Data protection information according to Art. 13
and 21 GDPR for the d.3 mobile-app of d.velop AG
1.
General
We, the d.velop AG, Schildarpstraße 6-8, 48712 Gescher,
GERMANY (hereinafter “d.velop”), take the protection of your
personal data and the legal obligations that serve to ensure this protection
very seriously. The legal provisions require comprehensive transparency in all
issues regarding the processing of personal data. Only when the processing is
traceable for you as the person concerned (data subject), you can be deemed to
be sufficiently informed about the intention, purpose and scope of the
processing. That is why our data protection information explains to you in
detail which so-called personal data we process when you use the d.3 mobile-app
(see definitions below 2.).
“Controller”
in terms of the General Data Protection Regulation (GDPR), the
Bundesdatenschutzgesetz – German Federal Data Protection Act (BDSG) as well as
other data protection regulations is
d.velop AG
Schildarpstraße 6-8
48712 Gescher
Tel.: +492542 9307–0
E-Mail: info@d-velop.de
referred to
hereinafter as “controller” or “we”.
The
responsible data protection officer is:
Nils Möllersr
Keyed GmbH
Siemensstraße 12
48341 Altenberge
Tel.: +49(2505) 3787
datenschutz@d-velop.de
Please be aware that you may be redirected to
other apps or webpages via links in this app which are not operated by us but
by third parties. We either clearly mark such links or you can recognise them
by the change of the URL in your browser or by the change of the app running on
your device. We are not responsible for compliance with the applicable data
protection regulations and secure handling of your personal data by third
parties operating such other apps or webpages.
2.
Definitions
2.1. According to the GDPR
This data
protection information uses the terms used in the wording of the GPPR. The
definitions (Art. 4 GDPR) are available for instance at https://gdpr-info.eu/art-4-gdpr/.
2.2. Cookies
Cookies are small units of information which a
website places on your terminal or which are read there. This serves the
purpose of being able to use this information again at a later point in time. They
contain letter- and number combinations to, for instance when a connection is
again established with the website that places the cookies, facilitate the
recognition of the user and his settings, to enable you to stay logged into a
customer account or to conduct statistical analyses of a certain user
behaviour.
3.
General
information about data processing
We only process personal data to the extent
permitted by law. Disclosure or transfer to third parties takes place only in
the cases described below
The personal data is deleted or protected by
technical and organisational measures (e.g. pseudonymisation, encryption) as
soon as the data processing purpose ceases to exist. This is also the case as
soon as a prescribed storage period expires unless continued storage of the
personal data is necessary for the purpose of conclusion or performance of a contract.
Unless we are obliged by law to ensure extended
storage or disclose or transfer personal data to third parties (including but
not limited to criminal prosecution authorities), the decision which personal
data is collected by us, how long it is stored and to which extent you may be
required to disclose your data depends on which functions and features of the app
you use in particular cases.
4.
Data
processing in connection with the use of the app
4.1. Downloading the d.3 mobile-app
When downloading
the d.3 mobile-app, the necessary information is transferred to the respective
app store operator. Depending on the app store, this information may include
the e-mail address or customer number of the user, the time of download and an
individual device code. We have no influence on this processing of your data
and are not responsible for such data processing. The privacy policy and your settings
with the respective app store operator apply.
4.2. Using the d.3 mobile-app with user access
At the
first start the d.3 mobile-app queries the URL of the d.3 system that is to be
accessed with the d.3 mobile-app in addition to general information about the
application of the d.3 mobile-app. This can be changed in the d.3 mobile-app
settings as well. The d.3 mobile-app also queries the user ID and password that
are to be used for access.
This
information is stored encrypted on your mobile device. The password storage can
be deactivated at any time in the login data of the d.3 mobile-app. Other
personal data is not stored in the d.3 mobile-app. In particular, this does not
apply to identifiers of your device (e.g. the unique device identification
number, so-called UDID).
You can
also define in the login data whether you want to use authentication by biometric
data (e.g. fingerprint or face recognition) or your device’s PIN code. In this
case, the respective device receives access to your encrypted user ID for the
purpose of activating your user access.
Insofar as
the above-mentioned personal data is processed, such processing is legal in
accordance with Art. 6 subs. 1 b) GDPR in order to fulfil the contract with you
on the use of the d.3 mobile-app and the services offered by its use.
We do not
combine this personal data with other data sources. A passing on to third
parties does not take place. A transfer to a third country or to an
international organisation is not intended and will not take place subject to
further provisions of this data protection information.
4.3. Accessing system functions and contents
of your device
In order
to ensure the technical functionality of the d.3 mobile-app and for the
provision of the services offered by the app various access options and
information may be required. For example, the d.3 mobile-app can use the "upload"
function to access the camera system functions of the mobile device or content
stored on the mobile device, such as photos. Whether or not you allow this
access depends on your system settings and your choices made upon the app’s request
to grant specific permissions. The d.3 mobile-app can only access the system
functions of your mobile device if you explicitly allow this.
If you
allow the d.3 mobile-app to do so, personal data collected (e.g. content of a
photo together with metadata) will be processed and used by the d.3 mobile-app
exclusively for the desired function (e.g. upload of a photo from your device
to the d.3 system). This personal data will not be transferred to d.velop.
4.4. Receiving push-notifications on
Apple devices
If you are
using the operating system “iOS” (or in the future “iPad OS”) on your device
(iPhone, iPad), you can activate push notifications via the d.3 mobile-app. By
using the system function of your device, the d.3 mobile-app can then send you
notifications (e.g. if new content is available for you in the d.3 system
that’s set up in the d.3 mobile-app), so-called “push notifications”. If you
activate these push notifications when you start the d.3 mobile-app for the
first time, your device ID will be transferred to the Apple Push Notification
Service and stored there in a database operated by Apple. The Apple Push
Notification Service returns a Push Notification Identifier, which does not
allow any conclusions to be drawn about the device ID or about you as the user.
After that, push notifications will be sent exclusively using this Push
Notification Identifier.
Push
notifications are used by the d.3 mobile-app to inform you about processes within
the d.3 ecm system.
You can
revoke the permission to deliver push notifications at any time via the
operating system of your device as follows: iOS/settings/<name of
app>/messages.
Insofar as
your personal data is processed, the processing is necessary to provide services
you requested and therefore serves the fulfilment of the contract concluded
with you. Hence the processing is legal pursuant to Art. 6 subs. 1 b) GDPR.
Since Apple in the USA becomes aware that you have activated push notifications
for our app through the activation of push notifications, your device ID will
be transferred to a third country upon your request. This is legal pursuant to
Art. 49 subs. 1 b) GDPR, as we cannot provide the service you requested without
the transfer.
4.5. d.3 demo system
The d.3 mobile-app
is preconfigured for accessing a d.3 demo system. Access to the demo system is
unencrypted. The personal data collected and stored during access to the demo
system, including any content uploaded by you to the demo system (e.g. photos),
will be deleted by d.velop after one hour. Until then such content is publicly
accessible. Identification of your person by third parties is only possible if
the contents uploaded by you into the demo system are related to your person
(e.g. uploading a photo of a document with your address).
The
processing of the personal data entered by you serves the purpose of making the
d.3 demo System available to you. This processing is legal because it is
necessary to fulfil the contract concluded with you pursuant to Art. 6 subs. 1 b)
GDPR.
We do not
combine this personal data with other data sources. Data will not be passed on
to third parties. A transfer to a third country or to an international
organisation is not intended and will not take place subject to further
provisions of this data protection information.
5.
Passing
on of personal data to third parties
Only if
you have granted access to a d.3 system in the d.3 mobile-app as described in
section 4, d.velop will transfer personal data (e.g. user ID and password for
authorizing your access to the d.3 system) that is generated when accessing the
d.3 system using the functions provided by the d.3 mobile-app. Transfer will
take place exclusively to the operator of the d.3 system via the d.3 mobile-app.
A transfer of personal data by d.velop to other third parties does not take
place. Whether and how the operator of the d.3 system handles personal data is
not known to d.velop. The d.3 mobile-app insofar is only carrier and means of
transport. Please inform yourself on this data processing by the privacy policy
of the operator of this d.3 system.
6.
Rights
of data subjects
You as the
person concerned (hereinafter “data subject”) are entitled to a right to
information according to Art. 15 GDPR, a right to rectification according to
Art. 16 GDPR, a right to erasure according to Art. 17 GDPR, a right to
restriction of processing according to Art. 18 GDPR as well as a right to data
portability according to Art. 20 GDPR. The right to information as well as the
right to erasure are subject to the restrictions under §§ 34, 35 BDSG (German
Federal Data Protection Act). In addition, you are entitled to lodge a
complaint with a supervisory authority (Art. 77 GDPR in combination with § 19
BDSG).
The
supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Postfach
20 04 44
40102
Düsseldorf
GERMANY
However,
you are free to complain to another supervisory authority.
7.
Automated
case-by-case decisions including profiling
No
automated case-by-case decisions are taken, including profiling.
8.
Controller’s
duty to inform
We will
inform all recipients to whom your personal data was disclosed of any
rectification or erasure of your personal data or any restriction of processing
according to Art. 16, Art. 17 subs. 1 and Art. 18 GDPR unless it is impossible
or requires unreasonable effort to inform them.
We will
also inform you about the identity of the recipients at your request.
9.
Right
to oppose
You are
entitled for reasons arising from your specific situation to oppose at any time
the processing of your personal data which is carried out according to Art. 6
subs. 1 e) or f) GDPR. Where personal data is processed for the purpose of
direct marketing, you are entitled at any time to oppose the processing of your
personal data for such direct marketing purposes. The objection can be made form-free and is to be addressed to us under
the abovementioned address.