Last updated: May 10, 2025
At AutomationNow.io, we are committed to protecting and respecting your privacy and complying with the EU General Data Protection Regulation (GDPR). This GDPR Compliance Statement explains how we ensure compliance with GDPR principles in our business operations.
AutomationNow.io acts as a data controller for personal data collected through our website and services. As a data controller, we are responsible for determining the purposes and means of processing personal data.
Data Controller:
AutomationNow.io
André Deiß
Leutenbergstraße 19
78532 Tuttlingen, Germany
Contact Email: [email protected]
We adhere to the principles set out in the GDPR when processing personal data:
- Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly, and transparently.
- Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes only.
- Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary.
- Accuracy: Personal data shall be accurate and kept up to date.
- Storage limitation: Personal data shall be kept in a form which permits identification for no longer than necessary.
- Integrity and confidentiality: Personal data shall be processed securely to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
We process personal data on the following lawful bases:
3.1 Consent
Where you have given clear consent for us to process your personal data for a specific purpose. For example, when you opt in to receive marketing communications from us.
3.2 Contract
Where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract. This applies when you purchase our services or request a proposal.
3.3 Legal Obligation
Where processing is necessary for us to comply with the law. For example, maintaining records for tax purposes.
3.4 Legitimate Interests
Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not override those interests. We may rely on legitimate interests for activities such as:
- Improving and personalizing our services
- Ensuring network and information security
- Preventing fraud
- Direct marketing of relevant business services
We perform a balancing test for each legitimate interest processing activity to ensure your rights are protected.
Under the GDPR, you have the following rights:
4.1 Right to Access
You have the right to request copies of your personal data that we hold. We will provide this information in a structured, commonly used, and machine-readable format.
4.2 Right to Rectification
You have the right to request that we correct any inaccurate information or complete any incomplete information we hold about you.
4.3 Right to Erasure
You have the right to request the deletion of your personal data under certain conditions, including when the data is no longer necessary for the purposes for which it was collected.
4.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data under certain conditions, such as when you contest the accuracy of the data.
4.5 Right to Object to Processing
You have the right to object to the processing of your personal data under certain conditions, particularly for direct marketing purposes or when processing is based on our legitimate interests.
4.6 Right to Data Portability
You have the right to request the transfer of your personal data to another organization or directly to you.
4.7 Rights Related to Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
To exercise any of these rights, please contact us at [email protected] with the subject line "GDPR Rights Request". To help us process your request efficiently, please include:
- Your full name
- Your contact information
- The specific right you wish to exercise
- Any relevant details to help us understand and respond to your request
We will respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have made multiple requests, in which case we will notify you and keep you updated.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where appropriate
- Regular testing and evaluation of technical and organizational measures
- Staff training on data protection principles and procedures
- Access controls and authentication procedures
- Regular backup procedures
- Data protection impact assessments for high-risk processing activities
Our internal data protection policies are regularly reviewed and updated to maintain compliance with current legal requirements and best practices.
As a business based in Germany, we are subject to strict EU data protection laws. If we transfer your personal data outside the European Economic Area (EEA), we ensure at least one of the following safeguards is in place:
- The country has been deemed to provide an adequate level of protection for personal data by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) where applicable
- Specific derogations such as your explicit consent
We regularly review our data transfer mechanisms to ensure they remain valid and appropriate for the protection of your data.
We have procedures in place to detect, report, and investigate personal data breaches. In case of a breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.
Our data breach response plan includes:
- Identification and containment procedures
- Assessment of the risk to individuals
- Notification procedures
- Documentation and follow-up measures
We carry out Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals, particularly when using new technologies. A DPIA helps us identify and minimize data protection risks at an early stage.
Our DPIA process includes:
- Identifying the need for a DPIA
- Describing the information flow
- Identifying data protection and related risks
- Identifying and evaluating solutions
- Signing off and recording the DPIA outcomes
- Integrating the outcomes into our project plan
- Consulting with the relevant stakeholders as needed
As required by Article 30 of the GDPR, we maintain records of our processing activities that include:
- The name and contact details of our organization
- The purposes of the processing
- A description of the categories of data subjects and personal data
- The categories of recipients to whom the personal data has been or will be disclosed
- Information about international transfers of personal data
- The envisaged time limits for erasure of different categories of data
- A general description of technical and organizational security measures
As part of our business automation services, we may process personal data on behalf of our clients. In these instances:
- We act as a data processor, following the documented instructions of our clients, who are the data controllers
- We implement appropriate technical and organizational measures to ensure the security of the data
- We assist our clients in fulfilling their obligations to respond to data subject requests
- We do not use client data for purposes outside the scope of our services
- We have data processing agreements in place with our clients that outline our responsibilities
We ensure that any automation processes we implement for clients are designed with data protection principles in mind, following a "privacy by design and by default" approach.
Based on our current processing activities, we have determined that we are not required to appoint a Data Protection Officer under Article 37 of the GDPR. However, we have assigned responsibility for data protection compliance to designated team members who monitor our adherence to data protection principles.
If you have any questions regarding our data protection practices, please contact us at [email protected].
If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. The supervisory authority in Germany is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
53117 Bonn
Germany
https://www.bfdi.bund.de/
You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
We may update this GDPR Compliance Statement from time to time. We will notify you of any significant changes by posting the new statement on our website and updating the "Last updated" date.
If you have any questions about our GDPR compliance or how we handle your personal data, please contact us at:
- Email: [email protected]
- Address: AutomationNow.io, André Deiß, Leutenbergstraße 19, 78532 Tuttlingen, Germany