Privacy and Legal Policy

Nextcloud GmbH (hereinafter collectively referred to as « the controller » or « Nextcloud » or « we » or « us ») as the operator of this website: www.Nextcloud.com (hereinafter also referred to as « our website ») is delighted that you have visited our website. We also have the following social media accounts:

Below we provide information about the processing of personal data when you use our website and our social media channels.

Table of contents

  1. Definitions
  2. Person responsible for processing and data protection officer
  3. General information on data protection in the Nextcloud products
  4. Principles for the processing of personal data
  5. General data processing in connection with visits to our website – creation of log files
  6. Contact us by email, telephone, fax, contact forms on our website or via our social media profiles
  7. Newsletter
  8. Cookies and consent manager
  9. App Store
  10. Events – offline and online (e.g. webinars)
  11. Third party tools: Matomo, Youtube and Vimeo
  12. Nextcloud Forum
  13. Support portal
  14. Applications / Jobs
  15. RSS Feeds
  16. Security scanner
  17. Social media: Links to various offers
  18. Automated decision-making including profiling
  19. Your rights as a data subject
  20. SSL encryption
  21. Subject to change

I. Definitions

Our privacy policy uses terms that are defined in the EU General Data Protection Regulation (GDPR). We have explained these terms below in order to make the privacy policy readable and understandable:

(1) Personal data

According to the GDPR, personal data is any information relating to an identified or identifiable natural person. This includes information such as your name, your date of birth, your address, your email address, your IP address or your telephone number as well as your user behaviour. In contrast, information that is not directly linked to your real identity – like generally preferred websites by all users or the number of users of a website – is not considered personal data.

(2) Person concerned

A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

(3) Processing

Processing refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(4) Restriction of processing

Restriction of processing involves marking stored personal data to limit future processing.

(5) Controller or controller responsible for the processing

« Controller » or « controller responsible for the processing » pursuant to Art. 4 (7) GDPR is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

(6) Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(7) Receiver

A recipient is a natural or legal person, public authority, agency or other body, to which personal data is disclosed, whether or not this is a third party. However, public authorities that may receive personal data as part of a specific enquiry in accordance with law are not considered recipients.

(8) Third

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and those persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(9) Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

(10) Automated decision-making, including profiling

Exclusively automated decision-making – including profiling – in accordance with Art. 22 GDPR refers to decisions made by data processing systems without any human intervention. According to Art. 4 No. 4 GDPR, profiling is any form of automated processing of personal data used to evaluate personal aspects of a natural person.

II. Controller for the processing and data protection officer

(1) Responsible

Nextcloud GmbH
Hauptmannsreute 44a
70192 Stuttgart
Germany

Telephone: +49 711 25 24 28 90

Email: contact (at) nextcloud.com

Web: https://nextcloud.com

Further information about our company can be found in the imprint.

The aforementioned controller is hereinafter collectively referred to as « the controller » or « Nextcloud » or « we » or « us ».

(2) Data Protection Officer

The company data protection officer of Nextcloud.com is Mr Tobias Kaminsky. The data protection officer can be contacted at the above address or at dpo@nextcloud.com.

III General information on data protection in the Nextcloud products

As we do not offer Nextcloud hosting for others, this Privacy Policy cannot cover what happens on individual Nextcloud instances, i.e. when users use the Nextcloud software. In general:

Our software, be it the Nextcloud server or the Android or iOS apps, is designed from the ground up to ensure that no user data, especially personal data, is transferred to us.

The optional Usage Survey app (usage report) can send us statistical data about the use of the instance, such as installed apps. This data helps us improve our services. You have the option of checking and authorising this data before it is transmitted. We store the data in an aggregated form and not on a single server basis. As a result, this data cannot be used to draw conclusions about the information of an individual instance in the event of a data leak.

When the updater app is activated, it sends information including the installed Nextcloud and PHP version, the installation time and the selected update channel to the Nextcloud updater server to obtain information about possible updates. We store a subset of information including the installation time and the installed version of the instance to collect statistical data.

We operate a push proxy service for mobile applications for private users. Notifications are encrypted and signed by the server, checked and re-signed by the push proxy and then forwarded to the mobile device. This ensures minimal data transmission and protects user privacy throughout the process. Details of the transferred data can be found here. We do not store any personal data.

With regard to third-party apps for the Nextcloud software: We cannot accept any responsibility for these apps and the user data stored or used by them. In our app store we have a policy against the misuse of private data. Any app found to be in breach of this policy will be removed from our app store and its author blocked. However, we do not have the capacity to check all the code of third-party apps and therefore advise caution when installing these apps.

Please report problems and infringements related to our products to abuse@nextcloud.com.

IV. Principles for the processing of personal data

(1) Scope of the processing of personal data

We collect and use our users’ personal data only to the extent necessary to provide a functional website and our content and services. The collection and use of your personal data on our website only takes place with your consent. However, an exception applies in cases where it is not possible to obtain prior consent for factual reasons and the processing of the data is nevertheless permitted by law.

(2) Legal basis for the processing of personal data

The data transmitted or collected about you will be collected, used, processed, stored and, if necessary – if required by law or contract – passed on to third parties exclusively within the framework of the applicable data protection laws (GDPR, Federal Data Protection Act, State Data Protection Acts and Telemedia Act).

Art. 6 GDPR provides various legal bases for the processing of your personal data, which are referenced in this privacy policy:

  1. 6 para. 1 a) GDPR serves as the legal basis for the processing of personal data if the data subject has given consent.
  2. 6(1)(b) GDPR serves as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party. This legal basis also applies to processing operations necessary for the performance of pre-contractual measures.
  3. If we have to process personal data to fulfil a legal obligation of our company, the legal basis for this is Art. 6 para. 1 c) GDPR.
  4. 6 (1) d) GDPR serves as the legal basis if the processing of personal data is necessary to protect the vital interests of the data subject or another natural person.
  5. If the processing of personal data is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh this first interest of our company or a third party, this processing is carried out on the legal basis of Art. 6 para. 1 f) GDPR.

Furthermore, your consent may be the legal basis for data processing in the case of express consent for the transfer of personal data to third countries, data processing is also carried out based on Art. 49 para. 1 lit. a GDPR and in the case of Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed in accordance with Art. 9 para. 1 GDPR.

The storage of information in the end user’s terminal equipment, such as via cookies stored on your computer, or access to information that is already stored in the terminal equipment, is only permitted if it is justified by one of the following legal bases:

– Section 25 (1) TDDDG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;

– Section 25 (2) no. 1 TDDDG: If the sole purpose is the transmission of a message via a public telecommunications network or

– Section 25 (2) no. 2 TDDDG: If the storage or access is absolutely necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

(3) Data erasure and storage duration

As soon as the purpose of storing the respective personal data of the data subject no longer applies, it will be deleted or blocked. However, data may be stored beyond this point in time if this is provided for in European or national regulations, laws or other provisions to which we are subject as the data controller. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless further storage of such data is necessary for the conclusion or fulfilment of a contract.

(4) Requirements for the transfer of personal data to third countries

As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These companies may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer at the relevant points in this privacy policy.

The European Commission certifies that some third countries have data protection standards comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates or recognised codes of conduct as well as if you have given your express consent to the transfer of personal data to third countries (Art. 49 para. 1 lit. a GDPR).

V. General data processing in connection with visits to our website – creation of log files

The scope and type of collection and use of your data differs depending on whether you visit our website only to retrieve information or whether you make use of our offers – such as Nextcloud instant trial, newsletter subscriptions or email contact:

In principle, it is not necessary for you to provide us with personal data in order to use our website for information purposes only. Instead, we automatically collect, use and store information in the server log files during your visit to our website, which is transmitted to us by the browser you are using.

(a) Data collected

The following data is collected:

  • Timestamp (date and time of access)
  • IP address
  • Cache status
  • Content type provided by the server – country of the request
  • Provision ID
  • Domain of the enquiry
  • HTTP method (received and sent information)
  • Amount of data transferred in each case
  • Schema of the connection (HTTP/HTTPS)
  • Access status/HTTP status
  • TTFB (first response time of the server)
  • Time required to deliver the content
  • Requested URL
  • User agent

The data listed above cannot be assigned to specific persons. We do not merge this data with other data sources, i.e. this data is not stored together with other personal data such as your name, address, telephone number or email address. Nextcloud therefore does not use this information to identify its visitors.

(b) Legal basis

The legal basis for this temporary storage of data and log files is Article 6(1)(f) GDPR, as our legitimate interests in this storage as set out below outweigh your interests, fundamental rights and freedoms: The IP address is considered personal data. Temporary storage of the IP address by the system is necessary to transmit our website to your browser. For this purpose, the IP address must remain stored for the duration of the session. It is stored in log files to ensure the functionality of our website. We also use the data to optimise our website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes.

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. For data collected to provide our website, this occurs when the respective session ends. If the data was stored in log files, it is deleted after 7 days at the latest. However, it is also possible to store the data beyond this period. In such cases your IP address will be deleted or anonymised, making personal identification no longer possible.

(d) Possibility of objection and removal

The collection of data for the provision of our website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, you have no option to object.

VI. contact by email, telephone, fax, contact forms on our website or via our social media profiles

(1) Description and scope of data processing

Our website and social media profiles contain information to enable quick contact and communication. If you contact us by email, telephone, fax or via our social media profiles, the personal data you provide (e.g. first name, surname, email address, any other voluntary information) will be stored. Your IP address and the date and time are also stored when you send the message by email. The information and contact details you provide will be stored by us to answer your enquiry and in the event of follow-up questions. We will not pass on this data without your consent.

If you use our profiles in social networks to contact us (e.g. by creating your own posts, responding to one of our posts or sending us private messages), the data you provide, such as your name or email address, will also be collected by the respective social network (see XIX. below).

Our website also contains various contact forms, e.g:

(2) Legal basis for data processing

The legal basis for the processing of the data is, if and insofar as your consent has been given, Art. 6 para. 1 lit. a) GDPR.

The legal basis for the processing of data transmitted to us in the course of sending an email, by telephone, fax or contacting us via our social media presence is also Art. 6 para. 1 lit. f) GDPR.

If such contact is aimed at the conclusion or fulfilment of a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

(3) Purpose of data processing

The processing of personal data on the basis of an email sent to us or contact via telephone, fax, contact forms on our website or social media serves solely to process the respective contact. This also constitutes the necessary legitimate interest in the processing of the data if it is processed on the basis of Art. 6 para. 1 f) GDPR.

(4) Duration of storage

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. This is the case when the respective conversation with the user has ended. The conversation is considered ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

After an objection or cancellation declared by you [see below under (5)], your personal data will be deleted within 7 days.

However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with the processing of customer inquiries or complaints and in order to be able to prove previous consent).

(5) Possibility of objection and removal

You have the option to withdraw your consent to the processing of personal data at any time [see XXI. (8) Right of withdrawal below].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI. (1) Right to object below].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com. Note that this means conversations that are ongoing, instant trials you have started, newsletter subscriptions and other services that require us to have your data, will stop.

VII. Newsletter

(1) Description and scope of data processing

If you register for a newsletter, we will only collect your email address in order to provide this service. The collection and transmission of the email address is only used for sending our newsletter. It is otherwise not possible to use the newsletter. This entire process is documented and stored, including the time of registration and confirmation as well as your IP address. No data is passed on to third parties in connection with the data processing for sending newsletters. Our newsletter is published regularly and contains, for example, information about products and events.

(2) Legal basis for data processing

The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a GDPR if the user has given consent.

Insofar as data is collected as part of the double opt-in described, Art. 6 para. 1 lit. f) GDPR is the legal basis. The collection of this data is necessary so that we can trace the processes in the event of misuse of the email address and therefore serves our legal protection.

(3) Purpose of data processing

The data you provide is used solely for the purpose of sending you the newsletter to which you have subscribed.

(4) Duration of storage

The user’s email address is stored for as long as the subscription to the newsletter is active. The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. This occurs when you no longer wish to subscribe to the newsletter and revoke your consent [see (5) below]. Your personal data will be deleted within 7 days of your cancellation. However, this data will not be deleted if and insofar as we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with proof of your consent to receive the newsletter). The double opt-in data will also be stored for this period so that we can prove this. Thereafter, we will retain the data for a further period of 3 years after cancellation in order to be able to prove the existence of consent to receive the newsletter.

The other personal data collected during the registration process is generally deleted after a period of seven days.

(5) Possibility of objection and removal

The subscription to the newsletter can be cancelled by the user concerned at any time with effect for the future. For this purpose, there is a corresponding link in every newsletter.

VIII Cookies and Consent Manager

(1) Cookies

As part of your use of our website, we use technical aids for various functions, particularly cookies, which can be stored on your end device. When you access our website and at any time thereafter, you have the choice to allow cookies generally or to select specific individual additional functions . You can make changes in your browser settings or via our Consent Manager, accessible at the bottom of every subpage of our website under Cookie settings. In the following, we first describe cookies from a technical perspective (a) before detailing your individual choices by describing technically necessary cookies (b) and cookies that you can voluntarily select or deselect (c).

(a) What are cookies?

Cookies are text files or database information stored on your hard drive and assigned to the browser you are using so that certain information can flow to the location that sets the cookie. Cookies cannot execute programmes or transmit viruses to your computer, but are primarily used to make the website faster and more user-friendly. This website uses the following types of cookies, whose function and legal basis are explained below:

Transient cookies:

These cookies, especially session cookies, are automatically deleted when you close the browser or log out. They contain a session ID that allows various requests from your browser to be assigned to the shared session, enabling your browser to be recognised when you return to our website.

Persistent cookies:

These cookies are automatically deleted after a specified period, which varies depending on the cookie. You can view the cookies set and the duration at any time in your browser settings and delete the cookies manually.

(b) Mandatory cookies, technically necessary functions for displaying the website:

The technical structure of the website requires us to use certain technologies, particularly cookies. Without these technologies, our website cannot be displayed ( correctly) or the support functions could not be enabled. These are essentially transient cookies that are deleted at the end of your visit to the website, at the latest when you close your browser. One such cookie is the choice of website language. These cookies cannot be deselected if you wish to use our website. The individual cookies can be seen in our Consent Manager.

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR and § 25 para. 2 no. 2 TDDDG.

(c) Optional cookies if you have given your consent:

We only set various cookies with your consent, which you can select via our Cookie Consent Manager when you first visit our website. The functions are activated only if you give your consent and can be used in particular to enable us to analyse and improve visits to our website, to make it easier for you to use different browsers or end devices, to recognise you on subsequent visits or to place advertising (possibly also to tailor advertising to your interests, measure the effectiveness of advertisements or show interest-based advertisements).

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with. § 25 para. 1 TDDDG. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We describe the cookies we use and their functions, which you can select and revoke individually via the Consent Manager, both in the Consent Manager itself and additionally in some cases below in this Privacy Policy.

(2) Consent management by our own consent manager

We use our own consent manager to obtain the legally required consent from you for the use of cookies and similar technologies.

If you give your consent to the use of optional cookies, the following data will be logged automatically:

  • Optional: voluntary consent to save the data entered in forms such as name, email, telephone number and preferred language (30 days)
  • Consent to loading external media (Vimeo, Youtube). No cookies are set by YouTube or Vimeo
  • Expiry date of the consent
  • An anonymous, random and encrypted key regarding your consent status – this serves as proof of consent given.
  • The user’s authorised cookies (cookie status), which serves as proof of consent.

Statistics:

In addition, if the statistics cookie is set, the following data is stored:

  • Session ID (will be deleted after 30 minutes)
  • MatomoID (will be deleted after 30 days)
    • Including Matomo Cookie Consent (will be deleted after 30 days)

You can call up the setting you have selected on the homepage on each subpage of the website at the bottom (footer) under cookie settings.

(a) Legal basis for data processing

The legal basis for processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in ensuring the user-friendliness of the website and in fulfillin the legal requirements of the GDPR.

In cases where we are legally obliged to obtain consent, this processing is also necessary to fulfil a legal obligation (Art. 7 para. 1 GDPR) to which we are subject (Art. 6 para. 1 sentence 1 lit. c GDPR).

(b) Purpose of data processing

Through our consent manager, we inform you about the use of cookies on our website and enable you to decide wether to accept or reject them. This also enables us to obtain and manage your consent for data processing. Data is processed using cookies for this purpose.

(c) Duration of storage

The encrypted key and the cookie status are stored on your end device using a cookie to establish the corresponding cookie status on future page views. This cookie is automatically deleted after 30 days. The cookies are also deleted if you adjust your browser settings accordingly. You can change your selected cookie preferences at any time at the bottom of each subpage under “Cookies preferences”.

(d) Possibility of objection and removal

You can change the settings you have selected regarding accepted cookies at any time on each subpage at the bottom under “Cookie preferences”.

You have the option to withdraw your consent to the processing of personal data at any time [see XXI. (8) Right of withdrawal below]. To do this, you can change the settings you have selected regarding accepted cookies on each subpage of our website at the bottom under “Cookie preferences” at any time.

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI. (1) Right to object below].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com.

The user can prevent or cancel the installation of a cookie and its storage, and thus his cookie consent, at any time by changing the settings of his browser. However, the functionality of this website is then not guaranteed.

IX. App Store

(1) Description and scope of data processing

As a developer, you can upload apps you have created to our App Store or update existing apps. You can also write comments and rare apps. An account is required for these actions. Alternatively, you can log in using an existing Github account.

When you register, we process the following data to create your account:

  • Email
  • User name
  • First name
  • Surname
  • Password
  • Security code (SSH/GPG code)

After registering in the App Store, you can write comments and rate apps under your user name. We recommend that you use a pseudonym as your user name instead of your real name.

Other information such as your name and email address is mandatory. This is necessary, for example, in the event that you lose access to your account (e.g. change of name and abandonment of the original email address) and proof must be provided to us that you are the original developer of an uploaded app and are authorised to update or migrate it under a new account.

(c) Comments

Comments are not checked before publication. We reserve the right to delete comments if they are objected to by third parties as unlawful.

(2) Legal basis for data processing

The legal basis for the processing of the data is, if and insofar as your consent has been obtained, Art. 6 para. 1 lit. a) GDPR.

The legal basis for the processing of the data transmitted to us during registration, before the apps are made available or commented on, is also Article 6(1)(c) and (f) GDPR. We have an interest in contacting you in the event of technical problems with the uploaded apps or their updates as well as illegal content in your comments. We need your email address to contact you if a third party objects to your comment as unlawful. We will then carry out a so-called notice-amend-take-down procedure and give your the opportunity to respond.

(3) Purpose of data processing

The processing of personal data serves the purpose of offering a functional app store with open source apps for the Nextcloud software. For security reasons, we cannot allow the anonymous uploading and distribution of apps.

(4) Duration of storage

The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. If you declare an objection or cancellation: [see below under (5)], your personal data will be deleted within 7 days.

However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with the processing of customer enquiries or complaints and in order to be able to prove previous consent).

Once your data has been deleted, your comments and ratings will only be displayed as “Anonymous” and no longer with your user name.

(5) Possibility of objection and removal

You have the option to revoke your consent to the processing of personal data at any time [see below . (8) Right of revocation].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see below XIX. (1) Right to object].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com. In such a case, however, the conversation cannot be continued.

For security reasons, we must also remove the apps you have uploaded when deleting your personal data.

X. Events – offline and online (e.g. webinars)

(1) Description and scope of data processing

From time to time we organise online or offline events for which you can register via our homepage. For this purpose, we collect data necessary for the organisation of the event:

  • Name,
  • Email address,
  • Time of participation in longer events that take place offline

We also ask you to provide additional voluntary information to make it easier for us to organise the event. Your telephone number will only be used to contact you if we have any questions about your registration; it will not be shared with third parties or used it for any other purpose.

We ask about your dietary preferences so that we have enough suitable catering available. The capacity in which you are associated with Nextcloud helps us to assess the composition of the specific audience and plan our event agenda. Both pieces of information are stored separately from your personal data for statistical purposes only.

When organising such events, we also issue calls for speakers in order to give you the opportunity to be selected by us for a presentation at one of our events if you wish. To this end, we ask for information that will enable us to assess whether your presentation is suitable for our event.

(2) Legal basis for data processing

The legal basis for the processing of the data is, if and insofar as your consent has been given, Art. 6 para. 1 lit. a) GDPR.

The legal basis for this is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the smooth organisation of the event.

The legal basis for paid and free events is also Art. 6 para. 1 lit. b) GDPR, as participation is also based on a contract.

(3) Purpose of data processing

The data will be used exclusively for the realisation of the respective event.

(4) Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

After an objection or cancellation declared by you [see below under (5)], your personal data will be deleted within 7 days. However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal basis other than your consent (e.g. in the case of chargeable events on the basis of the AO or the HGB.

(5) Possibility of objection and removal

You have the option to withdraw your consent to the processing of personal data at any time [see XXI.(8) Right of withdrawal below].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI.(1) Right to object below].

You can send both the withdrawal and the objection, e.g. by email to dpo@nextcloud.com. In such a case, however, the conversation cannot be continued.

XI. Third Party Tools

A. Matomo

(1) Description and scope of processing

Our website uses the web analysis service Matomo, which uses the the cookies specified in “Cookies preferences” accessible via the footer of our website. Collection and analysis only occurs if you have authorised this by setting the cookie banner accordingly and thereby declaring your consent. You can revoke this consent at any time by changing the setting of the cookie banner under “Cookies preferences” in the footer of our website.

We store the information collected in this way in the Matomo cloud. We have concluded an order processing agreement for this purpose.

Our website uses Matomo with the “AnonymiseIP” extension. This ensures that IP addresses are processed in abbreviated form, i.e. anonymised, maintaining user anonymity during web analysis. The IP address transmitted by your browser via Matomo is not merged with other data collected by us and is not transmitted to third parties.

The following information is stored in Matomo:

  • Anonymised IP address
  • Browser used (type, version)
  • Operating system used
  • Type of device used (desktop, mobile device, tablet)
  • Screen resolution
  • Duration of the visit
  • Visited entry and exit pages
  • Clicks on external or internal links
  • File downloads
  • Search engine used
  • Interaction with forms

The Matomo programme is an open source project. Information from the third-party provider on data protection can be found at https://Matomo.org/privacy-policy/ and at https://matomo.org/gdpr-analytics/.

(2) Legal basis

The legal basis for the use of Matomo is your consent in accordance with Section 25 (1) TDDDG, Art. 6 (1) (a) GDPR, provided that you have given your consent via our cookie banner. You can revoke your consent at any time. Please make the appropriate settings via our cookie banner. You can access this via the “Cookies preferences” in the footer of our website.

(3) Purpose of data processing

The processing of users’ personal data in anonymised form allows us to analyse their surfing behaviour. By analysing this data, we can compile information about how individual components of our website are used. This helps us to continually improve our website and improve its user-friendliness.

(4) Duration of storage

The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is the case after 365 days. Cookies are deleted after a maximum of 30 days.

(5) Objection and removal options

As a user, you also have full control over the use of Matomo. You can deactivate its use by changing the settings in the cookie banner on this website. You can access this cookie banner via “Cookies preferences” in the footer of our website.

B. Embedding YouTube and Vimeo content in the homepage

(1) Description and scope of processing

We occasionally embed content on our website, including YouTube videos and Vimeo videos behind a click-through wall. Connections to external services to retrieve this data are only made when such external content is activated; no cookies are stored in the user’s browser. We do not pass on any data to these external services, but they may collect some information when a video is played.

(2) Legal basis

The processing takes place exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG, provided you have given your consent to the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. This happens when you access the videos. Consent can be revoked at any time via the “Cookies preferences” in the footer of our website.

(3) Further information

The provider of the video portal YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. Further information on the handling of user data can be found in YouTube’s privacy policy at https://policies.google.com/privacy?hl=de

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to comply with these data protection standards. More information can be found at the following link:

https://www.dataprivacyframework.gov/s/.

The provider is Vimeo Inc. (555 West 18th Street, New York, New York 10011, USA. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. More information on the handling of user data can be found in Vimeo’s privacy policy at https://vimeo.com/privacy.

XII. Nextcloud Forum

(1) Description and scope of data processing

Please note that this forum is intended for private users and for answering questions in the private user area. Enterprise customers should use our support portal.

Our forum, accessible at help.nextcloud.com, is based on the open source software Discourse. This instance is operated by us. We do not publish, share or otherwise distribute data from this instance. By using the forum, you agree to our General Terms and Conditions. Here you will find the complete terms and conditions for the use of our forums.

Our forum can be read without the need to register. To actively participate in our forum, you must register by providing your email address, a chosen password and a chosen user name. There is no obligation to use your real name; it is possible to use a pseudonym.

(a) User account

Users can activate and deactivate their own accounts on this instance if required. A user account is required to post in the forum, create your own profile and view other users’s profiles.

This requires an email address, which is never displayed publicly.

You choose a unique user name.

You can voluntarily enter your name.

We use the double opt-in procedure for this service, i.e. you will receive an email in which you must confirm that you are the owner of the email address provided by clicking on an activation link.

You will only receive notifications if you have activated the link. You can unsubscribe from the notifications at any time, e.g. by clicking on the link contained in the email or by using the contact details provided. We will store the data you provide, the time of your registration for the service and your IP address until you unsubscribe from the notification service.

If you register a forum account, we store all the information you enter in the forum, i.e. public posts, private messages, etc., to operate the forum until you deactivate your account.

(b) Cookies

No cookies are stored unless an account is created. Upon account creation, a session cookie is created. When logged in, several technical cookies store personal preferences, such as dark mode, text size, the page you are redirected to after logging in, etc. No consent is required for these cookies, as they are essential for the functionalities used by the user.

Nextcloud uses your account data to identify you in the forum and to create personalised pages for you, such as your profile page.

(c) Email address in connection with Nextcloud Forum

Nextcloud uses your email address to:

  • Notify you about posts and other activities in the forum (according to your settings)
  • Reset your password and ensure the security of your account
  • to contact you under special circumstances related to your account, especially when carrying out a notice-and-take-down procedure after we have been notified of allegedly illegal content originating from you
  • to inform you about legal requests, such as DMCA requests Digital Millenium Copyright Act) from the USA

(d) User profile – separate setting possible

If you do not set your profile page yourself, your user name will be displayed with your posts.

You can enter additional data for your account on the profile settings page of your account, such as a short biography, your place of residence or your birthday. This information is made available to other registered users of the forum. Your profile will therefore only be displayed to those who are registered users themselves. You do not have to provide this additional information and you can delete it at any time. As long as your account is active, the data will be saved.

(2) Legal basis

The legal basis for data processing is your consent to the creation of your user account and to receiving messages by email in accordance with Art. 6 para. 1 lit a) GDPR.

Another legal basis is the contract concluded with you for the free use of the forum, Art. 6 para. 1 lit b) GDPR with user profile, options for posting etc..

The legal basis for data storage for the double opt-in process is also Art. 6 para. 1 lit f) GDPR.

Insofar as legal obligations exist, e.g. according to the NetzDG or to official orders, Art. 6 para. 1 sentence 1 lit. c GDPR is relevant. The aforementioned data is necessary for us as a host provider under civil law, as this is the only way we can protect ourselves from civil law claims and maintaining business operations would otherwise not be possible.

(3) Purpose of data processing

The personal data you provide will be used to enable you to participate in the forum. An email address and a user name are necessary, as processing is required either to display your contributions or to protect against the rights of third parties.

(4) Duration of storage and options for objection and removal

Your personal data and all your activities such as posts or comments etc. will be labelled with your user name and stored for as long as your user account remains active.

If you deactivate your account, your public statements, especially forum contributions, will remain visible to all readers, but your user profile will no longer be accessible and posts in the forum will be labelled “Anonymous”. All other data will be deleted. If you would like your public posts to be deleted as well, please contact the person responsible using the contact details provided above.

XIII Support Portal

Support Portal

Please note that the https://support.nextcloud.com/ portal is only available to our Enterprise customers. Access requires an existing contractual relationship with us. If you do not have an existing subscription, you will not be able to use this portal.

(1) Hosting

(a) Description and scope of data processing

This website is hosted by an external service provider (hoster). The personal data collected for our support portal is stored on the hoster’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated to fulfil our support obligations under our contracts.

(b) Legal basis

The hoster is used to fulfill the contract with our existing customers (Art. 6 para. 1 lit. b GDPR) and to ensure the secure, fast and efficient provision of our support portal by a professional provider (Art. 6 para. 1 lit. f GDPR).

(c) Purpose of the processing

Our hoster will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

(d) We use the following hoster:

Zammad GmbH, Marienstr. 18, 10117 Berlin

(e) Order processing

We have concluded a data processing agreement (DPA) with the aforementioned hoster. This contract mandated by data protection law, ensures that the host processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

(2) Description and scope of data processing in the portal

We provide our support services with the help of a support portal. Upon signing the contract, you must register your company in the portal.

The contracted company must designate at least one contact person. Their contact details (name and email address) will be stored in the support portal. The company can add or remove contact persons at any time. It is also possible to enter a neutral email such as “nextcloud-support@companyname.com”.

The contact persons will receive security notices and other messages to fulfil the support obligations within the scope of the contractual relationship. The contact persons can request support services (ticket system).

(3) Legal basis for data processing

The processing of personal data takes place for the fulfilment of the contract Art. 6 para. 1 lit. b) GDPR. The use of a well-functioning portal of a third-party provider is in the interest of the customer and in our interest Art. 6 para. 1 lit f) GDPR.

(4) Purpose of data processing

Support is one of the main services included in the subscription contract and data is processed accordingly to fulfil the contract. The problem described in the respective ticket is stored with reference to the company concerned and its contact person. This ensures that the information can be consulted when adressing the problem and in the event of follow-up problems.

(5) Duration of storage

The personal data processed as part of the support measures to fulfil the contract will be deleted as soon as they are no longer required to achieve the purpose for which it was collected. This may occur when the contract is terminated, unless we are obliged to continue storing the data based another legal ground, e.g. statutory retention periods under the German Fiscal Code (AO) and German Commercial Code (HGB).

After an objection or cancellation declared by you [see below under (6)], your personal data will be deleted within 7 days. However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent or despite your objection (e.g. in connection with the processing of mandates).

(6) Possibility of objection and removal

As a company, you can change your contact persons at any time after logging in.

You can also contact us, e.g. by email to dpo@nextcloud.com, if you are not (or no longer) available as a contact person. However, since you were appointed by your company, we request that you seek clarification within the company.

If you do contact us, please understand that we will need to confirm with the company how to proceed, especially if you are the only contact person.

XIV Applications / Jobs

(1) Description and scope of data processing

In the Jobs section, we publish our vacancies and ask you to send your applications by email. In your own interest, we recommend sending encrypted applications by email.

When you apply for a position advertised by us, only our HR department and the relevant department will have access to your data. If you submit an unsolicited application, your details will be made available to all those specialist areas/departments with vacancies matching your applicant profile. Your data will only be shared with third parties if we are legally required to do so in individual cases. If we use processors, we ensure they are contractually obliged to protect your personal data in the same way.

If you are employed by us, the data transmitted will be stored in your personnel file in compliance with the statutory provisions.

(2) Legal basis for data processing

The legal basis for the processing of data transmitted in the course of sending an application by email is Art. 6 para. 1 lit. b) GDPR, as the email contact is aimed at concluding a contract. An additional legal basis for the processing is Art. 6 para. 1 lit. f) GDPR.

(3) Purpose of data processing

The data you provide will be used solely for the purpose of making a decision about your employment and subsequently processing such an employment relationship.

(4) Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. If no employment relationship is established between you and us, the application documents will be automatically deleted 7 days after notification of the rejection decision, provided that no other legitimate interests of ours stand in the way of deletion. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG). All personal data stored in the course of the application will be deleted after a cancellation or objection [see (5) below] within a period of 7 days after receipt of the objection by our company.

In any case, deletion will only take place insofar as no other legitimate interests on our part stand in the way of deletion. Other legitimate interests in this sense are, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

(5) Possibility of objection and removal

You can withdraw your application at any time and you can revoke your consent to the processing of your personal data at any time [see XXI.(8) Right of revocation below]. If you send your application documents by email, you can object to the storage of your personal data at any time [see XXI.(1) Right to object below]. In such a case, however, the conversation and the decision about your employment cannot be continued.

XV. RSS Feeds

In addition, unlike a newsletter, the use of the service does not require registration with an email address.

To read the RSS feed, you need a so-called RSS reader. The RSS reader reads the feeds you have subscribed to and automatically notifies you of new entries. This allows you to keep an eye on new entries in the areas you have selected at all times. If you are interested in a new document, simply click on it and it will open in the browser. There are various technical options for obtaining RSS feeds, e.g. integration into an email client with corresponding functionality. The email client retrieves the latest news at predefined intervals and makes them available to you in a folder similar to new emails.

You can find instructions for integration on the providers’ support pages (enter the name of the email client and the keyword “RSS feed” in a search engine). Alternatively, RSS feeds can also be displayed using special programs (feed readers), which can be more convenient.

XVI Security Scanner

Our security scanner works exclusively on the basis of publicly available information. This includes the list of known vulnerabilities, relevant to ownCloud and Nextcloud releases, as well as all existing hardenings and settings that can be checked without access to your server. Our scanner only checks if necessary and saves the results (server URL and the version of the last scan), but does not update them automatically. Under no circumstances is personal data collected or processed. If you make changes, this will not be taken into account and you will have to perform the query again.

XVII: Social media: Links to various offers

We maintain publicly accessible profiles in various social networks to which links are provided on the homepage:

(1) Description of the social media links

(a) We have included links to our respective social media profiles on our website. By clicking on the respective symbol, you can access our profiles on the respective social media platforms.

(b) Through this link, your data will not be transmitted to the operators of the respective social media platform. If you click on one of these links, you will be redirected to the respective website of the social network and forwarded. Depending on your browser settings, this will happen by opening a new tab or a pop-up. Your data is only collected and processed by the operator of the respective social network when you change the URL.

(2) General data processing in connection with our social media presence

(a) Your visit to these profiles triggers a variety of data processing operations. Below we provide you with an overview of which of your personal data is collected, used and stored by us when you visit our profiles. You are not obliged to provide us with your personal data. However, this may be necessary for individual functionalities of our profiles in social networks. These functionalities will not be available to you, or only to a limited extent, if you do not provide us with your personal data.

If you contact us via our social media presence, we process your data as already described above in VI Contact by email, telephone, fax, contact forms on our website or via our social media profiles.

(b) When you visit our profiles, your personal data is not only collected, used and stored by us, but also by the operators of the respective social network, e.g. your IP address and information stored as cookies in your browser. This happens even if you do not have a profile on the respective social network. The individual data processing operations and their scope differ depending on the operator of the respective social network and they are not necessarily traceable for us. We would therefore like to point out that you use the social networks on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

If you are logged in to the provider of the social network and visit our website there, this data is assigned directly to your account. Typically, the social network provider stores this data as a user profile and uses it for the purposes of advertising, market research and/or customising its website. Such an evaluation is carried out in particular (even for users who are not logged in) to display customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective social media provider to exercise your right to object.

(c) The social networks use cookies for this purpose. We have no influence on the data processing carried out by the social networks in connection with cookies. It is also possible to visit our websites if you configure your browser so that no cookies are stored by the network. Information on how to adjust the settings for cookies in your browser can be found in the help section of the browser you are using.

If you are registered or logged in to a network and wish to prevent the network from linking your visit to our website to your user account, you should first log out of the network or, if possible, deactivate the « stay logged in » function, delete the cookies on your device and close and restart your browser.

For details on the collection and storage of your personal data as well as the type, scope and purpose of its use by the operator of the respective social network, please refer to the data protection declarations of the respective operator:

(3) Addresses of the respective providers and link to their data protection notices:

  1. a) You can view the privacy policy for the social network Facebook, which is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, at https://www.facebook.com/about/privacy/update?ref=old_policy;
  2. b) The privacy policy for the social network Instagram, which is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA, can be found at https://help.instagram.com/155833707900388

(4) Supplementary information on the Facebook fan page

(a) As the operator of a Facebook fan page, we can only view the information stored in your public Facebook profile, provided you have such a profile and are logged into it when you visit our fan page. We are also the administrator of a Facebook group and can access the information posted there.

In addition, Facebook provides us with anonymous usage statistics that we use to improve the user experience when visiting our fan page. We do not have access to the usage data that Facebook collects to compile these statistics. Facebook has undertaken to us to assume primary responsibility under the GDPR for the processing of this data, to fulfil all obligations under the GDPR with regard to this data and to make the essentials of this obligation available to those affected. This data processing serves our (and your) legitimate interest in improving the user experience when visiting our fan page in line with the target group. The legal basis for the data processing is therefore Art. 6 para. 1 lit. f) GDPR.

(b) Facebook also uses so-called cookies, which are stored on your device when you visit our fan page, even if you do not have your own Facebook profile or are not logged into it during your visit to our fan page. These cookies allow Facebook to create user profiles based on your preferences and interests and to show you customised advertising (inside and outside Facebook). Cookies remain on your end device until you delete them. You can find details on this in Facebook’s privacy policy.

We have no influence on the data processing carried out by Facebook Ireland in connection with cookies. For options to protect your data, please refer to the information above in section (2)(c).

(5) Supplementary information on instagram

(a) Instagram is also offered by Facebook Ireland [see (3)(b) above]. In addition to the content you submit, depending on your privacy settings, information about your profile, your likes and your posts may be visible to us.

(b) Facebook Ireland also uses so-called cookies on instagram, which are stored on your end device when you visit our instagram site even if you are not registered or are not logged into your account during your visit. These cookies allow Facebook to create user profiles based on your preferences and interests and to show you customised advertising (inside and outside Facebook). Cookies remain on your device until you delete them. Details on this can be found in Instagram’s privacy policy above in section [see (3)].

We have no influence on the data processing carried out by Facebook Ireland in connection with cookies. We refer you to the options for protection mentioned above in section (2)(c).

(6) Other links

We have also provided links to pages that deal with Nextcloud, such as

  • Github
  • Capterra
  • Go2crowd
  • Alternative.to

The processing of personal data can be found in the respective privacy policy on these pages. Any data collected there is not processed by us.

XVIII. Automated decision-making including profiling

We neither use automated decision-making nor do we carry out profiling within the meaning of Art. 22 GDPR (see the definition of both terms above under Section I No. 10 of this Privacy Policy).

XIX. Your rights as a data subject

If we process your personal data, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as the controller:

 

(1) Right of objection

(a) You have the right to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR for direct marketing purposes without providing reasons. We will then no longer process your personal data for these purposes. This also applies in principle to profiling insofar as it is associated with such direct advertising. However, we do not currently engage in profiling.

(b) You may also object to other processing that we derive from a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f) GDPR by stating reasons related to your particular situation. This also applies in principle to profiling based on this provision However, we do not currently engage in such profiling. We will stop processing your personal data unless we can demonstrate compelling reasons for the processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

(c) Any objection can be made informally. For example, sending an email to dpo@nextcloud.com is sufficient.

 

(2) Right to information

You can request confirmation from us as to whether personal data concerning you is being processed by us.

If such processing has taken place, you can request the following information from us:

  1. the purposes for which the personal data are processed;<
  2. the categories of personal data that are processed;<
  3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;<
  4. the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;<
  5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;<
  6. the existence of a right to lodge a complaint with a supervisory authority;<
  7. any available information as to the source of the data if the personal data are not collected from you as the data subject<

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

(3) Right to rectification

You have the right to rectification and/or completion vis-à-vis us as the controller or Google, for example, if the personal data processed by us concerning you is incorrect or incomplete. We must make the correction without delay.

(4) Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of your personal data:

(a) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

(c) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or

(d) you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet determined whether our legitimate reasons override your reasons. If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been applied in accordance with the above conditions, we will inform you before the restriction is lifted.

(5) Right to erasure

(a) Cancellation obligation

You can request that we delete your personal data immediately, and we are obliged to delete this data immediately if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent on which the processing was based according to Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR, and where there is no other legal ground for the processing.
  3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
  4. The personal data concerning you have been unlawfully processed.
  5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.
  6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR

(b) Information to third parties

If we have made the personal data concerning you public and we are obliged to delete it in accordance with Art. 17 para. 1 GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process your personal data that you, as the data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.

(c) Exceptions

The right to erasure does not exist if the processing is necessary

  1. to exercise the right to freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right to erasure referred to in Section XIX (4) (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or 5. for the establishment, exercise or defence of legal claims.

(6) Right to information

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis us to be informed about these recipients.

(7) Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to a controller other than the controller to whom the personal data was provided without hindrance from us, provided that

  1. the processing is based on consent pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 lit. b) GDPR and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly by us as a controller to another controller, where technically feasible. This transfer should not affect the freedoms and rights of other persons. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as the controller.

(8) Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. If you wish to exercise your right to withdraw consent, simply send an email to dpo@nextcloud.com.

(9) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Responsible is:

The State Commissioner for Data Protection and
Freedom of Information Baden-Württemberg

Corporation under public law
Represented by the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg Prof. Dr Tobias Keber.

Lautenschlagerstraße 20
70173 Stuttgart

Phone: 0711/615541-0
Fax: 0711/615541-15

Email: poststelle@lfdi.bwl.de

The supervisory authority with which the complaint has been lodged will inform you as the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

XX. SSL encryption

This website uses SSL encryption for security reasons and to protect the transmission of confidential content that you send to us. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser bar. Activating SSL encryption protects the data you transmit to us from being read by third parties.

XXI. Subject to change

We reserve the right to amend this data protection declaration in order to continually adapt it to the applicable provisions, as well as our offerings on our website.

 

Last updated: July 2024