Last updated on: April 2025
This Policy sets out the data protection rules for all Mimacom-Flowable Group entities to ensure they process and protect Personal Data in accordance with applicable laws and regulations. This includes the right of individuals to be informed about, and to make decisions on, the collection, use, disclosure and any other operations (Processing) concerning Personal Data (as defined below). Mimacom-Flowable Group entities include:
Flowable Holding AG
Flowable Licences AG
Flowable AG
Flowable USA Inc.
Flowable Services Spain slu.
Flowable Polska sp. z o.o.
Flowable Deutschland GmbH
Mimacom Management AG
Mimacom AG
Mimacom Deutschland GmbH
Mimacom Ibérica slu.
Mimacom USA Inc.
and any other company that may join the Mimacom-Flowable Group in the future (each individually a Local Company, and collectively the Mimacom-Flowable Group).
This Policy, and any other documents referred to in it, set out the minimum standard that all employees and contractors of Mimacom-Flowable Group entities shall comply with when processing Personal Data for the Mimacom-Flowable Group (Minimum Privacy Standard). Many countries have enacted laws generally regulating the processing of Personal Data. If local laws deviate from the rules set out in this Policy, local laws take precedence over the rules set out in this Policy.

Based on the Minimum Privacy Standard, additional country-, application- or process-specific policies concerning the processing of Personal Data may be implemented (Specific Privacy Policies). They apply in addition to, and further detail, the Minimum Privacy Standard.

Each Local Company, in its capacity as Controller or Processor, is responsible for ensuring compliance with the applicable laws and this Policy. The Controller is the Local Company, an external contractor or any other body which determines the purposes and means of the processing of Personal Data. The Processor is the Local Company, an external contractor or any other body which processes Personal Data on behalf of and under the instructions of the Controller.

This Policy does not form part of any employee's contract of employment and may be amended at any time (see Section K.). For any questions about this Policy or data protection, please contact the Point of Contact for Questions relating to Data Protection. The contact details are specified in ANNEX I of this Policy.
Only the processing of Personal Data is subject to this Policy. Personal Data means any information relating to an identified or identifiable individual (Data Subject or Individual), for example name, gender, date of birth, financial information or an e-mail address, whether business-related, private, public or confidential. It also includes data where the individual at issue is identifiable only indirectly, by use of secondary sources (e.g., the Internet or other databases) or through an identifier such as an identification number, location data or an online identifier.
Public document at Mimacom-Flowable Group
Personal Data in particular includes information on employees (e.g., personal details such as name, gender and social insurance information, the employee's job position, education, working time and salary information) and customers (e.g., name, contact details, e-mail address, products and services supplied, credit card details, and communication and information exchanged with customers such as complaints).
Anonymized data, i.e., data that does not permit the re-identification of any individual (e.g., properly aggregated statistical data), is not Personal Data and is not subject to this Policy. Data counts as anonymized only if the individual can no longer be identified, directly or indirectly, including by combination with other sources (see the definition of Personal Data above); pseudonymized data, which can still be re-identified with separately held information, remains Personal Data.
Certain categories of Personal Data are subject to stricter rules: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health or sex life and sexual orientation, genetic data, and biometric data where processed to uniquely identify a person (Sensitive Personal Data); Personal Data on criminal convictions and offences (Criminal Data); and Personal Data on Data Subjects younger than 16 years (Children Data).
Whenever we process certain categories of Personal Data, we apply stricter rules (see Section D. 2).
Processing means any activity which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Employees working full time or part time for or on behalf of Mimacom-Flowable Group entities, as well as third parties who are requested or permitted to use and manage Mimacom-Flowable Group Personal Data (Staff), shall comply with the following Data Protection Principles when processing Personal Data. References to "we" and "you" mean the Mimacom-Flowable Group and Staff:
1. Lawfulness: We collect Personal Data only if we have a legal basis.
2. Certain categories of Personal Data: We adhere to additional restrictions when processing certain categories of Personal Data.
3. Fairness and Transparency: We process Personal Data transparently and provide fair notice when we collect it.
4. Purpose limitation: We collect Personal Data for specified, explicit and legitimate purposes.
5. Data minimization: We process Personal Data proportionately and only as much as necessary.
6. Accuracy: We ensure the accuracy of the Personal Data we process.
7. Storage limitation: We keep Personal Data for no longer than is necessary for the intended purposes.
8. Integrity and Confidentiality: We process Personal Data in a manner that ensures appropriate security and confidentiality.
9. Data Transfers outside the EU: We do not transfer Personal Data within Mimacom-Flowable Group entities or to third parties in countries outside the European Union without having safeguards in place or another sufficient justification.
We will only process Personal Data lawfully. This is the case if at least one of the following conditions applies:
the individual has given consent to the purposes of processing,
the processing is necessary for the performance of a contract with the individual,
for compliance with a legal obligation,
or for the purpose of the legitimate interests pursued by the relevant Local Company or by a third party.
For the processing of Sensitive Personal Data, Children Data or Criminal Data, we apply the following stricter rules:
Processing of Sensitive Personal Data shall in principle be permissible only if the Data Subject has given explicit consent, the processing is necessary to comply with a legal obligation specifically in the field of employment, social security or social protection law, or the processing is expressly permitted by a Specific Privacy Policy or by the Point of Contact for Questions relating to Data Protection.
The processing of Sensitive Personal Data is subject to additional safeguards.
We will only process Children Data with the consent or authorization by a holder of parental responsibility or where otherwise permitted or required by applicable law. When addressing children, we will make sure that the language used is adequate in view of their age.
We will only Process Criminal Data where permitted or required by applicable law.
If you are not sure whether you are permitted to process these categories of Personal Data and in which form, please seek advice from the Point of Contact for Questions relating to Data Protection.
We will process Personal Data in a manner transparent to the Individual, including its purpose. We will provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information to be provided is specified in ANNEX II.
However, in the following situations, the information as per ANNEX II does not need to be provided:
the Individual has already been informed beforehand,
the collection and disclosure of the Personal Data is expressly regulated by applicable law,
providing the information would be impossible or would involve a disproportionate effort, or
Specific Privacy Policies or applicable data protection law provide for another exemption.
The information shall be provided in writing, by electronic means or other appropriate means. When requested by the Individual, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.
We will provide such notice through Specific Privacy Policies, information on data collection forms, privacy declarations on our websites or other individual notices as appropriate. Where possible, we will document our fair notice (see Section G.).
If we collect Personal Data through third parties, we take reasonable steps to ensure that such third parties have complied with these or comparable notice requirements. In any event, we ensure that such information is provided to the Individual at the latest within one month after obtaining the Personal Data, unless providing it proves impossible or would involve a disproportionate effort.
If you have questions or need support with the creation of the information notice and its form, please get in touch with the Point of Contact for Questions relating to Data Protection.
We will collect Personal Data for specified, explicit and legitimate purposes and not further process Personal Data in a manner that is incompatible with those purposes.
If we intend to further process the Personal Data for a purpose other than that for which the Personal Data were collected, we provide the Individual prior to that further processing with information on that other purpose and with any relevant further information as referred to in Section D. 3.
If you intend to further process Personal Data for a purpose other than the one for which it was initially collected, and you are not sure whether the other purpose is compatible with the initial purpose, please seek advice from the Point of Contact for Questions relating to Data Protection.
We will process Personal Data proportionately and limit any processing to what is necessary. In particular, we will only collect, retain and otherwise process Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which we are processing or may process such Personal Data.
Whenever we process Personal Data, we take reasonable steps to ensure that such Personal Data is accurate and, where necessary, up to date in view of its relevance and the purposes for which we are processing it. This also includes taking every reasonable step to ensure that inaccurate Personal Data is erased or rectified without delay. Moreover, if several copies of the same set of Personal Data exist (e.g., on different systems or with different companies), we will ensure that all such copies remain synchronized, where appropriate.
We will keep the Personal Data for no longer than is necessary for the purposes for which they were collected unless we have a legal obligation (for example a record retention obligation for tax, accounting, code of obligations or other reasons based on specific laws) or a legitimate business interest (defend pending or potential legal claims or disputes etc.), to retain such Personal Data (including records). Further guidance on retention periods and deletion are set out in the Retention and Deletion Policy. Once Personal Data is no longer required or after the retention period, we will take all reasonable steps to securely destroy, anonymize, or erase Personal Data on file and from our systems.
We will process Personal Data in a manner that ensures appropriate security of personal data, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage, using adequate technical and organizational measures, including the following:
Pseudonymization and encryption of Personal Data: We will pseudonymize, encrypt or otherwise replace identifying information with a code so as to prevent the identification of the Individual to the extent reasonably possible and adequate; the additional information needed to re-identify the Individual (e.g., the key or the lookup table) is kept separately and protected (see the definition of Pseudonymization in ANNEX IV);
Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (this includes inter alia that only people on a need to know basis can access the Personal Data);
Restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
Privacy by Design and by Default: We will take privacy and data protection into account whenever we design and develop our systems, products, services and processes, and will by default use only the Personal Data needed for each specific purpose, with limited storage periods and limited accessibility, so that the Minimum Privacy Standard and applicable laws are complied with at all times;
A process in place for regularly testing, assessing and evaluating the effectiveness of such measures for ensuring the security of processing.
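As an added illustration of the pseudonymization measure listed above, and of the requirement in the ANNEX IV definition that the re-identification information be kept separately, the following Python example is not part of this Policy or of any Mimacom-Flowable system; the record layout, field names and e-mail addresses in it are constructed for the example. It replaces the identifier with a keyed HMAC token whose key and token index live in a separate store, and contrasts that with an unkeyed hash, which anyone holding a list of candidate e-mail addresses can reverse by hashing each guess.

```python
"""Pseudonymization with a separately held secret (added example, not Policy text)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input for the example: a made-up customer extract.
SAMPLE_CUSTOMERS = [
    {"email": "Anna.Muster@example.com", "country": "CH", "product": "Flowable Work", "complaints": 2},
    {"email": "bob@example.org", "country": "DE", "product": "Flowable Engage", "complaints": 0},
    {"email": " anna.muster@example.com ", "country": "CH", "product": "Flowable Design", "complaints": 1},
]


@dataclass(frozen=True)
class PseudonymizedRecord:
    """What downstream systems see: a stable token instead of the identifier."""
    subject_token: str
    country: str
    product: str
    complaints: int


class ReidentificationStore:
    """The 'additional information' of the ANNEX IV definition: the HMAC key and
    the token -> identifier index. It is the only link from tokens back to people,
    so it belongs in a separate system with its own access control."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._index: Dict[str, str] = {}

    @staticmethod
    def _normalize(email: str) -> str:
        # Same person, same token: case and surrounding whitespace must not split records.
        return email.strip().lower()

    def token_for(self, email: str) -> str:
        if self._key is None:
            raise RuntimeError("re-identification key destroyed; store can no longer issue tokens")
        ident = self._normalize(email)
        token = hmac.new(self._key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        self._index[token] = ident
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Controlled re-identification, e.g. to answer a Data Subject request."""
        return self._index.get(token)

    def destroy(self) -> None:
        """Erasing key and index turns the pseudonymized data set into anonymized data."""
        self._key = None
        self._index.clear()


def pseudonymize(records: Iterable[dict], store: ReidentificationStore) -> List[PseudonymizedRecord]:
    """Replace the e-mail address by its token; everything else is passed through."""
    return [
        PseudonymizedRecord(store.token_for(r["email"]), r["country"], r["product"], r["complaints"])
        for r in records
    ]


def unkeyed_hash(email: str) -> str:
    """The common mistake: a plain hash of the identifier with no secret."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """An attacker holding a list of candidate e-mail addresses (and, if key is
    given, a leaked HMAC key) tries each candidate against the token."""
    for cand in candidates:
        norm = cand.strip().lower()
        if key is None:
            digest = unkeyed_hash(norm)
        else:
            digest = hmac.new(key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, token):
            return norm
    return None


if __name__ == "__main__":
    store = ReidentificationStore()
    records = pseudonymize(SAMPLE_CUSTOMERS, store)
    guesses = ["alice@example.net", "bob@example.org"]
    print("tokens:", [r.subject_token[:12] for r in records])
    print("unkeyed hash guessed as:", dictionary_attack(unkeyed_hash("bob@example.org"), guesses))
    print("HMAC token guessed as:", dictionary_attack(records[1].subject_token, guesses))
    print("resolved via store:", store.resolve(records[1].subject_token))
```

The design point is that the pseudonymized records on their own carry no identity: the same person always maps to the same token, so analysis and deduplication still work, but re-identification requires the store, and erasing the store is what turns the data set into anonymized data in the sense of Section B. The unkeyed variant only looks anonymized, because the identifier space (e-mail addresses) is small enough to enumerate.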
Before transferring Personal Data to other Local Companies or to third parties (e.g., outsourcing service providers) in other countries (including by making Personal Data available through remote access), we will ensure that the recipient is subject to the Flowable Intra Group Data Transfer Agreement (in the case of transfers among Local Companies) or, if this is not the case, that either other appropriate safeguards (such as the EU Standard Contractual Clauses) have been put in place or one of the exemptions is met (e.g., the explicit consent of the Individual, the need to transfer the Personal Data for the performance of a contract, or the defense of legal claims). If we delegate or outsource the processing of Personal Data to a third party, we will furthermore ensure, contractually or otherwise, that the recipient processes such Personal Data only for our purposes and under our instructions (see Section E.) and that such third party provides for and maintains adequate technical and organizational measures to protect the Personal Data against unauthorized processing and accidental loss.
If you intend to transfer or grant access to Personal Data to any persons in countries outside of Switzerland or the EU, please seek advice from the Point of Contact for Questions relating to Data Protection to ensure a lawful transfer and appropriate safeguards are in place.
We will use only Processors providing sufficient guarantees to implement appropriate technical and organizational measures to ensure processing in line with this Policy and applicable laws. We will enter into a contract with each Processor stipulating, inter alia, the obligations and the technical and organizational measures to be implemented and maintained by the Processor.
If you intend to transfer Personal Data to, or grant access to Personal Data to, a Processor that processes Personal Data on our behalf and under our instructions, please seek advice from the Point of Contact for Questions relating to Data Protection to ensure the protection and security of the Personal Data.
We will process all Personal Data in line with the Data Subject's rights, in particular the following:
Individuals have in general the right to be informed about the Personal Data that is processed about them. The information that has to be provided is set out in Section D. 3 and further specified in ANNEX II.
Individuals have in general the right to request a copy of the Personal Data we are maintaining about them in our files ("Right of Access"). The information that has to be provided includes the information specified in ANNEX III.
Individuals may contact us to request rectification of their Personal Data and to raise legitimate objections to any processing of their Personal Data, including requests for deletion and restriction of processing. Insofar as Personal Data that has been disclosed to a third party becomes subject to a request for rectification, erasure or restriction, we will inform such third party of the request, unless this proves impossible or involves a disproportionate effort. Moreover, we will inform the Data Subject about those recipients if the Data Subject requests it.
Furthermore, if Personal Data has been provided to us directly by the Data Subject, we process such Personal Data on the basis of the Data Subject's consent or to fulfil a contract, and we process it by automated means, we will provide the Data Subject upon request with such Personal Data in a structured, commonly used and machine-readable form or, if so desired and arranged by the Data Subject, transmit it directly to a specific third party as the new controller of such Personal Data.
If we process Personal Data for direct marketing purposes (including profiling related to such marketing), we will in every case of such direct marketing provide recipients, based on their right to object, with a method for unsubscribing or opting out from receiving further marketing materials of that type (for example newsletters).
We will not subject individuals to decisions based solely on automated processing (including profiling) if such decisions can have a legal or similarly negative effect on the individual, unless such decisions are necessary for entering into or performing a contract, are authorized by applicable law, or are based on the Data Subject's explicit consent. If we do rely on automated decisions, we will put in place safeguards to protect the legitimate interests of the Data Subject, including in any event giving the Individual the possibility to express his or her point of view and to contest the decision before a human.
We will ensure that our systems and processes are able to comply and deal with the foregoing. Prior to complying with a Data Subject's request in particular for access, rectification, restriction, erasure and data portability, we will verify the identity of the individual and assess whether we may refuse, limit or delay such request in particular if such request is abusive, excessive or if it adversely affects the overriding legitimate privacy or secrecy interests of others.
Any response to such requests must occur without undue delay and in any event within one month of receipt of the request. We will document any such request. If it appears that the request also needs to be handled by other companies of the Mimacom-Flowable Group, the Local Company shall forward it accordingly.
Each Local Company shall make available to Data Subjects a point of contact and process for such requests. For any questions or support needed with the handling of such requests, please seek advice from the Point of Contact for Questions relating to Data Protection.
Absent any other instructions, the Point of Contact for Questions relating to Data Protection shall be responsible for handling such requests, and Staff shall forward all such requests to him or her.
Each Local Company is required to document its processing of Personal Data and its compliance with applicable data protection law ("Principle of Accountability").
This includes maintaining a description and compliance assessment of all Processing Activities, which shall mean any regular processing performed on Personal Data as part of an IT application, business process, outsourcing, third party cooperation or structured data file.
Each Local Company shall maintain a record of all Processing Activities controlled, performed or relied upon by its Local Company and report such records to a centralized repository operated under the control of Flowable Holding AG by the Point of Contact for Questions relating to Data Protection. Each Local Company shall in particular maintain a record of:
a) any and all policies, guidelines and similar documentation addressing data protection, privacy and data security within the Local Company;
b) any and all registrations, notifications, approvals and other interactions with supervisory authorities concerning the Processing of Personal Data by the Local Company;
c) any and all agreements and contracts with third parties regarding data protection, privacy and data security, including with regard to any internal and external outsourcing and third party co-operations involving the processing of Personal Data;
d) any and all Processing Activities controlled, performed or relied upon by a Local Company (Local Data Protection Inventory), including an assessment of their compliance with the Minimum Privacy Standard and applicable data protection laws, a privacy impact assessment, where necessary, and the decision of the Business Owner to proceed with a new or changed Processing Activity (see Section H);
e) any data breaches detected or suspected (see Section I); and
f) any third party claims and legal matters concerning the processing of Personal Data by the Local Company (but excluding non-contentious Data Subject requests). For Processing Activities extending beyond the Local Company, the Point of Contact for Questions relating to Data Protection of Flowable Holding AG shall be responsible for compiling and maintaining the foregoing documentation and make it available also to the Local Companies involved in the Processing Activities.
For each such new or changed Processing Activity, the Business Owner of the Local Company shall:
describe the Processing Activity for the purposes of the Local Data Protection Inventory,
assess its compliance with the Minimum Privacy Standard and applicable data protection laws,
perform a data protection impact assessment if it is likely to result in a high risk for Individuals, and
implement appropriate measures for any gaps identified before the Processing Activity starts.
In doing so, the Business Owner responsible for the Processing Activity shall follow the guidelines and use the templates provided by the Point of Contact for Questions relating to Data Protection.
Staff shall report any new or changed Processing Activity to the Point of Contact for Questions relating to Data Protection to ensure the processing and documentation in line with this Policy and applicable data protection laws.
All Staff are obliged to immediately report any potential or observed breach of data security or of other provisions of the Minimum Privacy Standard that may lead or has led to unauthorized access to, or disclosure, loss, destruction or modification of, Personal Data. The report shall be made to the Point of Contact for Questions relating to Data Protection.
The Point of Contact for Questions relating to Data Protection shall, with the necessary support of any function reasonably requested, assess the breach, arrange for the necessary notifications of supervisory authorities and Data Subjects and any further steps required by applicable data protection laws, and mitigate possible negative consequences for the Individuals and for the Mimacom-Flowable Group entities themselves.
The breach of the Group Data Protection Policy may result in appropriate disciplinary sanctions, including termination of employment or contract, and, as the case may be, criminal prosecution, civil liability and administrative sanctions.
This Policy shall become effective as of July 12, 2018. This Policy will be reviewed on a regular basis and may be changed at any time with immediate effect, in particular due to developments in data protection legislation and new technologies. Staff will be informed about any changes by e-mail or other appropriate means.
Annex I
The Contact details for Questions relating to this policy and data protection are the following:
For employees employed in Switzerland, Germany, Spain and Poland:
Aline Beuret
Mimacom Management AG
Baslerstrasse 60
8048 Zürich, Switzerland
T +41 31 329 09 00
E-Mail: aline.beuret@mimacom.com
E-Mail: privacy@flowable.com
E-Mail: privacy@mimacom.com
Annex II
When collecting Personal Data, we will provide the Individual with fair notice at the time of collection, providing the relevant information on:
a) who we are including contact details of the Local Company or Companies responsible for the collection and processing of the Personal Data at issue and a contact for any privacy related questions;
b) the categories of Personal Data collected;
c) the source from which the Personal Data originates (if not directly obtained from the Data Subject), and if applicable, whether it came from publicly accessible sources;
d) the purpose(s) for which we process Personal Data as well as the legal basis for the processing, including any legitimate interest relied upon (see Sections D. 1 and D. 4);
e) the categories of third parties to whom we may disclose such Personal Data; and
f) whether we intend to disclose Personal Data to recipients outside the country where such Personal Data is collected, and how an adequate level of data protection is ensured.
We will also provide the Data Subjects information on, unless evident from the circumstances or not applicable:
a) the period for which the Personal Data will be stored, or the criteria used to determine that period;
b) their individual data protection rights (see Section F.);
c) their right to withdraw any consent at any time, and, as appropriate, the consequences of such withdrawal for the future (see Section D. 1);
d) their right to lodge a complaint with the competent data protection supervisory authority if such right under applicable local laws exist;
e) whether the collection of Personal Data is due to a statutory or contractual requirement, or a requirement necessary to enter into a contract, or whether it is optional, and of the consequences of not providing their Personal Data; and
f) the existence of any automated decision taking, the logic involved, and the envisaged consequences such Processing may have (see Section F. 6).
Annex III
The information that we must provide to Individuals in response to an access request includes the following:
a) the purposes of the Processing;
b) the categories of Personal Data concerned;
c) the recipients or categories of recipients to whom we may disclose such Personal Data (if any) and details about the disclosure of Personal Data to recipients located in other countries or international organizations;
d) the envisaged retention period, or if this is not possible, the criteria used to determine that period;
e) the additional individual rights of the Data Subject;
f) the right to lodge a complaint with a supervisory authority;
g) the source of the data if it has not been collected directly from the Data Subject;
h) the existence of any automated decision taking, the logic involved, and the envisaged consequences such Processing may have; and
i) the appropriate safeguards relating to the transfer where Personal Data are transferred to a third country or to an international organization.
Annex IV
Following words and terms used in the Policy, unless the context otherwise requires, shall have the following meanings:
Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Controller: A Controller is the local company, an external contractor or any other body which determines the purposes and means of the processing of Personal Data.
Data Protection Officer: A Data Protection Officer has formal responsibility for data protection compliance within an organization. Furthermore, a Data Protection Officer must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. Data Protection Officers must also have a reasonable understanding of the organization’s technical and organizational structure and be familiar with information technologies and data security.
Data Subject: A Data Subject is an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processor: A Processor is the local company, an external contractor or any other body which processes Personal Data on behalf and under instruction of the Controller.
Processing: Processing Personal Data means any activity which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization: Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Third Party: Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.