Information to Residents in the European Economic Area and the UK
Effective Date: September 29, 2023
This GDPR Privacy Addendum supplements our Statement and applies to residents of the European Economic Area, i.e. the European Union plus Iceland, Norway, and Lichtenstein, as well as to residents of the United Kingdom.
The data controller pursuant to Art. 4 No. 7 General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation and the Data Protection Act of 2018 (collectively, the “GDPR”) is BAND-IT-IDEX, Inc, a company with its principal place of business at 4799 Dahlia St, Denver, CO 80216, USA and which can be contacted at the following email address: BID.firstname.lastname@example.org or email@example.com.
1. Processing of Personal Data
The types of information about you that we process and the purposes for that processing is described in our Statement. As described in our Statement we process personal data for different purposes. The legal bases according to the GDPR for such processing are listed below (Please see our Cookie Notice for information about processing of data derived from cookies):”
|Processing purposes||Lawful basis|
||We only process this kind of cookie or similar tracking data if you have given us your prior consent (Art. 6 (1) (a) GDPR).|
||These data are processed on the basis of statutory regulations, which allow us to process personal data to the extent necessary for the use of a service (Art. 6 (1)(b) GDPR) or because we have a predominant legitimate interest in providing you with, or optimize the functions on our presences on social media (Art. 6 (1)(f) GDPR), as well as your consent vis-á-vis the respective operator of the social media platform (Art. 6 (1)(a) GDPR). We might act as joint controller with the respective social media site. For further information, please see Section 2 below.|
||This data is processed on the basis of statutory provisions which allow us to process personal data to the extent necessary for the use of a service or the performance of a contract (Art. 6 (1) (b) GDPR), any processing for these purposes that is not necessary for the use of our website and the functions provided on the website is necessary for pursuing our or a third party’s legitimate interests which are not overridden by the interests or fundamental rights and freedoms of the users which require the protection of personal data (Art. 6 (1) (f) GDPR). Insofar as the processing is based on our legitimate interests, such interests are running a stable and efficient website, having a good customer service, employing people, making our business processes more efficient and improving our business and services.|
||The personal data is processed for pursuing our or a third party’s legitimate interests which are not overridden by the interests or fundamental rights and freedoms of the users which require the protection of personal data (Art. 6 (1) (f) GDPR). The legitimate interests are running a user-friendly website, improving our offers by tailoring our offers to the individual user, running a secure and stable website, making our business processes more efficient and pursuing our legal rights.|
||Depending on the individual case such communication can be based on different legal bases. We might provide you with certain information based on a declaration of consent (Art. 6 (1) (a) GDPR), we might also provide you the information because you have subscribed to a specific service in which case the processing is necessary for the performance of a contract with you (Art. 6 (1) (b) GDPR). Certain communication might also be based on our legitimate interest to provide tailored marketing information to the users of the Sites (Art. 6 (1) (f) GDPR).|
||The legal basis will depend on the individual case.|
2. Social Media
For users located in the European Economic Area and Switzerland, LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland”). The privacy statement of LinkedIn Ireland can be accessed here:
https://de.linkedin.com/legal/privacy-policy?trk=organization-guest_footer-privacy-policy. In it, you will also find information on the privacy setting options for your LinkedIn profile.
We are also jointly responsible with LinkedIn Ireland for the processing of so-called Page Insights data when people visit our LinkedIn company page. For this purpose, we have concluded a joint processing responsibility agreement with LinkedIn Ireland, which can be accessed here: https://legal.linkedin.com/pages-joint-controller-addendum. LinkedIn Ireland undertakes, among other things, to assume primary responsibility under the GDPR for the processing of Page Insights Data and to comply with all obligations under the GDPR with respect to the processing of Page Insights Data. We receive non-personal information and analytics about the use of our account or interactions with our posts from LinkedIn Ireland as part of so-called Page Insights. With this information, we can analyze and optimize the effectiveness of our LinkedIn activities. For this purpose, LinkedIn Ireland processes in particular data that you have provided to LinkedIn Ireland via the information in your profile. This especially includes the following data:
- occupational data,
- company size, and
- employment status.
In addition, LinkedIn Ireland will process information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page.
Twitter is operated by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (“Twitter”). The privacy statement of Twitter can be accessed here: http://twitter.com/privacy. Further setting options can be found at https://twitter.com/personalization.
Twitter also transfers personal data to the USA and other third countries outside the European Economic Area for which there is no EU Commission adequacy decision. Further information can be found here: https://twitter.com/de/privacy.
You can change your privacy settings on Twitter in the account settings at: http://twitter.com/account/settings.
3. Retention Periods
We delete or anonymize your personal data as soon as it is no longer required for the purpose for which we processed it.
In general, we store your personal data for the duration of the usage or the contractual relationship via the website plus a period of 15 days for IT security purposes. We store general web log files for a period of one year and for analytical information, we store the data for three years.
In the event that you have given us your consent to process your data (e.g. for marketing purposes including the associated profiling), we will store your data until you revoke your consent or the processing purpose does not apply anymore.
For the retention period of cookies and other tracking, please refer to the details in our Cookie Notice.
After these periods have expired, the data will be erased unless this data is required for a longer period due to legal retention periods, alternative purposes or for criminal prosecution. Beyond these retention periods, we may retain the data for the purposes of legal defense and law enforcement for as long as is necessary for the preparation or execution of a possible legal dispute (usually up to four years, whereby the legal dispute itself may inhibit the course of this period). If data can be stored for these reasons, it will be blocked. The data will then no longer be available for further use.
4. Rights of Residents in the European Economic Area and the United Kingdom
The GDPR provides you with certain rights in relation to the processing of your personal data. These rights are subject to various conditions under the GDPR and/or your countries specific implementation of the GDPR.
- Request access to personal data about you (commonly known as a “data subject access re-quest”). This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it.
- Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request personal data provided by you to be transferred in machine-readable format (“data portability”).
- Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no valid reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).
- Withdraw your consent. You may withdraw your consent at any time by sending an email request to BID.firstname.lastname@example.org or email@example.com. You may also disable some types of cookies of our website directly through this site’s Advanced Cookie Settings control panel. Click the button below to access the control panel. The withdrawal does not affect the lawfulness of the prior processing.
- Lodge a complaint with a supervisory authority. You have the right to make a complaint with a data protection authority.
RIGHT OF OBJECTION. YOU HAVE THE RIGHT; FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA ON THE BASIS OF ART. 6 (1) (e) OR (f) OF THE GDPR. WE WILL STOP PROCESSING YOUR PERSONAL DATA UNLESS WE CAN PROVE COMPELLING REASONS FOR PROCESSING WORTHY OF PROTECTION WHICH OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS.
5. Obligation to Provide Personal Data
You are under no contractual or statutory obligation to provide personal data. However, if you do not provide the personal data we require to process your request (e.g. when you contact us with questions about our products), we may not be able to respond to such request.
6. Automated Decision-Making
No automated decision- making as referred to in Art. 22 GDPR occurs on the Sites.
7. International Data Transfers
As BAND-IT IDEX, Inc. operates internationally, we may make your information available to companies and/or branches within our group which may be located outside of the U.S., including in countries which may not provide the same level of protection of your information as in your home jurisdiction. In some countries, the federal, state, local, provincial, or other governments, courts, and law enforcement or other regulatory agencies may be able to obtain disclosure of your information through their laws.
If and when transferring your personal data to which the GDPR applies onwards outside the EU/EEA or the United Kingdom, we will do so using one of the following safeguards:
- the transfer is to a non-EU/EEA country which has an adequacy decision by the EU Commission and/or is covered by UK “adequacy regulations” (as applicable);
- the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EU/EEA and/or the United Kingdom;
- the transfer is to an organization which has Binding Corporate Rules approved by an EU data protection authority or the Information Commissioner’s Office in the United Kingdom (as applicable); or
- the transfer is covered by other approved safeguards in order to protect your personal data in a degree that equals the level of data protection in the European Union and/or the United Kingdom (as applicable).
International transfers within BAND-IT-IDEX are governed by Standard Contractual Clauses (as defined under the GDPR) approved by the EU Commission and/or the Information Commissioner’s Office in the United Kingdom.
8. Contact Information
If you have any questions or comments about this GDPR Privacy Addendum, the ways in which BAND-IT-IDEX, Inc. collects and uses your information described above and in the Statement, your choices and rights regarding such use, or wish to exercise your rights under the GDPR, please do not hesitate to contact us at:
To Contact BAND-IT-IDEX, Inc.:
Postal Address: 4799 Dahlia St, Denver, CO 80216
To Contact IDEX:
Attn: Legal Department: Compliance/Privacy
3100 Sanders Road, Suite 301
Northbrook, IL 60062, USA