IREKSbox

Data protection information on the “IREKSBox” data exchange platform

Information on the processing of your data in accordance with Art. 13 and Art. 14 of the European General Data Protection Regulation (GDPR)
References to legal regulations refer to the European General Data Protection Regulation (GDPR) and the Bavarian Data Protection Act (BayDSG) in the version applicable from 15 May 2018.

1    Scope
This data protection information applies to the users of the data exchange platform IREKSBox, hereinafter referred to as the platform, of IREKS GmbH, hereinafter referred to as IREKS, and the personal data processed via this platform. IREKS is the operator of the platform. For websites of other providers, to which reference is made e.g. via links in documents made available, the data protection notices and declarations there apply.

2    Responsibility
Responsible within the meaning of the GDPR for the processing of personal data on the platform is the

IREKS GmbH
Lichtenfelser Str. 20
95326 Kulmbach
Germany
Phone: +49 9221 706-0
Email: info@ireks.com

3    Data Protection Officer
You can reach our data protection officer as follows:

Mr Christian Volkmer
Projekt 29 GmbH & Co KG
Ostengasse 14
93047 Regensburg
Germany
Phone: +49 941 2986930
Fax: +49 941 29869316
Email: datenschutz@ireks.com
Internet: www.projekt29.de

4    Handling of your data
4.1    Personal data
According to Art. 4 GDPR, personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more personal characteristics that are an expression of that natural person's physical, physiological, genetic, mental, economic, cultural or social identity.

4.2    Registration on the platform
When a user registers, the following data is processed for the purpose of providing and using the platform (uploading and / or downloading data):
•    Name
•    First name
•    E-mail = Login name
•    Optional phone number
•    Authentication method
•    User name in the system (depending on the authentication method)
•    2FA decision (yes/no)
•    Password (encrypted, only known to the user himself)

IREKS receives this data voluntarily from you, the user.
A registered user can request his deregistration on the platform at any time. The user orders the deregistration without notice and formless with a responsible administrator of IREKS. IREKS is responsible for the deletion of the data. The use of the platform is only possible by providing the above mentioned data.
In addition to registered users, non-registered users can also upload or download files. Such a possibility can be provided by registered users by sending links.

IREKS does not pass on user data to third parties or compare it with other data. A forwarding to third countries does not take place, either.

4.3    Usage data
For each action in the application, the following data is processed to ensure traceability and thus secure technical operation (activity logging):

•    User name (if action requires user login)
•    Date and time of the request
•    Name of the function used and references to retrieved objects (usually files)
•    Access status (file transferred, file not found, etc)
•    Web browser and operating system used
•    Complete IP address of the requesting computer
•    Volume of data transferred

For reasons of data security and data protection, i.e. in order to be able to clarify unauthorised access or prevent misuse, the complete IP address of the requesting computer as well as the e-mail address (also in the case of actions by unlicensed users) are recorded on the webserver of the subcontractor, stored and automatically deleted 30 days after the end of the access.
Other data will be deleted after 30 days after deletion of the user profile.

4.4    Purposes and legal bases
We process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018, as amended:

•    for the fulfilment of (pre-)contractual obligations (Art. 6 para. 1lit.b GDPR):
The platform is used for the exchange of data in file form (file sharing) between the partners involved in order to fulfil contractual obligations or in the initiation phase of a contract.

•    for the protection of legitimate interests (Art. 6 para. 1 lit.f GDPR):
Based on a balancing of interests, data processing may take place beyond the actual fulfilment of the contract in order to protect the legitimate interests of us or third parties. Data processing for the protection of legitimate interests occurs, for example, in the following cases: Retention of project documentation such as specifications, requirements specifications, operating instructions, design documentation; commercial documents such as contracts, license documents.

4.5    Platform operation, maintenance and care
A contractual relationship exists with a subcontractor in connection with the provision of the platform, its operation and the maintenance and servicing of the platform. A data processing agreement (DPA) exists with this subcontractor. It stipulates that the subcontractor is not permitted to access the file contents of the user's data.

5    Your rights
As a user of our platform, you have various rights vis-à-vis IREKS, which arise in particular from Art. 15 to 18, Art. 21 GDPR:

5.1    Right to information
You can request information about your personal data processed by us in accordance with Art. 15 GDPR, subject to the restrictions of Art. 10 BayDSG. In your request for information, you should specify your request in order to make it easier for us to compile the necessary data and to avoid queries.

5.2    Right of rectification
If the information concerning you is not (or no longer) correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.

5.3    Right of cancellation
Under the conditions of Art. 17 GDPR you can demand the deletion of your personal data.

5.4    Right to restrict processing
Within the framework of the requirements of Art. 18 GDPR, you have the right to demand a restriction of the processing of the data concerning you.

5.5    Right to object
In accordance with Art. 21 GDPR, you have the right to object to the processing of data relating to you at any time for reasons arising from your particular situation. However, should legal regulations conflict with this request, it cannot be complied with or only to a limited extent.

5.6    Right of appeal
If you are of the opinion that we have not complied with data protection regulations when processing your data, you can lodge a complaint with the supervisory authority responsible for you in accordance with Art. 77 GDPR. For us, this is the Bayerische Landesamt für Datenschutz, Promenade 18, 91522 Ansbach (www.lda.bayern.de/de/index.html).  
General information on data protection at IREKS can also be found on our website (www.ireks.de/datenschutz.htm).

5.7    Withdrawal of consent
If the collection or processing of your personal data is based on consent pursuant to Art. 7 GDPR, you may revoke your consent at any time with effect for the future. The lawfulness of the processing carried out until the revocation remains unaffected in the event of revocation.