Responsible for the LOFINO service
Phone: + 030 / 25 92 49 47-11
Name and address of the data protection officer
60318 Frankfurt am Main
Data protection notice according to Art. 13 DSGVO
§ 1 General
Every citizen has the constitutionally guaranteed right to decide on the use of his or her personal data. For this reason, it is our duty to protect the data you entrust us with when using the app. In the following, we would like to show you what data we collect from you, what happens with this data and what security measures we have taken to protect this data from misuse. By this transparent and comprehensible information of our data protection regulations we want to ensure that customers are well informed about the collection, processing and use of personal data.
1. General information on data processing
Unless otherwise specified, the following applies to all processing operations described below:
a) No obligation to provide & consequences of not providing
The provision of personal data is not required by law or contract and you are not obliged to provide data. We will inform you during the input process if the provision of personal data is required for the respective service (e.g. by designating it as a „mandatory field“). If data is required, failure to provide it will result in the inability to provide the service in question. Otherwise, failure to provide data may mean that we cannot provide our services in the same form and quality.
In various cases you have the possibility to give us your consent to further processing in connection with the processing described below (if necessary for part of the data). In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of the consent and about the purposes we pursue with these processing operations. The processing operations based on your consent are therefore not listed here again (Art. 13 para. 4 DSGVO).
c) Transmission of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, the transfer will only take place in compliance with the legal requirements for admissibility.
If the transfer of the data to a third country does not serve to fulfill our contract with you, if we do not have your consent, if the transfer is not necessary for the assertion, exercise or defense of legal claims and if no other exception under Art. 49 DSGVO applies, we will only transfer your data to a third country if an adequacy finding under Art. 45 DSGVO or suitable guarantees under Art. 46 DSGVO are available.
One of these adequacy decisions is Commission Decision (EU) 2016/1250 of 12.07.2016 on the implementation of the so-called „EU-US Privacy Shield“ for the USA. For transmissions to companies certified under the EU-US Privacy Shield, the level of data protection is generally considered adequate within the meaning of Art. 45 DSGVO.
Alternatively or additionally, by concluding the EU standard data protection clauses issued by the European Commission with the receiving body, appropriate guarantees in accordance with Art. 46 para. 2 c) DSGVO and an adequate level of data protection are created. Copies of the EU standard data protection clauses can be obtained from the European Commission’s website, available here.
d) Hosting with external service providers
Our data processing is carried out to a large extent by so-called hosting service providers who provide us with storage space and processing capacities in their computer centres and who also process personal data on our behalf in accordance with our instructions. It may happen that personal data is transferred to hosting service providers for all of the functionalities mentioned below. These service providers either process data exclusively in the EU or we have guaranteed an adequate level of data protection by means of the EU standard data protection clauses (see under c.).
e) Transmission to governmental authorities
We transmit personal data to state authorities (including law enforcement agencies) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 para. 1 c) DSGVO) or if it is necessary to assert, exercise or defend legal claims (legal basis: Art. 6 para. 1 f) DSGVO).
f) Storage period
In the section „Storage period“ you will find information on how long we use the data for the respective processing purpose. After this period has elapsed, the data will no longer be processed by us, but will be deleted at regular intervals unless continued processing and storage is required by law (in particular because it is necessary to fulfill a legal obligation or to assert, exercise or defend legal claims) or you give us consent that goes beyond this.
g) Duration of function of cookies
The data processing described in the following sections is partly carried out with the help of cookies. The information stored in a cookie can only be accessed via the Internet by the operator of the web server that originally set the cookie. Access by third parties in this way is not possible. The cookies have different functional durations. Some cookies are only active during a session and are deleted afterwards, others function for longer periods of time, but usually for less than a year. A cookie is deleted after the function duration has expired. You can manage cookies using the functions (usually under „Options“ or „Settings“). This can deactivate the storage of cookies, make it dependent on your consent in individual cases or otherwise restrict it. You can also delete cookies at any time.
h) Names of data categories
In the following sections, the following summary category names are used for certain types of data:
- Account data: Login/user ID and password
- Person master data: Title, salutation/gender, first name, last name, date of birth
- Address data: Street, house number, address supplements if necessary, postal code, city, country
- Contact details: Phone number(s), fax number(s), e-mail address(es)
- Registration data: Information about the service you have registered for; dates and technical information about registration, confirmation and cancellation; data you provided during registration
- Order data: Ordered products, prices, payment and delivery information
- Payment details: Account data, credit card data, data for other payment services like Paypal
- Usage data press distribution list: Accreditation topic, accreditation date, consent to restriction of use/declaration of consent, downloads of press materials
- Usage profile data newsletter: opening of the newsletter (date and time), contents, selected links, in addition the following information of the accessing computer system: used internet protocol address (IP address), device type, operating system and similar technical information.
- Access data: Date and time of the visit to our service; the page from which the accessing system reached our site; pages called up during use; data for session identification (session ID); also the following information of the accessing computer system: Internet protocol address (IP address) used, device type, operating system and similar technical information.
2. Important terms
Cookies: The stored cookie information can contain both an identification (cookie ID), which is used for recognition, as well as content information such as registration status or information about visited websites.
Third countries: Countries outside the European Union (EU)
DSGVO/GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (basic data protection regulation), available here.
Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, on-line identification, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Profiling: Any automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular with a view to analysing or predicting aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, conduct, location or change of location of that natural person.
Tracking: The collection of data and its evaluation with regard to the behaviour of visitors to our services.
Tracking technologies: Tracking can be carried out both via the activity protocols (log files) stored on our web servers and by means of data collection from your end device via pixels, cookies and similar tracking technologies.
Processing: Any operation or set of operations performed on personal data, with or without the use of automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, querying, using, disclosing by transmission, dissemination or otherwise making available, matching or combining, restricting, deleting or destroying.
§ 2 Personal data
Personal data is any information relating to an identified or identifiable natural person (e.g. name, address, telephone number, date of birth or e-mail address). In principle, you can use our range of services without providing personal data. However, the use of certain services may require you to provide personal data. These are:
- IP address
- Date and time of the request
- Content of the call (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes
- Operating system and its interface
- Language and version of the software
§ 3 Legal basis and processing purposes
We process your personal data for the following purposes:
- Provision of the service offer and fulfillment of the contract in accordance with the service contract with the employer. (Storage of document data such as name, address, date, time, description of the goods or services of the document manufacturer listed in the document)
- Personnel master data entered by the employer (name, personnel number, business contact data, date of birth) for the provision of the service and fulfillment of the contract
- Contacting for processing your enquiries and the contractually agreed service
- Storage of voucher data established by the service contract
- Registration and use of the LOFINO modules
- User data is not evaluated for other commercial purposes. (Users are therefore expressly not sent any commercial offers.)
The legal basis for data processing is the contract with the employer in conjunction with an agreement on commissioned processing (Art. 28 DSGVO). Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person or your personal consumer behaviour.
§ 4 Establishment of contact
When contacting LOFINO GmbH (e.g. via contact form or e-mail), the user’s details will be stored for the purpose of processing the enquiry and in the event that follow-up questions arise.
§ 5 Passing on of data to third parties
Your personal data will only be given to third parties by us if this is necessary for the fulfillment of the contract. (For example, the voucher data is checked for plausibility and stored on the server to create salary import files).
In addition, data may be transferred to third parties if we should be obliged to do so by law or by an enforceable official or court order.
§ 6 Registration in the LOFINO App
The data entered during registration will be used for the purpose of administration of the service. Users can be informed about information relevant to registration, such as changes in the scope of services or technical circumstances by e-mail or push message. The collected data is visible during the registration process. This includes as restricted data: Personnel number, name, first name, company name and e-mail address. Some services require address, telephone number and date of birth. Only the restricted data is used to create the access.
§ 7 Service provider
We reserve the right to use service providers based in the European Union when collecting or processing data. Service providers are only granted access to personal data that they require for their specific activities. Service providers are usually integrated as so-called contract processors, who may only process personal data of users of this service offer according to our instructions.
§ 8 Duration of storage; retention periods
We store your data for as long as necessary to provide our range of services and associated services. In other cases, we will delete your personal data, with the exception of data that we must continue to hold in order to fulfil contractual or legal (e.g. tax or commercial law) retention periods (e.g. receipts and invoices for examination by tax authorities).
§ 9 Rights of data subjects
You have the right to lodge a complaint with a data protection authority. You can contact the data protection authority responsible for your place of residence or your state or the data protection authority responsible for us. This is:
(1) You have the right to demand information from us at any time about the data stored about you by us, as well as its origin, recipients or categories of recipients to whom the data is passed on and the purpose of storage.
(2) If you have given your consent to the use of data, you can revoke this consent at any time.
(3) Please send all requests for information, requests for disclosure or objections to data processing by e-mail to email@example.com.
§ 10 Right of complaint to the supervisory authority
The State Commissioner for Data Protection and the Right of Access to Files (LDA Bbg)
Stahnsdorfer Damm 77, 14532 Kleinmachnow
Tel.: 033203/356-0, Fax: 033203/356-49
§ 11 Contact
For information and suggestions on the subject of data protection, please contact us or our data protection officer at firstname.lastname@example.org. If you would like to contact us, you can reach us via the contact details at the beginning of this data protection policy.
§ 12 Safety precautions and technical information
(1) We maintain current technical measures to ensure data security, in particular to protect your personal data from risks during data transmission and from third parties gaining knowledge of them. These measures are adapted to the current state of the art. Our computer centre, HSB Steuerberatung as well as the IT department continuously adapt the technical security measures to the current circumstances and requirements. Both are subject to control by the data protection officer. Nevertheless, Internet technologies can have security gaps, so comprehensive protection cannot be guaranteed one hundred percent.
(2) All employees of our company are regularly trained in data protection and are committed to data protection.
§ 13 Use of Google Analytics
(1) This application uses Google Analytics, a web analysis service of Google Inc. („Google“). Google Analytics uses so-called „cookies“, text files which are stored on your computer and which enable an analysis of your use of the application. The information generated by the cookie about your use of this application is usually transferred to a Google server in the USA and stored there. In the event that IP anonymisation is activated in this application, however, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of Lofino, Google will use this information for the purpose of evaluating your use of the application, compiling reports on website activity and providing other services relating to website activity and internet usage for the operator.
(2) The IP address transmitted by Google Analytics is not combined with other data by Google.
(3) You can prevent the storage of cookies by adjusting your software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of this application to their full extent.
(4) You can also prevent the data generated by the cookie and related to your use of the application (including your IP address) from being collected by Google and processed by Google by downloading and installing the plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(5) This application uses Google Analytics with the extension „anonymizeIp()“, which allows IP addresses to be processed in a shortened form, thus excluding any direct personal reference.
§ 14 Push notifications
Below we describe how your personal data is processed when you subscribe to so-called push notifications via our services (i.e. messages that are sent to your mobile device even if you are not using our app at the time).
You can turn these push notifications on and off in the app settings of your mobile device. When you activate push notifications for the first time – e.g. when you start the app for the first time – a unique identification number of your mobile device (device ID) is communicated to the service of your operating system provider that provides the push functionality (for Android: „Firebase Cloud Messaging“, for iOS: „Apple Push Notification Service“). This service returns a so-called identifier („Push Notification Identifier“), which no longer allows any conclusions to be drawn about the device ID and thus about you as a user. The communication with the push server will then always take place with this identifier. This ensures that the device ID is not used any further within the LOFINO app.
a) Purpose of data processing and legal basis as well as legitimate interests, storage period
Data category: Push Notification Identifier
Purpose: Delivery of push messages at the request of the user
Legal basis: Article 6(1)(b) DSGVO
Storage period: Duration of the use of the Push Service
b) Recipients of the personal data
Recipient category: Provider of the push functionality (for Android: „Firebase Cloud Messaging“, for iOS: „Apple Push Notification Service“)
Data concerned: Device ID/ device recognition
Legal basis: Article 6(1)(b) DSGVO