1. Privacy Policy for Univention Corporate Server (UCS)

In order to provide information in accordance with Art. 13 GDPR, this privacy policy describes the processing of personal data by the Univention GmbH with the software Univention Corporate Server (hereinafter also referred to as “UCS”), the integrated Univention App Center and Univention.

Univention App Center is designed for simple and convenient administration of applications in an environment with Univention Corporate Server (UCS). It uses online services provided by Univention, for example, to download apps, their descriptions and graphics.
To use the App Center, you need to activate your UCS system, see 3.2.

2. Responsible party

Responsible for the data processing as described below is Univention GmbH, Mary-Somerville-Straße 1, 28359 Bremen. In the following briefly referred to as “we”.

3. Purposes and legal bases for the processing of personal data

The purposes and legal basis for the processing are described below.

3.1 Execution of contracts

We process personal data on the basis of Art. 6 para. 1 lit. b GDPR if the processing is necessary for the fulfillment of a contract with the data subject (the individual customer). This also includes the execution of pre-contractual measures that take place at the request of the person concerned and the corresponding customer support.

Where necessary, personal data will be passed on to the companies involved in the execution of this contract, e.g. app providers. During the installation and uninstallation of apps, the personal data collected during activation is transferred to the respective app provider, insofar as this data is required by the app provider to be able to use his app. Whether this data is collected or not can be seen in the app description in the App Center.

If legal retention periods exist, Univention archives the affected data for the duration of these periods.
If a legal entity is a contracting party (such as your employer), the legal basis for the processing is Art. 6 para. 1 lit. f GDPR and the processing of data is carried out in the interest of enabling this legal entity to use UCS.

Information on the processing of personal data by the respective app providers can be found in the privacy policies of the providers.

3.2 Activation for the App Center

When activating the App Center, an email address is collected which is used for delivering a license file. You can optionally enter your name, first name, organization, country and language of correspondence. This data will be linked to a generated unique identifier of the UCS system. In addition, the App Center stores information on actions with apps such as displaying, installing, updating and uninstalling.

The legal basis for the processing is Art. 6 para. 1 lit. b GDPR, provided that you are an individual contractual partner. If a legal entity is the contractual partner (e.g. your employer), the legal basis is Art. 6 para. 1 lit. f GDPR.

In cases where the processing is based on Art. 6 para. 1 lit. f GDPR, data processing serves the purpose of product optimization in the interest of Univention and its users.
The data will be stored for the duration of the use of the App Center and deleted after 2 years of inactivity.

3.3 Data processing for direct marketing

We process your data for the purpose of direct marketing, in particular for sending our newsletter by email. This data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR in the interest of informing you about our own products and services.

Every user has the right to object against this processing. The objection leads to the termination of processing for the purpose of direct marketing in accordance with § 7 para. 3 UWG (German Unfair Competition Act). If data is stored exclusively for direct marketing purposes, it will be deleted after the objection has been made.

3.4 Analysis of usage data and analysis tools

Each UCS installation has a unique identifier that can be linked to the email address collected during the activation. Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR in the interest of being able to contact you for market research purposes or for surveys in order to obtain product feedback or to enable segmentation to test new features.

Furthermore, on UCS systems without Enterprise Subscription, user activities are collected in the web-based UCS management system using the open source solution Matomo to analyze product usage and improve the management system. This allows the user’s transaction data and interactions to be traced. The processing of user activities in UCS via Matomo can be switched off independently within the Enterprise Subscription by setting the UCR variable umc/web/piwik to false. See also the corresponding SDB article.

3.5 Compliance with legal requirements

We collect and process personal data in accordance with Art. 6 lit. c GDPR if the processing is necessary to fulfill a legal obligation.

4. Transfer of personal data to third parties

We transmit your data only to third parties (e.g. to financial institutions for payment processing, app providers) if a legal basis for the transfer exists.
We transmit your data to processors in accordance with Art. 28 GDPR. These processors are IT service providers who support us in the delivery of our services and the associated processes. Our service providers are strictly bound by our instructions and contractually bound to us with data processing agreements.

5. Your rights as a user

As a data subject, the GDPR grants you certain rights:

5.1 Right to rectification and erasure (Art. 16 and 17 GDPR)

You have the right to request confirmation as to whether personal data relating to you are being processed; if this is the case, you have the right to access this personal data and the individual information specified in Art. 15 GDPR.

5.2 Right to rectification and erasure (Art. 16 and 17 GDPR)

You have the right to immediately request the rectification of your personal data if it is inaccurate and, if applicable, the completion of incomplete personal data.
You also have the right to demand that your personal data is deleted immediately if one of the reasons specified in Art. 17 GDPR applies, e.g. if the data is no longer required for the original purposes.

5.3 Right to restriction of processing (Art. 18 GDPR)

You have the right to demand the restriction of the processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have objected against the processing under Art. 21 GDPR or for the duration of a possible examination as to whether our legitimate interests outweigh your interests as the person concerned.

5.4 Right to data portability (Art. 20 GDPR)

In certain cases, which are listed in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of this data to a third party.

5.5 Right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6 para. 1 1 lit. f GDPR (data processing to safeguard legitimate interests) or on the basis of Art. 6 para. 1 1 lit. e GDPR (data processing to safeguard public interest or in the exercise of official authority), you have the right to object to the processing of your data at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are compelling reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or protection of legal claims.

6. Right of appeal to a supervisory authority

According to Art. 77 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your data violates data protection regulations. In particular, the right of appeal may be asserted at a supervisory authority in the Member State of your place of residence, your work place or the place of the alleged infringement.

7. Contact details of the data protection officers

You can reach our contact persons for all questions concerning data protection under the following contact data:

Univention GmbH
Data Protection Department
Mary-Somerville-Straße 1
28359 Bremen

Phone: +49 421 / 22232-0
Email: privacy@univention.de

Furthermore, our external corporate data protection officer will be available for information or suggestions on the subject of privacy:

Dr. Uwe Schläger
datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

Phone: +49 421 / 696632-0
Email: office@datenschutz-nord.de