TA/UTAX Cloud Print and Scan Privacy Statement
TA Triumph-Adler GmbH (“TA”, “we” or “us”), located at Südwestpark 23, 90449 Nuremberg, Germany, has issued this Privacy Statement (“Statement”) to inform you, the user of TA/UTAX Cloud Print and Scan (“TA/UTAX CPS”), about the processing of your personal data when your organisation creates a user account for you and when you download and use TA/UTAX CPS on your terminal device.
A. Printing and scanning. In order to complete print and scan jobs, UTAX processes meta data (device IP addresses, serial number, hostname, date of job creation, print/scan job name, job execution, number of pages, filename, size, Print/Scan ID Card number and registration date). TA/UTAX CPS stores the content of the printed/scanned documents for a maximum period of 8 days.
B. Invoicing. UTAX processes the licence type, Tenant ID, date, time and number of devices to invoice these services to customers.
C. User account management. UTAX obtains names and e-mail addresses either directly from you or indirectly from a UTAX customer (probably your employer or organisation) so that we can set up and manage a user account for you. Please note that we provide this service as a data processor according to our Data Processing Terms and Conditions, available at www.triumph-adler.com.
D. Remote maintenance. A UTAX service engineer may access your personal data, which is processed within the local administrator’s account for bug fixing or trouble shooting purposes. Please note that we provide this service as a data processor according to our Data Processing Terms and Conditions, available at www.triumph-adler.com.
E. Hosting. UTAX uses Amazon Web Services, Germany, as a cloud storage provider. Please note that we provide this service as a data processor according to our Data Processing Terms and Conditions, available at www.triumph-adler.com.
UTAX processes personal data for the purposes mentioned above in order to perform its contractual rights and obligations as agreed with its customers pursuant to Article 6(1)(b) GDPR. To the extent that you as a data subject are not party to the agreement between UTAX and its customers, UTAX processes your personal data based on its legitimate interests pursuant to Art. 6(1)(f) GDPR, whereas UTAX’s contractual obligations to perform TA/UTAX CPS-related services constitute its legitimate interests.
We have made a careful assessment of your fundamental rights and freedoms and our legitimate business interests and are continuously monitoring the balance. Should you however wish to object to the processing of your personal data please see the section ‘Your rights’ below. Since the processing of personal data is necessary for UTAX to provide TA/UTAX CPS, please note that your objection to the processing will mean that you will no longer be able to use TA/UTAX CPS. Please note that in cases where UTAX processes personal data as a data processor on behalf of its customers, the customers qualify as data controllers, and are as such responsible for the processing of your personal data.
Your personal data shall only be shared with:
- KYOCERA Document Solutions Development America, Inc. (CA, USA) for remote maintenance services;
- KYOCERA Document Solutions, Inc., Japan for remote maintenance services;
- KYOCERA Document Solutions Europe B.V., Branch Office Germany, for remote maintenance services
- Amazon Web Services, Germany, for the provision of cloud services;
- To the extent we are required by law, regulation or court order to disclose your personal data, we may have to share your personal data in compliance with that law, regulation, or court order.
Where we transfer (see above to whom we share your personal data with) your personal data to a service provider that is based in a country that does not provide an adequate level of protection by domestic law according to the European Commission, we have ensured this adequate level of protection by agreeing on additional appropriate safeguards with that group company or third party through the conclusion of Standard Contractual Clauses as adopted by the European Commission and supplementary measures. A list of countries that have ensured an adequate level of protection according to the European Commission can be found here. You may request a copy of the Standard Contractual Clauses by sending us an e-mail, outlining the reasons for your request.
Alternatively, we may ask you for your explicit consent to the proposed transfer.
Where possible, we have set specific retention periods for keeping your personal data. These specific retention periods are stated below, or we shall communicate these to you at or before we start processing your personal data.
Where it is not possible for us to use set retention periods, we have stated the criteria that we use to determine the retention periods below.
Specific retention periods
Purpose (A) Printing and scanning. Unless customised by the TA/UTAX CPS Customer, expired print and scan jobs are automatically deleted after 8 days.
Purpose (B) Invoicing. In order to comply with generally accepted accounting principles, we store billing reports for one year.
Purpose (C) User account management. We shall store your personal information related to your user account as long as you have an active user account with us. There is no obligation for you from our side to have your account set up. If you don’t log in for the first time within 7 days of creating the account, we shall erase it. Upon your/your organisation’s explicit request, we will delete your user account. In that instance, we shall erase your user account within 30 days after your request. Your personal data may be stored in our back-up systems after your account has been deleted, and will automatically be deleted after 35 days. Inactive user accounts are automatically deleted one year after last use.
Purpose (D) Remote maintenance. For remote maintenance and support services, KYOCERA may have access to personal data. Personal data that is processed for remote maintenance services will be deleted 7 days after completion of the services.
Criteria for determining retention periods
In any other circumstances, we use the following criteria to determine the applicable retention period:
- The assessment of your fundamental rights and freedoms;
- The purpose(s) of processing your personal data. We shall not keep your personal data longer than is necessary for the purpose(s) we collected it for.
- Any relevant industry practices or codes of conduct on keeping personal data;
- The level of risk and cost associated with storing your personal data (accurate and up-to-date);
- Whether we have a valid lawful basis to store your personal data;
- The nature, scope and context of processing of your personal data and our relationship with you;
- Any other relevant circumstances that may apply.
In any case, we shall keep your personal data in compliance with applicable legal requirements and we perform periodical reviews of the personal data we hold.
We take the security of your personal data very seriously and take all reasonable efforts to protect your personal data from loss, misuse, theft, unauthorised access, disclosure or modification.
For more information regarding IT security measures, please read the TA/UTAX CPS Security Whitepaper.
You have certain legal rights that we wish to inform you of. The processing of personal data is necessary to achieve the above-mentioned purposes for UTAX to comply with its contractual obligations towards its customers. Where UTAX processes your personal data as Data Processor, UTAX is obliged to liaise with the Data Controller before performing your request.
Access. You have the right to be informed about whether we process your personal information or not and to information related to the processing.
Rectification. You have the right to have your personal information rectified or completed by us without undue delay. If you have set up an account with us, you have the possibility to rectify or complete your personal information yourself.
Right to be forgotten. You have the right to have your personal information erased by us without undue delay. This right is limited to specific grounds, for example if you have withdrawn your consent, or if you object and there are no overriding legitimate grounds for us to maintain the processing. If you have an account with us, you have the option to erase your personal data yourself, in which case all your personal data is permanently deleted. In order to prevent the user account from being deactivated, you must provide alternative contact details.
Restriction of processing. You have the right to request that we restrict the processing of your personal information based on specific grounds. These are (1) the time for us to verify the accuracy of your personal information on your request; (2) instead of erasure of unlawful processing, you request restriction of use instead; (3) you need personal information in legal proceedings; or (4) we are verifying whether our legitimate grounds override your objection to the processing.
Right to object. You have the right to object at any time to our processing of your personal information if such processing is (1) based on our legitimate interest (including us making a profile of you based on your consent); (2) for direct marketing purposes; or (3) necessary for the performance of a task carried out in the public interest or exercise of official authority vested in us. We shall cease to process your personal information based on your objection, unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms or if we need your personal information in legal proceedings.
Data portability. We are required to inform you of your right to receive your personal information from us so that you can transmit that personal information to another service provider.
Consent withdrawal. If you have supplied us with your personal information based on your consent, you have the right to withdraw such consent at any time. You may do so by unsubscribing from the service that you have subscribed to if applicable. You may also do so by sending us an e-mail to the relevant privacy e-mail address as stated below. We shall then permanently remove your personal information from our database.
Lodging a complaint. You have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, about our processing of your personal information. You can find a complete list of supervisory authorities here.
At UTAX, we have privacy professionals available, including a Data Protection Officer, to assist you with your queries. If you wish to exercise any of your rights, or you have a question about this document, please contact us via e-mail, or send us a letter to:
TA Triumph-Adler GmbH
Attn.: Data Protection Officer
In the event that we modify this document, we will publish it on our website with a revised publication date and, if applicable, notify you of the changed document via your user account.