Status: April 2025

This Notice applies to the processing of personal data of natural persons resident in the EEA/UK with whom we have a business relationship, including but not limited to representatives and employees of project, cooperation and contractual partners, suppliers, service providers, external consultants and visitors to our business premises ("Business Partners").

By providing you with this information, we are fulfilling our duty to inform you in accordance with the GDPR. Please note that this information does not grant you any rights or impose any obligations on you that are not granted or imposed by law.

Controller
Nemetschek SE
Konrad-Zuse-Platz 1
81829 Munich
Germany
 

Data protection officer of the controller

intersoft consulting services AG
Reachable by e-mail via:
[email protected]

We collect your personal data either directly from you (e.g. when you contact us) or receive it (i) from your employer/client or (ii) from another company with which you have had a business relationship, including one of our group companies, e.. as part of a corporate transaction. 

In general, we only process the following categories of personal data of our business partners:

• Contact details such as name, company address, business e-mail address and telephone number, business fax number;
• Professional details such as company name, position, job title, authorizations (e.g. to receive notifications regarding the relationship between your employer/client and us or to conclude contracts);
• Communication, such as correspondence by e-mail or SMS;
• Details of business transactions, such as orders, contracts, license agreements
• Contract and billing data.

You are generally not required to provide your personal data to us. However, if you do not provide your personal data, we might not be able to carry out certain processes (e.g., we will be unable to call you back if you do not provide us with your business phone number). In some cases, this may mean that we will be unable to continue with your engagement (in case we concluded or intend to conclude a contract with you) or that your employer / commissioner will not be able to deploy you as a point of contact for us. 

We process your personal data to administer and manage the relationship between us and you or your employer/client, to operate our business and to comply with our legal obligations.

More specifically, we process your personal data for the following purposes and rely on the listed legal bases. Where relevant, the legitimate interest is included in the table below as well.

The relevant legal bases are:

• Performance of a contract (Art. 6 (1) (b) GDPR);
• Compliance with legal obligations (Art. 6 (1) (c) GDPR);
• Protection of vital interests of you or of another natural person (Art. 6 (1) (d) GDPR);
• Legitimate interests (Art. 6 (1) (f) GDPR); and
• Consent (Art. 6 (1) (a), Art. 7 GDPR).

In some cases, your personal data may be processed on the basis of your voluntarily given consent (Art. 6 para. 1 lit. a, Art. 7 GDPR). You will be informed about the purposes of such processing before you are asked for your consent.

For certain processing activities of your personal data, there is joint controllership between us and the partners listed below in accordance with Art. 26 GDPR. We have listed the processing activities and purposes of processing under joint controllership for you below. You can contact any of the joint controllers to exercise your rights.

The joint controllers have defined in an agreement which of them fulfills which obligations under the GDPR. We will be happy to provide you with the essentials of this agreement on request. 

Only authorized Nemetschek employees with appropriate responsibility have access to your personal data. In addition, we may disclose your personal data to service providers who process personal data as so-called processors on our behalf and in accordance with our instructions in order to provide their professional services to us. The categories of processors typically used include, but are not limited to

• Web hosting and e-mail providers (e.g. operation and maintenance of websites, e-mail inboxes and domains);
• aintenance and remote maintenance of IT systems (e.g. external IT service providers);
• Cloud Service Providers (e.g. document management or CRM systems);
• Newsletter and marketing service providers (e.g. sending newsletters);
• File and data carrier destruction (e.g. disposal of electronic data carriers); and
• Shared service centers within the Group (e.g: Centralized services such as accounting, personnel administration or IT).

We may share your personal data with the following third parties:

• Other entities of our group of companies: We may disclose your personal data to group companies for the purposes set out above under "Purposes and legal bases of processing".
• Other third parties:
  • Tax and other state authorities (including law enforcement) for the purpose of compliance with laws and regulations applicable to us;
  • Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, in the context of corporate transactions and for safeguarding our rights;
  • Courts for the purpose of safeguarding our rights;
  • Potential buyers or other acquirers (including lessees) of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions

The relevant legal bases for the transfer of personal data to third parties can be found above under "Purposes and legal bases of processing".

We attach great importance to processing your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before your personal data is transferred. This means that an adequacy decision of the European Commission (EEA) or the Information Commissioner's Office (UK) or EU standard contracts or the UK Addendum ensures a level of data protection comparable to the standards within the EU - unless the GDPR provides for an exception or you have expressly given your consent (Art. 49 GDPR).

If we transfer your personal data from the EEA and/or UK to a jurisdiction where the level of data protection has been recognized as adequate, we will rely on the adequacy decision. When transferring personal data to recipients in the US, we may rely on the EU-U.S. Data Privacy Framework (EEA) or its UK Extension ("DPF"), which ensures an adequate level of protection for recipients certified under the DPF. You can find a list of the adequacy decisions of the European Commission here. 

Where we rely on the European Commission's Standard Contractual Clauses or the relevant UK Addendum, to the extent the transfer is to a service provider (including group companies acting as such) acting as a processor on our behalf, Module Two (transfers from controllers to processors) of the Standard Contractual Clauses is relevant; to the extent the transfer is to recipients who do not process personal data on our behalf but for their own purposes, Module One (transfers from controllers to controllers) is relevant.
 

Your personal data will only be stored until it is no longer required for the purposes for which it was collected (or otherwise processed). As a rule, the personal data will be deleted at the latest when the contractual relationship with you or your employer/commissioner has ended and the regular limitation period for this information in the respective country has expired.

Personal data that you have actively provided when registering for the newsletter will be stored for as long as the newsletter subscription is active; your consent will be stored for up to three additional years, depending on the applicable limitation period.

Exceptionally, personal data may be stored for longer if its processing is necessary for compliance with a legal obligation - including compliance with statutory retention periods - to which we are subject, or for the establishment, exercise or defense of legal claims.

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right of access and the right to erasure.

You also have the right to complain to the competent data protection supervisory authority about the processing of your personal data by us.

You can withdraw your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the General Data Protection Regulation came into force, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the withdrawal is not affected.

In accordance with Art. 21 (2) GDPR, you have the right to object at any time to the processing of personal data concerning you. If you object to processing for the purposes of direct marketing, we will no longer process your personal data for these purposes. Please note that the objection will only take effect for the future. Processing that took place before the objection is not affected.

Pursuant to Art. 21 (1) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) e GDPR (data processing in the public interest) or Article 6 (1) f GDPR (data processing to protect a legitimate interest); this also applies to profiling based on this provision. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as described by us. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or explain our compelling legitimate grounds to you.

We reserve the right to amend or adapt this privacy policy at any time in compliance with the applicable data protection regulations.