Data protection
Data protection and data privacy are becoming increasingly important in our connected world. Customers of Software GmbH can trust that their personal data is processed in compliance with data protection and data privacy requirements.
See our FAQ below for how we manage the processing of our customers' personal data and how we ensure that customers can use our products and services in compliance with the requirements applicable to them.
What measures have been implemented to achieve data protection compliant products and services?
All products offered by Software GmbH have been analyzed with regard to how they process personal data, measured against the applicable data protection principles. For future functionality, a release task that checks for data protection compliance has been integrated into the product release cycle, so that new features are reviewed before they ship rather than after.
How are accountability and governance requirements addressed?
Software GmbH has set up a Data Protection Management System (DPMS) which defines clear processes for relevant data protection aspects including the following processes and risk assessments:
- Handle Data Subject Requests
- Handle Data Breach
- Review DPA (Data Processing Agreement)
- Data Privacy Impact Assessment Necessity Check
- Data Privacy Impact Assessment (DPIA)
- Data Breach and Risk Assessment
- Transfer Impact Assessment (TIA)
The established DPMS processes fall within the scope of Software GmbH's ISO 9001 certification and are therefore subject to regular external audits.
Additionally, Software GmbH has implemented a Global Data Protection Policy, which applies to all employees. The objective of this policy is to regulate the legally compliant handling of personal data within Software GmbH and its subsidiaries, and to protect the rights resulting from data protection / privacy regulations of all persons whose data is processed by Software GmbH.
How is Software GmbH processing personal data on behalf of customers?
When Software GmbH processes personal data on behalf of its customers (the data controllers), or when access to personal data cannot be ruled out in the course of service provision, a Data Processing Agreement (DPA) is concluded as a standard process. It addresses in particular the following aspects:
- Customer's instructions: The DPA obliges Software GmbH to process personal data only as instructed by the customer and in compliance with the data protection law applicable to the customer.
- Sub-processors: To provide high availability of support services, Software GmbH involves its affiliates around the world as well as carefully selected external service providers in its support process. These organizations act as sub-processors to our customers. Sub-processors are likewise used for cloud and consulting services in order to provide the highest possible standard of quality, performance and flexibility to our customers.
- Data transfer: As a consequence, service provision usually requires the transfer of personal data to other Software GmbH entities or to external service providers. For any transfer of personal data from the EEA to a country without an adequate level of data protection, the EU Standard Contractual Clauses are in place, and the Transfer Impact Assessment (TIA) process of the DPMS applies. Together these provide the safeguards required to protect customers' personal data in accordance with data protection regulations.
- Data subject requests: As data controllers, Software GmbH's customers may be required under applicable data protection law to provide information upon a data subject's request. If a data subject addresses such a request to Software GmbH directly, we notify the respective customer and respond to the data subject in accordance with the customer's instructions. In addition, we support our customers with appropriate technical and organizational measures so that they can respond to data subjects' requests themselves.
- Data breach notification: In case of a data breach, Software GmbH's customers as the data controllers may be obliged to notify the affected data subjects and / or the supervisory authority. Software GmbH will inform its customers without undue delay once we have documented reason to believe that a data breach has occurred at Software GmbH or at one of our sub-processors. Software GmbH has implemented a data breach handling process that aligns with these notification requirements; it is part of the Data Protection Management System (DPMS).
- Technical and organizational measures: Software GmbH has implemented appropriate Technical and Organizational Measures (TOMs) to protect personal data from unauthorized processing. The TOMs are regularly reviewed and updated if necessary.
Does Software GmbH have a process to handle data breaches?
Yes, we have a Data Breach Handling Process documented in our Data Protection Management System. This process describes how to proceed in case of a personal data breach. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Once a potential data breach is discovered, the relevant business team must report the incident to the Data Protection Team, which decides whether the incident qualifies as a personal data breach. If it does, the Data Protection Team assesses the breach according to its cause, scope and extent and documents the relevant findings. Once the Data Protection Team has assessed the risk to data subjects, the Data Protection Officer decides whether to notify the supervisory authority and, if appropriate, the affected data subjects.
Does Software GmbH have a process to handle data subject requests?
Yes, we have a Data Subject Request Handling Process documented in our Data Protection Management System. This process describes how data subject requests (DSRs) are handled at Software GmbH. Once a DSR is received, it must be forwarded to the Data Protection Team. The Data Protection Team verifies the identity of the data subject and checks with the relevant business teams whether data on that person exists in our systems. If there are doubts as to the identity of the requester, Software GmbH may request further proof of identity (e.g. passport or ID card) or reject the DSR if the proof provided is insufficient; this check protects data subjects from having their data disclosed to an impostor. Once the required information has been provided by the relevant business teams, the Data Protection Team responds to the data subject within the statutory response periods.
Does Software GmbH conduct any privacy risk assessment / impact assessment (DPIA)?
Yes, we have a process for Data Protection Impact Assessments (DPIA), including a DPIA pre-check, documented in our Data Protection Management System. A DPIA is performed for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, or where a supervisory authority requires one. The pre-check determines whether a DPIA is necessary for a given processing activity; if it is, the DPIA is performed and documented. In the DPIA, the Data Protection Team assesses and documents the risk of the processing in terms of its necessity and proportionality and, where appropriate, checks whether there are alternatives that are less intrusive on the rights and freedoms of the data subjects. If a high risk is identified, appropriate technical and organizational measures to mitigate it are identified and selected. The processing activity is carried out only if the risk can be reduced to an acceptable level.
Does Software GmbH have a Data Protection Officer?
Software GmbH has appointed a Corporate Data Protection Officer (CDPO). The CDPO monitors compliance with applicable data protection law and advises on the processing of personal data at Software GmbH, as also set out in the Global Data Protection Policy. The Data Protection Team supports the CDPO in fulfilling these tasks.
Are employees trained in data protection requirements?
Data protection training is mandatory for all staff of Software GmbH. It covers the requirements for compliant processing of personal data as well as adherence to sufficient technical and organizational measures, and it must be refreshed at regular intervals. Completion of the training is monitored, and failure to complete it may result in disciplinary action.
How does Software GmbH comply with changes in data protection requirements?
As data protection requirements change or expand over time through legal amendments and decisions of the responsible supervisory authorities, Software GmbH regularly reviews the processes that form part of our DPMS, as well as our technical and organizational measures, against any new requirements and adapts them accordingly. In addition, our processes are subject to regular external audits as part of our ISO 9001 certification.
- The Software GmbH Privacy Notice for the processing of personal data is available at: Software GmbH Privacy Notice
- The list of Technical and Organizational Measures is available at: Technical and organisational measures (TOMs) | Software GmbH