Data Protection Notice for the Single Sign-on Authentication Service (“K2 SSO”)
We hereby inform you about the processing of your personal data that is collected and processed when you use the single sign-on authentication service (“K2 SSO”), as well as the claims and rights to which you are entitled in accordance with the data protection regulations.
A. Who is responsible for the data processing and to whom can I refer (Data Protection Officer)?
The responsible party is
K2 Systems GmbH (hereinafter referred to as “we”)
Haldenstraße 1, 71272 Renningen-Malmsheim
Fax: +49 (0) 71 59 42 059-177
info@k2-systems.com
Managing Director: Katharina David
You can contact our company data protection officer at
K2 Systems GmbH
Data Protection Officer
Haldenstraße 1, 71272 Renningen-Malmsheim
datenschutz@k2-systems.com
1. What personal data of yours do we process?
a) When calling up this website:
- The server log files (IP address, date and time of your enquiry), time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), operating system and its access status/HTTP status code, data volume transmitted, website the request came from (“referrer URL”), browser, language and version of the browser software (“user agent”), IP address (anonymised by default). This data is not attributable to specific persons especially due to the anonymisation of the IP addresses.
- The identification of cookies used including third-party requests (in particular Google services). See additional information on this below in section B.
b) When registering and using K2 SSO:
Mandatory information includes the first name, surname, e-mail address, password, country, …, language. Voluntary information includes the telephone number (if provided).
In addition, the following information is mandatory when registering a company: company name, street, building number, postcode, country (company location). Voluntary information includes the following: e-mail, phone, website.
2. For what purpose and based on what legal grounds do we process your data?
a) When calling up this website:
- The server log files are part of the so-called access data that we collect when accessing the website. We process this data so that we can take suitable technical measures in the case of an attack or disruption to our website or IT infrastructure, thus ensuring the operation of the website. None of this data is merged with other data sources and this data is only accessed if there is reasonable suspicion of attacks on our infrastructure or for troubleshooting purposes. In this case, we reserve the right to temporarily disable the anonymisation of the IP addresses. The legal basis for this is Art. 6, Para. 1 f) of the GDPR.
- With the help of the cookie identifier, we also receive information on the user behaviour and search queries and can adapt the offers to the interests of the user for any future visits. Additional information on this can be found below in section B. The legal basis for this is Art. 6, para. 1 f) of the GDPR.
b) When registering and using K2 SSO:
We process the mandatory data that you provide for the purpose of creating your user account. We process the collected data in this regard on the basis of Art. 6 para. 1 lit. b) and f) of the GDPR, on the one hand, to create a profile for you and to identify you at each login, and on the other hand, to compare and link your data with the data that we already have in our CRM system. Depending on the service and function that you use on K2 SSO, further data may be collected and then linked to your existing profile data (e.g. order data when you buy products from us).
As part of your registration, you also have the opportunity to provide further information on a voluntary basis (telephone number and/or region). This information is not required for the registration and creation of the user account. However, if you do not provide this information, we may not be able to completely fulfil your wishes when using the user account. If you provide this voluntary information, the processing of this data is based on our legitimate interests in the administration and maintenance of our customer relations as well as in the optimisation of our online offers. The legal basis is Art. 6 para. 1 lit. f) of the GDPR.
We will also process the contact data that you provide as part of your registration to inform you about other comparable and potentially interesting products or services in our range. The data processing in this regard is based on our legitimate interests in the marketing of our products as defined in Art. 6 para. 1 lit. f) of the GDPR. You may at any time object to the use of your contact data for this purpose as described further in section 8 below.
3. Cooperation with order processors and third parties – to whom do we pass on your data?
If we disclose or transmit data to order processors or third parties or grant them access to your data by other means, this is done only on the basis of legal permission (e.g. if the transmission of the data to third parties is required to fulfil a contract, Art. 6, Para. 1 lit. b of the GDPR), if you have given your consent (Art. 6, Para. 1 a) of the GDPR), a legal obligation requires this (Art. 6, Para. 1 c) of the GDPR) or on the basis of our legitimate interests (e.g. when using agents, web hosting companies etc.) in accordance with Art. 6, Para. 1 f) of the GDPR. If we entrust third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 of the GDPR.
We use the following companies as order processors – in addition to the Google services listed in section B – who are bound by an order processing contract in accordance with Art. 28 of the GDPR and strictly committed to comply with the data protection regulations. In particular, these companies are prohibited from disclosing your personal data to third parties outside of this contract or using it for their own purposes:
Userpilot, Inc., 2035 Sunset Lake Road, Newark, Delaware 19702, USA, usability optimisation
With regard to the personal data collected and processed during the website visit and the use of the “K2 SSO” single sign-on authentication service, the hosting takes place on servers of the Microsoft Corporation: Microsoft Azure: Western European location with the server location in Europe.
4. Do we forward personal data on to so-called third countries (countries outside the EU and EEA)?
With regard to the personal data collected and processed during the website visit and the use of the “K2 SSO” single sign-on authentication service, the hosting takes place on servers of the Microsoft Corporation: Microsoft Azure: Western European location with the server location in Europe, i.e. the transfer of data to third countries does not take place in this regard.
Userpilot – interactive pop-ups for user guidance
We offer user guidance for our offers and information based on Userpilot.io, a service of Userpilot.io, Inc. – Yazan Sehwail, 2035 Sunset Lake Road, Newark, Delaware 19702, United States (“Userpilot.io”). Userpilot.io connects to a server of Userpilot.io, Inc. when you visit a page of our website. When activating specific triggers, such as specific buttons or visiting a particular page, you will be provided with instructions on how to navigate the website. In addition, we inform you about news when you visit certain areas of our website with the help of Userpilot. The company then knows your IP address and the page the user has visited. The data is anonymised and then used to analyse and optimise the user guidance. Privacy policy: https://userpilot.io/policy/
5. How long do we store your data?
a) The server log files are deleted automatically after a maximum of 30 days.
Details on the cookies, the length of time that they are stored and how you delete this data can be found below in section B.
b) We store the personal data requested when registering for K2 Base and the additional information requested when using K2 Base until the user deletes the account. The user accounts of users who have not logged into their account for twelve years, and with them the above-mentioned personal data, are deleted automatically after prior notification by e-mail.
6. Is it obligatory to provide personal data?
There is no obligation to provide the data. However, it is not possible to register for or use the K2 SSO user service if you do not provide the data.
7. Do we use your data to perform so-called “profiling”?
We do not use automated decision-making including profiling within the scope of operating this website and using K2 SSO in accordance with Art. 22 of the GDPR.
8. What rights do you have?
You have the right at any time to request a confirmation on whether we are processing your personal data and the right to receive information on this personal data (Art. 15 of the GDPR). In addition, you have the right to rectification (Art. 16 of the GDPR), deletion (Art. 17 of the GDPR), restriction of data processing (Art. 18 of the GDPR) as well as the right to data portability (Art. 20 of the GDPR).
Information about your right to object according to Art. 21 of the GDPR
You have the right on grounds relating to your personal situation to file an objection to the processing of personal data pertaining to you on the basis of Art. 6, Para. 1 e) of the GDPR (data processing in the public interest) or Art. 6, Para. 1 f) of the GDPR (data processing on the basis of a balance of interests).
If you file an objection, we will no longer process your personal data unless we can prove legitimate grounds for doing so, which outweigh your interests, rights and freedoms or the processing of the data is used to establish, exercise or defend legal claims.
This right of objection mainly affects the processing of the data collected when calling up this website and the data collected within the scope of using Google Analytics as well as the other Google services.
You can assert all rights with respect to us by e-mail at datenschutz@k2-systems.com or using the contact details listed in the section entitled “The responsible party is”.
In addition, you have the right to contact the competent data protection supervisory authority in the case of complaints in accordance with Art. 77 of the GDPR. The competent supervisory authority for us is the State Officer for Data Protection and Freedom of Information (Landesbeauftragter für den Datenschutz und die Informationsfreiheit) in Baden-Wuerttemberg, Königstraße 10a, 70173 Stuttgart, Germany. In general, you can also contact the competent data protection supervisory authority for your usual place of residence.
B. Use of cookies – opportunities for revocation and objection
The website uses the Userpilot analytics tool, where cookies are used and your IP address is collected, amongst other things. The analytics tool provides you with instructions on how to navigate the website when you visit a page on our website. In addition, we inform you about news when you visit certain areas of our website with the help of Userpilot. The use of the analytics tool is for user guidance and to learn how to improve our services. The legal basis for this is Art. 6, para. 1 f) of the GDPR.
The following section provides you with details on the provider, the operating principle as well as the details on how you can object to the processing of your personal data with regard to our website and/or delete the personal data collected here.
1. Deletion of cookies and the do-not-track setting
You can delete individual cookies or all cookies through your browser settings. In addition, you can obtain information and instructions on how you can delete these cookies or block their storage in advance depending on your browser provider, using the following links:
- Mozilla Firefox
- Internet Explorer
- Google Chrome
- Opera
- Safari
You can also individually manage the cookies of many companies and functions used for advertising purposes. Use the appropriate user tools for this, available at aboutads.info choices or Your Online Choices.
Most browsers also offer a “Do-not-track” function where you can specify that you do not want to be “followed” by websites. If this function is enabled, the respective browser informs advertising networks, websites and applications that you do not want to be followed for the purpose of behaviour-based advertising and the like. You can obtain information and instructions on how you can edit this function depending on your browser provider, using the following links:
- Mozilla Firefox
- Internet Explorer
- Google Chrome
- Opera
- Safari
2. Information about cookies
- Name: connect.id
- Provider: K2
- Purpose: storing the session
- Expiry date: session
- Name: userpilot
- Provider: userpilot.io
- Purpose: user guidance
- Expiry date: 7 days
Additional information
Your trust is important to us. Therefore we are happy to talk to you at any time and answer questions relating to the processing of your personal data. If you have any questions that were not answered by this privacy statement or you wish to receive more detailed information on any aspect of it, please contact our Data Protection Officer at any time, using the contact details indicated above.
Version 1.0 (Status: 13.05.2022)