Privacy Information for the Remote Signature System signFLOW

1. General Information

In today’s fast-paced and increasingly digital world, personal data is a valuable resource. Your data is important and must be handled with care as mandated by various laws and regulations (GDPR, TDDDG, ...).

As a provider of on-premise solutions, the manufacturer of signFLOW, Digital Data GmbH, places a clear emphasis on data protection and data security. For you, this means that only the necessary data is collected and stored (data minimization). Additionally, the processing is done using the latest and considered secure technologies.

Manufacturer's Contact Information:

Contact for Data Protection: privacy-flow@digitaldata.works

2. Responsible Party for Data Processing

Your data will be processed confidentially by:

Contact our Data Protection Officer: privacy-flow@digitaldata.works

3. Data Collection

3.1 The following categories of personal data are processed:

• Names: First and last names, and your digital signature
• Contact details: Phone number, mobile phone number, and email address
• Technical data: IP address, time of access, or attempted access

3.2 Source of personal data

You have previously provided the data listed in 3.1 to your business partner (the responsible party). This submission may have occurred orally by phone, in person, via email, or through a contact form.

You submit your digital signature independently when signing a document.

3.3 Retention periods / storage duration

• Automatic email correspondence is stored for 6 years.
• Signed contracts are stored for the duration of their term plus 10 years.
• The technical process is stored indefinitely in the signFLOW software solution depending on the type of document or contract.

Your personal data will generally be anonymized when:

• The contract has expired and the legal retention period has passed.
• The contract was rejected by you or never signed.

The legal bases for these retention periods include:

• Commercial Code (HGB)
• Tax Code (AO)
• Principles for the proper management and storage of books, records, and documents in electronic form and access to data (GoBD)

3.4 Purpose of processing

The personal data defined in 3.1 is processed to enable the technically necessary process. This includes identity verification, application review, billing, and documentation obligations.

3.5 Lawfulness of processing

Your data is collected based on a developing or existing business relationship.

The legal basis for transferring data to responsible authorities is §8 para. 2 VDG.

3.6 Legitimate interests

There is a legitimate interest of the responsible party according to Art. 6 para. 1 lit. f GDPR, especially in information security and damage prevention.

3.7 Necessity of the data

The data collected represents the minimum necessary for the purpose of a digital signature.

3.8 Data sharing

Data is only shared with the manufacturer in exceptional cases for support services.

4. Use of Cookies

Temporary cookies are used when visiting certain pages, which are necessary for the technical provision of the services.

5. Rights of Data Subjects

If you have questions about your data or wish to request rectification, deletion, or restriction of processing, please send your inquiry by post or email to the address listed above. You can also object to the processing under Art. 21 GDPR.

6. Whistleblower System

We have established an independent, neutral, and confidential whistleblower system that allows internal and external whistleblowers to submit reports anonymously. This system serves to uncover serious violations of applicable law and other significant matters.

6.1 Purpose and legal basis of data processing

The purpose of the processing is to manage the whistleblower system, which fulfills legal obligations under Art. 6 para. 1 lit. c GDPR.

6.2 Categories of personal data

General personal data, data related to criminal convictions, and special categories of personal data may be processed.

6.3 Obligation to provide personal data

Providing personal data is not mandatory, as anonymous reporting is also possible.

6.4 Recipients of personal data

Reports are processed by the relevant department and forwarded to the appropriate divisions. Data is only shared when legally required or with the consent of the whistleblower.

6.5 Retention period

Personal data that proves irrelevant will be anonymized or deleted. Archived reports are deleted after 3 years following the conclusion of the process and documentation obligations.