suggestion for product improvement
(1) Description and scope of data processing
Our cloud contains information to enable quick contact/communication. If you contact us by e-mail, via our ticket system or with a suggestion for product improvement using the ticket system function of the Cloud, the personal data you provide (such as first name, last name, email address, and any other voluntary information) will be stored automatically. At the time the message is sent, your IP address and the date and time are also stored.
However, there is a possibility to create a guest complaint as well: In this case, besides the data you provide to us in the text of the guest complaint, we only store time in the server's time zone.
The response to these inquiries is handled by our subsidiary Alpha ESS Europe GmbH, with whom we have concluded an order processing agreement pursuant to Art. 28 GDPR.
(2) Legal basis for data processing
The legal basis for the processing of the data, if and insofar as your consent is given, is Art. 6 para. 1 lit. a) GDPR.
The legal basis for the processing of data transmitted in the course of sending an e-mail or within the framework of the ticket system is also Art. 6 para. 1 lit. f) GDPR. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.
(3) Purpose of data processing
The processing of personal data from an email or ticket – including guest complaint - sent to us serves solely to process the contact. This also constitutes the necessary legitimate interest in the processing of the data if it is processed on the basis of Art. 6 para. 1) f) GDPR.
(4) Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the respective conversation with the user has ended as far as e-mail conversation is concerned. The conversation has ended when it is clear from the circumstances that the matter in question has been conclusively clarified. After an objection or revocation declared by you [see below under (5)], your personal data will be deleted within 7 days. However, this data will not be deleted if we are entitled or obliged to continue storing it on the basis of a legal ground other than your consent or despite your objection.
As far as the tickets are concerned these are stored in the ticket list in the cloud as long as you have an account in the cloud. In case the account is deleted, the ticket list will be deleted as well.
(5) Possibility of objection and removal
You have the option to revoke your consent to the processing of personal data at any time [see X. (8) Right of revocation below]. In addition, you may also object to the processing of your personal data at any time if and to the extent that this processing is based on Art. 6 para. 1) p. 1 lit f) GDPR [see X. (1) Right of objection below]. You can send both the revocation and the objection, for example, by email to europe@alpha-ess.de. In such a case, however, the conversation cannot be continued.
VIII. Data processing by third parties and to third countries
1. Order data processing
(1) It may happen that commissioned service providers are used for individual functions of our cloud. As with any larger company, we also use external domestic and foreign service providers to handle our business transactions (e.g. for the areas of IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obligated to comply with the data protection provisions of Art. 28 GDPR.
(2) The following categories of recipients, which are usually processors, may receive access to your personal data:
- Service providers for the operation of our cloud and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 p. 1 lit. b) or lit. f) GDPR, insofar as they are not order processors;
- Government agencies/authorities, insofar as this is necessary for the fulfillment of a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 p. 1 lit. c) GDPR;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. b) or lit. f) GDPR.
(3) In addition, we will only disclose your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1) p. 1 lit. a GDPR.
(4) If personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.
2. Conditions for the transfer of personal data to third countries
(1) In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit b or lit. f) in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer at the relevant points.
(2) Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/dataprotection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eurlex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en ), certificates or recognized codes of conduct. In accordance with the data protection laws of the European Commission, we may also seek your consent in this regard.
3. Legal obligation to transfer certain data
We may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public bodies (Art. 6 para. 1 p. 1 lit. c) GDPR).
IX. Your rights as a data subject
If we process your personal data, you are a data subject within the meaning of the GDPR and you have the following rights against us as the controller:
(1) Right of objection
(a) You have the right at any time to object to the processing of your personal data on the basis of Art. 6 para. 1 p. 1 lit. f) GDPR for purposes of direct marketing to us without giving reasons. We will then no longer process your personal data for these purposes. This also applies in principle to profiling, insofar as it is associated with such direct advertising. However, we do not currently carry out profiling.
(b) You may also object to other processing that we derive from a legitimate interest within the meaning of Art. 6 para. 1) sentence 1 lit. f) GDPR for reasons arising from your particular situation, stating these reasons. In principle, this also applies to profiling based on this provision. However, we do not currently carry out such profiling. We will then no longer process your personal data unless we can demonstrate compelling reasons for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
(c) Any objection can be made form-free. For this purpose, it is sufficient to send an email to: europe@alpha-ess.de.
(2) Right of information
You can request confirmation from us as to whether personal data concerning you is being processed by us.
If such processing is taking place, you can further request information from us about the following:
1. the purposes for which the personal data are processed;
2. the categories of personal data which are processed;
3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
4. the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage period;
5. the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. any available information about the origin of the data if the personal data is not collected from you as the data subject.
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
(3) Right to rectification
You have a right against us as the responsible party to rectification and/or completion, insofar as the personal data processed by us concerning you is incorrect or incomplete. We shall carry out the rectification without undue delay.
(4) Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
- we no longer need the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims; or
- if you have objected to the processing pursuant to Article 21 para. 1) GDPR and it has not yet been determined whether the legitimate grounds asserted by us outweigh your grounds.
If the processing of personal data concerning you has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.
(5) Right to deletion
(a) Obligation to delete
We are obliged to delete the personal data concerning you without delay if one of the following reasons applies:
1. the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
2. you revoke your consent on which the processing was based pursuant to Art. 6 para. 1) a) or Art. 9 para. 2) a) GDPR and there is no other legal basis for the processing.
3. you withdraw your consent on which the processing was based pursuant to Art. 6 para. 1) a) or Art. 9 para. 2) a) GDPR and there is no other legal basis for the processing.
4. you object to the processing pursuant to Art. 21 para. 1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2) GDPR.
5. the personal data concerning you have been processed unlawfully.
6. the erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
7. the personal data concerning you has been collected in relation to information society services offered pursuant to Article 8 para. 1) GDPR.
(b) Information to third parties
If we have made the personal data concerning you public and we are obliged to erase it pursuant to Article 17 para. 1) of the GDPR, we shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other data controllers which process your personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.
(c) Exceptions
The right to erasure does not exist insofar as the processing is necessary
1. to exercise the right to freedom of expression and information;
2. for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health pursuant to Article 9 para. 2) h) and i) and Article 9 para. 3) of the GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 para. 1) GDPR, insofar as the right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
5. for the assertion, exercise or defense of legal claims.
(6) Right of information
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against us to be informed about these recipients.
(7) Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us as the controller to whom the personal data was made available, provided that
1. the processing is based on consent pursuant to Art. 6 para. 1) a) GDPR or Art. 9 para. 2) a) GDPR or on a contract pursuant to Art. 6 para. 1) b) GDPR and
2. the processing is carried out with the help of automated procedures.
In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from us as a controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as controller.
(8) Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If you wish to exercise your right of revocation, an email to europe@alpha-ess.de is sufficient.
(9) Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to submit a complaint to a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority to which the complaint has been submitted will inform you, as the complainant, of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
Please address any inquiries in connection with data subject rights to europe@alpha-ess.de. Please note that in the case of requests for information that are not made in writing, our representative may require proof that you are really the person about whose personal data information is requested, in order to protect the persons about whom data is stored.
X. SSL-Encryption
This site uses SSL encryption for security reasons and to protect the transmission of confidential content that you send to us. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. The activation of SSL encryption serves as protection against third parties reading the data you transmit to us.
XI. Subject to change
We reserve the right to adjust this privacy policy to always comply with the applicable regulations as well as our offers on the cloud. Status: November 2023.