Data protection information according to Art. 13 and 21 GDPR for the d.velop mobile-app of d.velop AG
1. General
We, the d.velop AG, Schildarpstraße 6-8, 48712 Gescher, GERMANY (hereinafter
“d.velop”), take the protection of your personal data and the legal obligations
that serve to ensure this protection very seriously. The legal provisions
require comprehensive transparency in all issues regarding the processing of
personal data. Only when the processing is traceable for you as the person
concerned (data subject) can you be deemed to be sufficiently informed about
the intention, purpose and scope of the processing. That is why our data
protection information explains to you in detail which so-called personal data
(see definitions below 2.) we process when you use the d.velop mobile-app.
“Controller” in terms of the General Data Protection Regulation (GDPR), the
Bundesdatenschutzgesetz – German Federal Data Protection Act (BDSG) as well as
other data protection regulations is
d.velop AG
Schildarpstraße 6-8
48712 Gescher
Tel.: +492542 9307–0
E-Mail: info@d-velop.de
referred to hereinafter as “controller” or “we”.
The responsible data protection officer is:
Nils Möllers, Keyed GmbH
Siemensstraße 12
48341 Altenberge
datenschutz@d-velop.de
Please be aware that you may be redirected to
other apps or webpages via links in this app which are not operated by us but
by third parties. We either clearly mark such links or you can recognise them
by the change of the URL in your browser or by the change of the app running on
your device. We are not responsible for compliance with the applicable data
protection regulations and secure handling of your personal data by third
parties operating such other apps or webpages.
2. Definitions
2.1. According to the GDPR
This data protection information uses the terms used in the wording of the GDPR. The
definitions (Art. 4 GDPR) are available for instance at https://gdpr-info.eu/art-4-gdpr/.
2.2. Cookies
Cookies are small units of information which a
website places on your terminal or which are read there. This serves the
purpose of being able to use this information again at a later point in time. They
contain combinations of letters and numbers which serve, for instance, to
facilitate the recognition of the user and his settings when a connection is
again established with the website that places the cookies, to enable you to
stay logged into a customer account or to conduct statistical analyses of
certain user behaviour.
3. General information about data processing
We only process personal data to the extent
permitted by law. Disclosure or transfer to third parties takes place only in
the cases described below.
The personal data is deleted or protected by
technical and organisational measures (e.g. pseudonymisation, encryption) as
soon as the data processing purpose ceases to exist. This is also the case as
soon as a prescribed storage period expires unless continued storage of the
personal data is necessary for the purpose of conclusion or performance of a
contract.
Unless we are obliged by law to ensure extended
storage or disclose or transfer personal data to third parties (including but
not limited to criminal prosecution authorities), the decision which personal
data is collected by us, how long it is stored and to which extent you may be
required to disclose your data depends on which functions and features of the app
you use in particular cases.
4. Data processing in connection with the use of the app
4.1. Downloading the d.velop mobile-app
When downloading the d.velop mobile-app, the necessary information is transferred to the respective app
store operator. Depending on the app store, this information may include the
e-mail address or customer number of the user, the time of download and an individual
device code. We have no influence on this processing of your data and are not
responsible for such data processing. The privacy policy and your settings with
the respective app store operator apply.
4.2. Using the d.velop mobile-app with user access
At the first start the d.velop mobile-app queries the URL of the d.3ecm system
that is to be accessed with the d.velop mobile-app in addition to general
information about the application of the d.velop mobile-app. This can be
changed in the d.velop mobile-app settings as well. The d.velop mobile-app also
queries the user ID and password that are to be used for access.
This information is stored encrypted on your mobile device. The password
storage can be deactivated at any time in the login data of the d.velop
mobile-app. Other personal data is not stored in the d.velop mobile-app.
In particular, this does not apply to identifiers of your device (e.g. the
unique device identification number, so-called UDID).
You can also define in the login data whether you want to use authentication by biometric
data (e.g. fingerprint or face recognition) or your device’s PIN code. In this
case, the respective device receives access to your encrypted user ID for the
purpose of activating your user access.
Insofar as the above-mentioned personal data is processed, such processing is legal in
accordance with Art. 6 subs. 1 b) GDPR in order to fulfil the contract with you
on the use of the d.velop mobile-app and the services offered by its use.
We do not combine this personal data with other data sources. A passing on to third
parties does not take place. A transfer to a third country or to an
international organisation is not intended and will
not take place subject to further provisions of this data protection information.
4.3. Accessing system functions and contents of your device
In order to ensure the technical functionality of the d.velop mobile-app and for the provision of the
services offered by the app various access options and information may be
required. For example, the d.velop
mobile-app can use the "upload" function to access the camera system
functions of the mobile device or content stored on the mobile device, such as
photos. Whether or not you allow this access depends on your system settings
and your choices made upon the app’s request to grant specific permissions. The
d.velop mobile-app can only
access the system functions of your mobile device if you explicitly allow this.
If you allow the d.velop mobile-app to do so, personal data
collected (e.g. content of a photo together with metadata) will be processed
and used by the d.velop mobile-app exclusively for
the desired function (e.g. upload of a photo from your device to the d.3ecm
system). This personal data will not be transferred to d.velop.
4.4. Receiving push-notifications on Apple devices
If you are using the operating system “iOS” (or “iPadOS”) on
your device (iPhone, iPad), you can activate push notifications via the d.velop mobile-app. By using the
system function of your device, the d.velop
mobile-app can then send you notifications (e.g. if new content is available
for you in the d.3ecm system that’s set up in the d.velop
mobile-app), so-called “push notifications”. If you activate these push
notifications when you start the d.velop mobile-app
for the first time, your random device ID will be transferred to the Apple Push
Notification Service and stored there in a database operated by Apple. The
Apple Push Notification Service returns a Push Notification Identifier, which
does not allow any conclusions to be drawn about the device ID or about you as
the user. After that, push notifications will be sent exclusively using this
Push Notification Identifier.
Push notifications are used by the d.velop mobile-app to inform you about
processes within the d.3ecm system.
You can revoke the permission to deliver push notifications at any time via the
operating system of your device as follows: iOS/settings/<name of app>/messages.
Insofar as your personal data is processed, the processing is necessary to provide services
you requested and therefore serves the fulfilment of the contract concluded
with you. Hence the processing is legal pursuant to Art. 6 subs. 1 b) GDPR.
Since Apple in the USA becomes aware that you have activated push notifications
for our app through the activation of push notifications, your device ID will
be transferred to a third country upon your request. This is legal pursuant to
Art. 49 subs. 1 b) GDPR, as we cannot provide the service you requested without
the transfer.
4.5. d.3ecm demo system
The d.velop mobile-app is preconfigured for accessing a d.3ecm
demo system. Access to the demo system is unencrypted. The personal data
collected and stored during access to the demo system, including any content
uploaded by you to the demo system (e.g. photos), will be deleted by d.velop after one hour. Until then
such content is publicly accessible. Identification of your person by third
parties is only possible if the contents uploaded by you into the demo system
are related to your person (e.g. uploading a photo of
a document with your address).
The processing of the personal data
entered by you serves the purpose of making the d.3ecm demo system available to
you. This processing is legal because it is necessary to fulfil the contract
concluded with you pursuant to Art. 6 subs. 1 b) GDPR.
We do not combine this personal data
with other data sources. Data will not be passed on to third parties. A
transfer to a third country or to an international organisation
is not intended and will not take place subject to further provisions of this
data protection information.
4.6. Crashlytics
We have integrated the service Crashlytics of the provider Google Ireland Limited
(registration number: 368047), Gordon House, Barrow Street, Dublin 4 in our
apps to detect and report crashes of the app.
In the event of a crash, certain
information such as device type, operating system version, the approximate
location of the mobile device and some technical data about the mobile device
is sent to Crashlytics in order to obtain a more
reliable analysis, for example, to determine whether the problem is specific to
one or more device types. Deletion occurs after 180 days at the latest. The
information does not include the IP address, personally identifiable
information, or any other data from the mobile device.
To the extent that data is processed
outside the EEA, where there is no level of data protection equivalent to the
European standard, we have concluded EU standard contractual clauses with the
service provider to establish a secure level of data protection. For more information
regarding Google's terms of use and data protection, please visit:
https://policies.google.com/privacy.
Google Firebase Crashlytics
is used to optimize this app and improve our services. This constitutes a
legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.
4.7. Google Firebase Core
We use Google Firebase Core to
integrate third-party content. This is a technical solution, which does not
itself store or read any cookies or similar technologies requiring consent. It
merely controls the conditions under which the other programs, which are used
in the app and described below, are activated.
5. Passing on of personal data to third parties
Only if you have granted access to a d.3ecm system in the d.velop mobile-app as
described in section 4, d.velop will transfer personal data (e.g. user ID and
password for authorizing your access to the d.3ecm system) that is generated
when accessing the d.3ecm system using the functions provided by the d.velop
mobile-app.
Transfer will take place exclusively to the operator of the d.3ecm system via
the d.velop mobile-app. A transfer of personal data
by d.velop to other third
parties does not take place. Whether and how the operator of the d.3ecm system handles
personal data is not known to d.velop.
In this respect, the d.velop mobile-app is only a carrier and means of
transport. Please refer to the privacy policy of the operator of this d.3ecm
system for information on this data processing.
6. Rights of data subjects
You as the person concerned (hereinafter “data subject”) are entitled to a right to
information according to Art. 15 GDPR, a right to rectification according to
Art. 16 GDPR, a right to erasure according to Art. 17 GDPR, a right to
restriction of processing according to Art. 18 GDPR as well as a right to data
portability according to Art. 20 GDPR. The right to information as well as the
right to erasure are subject to the restrictions under §§ 34, 35 BDSG (German
Federal Data Protection Act). In addition, you are entitled to lodge a
complaint with a supervisory authority (Art. 77 GDPR in combination with § 19
BDSG).
The supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
GERMANY
However, you are free to complain to another supervisory authority.
7. Automated case-by-case decisions including profiling
No automated case-by-case decisions are taken, including profiling.
8. Controller’s duty to inform
We will inform all recipients to whom your personal data was disclosed of any
rectification or erasure of your personal data or any restriction of processing
according to Art. 16, Art. 17 subs. 1 and Art. 18 GDPR unless it is impossible
or requires unreasonable effort to inform them.
We will also inform you about the identity of the recipients at your request.
9. Right to oppose
You are entitled for reasons arising from your specific situation to oppose at any time
the processing of your personal data which is carried out according to Art. 6
subs. 1 e) or f) GDPR. Where personal data is processed for the purpose of
direct marketing, you are entitled at any time to oppose the processing of your
personal data for such direct marketing purposes. The objection can be made
without any formal requirements and is to be addressed to us at the
above-mentioned address.