Data Protection Information for Partner Companies and Business Partners
e.solutions GmbH (with the registered address Despag-Straße 4a, 85055 Ingolstadt, hereinafter "eso" or also "we" or "us") works closely with your company on various topics and occasions. This also requires eso to process personal data on individual employees of the Partner Company or Business Partners. We use the term "Partner Company" to refer to companies whose employees are closely involved in eso’s internal processes. "Business Partners" are companies that provide us with external advice only. Within this data protection notice, eso provides information on both the processing of data relating to employees of Partner Companies and to Business Partners and the data protection rights to which the data subjects are entitled. Section 4. "Data processing purposes and legal basis exclusively in relation to Partner Companies" applies exclusively to employees of Partner Companies. All other sections of this privacy notice apply to both Partner Company employees and Business Partner employees.
Please ensure that the data subjects – i.e. the employees of your company – are informed about how we process their data in accordance with the requirements of the GDPR.
1. Controller
The responsible party or Controller within the meaning of Art. 4 No. 7 GDPR is:
e.solutions GmbH
Despag-Straße 4a, 85055 Ingolstadt
Telephone: +49 8458 3332-100
2. Data Protection Officer
Claudia Langer
Chief Data Protection Officer
Legal
E-Mail: datenschutzbeauftragter@esolutions.de
Telephone: 08458-3332-3818
3. Purposes of Data Processing and Legal Basis in relation to Employees of Partner Companies and of Business Partners
In the course of our business relationship with Partner Companies and Business Partners, we collect personal data from your company and from individual employees. This may include, in particular, the following data:
- the full name;
- information regarding the affiliation with a Partner Company or Business Partner and the role in that company and within eso;
- information on services performed for eso;
- professional contact details (e-mail address, telephone numbers, department);
- personal data as part of e-mails and documents;
- personal data as part of data regarding video and audio quality and as part of text, video and audio files;
- personal data used in invoices.
We process contact details of contacts in the company, data regarding their affiliation to a Partner Company or Business Partner and their role in that company and for eso in order to manage and carry out the cooperation. For the same purpose, we also process information about services performed for eso. We also process personal data as part of our correspondence and personal data contained in e-mails and documents shared with us. We carry out all the data processing described above on the basis of our legitimate interests in the use of data communicated to us to carry out, manage and coordinate cooperation and communication with employees of Partner Companies and Business Partners on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests also cover the use of common tools for video conferencing and external communication, which most of our Partner Companies, Business Partners and other external persons can also use and operate. If necessary, we process the personal data mentioned in this section in accordance with Art. 6 para. 1 lit. f GDPR to ensure IT security and IT operations, for statistical purposes or to avoid credit or default risks.
If we use data to assert, defend or exercise our own rights, this data processing is carried out on the basis of our legitimate interest in defending and exercising rights and on the basis of Art. 6 (1) lit. f GDPR. If special categories of personal data are also processed for these purposes, this is additionally done based on Art. 9 (2) lit. f GDPR. In addition, we store personal data contained in documents and e-mails relating to factual circumstances for as long as this is necessary for the fulfilment of our contractual and statutory rights and obligations or for the exercise of rights and defense against claims. Such data processing is carried out based on our legitimate interest (according to Art. 6 para. 1 lit. f GDPR) in the exercise of our rights and to ensure our ability to defend against claims as well as to demonstrate legally compliant behaviour.
Legal requirements oblige us to retain certain documents and the personal data contained therein for a certain period of time and, insofar as necessary for the fulfilment of legal obligations, to disclose the documents and the personal data contained therein to the authorities. The data processing necessary for this is carried out based on Art. 6 para. 1 lit. c GDPR in connection with the specific legal obligation. For example, according to § 147 of the German Tax Code (Abgabenordnung – AO), we are obliged to store business letters for six years and to keep invoices for ten years. Further legal obligations may also arise from the German Civil Code (Bürgerliches Gesetzbuch – BGB) and the German Commercial Code (Handelsgesetzbuch – HGB). We also process personal data to ensure adequate security of data processing. This is done on the basis of Art. 6 (1) lit. c GDPR in conjunction with Art. 32 GDPR.
In case we separately request the consent of data subjects in individual cases, we carry out the data processing described in more detail in the respective declaration of consent on the basis of Art. 6 (1) lit. a GDPR and – where indicated – also in accordance with Art. 9 (2) lit. a GDPR.
4. Purposes of Data Processing and Legal Basis exclusively in relation to Partner Companies
Within the scope of the business relationship with Partner Companies, we may receive further personal data from your company and individual employees not yet mentioned under section 3. This may include, in particular, the following data:
- information regarding activities in projects;
- in relation to persons with a Partner Company admin account: information on requested access and access authorisations;
- access and access authorisations in relation to eso devices, systems and buildings;
- login data used for the access to eso devices and systems and used for services provided by service providers (e.g. Microsoft Teams);
- information regarding the eso sponsor of the employee of the Partner Company;
- personal data as part of documents and information entered into Microsoft 365 Copilot.
We process information on the activities of employees of Partner Companies in projects in order to manage and carry out the cooperation. For employees of Partner Companies to be able to access eso devices and systems and so that their rights correspond to what is necessary for the activities of individual employees, eso processes information on login and access authorisations relating to eso devices, systems and buildings as well as login data. In the case of Partner Companies, there are some employees who may request login and access authorisations from eso for other employees of their company. These persons have a Partner Company admin account through which they can make corresponding requests. Each employee of a Partner Company is assigned an eso sponsor who is responsible for granting access and access rights at eso. For this purpose, eso records the name of the eso sponsor assigned to an employee of a Partner Company for each employee of Partner Companies. In addition, employees of Partner Companies also use services provided by external service providers for internal and external communication. For this purpose, these persons receive login data. This applies, for example, to the use of Microsoft Teams. As part of communication via these services, translations can be provided in the form of Microsoft Live subtitles in Teams. In addition, we use applications for automation to optimise our work processes, for example in project management or for processing administrative tasks. This includes, for example, the use of an application to improve the ticket search function in the JIRA project management system and Microsoft 365 Copilot as an add-on to other Microsoft 365 services. Information on the activities of Partner Company employees in projects can also be processed. This includes information that is already available in the JIRA application or the Microsoft 365 services, e.g. in tickets or uploaded files. 
We also process company and employee data for the efficient management of business relationships and projects, evaluation and creation of group-related reports on company key figures for the improvement of business processes.
We carry out all of the data processing described above on the basis of our legitimate interests in the use of data provided to us for the implementation, administration and coordination of the collaboration, the granting of appropriate access and access rights and communication with employees of partner companies on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interests also lie in the provision of common tools, such as for video conferencing and external and internal communication, which most of our business partners and other external persons can also use and operate. We also have a legitimate interest in the use of applications (e.g. Microsoft 365 Copilot) to automate work processes and to optimise our workflows (especially in project management and the processing of administrative tasks).
5. Recipients and categories of recipients
In the context of our cooperation with Partner Companies and Business Partners, we use standard third-party services whose providers are recipients of the data. These include services for invoicing, calendar and e-mail programmes, communication services, video conferencing systems and services for the automation of work processes, e.g. for the processing of administrative tasks (including so-called processors in accordance with Art. 28 GDPR). We also use rights management services exclusively in relation to employees of Partner Companies. We also work with tax and legal advisors and auditors who are recipients of personal data insofar as this is necessary for the provision of their services. In the event of an official or legal obligation, we must pass on personal data to public bodies and institutions (e.g. authorities). It may also be necessary for us to share personal data with courts, supervisory authorities and other government bodies in the event of disputes.
6. Sources of the Data
We receive the personal data of employees of Partner Companies and Business Partners either from the company or the respective employee of the Partner Company or Business Partner itself.
7. Data Transfers to Third Countries
If we transfer personal data to a country outside the European Union and the European Economic Area, these transfers are made either on the basis of an adequacy decision of the European Commission or on the basis of appropriate safeguards within the meaning of Article 46 (2) of the GDPR or based on Article 49 of the GDPR. The appropriate safeguards include the standard contractual clauses adopted by the European Commission.
The standard contractual clauses adopted in the decision 2021/914 of the European Commission can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=de The standard contractual clauses adopted in the earlier decision 2010/87/EU of the European Commission can be found here: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:02010D0087-20161217. In addition, copies of the standard contractual clauses from Decision 2001/497/EC are available at the following URL: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=celex%3A32001D0497. From December 28, 2022 onwards we will only use the standard contractual clauses adopted in the decision 2021/914.
8. Storage Periods
The criterion for determining the storage period is the necessity of storage for a legitimate purpose. We are entitled to store the data for as long as storage is necessary for a legitimate purpose.
Except for personal data contained in e-mails and invoices, we store all personal data for the duration of the active cooperation and beyond that for as long as it is necessary for the fulfilment of our contractual and legal rights and obligations. For example, in the event of litigation, we will retain data necessary for the exercise and defense of our own claims until the litigation is finally resolved and thereafter for as long as further retention is necessary for any other legitimate purpose pursued by us. If the data is no longer necessary for the fulfilment of these purposes, it will be deleted, unless its further processing is necessary for the fulfilment of retention periods under commercial and tax law.
We store personal data contained in business letters – which also includes e-mails – for a period of six years in accordance with the provisions of § 147 AO. Based on the same provision, we keep invoices for 10 years. As stated above, in the event of a legal obligation to store data, we will therefore delete stored data at the end of the legal obligation, unless further storage is necessary for another legitimate purpose.
If a data subject objects to data processing carried out by us based on Art. 6 (1) lit. f GDPR, we will delete the data, provided that the interests of the data subjects in the deletion prevail and the data processing by us is not legitimized by another legal basis.
If data subjects withdraw their consent, we will delete their data unless we are legally obliged to continue storing it or further storage is necessary for another legitimate purpose.
9. Data Protection Rights
Data subjects are entitled to the following data protection rights if the respective applicable requirements are met:
- right of access (Art. 15 GDPR);
- right to rectification (Art. 16 GDPR);
- right to erasure (Art. 17 GDPR);
- right to restriction of processing (Art. 18 GDPR);
- right to data portability (Art. 20 GDPR);
- the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects or similarly significantly affects them;
- the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
Furthermore, data subjects have the right to object (Art. 21 GDPR) if we process data on the basis of Art. 6 (1) lit. f GDPR. Data subjects should note here that in the case of data processing for purposes other than direct marketing, reasons must be given that arise from the specific situation of the data subject. Objections can be sent to us via e-mail to datenschutzbeauftragter@esolutions.de.
If we process personal data on the basis of the consent given by the data subjects, they may withdraw their consent with effect for the future. Withdrawals can be sent to us via e-mail to datenschutzbeauftragter@esolutions.de.
We have separate data protection notices for specific topics, such as the data protection notice for Copilot.