Important note on use
This document contains an example (sample), provided free of charge, of data protection notices to users/employees concerning the ATINO employee app.
The customer is responsible for the content of the data protection information. ATINO acts as a processor for the “Cloud” option and is likewise not a controller under data protection law for the “On-Premise” function. The customer alone is thus responsible for compliance with the information obligations under the GDPR.
ATINO does not provide legal advice and does not guarantee the legal conformity of the sample. The customer must check the content of the sample himself or through a competent third party and adjust it if necessary.
The passages marked in red must be checked and adapted!
Data protection information for the [customer name] employee app
With this data protection information we inform you about the processing of your personal data by us when you
– use our employee app [name of the employee app] (“App”), or
– visit the web interface under [domain of the web interface], e.g. to use functions of the app in the browser or to log in as an administrator or editor in the backend.
We will explain to you the information available to you under the EU’s General Data Protection Regulation (GDPR).
The Employee App and the Web Interface are hereinafter collectively referred to as “MAPP”.
Our general data protection information for employees also applies.
2. Responsible person and data protection officer
We are the responsible party: company, address, e-mail, telephone of the customer.
Contact details of the data protection officer: address, e-mail, telephone of the client’s data protection officer, if applicable.
3. User account and master data
To use MAPP, you need a user account. You can either create this yourself or we can create it for you.
The following master data is assigned to the usage account:
– Access data (e.g. e-mail and password)
– Contact details (e.g. name, business email address, telephone number)
– Organisational data (e.g. company, department, groups, role, supervisor)
– Roles and rights (e.g. reading and editing rights of contributions)
Your mobile phone number is not required to use MAPP.
We may also use your email address within MAPP for system-related emails, e.g. notice of changes to privacy notices or workflow notifications (e.g. approvals granted). As part of the registration process, you may receive an email to your business email address asking you to click a link. This is to ensure that the email address is assigned to you.
We generally store the master data in MAPP for the duration of your user account; this corresponds to the time of your employment with or for us. Your data will also be deleted if you or we delete your user account, e.g. if we discontinue the Employee App as a whole or you decide you no longer wish to use MAPP. To delete your user account, please contact us (add contact details for an employee to contact if they wish to delete their user account).
Within MAPP, your contact and organisation data are generally visible to all other MAPP users of our company. However, you cannot use MAPP without your data. There is no obligation to use MAPP.
4. Individual app functions
Below we explain how we handle your data when you use individual functions of MAPP. This may also describe functions that are not (yet) available to you.
5. Notifications on mobile devices (push notifications)
We can send push notifications to your device if it is running the iOS or Android operating system. Push notifications are messages that are displayed on your end device even if you are not currently using the employee app. It is therefore a function of the operating system provider and not the employee app itself.
You can individually set the receipt of push notifications in the settings menu of the employee app. You can also disable the delivery of our push notifications in the operating system settings of your mobile device.
We use push notifications, e.g. to inform you about incoming messages. MAPP can also be used without the push function.
For the delivery of push notifications, we need to hand over the content of the notifications to a technical service of your operating system provider. In the case of end devices with the Android operating system, this is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and takes place as part of the “Firebase Cloud Messaging” service; in the case of iOS, this is Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014. The addressing of your device takes place technically via a pseudonymous identification number which is provided to us by your operating system provider and which only applies to our app and your specific end device. We do not transmit any information that directly identifies you, such as your name or email address, to the operating system provider.
The basis for a data transfer to the USA, as an unsafe third country within the meaning of the GDPR, is the provision of the push functionality expressly requested by you, Art. 49 (1) b) GDPR (performance of contract).
6. Data processing for analysis purposes
6.1. Server log files (web interface)
In principle, we do not keep any server log files. We only activate logging when it is necessary for troubleshooting. In this case:
When you call up an individual page of the web interface, our web servers record in a log file the address (URL) of the page called up, the date and time of the call-up, any error messages and, if applicable, the operating system and browser software of your end device as well as the website from which you are visiting us. We also store the IP address of your computer in our log files.
The log file data is used by us exclusively to ensure the functionality of our services (e.g. error analysis, guarantee of system security and protection against misuse) and deleted after problem resolution, at the latest after 7 days, or shortened in such a way that a personal reference can no longer be established.
Insofar as log file data qualify as personal data in individual cases, the legal basis for the processing of log file data is our legitimate interest (error analysis, ensuring system security and protection against misuse).
6.2. Usage statistics
We collect anonymous usage statistics about which functions and pages were used and how often. These are simple counters. There is no association with your device, your user account or your name, and no pseudonymous profiles are created. No third-party service providers are used to compile usage statistics.
7. System permissions (apps)
The employee app requires the following system permissions on your end device and uses them as follows:
– Camera: so that you can take photos in the employee app and send them to us (e.g. holiday application).
– Storage: for sending photos that you have saved on your end device (e.g. photo of the holiday application from your gallery).
– Internet access: for communication with our servers, e.g. retrieving content, sending chat messages.
Cookies are small text files that are stored in the browser of your end device and transferred to us each time you visit our website.
When you log in to the web interface with your user account, our server sets a cookie on your computer: this contains a random code and is technically necessary because it serves to recognise you as a logged-in user. This cookie is deleted when you close the browser (so-called “session cookie”).
9. Supplementary information on the obligation to provide data, legal basis, data recipients and storage period
Unless otherwise stated in this privacy notice, the following applies:
9.1. Obligation to provide
You are not obliged to provide data. Mandatory information in input forms is marked as such, e.g. by an asterisk (*).
9.2. Legal basis
MAPP is a working tool. The provision by us is voluntary, as is the use by you. In this respect, we provide you with the work tool to facilitate the fulfilment of your employment contract rights and obligations. In this respect, the legal basis is the implementation of the employment relationship (contract implementation, Art. 6 para. 1 lit. a GDPR, § 26 BDSG).
Insofar as MAPP is not used in the context of a direct employment contract, the provision of data takes place within the framework of the balancing of interests and serves to protect our and your legitimate interest in a modern communication platform that is basically available “everywhere and at all times” on mobile devices to improve and facilitate the exchange of information between our employees.
9.3. Data recipients and data exports
Within the company responsible for data protection, your data will be passed on to the relevant departments, e.g. the human resources department.
For the technical operation of the servers for the administration of push messages and for the provision of the web interface, we may use technical service providers within the EU bound by instructions within the framework of so-called order processing, in particular for the operation and maintenance of the server on which your data is stored and the web interface is provided.
We currently use ATINO GmbH for this purpose, and they in turn use the hosting providers HostEurope and OVH.
Unless otherwise stated in this privacy notice, we do not transfer your data to countries outside the EU and the EEA for which the EU Commission has not determined that they guarantee an adequate level of data protection compared to the EU (no transfers to so-called “unsafe third countries”).
9.4. Storage period
We measure the storage period for your data based on the specific purposes for which we use the data. In addition, we are partly subject to statutory storage and documentation obligations, which result in particular from the German Commercial Code (HGB) and the German Fiscal Code (AO). Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years.
On the device on which you have installed the Employee App, the data stored by the Employee App is deleted when
– you uninstall the app
– your user account ends or is deleted.
Insofar as your data is stored on our server in the backend, the explanations in this data protection information apply.
10. Your GDPR rights
By law, we are obliged to inform you of your rights under the GDPR. We explain these rights below. You are entitled to these rights under the conditions of the respective data protection regulations. The following presentation does not grant you any further rights.
You have the right to request confirmation from us as to whether we are processing personal data relating to you; if this is the case, you have a right of access to this personal data and to the information listed in detail in Article 15 of the GDPR.
You have the right to demand that we correct any inaccurate personal data relating to you and, if necessary, complete any incomplete personal data without delay, Art. 16 GDPR.
You have the right to demand that we delete personal data relating to you without delay if one of the reasons listed in detail in Article 17 of the GDPR applies, e.g. if the data is no longer required for the purposes pursued.
10.4. Restriction of processing
You have the right to demand that we restrict processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if you have objected to the processing, for the duration of the review by us.
10.5. Data portability
You have the right, under certain conditions, to receive data concerning you that you have provided to us in a structured, common and machine-readable format, to transmit it and – if technically feasible – to have it transmitted, Art. 20 GDPR.
You have the right to lodge a complaint with a supervisory authority, irrespective of any other administrative or judicial remedy, if you consider that the processing of personal data concerning you by us infringes the GDPR, Art. 77 GDPR. You may exercise this right before a supervisory authority in the Member State of your residence, place of work or the place of the alleged infringement. The contact details of the supervisory authorities in Germany can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
10.7. Revocation (of consent)
If you have given us your data protection consent, you have the right to revoke this at any time with effect for the future. This also applies to data protection consents that you gave us before the GDPR came into force.
10.8. Right of withdrawal
In addition, you have the right to object, which is explained at the end of this document.
11. Appendix: Explanation of terms
Below we explain some of the legal and technical terms used in this privacy notice.
Processors are service providers who process your data according to our instructions and for a specific purpose.
b) Personal data:
Personal data (data) is any information relating to an identified or identifiable natural person.
Processing of personal data is any operation relating to personal data, such as collection via an online form, storage on our servers or use to contact us.
d) IP address:
The IP address is a number that your internet provider assigns to your terminal device, either temporarily or permanently. With a complete IP address, it is possible, for example, to identify the connection owner in individual cases using additional information from your internet access provider.
11.2. Legal basis
The GDPR only allows personal data to be processed if there is a legal basis. We are required by law to inform you of the legal basis for the processing of your data.
In the following, we explain the terms used in this context.
Legal basis / Name / Explanation
Art. 6 para. 1 lit. a) GDPR / Consent / This legal basis allows processing if and insofar as you have given us your consent.
Art. 6 para. 1 lit. b) GDPR / Contract performance / This legal basis allows processing insofar as this is necessary for the performance of a contract with you, including pre-contractual measures (e.g. performance of the employment contract).
Art. 6 para. 1 lit. f) GDPR / Legitimate interests / According to this legal basis, we are permitted to process data insofar as this is necessary to protect our legitimate interests (or those of third parties) and your conflicting interests do not outweigh these. Unless otherwise stated, our interests are in pursuance of the stated purposes of processing.
Your right to object
You also have the right to object to the processing of personal data relating to you at any time on grounds relating to your particular situation, provided that we base the processing on Art. 6 (1) lit. e or f GDPR. We will then no longer process this data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (Art. 21 GDPR).
If your personal data is used by us for direct advertising (e.g. via e-mail), you have the right to object to the use of your data for these purposes at any time. This also applies to profiling, insofar as this is connected with direct advertising. Profiling means the use of personal data to analyse or predict certain personal aspects (e.g. interests).