Privacy Policy | BaseCase Interactive

Certara Germany GmbH (formerly known as "BaseCase Management GmbH", hereinafter referred to as "BaseCase") processes data from users of the BaseCase platform and in the course of rendering its services. This Privacy Policy refers solely to the use of BaseCase's product and the BaseCase Interactive online platform (hereinafter referred to as "platform"). In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), we are providing you with the following information regarding which personal data we collect when you use the BaseCase platform, the purposes for which we use this data, and how we utilize it to optimize our services for you.

This Privacy Policy consists of the following sections:

A. General Information
B. Visiting our Website
C. Duration of storage
D. Data subject rights
E. Final provisions

A. General Information

1. Responsible entity and data protection officer

(a) Responsible Controller pursuant to Art. 4 (7) GDPR is

Certara Germany GmbH
Charlottenstr. 16, 10117 Berlin, Germany
Phone +49 30 2014 364 0
Fax +49 30 577 05 67 19
Email: info@basecase.com

(b) For all questions about matters of data protection in connection with the use of our platform you can also contact our Data Protection Officer at any time. He can be reached at the above postal address and at the e-mail address s.baum@bhk-datenschutz.de.

2. Type of data processed, the purpose and legal basis

We need your personal data in order to deal with your request or give you access to specific information or services. This data includes such information as:

3. Analytics Data, BaseCase Data Capture

a) Analytics are based upon the tracking of individual users of the platform. When registering, your Company ("Company") can choose whether personal data of Company’s Employees and authorized users of the platform ("Users") shall be tracked and analyzed.

Unless specifically stated, the platform administrator of the Company ("Company Administrator") can choose between the following standard settings:

For BaseCase Portal, the Company Administrator can choose between the following standard settings:

b) Note: BaseCase carries out the processing of analytics data in accordance with company settings on behalf of the Company as a processor in the sense of Article 4 (8) GDPR. As a prerequisite, BaseCase and Company shall enter into a commissioned data processing agreement pursuant to Art. 28 GDPR. Consequently, the Company is responsible for ensuring that the processing of the personal data of its Users is carried out in accordance with applicable law and applicable company and/or works council agreements, where applicable. BaseCase is not obliged to verify whether the processing of personal analysis data of Users is lawful.

c) Analytics data can be reviewed by BaseCase (for debugging, performance and compliance reasons) and by duly appointed 'administrators' or 'analysts' within the user's organization. The legal basis is Art. 6 (1) lit. f) GDPR. If the Company would like their account and all tracking data of individual Users to be removed, they can simply send a request by email to support@basecase.com.

d) Cookies are subject to the provision of Section B.

4. Data subject category

Our website is aimed at visitors and users of the site and online services, including e-commerce functionality for our customers where appropriate. Thus, we process data from the following groups of persons:

5. Company Data

a) BaseCase is a SaaS (Software-as-a-Service) provider. When using the services offered by BaseCase (software and server capacity) additional company and business data is transferred to BaseCase (e.g. pictures or description of products) that is not protected under data protection laws.

b) Client contracts regulate the usage of company data by BaseCase.

6. General information (disclosure of data to third parties)

(1) Your personal data will not be sold, disclosed or otherwise disseminated to any third party without your express consent, except in cases specified in this Privacy Policy.

(2) Within the responsible entity, those persons who need your data in order to fulfill our contractual and statutory duties, or safeguard legitimate interests, are granted access to it. Furthermore, companies affiliated with Certara, service providers, public authorities or third parties may receive data for such purposes.

(3) Data, which we have collected, are passed on only if:

a) You have given an express declaration of consent for this, pursuant to Art. 6 (1) lit. a) GDPR,

b) Further transmission is necessary, pursuant to Art. 6 (1) lit. f) GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,

c) We have a legal duty to pass on your data pursuant to Art. 6 (1) lit. c) GDPR, or

d) This is legally permissible and requisite, pursuant to Art. 6 (1) lit. b) GDPR, for the handling of contracts with yourself or for the execution of pre-contractual actions which are being carried out at your request.

(4) Should we pass data on to our service providers assisting in the provision of services, these data may only be used for performance of their tasks. We select and commission these service providers carefully. They are bound contractually to follow our instructions and to have suitable technical and organizational measures for the protection of the rights of data subjects. If the service provider provides the agreed service outside the EU/EEA, we ensure the data protection lawfulness by appropriate measures and guarantees according to Art. 44 ff. GDPR.

(5) BaseCase's servers are currently in the USA and are operated by IBM ("IBM"). All of the data more particularly described under A. – personal data and company-related data – is processed and stored solely, or at least inter alia, on IBM's servers. IBM’s server centers hold the SOC 2 certification.

(6) Certara participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively “the Privacy Shield Frameworks” or the “Frameworks”). Certara is committed to processing all personal information it receives in the United States from EU member countries and Switzerland in reliance on the Privacy Shield Frameworks, in accordance with the Frameworks’ applicable principles. To learn more about the Privacy Shield Frameworks, and to view Certara’s certifications, visit the U.S. Department of Commerce’s Privacy Shield List (www.privacyshield.gov/list). Certara is responsible for the processing of personal information it receives under the Privacy Shield Frameworks, and for any such personal information that it subsequently transfers to third parties, including third parties located outside the United States. With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, Certara is subject to the regulatory enforcement powers of the U.S. Department of Commerce and the Federal Trade Commission. In certain situations, Certara may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

(7) BaseCase shall pass on analytics data (see above, A. 3) to the client company for their continual optimization of their apps.

B. Visiting our website

We wish to provide you with the following information regarding which personal data we process when you visit our website, the purpose behind the processing, and the legal basis for it.

7. Purpose of processing

We use your personal data for the following purposes:

8. Provision of the website and log files

(1) If you use the website purely for informational purposes, i.e. if you do not register or send information to us in any other way, we will collect only the personal data transmitted automatically by your browser to our server. If you wish to visit our website, we will collect the following data, which we need for technical reasons in order to display our website to you and ensure stability and security (legal basis in the EU is Article 6 (1) f) GDPR):

9. Cookies

In addition to the log file data mentioned above, cookies are stored on your computer when you use our website.

(1) What are Cookies?

Cookies are small text files that are allocated to the browser you use and stored on your hard drive, and through which certain information passes to the entity that set the cookie (in this case, us). Cookies are not able to execute any programs, or transfer viruses to your computer. They are used to make the website more user-friendly and more effective overall.

(2) Use of cookies

a) This website uses the following types of cookies, the scope and functionality of which are explained in the following:

(3) Why do we set cookies? What is the legal basis?

a) Necessary cookies
Necessary cookies are important to have activated at all times in order for the website to function properly. An example would be to identify the currently logged-in user. Necessary cookies include both Session cookies and Persistent cookies. The legal basis is Article 6 (1) b) GDPR.

b) Preferences and functionality
Cookies are also used for the purposes of storing certain user preferences and improving the functionality of the website. An example would be to store the last visited page to enable quicker access to relevant content on a future visit. Both Session cookies and Persistent cookies may be used for these purposes. The legal basis for this is Article 6 (1) b) GDPR.

(4) Control of cookies

You can adjust your browser settings to meet your preferences and, for example, manage or refuse the acceptance of third-party cookies or all cookies, as you prefer. You can delete existing cookies using your browser settings. Please note that if you do this, you may not be able to use all the functions on this website.

10. Registration to BaseCase Platform

(1) To access the BaseCase Platform you must register first. During registration, you will be given the required mandatory data. You can be informed by e-mail about information relevant to the registration, such as changes in the scope of the service offer or technical circumstances. If you have cancelled your user account, your data relating to the user account will be deleted, subject to company’s contract, data retention policies, or unless retention is necessary for commercial or tax law reasons in accordance with Art. 6 (1) c) GDPR.

(2) Within the framework of the use of the platform and a User account, we store the IP address at the time of User actions. The storage is based on our legitimate interests as well as those of the user to protect against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties, except Company Administrator(s), unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 (1) c) GDPR.

11. Support

(1) You can reach our Support team by emailing support@basecase.com.

(2) The legal basis for processing the data is the presence of the user's consent; Article 6 (1) a) GDPR. The legal basis for processing the data that is transferred in the course of sending an e-mail is Article 6 (1) f) GDPR. If the contact is geared towards concluding a contract, the additional legal basis for processing is Article 6 (1) b) GDPR.

12. Product and company updates from BaseCase

(1) You have the option to register for our advertising e-mail communications so that we can send you news on a regular basis, for example, regarding our products.

(2) Our advertising e-mail communication is sent to you only on the basis of your active consent (opt-in). In addition, we store the IP addresses you use for registration and confirmation respectively as well as the registration and confirmation times. The purpose of this is to provide proof of your registration and, if necessary, to highlight any possible misuse of your personal data. Once you have provided confirmation, we store your e-mail address for the purpose of sending advertising e-mail communications.

(3) The legal basis for the aforementioned processing procedures in connection with advertising e-mail communications is your consent (Article 6 (1) a) GDPR).

(4) If you no longer wish to receive advertising e-mail communications from us, you can unsubscribe at any time.

C. Duration of Storage

13. Duration of Storage

We store personal data only for as long as is necessary to fulfil legitimate interest, contractual and/or statutory duties for which the data were collected. We then erase the data immediately, unless we still need these data until expiry of the statutory period of limitation for purposes of evidence in civil claims or due to statutory duties of storage. If you would like a copy of our Records Retention Schedule, please contact us at the address above.

For purposes of evidence, we must still store contact data for at least three years from the end of the year in which business relations with you end. Any claims will expire, under the normal statutory period of limitation, no earlier than at this time.

Thereafter we must also store some of your data for purposes of book-keeping. We have an obligation to do so under statutory duties of documentation, which may arise under the German Commercial Code, the German Tax Code, the German Credit and Loans Act, and the German Money Laundering Act. The periods stipulated there for storage of documents are two to ten years.

Notwithstanding the above: Session cookies are deleted when you close the browser. All persistent cookies have an expiration date written into their code, but their duration can vary. Analytics data is anonymized after a User is deleted from the platform. Logs are retained for one year.

D. Data subject rights

14. Data Subject Rights

If the processing of your personal data falls within the scope of the GDPR, you have the following rights, otherwise the statutory provisions applicable to the processing apply. If your personal data is processed, you are a data subject, as defined by GDPR. Accordingly, you have the following rights vis-à-vis us as the responsible entity. If you wish to exercise your rights or obtain further information, please contact our data protection officer or us:

a) Rights pursuant to Article 15 et seq. GDPR

(1) The data subject has the right to request confirmation from the responsible entity as to whether personal data concerning the subject is processed and, if so, the subject has a right to information about this personal data and to the details specified in Article 15 GDPR.

Under certain statutory conditions, you have the right to rectification under Article 16 GDPR, the right to restriction of processing under Article 18 GDPR and the right to erasure ("right to be forgotten") under Article 17 GDPR.

Furthermore, you have the right to receive the personal data in a structured, commonly used, machine readable format (right to data portability) under Article 20 GDPR, provided that processing is automated and based on consent in accordance with Article 6(1a) or Article 9(2a) or on a contract in accordance with Article 6(1b) GDPR.

b) Withdrawal of consent in accordance with Article 7(3) GDPR

If processing is based on consent, you may at any time withdraw the consent you gave us to process personal data. Please be aware that withdrawal of consent has future effect only. It has no effect on processing based on consent before its withdrawal.

c) Right to lodge a complaint

You have the option to send a complaint to us or to a data protection regulatory body (Article 77 GDPR). In this Privacy Policy, you can find information about the company responsible for processing your data, the data protection officer, if applicable, and the relevant regulatory body.

d) Right to object under Article 21 GDPR

In addition to the rights mentioned above, you have the right to object, as follows:

(1) Right to object on a case-by-case basis: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Article 6(1e) GDPR (data processing in the public interest) and Article 6(1f) GDPR (data processing on the grounds of the balance of interests); this includes any profiling on the basis of this provision, as defined in Article 4(4) GDPR.

We will cease processing your personal data if you lodge an objection, unless we can provide compelling legitimate reasons for doing so which outweigh your interests, rights and freedoms, or unless the processing is used for the purposes of asserting, exercising or defending legal claims.

(2) Right of objection to the processing of data for advertising purposes: In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data for the purposes of such marketing; this includes profiling insofar as it is related to such direct marketing. If you object to processing aimed at direct marketing, we will cease processing your personal data for such purposes.

E. Final provisions

15. Supervisory authority

The supervisory authority relevant for Certara Germany GmbH can be contacted as follows:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, DE 10969 Berlin
Tel.: +49 (0)30 13889-0
Fax: +49 (0)30 2155050
E-Mail: mailbox@datenschutz-berlin.de

16. Automated decision-making and Profiling

(1) As a rule, we do not use any automated decision-making pursuant to Article 22 GDPR to justify and implement the business relationship.

17. Security

(1) We have put in place technical and organizational security measures (in accordance with Articles 24, 32 GDPR for the EU) in order to protect your personal data against loss, destruction, manipulation and unauthorized access. All of our staff and all third parties involved in data processing are obliged to comply with relevant data protection laws and treat personal data confidentially.

(2) This site uses SSL or TLS encryption for security reasons and to protect confidential content during transmission, such as purchase orders or requests you send to us as the site operator.

(3) A part of the data processing can be handled via service providers. Along with the service providers stated in this Privacy Policy, these may include in particular other computer centres, IT service providers which maintain our systems, and consultancy firms. BaseCase undertakes to ensure that all third-party companies commissioned to process or store the data provided to BaseCase, whether currently or in future, use computer centres certified under SOC 2 (or equivalent) or ISO/IEC 27001 for this purpose. The data is transmitted from BaseCase to the computer centres in the USA, and data is entered through the user account, using an encrypted connection certified by an industry-standard Certificate Authority and SSL encryption. If you or your employees contact us by e-mail, this is not encrypted by default and can therefore in theory be viewed by others, because it is transmitted via the Internet depending on your e-mail server configuration. BaseCase supports and accepts secure/encrypted email connections, where the contents of the e-mails are communicated over secure TLS-encrypted connections in transit. These secure in-transit TLS e-mail connections are used depending on your email server configuration. BaseCase assumes that you are in agreement with e-mail communication being non-encrypted. However, you have the possibility of objecting to non-encrypted e-mail correspondence in advance.

(4) For Users using non-SSO login, you can change your Password at any time in your personal Account setting or reset your password. For Users using SSO login, you can change your Password at any time by contacting your Company’s Administrator.

18. Changes to our privacy provisions

We reserve the right to make changes to our security and data protection measures to the extent necessary due to technological advances or changes in law. In such cases, we will also amend our Privacy Policy accordingly. Therefore, please take into account the latest version of our Privacy Policy.

Document version: 1.4
Release date: 2020-06-21