Data Protection Statement
From May 25, 2018, the requirements of the EU General Data Protection Regulation will apply throughout Europe. We would like to inform you about the processing of personal data carried out by our company in accordance with this regulation (see Articles 13 and 14 of the GDPR). If you have any questions or comments about this data protection declaration, you can send them to the e-mail address given under point 2 or 3 at any time.
In this section, you will find information on the scope of application, on the person responsible for data processing, on its data protection officers, and on data security.
1. Scope of application
Data processing by Open as App GmbH can essentially be divided into two categories:
- All data required for the execution of a contract with Open as App GmbH will be processed for the purpose of contract processing. If external service providers are also involved in the processing of the contract, your data will be passed on to them to the required extent.
- When you access the Open as App GmbH website, portal, and app client, various information is exchanged between your end device and our server. This may also include personal data. The information collected in this way is also used to optimize our website or to display advertising in your terminal’s browser.
- Our online offer, available at openasapp.com;
- to other offers where we refer to this data protection declaration from one of our offers (e.g. websites, subdomains, mobile applications, web services, or integrations in third-party sites or third-party systems), regardless of how you call it up or use it.
All these offers are collectively referred to as “Services”.
The person responsible for data processing – i.e. the officer who decides on the purposes and means of processing personal data – in connection with the services of the Data Protection Officer at:
Open as App GmbH,
Amalienstr. 62, 80799 Munich, Germany
Phone: +49 (0)89 3801 2952-1
3. Data Protection Officer
You can contact our data protection officer via this website: https://www.dsextern.de/anfragen
DS EXTERN GmbH
Graduate of Commerce Marc Althaus
Frapanweg 22, D-22589 Hamburg/Germany
4. Data Security
We have established an information security management system in our company in order to develop the measures required in Art. 32 of the GDPR and thus achieve a level of protection appropriate to the risk.
II. The Data Processing in Detail
In this section of the data protection declaration, we inform you in detail about the processing of personal data within the scope of our services. For better clarity, we’ve structured this information according to certain functionalities of our services. In the normal use of the services, different functionalities and thus also different processes can come into effect, either one after the other or simultaneously.
1. General information about data processing
Unless otherwise stated, the following applies to all processing operations described below:
a. No obligation to provide
You are not obliged to provide data. There is no contractual or legal obligation to provide personal data.
b. Consequence of non-provision
Failure to provide the required data, i.e. data that is marked as mandatory during entry, means that the service in question cannot be provided. Otherwise, failure to provide data may mean that our services cannot be provided in the same form and quality.
In various cases, you also have the option of giving us your consent (where applicable for only part of the data) to further processing in connection with the processing described below. In this case, we’ll inform you separately about all the details, the scope of the consent, and about the purposes which we pursue with these processing steps in connection with the submission of your declaration of consent.
d. Transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, then the transfer takes place exclusively in compliance with the legally-regulated admissibility requirements.
The admissibility requirements are regulated by Articles 44-49 of the GDPR.
e. Hosting with external service providers
To a large extent, our data processing takes place with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centers and also process personal data on our behalf in accordance with our instructions. These service providers either process data exclusively in the EU, or we have guaranteed an adequate level of data protection through the EU standard data protection clauses.
f. Transmission to state authorities
We transfer personal data to state authorities (including law enforcement authorities) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 para. 1 c) of the GDPR) or if it is necessary to assert, exercise or defend legal claims (legal basis Art. 6 para. 1 f) of the GDPR).
g. Storage time
We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary storage is still necessary. The reasons for this could be, for example, the following:
- The fulfillment of commercial and tax-related retention obligations
- Obtaining evidence for legal disputes within the framework of the legal statute of limitations
It is also possible for us to continue to store your data with us if you have given your express consent.
h. Data categories – contact and usage-related data
If you work with Open as App, you can submit certain data to us. Some data is also created automatically. This data includes:
- Account information: Login/user ID and password; user ID; automatically-generated device ID; type of use (commercial/non-commercial); preferred language; user role
- Personal master data: Title, Salutation/Gender, First name, Last name, Date of birth
- Company data: Name, VAT number, Purchase Order number
- Address data: Street, house number, address suffixes (if applicable), ZIP, city, country
- Contact information: Telephone number(s), fax number(s), e-mail address(es)
- Login details: Information about the service through which you have logged in; dates and technical information on login, confirmation, and cancellation; data provided by you when you logged in
- Ordering data: Ordered products, prices, payment, and delivery information
- Payment data: Account data, credit card data, data on other payment services such as PayPal
- Access data: Date and time of your visit to our service; the page from which the accessing system came to our Internet site; pages accessed during use; (session ID) and the following information about the accessing computer system: Internet protocol address (IP address) used, browser type and version, device type, operating system, and similar technical information.
- Usage data: List of end devices of the user (e.g. to send transaction-based messages), access logs for contents, changelogs for contents, server logs with direct (user ID) or indirect reference (company ID), for example: “on 2018-04-20 at 12:46, was called from Germany, page https://cms-staging.openasapp.com/nutzer/123/intern”
- Application data: Curriculum vitae, certificates, proofs, work samples, certificates, pictures
i. Data categories – content data
You can store a variety of data and images in your Open as App account. There is no obligation to upload this data. Open as App does not access this data in your account or will do so only with your explicit permission, e.g. in case of a support request.
This data includes, for example, App user list, user groups, user-created apps, user-stored app conditions (such as a calculated offer), user-created comments, access control lists (list of content to which the user has access), content subscriptions (list of content that the user consumes and for which he wants to receive updates, similar to the “Like/Follow” concept).
2. Accessing the website/application
This section describes how we process your personal data when you access our services. We would particularly like to point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functioning of information transmission on the Internet.
We collect access data in order to ensure the proper functioning of our services, the security of data and business processes, the prevention of misuse, and the prevention of damage caused by interference with the information system. The data is processed to establish a connection, to display the contents of the service, to detect attacks on our site based on unusual activities, and to diagnose errors (according to Art. 6 Para. 1 f) of the GDPR). We store this data for seven days.
To provide and improve our services, we also cooperate with providers who create and compile statistics, as well as providers of IT services (e.g. data centers and providers of hosting, backup and database services). These technical service providers have access to your data only to the extent necessary to perform their tasks. The technical service providers are obliged to treat your data in accordance with this data protection declaration and the applicable data protection laws.
This order processing is carried out in accordance with Art. 28 of the GDPR. Our service is hosted and provided in the Azure Cloud Europe. Data is hosted and availability and usage data are collected. We use the European provider MailJet SAS (e-mail address) to transmit system messages by e-mail. To improve the user experience and to monitor errors, we use Sentry and AppCues, which process data that can be used to identify the user, e.g. an IP address or App ID. For easy access to content within the app, we use Branch.io to provide deep links that may also be associated with user identification. Branch.io uses various features to recognize your device in order to be able to show you the content intended for you after the app has been installed. An “Opt-Out” for this so-called fingerprinting is possible via the following page: https://branch.app.link/optout.
You can use data you share with other cloud providers to create an app, e.g. Google OAuth/Google Sheets/Google Drive/OneDrive/Dropbox. Interaction with these third parties only takes place with explicit consent.
3. Marketing information
Here you can read what happens to your personal data in connection with a subscription to marketing information in accordance with Art. 6 Para. 1 letter b) of the GDPR. Your data will be stored for the duration of the information subscription, provided there are no further documentation obligations.
To send marketing information by e-mail, you can register with your e-mail address. Your registration will be verified using the double-opt-in procedure. We collect additional personal data to personalize our information. We also document the registration data in order to be able to trace the registration/confirmation or deregistration if required. We use the user profile data for marketing information, the use of the account, or your role in the account to design information according to your needs and interests.
We use third-party systems to process all of the above data. We use HubSpot (Privacy Shield) to improve our services, provide advertising content, and automate information processes. You can make appointments directly with us using the Calendly service. We use Salesforce (Privacy Shield) to manage our sales and customer data. As a payment service for credit card processing, we use Stripe and Quaderno, where contact and financial data is processed. Wistia is used to provide videos and marketing information in our services. An IP address is transmitted when a film is viewed.
When you apply to us, we process your personal data in the following way (according to Art. 6 Par. 1 b) of the GDPR): In order to identify you, make contact, communicate, initiate contracts and check your age, we require address data, contact data and personal master data that you provide to us in your application. Your application data will be used to select a suitable applicant. The data is processed by the department responsible for application management. We delete this data after six months unless you have given us permission to store this data for a longer period of time.
5. Customer Support
This is how we process your personal data if you use our customer service (Article 6 paragraph 1 b), f)): In order to process your customer inquiries and user complaints, we require personal master data, contact data as well as the contents of the inquiries/complaints. Your IP address, e-mail address, and your request will be processed with Zendesk. You actively enter the e-mail address when creating the ticket in the help area. We store this data as long as your account exists. On Readme.io you can read technical details about our service. If you leave comments there, your e-mail address may be passed on to Readme.io.
Below we describe how your personal data is processed using tracking technologies to analyze and optimize our services and for advertising purposes.
The description of the tracking procedures also includes information on how you can prevent or object to data processing. Please note that the so-called “Opt-out”, i.e. the rejection of processing, is usually stored via cookies. If you use our services via a new terminal or in another browser, or if you have deleted the cookies set by your browser, you must declare your rejection again.
(1) Purposes of the processing
The analysis of user behavior via tracking helps us to check the effectiveness of our services, to optimize and adapt them to the needs of the users, and to correct errors. It also serves to statistically determine characteristic values about the use of our services (range, the intensity of use, surfing behavior of users) – on the basis of uniform standard procedures – and in this way to obtain market-wide comparable values.
Tracking to measure the success of advertising campaigns serves to optimize our ads for the future and enables marketers and advertisers to optimize their ads accordingly. The purpose of tracking to optimize the display of advertising is to show users advertising tailored to their interests, to increase the success of advertising, and consequently advertising revenues.
(2) Legal basis of the processing
Informed consent within the meaning of the GDPR is required for services that make the behavior of affected persons on the Internet comprehensible and for services for the creation of user profiles.
(3) The tracking procedures used in detail
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie on your use of this website is usually transmitted to the Google server in the US and stored there. If IP anonymization is activated on this website, your IP address will, however, be truncated by Google within Member States of the European Union or in other member states party to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website and Internet use. The IP address transmitted by your browser to Google Analytics is not merged with other Google data. Google Analytics data may not be passed on without the customer’s consent unless special circumstances such as legal requirements exist. To prevent this tracking procedure, you can disallow it at tools.google.com/dlpage/gaoptout?hl=de.
If you choose not to receive interest-based advertising, you can also visit the website http://www.youronlinechoices.com/de/, click on “Preference Management” and follow the instructions to completely or individually prevent the use of data for interest-based advertising by the service providers listed there. You will still receive advertising that is not interest-based.
Marketing cookies are used to follow visitors to websites. The intent is to show ads that are relevant and engaging to the individual user and therefore more valuable to publishers and third-party advertisers.
7. Social Media-Plugins
To enable single sign-on, we offer you the option of registering directly at Open as App from your existing Microsoft Active Directory profile. You can also share apps via social media platforms.
This website may contain additional plugins from social networks such as Facebook, Google+, Twitter, or Pinterest, which are operated by third parties and via which messages can be sent to the corresponding social network with the help of a button, e.g. to rate, recommend or share content. In this way, we pursue the purpose and the legitimate interest in making our services better known. We configure our services so that data transmission does not take place until you press the button. The legal basis for data transmission, in this case, is Art. 6 I f) of the GDPR. The respective provider is responsible for processing the transmitted data in compliance with data protection regulations.
- Microsoft, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, https://privacy.microsoft.com/en-us/privacystatement
- Facebook, Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA, https://en-us.facebook.com/about/privacy/
- Twitter, Twitter Inc., 539 Bryant Street, Suite 402, San Francisco, CA 94107, USA, https://twitter.com/en/privacy
- LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, https://www.linkedin.com/legal/privacy-policy
- Xing, XING SE, Dammtorstraße 30, 20354 Hamburg, Germany, e-mail: email@example.com; https://privacy.xing.com/en/your-privacy
8. Implemented Technologies
III. The Rights of Affected Persons
1. Right to object
If we process your personal data for direct marketing purposes, you have the right to object at any time (with effect for the future) to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, if it is associated with such direct marketing.
You also have the right to object at any time, for reasons arising from your particular situation, with future effect, to the processing of personal data concerning you in accordance with Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
You can exercise your right of objection free of charge.
You can contact us using the contact details listed at I.2.
2. The right to information
You have the right to know whether we process personal data concerning you, what personal data this may be, and further information in accordance with Art. 15 of the GDPR.
3. The right of rectification
You have the right to request us to correct any incorrect personal data concerning you without delay (Art. 16 of the GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – even by means of a supplementary declaration. Please contact us at firstname.lastname@example.org
4. The right to cancellation (“The right to be forgotten”)
You have the right to demand from us that personal data concerning you be deleted immediately, provided that one of the reasons specified in Art. 17 para. 1 of the GDPR applies and the processing is not required for one of the purposes regulated in Art. 17 para. 3 of the GDPR. Please contact us at email@example.com
5. The right to restriction of processing
You are entitled to demand a restriction on the processing of your personal data if one of the conditions laid down in Article 18, paragraph 1, letters a) to d) of the GDPR is met.
6. The right to data transferability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common, and machine-readable format. You also have the right to transmit this data to another responsible person without any hindrance on our part, or to arrange for direct transmission by us, if this is technically possible. This should always apply if the data processing is based on consent or on a contract and the data is processed automatically. This does not apply to data stored in paper form only.
7. The right of revocation when consent has been given
If the processing is based on your consent, you have the right to revoke your consent at any time. The lawfulness of the processing on the basis of the consent until the revocation will not be affected.
8. The right of appeal
You have the right of appeal to a supervisory authority.