Privacy Policy
This Privacy Policy applies to our iOS and Android applications.
The protection of personal data is of great importance in our company. We process data only if this is necessary for the functionality of our products.
Table of Contents
- I. Controller
- II. General Information on Data Processing
- III. Provision of Our Application
- IV. Registration
- V. E-Mail Contact
- VI. E-Commerce
- VII. User Profiles
- VIII. Permissions of the Application
- IX. Data Security
- X. Data Subject Rights
- XI. App Creation Date
I. Controller
The controller (and application provider) in the sense of the General Data Protection Regulation and other national data protection laws of the Member States as well as other provisions under privacy law is:
WODOTO GmbH
represented by the managing directors: Maya de Silva-Witte, Elroy Das
Herderstr. 92
28203 Bremen
Germany
Tel.: 0179 4962109
E-mail: maya.desilva@wodoto.app
Legal Notice: www.wodoto.app/en/data-protection/
II. General Information on Data Processing
1. Terms
Regarding the terminology (e.g. “personal data” or “processing”), we refer the reader to Art. 4 of the General Data Protection Regulation (GDPR).
The following terms are explained in extracts. This is not an exhaustive list of Art. 4 GDPR.
Regarding the terms used:
- “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factor(s) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Scope of Personal Data Processing
We generally process personal data of our users only to the extent that this is necessary to provide our services as well as our contents and performances. Personal data of our users is regularly processed only after the user has given his or her consent. An exception applies in cases where a prior consent cannot be obtained for factual reasons and/or the data may be processed under legal regulations.
3. Legal Basis for Personal Data Processing
To the extent that we obtain a consent from the data subject for processing operations of personal data, point (a) of Art. 6(1) GDPR serves as the legal basis.
If processing personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Art. 6(1) GDPR serves as the legal basis. This also applies to processing operations that are necessary in order to take steps prior to entering into a contract.
To the extent that any processing of personal data is necessary for compliance with a legal obligation to which our company is subject, point (c) of Art. 6(1) GDPR serves as the legal basis.
If processing is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Art. 6(1) GDPR serves as the legal basis.
Where the processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject, point (f) of Art. 6(1) GDPR serves as the legal basis for the processing.
The processing of data for purposes other than those for which it has been collected by us is governed by Art. 6(4) GDPR.
4. Retention Period and Data Erasure
The data subject’s personal data will be erased or blocked once the purpose of retention ceases to be relevant. In addition, data may be retained if this is provided for by the European or national legislator in legal EU regulations, laws or other regulations to which the controller is subject. The data will also be blocked or erased once a retention period prescribed by the aforementioned norms expires, unless further retention of the data is required for the conclusion or performance of a contract.
III. Provision of Our Application
The WODOTO application (app) is available via sales platforms (app stores) operated by third parties (Google Play and Apple App Store). The download may require prior registration with the respective app store and installation of the app store software. We do not have any possibility to influence the processing and use of personal data in connection with the installation, registration and provision of downloads in the respective app store and the app store software. The controller in these cases is the operator of the respective app store.
1. Description and Scope of Data Processing
When our app is started, our system automatically collects data and information from the device of the accessing person.
In this context, the following data is collected:
- device identification (e.g. iPhone X)
- the user’s operating system (Android/iOS)
- the version of the user’s operating system
- the app version
- access date and time
A session token is generated and assigned to the user. The session token does not contain any device-specific information, nor does it allow any conclusions to be drawn about the identity of the user. The data is saved and stored in our system. This does not include the user’s IP address or other data that would allow the data to be attributed to a user. This data is not saved or stored together with other personal data of the user.
2. Legal Basis for Personal Data Processing
The legal basis for the temporary data storage is point (f) of Art. 6(1) GDPR.
3. Data Processing Purpose
We use the data to optimise the application and to ensure the security of our IT systems. The data is not evaluated for marketing purposes in this context.
These purposes are also the basis for our legitimate interest in the data processing under point (f) of Art. 6(1) GDPR.
4. Data Retention Period
The data will be erased once it is no longer required to achieve the purpose of its collection. Except for the session token, this is the case once the respective session has been terminated. The session token continues to exist until users log out. It is generated again once they log in again.
5. Objection and Elimination Option
The collection of the data to provide the services and the saving and retention of the data is absolutely necessary to ensure the operation of the application. A right to object exists on the part of the user as per Art. 21(1) GDPR only on grounds relating to the user’s particular situation.
IV. Registration
1. Description and Scope of Data Processing
Using our app requires the creation of a user profile (registration) in the app or on our website. We provide users with the possibility to register in our app by indicating personal data. This is done by entering the data in an input mask, after which the data is transmitted to and saved by us. The data is not disseminated to third parties. This process includes the collection of the user's first name and surname as well as the e-mail address and, in encrypted form, the password created by the user (mandatory details). Moreover, we log the device identifier and the registration date and time. Users have the possibility to store further data in their user profile.
A consent to the processing of this data is obtained from the user as part of the download process.
2. Legal Basis for Personal Data Processing
Where a consent of the user is available, the legal basis for the data processing is point (a) of Art. 6(1) GDPR.
Point (b) of Art. 6(1) GDPR serves as an additional legal basis for the data processing.
3. Data Processing Purpose
A registration of the user is required to keep certain contents and services available.
Our applications build on information from the user profiles. It is possible to plan joint tours or to build teams. Moreover, we provide users with an opportunity to interact with each other in different ways. The user’s identification is necessary to ensure the functionality of our application. We provide users with an opportunity to test contents subject to a charge for a limited time. Since this option is only available to new customers, the identification is indispensable to avoid misuse. The user’s e-mail address serves to communicate with us.
The user’s registration is necessary for the performance of a contract or in order to take steps prior to entering into a contract.
We provide users with an opportunity to access extended functions of our app for a consideration. To do so, different contract models (subscriptions) with different terms and prices can be selected. The user's identification is necessary for the contract conclusion. It allows, for example, the assertion of rights or invoicing.
4. Data Retention Period
The data will be erased once it is no longer required to achieve the purpose of its collection.
This applies to the data collected during the registration process if the registration on our website is cancelled or modified.
This applies to the steps taken during the registration process for the performance of a contract or prior to entering into a contract if the data is no longer necessary for the implementation of the contract. It may be necessary to retain personal data of the contracting partner even after conclusion of the contract to meet contractual or legal obligations. We retain the data throughout the period of our contractual relationship. The contractual relationship with us also includes the agreement to retention of the data entered by the user for 6 further months after the end of the contractual relationship or erasure of the user profile. Apart from that, the legal retention obligations apply. These stipulate that data is to be erased (e.g. as per section 147 AO (Fiscal Code of Germany)) after 6 or 10 years.
5. Objection and Elimination Option
As a user of free contents, you have the possibility to cancel the registration at any time. You may have the data about you stored on our system changed at any time.
The registration can be cancelled by deleting the user profile. The user profile can be deleted under the settings within the user profile. User data can be edited via the settings within the user profile.
If the data is necessary for the performance of a contract or in order to take steps prior to entering into a contract, the data can be erased prematurely only to the extent that the erasure does not conflict with contractual or legal obligations.
V. E-Mail Contact
1. Description and Scope of Data Processing
We can be contacted using a provided e-mail address. In this case, the user’s personal data transmitted with the e-mail will be retained.
The data is not disclosed to third parties in this context. The data is exclusively used to process the conversation.
2. Legal Basis for Personal Data Processing
The legal basis for the processing of data transmitted in the course of sending an e-mail is point (f) of Art. 6(1) GDPR. If the e-mail contact is aimed at concluding a contract, point (b) of Art. 6(1) GDPR serves as an additional legal basis for the processing.
3. Data Processing Purpose
The processing of the personal data serves only to process the established contact.
4. Data Retention Period
The data will be erased once it is no longer required to achieve the purpose of its collection. This applies to the personal data sent by e-mail once the respective conversation with the user has been terminated. The conversation is deemed terminated once it can be seen from the circumstances that the relevant issue has been resolved conclusively.
The personal data additionally collected during the sending process will be erased after a period of seven days at the latest.
5. Objection and Elimination Option
If the user contacts us by e-mail, he or she may object to the saving or storage of his or her personal data at any time. In such a case, the conversation cannot be continued.
Revocation of the consent and objection to the retention of data may be declared by a notice to us. Users have the possibility to reach us via the contact options indicated in the Legal Notice.
All personal data retained in the course of contacting us will be erased in this case.
VI. E-Commerce (not part of the WODOTO app test versions)
1. Description and Scope of Data Processing
We provide users with the opportunity to conclude contracts with us via our app. We collect personal data of the user as part of the contract conclusion. This includes first name and surname (for business customers the corporate name as well), the date of birth as well as the user’s address data and the e-mail address. Moreover, we collect payment data of the user. This differs depending on the payment system chosen by the user. This generally includes credit card numbers incl. the security code and details about the validity of the card or an e-mail address.
In addition, further data may also be collected, such as VAT ID, fax or phone number. These are optional and not required for contract conclusion.
2. Legal Basis for Personal Data Processing
The legal basis for data processing is point (b) of Art. 6(1) GDPR to the extent that the data is necessary for the performance of a contract or in order to take steps prior to entering into a contract. The legal basis for the processing of further data is point (a) of Art. 6(1) GDPR.
3. Data Processing Purpose
The processing of the personal data serves the performance of contracts with users. The user's identification by the first name and surname as well as the address data (street, house number, postal code and place of residence as well as country) is essential for us to be informed about who our contracting partner is. At the same time, it serves to verify the entered data for plausibility. The date of birth needs to be indicated, since we can only conclude contracts with users of full age according to the law. The payment data serves the contract performance (payment handling). The e-mail address is used by us to communicate with the user in the framework of the contractual relationship (e.g. to send an invoice or to confirm a contract).
The indication of further data allows us to identify and contact users more easily as well as ensure more precise invoicing.
4. Data Retention Period
The data will be erased once it is no longer required to achieve the purpose of its collection.
This applies to the performance of a contract or to steps taken prior to entering into a contract if the data is no longer necessary for the implementation of the contract. It may be necessary to retain personal data of the contracting partner even after conclusion of the contract to meet contractual or legal obligations. We retain the data throughout the period of our contractual relationship. The contractual relationship with us also includes the agreement to retention of the data entered by the user for 6 further months after the end of the contractual relationship or erasure of the user profile. Apart from that, the legal retention obligations apply (e.g. HGB (German Commercial Code), AO, StGB (German Criminal Code)). These stipulate that data is to be erased (e.g. as per section 147 AO (Fiscal Code of Germany)) after 6 or 10 years.
5. Objection and Elimination Option
If the data is necessary for the performance of a contract or in order to take steps prior to entering into a contract, the data can be erased prematurely only to the extent that the erasure does not conflict with contractual or legal obligations.
If the processing is based on a consent, users may withdraw their consent at any time. If you withdraw your consent to the data processing, we will erase and no longer process the relevant data, unless we are obligated to do so by law or the processing is admissible on account of any other legal basis provided for by the GDPR. The withdrawal does not affect the lawfulness of processing based on such consent before its withdrawal.
VII. User Profiles
1. General Information
a. Description and Scope of Data Processing
We provide users with a possibility to add different information to their user profile. This includes, for example, the e-mail address, address data (place of residence, street name, house number, postal code, country), for business customers the corporate name, as well as profile pictures and the date of birth. By making the appropriate settings, the user can decide what data he or she wants to disclose to other users within the app. The data is hidden in the default setting. The entry of this information is optional and not required to create and use the user profile.
b. Legal Basis for Personal Data Processing
Where a consent of the user is available, the legal basis for the data processing is point (a) of Art. 6(1) GDPR.
c. Data Processing Purpose
The data serves as a basis for using different app functions. Depending on the function the user wants to use, different data is required. The data is a prerequisite, for example, for users to interact with each other within the app (e.g. people search, private message, team building). The data is also required if users want to establish contacts with colleagues within the app. Regarding this, it is possible to enter the user profile in a public database (within the app). Here, users can search for specific co-workers or colleagues. The data (esp. the e-mail address) is used by us for contacting users for different purposes (e.g. sending information and notices, dispatch of documents).
Users have the possibility to limit the disclosure of their data by its type and/or scope by appropriate settings.
d. Data Retention Period
The data will be retained until it is erased or changed by the user. The data may be retained beyond that period if we are obligated to do so due to a legal regulation or the data is necessary for the enforcement of legal claims. If the contractual relationship with us ends without the user erasing the information in the user profile, we will retain the data for another 6 months based on a contractual agreement with the user.
e. Objection and Elimination Option
If the processing is based on a consent, users may withdraw their consent at any time. If you withdraw your consent to the data processing, we will erase and no longer process the relevant data, unless we are obligated to do so by law or the processing is admissible on account of any other legal basis provided for by the GDPR. The withdrawal does not affect the lawfulness of processing based on such consent before its withdrawal.
2. Certificates
a. Description and Scope of Data Processing
Users have the possibility to add different certificates to their user profile. These certificates usually contain proof of a specific qualification or the completion of specific seminars as well as a validity period and signatures. They regularly also contain personal data of the user. The relevant data is processed depending on the certificate added by the user. We also process the user’s e-mail address in this context.
Users can add the date of expiry of certificates in the app.
Certificates are added to the user profile in the form of a photo (JPG) or a PDF. To ensure user-friendly handling, the app requires access to both the camera of the user’s device and the storage location (usually images) or the storage location for documents. The certificates added by users are retained by us as a file.
Adding any certificates is optional.
b. Legal Basis for Personal Data Processing
Where a consent of the user is available, the legal basis for the data processing is point (a) of Art. 6(1) GDPR.
c. Data Processing Purpose
The data is necessary for using different app functions. Users can send the certificates within the app to a colleague/employer to prove their qualifications. By stating the validity, users can use our warning functions. Once a certificate reaches a remaining validity of 3 months, we inform the user in the app as well as by e-mail about the forthcoming expiry of the validity. Unless users disable the warning function, we send a second notification in the same way for a remaining validity of one month.
Users can send certificates (for example to an employer). This is possible within the app or by e-mail.
d. Data Retention Period
The data will be retained until it is erased or changed by the user in the app. The data may be retained beyond that period if we are obligated to do so due to a legal regulation or the data is necessary for the enforcement of legal claims. If the contractual relationship with us ends without the user erasing the information in the user profile, we will retain the data for another 6 months based on a contractual agreement with the user.
e. Objection and Elimination Option
If the processing is based on a consent, users may withdraw their consent at any time. If you withdraw your consent to the data processing, we will erase and no longer process the relevant data, unless we are obligated to do so by law or the processing is admissible on account of any other legal basis provided for by the GDPR. The withdrawal does not affect the lawfulness of processing based on such consent before its withdrawal.
3. Levels and Rope Hours
a. Description and Scope of the Data
Users can add levels and rope hours to the user profile. This information is an indication of the user’s training level and experience. The user’s level and rope hours are visible for other app users.
b. Legal Basis for Personal Data Processing
The legal basis for the data retention is point (f) of Art. 6(1) GDPR.
c. Data Processing Purpose
The data serves to ensure the functionality of a core area of our services. To connect users with one another efficiently, e.g. to plan specific joint activities, it is vital that we know about the user’s work experience.
These purposes are also the basis for our legitimate interest in the data processing under point (f) of Art. 6(1) GDPR.
d. Data Retention Period
The data will be retained until it is erased or changed by the user. The data may be retained beyond that period if we are obligated to do so due to a legal regulation or the data is necessary for the enforcement of legal claims. If the contractual relationship with us ends without the user erasing the information in the user profile, we will retain the data for another 6 months based on a contractual agreement with the user.
e. Objection and Elimination Option
Users may permanently erase or modify the data in their user profile. Users have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them. We will no longer process the personal data, unless we can demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or serve the establishment, exercise or defence of legal claims.
4. Miscellaneous
a. Description and Scope of Data Processing
Users have the possibility to plan tours or projects. To do so, users can add different data. For instance, date, place of work and working times, colleagues or co-workers can be saved. We process the users’ e-mail address. Moreover, the app requires access to the storage location of the documents on the user’s device.
Users can add objects of their personal safety equipment to their user profile (material lists). We also process the date and the users’ e-mail address for the material lists.
The statements are optional and depend on the users’ consent.
b. Legal Basis for Personal Data Processing
Where a consent of the user is available, the legal basis for the data processing is point (a) of Art. 6(1) GDPR.
c. Data Processing Purpose
The data serves to provide functions for our app. The planning of projects serves to facilitate and simplify work processes. It provides users with a possibility, for example, to indicate their own working times or those of co-workers. It is possible to generate an overview in the form of a PDF. For this purpose, the app places a PDF in the document memory of your device. This PDF can be sent (e.g. as an e-mail attachment).
Material lists can be queried or issued by the employer as a requirement for specific activities. It is also possible to enter objects in a checklist and to provide them with the date of the recurring material check. We remind users of the forthcoming check in good time (e.g. by e-mail).
d. Data Retention Period
The data will be retained until it is erased or changed by the user. The data may be retained beyond that period if we are obligated to do so due to a legal regulation or the data is necessary for the enforcement of legal claims. If the contractual relationship with us ends without the user erasing the information in the user profile, we will retain the data for another 6 months based on a contractual agreement with the user.
e. Objection and Elimination Option
If the processing is based on a consent, users may withdraw their consent at any time. If you withdraw your consent to the data processing, we will erase and no longer process the relevant data, unless we are obligated to do so by law or the processing is admissible on account of any other legal basis provided for by the GDPR. The withdrawal does not affect the lawfulness of processing based on such consent before its withdrawal.
5. Countly
a. Description and Scope of Data Processing
This website uses the “Countly” service, which is operated by the Count.ly platform based in Great Britain to analyse the website use by users. Countly uses cookies, which will be saved and stored on your device. The service collects and logs the standard data transmitted by the user’s web browser (IP address, browser type and version, accessed sites, access date and time, time stayed on the site and other details). Countly collects data about your device (device type, operating system, device settings, location data). The recipient of the data is Countly.
b. Legal Basis for Personal Data Processing
The legal basis for using Countly is your consent as per point (a) of Art. 6(1) GDPR.
c. Data Processing Purpose
The data is collected to gain knowledge of the origin of our visitors in order to better customise our web presence to the needs of our visitors.
d. Data Retention Period
The data sent by us will be automatically erased after 14 months. Data whose retention period has expired is automatically erased once a month.
e. Objection and Elimination Option
If the processing is based on a consent, users may withdraw their consent at any time. If you withdraw your consent to the data processing, we will erase and no longer process the relevant data, unless we are obligated to do so by law or the processing is admissible on account of any other legal basis provided for by the GDPR. The withdrawal does not affect the lawfulness of processing based on such consent before its withdrawal.
You have the possibility to prevent the saving of the cookies on your device by setting your browser accordingly. We cannot guarantee that you will be able to access all functions of this website without any restrictions if your browser does not accept cookies.
Furthermore, you can use a browser plug-in to prevent the use of the information collected by the cookies.
Some app functions might not or no longer be fully available after the consent has been withdrawn.
VIII. Permissions of the Application
To ensure the proper functioning of the app, it is necessary that users grant access to specific functions of their device and to personal data stored on the device. Users are thus requested to grant the relevant access permission once at the beginning or even only when using the respective function.
1. Network Access and Network Connections
Network access is necessary, since essential functions of the app can be used only in the online mode. By granting this permission, you allow the app to automatically load contents from the Internet which are intended to be displayed in the app (e.g. messages from colleagues).
2. Camera
Access to the camera is necessary in order to use different app functions (e.g. taking a photo of a certificate for the upload). We do not retain any data in this context. Images or videos are retained on the users’ devices.
3. Memory
Access to the photo or document memory of the device is necessary in order to upload stored photos or documents (e.g. PDFs). The app uses this permission, for example, in order to upload profile pictures or certificates.
4. Calendar
Access to the respective calendars of the devices is necessary to generate entries, where appropriate (e.g. expiration periods or appointments).
IX. Data Security
We maintain technical measures to ensure data security pursuant to the state of the art. In particular, data is transmitted only in SSL-encrypted form to protect your personal data against dangers during data transmissions as well as against access by unauthorised third parties.
Information or data is exchanged via our server in Frankfurt (IP: 46.101.XXX.XXX).
X. Data Subject Rights
If personal data about you is processed, you are a data subject in the sense of the GDPR and you have the following rights vis-à-vis the controller:
1. Right of Access
You may obtain from the controller confirmation as to whether or not personal data concerning you is being processed by us.
Where that is the case, you may obtain from the controller access to the following information:
- the purposes for which the personal data is processed;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored, or, where it is not possible to provide concrete information in this regard, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source;
- the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain access to information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be notified of appropriate safeguards as per Art. 46 GDPR in connection with the transfer.
2. Right to Rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is inaccurate or incomplete. The controller must perform the rectification without delay.
3. Right to Restriction of Processing
You have the right to obtain restriction of processing of the personal data concerning you where one of the following applies:
- the accuracy of the personal data concerning you is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing of the personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted according to the conditions above, you will be informed by the controller before the restriction of processing is lifted.
4. Right to Erasure
a. Erasure Obligation
You may obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase this data without undue delay where one of the following grounds applies:
- the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw your consent on which the processing is based according to point (a) of Art. 6(1), or point (a) of Art. 9(2) GDPR, and where there is no other legal ground for the processing;
- you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
- the personal data concerning you has been unlawfully processed;
- the personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
b. Information to Third Parties
Where the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as data subject, have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
c. Exceptions
The right to erasure does not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
5. Right to Information
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the latter is obliged to notify all recipients to whom your personal data has been disclosed of such rectification or erasure of the data or restriction of processing, unless this turns out to be impossible or requires unreasonable effort.
You have the right to obtain from the controller information about these recipients.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:
- the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR; and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR, including profiling based on those provisions.
The controller no longer processes the personal data concerning you, unless the controller can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or serve the establishment, exercise or defence of legal claims.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to Withdraw the Consent Given Under Privacy Law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated Individual Decision-Making Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and the controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
However, such decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless points (a) or (g) of Art. 9(2) GDPR apply and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you are of the opinion that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
XI. App Creation Date
The app was created on: 27.11.2019
End of the Privacy Policy
As of November 2019



