11             Information About the Controller

TOPTECH SYSTEMS, INC., a Florida corporation with offices located at 1124 Florida Central Parkway, Longwood, Florida 32750, USA, (hereinafter ”Toptech”, “we” or “us“) is the controller within the meaning of the EU General Data Protection Regulation (“GDPR”) for certain processing of your personal data in connection with our SaaS Services (“Services”).

12             Scope of this Privacy Notice

To the extend the GDPR applies to the processing of your personal data (which can in particular be the case if you are located in the European Union or the European Economic Area), we describe how we process your personal data when you are registered for or use one of the Services in this privacy notice. Any rights and obligations described in this privacy notice only apply insofar as the GDPR applies to the processing of personal data.

13             Information About Your Personal Data and Why We Use It

13.1         General description of processing activities: We make the Services available to customers of Toptech who own and operate a terminal or use a terminal for storage (“Customer”). The Services integrate with other Toptech software solutions installed on the terminal or its components. This allows the Customer to read/enter data and control certain functions remotely and digitally through its employees who are registered for use of the respective Service. For some of the Services, the Customer has the option to give their own clients direct access to the Service.

Toptech processes the data of these employees to enable their registration with the service and acts as a controller of the data in this regard. Toptech processes personal data of the Customer’s clients or employees which are provided in the course of using the Services as a (mere) processor on behalf and as instructed by the Customer, not as a controller. The same applies in regards to any other personal data entered into one of the Services by the Customer.

13.2         Collected data and purposes of processing

13.2.1      User (including admin) information: We collect, and associate with your account, the information provided for your registration as a user. We use your business email address for authentication.

13.2.2      Usage information: We may collect information on how and when you use a Service, meaning the day and time of usage and type of action performed. We do so to properly document the time of relevant usage, to track the correct operation of the Service, to enable workflow management and to make sure the notifications are being sent to the person responsible. Please also see the further purposes of processing below.

13.3         Purposes of processing: We process the personal data for the following purposes

• Fulfilling our contract with our Customer
• Invoicing
• Authentication of Users
• To defend ourselves against legal claims
• Verification of compliance with Master Agreement, in particular license agreement
• IT-security
• Service related communication with you
• To fulfil legal retention obligations
• To enforce applicable statutory obligations or obligations and rights resulting from the legal relationship with the Customer and/or individual users
• To prove our compliance with statutory obligations

13.4         Sources of data: The data we process has been provided either by yourself directly in the course of using the Services.

14             Lawfulness of Data Processing

The legal basis for processing is Art. 6 (1) (f) GDPR, as the processing is necessary for the purposes of fulfilling our contract with our Customer and the further purposes listed in section 2.3, which is a legitimate interest pursued by us. While we bear in mind the interests and fundamental rights and freedoms of you, your need for data protection does not override our interest as specified above.

15             Contact and Data Protection Officer

If you have any questions regarding data protection and the exercise of your rights, you can contact our data protection officer directly via the following contact details:

email: privacy@idexcorp.com

16             Storage Period

16.1         We will erase your personal data when it is no longer required for the purposes mentioned in section 2 subject to retention obligations. If our contract with the Customer is terminated, your personal data will be erased 30 days after the termination.

16.2         We may retain your personal data for the purposes of legal defense and law enforcement for as long as is necessary for the preparation or execution of a possible legal dispute (usually up to four years, whereby the legal dispute itself may inhibit the course of this period)

16.3         If longer retention periods apply after the time period listed above (e.g., because we are obliged to store the data for tax purposes or civil or criminal proceedings were initiated) we will block the data until the end of the respective retention period and then erase it.

17             Sharing Data within IDEX Corporation

Your data will be shared within IDEX Corporation and processed by entities located outside the EU/EEA. If and when transferring your personal data to which the GDPR applies onwards outside the EU/EEA, we will do so using one of the following safeguards:

• the transfer is to a non-EU/EEA country for which has an adequacy decision by the EU Commission exists;
• the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EU/EEA;
• the transfer is to an organization which has implemented Binding Corporate Rules approved by an EU data protection authority; or
• the transfer is covered by other approved safeguards in order to protect your personal data in a degree that equals the level of data protection in the European Union.

International transfers within IDEX Corporation are governed by EU Commission approved Standard Contractual Clauses for controllers (as defined under the GDPR) and, where relevant, for Processors (as defined under the GDPR).

You may request a copy of the standard contractual clauses or other applicable safeguards by contacting privacy@idexcorp.com.

18             Requirements to provide personal data

You are not legally nor by a contract with us obliged to provide us with the personal data. However if you fail to do so, we might not be able to provide you with a user account for any of the Services or provide the Service towards the Customer.

19             Automated decision making

No automated decision-making according to Art. 22(1) and (4) GDPR occurs with respect to your personal data.

110           Recipients of the Personal Data

We might transmit your personal data in parts or as a whole to other entities. This includes (a) authorities, who we are obliged to provide your personal data to, e.g., data protection authorities; (b) auditors or similar external consultants like lawyers or tax advisers and (c) IT service provider including cloud service and subscription service providers who process personal data on our behalf but have to follow our instructions on such processing; these service providers will not be allowed to use your personal data for other than our purposes and will act as data processors.

111            Your Rights as a Data Subject

111.1       You have the right to request from us information on which personal data about you we process at any time. Likewise, if data about you is inaccurate, you have the right to obtain from us rectification of such data without undue delay.

111.2       Under the requirements set out in Art. 17 GDPR you have the right to request from us the erasure of your personal data. In particular, you may ask us to erase personal data, if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the personal data has been unlawfully processed, (iii) you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, (iv) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject or (v) you withdraw your consent on which the processing is based and there is no other legal ground for the processing.

111.3       You have the right to obtain from us restriction of processing, where one of the following applies: (i) The accuracy of the personal data is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal data, (ii) the processing is un-lawful and you oppose the erasure of the personal data and request the restriction of their use instead, (iii) we no longer need the personal data for the purposes of the processing, but are required by you to keep them for the establishment, exercise or defense of legal claims or (iv) you have objected to processing pursuant to Art. 21(1) GDPR and the verification whether our legitimate interests override yours is pending.

111.4       According to Art 20 GDPR you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.

111.5       Please send your requests to privacy@idexcorp.com.

111.6       Pursuant to Art 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point f) of Art 6 para. 1 GDPR. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.

111.7       In addition, you have the right to complain to a data protection supervisory authority if you are of the opinion that the processing of your personal data by us violates applicable data protection law. The data protection supervisory authority responsible for our Belgian subsidiary, Toptech Systems NV, Nieuwe Weg 1 – Haven 1053, B-2070 Zwijndrecht, Belgium is the Belgian data protection authority: Autorité de protection des données / Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels. However, you can complain to another data protection supervisory authority, e.g. in the EU Member State of your habitual residence or your place of work.