Privacy Notice Concerning IDEX India SaaS Services
1. Information About the Controller
IDEX INDIA PVT LTD, a Private Limited corporation in India with offices located at S14, First Floor, Solitaire Corporate Park, 167, Guru Hargovindji Marg, Chakala, Andheri (East), Mumbai – 400 093, India, (hereinafter ”IDEX India”, “we” or “us”) is the controller within the meaning of the EU General Data Protection Regulation (“GDPR”) for certain processing of your personal data in connection with our SaaS Services (“Services”).
2. Scope of this Privacy Notice
To the extend the GDPR applies to the processing of your personal data (which can in particular be the case if you are located in the European Union or the European Economic Area), we describe how we process your personal data when you are registered for or use one of the Services in this privacy notice. Any rights and obligations described in this privacy notice only apply insofar as the GDPR applies to the processing of personal data.
3. Information About Your Personal Data and Why We Use It
3.1 General description of processing activities: We make the Services available to customers of IDEX India who own and operate a terminal or use a terminal for storage (“Customer”). The Services integrate with other IDEX India software solutions in-stalled on the terminal or its components. This allows the Customer to read/enter da-ta and control certain functions remotely and digitally through its employees who are registered for use of the respective Service. For some of the Services, the Customer has the option to give their own clients direct access to the Service.
IDEX India processes the data of these employees to enable their registration with the service and acts as a controller of the data in this regard. IDEX India processes personal data of the Customer’s clients or employees which are provided in the course of using the Services as a (mere) processor on behalf and as instructed by the Customer, not as a controller. The same applies in regards to any other personal data entered into one of the Services by the Customer.
3.2 Collected data and purposes of processing
3.2.1 User (including admin) information: We collect, and associate with your account, the information provided for your registration as a user. We use your business email address for authentication.
3.2.2 Usage information: We may collect information on how and when you use a Service, meaning the day and time of usage and type of action performed. We do so to properly document the time of relevant usage, to track the correct operation of the Service, to enable workflow management and to make sure the notifications are being sent to the person responsible. Please also see the further purposes of processing below.
3.3 Purposes of processing: We process the personal data for the following purposes
- Fulfilling our contract with our Customer
- Invoicing
- Authentication of Users
- To defend ourselves against legal claims
- Verification of compliance with Master Agreement, in particular license agreement
- IT-security
- Service related communication with you
- To fulfil legal retention obligations
- To enforce applicable statutory obligations or obligations and rights resulting from the legal relationship with the Customer and/or individual users
- To prove our compliance with statutory obligations
3.4 Sources of data: The data we process has been provided either by yourself directly in the course of using the Services.
4. Lawfulness of Data Processing
The legal basis for processing is Art. 6 (1) (f) GDPR, as the processing is necessary for the purposes of fulfilling our contract with our Customer and the further purposes listed in section 2.3, which is a legitimate interest pursued by us. While we bear in mind the interests and fundamental rights and freedoms of you, your need for data protection does not override our interest as specified above.
5. Contact and Data Protection Officer
If you have any questions regarding data protection and the exercise of your rights, you can contact our data protection officer directly via the following contact details:
email: privacy@idexcorp.com
6. Storage Period
6.1 We will erase your personal data when it is no longer required for the purposes mentioned in section 2 subject to retention obligations. If our contract with the Customer is terminated, your personal data will be erased 30 days after the termination.
6.2 We may retain your personal data for the purposes of legal defense and law enforcement for as long as is necessary for the preparation or execution of a possible legal dispute (usually up to four years, whereby the legal dispute itself may inhibit the course of this period)
6.3 If longer retention periods apply after the time period listed above (e.g., because we are obliged to store the data for tax purposes or civil or criminal proceedings were initiated) we will block the data until the end of the respective retention period and then erase it.
7. Sharing Data within IDEX Corporation
Your data will be shared within IDEX Corporation and processed by entities located outside the EU/EEA. If and when transferring your personal data to which the GDPR applies onwards outside the EU/EEA, we will do so using one of the following safeguards:
- the transfer is to a non-EU/EEA country for which has an adequacy decision by the EU Commission exists;
- the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EU/EEA;
- the transfer is to an organization which has implemented Binding Corporate Rules approved by an EU data protection authority; or
- the transfer is covered by other approved safeguards in order to protect your personal data in a degree that equals the level of data protection in the European Union.
International transfers within IDEX Corporation are governed by EU Commission approved Standard Contractual Clauses for controllers (as defined under the GDPR) and, where relevant, for Processors (as defined under the GDPR).
You may request a copy of the standard contractual clauses or other applicable safeguards by contacting privacy@idexcorp.com.
8. Requirements to provide personal data
You are not legally nor by a contract with us obliged to provide us with the personal data. However if you fail to do so, we might not be able to provide you with a user account for any of the Services or provide the Service towards the Customer.
9. Automated decision making
No automated decision-making according to Art. 22(1) and (4) GDPR occurs with respect to your personal data.
10. Recipients of the Personal Data
We might transmit your personal data in parts or as a whole to other entities. This includes (a) authorities, who we are obliged to provide your personal data to, e.g., data protection authorities; (b) auditors or similar external consultants like lawyers or tax advisers and (c) IT service provider including cloud service and subscription service providers who process personal data on our behalf but have to follow our instructions on such processing; these service providers will not be allowed to use your personal data for other than our purposes and will act as data processors.
11. Your Rights as a Data Subject
11.1 You have the right to request from us information on which personal data about you we process at any time. Likewise, if data about you is inaccurate, you have the right to obtain from us rectification of such data without undue delay.
11.2 Under the requirements set out in Art. 17 GDPR you have the right to request from us the erasure of your personal data. In particular, you may ask us to erase personal data, if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the personal data has been unlawfully processed, (iii) you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, (iv) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject or (v) you withdraw your consent on which the processing is based and there is no other legal ground for the processing.
11.3 You have the right to obtain from us restriction of processing, where one of the following applies: (i) The accuracy of the personal data is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal data, (ii) the processing is un-lawful and you oppose the erasure of the personal data and request the restriction of their use instead, (iii) we no longer need the personal data for the purposes of the processing, but are required by you to keep them for the establishment, exercise or defense of legal claims or (iv) you have objected to processing pursuant to Art. 21(1) GDPR and the verification whether our legitimate interests override yours is pending.
11.4 According to Art 20 GDPR you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and ma-chine-readable format.
11.5 Please send your requests to privacy@idexcorp.com.
11.6 Pursuant to Art 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point f) of Art 6 para. 1 GDPR. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.
11.7 In addition, you have the right to complain to a data protection supervisory authority, e.g. in the EU Member State of your habitual residence or your place of work, if you are of the opinion that the processing of your personal data by us violates applicable data protection law.