Data Privacy | esatus AG

Privacy Statement (esatus AG)

Thank you for your interest in our company and for visiting our website. In the following privacy statement, esatus AG (hereinafter referred to as “we”, “us” or “esatus AG”) would like to inform you about the type, scope and purpose of the personal data collected, used, and processed, in order to comply with the obligation of transparency, in particular by providing information about the rights of data subjects.

Click here to go to the privacy statement for Switzerland.

Personal data is information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified directly or indirectly (e.g., by means of associating him/her with an online identifier). This includes, without being limited to, information such as the name, address, telephone number and e-mail address or other physical characteristics by which a natural person can be identified. For the purposes of this privacy statement, we will refer to you as “you”, “user”, or “data subject”.

This privacy statement applies to the website esatus.com operated by us, the online presences in the social media maintained by us, as well as all points under section 2.2. esatus Schweiz AG is a 100% subsidiary of esatus AG in Switzerland. The EU has certified that Switzerland has an adequate level of data protection in accordance with Art. 45 GDPR. The data processing is carried out under joint responsibility in accordance with Art. 26 GDPR. The provisions of the privacy statement of esatus Schweiz AG must also be observed if Swiss data protection law is affected.

1. Contact details of the Controller and the Data Protection Officer

„Controller” refers to the natural or legal person, public authority, agency, or other body which, on his/her own or jointly with others, determines the purposes and types of personal data processing.
Controller for data processing:

esatus AG
Rheinstraße 5
63225 Langen

Tel.: +49 6103 9029-0
E-Mail: info@esatus.com
Website: www.esatus.com

Data Protection Officer:

Tel.: +49 6103 9029-0
E-Mail: dsb@esatus.com

2. General information on data processing

2.1. Information on data processing in the context of visiting the website

When the website esatus.com is called up, esatus AG processes various personal data, depending on the type of processing. The different types of data processing are explained in the following section.

2.1.1. Operation of the website

This website is hosted by esatus AG. No data is being transferred to a third country. For the secure operation of this website, data is automatically recorded in so-called log files each time the website is called up. The data is automatically transferred to the esatus AG server by the browser you are using. The following data is transmitted:

Browser type/ and version
Operating system used
Referrer URL (the website previously visited)
IP address of the accessing computer
Time and date of the server request

The legal basis for this type of processing is Art. 6 (1) sentence 1 lit. f) GDPR (legitimate interest). The provision and operation of the website as well as browser optimization and maintenance of the security of this website represent the legitimate interest of esatus AG. An evaluation of the log files takes place exclusively for the purpose of the security of this website as well as for statistical evaluations. This data is not merged with other data and data sources. To ensure security, esatus AG uses intrusion detection. Article 6 (1) sentence 1 lit. f) GDPR (legitimate interest) constitutes the legal basis for the processing of system logs for intrusion detection.

Intrusion detection involves active monitoring of computer systems and/or networks with the aim of detecting attacks and misuse. Intrusion detection works by filtering out those incidents that indicate potential attacks, attempted misuse or security breaches from all incidents occurring in the monitored area, in order to subsequently investigate them in greater depth. This will allow rapid detection and reporting of harmful incidents. Corresponding log files are created for intrusion detection. If an anomaly is identified by means of intrusion detection, the IP address concerned is traced accordingly.

Apart from esatus AG, no other companies receive the data described above. This data is stored for a period of 7days. After this period, the IP address will be anonymized (“IP-masking”). An exception to this is the identification of anomalies by intrusion detection. If, as a result of such incidents (e. g. attacks, attempts of misuse or security breaches), data must be retained to serve as evidence, this data is exempt from deletion until the respective incident has been finally clarified. After expiration of this storage period or final clarification of the incident, all corresponding data is deleted, or the IP address is anonymized.

2.1.2 Contacting us via the website

You can send us an inquiry at any time using our contact form on our website. The following information will be requested:

Salutation
First name and surname
E-mail address
Free text field (e.g. subject), which you fill in yourself

All other data that you send us via the free text field is voluntary. In addition, your IP address, time and date are automatically transmitted to us. In addition to our contact form, you can contact us via the e-mail addresses communicated on the website. The data contained in your message (e-mail) will be processed depending on the purpose of the message. The data is processed exclusively for the purpose of responding to your inquiry and the associated communication. Please note that, depending on your provider, e-mails are generally transmitted unencrypted. We can therefore accept no responsibility for the transmission path. If you contact us by telephone, we will process your telephone number and any data you communicate voluntarily during the conversation.

The legal basis for contacting us via our website depends on the content of your request. In principle, the legal basis for contacting us via the website is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). The legitimate interest here consists in providing the contact functionality and responding to your inquiries sent via the website. The IP address and the time stamp, which are automatically transmitted with your message, are used to prevent and trace misuse of our contact form. The processing of all data that you voluntarily transmit to us in the free text field is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). The data transmitted by you will generally be deleted after final processing of your request and fulfillment of the purpose.

Information on the process of transmitting data as part of an application can be found in section 2.2.2.

2.1.3. Cookies

Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that allows your browser to be uniquely identified when you return to the website. Our website only uses session ID cookies. Session IDs allow us to identify you while you are visiting our site, for example, to permanently display your preferred language. Session IDs are usually automatically accepted by the browser. You can deactivate this function, but this may impair your use of the website. Session IDs do not contain any information that can be read in plain text. Session IDs are required to make the use of our website more comfortable. The legal basis for this is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). The session IDs are temporarily stored on your computer and deleted after you quit the browser session and subsequently close the browser.

2.1.4 Analysis in the context of website use

We use the third-party tool Matomo to analyze the use of our website. We respect the rights of visitors to our website and use the tool with the best possible data protection settings. We therefore only collect the absolute minimum of data and also anonymize some of it. No cookies are set and the tool runs in a local environment without any data transfer.

We do not pass on any personal data to third parties.

The following data is collected:

User IP address (anonymisiert)
Date and time of the request
Page Title
Page URL
Referrer URL (anonymisiert)
Screen resolution being used
Time in local user’s timezone
Files that were clicked and downloaded
Links to an outside domain that were clicked
Pages generation time
Location of the user
Main Language of the browser
User Agent of the browser

The legal basis for processing is our legitimate interest in accordance with Art. 6 S.1 lit. f) GDPR. Our legitimate interest is the analysis of our website to improve our online presence. A balancing of interests with the interests of the data subject has been carried out.

The data is stored by us as long as the purpose of the processing (see above) continues to exist.

For further information, please also refer to the Matomo documentation and privacy policy.

2.2. Information on data processing independent of website visits

Irrespective of the visit to this website, esatus AG processes personal data in parts under joint responsibility with esatus Schweiz AG only:

for arranging events (e.g. workshops)
for meeting data collection obligations of the Corona Contact and Operating Restriction Ordinance of the Federal State of Hessen
for initiating employment relationships
for initiating contracts or fulfilling contractual or legal obligations related to the use of the “SOWL” product
for providing the esatus Wallet App
for carrying out electronic communication (sending e-mails),
for external presentation and advertising purposes in social media
for documenting customer and order history
for using event photographs for advertising purposes
for other purposes explicitly stated on declarations of consent.

In addition, this data protection declaration also applies to joint presences on social media (LinkedIn, X (former Twitter) and XING) of esatus AG and esatus Schweiz AG.

2.2.1. Event implementation

In the context of arranging and implementing events, esatus AG processes various personal data depending on the type of event, for example:

First and last name
Contact details (address, telephone number, e-mail address)
Job title and job description
Employer or educational institution

All data processed in the context of an event serve to initiate and implement the corresponding event. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and fulfilment of a contract). Your data will be deleted after the event has taken place. As a matter of principle, no data is transferred to third parties. Information on data communicated or transmitted to esatus AG in the context of events for the purpose of a job application can be found in section 2.2.2.
We use Eventbrite Inc ("Eventbrite") to register for events. If you click on the relevant link to register for an event, you will automatically be redirected to the Eventbrite website.

The Eventbrite event platform is provided by Eventbrite Inc. 155 5th Street, Floor 7, San Francisco, CA 94103, USA. The responsible company for consumers in Europe who use a paid service is Eventbrite Operations (IE) Ltd, an Irish limited liability company with its registered office at Unit 3100, Citywest Business Campus Dublin 24, Citywest, Dublin, D24AK82, Ireland. Eventbrite maintains a branch office in Berlin: Eventbrite DE GmbH, Oranienstraße 25, 10999 Berlin, Germany.

In the course of using and visiting the Eventbrite website, Eventbrite automatically collects further personal data for which Eventbrite, as the operator of the website, is responsible. This concerns your IP address, browser identification, terminal device information, characteristics of your access device and/or browser, statistical data about your activities on the services, information about how you access the services.
Eventbrite is the sole controller of this automated processing and we have no control over these processing operations. This applies equally to all data collected during registration and login to the website. Please refer to the Eventbrite privacy policy (https://www.eventbrite.de/help/de/articles/460838/datenschutzrichtlinien-von-eventbrite/).

In the course of booking an event, Eventbrite collects personal data on behalf of esatus AG:

Surname and first name
employer
e-mail address
Information on the events booked and attended

The purpose of the data collection is the proper implementation of events, the proper identification and authentication of you as a participant in the event and the fulfilment of the service offer before and during the implementation of the event.

The legal basis for the processing is your consent in accordance with Art. 6 Para. 1 lit. a) GDPR. You give this consent during registration by entering and confirming your personal data. Alternatively, the processing is based on our legitimate interest according to Art. 6 para. 1 lit. f) GDPR. The legitimate interest is the proper implementation of the event and identification of the participants in order to enable an optimal range of services. A balancing of interests has taken place.

Eventbrite acts as a processor for esatus AG. As part of the reference within the terms of use, a corresponding order processing agreement has been concluded (https://www.eventbrite.de/help/de/articles/429030/datenverarbeitungsnachtrag-fuer-veranstalter/).

It cannot be ruled out that Eventbrite also processes the data for its own purposes. In this regard, reference should also be made to the linked document as well as to Eventbrite's privacy policy (https://www.eventbrite.de/help/de/articles/460838/datenschutzrichtlinien-von-eventbrite/).

Eventbrite processes the personal data in the USA. The transfer of personal data takes place in accordance with Art.46 para.2 lit. c) GDPR on the basis of the applicable standard contractual clauses of the EU. Eventbrite has signed a corresponding contract and makes it available online (https://cdn.evbstatic.com/s3-s3/static/images/en_US/legal_policies/Eventbrite_Organiser_Standard_Contractual_Clauses.pdf).

In addition, Eventbrite is certified under the new Data Privacy Framework between the US and the EU (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TNl5AAG&status=Active).

Similarly, it should be noted that you do not have the same effective remedies available to you as within the EU. For further information, please refer to Eventbrite's privacy policy.

The data collected will not be passed on to third parties by esatus AG. esatus AG has no influence on the passing on of data by Eventbrite. In this regard, please refer to the Eventbrite data protection declaration.

The deletion of the data collected by esatus AG takes place after the completion of the respective event. esatus AG has no influence on the deletion of data processed at and by eventbrite.

2.2.2. Initiation of employment relationships

In the context of initiating employment relationships, esatus AG generally processes all personal data that are voluntarily communicated to us by you in electronic form or by post during the application process. These data include, for example, personal data and qualification documents. Depending on the procedure used, the data may be transmitted by the data subject in unencrypted form.

A corresponding application can be made both via electronic contact (e.g. unsolicited application by e-mail) and in the context of a job fair. We would like to point out that if an application is made via LinkedIn, for example, the personal data transmitted by the applicant will be processed at this point by a third-party provider. The legal basis for this is the applicant's consent pursuant to Art. 6 (1) p. 1 lit. a) DSGVO. Processing on the part of esatus AG is carried out in accordance with this section. We have no influence on the processing by LinkedIn. In this respect, please refer to section 2.2.3.
In the context of providing the application documents that are submitted to us via a dedicated form on our website, the following personal data are processed:

Salutation
First and last name
E-mail address
All personal and non-personal data transmitted to us in the free text field
All personal and non-personal data provided as part of the document upload. This concerns, for example, the CV and/or qualification papers and the data contained therein.

This processing is done for the purpose of performing the application process, including communication via the various channels. The legal basis for this is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and implementation of pre-contractual measures), Art. 88 para. 1 GDPR (data processing in the employment context) and Section 26 para. 1 BDSG (data processing for purposes of the employment relationship).

Your data will be deleted after completion of the application process and after expiry of the statutory retention period, unless an employment relationship is established.

See section 2.2.9 for further information on this topic.

2.2.3. External presentation as well as advertising purposes in social media

esatus AG entertains the following presences in social media for the purpose of external presentation and advertising:

LinkedIn (LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Pl, Dublin 2, Ireland), privacy policy: https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy , order processing agreement and standard contractual clauses: https://de.linkedin.com/legal/l/dpa
X, formerly Twitter (Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland & Twitter Inc., 1355 Market St #900, San Francisco, CA 94103, United States), Privacy Policy: https://twitter.com/de/privacy
XING (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany), Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung
YouTube: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://policies.google.com/privacy

In the context of the use of social media, esatus AG as well as esatus Schweiz AG publish, in addition to product and technical topics, posts about employees in a professional context (e.g. participation in business events). The naming of employees is usually done by linking to the respective profile of the employee. The following types of data are processed in this context:

Contact data (e.g. e-mail address)
Content data (e.g. data in a free text field)

Such presences are entertained to communicate with the users of the respective social platform, and to communicate about the services of esatus AG and esatus Schweiz AG. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Under certain circumstances, you may have given consent to one of the platform operators listed above to process your personal data pursuant to Art. 6 para. 1 p. 1 lit. a) GDPR.

No usage data (e.g. access to websites and content) or metadata (e.g. IP address) are processed by esatus AG. These data are only processed by the respective provider of the social network. We have no influence on the way your personal data are processed within the scope of these websites; in this respect we are not the responsible party within the meaning of Art. 4 No. 7 GDPR. The respective data protection declarations of the operators of the above-mentioned platforms shall apply.

2.2.4. Use of event photographs for advertising purposes

In the context of events, photographs are usually taken by esatus AG, esatus Schweiz AG or by a service provider commissioned by us. These images are published in accordance with the declaration of consent voluntarily signed by the event participants. esatus AG and esatus Schweiz AG uses event photographs for advertising purposes on various channels, such as the website and social media. esatus AG and esatus Schweiz AG would therefore like to draw attention to the fact that, in the event of publication on the internet, personal data (including photos) can be accessed and stored worldwide. The data can thus also be found via search engines, for example. It cannot be ruled out that other persons or companies may link the data with other personal data available on the internet and thus create a personality profile, modify the data or use it for other purposes.

The legal basis for this processing operation is Article 6 (1) sentence 1 a) GDPR (consent). The data subject can revoke his consent at any time. For this purpose, we ask the data subject to send an e-mail to the following address: dsb@esatus.com. All data will be deleted as soon as the consent to use the photographs is revoked. esatus AG will delete the relevant photographs on all its channels accordingly.
esatus AG as well as esatus Schweiz AG have no influence on the deletion of the corresponding recordings stored by third parties.

2.2.5. Contract initiation procedures and contractual or legal obligations relating to the use of the product "SOWL”

SOWL is a so-called cloud agent, an identity management system for digital identities (credentials). As part of the use of SOWL, personal data is processed by the respective company that uses SOWL. In this context, the data processing may include both the process of issuing identities and credentials, and the identity verification via a corresponding credential.
SOWL can be operated either in-house (hosted by the customer) or by esatus AG (SaaS). The esatus AG has no access to the SOWL instances, which are hosted in the respective customer’s own environment. A daily license sync is performed for SOWL. The daily license sync sends relevant metadata for the respective system to esatus AG. These metadata comprise the following data (no personal reference):

Number of proofs
Number of credentials issued
Number of revocations
Number of identities
Number of errors
Number of warnings
License ID

For customers where SOWL is hosted by esatus AG, esatus AG can access the respective SOWL instance within the scope of support purposes after appropriate consent by the customer. All productive SOWL instances are hosted on Amazon Web Services (AWS). The AWS services used by esatus AG are provided exclusively within Germany. This involves server capacities that are operated in eu-central-1 (Frankfurt). The deletion of corresponding personal data is the responsibility of the respective customer who uses the SOWL instance.

If you use a product demo of esatus AG (e.g., a SOWL demo access), esatus AG do not process any further personal data from you, apart from technical data to ensure the functionality of SOWL. The data used to demonstrate the functionalities is test data that are in no way related to the identity of the user. All customers of esatus AG are explicitly requested not to use any real data with personal reference in the demo area. The SOWL demo environment is operated at Microsoft Azure, with server capacities being maintained at Microsoft Azure in the Germany West Central region.

2.2.6. Provision of the esatus Wallet App

The purpose of the esatus Wallet app is to enable quick authentication or release of personal, verified data that users store and manage independently on their end device.

Downloading the esatus Wallet app from the Apple App Store or the Google Play Store

When personal data is processed upon downloading the app from the Apple App Store or the Google Play Store to your mobile device, we cannot influence the way this data is processed. On the part of esatus AG, no data is processed in this context. For information on the processing of your personal data in the context of store downloads, please refer to the privacy policy of the respective provider.
The Apple App Store and the Google Play Stores provide esatus AG with information on the downloads made via the customer area. This is anonymized data that is provided exclusively for statistical purposes. The information provided comprises the following data:

Manufacturer
Operating system version
App version
Device name
Country

The legal basis for data processing in the context of technical provision is Art. 6 (1) p. 1 lit. f) GDPR. We have no influence on the collection and processing of this data, which is carried out by the app store selected by you. In this respect, we are not the responsible party within the meaning of Art. 4 No. 7 GDPR.
Privacy policy Google Play Store: https://policies.google.com/privacy
Privacy policy Apple App Store: https://www.apple.com/de/legal/privacy/

Using the esatus Wallet App

When using the esatus Wallet App, esatus AG or third parties have no access to personal data that users manage via the App. Exempt from this is the explicit release of specific data by the user of the esatus Wallet App. In this case, the user can see which of his data is requested by a third party and must actively agree to this transfer.

In order for a data sharing request to be sent to you, the first step is to scan the corresponding QR code on the website with the esatus Wallet App on your device. After scanning this QR code, you will receive a connection request. In order to be able to continue using the service, it is necessary to accept the connection request. For establishing the connection, unique decentralized identifiers (DIDs), which were generated explicitly for this connection, are exchanged between you and the service provider. Once the connection has been successfully established, you start the actual proof process by scanning another QR code. During this process, you are presented with a request, similar to the connection setup. This request is sent to you via the encrypted connection which has previously been established. Only when you click “share” on the request will the data be transferred. When transferring your data, secure transport encryption (https) as well as asymmetric encryption is used, by applying the DIDComm protocol. For further information, please refer to the W3C documentation (see www.w3.org/TR/did-core/).

During this process, the respective third party (service provider) becomes the processor of the data and receives it directly at the specified service endpoint. All data that the user wants to manage via the app will be stored on his/her cell phone and will not be sent unless the user explicitly agrees. In addition, there is the option to give a permanent consent to send data to an existing and known connection. This function is deactivated after installation of the app and the user must actively select it. The legal basis for both processing procedures in this case is Art. 6 (1) p. 1 lit. a) GDPR (consent). This consent can be revoked at any time.
Furthermore, the Wallet App offers the functionality to automatically download credential images. This function is deactivated by default, but you can activate it at your discretion. The legal basis here is Art. 6 (1) sentence 1 lit. a) GDPR (consent). If this function is activated, information such as the IP and credential definition is transmitted to esatus AG.
In the case of processing or transmission of personal data relating to you by a so-called proof (proof request) from third parties, please refer to the relevant data protection statements of the third party for information on the processing of the data relating to you. esatus AG has no access to the incoming and outgoing connections of third parties and cannot view any data in this context.

Ensuring functionality of the esatus Wallet App
To maintain the functionality of the esatus Wallet App and to ensure that personal, verified data arrives at the appropriate recipient, we process technical information such as:

IP addresses,
your device ID with your push service operator (Google or Apple), or
Your operating system used.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Our interest here is to be able to inform the user about activities even when the app is closed and to provide fast response times in the process flow.

Push service for message broadcasting when the app is closed

The Push Service is a functionality of an internal operating system or notifications that are sent to your mobile device even if you are not currently using our app. You can turn these push notifications on and off at any time in the app settings of your mobile device (Apple device). If you activate push notifications or allow the sending of push notifications when starting the app for the first time, a unique identification number of your mobile device (device ID) is communicated to the service that provides the push functionality at your operating system provider (for Android: “Firebase Messaging Cloud”, for iOS “Apple Push Notification Service”). The consent for sending push notifications can vary depending on the provider, the previously explained process regarding the consent when opening the app for the first time corresponds to Apple’s procedure. The push service returns a so-called identifier (“Push Notification Identifier”), which no longer allows any conclusions to be drawn about the device ID and thus about you as the user. Afterwards, communication with the push server always takes place via this identifier. The sole purpose of processing the identifier is to provide the Push Service. For information on the Push Service, please refer to the privacy policy of your respective operating system provider, as this is an internal operating systems process.

When processing data in this context, recipients of relevant data are Microsoft Azure for hosting the Notification Hub and Google for the Push Notification Services under Android devices as well as Apple for Push Notification Services under iOS devices.

Mediation Agent

The incoming transmission required for the transport via the server provided by esatus AG (Mediation Agent) always takes place via secure transport encryption (https), as well as via asymmetric encryption using the DIDComm protocol. It can only be decrypted by recipient and sender. For more information on the DIDComm protocol, please refer to the W3C documentation (see www.w3.org/TR/did-core/). For further information on the processing of personal data by the sender of requests (third parties), please refer to the relevant privacy statements of the individual data recipient, who may be processing your personal data and is to be classified as a controller within the meaning of Art. 4 No. 7 GDPR. The Mediation Agent is operated on servers of AWS. These server capacities are maintained in the eu-central-1 (Frankfurt) of AWS.

Using the product demo

If you use a product demo of esatus AG (e.g., the Covid Credential Demo on the website), esatus AG will not process any further personal data from you other than technical data to ensure the functionality of the app and the data already mentioned above (see 2.1 and 2.2.6). The data used to demonstrate the functionalities is test data that has nothing to do with the identity of the user. For more information on the processing of technical data to maintain security and the legal basis of this processing, please refer to the above.

2.2.7 Conducting demos of esatus SSI solutions at events

In the context of conducting demonstrations of esatus SSI solutions (SOWL and Wallet) at events, esatus AG processes personal data provided by the participants of the event via credential (proof from his Wallet). The legal basis for the processing of personal data is usually Art. 6 (1) a GDPR (consent). Data processing within SOWL and the esatus Wallet is explained in sections 2.2.5 and 2.2.6.

2.2.8. Documentation of customer and order history and related processing purposes

As part of the documentation of customer data and order history, esatus AG processes personal data that has been transmitted to us by our customers or future customers. These are, for example, without being limited to:

Full name
Salutation
Complete address
Bank data (e.g. IBAN)
Other information necessary for the performance of the contract.

The purpose of this processing is the proper maintaining of our business activities and traceability of business processes. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest) and Art. 6 para. 1 p. 1 lit. b) GDPR (implementation of pre-contractual measures and contract performance). For all data that you voluntarily transmit to us in this context, Art. 6 para. 1 p. 1 lit. a) GDPR (consent) is to be considered the relevant legal basis. All corresponding data will be stored by esatus AG for the duration of the fulfillment of the purpose. In addition, further processing may be necessary to meet legal obligations. When personal data are processed for the fulfillment of legal requirements (e.g. retention periods under commercial or tax law) in connection with the business activities of esatus AG, Art. 6 para. 1 sentence 1 lit. c) GDPR (legal obligation) forms the relevant legal basis. Processing is carried out until the legal obligations are fulfilled.

In addition, processing of personal data may be necessary for the assertion of legal claims. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest), our interest being the clarification and possible defense of claims. Processing will only take place within the scope of and until the conclusion of the assertion of any claims.

2.2.9. Conducting online meetings and communication

For the purpose of communicating and conducting online meetings/webinars with potential applicants and/or customers, we use Microsoft Teams.
The following personal data may be processed in the process:

Full name
Display name
E-mail address
Phone number, if applicable
External appearance, if applicable
Meeting metadata, such as meeting ID, date, time, location
Audio and video data
Any data that you voluntarily submit to us during the meeting (e.g. submitted documents)

The user has the sole freedom of decision to activate his microphone and/or camera.

The legal basis for the processing is the user's consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR or our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest is the implementation of the respective meeting. A consideration of interests was undertaken.
We will not pass on your data to third parties unless there is a processing procedure with a corresponding legal basis.

The processed data will be deleted after the purpose has been fulfilled, unless there is a legal obligation to retain data to the contrary.

There may be further data processing by Microsoft. We have no influence on this data processing. Please refer to Microsoft's privacy policy for more information: https://privacy.microsoft.com/de-de/privacystatement
Microsoft is certified under the EU-US Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active
A corresponding order processing contract exists. For further information, please refer to Microsoft's privacy policy: https://privacy.microsoft.com/de-de/privacystatement#mainwherewestoreandprocessdatamodule

3. Rights of the data subjects

All of the following rights of data subjects can be exercised informally at any time, e.g., by sending a request by e-mail to dsb@esatus.com. By addressing the request by e-mail or by contacting an employee, the request will be processed and carried out without delay. The rights mentioned below apply to all processing activities of esatus AG as well as esatus Schweiz AG. Insofar as Swiss data protection law is affected, additional reference is made to the corresponding section 3 of the privacy statement of the esatus Schweiz AG.

3.1. Right of access by the data subject according to. Art. 15 GDPR

Data subjects have the right to obtain confirmation as to whether personal data concerning them are being processed.
In addition, data subjects have the right to request, free of charge, information about the personal data concerning them and to obtain a copy thereof. In addition to the copy, the following information will be provided:

Purposes of processing
Categories of personal data
Recipients or categories of recipients in third countries or international organizations
If possible, the planned duration of the storage of the personal data and, if this is not possible, the criteria for determining the duration
The existence of other data subject rights, the existence of a right of appeal to a supervisory authority
The existence of automated decision-making, including profiling.
If the personal data has not been collected from the data subject, any available information about the origin of the data

In addition, if the data is transferred to a third country or an international organization, appropriate safeguards, such as the use of EU standard contractual clauses, will be communicated.

3.2. Right to rectification according to Art. 16 GDPR

Data subjects have the right to request rectification of inaccurate personal data and to request completion of incomplete data, taking into account the purposes of the processing.

3.3. Right to erasure or right to be forgotten according to Art. 17 GDPR

Data subjects have the right to request erasure of personal data concerning them, which shall be erased immediately upon request, provided that one of the following reasons applies and the processing is not necessary:

The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
The data subject revokes his or her consent to the processing and there is no other legal basis for the processing.
The data subject objects to the processing and there are no overriding legitimate grounds for processing, or the data subject objects to direct marketing.
The personal data have been processed unlawfully.
The erasure of the data is necessary for compliance with a legal obligation.
The personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

If esatus AG or esatus Schweiz AG has made personal data of the data subject public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, esatus AG or esatus Schweiz AG shall take reasonable steps, taking into account the available technology and the cost of implementation, to inform other data controllers who process the published personal data, that the data subject has requested from those other data controllers to erase all links to or copies of the personal data, unless the processing is necessary.

3.4. Right to restriction of processing according to Art. 18 GDPR

Data subjects have the right to restrict processing if one of the following conditions is met:

The accuracy of the personal data is contested by the data subject (for a period of time that permits verification by the controller).
The processing is unlawful, but the data subject objects to erasure and requests restriction of use.
The controller no longer needs the data for the purposes of the processing operations, but the data subject needs them to assert or exercise or defend legal claims.

The data subject has objected to the processing, and it is not yet clear whether the legitimate grounds of the controller or the data subject’s interests worthy of protection prevail.

3.5. Right to data portability according to Art. 20 GDPR

Data subjects have the right to data portability. This right entitles data subjects to receive their respective personal data in a structured, common, and machine-readable format. The data subject thus has the right to transfer this data to another controller or to request the transfer from the old controller to the new controller.

3.6. Right of objection according to Art. 21 GDPR

The data subject may object to the data processing based on Art. 6 (1) p. 1 lit. f) GDPR (legitimate interest). As a result, further data processing will be prohibited unless the esatus AG or esatus Schweiz AG can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject, or the processing serves the purpose of asserting, exercising, or defending legal claims. If esatus AG or esatus Schweiz AG processes personal data for direct marketing purposes, the user may object to such processing at any time.

For the notification of an objection, we ask the data subject to send an e-mail to the following address: dsb@esatus.com or to contact us by post. The postal address can be found in the contact details of the person responsible and the data protection officer.

3.7. Automated decisions in individual cases including profiling according to Art. 22 GDPR

As a conscientious company, we do not use automatic decision-making or profiling.

3.8. Right to complain to the supervisory authority pursuant to Art. 77 GDPR

If you have the impression that the processing of your data violates data protection law or that your data protection rights have been violated in any way, you can complain to the Hessian Data Protection Commissioner: https://datenschutz.hessen.de/service/beschwerde

3.9 Right of withdrawal

The data subject has the right to withdraw his or her consent (Art. 6 Abs. 1 S.1 lit. a) GDPR) at any time, should the processing be carried out on the basis of previously given consent. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out since the consent was given until the withdrawal.

4. Duration of storage

The duration of the storage of personal data depends on the corresponding statutory retention period and the purpose of the processing. As soon as the legal retention period expires or the purpose of the processing ceases to exist, the personal data will be deleted unless it is required for the performance or initiation of a contract. Justified deviations may arise in the context of individual processing operations, to which we will refer separately.

Data security

We take appropriate technical and organizational measures, taking into account the state of the art and in accordance with legal requirements, to ensure an adequate level of protection.

Due to the ongoing development of our website as well as our other offers, or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy.

Editing status: 01.08.2023

Privacy Statement (esatus Schweiz AG)

General information

Thank you for your interest in our company and your visit to our website. In the course of this data protection declaration, esatus Schweiz AG (hereinafter "we", "us" or "esatus Schweiz AG") would like to inform you about the type, scope and purpose of the personal data collected, used and processed and comply with the obligation of transparency, in particular by clarifying the rights of data subjects.

Personal data is information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly (e.g. by reference to an online identifier). This includes, but is not limited to, information such as the name, address, telephone number and e-mail address or other physical characteristics by which a natural person can be identified. In this privacy statement, we refer to you as "you", "user" or "data subject".

This privacy statement applies to the esatus.com website operated by us, the relevant online presences maintained by us in the social media, as well as all points under section 2.2. esatus Schweiz AG is a wholly owned subsidiary of esatus AG. Data processing is carried out under joint responsibility. Due to the scope of data protection law and the relevant points of contact, reference is made below to the General Data Protection Regulation of the European Union (GDPR). In the event of deviations and the need for additions or relevant Swiss data protection law requirements, reference is made to the Swiss Data Protection Act (DSG).

1. Contact details of the controller and the data protection officer

esatus Switzerland AG

Tribschenstrasse 62a

CH-6005 Lucerne

info@esatus.ch

Phone: +41 614115588

Represented by: Dr. André Kudra (President), Jürgen Eichhöfer, Cordula Bettina Lisa Fey

UID: CHE-130.392.745 MWST

CH-ID: CH-100-3814535-5

Information about esatus AG: Imprint

2. General information on data processing

2.1 Information on data processing when visiting the website

When you visit the website (esatus.com), esatus Schweiz AG processes various personal data, depending on the type of processing. These processing operations are explained in the following section.

2.1.1 Operation of the website

This website is hosted by esatus AG. Data processing by esatus AG takes place in Germany. For the secure operation of this website, data is automatically recorded in log files when it is accessed. Data is automatically transferred to the esatus AG server by the browser you use. The following data is transmitted:

Browser type and version
Operating system used
Referrer URL (the previously visited website)
IP address of the accessing computer
Time and date of the server request

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). The provision and operation of the website as well as browser optimization and maintaining the security of this website represent the legitimate interest of esatus Schweiz AG and esatus AG. The log files are analyzed solely for the purpose of ensuring the security of this website and for statistical evaluations. This data is not merged with other data and data sources. esatus AG uses an intrusion detection system to ensure security. The legal basis for the processing of system logs for intrusion detection is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest).

Intrusion detection is the active monitoring of computer systems and/or networks with the aim of detecting attacks and misuse. The aim of intrusion detection is to filter out those events that indicate attacks, attempted misuse or security breaches from all events taking place in the monitored area in order to subsequently investigate them in depth. This should enable events to be detected and reported promptly. Corresponding log files are created for intrusion detection. If an anomaly is detected by the intrusion detection, the affected IP address is traced accordingly.

Apart from esatus AG and esatus Schweiz AG, no other companies receive the data listed above. This data is stored for a period of 28 days. An exception to this is the detection of anomalies by intrusion detection. If, due to corresponding events (e.g. attacks, attempted misuse or security breaches), data must be stored for reasons of proof, this data is excluded from deletion until the respective incident has been finally clarified. After expiry of this storage period or final clarification of the incident, all corresponding data is deleted or the IP address is anonymized.

2.1.2 Contacting us via the website

You can send us an inquiry at any time using our contact form on our website. The following information will be requested:

Salutation
First name and surname
E-mail address
Free text field, which you fill in yourself

2.1.3 Cookies

Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you return to the website. Only cookies in the form of session IDs are used on our website. Session IDs enable us to identify you during your visit to our website, for example to permanently display the language you have selected. Session IDs are usually accepted automatically by the browser. You can deactivate this function, but this may impair your use of the website. Session IDs do not contain any information that can be read in plain text. Session IDs are required to make the use of our website more convenient. Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest) forms the legal basis for this. The session IDs are temporarily stored on your computer and deleted after you leave the browser session and close the browser. No other cookies are used.

2.1.4 Embedding of YouTube videos

YouTube videos are technically embedded on our website. Data processing by YouTube only begins when the data subject independently activates the content by clicking on it. The legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). Since personal data is only transmitted when the content is activated, please refer to YouTube's privacy policy.

YouTube: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

2.2 Information on data processing independent of the website

Irrespective of visits to this website, esatus Schweiz AG processes personal data only

for the organization of events (e.g. workshops)
for the initiation of employment relationships
for the execution of contract initiation and contractual or legal obligations in the context of the use of the "SOWL" product of esatus AG
to carry out electronic communication (sending e-mails)
for external presentation and for advertising purposes in social media via esatus AG channels
to document the customer and order history
for the use of photographs of events
for advertising purposes via esatus AG channels
for other purposes that are explicitly stated on declarations of consent.

The esatus AG privacy policy applies to appearances on social media (LinkedIn, Twitter and XING).

2.2.1 Implementation of events

As part of the initiation and implementation of events (e.g. webinars), esatus AG processes various personal data depending on the type of event, such as

First name and surname
Contact details (address, telephone number, e-mail address)
Job title and job title
Employer or educational institutions

All data processed in the context of an event is used to initiate and carry out the corresponding event. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a) and b) GDPR (consent and performance of a contract). Your data will be deleted after the event has been held. The data is processed by the joint controllers in Switzerland and Germany.

Information on data communicated or transmitted to esatus Schweiz AG in the context of events for the purpose of an application can be found in section 2.2.2.

2.2.2 External presentation and advertising purposes in social media

esatus Schweiz AG does not maintain its own social media channels. Communication takes place entirely via the channels of esatus AG. The following social media presences are operated for the purpose of external presentation and advertising:

LinkedIn (LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Pl, Dublin 2, Ireland)
Twitter (Twitter Inc., 1355 Market St #900, San Francisco, CA 94103, United States)
XING (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)

As part of the use of social media, esatus Schweiz AG and esatus AG publish posts about employees in a professional context (e.g. participation in business events) in addition to product- and subject-specific topics. Employees are generally named via a link to the employee's profile.
The following types of data are processed in this context:

Contact data (e.g. e-mail address)
Content data (e.g. data in a free text field)

The purpose of maintaining these presences is to communicate with the users of the respective social platform and to communicate about the services of the two companies. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest). You may have given your consent to one of the platform operators listed above to process your personal data in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

esatus Schweiz AG and esatus AG do not process any usage data (e.g. access to websites and content) or metadata (e.g. IP address). This data is only processed by the respective provider of the social network. We have no influence on the other processing of your personal data within the scope of the aforementioned websites and are therefore not the controller within the meaning of Art. 4 No. 7 GDPR. The respective data protection declarations of the operators of the above-mentioned platforms apply.

2.2.3 Use of photographs of events for advertising purposes

As a rule, esatus AG or an appropriately commissioned service provider will also take photographs at events. These images are published in accordance with the declaration of consent voluntarily signed by the event participants. esatus Schweiz AG uses photographs of events for advertising purposes on various channels, such as the website and social media. esatus Schweiz AG would therefore like to point out that personal data (including photos) can be accessed and stored worldwide when published on the Internet. The data can therefore also be found via search engines, for example. It cannot be ruled out that other persons or companies may link the data with other personal data available on the Internet and thus create a personality profile, change the data or use it for other purposes.

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a) GDPR (consent). Consent can be withdrawn by the data subject at any time. Due to the joint responsibility, we ask the data subject to send an email to the following address: dsb@esatus.com. The data will all be deleted as soon as consent to the use of the photographs is revoked. esatus AG will delete the corresponding photographs on all its channels accordingly. esatus Schweiz AG and esatus AG have no influence on the deletion of the corresponding images stored by third parties.

2.2.4 Execution of contract initiation and contractual or legal obligations in the context of the use of the "SOWL" product of esatus AG

In connection with the initiation of a contract as well as contractual or legal obligations in the context of the use of the "SOWL" product, the corresponding data will be forwarded to esatus AG for technical provision.

SOWL is a cloud agent, an identity management system for digital identities (credentials). When using SOWL, personal data is processed by the respective company that uses SOWL. The data processing may include both the process of issuing identities and credentials and the identity verification via a corresponding credential.

SOWL can be operated both in-house (hosted by the customer) and by esatus AG (SaaS). esatus AG has no access to the SOWL instances that are hosted by the respective customer. A daily license sync is performed for SOWL. The daily license sync sends esatus AG corresponding metadata for the respective system. This metadata is the following data (no personal reference):

Number of proofs
Number of credentials issued
Number of revocations
Number of identities
Number of errors
Number of warnings
License ID

For customers who have the hosting of SOWL operated by esatus AG, esatus AG can access the respective SOWL instance for support purposes after appropriate approval by the customer. All productive SOWL instances are hosted by Amazon Web Services (AWS). The AWS services used by esatus AG are provided exclusively within Germany. These are server capacities that are operated in eu-central-1 (Frankfurt). The deletion of corresponding personal data is the responsibility of the respective customer using the SOWL instance.

If you use a product demo (e.g. SOWL demo access), esatus AG will not process any of your personal data other than technical data to ensure the functionality of SOWL. The data used to demonstrate the functionalities is test data that has nothing to do with the identity of the user. All esatus Schweiz AG customers are explicitly instructed not to use real data in the demo area. The SOWL demo environment is operated at Microsoft Azure. This involves server capacities that are operated at Microsoft Azure in the Germany West Central region.

The esatus Wallet App is provided by esatus AG. All information can be found in the privacy statement of esatus AG.

2.2.5 Documentation of customer and order history and associated processing purposes

As part of the documentation of customer data and the order history, esatus Schweiz AG processes personal data that has been transmitted to us by our customers or future customers. These are for example and not exhaustive:

Full name
Salutation
Full address
Bank details (e.g. IBAN)
Further information necessary for the execution of the contract

The purpose of this processing is the proper maintenance of our business activities and the traceability of business processes. The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest) and Art. 6 para. 1 sentence 1 lit. b) GDPR (implementation of pre-contractual measures and contract fulfillment). For all data that you voluntarily transmit to us in this context, Art. 6 para. 1 sentence 1 lit. a) GDPR (consent) is to be regarded as the relevant legal basis. All corresponding data will be stored by esatus AG for the duration of the purpose fulfillment. In addition, further processing may be necessary to fulfill legal obligations. In the context of the processing of personal data for the fulfillment of legal requirements (e.g. commercial or tax retention periods) in connection with the business activities of esatus AG, Art. 6 para. 1 sentence 1 lit. c) GDPR (legal obligation) forms the relevant legal basis. Processing takes place until the legal obligations are fulfilled.

In addition, it may be necessary to process personal data in order to assert legal claims. The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest), whereby our interest is the clarification and possible defense of claims. Processing only takes place within the scope of and until the conclusion of the assertion of any claims.

3. Rights of the data subjects

Right to information Art. 8 DSG

Pursuant to Art. 8 FADP, any person may request information from the controller of a data file as to whether data relating to them is being processed. To do so, please contact the office named above or in the legal notice or send an email to dsb@esatus.com

The data subject receives information about the following content:

all data available about them in the data collection, including the available information about the origin of the data;
the purpose and, where applicable, the legal basis of the processing as well as the categories of personal data processed, the parties involved in the collection and the data recipients.

Depending on the form of the request, this information will be provided in writing or in text form and free of charge once you have been identified.

Further provisions and restrictions on the right to information are set out in the law.

Right to rectification, blocking and erasure

You have the right to request the correction, blocking and deletion of your data at any time. You also have the right to data portability.

Right of withdrawal

The data subject has the right to withdraw their consent at any time if the processing is based on previously given consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority at any time.

As a responsible company, we do not use automated decision-making or profiling.

4. Duration of storage

The duration of the storage of personal data depends on the corresponding statutory retention period and the purpose of the processing. As soon as the statutory retention period expires or the purpose of the processing expires, the personal data will be deleted unless it is required for the fulfillment or initiation of a contract. Justified deviations may arise in the context of individual processing procedures, which we will point out separately.

Due to the further development of our website and our other offers or due to changes in legal or official requirements, it may become necessary to amend this privacy statement.

Editing status: 27.03.2023