Privacy Notice
Version 1.4 – Last updated: 13 July 2026
This notice explains how personal data is processed on the Platform of the IA Working Group SC, an internal collaboration platform for authorised participants of the Working Group Supply Chain. It provides the information required by Articles 13 and 14 of the General Data Protection Regulation (GDPR).
1. Controller
The controller for the processing of personal data on this platform is:
Working Group Supply Chain of the Industrial Alliance on Processors and
Semiconductor Technologies
c/o Opaix GmbH, Grüner Weg 54, 23566 Lübeck, Germany
Email: privacy@ia-sc-sc-wg.eu
The platform is technically operated and maintained by Opaix GmbH on behalf of the working group.
2. What data we process and where it comes from
The platform processes the following categories of personal data:
- Account data: your email address, your assigned roles (e.g. host, administrator, member, content editor, guest) and your account status (active, deactivated, expiry date for guest accounts).
- Authentication and activity records: authentication events (successful and failed logins) and access events describing which resources an authenticated user accessed, including downloads and, for content editors, content changes. Each record contains a timestamp, the user, the role, the event type, the resource and the access decision.
- Download counters: a per-user count of document downloads per calendar day, used to enforce the daily download limit and a rolling 7-day bulk-download limit.
- Access-review contact data: the email address of the person designated by each partner organisation as the responsible contact for the periodic access reviews (see section 4), as entered by a host or administrator.
- Technical server and security logs: the platform's infrastructure components (reverse proxy, sign-in service, email system) additionally record technical request data such as IP address, browser (user-agent) information and technical error details for security monitoring and troubleshooting.
Source of your data: your email address and your initial role assignment are provided by the working-group host of your partner organisation or by a platform administrator when you are admitted to the access list. Subsequent role assignments and changes to your account status are made by authorised hosts or administrators, or are generated automatically according to the platform's account lifecycle rules (see section 6). Authentication and activity records, download counters and technical logs are generated through your use of the platform and the operation of its technical systems.
3. Purposes and legal bases
All processing on this platform is based on legitimate interest (Art. 6(1)(f) GDPR). The specific purposes and the interests pursued are:
- Access management and authentication: maintaining the access list, verifying your identity via one-time login codes sent by email, and enforcing role-based access to protected areas. Legitimate interest: restricting this non-public platform to authorised alliance participants and protecting the shared content from unauthorised access.
- Security and audit logging: recording authentication and access events as described above, and keeping the technical server and security logs. Legitimate interest: detecting and investigating misuse or unauthorised access attempts, ensuring the secure and reliable operation of the platform, and maintaining the auditability that the participating partner organisations require for cross-organisation collaboration.
- Enforcement of download limits: counting downloads per user and calendar day and evaluating them against a daily limit and a rolling 7-day limit. Legitimate interest: preventing bulk extraction of the shared document base, including slow extraction spread over several days.
- Account administration and deletion: automatic expiry of guest access, deactivation of inactive accounts and deletion of deactivated accounts (see section 6), including the related email notifications. Legitimate interest: keeping the access list limited to persons who actually need access.
4. Emails sent by the platform
The platform sends transactional emails only: one-time login codes, security notifications (for example when a daily download limit is reached), account notices (for example before an inactive account is deactivated) and periodic access-review requests to the designated review contact of each partner organisation. No marketing or promotional emails are sent. These emails are delivered through the email delivery service Brevo (Sendinblue SAS, Paris, France) acting as a processor on our behalf; the delivery process generates dispatch metadata (recipient address, time of dispatch, delivery status).
5. Recipients and data location
Personal data is disclosed to the following categories of recipients:
- Opaix GmbH (Lübeck, Germany), which technically operates and maintains the platform on behalf of the working group.
- IONOS SE (Germany), the hosting provider on whose EU data centre infrastructure the platform server runs.
- Brevo (Sendinblue SAS), Paris, France, the email delivery service used to deliver the transactional emails described in section 4.
- Working-group hosts of the participating partner organisations, who can see the access list (email addresses, roles and account status) for the purpose of managing admissions and for the periodic access reviews.
- The designated access-review contact of your partner organisation, who receives the email addresses of that organisation's members with access — and only of that organisation — as part of the quarterly access review.
Activity records and technical logs are accessible only to platform administrators.
The platform itself and its databases are hosted on servers located within the European Union. Brevo may engage affiliated companies and subprocessors located outside the EU/EEA or permit them to access personal data. Where personal data is transferred outside the EU/EEA, Brevo uses the safeguards required under Chapter V GDPR, including adequacy decisions such as the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses together with supplementary measures. Further information about these safeguards or a copy of the relevant safeguards may be requested at privacy@ia-sc-sc-wg.eu. Personal data is not sold or disclosed to third parties for their own marketing purposes.
6. Retention
- Activity records and technical logs: retained for 30 days, then deleted.
- Download counters: retained for up to 7 days, corresponding to the rolling window of the bulk-download limit, and then deleted.
- Email dispatch metadata: retained by the email delivery service (Brevo) for one month, the minimum retention period the service supports, and then deleted. The deletion process may take up to an additional 24 hours.
- Account data: retained for as long as you are on the access list. Guest access expires automatically at the end of its validity period. Accounts with no login for 60 days are deactivated, and deactivated accounts are permanently deleted 30 days after deactivation. Your account is also removed when your organisation's host or an administrator removes you from the access list.
- Access-review contact data: retained until the contact is replaced or removed by a host or administrator, or until the partner organisation is removed from the platform.
7. Cookies and tracking
The platform sets only strictly necessary cookies required by the platform and its sign-in service to authenticate you and maintain secure sessions. These cookies are used exclusively for authentication and session management and are not used for analytics, advertising or cross-site tracking. The platform session cookie expires no later than 12 hours after sign-in; the sign-in service's session cookies expire when the corresponding sign-in session ends and no later than 12 hours after sign-in. As these cookies are strictly necessary for the service you request, no consent is required for them. There is no tracking, no analytics based on personal data and no profiling; usage statistics (such as page views) are compiled only in aggregate and are not linked to an identifiable user.
8. No automated decision-making
The platform does not use solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. Access to platform areas is granted or denied automatically according to the role assignments made by hosts and administrators; these technical access checks do not produce such effects.
9. Is the provision of your data required?
Providing and processing your email address is necessary to operate your access to the platform: without it, no account can be created, no login codes can be delivered and access cannot be granted. There is no statutory or contractual obligation for you personally to provide it; if you do not wish your email address to be processed, contact your organisation's host to be removed from the access list.
10. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6(1)(f) GDPR (Art. 21(1) GDPR). We will then no longer process the data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. To object, contact privacy@ia-sc-sc-wg.eu.
11. Your other rights
Under the GDPR you additionally have the right to obtain access to the personal data we hold about you (Art. 15), the right to rectification of inaccurate data (Art. 16), the right to erasure (Art. 17) and the right to restriction of processing (Art. 18). Where the applicable legal requirements are met, you may also have the right to data portability under Art. 20 GDPR.
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority competent for the controller is the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany (datenschutzzentrum.de). You may however also contact the supervisory authority of the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
To exercise any of these rights, contact privacy@ia-sc-sc-wg.eu.
12. Changes to this notice
We will update this notice when the processing described here changes, for example when a new service provider is engaged. The version published on this page is the current one.