Privacy policy for Seismic

We use Seismic for our digital marketing activities. Seismic is an American service provider with headquarters in the USA (Seismic Software Inc., 12390 El Camino Real, San Diego, California, 92130 USA).

We use Seismic as a sales enablement platform to provide Endress+Hauser customers and potential customers, suppliers, distributors and business partner with selected marketing and information material.

Below we inform you in accordance with the General Data Protection Regulation (GDPR) about the types of personal data processed by us and by third parties when using Seismic, with whom we share this data, the legal basis and your rights as a data subject. This Privacy policy applies within the territorial scope of the GDPR (Art. 3 GDPR).

The Endress+Hauser company that has provided you with the information via Seismic is the responsible controller in the sense of Art. 4 (7) GDPR, meaning the company the determines the purposes and means of the processing of personal data (“Controller”).

Further information regarding the Controller, and if applicable, the data protection officer as well as the competent supervisory authority can be found on the respective Endress+Hauser country website (www.endress.com) under the tab "Data protection notice".

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the EU General Data Protection Regulation (GDPR) in relation to goods and services we offer to individuals and our wider operations in the European Union (EU).

The categories of personal data processed include:

•      Master data (such as your name, your telephone number, your job title, the name of your employer, your postal address, your e-mail addresses);

•      Your search queries and the content you have viewed using the services;

•      Information about your online behavior and activities, such as browsing the Seismic solution;

•      Geolocation and automatically collected information such as IP addresses and the type of device or operating system used to access the services.

•      We also collect personal data from authorised users and account administrators of our clients (typically their employees or agents) to provide them with accounts to access the Services. This data is specifically login and profile data (such as user name, password, contact details, employer, job title and other relevant details).

We process personal data which we have obtained from business relationships or enquiries. As a rule, we receive this data directly from the contractual partner or a person making an enquiry. However, personal data may also originate from public sources (e.g. commercial register), provided that the processing of this data is permitted.

Data may also have been legitimately transmitted to us by other companies, such as affiliated companies. Depending on the individual case, we also store our own information on this data (e.g. as part of an ongoing business relationship).

Seismic is a sales enablement platform to provide Endress+Hauser customers and potential customers, suppliers, distributors and business partners with selected marketing information material. The aim is to improve the sales process and provide the exact information and documents you are looking for. We use Seismic as Sales Content Management to create, maintain and manage content within the Endress+Hauser world.

In this context, we use your personal data for the following commercial or business purposes:

a) For the fulfilment of contractual obligations (Art. 6 (1) b) GDPR)

We process personal data primarily for the fulfilment of contractual obligations and the provision of related services or in the context of a corresponding contract initiation.

The data processing serves the following purposes in particular:

• Contract initiation, fulfilment and settlement;

• Communicate with our contacts about products, services and promotions;

• Support, in particular answering enquiries from our contact persons;

• Planning, implementation and management of the business relationship with our contacts.

b) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Art. 6 (1) f) GDPR)

To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties, namely:

• Direct marketing to existing customers, unless you have objected to the use of your data;

• Data processing for security, quality assurance and process optimization: for (data) security purposes (e.g. for the purpose of detecting criminal offences or misuse), for compiling statistics and for quality assurance, process optimization and planning security. The data controller has a legitimate interest in this processing with regard to ensuring a smooth process and the continuous improvement of the respective products and services.

c) Based on your consent (Art. 6 (1) a) GDPR)

If you have given us your consent, we analyze the data processed, in particular your user behavior, e.g. what information you have downloaded, your search queries and the content you have viewed with the services. From this, we create personalized content and communications that we can send to you. For this we need your consent. Consent given can be revoked at any time with effect for the future.

We process personal data of our customers and potential customers, suppliers, distributors, agents and all business partners who make enquiries to us or to whom we proactively provide relevant information via Seismic Live Link.

(1) Apart from the cases described in this data protection declaration and unless otherwise regulated in additional data protection declarations, your personal data will not be passed on to third parties or otherwise disseminated without your express consent.

(2) Within the responsible Endress+Hauser company, access to your data is granted to those offices that need it to fulfil our contractual and legal obligations or to protect legitimate interests. Furthermore, affiliated companies of the Endress+Hauser Group as well as service providers and vicarious agents employed by us and authorities or third parties may receive data for these purposes.

Service providers, vicarious agents, etc. commissioned by us will be contractually obliged to comply with the applicable data protection laws.

(1) Data is only transferred to third countries (outside the EU) within the scope of the GDPR. In particular, insofar as this is necessary for the execution of your orders, is required by law (e.g. reporting obligations under tax law), you have given us your consent or within the framework of order processing. Furthermore, we transmit data to affiliated companies for the purpose of legitimate interests.

(2) In the event of the transfer of personal data to third countries, we ensure an appropriate level of data protection, e.g. by means of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g. for Switzerland) or compliance with recognized special contractual obligations (so-called "EU standard contractual clauses").

(3) Seismic processes data in the USA, among other countries, under a commissioned processing agreement based on the new EU standard contractual clauses (Module 2). The processing is carried out for the purposes stated in section 3 herein. Seismic also processes data for its own purposes. The details are described in Seismic's privacy policy.

Under data protection laws, we can only transfer your personal data to a country outside the Union/EEA where:

• In the case of transfers subject to Union data protection laws, in particular the GDPR the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.

• There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or

• a specific exception applies under relevant data protection law.

An automatic decision-making process or profiling in the sense of Art. 22 GDPR does not take place.

We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. We delete your personal data as soon as they are no longer required for the above-mentioned purposes (Art. 17 GDPR). Personal data may be retained for the period during which claims can be asserted against affiliated Endress+Hauser companies (statutory limitation periods). We also store your personal data insofar as we are legally obliged to do so.

We also store business-relevant documents and e-mails for the purpose of legally secure archiving for tax purposes and documentation for the defence against unjustified claims and the enforcement of claims.

If the processing of your personal data is covered by the GDPR, you have the following rights, otherwise the legal provisions applicable to the processing apply.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller. If you would like to exercise your rights or would like more information, please contact the data controller or the data protection officer:

a) Rights according to Art. 15 ff. GDPR

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has a right of access to those personal data and to the information specified in Article 15 of the GDPR.

Under certain legal conditions, you have the right to rectification under Article 16 GDPR, the right to restriction of processing under Article 18 GDPR and the right to erasure ("right to be forgotten") under Article 17 GDPR.

In addition, you have the right to receive the data you have provided in a structured, common and machine-readable format (right to data portability) in accordance with Article 20 GDPR, insofar as the processing is carried out with the help of automated procedures and is based on consent in accordance with Article 6 (1) a) or Article 9 (2) a) or on a contract in accordance with Article 6 (1) b) GDPR.

b) Withdrawal of consent pursuant to Art. 7 (3) GDPR

If the processing is based on consent, you can withdraw your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

c) Right of appeal

You have the possibility to contact us or a data protection supervisory authority with a complaint (Article 77 GDPR). Information regarding the company responsible for processing your data and, if applicable, the data protection officer as well as the competent supervisory authority can be found on our website.

d) Right to object to the processing of data for advertising purposes pursuant to Art. 21 of the GDPR

In individual cases, we process your personal data in order to carry out direct advertising based on legitimate interests. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is related to such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.