Privacy Statement
Thank you for your interest in our company and for visiting our website. In the following privacy statement, esatus AG (hereinafter referred to as “we”, “us” or “esatus AG”) would like to inform you about the type, scope and purpose of the personal data collected, used, and processed, in order to comply with the obligation of transparency, in particular by providing information about the rights of data subjects.
Personal data is information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified directly or indirectly (e.g., by means of associating him/her with an online identifier). This includes, without being limited to, information such as the name, address, telephone number and e-mail address or other physical characteristics by which a natural person can be identified. For the purposes of this privacy statement, we will refer to you as “you”, “user”, or “data subject”.
This privacy statement applies to the website esatus.com operated by us, to the social media channels we maintain, as well as to all items under section 2.2.
1. Contact details of the Controller and the Data Protection Officer
“Controller” refers to the natural or legal person, public authority, agency, or other body which, on his/her own or jointly with others, determines the purposes and types of personal data processing.
Controller for data processing:
esatus AG
Rheinstraße 5
63225 Langen
Tel.: +49 6103 9029-0
E-Mail: info@esatus.com
Website: www.esatus.com
Data Protection Officer:
Tel.: +49 6103 9029-0
E-Mail: dsb@esatus.com
2. General information on data processing
2.1. Information on data processing in the context of visiting the website
When the website (esatus.com) is called up, esatus AG processes various personal data, depending on the type of processing. The different types of data processing are explained in the following section.
2.1.1. Operation of the website
This website is hosted by esatus AG. No data is transferred to a third country. For the secure operation of this website, data is automatically recorded in so-called log files each time the website is called up. This data is automatically transmitted to the esatus AG server by the browser you are using. The following data is transmitted:
- Browser type and version
- Operating system used
- Referrer URL (the website previously visited)
- IP address of the accessing computer
- Time and date of the server request
The legal basis for this type of processing is Art. 6 (1) sentence 1 lit. f) GDPR (legitimate interest). The provision and operation of the website as well as browser optimization and maintenance of the security of this website represent the legitimate interest of esatus AG. An evaluation of the log files takes place exclusively for the purpose of the security of this website as well as for statistical evaluations. This data is not merged with other data and data sources. To ensure security, esatus AG uses intrusion detection. Article 6 (1) sentence 1 lit. f) GDPR (legitimate interest) constitutes the legal basis for the processing of system logs for intrusion detection.
Intrusion detection involves active monitoring of computer systems and/or networks with the aim of detecting attacks and misuse. Intrusion detection works by filtering out those incidents that indicate potential attacks, attempted misuse or security breaches from all incidents occurring in the monitored area, in order to subsequently investigate them in greater depth. This will allow rapid detection and reporting of harmful incidents. Corresponding log files are created for intrusion detection. If an anomaly is identified by means of intrusion detection, the IP address concerned is traced accordingly.
Apart from esatus AG, no other companies receive the data described above. This data is stored for a period of 28 days. An exception to this is the identification of anomalies by intrusion detection. If, as a result of such incidents (e.g. attacks, attempted misuse or security breaches), data must be retained to serve as evidence, this data is exempt from deletion until the respective incident has been finally clarified. After expiration of this storage period or final clarification of the incident, all corresponding data is deleted, or the IP address is anonymized.
2.1.2. Contact via the website
You can send us an inquiry at any time via our contact form on our website. The following information will be requested:
- Salutation
- First and last name
- Federal State
- E-mail address
- Free text field, which can be filled in at your discretion
All other data that you communicate to us via the free text field is voluntary. In addition, your IP address, time, and date are automatically transmitted to us. In addition to our contact form, you can contact us via the e-mail addresses published on the website. In this case, the data contained in your message (e-mail) will be processed depending on the purpose of the message. The data is processed exclusively for the respective response to your inquiry and any related communication. Please note that, depending on your provider, e-mails are usually transmitted in unencrypted form. We can therefore not assume any responsibility for the transmission path. If you contact us by telephone, we will process your telephone number as well as all data voluntarily communicated by you during the conversation.
The legal basis for contacting us via our website depends on the content of your inquiry. In principle, the legal basis for contacts via the website is Art. 6 (1) p. 1 lit. f) GDPR (legitimate interest). The legitimate interest here is the provision of the contact functionality as well as the response to your requests transmitted via this tool. The IP address and the timestamp, which are automatically transmitted with your message, serve to prevent and trace misuse of our contact form. All data voluntarily transmitted to us by you via the free text field is processed in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR (consent). As a rule, the data transmitted by you will be deleted after final processing of your request and fulfilment of the purpose.
For information on the process of transmitting data as part of a job application, please refer to section 2.2.2.
2.1.3. Cookies
Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that allows your browser to be uniquely identified when you return to the website. Our website only uses session ID cookies. Session IDs allow us to identify you while you are visiting our site, for example, to permanently display your preferred language. Session IDs are usually automatically accepted by the browser. You can deactivate this function, but this may impair your use of the website. Session IDs do not contain any information that can be read in plain text. Session IDs are required to make the use of our website more comfortable. The legal basis for this is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). The session IDs are temporarily stored on your computer and deleted after you quit the browser session and subsequently close the browser.
2.1.4. Embedding of YouTube videos
YouTube videos are technically embedded on our website. Data processing by YouTube only begins when the data subject activates the content independently by clicking on it. The legal basis for this is Art. 6 para. 1 p. 1 lit. a) GDPR (consent). Since personal data is only transmitted by activating the content, please refer to YouTube’s privacy policy.
YouTube: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
2.2. Information on data processing independent of website visits
For instances other than web page views, esatus AG processes personal data only
- for arranging events (e.g. workshops)
- for meeting data collection obligations of the Corona Contact and Operating Restriction Ordinance of the Federal State of Hesse
- for initiating employment relationships
- for initiating contracts or fulfilling contractual or legal obligations related to the use of the “SOWL” product
- for providing the esatus Wallet App
- for carrying out electronic communication (sending e-mails)
- for external presentation and advertising purposes in social media
- for documenting customer and order history
- for using event photographs for advertising purposes
- for other purposes explicitly stated on declarations of consent.
In addition, this privacy policy also applies to esatus AG’s presence on social media (LinkedIn, Twitter and XING).
2.2.1. Event implementation
In the context of arranging and implementing events, esatus AG processes various personal data depending on the type of event, for example:
- First and last name
- Contact details (address, telephone number, e-mail address)
- Job title and job description
- Employer or educational institution
All data processed in the context of an event serves the purpose of arranging as well as conducting the respective event. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and fulfillment of a contract). Your data will be deleted after the event has been held. As a rule, no data transfer to third parties takes place. Exempt from this is the notification of the responsible health authority in the event that a COVID-19 case becomes known among participants of the respective event. The legal basis for the collection of the participants' data and its transfer to the competent authority is the fulfillment of the data collection obligations of the Corona Contact and Operational Restriction Ordinance of the State of Hesse in accordance with § 1 para 4 and § 4 CoSchuV in conjunction with § 28a para 4 IfSG and Art. 6 para 1 p. 1 lit. c) GDPR (fulfillment of a legal obligation). The data required for meeting the data collection obligations of the Corona Contact and Operational Restriction Ordinance of the Federal State of Hesse will be stored for four weeks in accordance with § 28a para 4 IfSG and will be deleted afterwards.
Information on data communicated or transmitted to esatus AG for the purpose of a recruiting event can be found in section 2.2.2.
2.2.2. Initiation of employment relationships
In the context of initiating employment relationships, esatus AG generally processes all personal data that is voluntarily communicated to us by you in electronic form or by post during the application process. This data includes, for example, personal details and qualification documents. Depending on the procedure used, the data may be transmitted by the data subject in unencrypted form.
This processing is done for the purpose of performing the application process, including communication via the various channels. The legal basis for this is Art. 6 para. 1 p. 1 lit. a) and b) GDPR (consent and implementation of pre-contractual measures), Art. 88 para. 1 GDPR (data processing in the employment context) and Section 26 para. 1 BDSG (data processing for purposes of the employment relationship). Your data will be deleted after completion of the application process and after expiry of the statutory retention period, unless an employment relationship is established.
2.2.3. External presentation as well as advertising purposes in social media
esatus AG maintains the following presences in social media for the purpose of external presentation and advertising:
- LinkedIn (LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Pl, Dublin 2, Ireland)
- Twitter (Twitter Inc., 1355 Market St #900, San Francisco, CA 94103, United States)
- XING (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)
When using social media, in addition to publishing product- and subject-specific topics, esatus AG also publishes posts about employees with reference to the business (e.g., participation in business events). Employees are usually referenced via a link to the respective profile of the employee. The following types of data are processed in this context:
- Contact data (e.g. e-mail address)
- Content data (e.g. data in a free text field)
Such presences are maintained to communicate with the users of the respective social platform and to communicate about the services of esatus AG. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Under certain circumstances, you may have given consent to one of the platform operators listed above to process your personal data pursuant to Art. 6 para. 1 p. 1 lit. a) GDPR.
No usage data (e.g. access to websites and content) or metadata (e.g. IP address) are processed by esatus AG. These data are only processed by the respective provider of the social network. We have no influence on the way your personal data are processed within the scope of these websites; in this respect we are not the responsible party within the meaning of Art. 4 No. 7 GDPR. The respective data protection declarations of the operators of the above-mentioned platforms shall apply.
2.2.4. Use of event photographs for advertising purposes
In the context of events, photographs are usually taken by esatus AG or by a service provider commissioned by us. These images are published in accordance with the declaration of consent voluntarily signed by the event participants. esatus AG uses event photographs for advertising purposes on various channels, such as the website and social media. esatus AG would therefore like to draw attention to the fact that, in the event of publication on the internet, personal data (including photos) can be accessed and stored worldwide. The data can thus also be found via search engines, for example. It cannot be ruled out that other persons or companies may link the data with other personal data available on the Internet and thus create a personality profile, modify the data or use it for other purposes.
The legal basis for this processing operation is Article 6 (1) sentence 1 lit. a) GDPR (consent). The data subject can revoke his or her consent at any time. For this purpose, we ask the data subject to send an e-mail to the following address: dsb@esatus.com. All data will be deleted as soon as the consent to use the photographs is revoked. esatus AG will delete the relevant photographs on all its channels accordingly.
2.2.5. Contract initiation procedures and contractual or legal obligations relating to the use of the product “SOWL”
SOWL is a so-called cloud agent, an identity management system for digital identities (credentials). As part of the use of SOWL, personal data is processed by the respective company that uses SOWL. In this context, the data processing may include both the process of issuing identities and credentials, and the identity verification via a corresponding credential.
SOWL can be operated either in-house (hosted by the customer) or by esatus AG (SaaS). esatus AG has no access to SOWL instances that are hosted in the respective customer’s own environment. A daily license sync is performed for SOWL. The daily license sync sends relevant metadata for the respective system to esatus AG. This metadata comprises the following data (without personal reference):
- Number of proofs
- Number of credentials issued
- Number of revocations
- Number of identities
- Number of errors
- Number of warnings
- License ID
For customers where SOWL is hosted by esatus AG, esatus AG can access the respective SOWL instance within the scope of support purposes after appropriate consent by the customer. All productive SOWL instances are hosted on Amazon Web Services (AWS). The AWS services used by esatus AG are provided exclusively within Germany. This involves server capacities that are operated in eu-central-1 (Frankfurt). The deletion of corresponding personal data is the responsibility of the respective customer who uses the SOWL instance.
If you use a product demo of esatus AG (e.g., a SOWL demo access), esatus AG does not process any further personal data from you, apart from technical data to ensure the functionality of SOWL. The data used to demonstrate the functionalities is test data that is in no way related to the identity of the user. All customers of esatus AG are explicitly requested not to use any real data with personal reference in the demo area. The SOWL demo environment is operated at Microsoft Azure, with server capacities being maintained at Microsoft Azure in the Germany West Central region.
2.2.6. Provision of the esatus Wallet App
The purpose of the esatus Wallet app is to enable quick authentication or release of personal, verified data that users store and manage independently on their end device.
Downloading the esatus Wallet app from the Apple App Store or the Google Play Store
When personal data is processed upon downloading the app from the Apple App Store or the Google Play Store to your mobile device, we cannot influence the way this data is processed. On the part of esatus AG, no data is processed in this context. For information on the processing of your personal data in the context of store downloads, please refer to the privacy policy of the respective provider.
The Apple App Store and the Google Play Store provide esatus AG with information on the downloads made via the customer area. This is anonymized data that is provided exclusively for statistical purposes. The information provided comprises the following data:
- Manufacturer
- Operating system version
- App version
- Device name
- Country
The legal basis for data processing in the context of technical provision is Art. 6 (1) p. 1 lit. f) GDPR. We have no influence on the collection and processing of this data, which is carried out by the app store selected by you. In this respect, we are not the responsible party within the meaning of Art. 4 No. 7 GDPR.
Using the esatus Wallet App
When using the esatus Wallet App, neither esatus AG nor third parties have access to the personal data that users manage via the App. Exempt from this is the explicit release of specific data by the user of the esatus Wallet App. In this case, the user can see which of his or her data is requested by a third party and must actively agree to this transfer.
In order for a data sharing request to be sent to you, the first step is to scan the corresponding QR code on the website with the esatus Wallet App on your device. After scanning this QR code, you will receive a connection request. In order to be able to continue using the service, it is necessary to accept the connection request. For establishing the connection, unique decentralized identifiers (DIDs), which were generated explicitly for this connection, are exchanged between you and the service provider. Once the connection has been successfully established, you start the actual proof process by scanning another QR code. During this process, you are presented with a request, similar to the connection setup. This request is sent to you via the encrypted connection which has previously been established. Only when you click “share” on the request will the data be transferred. When transferring your data, secure transport encryption (https) as well as asymmetric encryption is used, by applying the DIDComm protocol. For more information, please refer to the documentation provided by the W3C (see the DIDComm Messaging Specification at identity.foundation).
During this process, the respective third party (service provider) becomes the processor of the data and receives it directly at the specified service endpoint. All data that the user wants to manage via the app will be stored on his/her cell phone and will not be sent unless the user explicitly agrees. In addition, there is the option to give a permanent consent to send data to an existing and known connection. This function is deactivated after installation of the app and the user must actively select it. The legal basis for both processing procedures in this case is Art. 6 (1) p. 1 lit. a) GDPR (consent). This consent can be revoked at any time.
Furthermore, the Wallet App offers the functionality to automatically download credential images. This function is deactivated by default, but you can activate it at your discretion. The legal basis here is Art. 6 (1) sentence 1 lit. a) GDPR (consent). If this function is activated, information such as the IP and credential definition is transmitted to esatus AG.
In the case of processing or transmission of personal data relating to you by a so-called proof (proof request) from third parties, please refer to the relevant data protection statements of the third party for information on the processing of the data relating to you. esatus AG has no access to the incoming and outgoing connections of third parties and cannot view any data in this context.
Ensuring functionality of the esatus Wallet App
To maintain the functionality of the esatus Wallet App and to ensure that personal, verified data arrives at the appropriate recipient, we process technical information such as:
- IP addresses,
- your device ID with your push service operator (Google or Apple), or
- Your operating system used.
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest). Our interest here is to be able to inform the user about activities even when the app is closed and to provide fast response times in the process flow.
Push service for message broadcasting
The push service is an operating-system-level function for notifications that are sent to your mobile device even if you are not currently using our app. You can turn these push notifications on and off at any time in the app settings of your mobile device (Apple device). If you activate push notifications or allow the sending of push notifications when starting the app for the first time, a unique identification number of your mobile device (device ID) is communicated to the service that provides the push functionality at your operating system provider (for Android: “Firebase Cloud Messaging”, for iOS: “Apple Push Notification Service”). The consent for sending push notifications can vary depending on the provider; the previously explained process regarding consent when opening the app for the first time corresponds to Apple’s procedure. The push service returns a so-called identifier (“Push Notification Identifier”), which no longer allows any conclusions to be drawn about the device ID and thus about you as the user. Afterwards, communication with the push server always takes place via this identifier. The sole purpose of processing the identifier is to provide the push service. For information on the push service, please refer to the privacy policy of your respective operating system provider, as this is an internal operating system process.
When processing data in this context, recipients of relevant data are Microsoft Azure for hosting the Notification Hub and Google for the Push Notification Services under Android devices as well as Apple for Push Notification Services under iOS devices.
Verifying the security of the esatus Wallet App
To check the security of the esatus Wallet app and its ongoing development, we use the SafetyNet service from Google. Since this service is already pre-installed on your device as part of Google Play Services, no data processing takes place on the part of esatus AG. In this respect, please refer to the privacy policy of the operating system manufacturer.
Mediation Agent
The incoming transmission required for the transport via the server provided by esatus AG (Mediation Agent) always takes place via secure transport encryption (https), as well as via asymmetric encryption using the DIDComm protocol. It can only be decrypted by the sender and the recipient. For more information on the DIDComm protocol, please refer to the W3C documentation (see www.w3.org/TR/did-core/). For further information on the processing of personal data by the sender of requests (third parties), please refer to the relevant privacy statements of the individual data recipient, who may be processing your personal data and is to be classified as a controller within the meaning of Art. 4 No. 7 GDPR. The Mediation Agent is operated on servers of AWS. These server capacities are maintained in the AWS eu-central-1 (Frankfurt) region.
Using the product demo
If you use a product demo of esatus AG (e.g., the Covid Credential Demo on the website), esatus AG will not process any further personal data from you other than technical data to ensure the functionality of the app and the data already mentioned above (see 2.1 and 2.2.6). The data used to demonstrate the functionalities is test data that has nothing to do with the identity of the user. For more information on the processing of technical data to maintain security and the legal basis of this processing, please refer to the above.
2.2.7. Documentation of customer and order history and related processing purposes
As part of the documentation of customer data and order history, esatus AG processes personal data that has been transmitted to us by our customers or future customers. These are, for example, without being limited to:
- Full name
- Salutation
- Complete address
- Bank data (e.g. IBAN)
- Other information necessary for the performance of the contract.
The purpose of this processing is the proper maintenance of our business activities and the traceability of business processes. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest) and Art. 6 para. 1 p. 1 lit. b) GDPR (implementation of pre-contractual measures and contract performance). For all data that you voluntarily transmit to us in this context, Art. 6 para. 1 p. 1 lit. a) GDPR (consent) is to be considered the relevant legal basis. All corresponding data will be stored by esatus AG for the duration of the fulfillment of the purpose. In addition, further processing may be necessary to meet legal obligations. When personal data is processed for the fulfillment of legal requirements (e.g. retention periods under commercial or tax law) in connection with the business activities of esatus AG, Art. 6 para. 1 sentence 1 lit. c) GDPR (legal obligation) forms the relevant legal basis. Processing is carried out until the legal obligations are fulfilled.
In addition, processing of personal data may be necessary for the assertion of legal claims. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR (legitimate interest), our interest being the clarification and possible defense of claims. Processing will only take place within the scope of and until the conclusion of the assertion of any claims.
3. Rights of the data subjects
All of the following rights of data subjects can be exercised informally at any time, e.g., by sending a request by e-mail to dsb@esatus.com. By addressing the request by e-mail or by contacting an employee, the request will be processed and carried out without delay. The rights mentioned below apply to all processing activities of esatus AG.
The data subject concerned has the right to revoke his or her previously given consent pursuant to Art. 6 (1) p. 1 lit. a) GDPR for the processing of his or her personal data at any time in the future. The legality of processing your personal data before the consent revocation remains unaffected.
3.1. Right of access by the data subject according to Art. 15 GDPR
Data subjects have the right to obtain confirmation as to whether personal data concerning them are being processed.
In addition, data subjects have the right to request, free of charge, information about the personal data concerning them and to obtain a copy thereof. In addition to the copy, the following information will be provided:
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients in third countries or international organizations
- If possible, the planned duration of the storage of the personal data and, if this is not possible, the criteria for determining the duration
- The existence of other data subject rights, the existence of a right of appeal to a supervisory authority
- The existence of automated decision-making, including profiling.
- If the personal data has not been collected from the data subject, any available information about the origin of the data
In addition, if the data is transferred to a third country or an international organization, appropriate safeguards, such as the use of EU standard contractual clauses, will be communicated.
3.2. Right to rectification according to Art. 16 GDPR
Data subjects have the right to request rectification of inaccurate personal data and to request completion of incomplete data, taking into account the purposes of the processing.
3.3. Right to erasure or right to be forgotten according to Art. 17 GDPR
Data subjects have the right to request erasure of personal data concerning them, which shall be erased immediately upon request, provided that one of the following reasons applies and the processing is not necessary:
- The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject revokes his or her consent to the processing and there is no other legal basis for the processing.
- The data subject objects to the processing and there are no overriding legitimate grounds for processing, or the data subject objects to direct marketing.
- The personal data have been processed unlawfully.
- The erasure of the data is necessary for compliance with a legal obligation.
- The personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.
If esatus AG has made personal data of the data subject public and is obliged to erase it pursuant to Article 17 (1) GDPR, esatus AG shall take reasonable steps, taking into account the available technology and the cost of implementation, to inform other data controllers who process the published personal data that the data subject has requested the erasure of all links to or copies of the personal data, unless the processing is necessary.
3.4. Right to restriction of processing according to Art. 18 GDPR
Data subjects have the right to restrict processing if one of the following conditions is met:
- The accuracy of the personal data is contested by the data subject (for a period of time that permits verification by the controller).
- The processing is unlawful, but the data subject objects to erasure and requests restriction of use.
- The controller no longer needs the data for the purposes of the processing operations, but the data subject needs them to assert, exercise or defend legal claims.
- The data subject has objected to the processing, and it is not yet clear whether the legitimate grounds of the controller or the data subject’s interests worthy of protection prevail.
3.5. Right to data portability according to Art. 20 GDPR
Data subjects have the right to data portability. This right entitles data subjects to receive their respective personal data in a structured, common, and machine-readable format. The data subject thus has the right to transfer this data to another controller or to request the transfer from the old controller to the new controller.
3.6. Right of objection according to Art. 21 GDPR
The data subject may object to data processing based on Art. 6 (1) p. 1 lit. f) GDPR (legitimate interest). As a result, further data processing will be prohibited unless esatus AG can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising, or defending legal claims. If esatus AG processes personal data for direct marketing purposes, the user may object to such processing at any time.
For the notification of an objection, we ask the data subject to send an e-mail to the following address: dsb@esatus.com or to contact us by post. The postal address can be found in the contact details of the person responsible and the data protection officer.
3.7. Automated decisions in individual cases including profiling according to Art. 22 GDPR
As a responsible company, we do not use automated decision-making or profiling.
3.8. Right to complain to the supervisory authority pursuant to Art. 77 GDPR
If you have the impression that the processing of your data violates data protection law or that your data protection rights have been violated in any way, you can complain to the Hessian Data Protection Commissioner: https://datenschutz.hessen.de/service/beschwerde
4. Duration of storage
The duration of the storage of personal data depends on the corresponding statutory retention period and the purpose of the processing. As soon as the legal retention period expires or the purpose of the processing ceases to exist, the personal data will be deleted unless it is required for the performance or initiation of a contract. Justified deviations may arise in the context of individual processing operations, to which we will refer separately.
Due to the ongoing development of our website as well as our other offers, or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy.
Editing status: 26.10.2021