I.       Name and address of the person responsible

The person responsible in terms of the General Data Protection Regulation and other national data protection acts of the EU member states as well as further data protection regulations is the company:

 

Pendix GmbH

Innere Schneeberger Straße 20

08056 Zwickau, Germany

 

represented by its managing directors Thomas Herzog and Christian Hennig

Entry in the commercial register local court of Chemnitz

Registration number: HRB 28452

 

II.            Name and address of the data protection officer

The data protection officer of the person responsible is:

Mr Markus Heckel

Pendix GmbH

Innere Schneeberger Straße 20

08056 Zwickau, Germany

E-mail: datenschutz@pendix.de

III.           General information on data processing

1.      Scope of personal data processing

We only process the personal data of our users to the extent this is necessary for the provision of a functional app as well as for the provision of our contents and services. The personal data of our users are only processed regularly with the consent of the user. An exception is made in case the data processing is permitted by legal provisions.

2.      Legal basis for personal data processing

Provided that we seek the consent of the affected person for personal data processing, art. 6 par. 1(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for personal data processing.

In case of the processing of personal data, which are necessary for the performance of a contract, to which the person concerned is a contractual party, art. 6 par. 1(b) GDPR serves as legal basis. This also applies to processing operations which are necessary for the implementation of precontractual measures.

Provided that the processing of personal data is necessary for the fulfilment of a legal obligation of our company, art. 6 par. 1(c) GDPR serves as legal basis.

If the processing is necessary for ensuring a legitimate interest of our company or of a third party and if the interests, fundamental rights and fundamental freedoms of the affected person do not outweigh the interest mentioned first, art. 6 par. 1(f) GDPR serves as the legal basis for data processing.

3.      Data deletion and storage period

The personal data of the user are deleted or blocked as soon as the purpose of storage ceases to apply. The personal data can also be stored, if this is provided for by the European or national legislature in European Union regulations, laws or other provisions, to which the person responsible is subject. The data are also blocked or deleted when a storage period prescribed by the mentioned standards expires unless it is necessary to further store the data for the conclusion of a contract or the performance of a contract.

IV.          Provision of the app and creation of logfiles

1.      Description and scope of data processing

With each visit to our App, our system automatically collects data and information from the computer system of the mobile phone.

The following data are collected in this process:

 

 

The data are also stored in the logfiles of our system. These data are not stored together with other personal data of the user.

2.      Legal basis for data processing

The legal basis for the temporary storage of the data and the logfiles is art. 6 par. 1(f) GDPR.

3.      Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow the delivery of the app to the mobile phone of the user. For this purpose, the IP address of the user must be stored for the duration of the session.

The data are stored in logfiles in order to ensure the functioning of the app. Furthermore, we use these data for the optimisation of the app and for ensuring the safety of our information technology systems. The data are not analysed for marketing purposes in this context.

 

These purposes also include our legitimate interest in data processing according to art. 6 par. 1(f) GDPR.

4.      Duration of storage

The personal data are deleted as soon as they are no longer necessary for achieving the purpose of their collection. If the data are collected for the provision of the app, this is the case when the respective session is ended. If the data are stored in logfiles, this is the case after twenty-six months at the latest.

5.      Possibility to object and possibility of elimination

The collection of the data for the provision of the app and the storage of the data in logfiles is absolutely necessary for the operation of the app. Therefore, the user has no possibility to object.

V.            Data processing in states outside the European Economic Area

If we process data in third countries (countries outside the EU / EEA) or transfer data to companies in third countries, we will only arrange this if we are authorised by you or by law. If there is no adequacy decision by the European Commission according to art. 45 GDPR for the respective third country, i.e. there is no adequate level of data protection in the third country, we will ensure via contractual regulations (standard contractual clauses by the EU on data protection) or other appropriate guarantees according to art. 46 GDPR that your privacy and your personal data are also protected at the company in the third country adequately and as provided by law.

VI.          Integration of services and contents by third parties

It may happen that third-party contents, such as YouTube videos or maps from Google Maps are integrated within this app. This always assumes that the provider of these contents (hereinafter referred to as “Third-party provider”) see the IP address of the users. Because without the IP address, they would not be able to send the contents to the browser of the respective user. Consequently, the IP address is necessary for the presentation of these contents. We strive to only use those contents, the providers of which only use the IP address for the provision of the contents. However, we have no influence on whether the third-party providers store the IP address e.g. for statistical purposes or not.

VII.         Your rights as affected person

If your personal data are processed, you as the affected person have the following rights against the person responsible. For asserting your following rights, please contact:

Pendix GmbH

Innere Schneeberger Straße 20

08056 Zwickau, Germany

E-mail: dataprotection@pendix.com

1.      Right to information

You can request a confirmation from us if we process your personal data. If we really process your personal data, you can demand the following information from us:

 

(1)       the purposes for which the personal data are processed;

(2)       the categories of personal data, which are processed;

(3)       the recipients resp. the categories of recipients to which your personal data have been disclosed or will be disclosed;

(4)       the intended duration of the storage of your personal data or, if specific information is possible, the criteria for the determination of the storage period;

(5)       the existence of a right of correction or deletion of your personal data, a right of limitation of the processing by the person responsible or a right of objection against this processing;

(6)       the existence of a right of appeal to a supervisory authority;

(7)       all available information on the origin of the data if the personal data are not collected from the affected person;

(8)       the existence of an automatic decision making, including profiling according to art. 22 par. 1 and 4 GDPR and – at least in these cases – conclusive information of the involved logic as well as the scope and the pursued effects of such a processing for the affected person.

You have the right to demand information on whether your personal data are transferred to a third country or to an international organisation. In this context, you may demand to be informed about the adequate guarantees according to art. 46 GDPR in connection with the transfer.

2.      Right of correction

You have a right of correction and/or completion against the person responsible, provided that your personal data are incorrect or incomplete. The person responsible shall correct the data immediately.

3.      Right of limitation of the processing

You can demand the limitation of the processing of your personal data under the following conditions:

(1)       if you deny the accuracy of your personal data for a period which enables the person responsible to check the accuracy of the personal data;

(2)       if the processing is illegal and if you reject the deletion of the personal data and demand the limitation of the use of the personal data instead;

(3)       if the person responsible does no longer need the personal data for the purposes of the processing, but you need these for the assertion, exercise or defence of legal claims, or

(4)       if you filed an objection against the processing according to art. 21 par. 1 GDPR and it is not yet clear if the legitimate reasons of the person responsible outweigh your reasons.

If the processing of your personal data was limited, these data – except for their storage -  may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of a substantial public interest of the European Union or of a member state.

If the processing was limited according to the above-mentioned conditions, you will be informed by the person responsible bevor the limitation is removed.

4.      Right of deletion

a)     Deletion obligation

You can request from the person responsible that your personal data are deleted immediately and the person responsible is obliged to delete these data immediately if one of the following reasons applies:

(1)       Your personal data are not necessary anymore for the purposes for which they were collected or processed in another way.

(2)       You revoke your consent on which the processing according to art. 6 par. 1(a) or art. 9 par. 2(a) GDPR was based and there is no other legal basis for the processing.

(3)       You file an objection against the processing according to art. 21 par. 1 GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing according to art. 21 par. 2 GDPR.

(4)       Your personal data were processed illegally.

(5)       The deletion of your personal data is necessary for the compliance with a legal obligation according to the European Union law or according to the law of the member state to which the person responsible is subject.

(6)       Your personal data were collected with regard to the offered services of the information society according to art. 8 par. 1 GDPR.

b)     Information to third parties

If the person responsible made your personal data public and if he is obliged to the deletion of these data according to art. 17 par. 1 GDPR, he will take appropriate measures, also of a technical nature, under consideration of the available technology and the implementation costs in order to inform the authority responsible for processing the personal data that you as the affected person demanded the deletion of all links to these personal data or of copies or replications of these personal data.

c)      Exceptions

The right of deletion does not apply if the processing is necessary

(1)       for exercising the right to freedom of expression and information;

(2)       for the compliance with a legal obligation which requires the processing according to the law of the European Union or of the member state to which the person responsible is subject, or for the performance of a task which is of public interest or in the exercise of official authority, which was assigned to the person responsible;

(3)       for reasons of public interest in the area of public health according to art. 9 par. 2(h) and (i) as well as art. 9 par. 3 GDPR;

(4)       for archiving purposes of public interest, scientific or historic research purposes or for statistical purposes according to art. 89 par. 1 GDPR, provided that the right mentioned under paragraph a) will likely make impossible or seriously affect the realisation of the objectives of this processing, or

(5)       for the assertion, exercise or defence of legal claims.

5.      Right to information

If you asserted the right of correction, deletion or limitation of the processing against the person responsible, he is obliged to inform all the recipients to which your personal data have been disclosed about this correction or deletion of the data or the limitation of processing, unless this turns out to be impossible or is connected with a disproportionate effort.

You have the right against the person responsible to be informed about these recipients.

6.      Right to data portability

You have the right to receive your personal data, which you have provided to the person responsible, in a structured, common and machine-readable format. Furthermore, you have the right to transfer these data to another person responsible without impeding the person responsible to which the personal data were provided, provided that

(1)       the processing is based on a consent according to art. 6 par. 1(a) GDPR or art. 9 par. 2(a) GDPR or on a contract according to art. 6 par. 1(b) GDPR and

(2)       the data are processed by means of automatic procedures.

With the exercise of this right you also have the right to effect that your personal data are transferred directly from a person responsible to another person responsible, provided this is technically possible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply for a personal data processing which is necessary for the performance of a task of public interest or in exercise of an official authority assigned to the person responsible.

7.      Right of objection

You have the right to file an objection, for reasons resulting from your particular situation, against the processing of your personal data, which takes place on the basis of art. 6 par. 1(e) or (f) GDPR, at any time; this also applies for profiling based on these provisions.

The person responsible does not process your personal data anymore, unless he can proof compelling and legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or unless the data are processed for the assertion, exercise or defence of legal claims.

If your personal data are processed for direct advertising, you have the right to file an objection against the processing of your personal data for the purposes of such advertisement at any time; this also applies for profiling, provided it is connected with such direct advertising.

If you object to processing for purposes of direct advertising, your personal data won´t be processed for these purposes anymore.

You have the possibility to exercise your right of objection by means of an automatic procedure in the context with the use of services from the information society, irrespective of guideline 2002/58/EG, for which technical specifications were used.

8.      Right to revoke the declaration of consent according to the data protection law

You have the right to revoke your declaration of consent according to the data protection law at any time. The revocation of the consent will not affect the legality of the processing prior to the revocation due to the previous consent.

9.      Automatic decision in individual cases including profiling

You have the right not to be subjected to a decision based on an exclusively automatic processing, including profiling, which has a legal effect against you or affects you significantly in a similar way. This does not apply, if the decision

(1)       is necessary for the conclusion or performance of a contract between you and the person responsible,

(2)       is permissible due to the regulations of the European Union or of the member states, to which the person responsible is subject, and if these legal regulations contain appropriate measures for the protection of your rights and freedoms as well as of your legitimate interests or

(3)       is made with your express consent.

These decisions, however, must not be based on special categories of personal data according to art. 9 par. 1 GDPR, unless art. 9 par. 2(a) or (g) applies and appropriate measures have been taken for the protection of your rights and freedoms as well as of your legitimate interests.

The user is not subjected to such an automatic decision in individual cases, including profiling, when he uses our app.

10.   Right of appeal to a supervisory authority

Without prejudice to another administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the member state of your residence, of your workplace or of the location of the presumed infringement, if you think that the processing of your personal data infringes the GDPR.

The supervisory authority to which the appeal has been filed, shall inform the complainant about the status and the results of the appeal, including the possibility of a judicial remedy according to art. 78 GDPR.