Data privacy statement
Thank you for your interest in our company and your visit to our website. Our website can generally be used without providing personal data. However, special services of our website may require the processing of personal data. If processing of personal data is required, there is either a legal basis for processing or we obtain your consent. In doing so, the regulations of the General Data Protection Regulation and country-specific data protection regulations are observed.
In this data privacy statement, esatus AG would like to inform you about the type, scope and purpose of the personal data collected, used and processed, and to comply with its duty of transparency, in particular by clarifying the rights of persons concerned.
1. Contact details of the responsible person and the data protection officer
Responsible for data processing:
Tel.: +49 6103 90295-0
Data protection officer:
Tel.: +49 6103 90295-0
2. General information about data processing
2.1. Information on data processing independent of the website
Regardless of the visit to this website, esatus AG only processes personal data:
- To initiate employment relationships and contractual relationships
- To carry out contractual or legal obligations
- To carry out the electronic communication (e-mailing)
- For documentation of the customer and order history
- To use photos from events for promotional purposes
- For other purposes, which are explicitly indicated on consent declarations
The personal data are processed on the basis of the following legal bases:
- On the basis of a declaration of consent (Art. 6 para. 1 lit. a GDPR), e.g. when using photos of events
- For initiating or fulfilling contractual relationships (Art. 6 para. 1 lit. b GDPR), e.g. in the execution of consulting services
- To fulfill legal obligations (Art. 6 para. 1 lit. c GDPR), e.g. if data is forwarded to appropriate authorities
- To be able to respond to incoming requests in order to safeguard legitimate interest and thus to process e-mail addresses (Art. 6 para. 1 lit. f GDPR)
- For the decision to establish an employment relationship (§26 BDSG)
2.2. Information on data processing by the esatus Wallet App
If you use the esatus Wallet App, neither esatus AG nor third parties have access to personal data that you manage via the App unless you explicitly release it. All data that you wish to manage via the App will be stored on your mobile phone and will not be sent unless you explicitly consent to the sending of such data (declaration of consent according to art. 6 para. 1 lit. a GDPR). It is also possible to give a permanent declaration of consent for sending data to an existing and known connection. This function is deactivated after installation of the app and you must select it actively.
In order to guarantee the functions of the App and to ensure that personal, verified data reaches the appropriate recipient, technical information such as IP addresses, your ID at your push operator (Google or Apple) or the operating system you use is processed. The legal basis for the processing is our legitimate interest in making a functioning App available (art. 6 para. 1 lit. f GDPR). This is also the case, for example, if you activate the function for automatic download of credential images in the settings of your app.
The transmission necessary for the transport via the server provided by esatus AG (Mediation Agent) is always encrypted and can only be decrypted by the recipient and sender. We kindly ask you to consider the corresponding data protection declarations of your individual data recipient, who may process your personal data and who is to be classified as a responsible person in the sense of art. 4 no. 7 GDPR. Only agree to the processing via the esatus Wallet App by third parties if you agree with the corresponding data protection declarations.
If you use a product demo of esatus AG (e.g. the Covid Credential Demo), esatus AG will not process any further personal data of yours apart from technical data to ensure the functionality of the App. The data used to demonstrate the functionalities are test data which have nothing to do with the identity of the user.
Only cookies in the form of session IDs are used on our site. These small pieces of information are temporarily stored on your computer and deleted when the browser session ends. Session IDs are needed to make using our site more comfortable (legitimate interest of the data processing according to Art. 6 para. 1 lit. f GDPR). Session IDs allow us to identify you during your visit to our site, for example, to permanently display the language you have selected. Session IDs are usually accepted automatically by the browser. You can deactivate this function, although this can impair use of the site. Session IDs do not contain any plain text information.
4. Collecting general information
We automatically save information in our logfiles, which your browser transfers during page access. These are:
- Browser type and version
- Used operating system
- Referer URL (the previously visited website)
- IP address of the accessing computer
- Time and date of the server request
These data serve the statistical evaluation of the use of our service as well as the fight against abuse (in particular by automated mass access) and cannot be attributed by us to specific and/or identifiable persons (legitimate interest of the data processing according to Art. 6 para. 1 lit. f GDPR). This data will not be combined with other data or data sources.
5. Contact via the website
If an affected person contacts esatus AG by e-mail or the contact form, personal data voluntarily communicated will be automatically saved for the purpose of processing or contacting (legitimate interest in the processing of data according to Art. 6 para. 1 lit. f GDPR). If contact is made via the contact form, the salutation, first name, last name and e-mail address will be automatically saved for the purpose of processing or contacting (legitimate interest in the processing of data according to Art. 6 para. 1 lit. f GDPR).
6. Deletion and blocking of personal data
If the purpose of a processing ends or a legally prescribed storage or archiving period expires, the personal data will be deleted or blocked in accordance with the statutory provisions.
7. Rights of persons concerned
All of the following rights of persons concerned may be claimed at any time, e.g. by request by mail to firstname.lastname@example.org. Requests made by e-mail or to an employee will be processed and executed without delay.
7.1. Right to confirmation
Concerned persons have the right to ask for confirmation of the processing of personal data concerning them.
7.2. Right to information
Affected persons have the right to request information about their personal data free of charge and to receive a copy of them. In addition to the copy, the following information is provided:
- Processing purposes
- Categories of personal data
- Recipients or categories of recipients in third countries or international organizations
- If possible, the planned duration of the storage of personal data and, if this is not possible, the criteria for determining the duration
- The existence of further rights of concerned persons, the existence of a right of appeal with a supervisory authority
- The existence of automated decision making including profiling
- If the personal data were not collected from the concerned person, all available information about the origin of the data
In addition, should the data be transmitted to a third country or an international organization, appropriate guarantees, such as the use of EU standard contractual clauses, will be communicated.
7.3. Right to correction
Concerned persons have the right to request a correction of incorrect personal data and to demand a completion of incomplete data, taking into account the purposes of the processing.
7.4. Right to be deleted or right to be forgotten
Concerned persons have the right to request the deletion of their personal data, which will be deleted immediately upon request, if one of the following reasons applies and processing is not required:
- The personal data were collected or otherwise processed for purposes for which they are no longer necessary
- The concerned person revokes their consent to processing and there is no other legal basis for processing
- The concerned person objects to the processing and there are no overriding legitimate reasons for processing, or the concerned person objects to direct mail
- The personal data were processed unlawfully
- The deletion of the data is required to fulfill a legal obligation
- The personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR
If esatus AG has made personal data of the concerned person public and is required to delete it in accordance with Art. 17 para. 1 GDPR, esatus AG takes appropriate measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data that the concerned person has requested from these other data controllers the deletion of any links to such personal data or of copies of such personal data, unless the processing is required.
7.5. Right to restriction of processing
Concerned persons have the right to restrict processing if one of the following conditions is met:
- The accuracy of the personal data is disputed by the concerned person (for a period that allows an examination by the person in charge)
- The processing is unlawful, but the concerned person refuses deletion of the data and instead requires a restriction of use
- The person in charge no longer needs the data for the purposes of the processing, but the concerned person requires it for asserting or exercising or defending legal claims
- The concerned person has objected to the processing and it is not yet clear whether the legitimate reasons of the person responsible outweigh the legitimate interests of the person concerned
7.6. Right to data portability
Concerned persons have the right to data portability. This right entitles concerned persons to receive their personal data in a structured, common and machine-readable format. The concerned person therefore has the right to transfer this data to another person responsible or to request the transfer from the former person responsible to the new person responsible.
7.7. Right to objection
The concerned person may object to data processing based on a “legitimate interest” (Art. 6 para. 1 lit. f GDPR). As a result, further data processing is prohibited unless esatus AG can demonstrate compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the concerned person, or the processing is for the purpose of enforcing, pursuing or defending legal claims. If esatus AG processes personal data for direct mail, an objection can be filed at any time.
7.8. Automated decisions in individual cases including profiling
As a responsible company we refrain from automatic decision-making or profiling.
7.9. Right of withdrawal
Concerned persons have the right to withdraw consent to processing at any time.
7.10. Right of appeal to the supervisory authority
If you have the impression that the processing of your data violates data protection law or your data protection claims have been violated in any way, you can complain to the Hessian Data Protection Officer:
8. Duration of storage
The duration of the storage of personal data depends on the corresponding legal retention period and the purpose of the processing. As soon as the statutory retention period expires or the purpose of the processing expires, the personal data will be deleted unless they are necessary for the fulfillment of the contract or the initiation of the contract.
9. Recipient of personal data
The only recipient of personal data on this website is, besides esatus AG, Microsoft Azure (https://azure.microsoft.com/en-us/) for hosting the Notification Hub. If you are a customer, partner, supplier or other interested party of esatus AG and you are in contact with us through contractual relationships or other requests, processors such as IT support service providers or cloud providers may gain access to your personal data. In addition, cooperation with third parties may be necessary to fulfill a contractual relationship. A transfer of personal data to a third country outside the EU does not take place. In addition, if required by law, your personal information may be forwarded to the appropriate authorities.