Privacy Notice

This Privacy Notice describes the processing of personal data by SAG ARIS GmbH and its subsidiaries (‘ARIS’ ‘we’, ‘us’, ‘our’).

Personal data is information that may identify you, such as your name or email address.
This Privacy Notice applies to the processing of your personal data in the following cases:

• use of Online Services
• performance of the business relationship
• marketing and communication
• job application

This Privacy Notice does not apply when we process personal data as a processor (see Section 9).

We may change this Privacy Notice at any time.

1.  Who is the data controller and how can you contact the Data Protection Officer?

SAG ARIS GmbH, Altenkesseler Straße 17, 66115 Saarbrücken, Germany is generally the data controller for the processing of your personal data. If you are a customer or applicant, the controller is the respective ARIS company, which is your contractual partner.

You can contact ARIS’ Data Protection Officer as follows:

Software GmbH
Data Protection Officer
Uhlandstraße 12
64297 Darmstadt
Germany
E-Mail: dataprotection@softwareag.com

2.  What personal data do we process?

Below you find a list of the categories of personal data we are processing:

• Contact details: Name, email address, phone number, address;
• Business data: Company, job title, business address, billing-related data;
• Metadata: IP address, operating system, internet browser, URL of the website from which the Online Service was accessed, accessed pages of the Online Service, duration of use (incl. date and time);
• Login data: User name, password;
• Marketing data: Use of information and advertising material, product training, data in the context of participation in events or webinars (e.g. registration, photos, videos), information about Online Services and products used (e.g., user behavior);
• Job application data: Resumes, cover letters, documents needed for identification, date of birth and other data processed in connection with a job application.

Special categories of personal data, such as health data, trade union membership, religious affiliation, are only processed if provided by you and based on your consent or if required by law.

In general, we collect personal data directly from you. But we may also obtain such data from our business partners, your employer or from public sources.

If we receive personal data from customers or other business partners, they are responsible for ensuring that this is done in accordance with applicable data protection laws.

3.  For what purposes do we process your personal data and on what legal basis?

Below we explain for what purposes and on what legal basis we process your personal data:

Use of Online Services

In order to provide our websites, cloud products or other web-based services (“Online Services”) in a secure and stable manner, and (if applicable) for contractual use, as well as to be able to recognize and detect unlawful behavior, we process login, meta and contact data. On the one hand, this is in our legitimate interest and, on the other hand, may be necessary to fulfill a legal obligation or to fulfill a contractual relationship with you. Furthermore, we are interested in continuously improving our Online Services and user experience. For this purpose, we process information about your use of our Online Services (“Metadata”). In particular, we analyze popular or unused functions as well as settings for functions, which is in our legitimate interest. If required by law, a personal analysis of your user behavior will only take place if you have previously consented to this. Our Online Services may include integrated content or links to content provided by third parties, such as videos. This Privacy Notice does not apply to third parties that provide such content.

Performance of the business relationship

To carry out the business relationship and manage our customers, business partners and interested parties, we process contact and business data about our contact persons and any communication with them. This is in our legitimate interest or is necessary for the fulfillment of the existing contract. Furthermore, the processing of this data may be necessary for the fulfillment of a legal obligation.

Marketing and communication

To inform you about our products, product trainings, services, events, technical and commercial news, forums, other networking opportunities and to respond to your requests to us, contact, marketing, business, login and metadata are processed.

In the context of participation in marketing campaigns, events, product trainings and webinars, the use of marketing information may be analyzed for the continuous improvement of products and services. Such analyses may include, but are not limited to, opening or clicking links in emails and the duration of participation in webinars or product trainings. Contact, meta and marketing data are processed for this purpose.

To communicate with us, for example by email or chat, and to respond to your inquiries, contact and business data are processed.

To enable the use of our forums and portals, contact, meta and login data are processed.
Processing your personal data for the aforementioned purposes is in general in our legitimate interest. If required by law, we will only process your personal data for these purposes if you have given your prior consent.

To be able to recognize and detect any illegal behavior when using our Online Services, the processing of the aforementioned data may also be necessary to comply with a legal obligation.

Job application

Application data is required for applicant management to fill any vacancies. On the one hand, this is necessary to carry out the application process and to establish an employment relationship. On the other hand, we may process this data to fulfill our legal obligations.

4.  What are cookies and how are they processed?

Through the use of cookies and similar technologies (‘Cookies’), we process data which may also include personal data. The aim is to optimize our website and Online Services, to control their use, to adapt them to your interests and needs and to keep you informed about our products and services. Below we describe the types of cookies used on our websites, including their purposes.

We use the following types of cookies on our websites:

• required cookies,
• functional cookies, and
• advertising cookies.

Required cookies are necessary for the use of the website and enable, for example, navigation on the website. Functional cookies enhance your personal experience on the website and advertising cookies collect information about your online activities to enable personalized advertising. Functional and advertising cookies are only used if you consent to it.

You can choose how we use functional and advertising cookies by changing the cookie settings. To do so, please go to “Cookie preferences”. In the cookie settings, you will also find an overview of the third parties that place cookies on our websites. In addition, you can control and restrict the placement of cookies via the browser settings. In this context, you can also delete existing cookies. However, deselecting functional and advertising cookies may lead to a restriction of the functionalities of our websites. Required cookies are set automatically and cannot be deselected, otherwise the websites would not work properly.

5.  How do we share your data and how is it transferred to third countries?

We only share your personal data with recipients if this is necessary for fulfillment of the respective purposes. Your personal data may be transferred to and processed by:

• our subsidiaries to fulfill the purposes stated in this Privacy Notice;
• service providers, to provide IT and system administration, hosting, analytics, marketing, and customer purchase management services in accordance with the purposes stated above;
• our customers, if they provide you with access to our Online Services or if the transfer is necessary to resolve suspicious account activity or contract terms;
• third parties who operate forums, portals, product trainings, marketing activities, or host events. In some countries, your prior consent is required and will be requested at the appropriate place. Details will be available there;
• consultants, to pursue our legitimate interests or to comply with legal requirements;
• users of our forums and portals, as far as posts and comments submitted by you are concerned;
• third parties in cases where we are legally obligated or have a final judgment, and when we are enforcing our rights or defending against claims.

All service providers who work for us as so-called data processors are contractually obligated to process personal data exclusively according to our instructions. These service providers do not use your personal data for their own purposes.

The transfer of personal data to recipients located in a country outside the EEA for which the EU Commission has not issued an adequacy decision is based on the EU Standard Contractual Clauses.

6.  How long do we store your personal data?

We will delete or anonymize your personal data as soon as it is no longer required for the purposes stated in this Privacy Notice, or if you have requested us to do so and there is a right to data deletion. An exception may occur if legal retention obligations require a storage period that deviates from this.

If you have applied for a job or provided your data for future job postings, we may keep your personal data for up to one year after the last activity. This could be any activity, for example when we had to send you a rejection, or if you logged into your candidate account. If we were unable to consider your application, but your application was interesting to us, the recruiter may move your record to a candidate pool, which is exempt from purge. You will be notified by email, when this is the case. If you do not agree with the further storage of your data, you can simply send us an email reply and your data will be purged.

7.  Which rights do you have?

You may contact us at any time and free of charge to exercise your following rights:

• Information about your processed personal data;
• Correction of inaccurate or incomplete personal data;
• Deletion of your personal data;
• Restriction of the processing of your personal data if you dispute the accuracy of the data;
• Obtaining your personal data provided to us in a structured, common and machine-readable format or transferring it to another controller;
• Revocation of your consent;
• Objection to the processing of your personal data.

In addition, you have the right to file a complaint with a supervisory authority (for more details, see section 11).

8.  To whom can you address your right to object to the processing of personal data?

An objection to processing based on our legitimate interest may be lodged at any time. In this case, processing will be terminated unless it serves our compelling interests that are worthy of protection and outweigh your interests.

Please direct corresponding inquiries to the contact details provided in this Privacy Notice.

9.  Who can you contact if we process your personal data as a processor on behalf of a customer?

Your personal data may be processed as part of the Online Services that we provide to customers. The customer is responsible for compliance with the protection of your personal data processed when using these services in its role as a so-called data controller. This Privacy Notice does not apply where we process personal data as a processor in direct connection with the provision of our services on behalf of a customer.

In this case, please address your inquiries directly to the relevant controller.

10.  Local regulations

For residents of Brazil, California and South Africa, the respective local privacy notices apply in addition to this Privacy Notice.

• California
• Brazil
• South Africa

11.  Where can you address complaints to?

You have a right of appeal to the data protection supervisory authorities pursuant to Art. 77 GDPR. The competent supervisory authority for ARIS GmbH is:

Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Str. 12
66111 Saarbrücken
Germany
Telephone: +49 0681 94781-0