Information on Data Processing for SUSE's Okta Authentication System

Background

As described in the email that you received from SUSE, we are upgrading our authentication system by migrating away from the current system provided by our subprocessor, Micro Focus, to the Okta system. In order to continue provisioning your user account and providing the services associated therewith, SUSE Software Solutions Germany GmbH and its corporate affiliates ("SUSE Group") must process certain personal data which you have provided to us in the past or may provide to us going forward ("Personal Data").

Controller

The controller of the processing for the purposes of Article 4(7) GDPR is SUSE Software Solutions Germany GmbH, Maxfeldstraße 5, 90409 Nuremberg, Germany. SUSE's Data Protection Officer is Mr. Stefan Eigler, TÜV Rheinland i-Sec GmbH, Am Grauen Stein, 51105 Cologne, Germany. The SUSE Group privacy policy is available at https://www.suse.com/company/legal/#privacy-policy.

Purpose of Processing

We need to process your Personal Data to create, provision and administer your account with SUSE, to ensure the security of your account, to provide account-related services such as password recovery and multi-factor authentication, as well as to provision your access to SUSE services which rely on the Okta authentication system. Where necessary, we may need to use the Personal Data processed to contact you with respect to issues with your account.

Categories of Personal Data processed

We expect to process Personal Data such as your chosen username, your first and last name, your email, your company affiliation and role (if applicable), your location (country, postal code) as well as any information you share with us through or relating to Okta, including without limitation in emails, forums and free text fields. Additionally, some metadata used to enhance the security of the system may be collected (see Okta's privacy policy, linked below, for further information). We ask you to never include sensitive categories of Personal Data (see Art 9 GDPR) when you use our Okta authentication system.

Grounds for Processing

Where a contractual relationship (e.g. whereunder SUSE provides product support) exists or is being created between us, we process your Personal Data according to Art 6 (1)(b) GDPR. Otherwise, we process your Personal Data according to Art 6 (1)(f) GDPR, under which it is our legitimate interest to process your Personal Data to be able to provide the Okta authentication system and to be able to contact you (see above). Given that we keep the Personal Data we need to process to provide these services to you at a minimum and that we do not believe you are disadvantaged in any way by using our Developer Portal, we believe that this represents a fair balancing of interests.

Recipients of Personal Data

The Personal Data will be processed by those SUSE Group employees who are responsible for the day-to-day running of the Okta authentication system. Transfer of your Personal Data to SUSE Group entities outside the EEA is covered by a multi-entity data processing agreement which incorporates the Standard Contractual Clauses ("model clauses"). Additionally, SUSE uses a processor, Okta, Inc, 100 First Street, 6th Floor, San Francisco, CA 94105, USA, to provide the service. A data processing agreement is in place between Okta, Inc and SUSE, which incorporates the standard contractual clauses to cover the transfer of your Personal Data to Okta in the USA and other countries used by Okta for data processing. Okta's privacy policy is available at https://www.okta.com/privacy-policy/ and additional documentation relating to, inter alia, technical and organisational measures as well as subprocessors used can be accessed at https://www.okta.com/trustandcompliance/.

Appendix A (Your Rights)

You have the right:

  • pursuant to Article 7 (3) GDPR, to revoke your consent to us at any time, for Personal Data shared externally. Thereafter, we will not be allowed to continue the data processing based on your revoked consent for the future.
  • pursuant to Article 15 GDPR, to request information about your Personal Data processed by us. In particular, you may request information about the processing purposes, the categories of Personal Data, the categories of recipients to whom your data has been disclosed, the planned retention period, the right of rectification, deletion, limitation of processing or opposition, the existence of a right to complain, the source of your data, if not collected from us, and the existence of automated decision-making, including profiling, and - if necessary - meaningful information about its details.
  • pursuant to Article 16 GDPR, to immediately demand the correction of incorrect or incomplete Personal Data stored by us.
  • pursuant to Article 17 GDPR, to demand the deletion of your Personal Data stored by us, except where the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.
  • pursuant to Article 18 GDPR, to demand the restriction of the processing of your Personal Data, insofar as the accuracy of such Personal Data is disputed by you; or the processing is unlawful, you reject the deletion of such unlawfully processed Personal Data and we no longer need the Personal Data, but where you assert, exercise or defend legal claims or you have objected to the processing in accordance with Article 21 GDPR.
  • pursuant to Article 20 GDPR, to receive the Personal Data that you have provided to us in a structured, standard and machine-readable format or to request the transfer to another controller.
  • pursuant to Article 77 GDPR, to complain to a supervisory authority. For example, you can contact the supervisory authority of your location or workplace or our corporate office (see Appendix A).

To exercise any of the rights listed above, please contact privacy@suse.com. For Personal Data shared externally, you can revoke your consent at any time, effective for the future, by sending an email to privacy@suse.com. This will not affect the legitimacy of processing under the consent up to the time of revocation.

Information about your right of objection under Article 21 GDPR

Case-specific Right of Objection

You have the right at any time, for reasons arising out of your particular situation, to object to the processing of your Personal Data pursuant to Article 6 (1)(e) GDPR (Data Processing in the Public Interest) and Article 6 (1)(f) GDPR (Data processing on the basis of a balance of interests). This also applies to profiling based on this provision within the meaning of Article 4 (4) GDPR. Should you object, we will not further process your Personal Data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims. Your objection should be directed to privacy@suse.com.