This document is effective from 10 August, 2020
Please note that due to differences between Hong Kong Privacy Law and the EU General Data Protection Regulation, we have created two separate sections to comply with each;
If you are located in the European Union, please click HERE.
If you are located outside of the European Union, please continue reading.
INTRODUCTION
This Hong Kong Privacy Policy Statement (“PPS”) is designated to generally describe how personal data is collected, used, processed and protected in connection with the business operations of GRAPHISOFT ASIA LIMITED (registered address: Admiralty Centre, Tower 2/ Level 11, 18 Harcourt Road, Admiralty, Hong Kong); hereinafter: Graphisoft) acting as data user while complying with the requirements of the Personal Data (Privacy) Ordinance, Cap. 486 of the laws of Hong Kong (the “PDPO”).
This PPS also gives thorough information for the data subjects on their rights pertaining to the processing of their personal data.
This PPS applies to the processing of the personal data of our Website Users, Clients, Users of Our Products and Services, guests and also those data who aim to engage in a contractual relationship and those who were in a contractual relationship earlier; and any other person whom we may contact while operating our business.
Please be advised that GRAPHISOFT may unilaterally amend this PPS from time to time. Please visit https://graphisoft.com/kr/legal/graphisoft-hong-kong-privacy-policy-statement regularly if you want to keep up to date.
DEFINITIONS
What constitutes as “personal data”?
“Personal data” is defined under the PDPO to mean any data:
- relating directly or indirectly to a living individual;
- from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- in a form in which access to or processing of the data is practicable.
What is data processing?
“Processing” in relation to personal data is defined under the PDPO to include amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.
Who is the data user?
“Data user” in relation to personal data is defined under the PDPO to mean a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
Who is a third party?
“Third party” in relation to personal data is defined under the PDPO to mean any person other than:
- the data subject;
- a relevant person in the case of the data subject;
- the data user; or
- a person authorised in writing by the data user to collect, hold, process or use the data:
- under the direct control of the data user; or
- on behalf of the data user.
What is consent?
“Consent” of a person means the express consent of the person given voluntarily (including an indication of no objection) and does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).
What is a data breach?
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1 BASIC INFORMATION ABOUT THE DATA USER
1.1 Data user
This PPS regulates the data processing by Graphisoft, and it is therefore GRAPHISOFT who generally qualifies as data user in respect of your personal data. There are however certain cases where GRAPHISOFT does not act as a data user but instead acts as a subordinate of another data user who does not hold, process or use the personal data for any of its own purpose, in which case GRAPHISOFT is understood to be a data processor acting on behalf of the data user (in such case the data user shall adopt contractual or other means to ensure Graphisoft’s compliance with the PDPO).
Please also note that GRAPHISOFT operates and provides its services with close cooperation with its agents and with Graphisoft SE (parent company of GRAPHISOFT, hereinafter agents and GRAPHISOFT SE collectively referred to as: “GRAPHISOFT PARTNERS”) therefore the electronic systems of GRAPHISOFT (where most of our products are marketed and are available) are designed to share the relevant information with Graphisoft PARTNERS. Based on this system structure it may occur that the data processed by Graphisoft are shared with Graphisoft PARTNERS or GRAPHISOFT PARTNERS share personal information with GRAPHISOFT.
In all cases internal policies and procedures regulate the access to the databases to ensure that while we aim to provide the best service possible all data processing are in compliance with the legal regulations.
List of GRAPHISOFT PARTNERS and their contact details are available here: GRAPHISOFT PARTNERS.
1.2 Contact details
Graphisoft’s contact details for data protection and privacy related matters are as follows:
Name: GRAPHISOFT ASIA Limited
Position: Data Protection Officer
Email address: privacy@graphisoft.com
Postal address: Admiralty Centre, Tower 2/ Level 11, 18 Harcourt Road, Admiralty, Hong Kong
Phone number: +852 3975 3260
1.3 Websites and services using this PPS
This PPS applies to the privacy practices of Graphisoft’s websites as well concerning all websites operated by Graphisoft (“Websites”), which include, without limitation, the following:
- http://www.graphisoft.cn,
- http://asiabim.wordpress.com
- https://accounts.graphisoft.com
- https://learn.graphisoft.com/
as well as our products, online services and applications that include a link to this PPS and as such, sets out the basis on which any personal information we collect from you, or that you provide to us whether on the above websites, or otherwise (for example, in connection with the purchase of a product or service from us, or when we purchase service from you), will be processed by us. Importantly, this PPS also applies to Graphisoft’s marketing and advertising practices, as described below. Please be advised that details of each individual data processing include at least the following information:
- identification and contact details of data user if any;
- the purpose of processing; and
- the transferees or categories of transferees of the personal data, if any.
2 GENERAL RULES
2.1 GENERAL PRINCIPLES
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes save for exempted purposes under the PDPO;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods for exempted purposes under the PDPO subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3 IF YOU ARE USING OUR WEBSITES
Please note that the below description is a general guideline and advisory and specifics of each data process are detailed on the relevant Website.
3.1 WHAT INFORMATION DOES GRAPHISOFT COLLECT ABOUT YOU?
In case you are using our Websites, Graphisoft collects several types of personal, aggregated and anonymous data about you, which may include the following:
Aggregated Data including statistical, demographical or other data which is related to you, but may not be used to directly or indirectly identify you, and which therefore does not fall as personal data.
Contact Data includes postal address (city, ZIP code, state and country), billing address, delivery address, location, company name, e-mail address, phone number, contact preferences.
Eligibility Data includes information about your location, company name, user status, Graphisoft partner data, title, purchase timeframe, purpose, used CAD software and company size data, school data, school website.
Financial Data includes credit card and bank account information, details about your payments and payment defaults, VAT/TAX ID number.
Identity Data includes your full name, position, company name, user status.
Marketing and Communications Data includes your preferences in receiving marketing from GRAPHISOFT and its affiliates and also upon your consent from third parties, and your communication preferences.
Profile Data includesyour username, password, Graphisoft ID (you may create it when registering to use a Graphisoft website and application), purchases or orders made by you, your interests, preferences, feedback and survey responses and other similar interactions, data collected from and via e-mails and phone calls and other communications, and other personal data derived from such data and decisions made on the basis of Profile Data.
Technical Data includes referral URL, internet protocol (IP) address, connection IP address, WIFI network (SSID), your login data, browser type and version, time zone setting and location, operating system and platform and other technology on the devices you use to access our websites indicated above.
Transaction Data includes details about payments made by you and other details of products and services you have purchased from GRAPHISOFT.
Usage Data includes information about how you use our or our partners’ websites, products and services (including data generated during user interactions on GRAPHISOFT and third party websites, such as registrations, likes and comments, and also data collected automatically via normal IT environment operations (such as crash reports etc.).
GRAPHISOFT always indicates whether the provision of a certain data is mandatory or optional. Where the provision of a data is mandatory and you fail to provide it, Graphisoft may not be able to provide the requested service or product, in which case you will be informed accordingly.
3.2 HOW AND WHERE DOES GRAPHISOFT COLLECTS THIS INFORMATION?
3.2.1 Registration on GRAPHISOFT websites and Customer Support – GRAPHISOFT ID
When you register to use a Graphisoft Website or application, provide your GRAPHISOFT ID, or contact us for support or other offerings or submit a claim, Graphisoft collects Identity Data about you. For obtaining certain student and teacher licenses of our applications, further Eligibility Data is required. When you contact us for support, we may request from you to provide us with copies of your files, photos, documents or other data that might not constitute personal data.
3.2.2 GRAPHISOFT support lines
Being subject to individual agreement you may contact us for support in technical issues and other service questions by a designated telephone line or e-mail address. When you call this support line GRAPHISOFT collects Identity Data about you. Based on the type of your request additional information might be required to provide the best solution. Please note that in most cases such support lines are operated by our third party vendors as data processors.
3.2.3 GRAPHISOFT Websites and Applications
We collect Technical and Usage Data, including information about how you use our websites and applications with or without registration or log-in. We collect information that your browser or device typically sends to our servers whenever you use (e.g. input text) on or visit a Graphisoft website, or when a Graphisoft desktop product or application feature takes you online (as when you visit Online help). For example, your browser or device may tell us your IP address (which may also tell us your location) and the type of browser and device you used. When you visit a Graphisoft Website, your browser may also tell us information such as the page that led you to our website (referral URL) and the websites you generally visit. To collect this information, Graphisoft may use cookies (please see our cookie information notice below) and similar technologies, and our servers may collect similar information when you are logged in to the website or application. As mentioned below, you may always refuse or opt out of the use of cookies or similar technologies. If you identified yourself or registered at a Website or application, this information may be associated with you or if you have not identified yourself or registered at a Website or application it will be anonymous.
3.2.4 Development consultations
Consultants participate in the GRAPHISOFT Development Consultation Program (“GDC Program“) organized by Graphisoft to elaborate and discuss specific development themes in connection with planning a product. When you participate in the GDC Program we collect your Identity Data, Contact data, also certain Technical and Usage data.
3.2.5 GRAPHISOFT Forums
For certain products and developments GRAPHISOFT provides platforms for users/consultants to share their ideas, thoughts, questions etc (the “Forums”).
While you are participating in the Forums your information is collected via two ways. Firstly, by browsing the relevant program will cause the phpBB software used by Graphisoft to create a number of cookies. The first two cookies just contain a user identifier and an anonymous session identifier, automatically assigned to you by the phpBB software. A third cookie will be created once you have browsed topics within the relevant program and is used to store which topics have been read, thereby improving your user experience.
The second way in which we collect your information is by what you submit to us. This can be, and is not limited to posting as an anonymous user, registering on the relevant program (hereinafter “your account”) and submitting posts by you after registration and whilst being logged in.
Your account will at a bare minimum contain a uniquely identifiable name (hereinafter “your user name”), a personal password used for logging into your account (hereinafter “your password”) and a personal, valid email address (hereinafter “your email”). Any information beyond your user name, your password, and your email address required by the relevant program during the registration process is either mandatory or optional. In all cases, you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated emails from the phpBB software.
Your password is ciphered (a one-way hash) so that it is secure. However, it is recommended that you do not reuse the same password across a number of different websites. Your password is the means of accessing your accounts, so please guard it carefully and under no circumstance will anyone affiliated with the relevant program, phpBB or another 3rd party, legitimately ask you for your password. Should you forget your password for your account, you can use the “I forgot my password” feature provided by the phpBB software. This process will ask you to submit your user name and your email, then the phpBB software will generate a new password to reclaim your account.
3.2.6 GRAPHISOFT Emails
Emails we send you, on the basis of your prior written (including electronic means) consent if you are an individual, usually include technologies that tell GRAPHISOFT whether you have received or opened the email, or clicked a link within the email. If you do not want us to collect this information from GRAPHISOFT marketing emails, you may withdraw your consent at any time and can either opt out of receiving GRAPHISOFT marketing emails either on the “my profile“, or a similar feature of the website or application you are using, or by clicking “unsubscribe” at the end of the message, or just simply writing an email to the email addresses highlighted at point 8.3.1. Also for more detailed description of your rights, please also refer to clause 8.
3.2.7 GRAPHISOFT Online Advertising
GRAPHISOFT advertises online in a variety of ways, including displaying GRAPHISOFT ads on websites and in apps. We collect your Technical and Usage Data on our websites, including information about which ads are displayed, which ads are clicked on, and on which web page the ad was displayed, and which campaign has generated certain user actions – such as web page views and web page interactions, mobile app interactions, mobile app purchases, file downloads, contact form submissions or registration to Graphisoft’s online services.
3.2.8 Buttons, Tools, and Content from Other Companies
GRAPHISOFT websites and applications may include buttons, tools, or content that link to other companies’ services (for example, a Facebook “Like” button). Using these features is completely voluntary, should you decide to use them then please note that we collect information about your use of these features. In addition, please note that when you see or interact with these buttons, tools, or content, or view a Graphisoft Website containing them, some information from your browser may automatically be sent to the other company (usually at least a JavaScript code snippet is downloaded from the web server of the other company, which action –being a standard web request– sends most of the details listed under the Technical Data ). Please read that company’s privacy policy for more information.
3.2.9 Third-Party Sites and Services
GRAPHISOFT websites, products, online services, and applications may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties − for example, a third-party ARCHICAD add-on. GRAPHISOFT will not transfer any of your data while you are using these links or navigate to third-party website, in such case it will be these third parties who will advise you on their data processing and collect information from you, which may include such things as Contact Data, these data processing are governed by the data privacy practices of these third parties. We encourage you to learn about the data privacy practices of those third parties.
We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, such as Google, Facebook, Linked In, Hotjar, and Sajari Pty Ltd based inside or outside Hong Kong) and may receive Technical Data or information about you from them that we usually combine with other information we have about you.
3.2.10 Public sources
To help keep our databases current and to provide you the most relevant content and experience, we may combine information from you with information from public sources and our trusted partners, in accordance with applicable law.
3.2.11 Events
To update you about our products and services, industry relevant news, we either organize, sponsor or participate in certain events. To build up and start business relation with you, we may collect your contact information verbally or via business cards on various Events either held by us or others. Also, when we sponsor industry specific events, we can gather your registration information from the organizers.
3.2.12 Social Media
We use different social media platforms to interact with you, answer and support your queries and questions. We might collect and use your personal data for such interactions with you. Social media platforms we use are Facebook, WeChat, QQ, LinkedIn and WhatsApp depending on which one is available in your country.
We also operate a BlogPost on https://asiabim.wordpress.com/ to publish relevant and actual information with respect to Graphisoft’s products and services, events and industry specific news, where you have the option to comment on them. Commenting on our blogs does not require any registration, it can be anonym unless you wish to disclose your identity.
3.2.13 Graphisoft classroom or online trainings, seminars
GRAPHISOFT offers different services:
- train the trainer trainings aimed at GRAPHISOFT PARTNERS; and
- trainings to Building Information Modeling managers and end users using Graphisoft Products.
- professional seminars which are available for the public (after registration).
These training services may be offered free of charge or in consideration of certain reimbursement as specified in the relevant terms and conditions.
GRAPHISOFT collects and uses the following personal data:
- first name;
- last name;
- full email address;
- phone number;
- company name;
- position;
- country; and
- face and voice of online training participants (if participant approves such functions by enabling their operation) during the training and storing the recording of face and voice after the training for a limited period of time.
Purpose of data processing:
- registering to participation;
- invoicing;
- issuing / re-issuing certificate / confirming that certificate has been issued;
- issuing targeted newsletters about new trainings (if consent has been given);
- issuing targeted emails for training feedback and follow up;
- statistical purposes;
- online trainings might get recorded for the purpose of supporting the participants in their learning and enabling them to re-watch the training they participated at;
- performing contract entered into between you and GRAPHISOFT; and
- direct marketing (if consent has been given).
Data retention periods:
Save for the data relating to certificates issued for GRAPHISOFT classroom trainings (either online or classroom), the data retention period is 3 years after the last training participation.
The data retention period for data relating to certificates is 10 years after issuance of the certificate. This time period is needed to ensure that GRAPHISOFT can re-issue certificates if someone lost it or to verify the training certifications on request.
Training recordings and course materials are available for the attendees on the webpage for another 7 weeks after the end of the given course, which becomes inaccessible after that. From GRAPHISOFT side the recordings are either deleted or anonymized (meaning that face & voice of participants and other potential personal data in it are removed).
Data transfers:
Personal data of training participants are shared with Graphisoft PARTNER(s) as well as with certified external trainers acting according to Graphisoft’s instructions as Graphisoft’s data processors if the participant is registered for local trainings. The purpose of the data transfer is to provide the training to the participant and follow-up on the course and other trainings.
The training recordings are shared with the participants of the same training course for a limited time period not longer than 7 weeks after the end of the course. The purpose of the data transfer is providing the training to the participant by also enabling the participant to review the course during a limited period of time.
Data transfer activities between GRAPHISOFT, and GRAPHISOFT PARTNERS are contractually agreed.
The collected personal data is shared with the relevant GRAPHISOFT PARTNERS(s) for the purposes of verifying the training certifications on request.
For managing the registrations from technical point of view, Graphisoft might use certain external service platforms (e.g. Eventbrite).
3.2.14 Children’s data
GRAPHISOFT does not offer any of its products or services to children under the age of 16 and does not allow children under the age of 16 to register on the Websites.
3.2.15 GRAPHISOFT webshop
Graphisoft’s products and services can also be purchased through a webshop. GRAPHISOFT collects and processes the following personal data of data subjects purchasing Graphisoft products and services:
- Identity Data;
- Contact Data;
- Financial Data; and
- Transactional Data
for processing and delivering the orders, managing the payments, contacting the end users in relation to the purchase and follow-ups.
For managing payments GRAPHISOFT uses external payment processor processing data subjects’ Financial Data and Transaction Data. GRAPHISOFT does not process and store any Financial Data (e.g. bank card information).
Purpose of data processing:
- performing contract entered into between you and GRAPHISOFT.
- direct marketing (if consent has been given).
For the purposes of providing products and services purchased, Graphisoft uses GRAPHISOFT PARTNERS based in the country of establishment of data subject acting according to Graphisoft’s instructions as Graphisoft’s data processors to whom the Identity Data, Contact Data and Transactional Data are transferred. The data transfer between GRAPHISOFT and the GRAPHISOFT PARTNERS are also required for financial settlement purposes between these entities.
If consent has been given, then either GRAPHISOFT or GRAPHISOFT PARTNERS operating in the same country as data subject is located can approach the data subjects for electronic direct marketing purposes.
Data processing activities between GRAPHISOFT, and GRAPHISOFT PARTNERS are contractually agreed.
Data retention period is in accordance with accounting and taxation rules if the purpose of the data processing is the performance of contract, while if the personal data is processed based on consent until express withdrawal of such consent.
3.2.16 Recruitment
When you apply for a job advertised by Graphisoft, personal data provided by you will be processed for the purposes of managing our recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. If your application is unsuccessful, Graphisoft may collect and use your contact, identity and profile data up to two years from the date of rejection before destroying the personal data, unless there is a subsisting reason that obliges GRAPHISOFT to do so or you have given your consent to be retained beyond two years.
3.3 FOR WHAT PURPOSES DOES GRAPHISOFT USE THE INFORMATION IT COLLECTS ABOUT YOU?
3.3.1 The below table includes a general overview on relevant purposes for which GRAPHISOFT processes your data in the context of various activities:
Purpose/Activity | Data type |
Verification of eligibility To check your eligibility for certain Graphisoft products and services including events and conferences | (1) Identity Data (2) Contact Data (3) Eligibility Data |
Customer registration To register you as customer | (1) Identity Data (2) Contact Data (3) Profile Data |
Provision of products and services To provide you with the GRAPHISOFT websites and applications for which you have registered, as well as any services, products, support, or information you have requested | (1) Identity Data (2) Contact Data (3) Financial Data (4) Transaction Data (5) Marketing and Communications Data |
Processing orders and managing payments To process and deliver your orders including: (1) Manage payments, fees and charges (2) Manage subscriptions, including informing you about the expiration of your subscription (3) Collect and recover money owed to us | (1) Identity Data (2) Contact Data (3) Financial Data (4) Transaction Data |
Regular (not marketing related) notifications To manage our relationship with you which will include notifying you about changes to our terms or PPS To keep our records updated and to monitor how customers use our products/services | (1) Identity Data (2) Contact Data (3) Profile Data |
Administration of websites To administer and protect the GRAPHISOFT websites (including diagnosing problems, troubleshooting, data analysis, testing, system maintenance, support services, reporting and hosting of data) For the provision of administration and IT services, network security, to prevent information security and personal data breaches To comply with a legal obligation such as e-commerce, electronic communications and data protection legislation | (1) Identity Data (2) Contact Data (3) Technical Data (4) Usage Data |
Data analytics To use data analytics to improve our website, products/services, marketing, customer relationships and experiences To define types of customers for our products and services To keep our website updated and relevant To develop our business and to inform our marketing strategy | (1) Technical Data (2) Usage Data (3) Aggregated Data |
Profiling Incremental collection of data that may fall as personal data to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects concerning your interests, behaviour, preferences To define types of customers for our products and services To keep our website updated and relevant To provide customized service and information To develop our business To [develop] our marketing strategy NOTE: GRAPHISOFT is not engaged in profiling that would pose a high risk or have a high impact on you. In other words, we do not carry out systematic and extensive evaluation of your personal aspects which is based on automated processing, and on which decisions are based that produce legal effects concerning or similarly significantly affect you. | (1) Identity Data (2) Contact Data (3) Eligibility Data (4) Financial Data (5) Profile Data (6) Usage Data (7) Marketing and Communications Data (8) Transaction Data (9) Technical Data |
Customized content With your [prescribed] consent, to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising GRAPHISOFT serves you | (1) Identity Data (2) Contact Data (3) Profile Data (4) Usage Data (5) Marketing and Communications Data (6) Technical Data |
Electronic direct marketing With your consent, to contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about the goods or services of GRAPHISOFT and GRAPHISOFT PARTNERS and other parties, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data |
Transfer of personal data to GRAPHISOFT PARTNERS for direct marketing, electronic direct marketing and telemarketing purposes With your consent, to ensure our partners may also contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about their goods or services, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Marketing and Communications Data |
Electronic direct marketing for similar products to existing customers With your consent, to ensure that GRAPHISOFT and GRAPHISOFT PARTNERS may contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about the goods or services of GRAPHISOFT, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data |
Telemarketing With your consent, to ensure that GRAPHISOFT and GRAPHISOFT PARTNERS may contact you via phone to share information about the goods of services of GRAPHISOFT, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data |
Market research With your consent, to contact you for market research and customer satisfaction purposes and also to measure the effectiveness of marketing campaigns | (1) Identity Data (2) Contact Data (3) Profile Data |
Sharing of or publication of personal data with external agencies to combat fraud and piracy To reduce fraud, software piracy, and protecting our customers as well as GRAPHISOFT To protect our intellectual and industrial property rights and economic interests | (1) Identity Data (2) Contact Data (3) Eligibility Data (4) Profile Data (6) Usage Data (7) Transaction Data (8) Technical Data |
Recruitment Managing recruitment related activities | (1) Identity Data (2) Contact Data (3) Profile Data |
Events With your consent, to start and build up business relationship, update you about products, services and news | (1) Identity Data (2) Contact Data (3) Profile Data |
4 WHAT ARE COOKIES AND HOW DOES GRAPHISOFT USE THEM?
4.1 A cookie is a small piece of information that will be stored on your hard disk until you delete it. Like most websites and applications, we use our own cookies and those of third parties, together with similar technologies, to make our websites and applications work, to offer you customized and personalized service, and to learn more about our users and their likely interests. Cookies themselves don’t hold personal information. They only have a unique alphanumeric identifier that sits on your browser. And in many cases, we won’t be able to link the information we collect by using a cookie back to you. They can, however, enable us to link that information back to you and your personal information, for example, when you log in, or choose to register for a service, product or newsletter.
4.2 GRAPHISOFT and third-party vendors including Google and Facebook use first-party and third-party cookies and related user behaviour tracking technologies to measure desktop software, mobile application and website usage; record different user activities in its software and on its web sites; and display advertisements based on the user’s previously recorded activities. GRAPHISOFT does not disclose any personally identifiable information to these third-party vendors. However, third-party vendors automatically receive IP addresses when activity tracking occurs. GRAPHISOFT may connect user activity data gathered by third-party vendors with information collected by its websites and applications and such data may therefore become Profile Data or Usage Data.
4.3 You can set your browser so that the browser informs you about cookies or automatically prevents their storage. If you do not store our cookies, you will still be able to visit our website or use our services; however, the use of individual offers or features might be limited.
4.4 You can also prevent your data from being used by third-party vendors by installing browser extensions, such as:
Alternatively, you can set your preferences at web sites like:
- http://www.youronlinechoices.com/uk/your-ad-choices
- http://www.networkadvertising.org/choices/
- https://www.google.com/settings/u/0/ads/anonymous
4.5 For more information about the cookies please visit GRAPHISOFT currently uses on its websites, please see our COOKIE POLICY at https://www.graphisoft.com/cookie-policy.
5 TRANSFEREES OF PERSONAL DATA
5.1 DISCLOSURE TO DATA PROCESSORS
5.1.1 GRAPHISOFT as a business entity is subject to tax related obligations and also is subject to authority reviews, the course of which we could be obliged to share your data with the authorities. These obligations are imposed on GRAPHISOFT by laws and regulatory decisions, we are legally bound to fulfil these requirements.
5.1.2 GRAPHISOFT also works with companies that help us run our business. Among these are the subsidiaries of GRAPHISOFT and also companies that are not linked to GRAPHISOFT providing services for us. These services vary in subject and term: external consultants, professional advisers such as lawyers or auditors, technical support functions (IT and document storage providers, professionals delivering customer support and sending emails on our behalf). These are called data processors are engaged in all cases based on written contract with appropriate guarantees to safeguard the security of the data and the rights of the data subjects. In some cases, these companies have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes and we ensure by data processing contracts (including electronic format) that your data are being processed in accordance with the legal regulations.
5.1.3 Currently, Graphisoft is using the following data processors:
Name | Full postal address | Activity |
Salesforce.com, Inc. | The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States | CRM software service provider/licensor, marketing automation |
Beijing Cloudcc.Com Technology Co., Ltd. | A-1009,Tower A, No.9, ShangDi Third Street, HaiDian District, Beijing, China, 100085 | CRM software service provider/licensor |
The Rocket Science Group, LLC d/b/a MailChimp | 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, GA 30308, United States | assistance with the conduct of e-mail marketing campaigns |
Eventbrite Inc. | 155 5th Street 7th Floor San Francisco, CA 94103 United States | assistance with registration to Events |
Google, Inc. | 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA | processing of user traffic and analytics data |
Facebook, Inc, | Facebook Headquarters 1 Hacker Way, Menlo Park, CA 94025, USA | processing of user data |
Microsoft Corporation | One Microsoft Way, Redmond, WA 98052-6399, USA | data hosting |
Marketo, Inc. | 901 Mariners Island Boulevard Suite #500 (Reception) San Mateo, CA 94404, USA | marketing automation, including email campaigns, landing pages, profiling |
Stripe Inc | 510 Townsend Street, San Francisco, CA 94103, USA | facilitating payment transactions occurring in Graphisoft webshop |
PayPal Hong Kong Limited | Room 1506-07, 15/F, Central Plaza 18 Harbour Road Wan Chai Hong Kong | facilitating payment transactions |
Tencent Holding Limited | Tencent Binhai Building, No. 33, Haitian Second Road, Nanshan District, Shenzhen | processing of user traffic and analytics data |
Sina Corporation | 88 Jian Wai Da Jie Xian Dai Cheng Building C, 16 Floor Chao Yang District, Beijing | processing of user traffic and analytics data |
ActiveCampaign, LLC | 1 N Dearborn St. 5th Floor Chicago, IL 60602 | Managing sales leads |
Greenhouse Software, Inc | 18 West 18th Street, 11th Floor New York, NY 10011 USA | managing recruitment related activities |
5.1.4 It is Graphisoft’s legitimate interest to prevent and respond to fraud, to defend our Websites and applications against attacks, to protect the property and safety of GRAPHISOFT, our customers, users, the public. That is why our partners and specific companies are retained as data processors to assist us to combat piracy. Please note that it is Graphisoft’s legitimate interest from the above reasons not to identify our service providers. We share your IP address, MAC address, software version and language with them exclusively for the above purposes.
5.1.5 Further to the above as indicated earlier GRAPHISOFT provides its services in close cooperation with its subsidiaries therefore it is frequent that a Graphisoft subsidiary acts as data processor on behalf of GRAPHISOFT.
5.2 DISCLOSURE TO OTHER DATA USERS
5.2.1 In other cases, we provide your data to other entities to use such data under their own name and for their own benefit. Sometimes we may need to do this to comply with a legal obligation (such as when we need to provide certain Transaction Data, Technical Data or Identity Data to the police or other authorities), and in other cases, we rely on other exemptions under the PDPO or your written (including electronic means) consent.
5.2.2 Accordingly, if you consent to the sharing, as indicated above in the table, Graphisoft may also share your Identity Data, Contact Data and Marketing and Communications Data with GRAPHISOFT PARTNERS. Please note that we do not share your personal data with third parties for their own marketing purposes without your written (including electronic means) consent.
5.2.3 We may share or publish Aggregate Data that doesn’t specifically identify you, such as statistical information about visitors to our websites or statistical information about how customers use our applications.
5.2.4 We require all third parties to respect the security of your personal data and to treat it in accordance with the law and the data processing contract if any. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
5.3 MAKING YOUR DATA PUBLICLY AVAILABLE BY YOU
5.3.1 There are several places on Graphisoft’s websites and applications that allow you to post comments, upload pictures, or submit content for others to see. Sometimes you might be able to limit who can see what you share, but there are some places where what you share can be seen by the general public or other members of the website or application. Please be careful when you share your personal information. Do not share anything you do not want publicly known unless you are sure you are posting it within a website or application that allows you to control who sees your post. Please note that when you post messages on certain user forums on our websites and applications, your email address or name may be included and displayed with your message.
5.3.2 To remove content you have shared on our websites and applications, please use the same website or application feature you used to share the content. If another user invites you to participate in shared viewing, editing, or commenting of content, you may be able to delete your contributions, but usually the user who invited you has full control. If you have questions or concerns about this, please contact us.
6 IS MY PERSONAL DATA SECURE, AND WHERE WILL IT BE STORED?
6.1 We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. All information you provide us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot warrant or guarantee the security of your data transmitted to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. In case your data is provided by registering on our websites than we ensure that this registration is completed on a secured platform where we apply our security measures. In case you would like to have more information on the specific security measures taken in order to save your data than please contact us.
6.2 Also, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
6.3 Finally, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
6.4 Your personal information and data files are stored on Graphisoft’s servers and the servers of companies we hire to provide services to us. Your personal information may be transferred across national borders because we have servers located worldwide and the companies we hire to help us run our business are located in different countries around the world (for example, Germany, Ireland, the United States). The data that we collect from you may therefore be transferred to, and stored at, a destination outside Hong Kong. It may also be processed by staff operating outside Hong Kong who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the fulfilment of your order and the provision of support services.
7 HOW LONG WILL GRAPHISOFT HOLD AND USE MY PERSONAL DATA?
7.1 We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
7.2 To determine the appropriate retention period for personal data, we take into account the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
7.3 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8 YOUR RIGHTS REGARDING YOUR PERSONAL DATA
8.1 Your right to access
8.1.1 You have the right to access your personal data, including requesting information on whether GRAPHISOFT processes your data, which data are processed, and you may also request a copy of the data that you or a third person provided to GRAPHISOFT and which data is being processed by Graphisoft.
8.1.2 If you submit the completed Data Access Request Form (Form OPS003) (the “DAR Form”) specified by the Commissioner to Graphisoft’s Data Protection Officer to confirm whether or not GRAPHISOFT processes your personal data, then you have the right that obliges GRAPHISOFT to confirm that it processes your personal data, or does not process your personal data.
8.1.3 Your right to obtain confirmation whether GRAPHISOFT processes (or does not process) your personal data
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
8.1.4 GRAPHISOFT shall provide you with a copy of your personal data if
(a) you submit the DAR Form to GRAPHISOFT;
(b) GRAPHISOFT confirms that it processes your personal data;
(c) there is no contrary evidence that you do not wish to obtain a copy; and
(d) you agree to and pay the fee imposed by Graphisoft which is directly related to and necessary without being excessive to comply with the data access request.
8.1.5 Please also note that many of our websites and applications allow you to access or edit your personal information by accessing the “my profile,” or a similar feature of the website or application you are using. Likewise, you can access files or photos you have stored in our online services by logging in and using the functions they make available.
8.2 Your right to rectification
8.2.1 You have the right to the correction of your personal data. This enables you to ask that any inaccurate data we hold about you be corrected.
8.2.2 Your right to obtain rectification of your data that are inaccurate
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
8.2.3 GRAPHISOFT shall rectify your personal data if
(a) GRAPHISOFT processes your personal data;
(b) GRAPHISOFT is satisfied that the personal data in question are inaccurate;
(c) you submit a data correction request (“DCR”) to GRAPHISOFT; and
(d) GRAPHISOFT is satisfied that the correction in the DCR is accurate;
8.2.4 GRAPHISOFT may verify any and all data provided to it. GRAPHISOFT shall taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate the rectification of your personal data to recipients of such personal data (if any). However, Graphisoft shall not communicate the rectification of personal data to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
8.2.5 Please also note that many of our websites and applications allow you to edit your personal information by accessing the “my profile,” or a similar feature of the website or application you are using. Likewise, you can edit files or delete photos you have stored in our online services by logging in and using the functions they make available.
8.3 Your right to withdraw consent
8.3.1 Also, you have the right to withdraw your consent at any time where we rely on your consent for processing your data (e.g. for certain electronic direct marketing purposes). You may do this at any time by contacting Graphisoft’s Data Protection Officer at privacy@graphisoft.com and at any of the relevant addresses based on your location (mail@graphisoft.com.sg or mail@graphisoft.com.hk or mail@graphisoft.cn), or by adjusting your preferences in the privacy dashboard provided as part of some of our services (e.g. “my profile“), or by using the ‘unsubscribe’ function at the end of our messages. Remember that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal and that in some cases we may need time to process request.
8.3.2 GRAPHISOFT shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate your objection/withdrawal of consent to recipients of such personal data (if any). However, Graphisoft shall not communicate such restriction to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
8.4 Your right to lodge a complaint
8.4.1 Without prejudice to any other administrative or judicial remedy that you may have (such as the right to claim compensation for damages suffered as a result of Graphisoft’s contravention of the PDPO), you have the right to lodge a complaint with the Commissioner if you consider that the processing of personal data relating to you infringes the PDPO.
8.4.2 The contact details of the Commissioner are currently as follows: Room 1303, 13/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong; phone: +852 2827 2827; fax: +852 2877 7026; e-mail: complaints@pcpd.org.hk; website: www.pcpd.org.hk.
8.4.3 In any case, we would highly appreciate the chance to deal with your concerns before you approach the regulatory authority above, so please contact us in the first instance if you have any problems.
8.5 Contact details
8.5.1 If you wish to exercise any of your rights mentioned above, please contact us at the addresses set out in clause 1.2 above.
8.6 Verification of your identify
8.6.1 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
9 CHANGES TO THIS PPS
This PPS is effective as of the date indicated on the top. Earlier versions may be obtained by contacting us at privacy@graphisoft.com. We will inform you in case of any changes to this PPS in due course.
Graphisoft GENERAL PRIVACY POLICY AND INFORMATION FOR DATA SUBJECTS located in the European Union
INTRODUCTION
This Privacy Policy is designated to generally describe how personal data is collected, used, processed and protected in connection with the business operations of GRAPHISOFT ASIA LIMITED (registered address: Admiralty Centre, Tower 2/ Level 11, 18 Harcourt Road, Admiralty, Hong Kong ]; hereinafter: GRAPHISOFT or Data controller) acting as Data controller and in certain cases as Data processor while complying with the applicable legal regulations.
This Privacy Policy also gives thorough information for the data subjects on their rights pertaining to the processing of their personal data.
This Privacy Policy applies to the processing of the personal data of our Website Users, Clients, Users of Our Products and Services, guests and also those data who aim to engage in a contractual relationship and those who were in a contractual relationship earlier; and any other person whom we may contact while operating our business. This Privacy Policy does not apply to employment related data processings.
Please be advised that Graphisoft may unilaterally amend this Privacy Policy from time to time. Please visit https://graphisoft.com/kr/legal/graphisoft-hong-kong-privacy-policy-statement regularly if you want to keep up to date.
DEFINITIONS
What constitutes as “personal data”?
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is data processing?
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is the data controller?
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Who is the data processor?
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Who is a third party?
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Who is a recipient?
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
What is a consent?
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
What is a data breach?
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1. BASIC INFORMATION ABOUT THE DATA CONTROLLER
1.1 Data controller/processor
This Privacy Policy regulates the data processing by Graphisoft, and it is therefore GRAPHISOFT who generally qualifies as data controller in respect of your personal data. There are however certain cases where GRAPHISOFT does not act as a data controller but instead acts as a subordinate of another data controller, which case GRAPHISOFT is understood to be a data processor (acting on behalf of another controller while processing the personal data – in such case GRAPHISOFT proceeds in accordance and based on the instructions of the data controller and processes data only to the extent as prescribed by the data controller).
Please also note that GRAPHISOFT operates and provides its services with close cooperation with its agents and with Graphisoft SE (parent company of GRAPHISOFT)(hereinafter: “GRAPHISOFT PARTNERS”) therefore the electronic systems of GRAPHISOFT (where most of our products are marketed and are available) are designed to share the relevant information with Graphisoft PARTNERS. Based on this system structure it may occur that the data processed by Graphisoft are shared with Graphisoft PARTNERS or GRAPHISOFT PARTNERS share personal information with GRAPHISOFT.
In all cases internal policies and procedures regulate the access to the databases to ensure that while we aim to provide the best service possible all data processing are in compliance with the legal regulations.
List of GRAPHISOFT PARTNERS and their contact details are available here: GRAPHISOFT PARTNERS.
1.2 Contact details
Graphisoft’s contact details for data protection and privacy related matters are as follows:
Name: GRAPHISOFT ASIA Limited
Position: Data Protection Officer
Email address: privacy@graphisoft.com
Postal address: Admiralty Centre, Tower 2/ Level 11, 18 Harcourt Road, Admiralty, Hong Kong
Phone number: +852 3975 3260
1.3 Designation of data protection officer
Please note that GRAPHISOFT examined the need to appoint a data protection officer according to Article 37 of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, GDPR) and drew the conclusion that GRAPHISOFT is not required to do so in light of the mandatory appointment criteria, in particular, Graphisoft’s core activities do not include processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. However, since GRAPHISOFT has always added considerable weight to the privacy of personal data, Graphisoft appoints a data protection officer and dedicated sufficient staff, resources to ensure that it is able to discharge its obligations under the GDPR.
Availabilities of the data protection officer:
- Position: Data Protection Officer
- E-mail: privacy@graphisoft.com
- Telephone number: +852 3975 3260
1.4 Websites and services using this privacy policy
This Privacy Policy applies to the privacy practices of Graphisoft’s websites as well concerning all websites operated by Graphisoft (“Websites”), which include, without limitation, the following:
- http://www.graphisoft.cn,
- http://asiabim.wordpress.com
- https://accounts.graphisoft.com
- https://learn.graphisoft.com
as well as our products, online services and applications that include a link to this Privacy Policy and as such, sets out the basis on which any personal information we collect from you, or that you provide to us whether on the above websites, or otherwise (for example: in connection with the purchase of a product or service from us, or when we purchase service from you), will be processed by us. Importantly, this Privacy Policy also applies to Graphisoft’s marketing and advertising practices, as described below. Please be advised that details of each individual data processing include at least the following information:
- identification and contact details of data controller if any; identification and contact details of data processor(s);
- the purpose of processing;
- the legal basis for the processing;
- where the processing is based on the legitimate interests pursued by Graphisoft or by a third party then detailed description of this legitimate interest;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the data is being transferred to a third country (including if access is being granted to another controller/processor from a third country) and how suitable safeguards are provided.
The above facts may also be detailed in the product specific End User License Agreements or other documents that may apply to the website or application you are using.
2. GENERAL RULES
2.1. GENERAL PRINCIPLES
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The data controller shall be responsible for, and be able to demonstrate compliance with the above principles (‘accountability’).
2.2. LEGAL BASIS OF THE DATA PROCESSING – LAWFULNESS
Processing shall only be lawful if at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes – i.e. if you signed a consent form or given your consent via electronic means (pressing consent button or link, or giving consent over recorded telephone etc.).
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – i.e. in case you are or want to be in a contractual relationship with Graphisoft and the processing of your data is necessary for the performance of the contract. Please note that in such case your separate consent is not required, and your data is processed as long and to the extent as required for the performance of the contract.
- processing is necessary for compliance with a legal obligation to which the controller is subject – i.e. in case a EU or national piece of legislation prescribes for GRAPHISOFT to process your data (data of invoices, data of customer complaints etc.). Please note that in such case also your separate consent is not required, and your data is processed as long and to the extent as required and prescribed by law.
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
IN ORDER TO MEET THE ABOVE REQUIREMENTS AND TO GIVE YOU PROPER INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA AND YOUR RIGHTS AND OBLIGATIONS, WE COLLECTED THE MOST FREQUENT CASES WHEN WE PROCESS PERSONAL DATA. PLEASE NOTE THAT THE LIST OF DATA PROCESSING IN THIS PRIVACY POLICY IS NOT EXHAUSTIVE; BESIDES WHAT IS DETAILED HEREIN THERE COULD BE OTHER SPECIFIC CASES WHEN WE NEED TO PROCESS YOUR PERSONAL DATA. IN ALL CASES YOU WILL BE ADVISED DULY BEFORE YOUR PERSONAL DATA IS COLLECTED FOR OTHER PURPOSES THAN DESCRIBED IN THIS PRIVACY POLICY. PLEASE BE INFORMED THAT IN CASE YOU ARE USING OUR SERVICES VIA OUR WEBSITES THEN THE DETAILS OF THE DATA PROCESSING ARE DESCRIBED ALSO AT THE GIVEN GRAPHISOFT WEBSITE.
3. IF YOU ARE USING OUR WEBSITES
Please note that the below description is a general guideline and advisory and specifics of each data process are detailed on the relevant Website.
3.1 WHAT INFORMATION DOES GRAPHISOFT COLLECT ABOUT YOU?
In case you are using our Websites, Graphisoft collects several types of personal, aggregated and anonymous data about you, which may include the following:
Aggregated Data including statistical, demographical or other data which is related to you, but may not be used to directly or indirectly identify you, and which therefore does not fall as personal data.
Contact Data includes postal address (city, ZIP code, state and country), billing address, delivery address, location, company name, e-mail address, phone number, contact preferences.
Eligibility Data includes information about your location, company name, user status, Graphisoft partner data, title, purchase timeframe, purpose, used CAD software and company size data, school data, school website.
Financial Data includes credit card and bank account information, details about your payments and payment defaults, VAT/TAX ID number.
Identity Data includes your full name, position, company name, user status.
Marketing and Communications Data includes your preferences in receiving marketing from GRAPHISOFT and its affiliates and also upon your consent from third parties, and your communication preferences.
Profile Data includesyour username, password, Graphisoft ID (you may create it when registering to use a Graphisoft website and application), purchases or orders made by you, your interests, preferences, feedback and survey responses and other similar interactions, data collected from and via e-mails and phone calls and other communications, and other personal data derived from such data and decisions made on the basis of Profile Data.
Technical Data includes referral URL, internet protocol (IP) address, connection IP address, WIFI network (SSID), your login data, browser type and version, time zone setting and location, operating system and platform and other technology on the devices you use to access our websites indicated above.
Transaction Data includes details about payments made by you and other details of products and services you have purchased from GRAPHISOFT.
Usage Data includes information about how you use our or our partners’ websites, products and services (including data generated during user interactions on GRAPHISOFT and third party websites, such as registrations, likes and comments, and also data collected automatically via normal IT environment operations (such as crash reports etc.).
GRAPHISOFT always indicates whether the provision of a certain data is mandatory or optional. Where the provision of a data is mandatory and you fail to provide it, Graphisoft may not be able to provide the requested service or product, in which case you will be informed accordingly.
3.2 HOW AND WHERE DOES GRAPHISOFT COLLECTS THIS INFORMATION?
3.2.1 Registration on GRAPHISOFT websites and Customer Support – GRAPHISOFT ID
When you register to use a Graphisoft Website or application, provide your GRAPHISOFT ID, or contact us for support or other offerings or submit a claim, Graphisoft collects Identity Data about you. For obtaining certain student and teacher licenses of our applications, further Eligibility Data is required. When you contact us for support, we may request from you to provide us with copies of your files, photos, documents or other data (although that might not constitute as personal data).
3.2.2 GRAPHISOFT support lines
Being subject to individual agreement you may contact us for support in technical issues and other service questions by a designated telephone line or e-mail address. When you call this support line GRAPHISOFT collects Identity Data about you. Based on the type of your request additional information might be required to provide the best solution. Please note that in most cases such support lines are operated by our third party vendors as data processors.
3.2.3 GRAPHISOFT Websites and Applications
We collect Technical and Usage Data, including information about how you use our websites and applications with or without registration or log-in. We collect information that your browser or device typically sends to our servers whenever you use (e.g. input text) on or visit a Graphisoft website, or when a Graphisoft desktop product or application feature takes you online (as when you visit Online help). For example, your browser or device may tell us your IP address (which may also tell us your location) and the type of browser and device you used. When you visit a Graphisoft Website, your browser may also tell us information such as the page that led you to our website (referral URL) and the websites you generally visit. To collect this information, Graphisoft may use cookies (please see our cookie information notice below) and similar technologies, and our servers may collect similar information when you are logged in to the website or application. As mentioned below, you may always refuse or opt out of the use of cookies or similar technologies. If you identified yourself or registered at a Website or application, this information may be associated with you or if you have not identified yourself or registered at a Website or application it will be anonymous.
3.2.4 Development consultations
Consultants participate in the GRAPHISOFT Development Consultation Program (“GDC Program“) organized by Graphisoft to elaborate and discuss specific development themes in connection with planning a product. When you participate in the GDC Program we collect your Identity data, Contact data, also certain Technical and Usage data.
3.2.5. GRAPHISOFT Forums
For certain products and developments GRAPHISOFT provides platforms for users/consultants to share their ideas, thoughts, questions etc.
While you are participating in the Forums your information is collected via two ways. Firstly, by browsing the relevant program will cause the phpBB software used by Graphisoft to create a number of cookies. The first two cookies just contain a user identifier (hereinafter “user-id”) and an anonymous session identifier (hereinafter “session-id”), automatically assigned to you by the phpBB software. A third cookie will be created once you have browsed topics within the relevant program and is used to store which topics have been read, thereby improving your user experience.
The second way in which we collect your information is by what you submit to us. This can be, and is not limited to: posting as an anonymous user (hereinafter “anonymous posts”), registering on the relevant program (hereinafter “your account”) and posts submitted by you after registration and whilst logged in (hereinafter “your posts”).
Your account will at a bare minimum contain a uniquely identifiable name (hereinafter “your user name”), a personal password used for logging into your account (hereinafter “your password”) and a personal, valid email address (hereinafter “your email”). Any information beyond your user name, your password, and your email address required by the relevant program during the registration process is either mandatory or optional. In all cases, you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated emails from the phpBB software.
Your password is ciphered (a one-way hash) so that it is secure. However, it is recommended that you do not reuse the same password across a number of different websites. Your password is the means of accessing your accounts, so please guard it carefully and under no circumstance will anyone affiliated with the relevant program, phpBB or another 3rd party, legitimately ask you for your password. Should you forget your password for your account, you can use the “I forgot my password” feature provided by the phpBB software. This process will ask you to submit your user name and your email, then the phpBB software will generate a new password to reclaim your account.
3.2.6 GRAPHISOFT Emails
Emails we send you, on the basis of your prior written (including electronic means) consent if you are an individual, usually include technologies that tell GRAPHISOFT whether you have received or opened the email, or clicked a link within the email. If you do not want us to collect this information from GRAPHISOFT marketing emails, you may withdraw your consent at any time and can either opt out of receiving GRAPHISOFT marketing emails either on the “my profile“, or a similar feature of the website or application you are using, or by clicking “unsubscribe” at the end of the message, or just simply writing an email to the email addresses highlighted at point 9.8. Also, for more detailed description of your rights, please also refer to clause 9.
3.2.7 GRAPHISOFT Online Advertising
GRAPHISOFT advertises online in a variety of ways, including displaying GRAPHISOFT ads on websites and in apps. We collect your Technical and Usage Data on our websites, including information about which ads are displayed, which ads are clicked on, and on which web page the ad was displayed, and which campaign has generated certain user actions – such as web page views and web page interactions, mobile app interactions, mobile app purchases, file downloads, contact form submissions or registration to Graphisoft’s online services.
3.2.8 Buttons, Tools, and Content from Other Companies
GRAPHISOFT websites and applications may include buttons, tools, or content that link to other companies’ services (for example, a Facebook “Like” button). Using these features is completely voluntary, should you decide to use them then please note that we collect information about your use of these features. In addition, please note that when you see or interact with these buttons, tools, or content, or view a Graphisoft Website containing them, some information from your browser may automatically be sent to the other company (usually at least a JavaScript code snippet is downloaded from the web server of the other company, which action –being a standard web request– sends most of the details listed under the Technical Data ). Please read that company’s privacy policy for more information.
3.2.9 Third-Party Sites and Services
GRAPHISOFT websites, products, online services, and applications may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties − for example, a third-party ARCHICAD add-on. GRAPHISOFT will not transfer any of your data while you are using these links or navigate to third-party website, in such case it will be these third parties who will advise you on their data processing and collect information from you, which may include such things as Contact Data, these data processing are governed by the privacy practices of these third parties. We encourage you to learn about the privacy practices of those third parties.
We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, such as Google, Facebook, Linked In, Hotjar, and Sajari Pty Ltd based inside or outside the EU) and may receive Technical Data or information about you from them that we usually combine with other information we have about you.
3.2.10 Public sources
To help keep our databases current and to provide you the most relevant content and experience, we may combine information from you with information from public sources and our trusted partners, in accordance with applicable law.
3.2.11 Events
To update you about our products and services, industry relevant news, we either organize, sponsor or participate in certain events. To build up and start business relation with you, we may collect your contact information verbally or via business cards on various Events either held by us or others. Also, when we sponsor industry specific events, we can gather your registration information from the organizers.
3.2.12 Social Media
We use different social media platforms to interact with you, answer and support your queries and questions. We might collect and use your personal data for such interactions with you. Social media platforms we use are Facebook, WeChat, QQ, LinkedIn and WhatsApp depending on which one is available in your country.
We also operate a BlogPost on https://asiabim.wordpress.com/ to publish relevant and actual information with respect to Graphisoft’s products and services, events and industry specific news, where you have the option to comment on them. Commenting on our blogs does not require any registration, it can be anonym unless you wish to disclose your identity.
3.2.13 Graphisoft classroom or online trainings, seminars
GRAPHISOFT offers different services:
- train the trainer trainings aimed at GRAPHISOFT PARTNERS; and
- trainings to Building Information Modeling managers and end users using Graphisoft Products.
- professional seminars which is available for the public (after registration)
These training services may be offered free of charge or in consideration of certain reimbursement as specified in the relevant terms and conditions.
GRAPHISOFT collects and uses the following personal data:
- first name;
- last name;
- full mail address;
- phone number;
- company name;
- position;
- country and
- face and voice of online training participants (if participant approves such functions by enabling their operation) during the training and storing the recording of face and voice after the training for a limited period of time.
Purpose of data processing:
- registering to participation;
- invoicing;
- issuing / re-issuing certificate / confirming that certificate has been issued;
- issuing targeted newsletters about new trainings (if consent has been given);
- issuing targeted emails for training feedback and follow up;
- statistical purposes;
- online trainings might get recorded for the purpose of supporting the participants in their learning and enabling to re-watch the training
Legal base of the data processing:
- if you as natural person enter into the agreement with Graphisoft then performance of contract (GDPR point b) Article 6(1)) and if your company enters into the contract then the legitimate interest of GRAPHISOFT (GDPR point f) Article 6(1)).
- consent in case of marketing inquires (GDPR point a) Article 6(1)).
Data retention periods:
Save for the data relating to certificates issued for GRAPHISOFT classroom trainings (either online or classroom), the data retention period is 3 years after the last training participation.
The data retention period for data relating to certificates is 10 years after issuance of the certificate. This time period is needed to ensure that GRAPHISOFT can re-issue certificates if someone lost it or to verify the training certifications on request.
Training recordings and course materials are available for the attendees on the webpage for another 7 weeks after the end of the course, which becomes inaccessible after that. From GRAPHISOFT side the recordings are either deleted or anonymized (meaning that face & voice of participants and other potential personal data in it are removed).
Data transfers:
Personal data of training participants are shared with Graphisoft PARTNER(s) as well as with certified external trainers acting according to Graphisoft’s instructions as Graphisoft’s data processors if the participant is registered for local trainings. The purpose of the data transfer is to provide the training to the participant and follow-up on the course and other trainings.
The training recordings are shared with the participants of the same training course for a limited time period not longer than 7 weeks after the end of the course. The purpose of the data transfer is providing the training to the participant by also enabling the participant to review the course during a limited period of time.
Data transfer activities between GRAPHISOFT, and GRAPHISOFT PARTNERS are contractually agreed.
The collected personal data is shared with the relevant GRAPHISOFT PARTNERS for the purposes of verifying the training certifications on request.
For managing the registrations from technical point of view, Graphisoft might use certain external service platforms (e.g. Eventbrite).
3.2.14 Children’s data
GRAPHISOFT does not offer any of its products or services to children under the age of 16 and does not allow children under the age of 16 to register on the Websites.
3.2.15 GRAPHISOFT webshop
Graphisoft’s products and services can be also purchased through a webshop. GRAPHISOFT collects and processes the following personal data of data subjects purchasing Graphisoft products and services:
- Identity Data;
- Contact Data;
- Financial Data; and
- Transactional Data
for processing and delivering the orders, managing the payments, contacting the end users in relation to the purchase and follow-ups.
For managing payments GRAPHISOFT uses external payment processor processing data subjects’ Financial Data and Transaction Data. GRAPHISOFT does not process and store any Financial Data (e.g. bank card information).
Legal base of the data processing:
- if you as natural person enter into the agreement with Graphisoft then performance of contract (GDPR point b) Article 6(1)) and if your company enters into the contract then the legitimate interest of GRAPHISOFT (GDPR point f) Article 6(1)).
- consent in case of marketing inquires (GDPR point a) Article 6(1)).
For the purposes of providing products and services purchased, Graphisoft uses GRAPHISOFT PARTNERS based in the country of establishment of data subject acting according to Graphisoft’s instructions as Graphisoft’s data processors to whom the Identity Data, Contact Data and Transactional Data are transferred. The data transfer between GRAPHISOFT and the GRAPHISOFT PARTNERS are also required for financial settlement purposes between these entities.
If consent has been given, then either GRAPHISOFT or GRAPHISOFT PARTNERS operating in the same country as data subject is located can approach the data subjects for electronic direct marketing purposes.
Data processing activities between GRAPHISOFT, and GRAPHISOFT PARTNERS are contractually agreed.
Data retention period is in accordance with accounting and taxation rules if the purpose of the data processing is the performance of contract, while if the personal data is processed based on consent until express withdrawal of such consent.
3.2.16 Recruitment
When you apply for a job advertised by Graphisoft, personal data provided by you will be processed for the purposes of managing our recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. If your application is unsuccessful, Graphisoft may collect and use your contact, identity and profile data up to two years from the date of rejection before destroying the personal data, unless there is a subsisting reason that obliges GRAPHISOFT to do so or you have given your consent to be retained beyond two years.
3.3 FOR WHAT PURPOSES AND ON WHAT BASIS DOES GRAPHISOFT USE THE INFORMATION IT COLLECTS ABOUT YOU?
3.3.1 In most cases, Graphisoft will use your personal data on the following legal bases:
Consent: when GRAPHISOFT or GRAPHISOFT PARTNERS send you marketing communications via electronic means, such as e-mail, text messages, personal messages (point a) Article 6(1) GDPR).
Legitimate interest: where processing is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests, and we may verify that a favourable balance of interest test has been carried out (point f) Article 6(1) GDPR).
Performance of contract: where GRAPHISOFT needs to perform the contract we are about to enter into or have entered into with you as natural person (point b) Article 6(1) GDPR).
Legal obligation: where GRAPHISOFT needs to comply with a legal obligation, such as tax or other regulatory obligations and requirements (point c) Article 6(1) GDPR).
3.3.2 By way of background information, in general, legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). Please be advised if you need further information on the summary of the balance of interest tests carried out by Graphisoft in relation to the activities set out in the below table, please contact us. Of course, you can always obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
3.3.3 Performance of contract means processing your data where it is necessary for the performance of a contract to which you as a natural person are a party or to take steps at your request before entering into such a contract.
3.3.4 Legal obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
3.3.5 The below table includes a general overview on relevant purposes for which GRAPHISOFT processes your data in the context of various activities, and also the relevant legal basis GRAPHISOFT relies on.
Purpose/Activity | Data type | Legal basis |
Verification of eligibility To check your eligibility for certain Graphisoft products and services | (1) Identity Data (2) Contact Data (3) Eligibility Data | Performance of contract (natural persons)/ Legal obligation and Legitimate Interest |
Customer registration To register you as customer | (1) Identity Data (2) Contact Data (3) Profile Data | Performance of contract (natural persons)/ Legal obligation and Legitimate Interest |
Provision of products and services To provide you with the GRAPHISOFT websites and applications for which you have registered, as well as any services, products, support, or information you have requested | (1) Identity Data (2) Contact Data (3) Financial Data (4) Transaction Data (5) Marketing and Communications Data | Performance of contract (natural persons)/ Legal obligation and Legitimate Interest |
Processing orders and managing payments To process and deliver your orders including: (1) Manage payments, fees and charges (2) Manage subscriptions, including informing you about the expiration of your subscription (3) Collect and recover money owed to us | (1) Identity Data (2) Contact Data (3) Financial Data (4) Transaction Data | (1) Performance of contract (natural persons)/ Legal obligation and Legitimate Interest (2) Legitimate interest to recover debt and outstanding fees |
Regular (not marketing related) notifications To manage our relationship with you which will include notifying you about changes to our terms or Privacy Policy To keep our records updated and to monitor how customers use our products/services | (1) Identity Data (2) Contact Data (3) Profile Data | (1) Performance of contract (natural persons)/ Legal obligation and Legitimate Interest (2) Necessary to comply with a legal obligation, including the requirement to notify you about changes (3) Legitimate interests (to keep our records updated and to monitor how customers use our products/services) |
Administration of websites To administer and protect the GRAPHISOFT websites (including diagnosing problems, troubleshooting, data analysis, testing, system maintenance, support services, reporting and hosting of data) For the provision of administration and IT services, network security, to prevent information security and personal data breaches To comply with a legal obligation such as e-commerce, electronic communications and data protection legislation | (1) Identity Data (2) Contact Data (3) Technical Data (4) Usage Data | (1) Legitimate interests (for the provision of administration and IT services, network security, to prevent information security and personal data breaches) (2) Necessary to comply with a legal obligation such as e-commerce, electronic communications and data protection legislation |
Data analytics To use data analytics to improve our website, products/services, marketing, customer relationships and experiences To define types of customers for our products and services To keep our website updated and relevant To develop our business and to inform our marketing strategy | (1) Technical Data (2) Usage Data (3) Aggregated Data | Legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
Profiling Incremental collection of data that may fall as personal data to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects concerning your interests, behaviour, preferences To define types of customers for our products and services To keep our website updated and relevant To develop our business and to inform our marketing strategy | (1) Identity Data (2) Contact Data (3) Eligibility Data (4) Financial Data (5) Profile Data (6) Usage Data (7) Marketing and Communications Data (8) Transaction Data (9) Technical Data | Legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to provide customized service and information, to develop our business and to inform our marketing strategy) NOTE: GRAPHISOFT is not engaged in profiling that would pose a high risk or have a high impact on you. In other words, we do not carry out systematic and extensive evaluation of your personal aspects which is based on automated processing, and on which decisions are based that produce legal effects concerning or similarly significantly affect you. |
Customized content To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising GRAPHISOFT serves you | (1) Identity Data (2) Contact Data (3) Profile Data (4) Usage Data (5) Marketing and Communications Data (6) Technical Data | Consent |
Electronic direct marketing To contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about the goods or services of GRAPHISOFT and GRAPHISOFT PARTNERS to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data | 1. Consent |
Transfer of personal data GRAPHISOFT PARTNERS for direct marketing, electronic direct marketing and telemarketing purposes To ensure GRAPHISOFT PARTNERS may also contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about their goods or services, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Marketing and Communications Data | Consent |
Electronic direct marketing for similar products to existing customers With your consent, to ensure that GRAPHISOFT and GRAPHISOFT PARTNERS may contact you and send you via electronic means (such as e-mail, text messages, MMS, private messages etc.) newsletters, information about the goods or services of GRAPHISOFT, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data | Consent |
Telemarketing To ensure that GRAPHISOFT and GRAPHISOFT PARTNERS may contact you via phone to share information about the goods of services of GRAPHISOFT, to make suggestions and recommendations to you about goods or services that may be of interest to you | (1) Identity Data (2) Contact Data (3) Profile Data | Consent |
Market research To contact you for market research and customer satisfaction purposes and also to measure the effectiveness of marketing campaigns | (1) Identity Data (2) Contact Data (3) Profile Data | Consent |
Sharing of or publication of personal data with external agencies to combat fraud and piracy To reduce fraud, software piracy, and protecting our customers as well as GRAPHISOFT To protect our intellectual and industrial property rights and economic interests | (1) Identity Data (2) Contact Data (3) Eligibility Data (4) Profile Data (6) Usage Data (7) Transaction Data (8) Technical Data | Legitimate interest (to protect our intellectual and industrial property rights and economic interests). |
Recruiting Managing recruitment related activities | (1) Identity Data (2) Contact Data (3) Profile Data | Consent of the data subject |
Events With your consent to start and build up business relationship, update you about products, services and news | (1) Identity Data (2) Contact Data (3) Profile Data | Consent of the data subject |
4. WHAT ARE COOKIES AND HOW DOES GRAPHISOFT USE THEM?
4.1 A cookie is a small piece of information that will be stored on your hard disk until you delete it. Like most websites and applications, we use our own cookies and those of third parties, together with similar technologies, to make our websites and applications work, to offer you customized and personalized service, and to learn more about our users and their likely interests. Cookies themselves don’t hold personal information. They only have a unique alphanumeric identifier that sits on your browser. And in many cases, we won’t be able to link the information we collect by using a cookie back to you. They can, however, enable us to link that information back to you and your personal information, for example, when you log in, or choose to register for a service, product or newsletter.
4.2 GRAPHISOFT and third-party vendors including Google and Facebook use first-party and third-party cookies and related user behaviour tracking technologies to measure desktop software, mobile application and website usage; record different user activities in its software and on its web sites; and display advertisements based on the user’s previously recorded activities. GRAPHISOFT does not disclose any personally identifiable information to these third-party vendors. However, third-party vendors automatically receive IP addresses when activity tracking occurs. GRAPHISOFT may connect user activity data gathered by third-party vendors with information collected by its websites and applications and such data may therefore become Profile or Usage Data.
4.3 You can set your browser so that the browser informs you about cookies or automatically prevents their storage. If you do not store our cookies, you will still be able to visit our website or use our services; however, the use of individual offers or features might be limited.
4.4 You can also prevent your data from being used by third-party vendors by installing browser extensions, such as: http://www.aboutads.info/PMC; https://tools.google.com/dlpage/gaoptout/. Or setting your preferences at web sites like: http://www.youronlinechoices.com/uk/your-ad-choices; http://www.networkadvertising.org/choices/; https://www.google.com/settings/u/0/ads/anonymous
4.5 For more information about the cookies please visit GRAPHISOFT currently uses on its websites, please see our COOKIE POLICY at https://www.graphisoft.com/cookie-policy.
5. DOES GRAPHISOFT SHARE/DISCLOSE MY PERSONAL DATA?
(A) DISCLOSURE TO DATA PROCESSORS
5.1 GRAPHISOFT as a business entity is subject to tax related obligations and also is subject to authority reviews, the course of which we could be obliged to share your data with the authorities. These obligations are imposed on GRAPHISOFT by laws and regulatory decisions, we are legally bound to fulfil these requirements.
5.2 GRAPHISOFT also works with companies that help us run our business. Among these are the subsidiaries of GRAPHISOFT and also companies that are not linked to GRAPHISOFT providing services for us. These services vary in subject and term: external consultants, professional advisers such as lawyers or auditors, technical support functions (IT and document storage providers, professionals delivering customer support and sending emails on our behalf). These are called data processors are engaged in all cases based on written contract with appropriate guarantees to safeguard the security of the data and the rights of the data subjects. In some cases, these companies have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes and we ensure by data processing contracts (including electronic format) that your data are being processed in accordance with the legal regulations.
5.3 Currently, Graphisoft is using the following data processors:
Name | Full postal address | Activity |
Salesforce.com, Inc. | The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States | CRM software service provider/licensor, marketing automation |
Beijing Cloudcc.Com Technology Co., Ltd. | A-1009,Tower A, No.9, ShangDi Third Street, HaiDian District, Beijing, China, 100085 | CRM software service provider/licensor |
The Rocket Science Group, LLC d/b/a MailChimp | 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, GA 30308, United States | assistance with the conduct of e-mail marketing campaigns |
Eventbrite Inc. | 155 5th Street 7th Floor San Francisco, CA 94103 United States | assistance with registration to Events |
Google, Inc. | 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA | processing of user traffic and analytics data |
Facebook, Inc, | Facebook Headquarters 1 Hacker Way, Menlo Park, CA 94025, USA | processing of user data |
Microsoft Corporation | One Microsoft Way, Redmond, WA 98052-6399, USA | data hosting |
Marketo, Inc. | 901 Mariners Island Boulevard Suite #500 (Reception) San Mateo, CA 94404, USA | marketing automation, including email campaigns, landing pages, profiling |
Stripe Inc | 510 Townsend Street, San Francisco, CA 94103, USA | facilitating payment transactions occurring in Graphisoft webshop |
PayPal Hong Kong Limited | Room 1506-07, 15/F, Central Plaza 18 Harbour Road Wan Chai Hong Kong | facilitating payment transactions |
Tencent Holding Limited | Tencent Binhai Building, No. 33, Haitian Second Road, Nanshan District, Shenzhen | processing of user traffic and analytics data |
Sina Corporation | 88 Jian Wai Da Jie Xian Dai Cheng Building C, 16 Floor Chao Yang District, Beijing | processing of user traffic and analytics data |
ActiveCampaign, LLC | 1 N Dearborn St. 5th Floor Chicago, IL 60602 | Managing sales leads |
Greenhouse Software, Inc | 18 West 18th Street, 11th Floor New York, NY 10011 USA | managing recruitment related activities |
5.4 It is Graphisoft’s legitimate interest to prevent and respond to fraud, to defend our Websites and applications against attacks, to protect the property and safety of GRAPHISOFT, our customers, users, the public. That is why GRAPHISOFT PARTNERS and specific companies are retained as data processors to assist us to combat piracy. Please note that it is Graphisoft’s legitimate interest from the above reasons not to identify our service providers. We share Your IP address, MAC address, software version and language with them exclusively for the above purposes.
5.5 Further to the above as indicated earlier GRAPHISOFT provides its services in close cooperation with its subsidiaries therefore it is frequent that a Graphisoft subsidiary acts as data processor on behalf of GRAPHISOFT.
(B) DISCLOSURE TO OTHER DATA CONTROLLERS
5.6 In other cases, we provide your data to other entities to use such data under their own name and for their own benefit. Sometimes we may need to do this to comply with a legal obligation (such as when we need to provide certain Transaction, Technical or Identify Data to the police or other authorities), and in other cases, we rely on other legal grounds, such as our legitimate interests or your written (including electronic means) consent.
5.7 Accordingly, if you consent to the sharing, as indicated above in the table, Graphisoft may also share your Identity Data, Contact Data and Marketing and Communications Data with GRAPHISOFT PARTNERS. Please note that we do not share your personal data for their own marketing purposes unless the consumer agreed to that sharing.
5.8 We may share or publish Aggregate Data that doesn’t specifically identify you, such as statistical information about visitors to our websites or statistical information about how customers use our applications.
5.9 We require all third parties to respect the security of your personal data and to treat it in accordance with the law and the data processing contract if any. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
(C) MAKING YOUR DATA PUBLICLY AVAILABLE BY YOU
5.10 There are several places on Graphisoft’s websites and applications that allow you to post comments, upload pictures, or submit content for others to see. Sometimes you might be able to limit who can see what you share, but there are some places where what you share can be seen by the general public or other members of the website or application. Please be careful when you share your personal information. Do not share anything you do not want publicly known unless you are sure you are posting it within a website or application that allows you to control who sees your post. Please note that when you post messages on certain user forums on our websites and applications, your email address or name may be included and displayed with your message.
5.11 To remove content you have shared on our websites and applications, please use the same website or application feature you used to share the content. If another user invites you to participate in shared viewing, editing, or commenting of content, you may be able to delete your contributions, but usually the user who invited you has full control. If you have questions or concerns about this, please contact us.
6. INTERNATIONAL TRANSFERS
6.1 As indicated above, we share your personal data within the GRAPHISOFT PARTNERs as follows:
- You provide us with certain personal data when registering at our Websites. In such case, if you consent to the sharing, as indicated above in the table, Graphisoft as data controller may also share your Identity Data, Contact Data and Marketing and Communications Data with GRAPHISOFT PARTNERS too.
- GRAPHISOFT PARTNERS use the online ordering system of GRAPHISOFT SE and when using it may fill in certain personal information about you. This is always the decision of the given GRAPHISOFT PARTNER. In such case the GRAPHISOFT PARTNER is the data controller and GRAPHISOFT SE is only data processor of the partner in order to provide the electronic ordering system.
These transfers will involve transferring your data outside the European Economic Area (EEA).
6.2 Also, since many of our external third parties are based outside the European Economic Area (EEA) (such as Microsoft, Inc., Digital Ocean, Inc., Salesforce.com, Inc.), so their processing of your personal data will involve a transfer of data outside the EEA.
6.3 Whenever we transfer your personal data outside of EEA, we contractually ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- (b) where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- (c) where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
6.4 Please do contact us if you need further information on the specific mechanism used by us when transferring your personal data outside of EEA.
7. IS MY PERSONAL DATA SECURE, AND WHERE WILL IT BE STORED?
7.1 We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. All information you provide us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot warrant or guarantee the security of your data transmitted to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. In case your data is provided by registering on our websites than we ensure that this registration is completed on a secured platform where we apply our security measures. In case you would like to have more information on the specific security measures taken in order to save your data than please contact us.
7.2 Also, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
7.3 Finally, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7.4 Your personal information and data files are stored on Graphisoft’s servers and the servers of companies we hire to provide services to us. As shown in clause 6 above, your personal information may be transferred across national borders because we have servers located worldwide and the companies we hire to help us run our business are located in different countries around the world (for example, Germany, Ireland, the United States). As mentioned in clause 6 above, the data that we collect from you may therefore be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the fulfilment of your order and the provision of support services.
8. HOW LONG WILL GRAPHISOFT HOLD AND USE MY PERSONAL DATA?
8.1 We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
8.2 To determine the appropriate retention period for personal data, we take into account the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
8.4 More specifically, and without limiting the generality of the foregoing, by law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for at least 5, in certain cases 8 years after they cease being customers for tax, financial auditing, and record keeping purposes.
8.5 In some applicable circumstances you can ask us to delete your data: see the clause dealing with ‘Right To Erasure’ below for further information.
8.6 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9. YOUR RIGHTS REGARDING YOUR PERSONAL DATA
9.1 Your right to access
You have the right to access your personal data, including requesting information on whether GRAPHISOFT processes your data, which data are processed, and you may also request a copy of the data that you or a third person provided to GRAPHISOFT and which data is being processed by Graphisoft.
If you request that GRAPHISOFT confirm whether or not GRAPHISOFT processes your personal data, then you have the right that obliges GRAPHISOFT to confirm that it processes your personal data, or does not process your personal data.
Your right to obtain confirmation whether GRAPHISOFT processes (or does not process) your personal data
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
GRAPHISOFT shall give you access to your personal data if
(a) you request GRAPHISOFT to confirm whether or not it processes your personal data, and
(b) GRAPHISOFT confirms that it processes your personal data, and
(c) you request access to your personal data.
GRAPHISOFT shall provide you with a copy of your personal data if
(a) you request GRAPHISOFT to confirm whether or not it processes your personal data, and
(b) GRAPHISOFT confirms that it processes your personal data, and
(c) you request a copy of your personal data.
If you request further copies of your personal data, then GRAPHISOFT may charge you the fee of EUR 10, – based on the administrative costs incurred in relation to the accommodation of such request.
Upon your request GRAPHISOFT will give you access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of your right to request from GRAPHISOFT rectification or erasure of your personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where your data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
Please also note that many of our websites and applications allow you to access or edit your personal information by accessing the “my profile,” or a similar feature of the website or application you are using. Likewise, you can access files or photos you have stored in our online services by logging in and using the functions they make available.
9.2 Your right to rectification
You have the right to the correction of your personal data without undue delay. This enables you to ask that any incomplete or inaccurate data we hold about you be corrected.
Your right to obtain rectification of your data that are inaccurate
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
GRAPHISOFT shall rectify your personal data if
(a) GRAPHISOFT processes your personal data;
(b) the personal data in question are inaccurate; and
(c) you request the rectification of your personal data.
GRAPHISOFT shall complete your personal data if
(a) GRAPHISOFT processes your personal data;
(b) the personal data in question are incomplete; and
(c) you request the completion of your personal data and if necessary you provide supplementary information for completion.
GRAPHISOFT may verify any and all data provided to it. GRAPHISOFT shall taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate the rectification of your personal data to recipients of such personal data (if any). However, Graphisoft shall not communicate the rectification of personal data to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
Please also note that many of our websites and applications allow you to edit your personal information by accessing the “my profile,” or a similar feature of the website or application you are using. Likewise, you can edit files or delete photos you have stored in our online services by logging in and using the functions they make available.
9.3 Your right to erasure (‘right to be forgotten’)
Subject to certain conditions and in certain cases, you have the right to the erasure of your personal data. This means that you may request that we delete your personal data that we may have processed unlawfully or where the use of your data is no longer needed for a purpose. Please keep in mind that GRAPHISOFT may not be able to meet your request for specific legal reasons that will be notified to you, if applicable.
GRAPHISOFT shall erase your personal data without undue delay if
(a) GRAPHISOFT processes your personal data, and
(b) you request to obtain the erasure of your personal data, and
(c) the personal data are no longer necessary to the purposes for which GRAPHISOFT collected them;
GRAPHISOFT shall erase your personal data without undue delay if
(a) GRAPHISOFT processes your personal data based on your consent, and
(b) you request to obtain the erasure of your personal data, and
(c) you withdraw your consent on which the processing of your data is based, and
(d) there is no alternative legal basis for the processing of your data any further.
GRAPHISOFT shall erase your personal data without undue delay if
(a) the processing is based on being necessary for the purposes of the legitimate interests of GRAPHISOFT or a third party, and
(b) you object to Graphisoft’s processing of your personal data, and
(c) the legal ground for the processing of your personal does not override your objection.
GRAPHISOFT shall erase your personal data without undue delay if
(a) you request to obtain the erasure of your personal data, and
(b) the processing by Graphisoft of such data is unlawful, or
(c) if the erasure is required under applicable law, or
(d) your data is collected in relation to the offer of an information society service.
GRAPHISOFT shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate the erasure of your personal data to recipients of such personal data (if any). However, Graphisoft shall not communicate the erasure of personal data to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
Please note that there are certain cases when you may not request erasure of your data. These reasons will be communicated to you if your request for erasure cannot be completed.
Please also note that many of our websites and applications allow you to edit or delete your personal information by accessing the “my profile,” or a similar feature of the website or application you are using. Likewise, you can delete files or photos you have stored in our online services by logging in and using the functions they make available.
9.4 Your right to the restriction of processing
You may also request the restriction of the processing of your personal data. For instance, you may request that we suspend the processing of your personal where our use of the data is unlawful but you do not want us to delete it.
Your right to request the restriction of the processing of your personal data
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
GRAPHISOFT shall restrict the processing of your personal data for a period to verify the accuracy of such data if you request to obtain the restriction of the processing of your personal data, and you contest the accuracy of such data.
GRAPHISOFT shall restrict the processing of your personal data if you request to obtain the restriction of the processing of such data, the processing of which is unlawful, and you opposes the erasure of such data.
GRAPHISOFT shall restrict the processing of your personal data if
(a) you request to obtain the restriction of the processing of such data, and
(b) GRAPHISOFT does not need such data for the purposes of its processing, and
(c) you require your data for establishment, exercise or defence against a legal claim.
GRAPHISOFT shall restrict the processing of your personal data if
(a) you object to the processing of your personal data that are necessary for the purposes of the legitimate interests that GRAPHISOFT pursues, and
(b) you wait to verify that the legitimate ground of Graphisoft’s processing of your personal does not override your objection.
GRAPHISOFT shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate the restriction of processing of your personal data to recipients of such personal data (if any). However, Graphisoft shall not communicate such restriction to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
If GRAPHISOFT restricts its processing of an your personal data, then it may
(a) store such personal data,
(b) process such personal data on the basis of your consent,
(c) process the personal data for establishing, exercise or defend a legal claim, or for protecting the rights of another person.
In case you have obtained restriction of processing as per the above than you shall be informed by Graphisoft before the restriction of processing is lifted.
9.5 Your right to data portability
Where the processing of your data is either based on your consent (e.g. in respect of electronic direct marketing), or is necessary for the performance of a contract (e.g. customer registration data and data relating to your orders), and the processing is carried out by automated means, than you may request the provision of your personal data that you have provided to us in a standard format, and you may also request that such data be transferred to another entity.
Without prejudice to your rights above, you have the right to receive the personal data concerning you, which you provided to GRAPHISOFT, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance (where technically feasible) from GRAPHISOFT, where the processing is based on your consent, or is necessary for the performance of a contract, and the processing is carried out by automated means.
Your right to data portability
(a) does not include data that is anonymous;
(b) includes the personal data that concern you;
(c) does not include personal data that does not concern you; and
(d) includes pseudonymous data that can be clearly linked to you.
9.6 Your right to object
Importantly, when we process your data on the basis of our legitimate interests as indicated in the above table, you may object to such processing and request that any of those activities be stopped. Similarly, you may opt-out of any of our direct marketing activities at any time by contacting Graphisoft’s Data Protection Officer at privacy@graphisoft.com and at any of the relevant addresses based on your location (mail@graphisoft.com.sg or mail@graphisoft.com.hk or mail@graphisoft.cn, or by adjusting your preferences in the privacy dashboard provided as part of some of our services (e.g.”my profile“), or by using the ‘unsubscribe’ function at the end of our messages.
9.7 Your rights in relation to automated decision making and profiling
You have the right to request not to be the subject of automated decision-making including profiling where the decision produces legal effects or equally has a significant effect on you and can insist on human intervention where appropriate.
There are exceptions to this right, which are, if the decision:
- Is necessary for concluding or performing a contract
- Is authorised by law
- Is based on the data subject’s explicit consent
9.8 Your right to withdraw consent
Also, you have the right to withdraw your consent at any time where we rely on your consent for processing your data (e.g. for certain electronic direct marketing purposes). You may do this at any time by contacting Graphisoft’s Data Protection Officer at privacy@graphisoft.com and at any of the relevant addresses based on your location (mail@graphisoft.com.sg or mail@graphisoft.com.hk or mail@graphisoft.cn), or by adjusting your preferences in the privacy dashboard provided as part of some of our services (e.g.”my profile“), or by using the ‘unsubscribe’ function at the end of our messages. Remember that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal and that in some cases we may need time to process request.
GRAPHISOFT shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to communicate your objection/withdrawal of consent to recipients of such personal data (if any). However, Graphisoft shall not communicate such restriction to recipients if the communication to such recipients is either impossible or involves a disproportionate effort.
9.9 Your right to lodge a complaint
Without prejudice to any other administrative or judicial remedy that you may have (such as the right to claim compensation for damages suffered as a result of Graphisoft’s breach of the GDPR), you have the right to lodge a complaint with your local data protection supervisory authority, or another data protection supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
In any case, we would highly appreciate the chance to deal with your concerns before you approach the regulatory authority above, so please contact us in the first instance if you have any problems.
9.10 Restrictions on the above rights
Please be advised that based on GDPR Member States are allowed to restrict by way of a legislative measure the scope of the rights you may have as per the above. In case such restriction is applicable in your respect, we will advise you accordingly when you contact us on exercising any of your above rights.
9.11 Contact details
If you wish to exercise any of your rights mentioned above, please contact us at the addresses set out in clause 1.2 above.
9.12 No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a fee of EUR 30 or in equivalent local currency – if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
9.13 Verification of your identify
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
10. CHANGES TO THIS PRIVACY POLICY
This Privacy Policy is effective as of the date indicated on the top. Earlier versions may be obtained by contacting us at privacy@graphisoft.com. We will inform you in case of any changes to this Privacy Policy in due course.