Data Privacy Statement – flex|pos App

flex|pos GmbH & Co. KG
Lindemannstraße 79
44137 Dortmund

Telephone: +49 (0)231 / 847 953-0
Fax: +49 (0)231 / 847 953-78
E-mail: hallo@flex-pos.com
www.flex-pos.de

We are very pleased that you have chosen to use our flex|pos App mobile application (hereinafter: app). Your privacy and the protection of your personal data are important to us. We would therefore like to inform you about:

• the purposes for which your (personal) data is collected, processed and used;
• how we handle and protect your data;
• to whom we provide data; and
• how you can exercise your rights.
  ‍

1. Definitions

We have provided a summary of some key definitions to help make it easier for you to understand this data privacy statement.  

‘Contract data processing’ (‘CDP’ for short) within the meaning of Article 28 of the General Data Protection Regulation (GDPR) simply means a service provided by a service provider (processor under the GDPR) whereby personal data is collected, processed and/or used by order of, and under the instruction of, the ‘controller’. Service providers exclusively process personal data under our instructions and do not acquire ownership of, or have any independent interest in, your data. Before such a contract is awarded to a carefully selected service provider, we conclude a separate special contract with the service provider and ensure further measures are in place to protect your personal data.

‘Cookies’ are small text files that are saved on your terminal device (e.g. tablet or smartphone). They store certain settings and data that are then exchanged with our system via your browser. A cookie normally contains the name of the website visited, which is the website the cookie data was sent from, information about the age of the cookie, and an alphanumeric identifier. Cookies make it possible for systems to recognise the user’s device and ensure that any presets are instantly available.

‍Third parties are any natural or legal persons or bodies other than the data subject, the controller, the processor and persons who are authorised under the direct responsibility of the controller or the processor to process personal data; see Article 4 No. 10 of the GDPR. As an example, if personal data is provided to a service provider as part of contract data processing pursuant to Article 28 of the GDPR, or previously, Section 11 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), such service providers are not considered to be third parties.

IP addresses are numerical sequences that can be assigned to individual IT devices or a group. In a similar way to how postal addresses are used, the IP is used to assign data to the right recipient.

‘Personal data’ is considered to be all information that relates to an identified or identifiable natural person, with particular reference to name and surname, date of birth, e-mail address, home address, bank details and payment details, but also with reference to health data; see Article 4 No. 1 of the GDPR (detailed information concerning an identified or identifiable natural person, previously pursuant to Section 3 Paragraph 1 of the BDSG).

‘Controller’ pursuant to Article 4 No. 7 of the GDPR (previously ‘responsible authority’ pursuant to Section 3 Paragraph 7 of the BDSG) is any person or body that makes decisions about the purpose and means of personal data processing either independently or jointly with others (here: the app operator).

2. Controller

In reference to your personal data that is processed as part of your use of this app, the controller is:
‍
flex|pos GmbH & Co. KG
Lindemannstraße 79
44137 Dortmund

Telephone: +49 (0)231 / 847 953-0
Fax: +49 (0)231 / 847 953-78
E-mail: hallo@flex-pos.com
‍Website: www.flex-pos.de

3. Contact details for flex|pos GmbH & Co. KG’s data protection officer

External data protection officer for flex|pos GmbH & Co. KG
Brands Consulting
Mr. Philipp Schmiereck
Auf dem Hahn 11
56412 Niedererbach
‍
‍flex-pos@brands-consulting.eu
‍ www.brands-consulting.eu

4. Data collected by the app

4.1    Technical data
a) When you download the mobile app, the information required is sent to the app store, with particular reference to the app store user name, e-mail address and customer number for your account, the time of download, payment details and the individual device ID. We have no influence over such data collection and the app store provider’s server location, and are therefore not responsible for this. We only process data if this is necessary for you to be able to download the app on your mobile device.
‍
b) If you use our mobile app, we collect the data listed below, which is required for technical reasons, to be able to offer you the features available on our mobile app, and to ensure stability and security (the legal basis is Article 6Paragraph 1Sentence 1 Letter f of the GDPR):

• the IP address;
• the date and time of request;ifference relative to Greenwich Mean Time (GMT);
• the time zone difference relative to Greenwich Mean Time (GMT); of the request (specific site);
• the content of the request (specific site);
• the access status/HTTP status code;
• the volume of data transmitted;
• the browser;
• the operating system and interface; and
• the browser software language and version.
  ‍

c) Our app only uses cookies to save and maintain the user’s current session (login) in the form of a session token. The app only saves one session token per terminal device per user. The token is replaced as soon as a new session begins. The token is deleted as soon as the user logs out. The token expires after 7 days of inactive app use at the latest.

4.2 Content data
The app is used to collect and transmit relevant data relating to your activities on behalf of flex|pos and to complete your tasks. To do so, personal data must be collected, transmitted and processed. We process your personal data on the basis of Article 6Paragraph 1Sentence 1 Letter f of the GDPR. We have a legitimate interest in designing our work processes efficiently and in collecting, transmitting and processing the resulting job data that relates to this. The app may collect the following personal data, which we may then process:

• the job location;
• the job date;
• working hours;
• travel times and kilometres travelled;
• job completion information;
• details of other persons involved (name and surname, e-mail address, technician no.), where applicable;
• job-related attachments, such as photos or other files;
• the user’s signature; and
• the customer’s name and signature.
  ‍

4.3 Login details
You have to be registered with us and have access to a user account to be able to use the app. When setting up and managing your user account, we process the personal data listed below on the legal basis of Article 6Paragraph 1Sentence 1 Letter f of the GDPR:

• name and surname;
• user name;
• password;
• e-mail address;
• company;
• bearing designation; and
• flex|pos technician no.
  ‍

5. Access to hardware features, such as the camera, the flash and memory

5.1 We ask for your permission before our app accessesyour device’s hardware features for the first time. If you do not grant permission, you can only use our app in a restricted way and you will not be able to use it to its full extent. You can grant or withdraw permission at any time via your operating system settings.
‍
5.2 If you do not grant access to this data, the app will only be able to access your data and send it to our server if this is necessary for functionality. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR.
‍
5.3 Access to hardware features necessary for functionality:
‍
a) Access to the camera, the flash and the photo gallery is necessary

• for documentation purposes for job processing (photo attachments); and
• to be able to record job-specific information such as serial numbers and item numbers (barcode scanner).
  ‍

b) Access to internal memory, restricted to app functionalities, is necessary

• for dto be able to ensure offline app availability and to be able to cache master data and registered form data; and
• to be able to save and select job-related attachments, such as photos.
  ‍

c) Internet and network status access is required

• to communicate with the flex|pos app server.
  ‍

6. Using and sharing your data; using service providers

We collect and use your data in accordance with legal provisions, and we only do so for our own purposes. As part of job fulfilment, we share necessary job-related data with our clients and possibly also calibration authorities. Unless you have been commissioned by flex|pos, the necessary job-related data will also be shared with the respective client. Additionally, we do not share data with third parties unless there is a legal obligation to do so or you have given your consent for this.

If we use other service providers to provide our offering and grant third parties access to your (usually anonymised) data (for example, for the purposes of technical support, maintenance or use analysis for the app), we will ensure that there is a data processing contract in place, pursuant to Article 28 of the GDPR. We are still responsible for protecting your data. Service providers used are not considered to be ‘third parties’ due to the conclusion of a contract.

7. Using Google Analytics

Based on our legitimate interests (within the meaning of Article 6 Paragraph 1 Letter f. of the GDPR) in error analysis and the technical optimisation of our app, we use Google Analytics, which is an analysis service from Google LLC (‘Google’), to be able to monitor the technical functionality of the app.

Information relating to how users use the app is usually sent to a Google server in the USA at regular intervals and saved there.

Google is certified under the Privacy Shield agreement and offers a guarantee that it complies with European data protection law through this. (https://www.privacyshield.gov).Google uses the information to evaluate the use of our app by the user on our behalf. Error reports and data relating to performance (loading times), site navigation and data transmission volumes, are compiled and sent to compile reports concerning activities within the app. The processed data may be used to create pseudonym app use profiles for the user.

We only use Google Analytics if IP anonymisation is enabled. This means that users’ IP addresses are truncated by Google within the European Union Member States or in other signatory states to the Agreement on the European Economic Area. A full IP address is only sent to a Google server in the USA and truncated there in exceptional cases.We never use Google Analytics to carry out cross-device tracking or to show you promotional offers.

We only use Analytics to monitor the app's technical functionalities. The IP address sent from the user’s app is not merged with other Google data. The user can prevent their use data from being transmitted and processed by disabling the Analytics feature in the app’s settings, under the menu item ‘Google Analytics’. Once the feature is disabled, we will no longer receive any information about errors and glitches and will therefore no longer be able to guarantee support and the error-free use of the app.

You can find more information about how Google uses data in its privacy policy (https://policies.google.com). The user’s personal data is erased or anonymised after 14 months.

8. Duration of data use/storage

Your personal data is erased

• if you have asserted a claim for erasure, unless statutory retention duties prevent this;
• if data is no longer required to fulfil the purpose for which it was stored; or
• if storage is not permitted for other legal reasons.
  ‍

9. Location for data use

Unless otherwise stated, your data is processed in Germany. If we, as the controller, deviate from this, we will inform you accordingly.

10. Data security

We would like to clarify to you that there may be security loopholes when transmitting data online. It is therefore not possible to completely protect data against access by third parties. However, we take comprehensive technical and organisational measures (‘TOM’ for short) to secure our IT systems and your personal data against unwanted: entrance, access, sharing, entry, loss, distribution, destruction and alteration by unauthorised parties. These are updated in line with the current state of technological knowledge.

11. External links and information in this app

We assume no liability for external links and third-party offerings that are accessible via such links. In the app, we refer you to the navigation service or services installed on the terminal device that is, or are, available via a navigation button in the job detail view. If you use the navigation button, the selected map will be launched, and only the address data for the job location is sent to that map service. Current location data is not stored or shared in our app. You will find more information about the use and further processing of location data by the map service in the privacy policies and T&Cs for the respective providers. Furthermore, please note that if you use external links, your personal data may be collected by third parties. The respective operator of the external website is responsible for this. Please find out more information about the website’s privacy policy available on the respective website you access.

Information provided in this app is exclusively for informational purposes and is not legally binding.

12. Data subject rights

The contact partner for data subject rights is our data protection officer (for contact details, please see above).

12.1 Right of access
In accordance with the legal provisions of Article 15 of the GDPR, you do, of course, have the right to obtain confirmation at any time as to whether or not we process your personal data. If we process your personal data, you can also request information concerning the circumstances under which data is processed and how data is processed, as well as further details concerning the data processed.

12.2 Right to rectification
In accordance with the provisions of Article 16 of the GDPR, you have the right to obtain the rectification of inaccurate personal data, unless you are able to make the changes yourself.

12.3 Right to erasure
In accordance with the legal provisions of Article 17 of the GDPR, you are entitled to request that we erase personal data relating to you without undue delay. You do not have a right to erasure if the processing of personal data is required to exercise the right to freedom of expression and information, to fulfil a legal obligation that we are subject to (e.g. statutory retention duties) or to assert, exercise or defend legal claims, etc.

12.4 Right to restriction of processing
You may request that the processing of your personal data is restricted pursuant to Article 18 of the GDPR.

12.5 Right to data portability
In accordance with the provisions of Article 20 of the GDPR, you are entitled to receive personal data relating to you, which we process, in a structured, commonly used and machine-readable format.

12.6 Right to object
In accordance with the provisions of Article 21 of the GDPR, you have the right to object to the processing of your personal data and to request that we stop processing. You only have a right to object to the extent prescribed by law. Your objection may be precluded by legitimate interests which require the data to be further processed.

12.7 Right of withdrawal
You may withdraw any consent you have given to the processing of your personal data (e.g. as part of a newsletter subscription) at any time with future effect, without incurring any costs that exceed the costs of transmission in line with basic rates.

12.8 Right to lodge a complaint/supervisory authorities
In accordance with Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority and/or a responsible body if you have grounds to complain, and in particular, if you believe that your personal data is not being processed in compliance with legal requirements and the provisions of this privacy policy.

The contact details for the supervisory authorities responsible for us are:
‍
Landesbeauftragte für Datenschutz und Informationsfreiheit
(State Officer for Data Protection and Freedom of Information)
North Rhine-Westphalia
P.O. Box 20 04 44
40102 Düsseldorf
‍
Tel.: 0211/38424-0
Fax: 0211/38424-10
E-mail: poststelle@ldi.nrw.de
‍

13. Changes to the data privacy statement

Technological advancements, legal requirements or changes in work processes may affect this data privacy statement. We therefore reserve the right to change this privacy policy at any time with future effect.
You will find the respectively current version of the privacy policy at:

• German version: https://flex-pos.de/datenschutz-app.html
• English version: https://www.flex-pos.com/data-protection-app.html
  ‍

or in this app if you have updated it accordingly. In case of doubt, the German version of the privacy policy applies.

Date: June 2018