Policy for data subjects’ rights

This Policy (“The Policy”) describes the terms and conditions under which data subjects whose personal data are processed by Chaos Software GmbH and its Affiliates (together, Chaos or We) may exercise their rights under the personal data protection legislation. Please note the Policy is supplemental and should be read and interpreted only alongside our Global Consumer Privacy Policy.

Part 1: General Principles

1.1. Chaos processes and protects personal data collected throughout its activities transparently, lawfully and according to the purposes for which the personal data was collected.

1.2. Our employees, contractors and service providers who process personal data are obliged to adhere to the following principles of data processing:

i) The personal data is processed lawfully and in good faith.

ii) The personal data is collected for specific, precise and lawful purposes and is not processed additionally in a manner not compatible with those purposes.

iii) The personal data which is collected and processed by Chaos is compatible with, related to and limited to the purposes for which it is processed.

iv) The personal data is accurate and, if necessary, updated.

v) The personal data is deleted or rectified when it is established that it is inaccurate or not limited to the purposes for which it is being processed.

vi) Personal data is maintained in a format which allows identification of the respective natural person for a period no longer than the one necessary for the purposes for which the data was collected.

1.3. The employees who process personal data are subject to initial and subsequent periodic data privacy training and are familiarized with the applicable data privacy legislation.


Part 2: Definitions

The terms listed below shall have the following meaning:

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Applicable legislation” means the governing law applicable to this Privacy Policy, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), and other applicable privacy laws and regulations in countries where we operate.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Data subject” means an individual (natural person) who can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more physical, physiological, genetic, mental, economic, cultural or social identifiers of that individual.


Part 3: Data subjects’ rights

The data subjects shall have the following rights regarding their personal data processed by Chaos:

i) Right of access.

ii) Right of rectification.

iii) Right to data portability.

iv) Right of erasure (‘right to be forgotten’).

v) Right to restriction of processing.

vi) Right to object against the processing of personal data.

vii) Right not to be subject to a decision based solely on automated processing, including profiling.

Right of Access

2.1. When requested, Chaos shall present to the data subject the following information:

i) information on whether Chaos processes personal data of the data subject who made the request or not.

ii) a copy of the personal data of the person which is processed by Chaos; and

iii) an explanation about the processed personal data.

2.2. The explanation under item 2.1. (iii) above shall include the following information about the personal data processed by Chaos:

i) purposes of processing.

ii) respective categories of personal data.

iii) recipients or categories of recipients to which personal data is or may be disclosed, recipients in third countries outside of the EU or the European Economic Area.

iv) when it is possible, the envisaged retention period for which the personal data shall be retained and, when this is impossible, the criteria used for determining such period.

v) the existence of the rights to require correction, rectification, erasure or restriction of processing of personal data related to the data subject as well as the right to object against the processing of personal data.

vi) the right to file a complaint before the respective authorities.

vii) when the personal data are not collected from the individual, full information shall be provided about the source of the collected personal data.

viii) the existence of automated decision making, regardless of whether this processing includes profiling, and information related to the logic as well as the expected consequences of this processing for the data subject.

ix) when personal data is transferred to a third country or to an international organization the data subject shall have the right to be informed about the applicable safeguards to their personal data related to the transfer.

2.3. The explanation about the processed personal data contains information which Chaos provides to the data subject by its privacy policy.

3.1. Based on a request by the data subject Chaos may provide a copy of the personal data, which Chaos is processing about the respective data subject.

3.2. When providing a copy of personal data Chaos shall not disclose to the subject the following categories of data:

i) personal data of third parties, unless the said parties have given their explicit consent for this.

ii) data which can be qualified as a trade secret, intellectual property or confidential information.

iii) other information which is protected under the applicable legislation.

3.3. Granting the right of access to data subjects shall not interfere negatively with the rights of third parties or lead to a breach of Chaos’ statutory obligation.

4.1. When requests for access are manifestly unfounded or excessive, especially because of their repetitive nature, Chaos may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.

4.2. Chaos determines on a case-by-case basis whether a request for access is manifestly unfounded or excessive.

4.3. When refusing access to personal data, Chaos issues an official explanation for its refusal and informs the data subject of his right to file a complaint with the respective personal data protection authority.

Right of rectification

5.1. Data subjects may request that their personal data processed by Chaos be corrected if the data are inaccurate or incomplete. 

5.2. Upon a satisfactory request for correcting personal data, Chaos shall notify the other recipients to whom personal data have been disclosed (such as government bodies, service providers) so that they can reflect the changes.

Right of erasure (‘right to be forgotten’)

6.1. Upon request, Chaos shall erase all personal information of the data subject who made the request in case any of the following grounds apply:

i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.

ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.

iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing.

iv) the data subject objects to the processing of personal data for the purposes of direct marketing.

v) the personal data have been unlawfully processed.

vi) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which Chaos is subject.

vii) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

6.2. Chaos is not obliged to erase and may continue processing the personal data as long as the processing is necessary for one of the following grounds:

i) for exercising the right of freedom of expression and information.

ii) for compliance with a legal obligation of Chaos.

iii) if there is a valid legal ground, such as an existing contract to provide licensed software products or services that require a personal individualized account.

iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

v) for the establishment, exercise or defense of legal claims.

Right to restriction of processing

7.1. The data subject has the right to request a restriction of processing when one of the following applies:

i) the accuracy of the personal data is contested by the data subject, for a period enabling Chaos to verify the accuracy of the personal data.

ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

iii) Chaos no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims. 

iv) the data subject has objected to processing based on the legitimate interest of Chaos pending the verification whether the legitimate grounds of the controller override those of the data subject.

7.2. Chaos may process personal data whose processing is restricted only for the following purposes:

i) storage purposes

ii) if explicit consent is provided by the data subject.

iii) for the establishment, exercise or defense of legal claims.

iv) for the protection of the rights of another natural or legal person; or

v) for reasons of important public interest of the Union or of a Member State.

7.3. When a data subject has requested a restriction of the processing and there is one of the grounds under Art. 7.1. above, Chaos informs the data subject before the restriction of the processing is lifted.

Right to data portability

8.1. The data subject shall have the right to receive their own personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where.

8.2. Upon request, the personal data may be transferred to another controller designated by the data subject where this is technically feasible.

8.3. The data subject may exercise the right of portability in the following cases:

i) the processing is based on the consent of the data subject.

ii) the processing is based on a contractual obligation.

iii) the processing is carried out by automated means.

8.4. The right of data portability cannot adversely affect the rights and freedoms of others.

Right to object

9.1. The data subject shall have the right to object against the processing of their personal data by Chaos if the data are processed based on one of the following grounds:

i) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

ii) processing is necessary for the purposes of the legitimate interests pursued by Chaos.

iii) the processing includes profiling.

9.2. Chaos shall no longer process the personal data when the right to object is exercised by a data subject unless Chaos demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Right to object against processing for the purposes of direct marketing

10.1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

10.2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right of human intervention in the process of automated decision making

11.1. Where Chaos uses automated decision making, regardless of whether it includes profiling, and this decision-making process has legal consequences for, or in a similar way significantly affects, natural persons, such persons may request a review of the decision with human intervention and express their point of view.

11.2. Chaos provides information to natural persons subject to automated decision making about the logic as well as the meaning and envisaged consequences of such processing when a request for such information is made.


Part 4: Procedure for exercising the rights of data subjects

12.1. All data subjects may exercise the rights under this Policy by submitting a request for the exercise of the relevant right.

12.2. Requests to exercise the data subjects’ rights shall be made in one of the following manners:

i) By email to the following email address: dpo@chaos.com.

ii) By mail to the following address: An der Raumfabrik 33b, 76227 Karlsruhe, Germany.

12.3. The request for the exercise of rights relating to the personal data of the data subject should contain the following information:

  1. Identification of the person beyond doubt 
  2. Contact details: address, telephone, email
  3. Request - description of the request

12.3. Chaos provides information on the actions taken in relation to a request for the exercise of the rights of the data subjects within one month of the receipt of the request.

12.4. That period may be extended by two further months where necessary, considering the complexity and number of the requests. Chaos shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

12.5. Chaos is not obliged to respond to a request if it is unable to identify the data subject.

12.6. Chaos may request the provision of additional information necessary to verify the identity of the data subject when there are reasonable concerns about the identity of the requesting individual.

12.7. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

12.8. Please see Section 14. Privacy Rights and Choices in our Global Consumer Privacy Policy, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who to contact depending on your country of residence.