As of: 19.09.2024
In today's fast-paced and increasingly digital world, personal data is an important resource. Your data is valuable and must therefore be handled with the care required by various laws and regulations (GDPR, TDDDG, ...).
As a provider of local solutions (OnPremise), the manufacturer of signFLOW, Digital Data GmbH, places a clear focus on data protection and data security. For you, this means that only the necessary data is collected and stored (data minimization). Furthermore, current and secure technologies are used in processing.
Contact details of the manufacturer:
Digital Data GmbHContact the Data Protection Officer: privacy-flow@digitaldata.works
Your data is processed with confidence by:
Digital Data GmbHContact our Data Protection Officer: privacy-flow@digitaldata.works
You have previously provided the data mentioned under 3.1 to your business partner (the responsible entity). This transmission may have occurred verbally over the phone, in personal contact, via email, or via a contact form.
You transmit your digital signature independently when signing a document.
Your personal data will generally be anonymized when:
The legal basis for these retention periods includes:
Depending on the specific type of document, the retention period may vary. Additionally, the periods may be extended in case of irregularities, such as a pending or ongoing legal dispute.
The personal data defined under 3.1 is processed to:
In individual cases, data is processed separately by the IT department, particularly in response to support requests, or possibly forwarded to the manufacturer for further processing.
Data processing also occurs to ensure information security, especially for the identification and prevention of attacks, and for conducting internal and external audits, export controls, and sanctions list checks. Information may also be transmitted to the relevant authorities in accordance with Section 8 (2) VDG.
Your data is collected based on an impending or already existing business relationship.
The legal basis for the transmission to competent authorities is Section 8 (2) VDG. Requests from data subjects are processed in accordance with Articles 12 to 23 of the GDPR and Sections 32 to 37 of the Federal Data Protection Act (BDSG).
A legitimate interest of the responsible entity in accordance with Article 6 (1) (f) GDPR exists in the following cases:
Measures are taken for information security, which include both preventive technical and organizational measures as well as incident handling. The aim is to assess and avoid potential harm to the company, the individuals affected by data processing, and the users of trust services.
The collected data represents the minimum necessary for the digital signature. Without the data mentioned under 3.1, the service cannot be operated.
It is particularly important to provide a mobile number or a German landline number, as this is used for authentication and signature triggering as a second factor. Without this security mechanism, the service cannot be provided.
Systematic data transmission does not take place.
Data is only forwarded to the manufacturer for support services in exceptional cases. A valid data processing agreement (DPA) exists with the manufacturer, which ensures the security and integrity of the handling of your data.
When visiting certain pages, temporary cookies are used, which are necessary for the technical provision of the services. These so-called session cookies do not contain any personal data and are automatically deleted after the session ends. Methods such as Java applets or Active-X controls that could track user behavior are not used.
If you have questions about your data or wish to request correction, deletion, or restriction of processing, please send your request by mail or email to the address provided above. This also applies if you wish to object to the processing in accordance with Article 21 GDPR or request data portability.
If you have questions or complaints about a procedure, you can also contact us using the contact details provided. If you have further grounds for complaint, you can contact our supervisory authority. You can find out which supervisory authority is responsible for you here: Laender-node.html
Compliance with legal regulations and internal guidelines, including our Code of Conduct and the Code of Conduct for Business Partners, is our (the data processing entity's) top priority. This applies both to our own business operations and to our supply chains.
It is important to us to identify risks early and avoid violations. We aim to take appropriate measures in a timely manner to prevent potential harm to affected persons, customers, employees, business partners, and our corporate group.
For this reason, we have established an independent, neutral, and confidential whistleblower system that enables internal and external whistleblowers to submit reports, including anonymously. Through our transparent complaint procedure, we offer the greatest possible protection, especially to the affected persons, whistleblowers, and employees involved in investigating reported incidents.
Under this procedure, any actual or alleged violations of legal requirements, our Code of Conduct, or the Code of Conduct for Business Partners may be reported. Human rights or environmental risks, as well as breaches of duty along the entire supply chain of our group companies and in our own business operations, can also be the subject of a report.
Standardized and swift processes, as well as confidential and professional handling of the reports by internal experts, form the basis of this fair procedure. Discrimination or punishment of whistleblowers and individuals responsible for handling complaints and reports will not be tolerated.
The purpose of processing personal data is to manage the whistleblower system, which also includes identifying serious violations or potential violations of applicable law and other serious matters. The processing of this data is necessary to comply with legal obligations imposed on us, in accordance with Art. 6 para. 1 sentence 1 lit. c) GDPR. This refers to the law that enhances the protection of whistleblowers (Whistleblower Protection Act - HinSchG).
Additionally, the processing serves the legitimate interest of identifying serious violations or potential violations of applicable law and other serious matters, in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.
Regarding the processing of special categories of personal data, this is necessary based on the Whistleblower Protection Act for reasons of significant public interest, in accordance with Art. 9 para. 2 lit. g) GDPR. The processing of such special data is carried out in accordance with Art. 9 para. 2 lit. f) GDPR in conjunction with Art. 6 para. 1 sentence 1 lit. f) GDPR to establish, exercise, or defend legal claims.
Affected persons are those about whom a report is made. These can be employees, contractors, or other individuals in a business relationship with the data processing entity. Furthermore, we process personal data of the whistleblower if they provide their contact details or other identifying information. Whistleblowers should be aware that we may process personal data about them during the handling of the reported case.
Reports can be made anonymously, in which case no personal data of the reporting person will be processed. The type of personal data processed depends on the information provided. If the reporting person provides personal data about another individual, including the reported individual or persons, that data will also be processed. The following categories of personal data may be processed:
We ask the reporting person to only provide information relevant to the case and to avoid reporting sensitive information unless it is essential for handling the reported case.
It is not mandatory to provide the personal data mentioned in section 6.2, as anonymous reporting is also possible. However, please note that we may be unable to process the report if no personal data is provided.
Reports are logged in the system of the data processing entity as cases. After evaluation, these cases are forwarded internally to the relevant departments, and follow-up actions may be initiated. If a report involves one of the group companies of the data processing entity, the relevant cases are forwarded to the responsible individuals at the respective company, who will then conduct an internal evaluation and take action if necessary. When transferring personal data, the principle of data minimization is observed, meaning only the data strictly necessary for handling the report is shared.
Personal data of the whistleblower will be shared with authorities when necessary to address serious violations or issues, or to safeguard the right to defense of the affected persons. In other cases, personal data of the whistleblower will only be shared with their consent. Data about persons other than the whistleblower will only be shared in connection with the investigation of a reported case or to address serious violations or issues.
The reporting platform is provided by the processor WhistleB Whistleblowing Centre AB, based in Stockholm, Sweden. Further information about WhistleB and the corresponding terms of use can be found at: whistleb_terms_of_use.pdf
Personal data that is found to be irrelevant to the processing of a reported case, as well as reports deemed unfounded, will be immediately classified as "not relevant." In this case, the personal reference is removed unless the report was anonymous from the outset. To meet the legally required documentation obligations and deletion periods pursuant to § 11 para. 1 and para. 5 HinSchG, the report is initially archived without personal reference but is not yet deleted. Archived cases serve solely to fulfill these documentation obligations and can no longer be used for further processing.
Reports and personal data collected during the processing of a report form the basis for further handling and are anonymized as soon as possible. However, if it is necessary to take follow-up actions pursuant to §§ 3 para. 8 and 18 HinSchG, it may be necessary to deviate from anonymization, whether due to official orders or to protect legal claims. In such cases, pseudonymization is generally sought, unless other directives apply, such as a court order. Documentation is deleted three years after the conclusion of the process, but it may be retained longer if required to meet the requirements of this law or other legal provisions, as long as it remains necessary and appropriate.