Data privacy statement
We are very glad about your interest in our enterprise. Data protection is of particular importance to the management of Virtual Solution AG (hereinafter “Virtual Solution” or “we”). Personal data are at all times processed in compliance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (GFDPA). In this data privacy statement, we inform you of the collection of personal data from data subjects in accordance with Article 13 GDPR.
This data privacy statement uses, inter alia, the following terms, as they are defined in the GDPR:
a) Personal data
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c) Restriction of processing
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
”Processor” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
h) Third Party
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name und contact details of the controller
The controller for the processing of personal data under this data privacy statement is: Virtual Solution AG Blutenburgstr. 18 80636 Munich Germany Phone +49 89 30 90 57 0 Email: Kontakt@virtual-solution.com Website: www.virtual-solution.com
3. Contact details of the data protection officer
The data protection officer of Virtual Solution AG is: Peggy Seeberger Virtual Solution AG Blutenburgstr. 18 80636 Munich Germany Phone: +49 89 30 90 57 0 Email: email@example.com
4. Processing of personal data on the website of Virtual Solution – Purposes and legal bases; Recipients
a) Collection of personal data and information when accessing the website of Virtual Solution
Upon each access to the website of Virtual Solution by a user, information without any personal reference and personal data of that user will be collected and stored in the log files of the servers of Virtual Solution. The following is collected and stored: (1) the browser types and versions used, (2) the operating system used by the user, (3) the website from which the user accesses our website (“referrer”), (4) the subsites called up by the user on our website, (5) the date and time of the access to our website, (6) the user’s IP address, (7) the user’s Internet service provider, and (8) other similar data and information which serve the defence against attacks on our information systems. That information and those personal data are required to correctly deliver the contents of our website, to optimise the contents of, and advertising for, our website, as well as to warrant the permanent functionality of our information systems and our website and to protect them against attacks and damage. The personal data and information collected on that basis are evaluated by Virtual Solution statistically and for the purpose of enhancing data protection and data security within our enterprise in order to warrant a level of protection for the personal data processed by us which is adequate given the risk. The personal data and information collected when you access the website will be stored separately from other personal data of the data subject, and any personal data collected upon an access to the website, in particular, the user’s IP address, will be deleted, at the latest, seven days from their collection, unless an attack or a threat by the user was discovered. Those personal data will not be disclosed to third parties. To the extent that we collect and use personal data of the user such as, in particular, the user’s IP address, upon an access to the website of Virtual Solution, the legal basis therefor is Article 6(1)(f) GDPR, as that processing is necessary to safeguard the controller’s legitimate interests. The legitimate interests of Virtual Solution pursued thereby are the enhancement of data protection and data security within our enterprise in order to warrant a level of protection for the personal data processed by us which is adequate given the risk, and to protect our information systems and our website against attacks and damage.
b) Registration on, and contact through, the website of Virtual Solution
Data subjects have the option to register on the website of Virtual Solution, while providing personal data, or to contact Virtual Solution. What personal data will be transmitted to Virtual Solution in that respect results from the respective entry mask or contact form for the registration or contacting, respectively. The personal data transmitted by the data subject to Virtual Solution in that respect will only be collected and stored for the purposes pursued by the registration or to process the contact request by the data subject. Those personal data will not be transmitted to third parties. The legal basis for the processing of those personal data is Article 6(1)(b) GDPR, as the processing is necessary for the performance of a contract between Virtual Solution and the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
c) Direct advertising, product information and newsletters of Virtual Solution
On the website, we offer the transmission of direct advertising, product information and newsletters from Virtual Solution by email. To do this, we require the email address of the data subject. We may use the email address received by us from the data subject in connection with a contract for the use of products of Virtual Solution for direct advertising regarding our own similar goods or services, unless the data subject has objected to such use. The legal basis for such use is Article 6(1)(f) GDPR, as the processing is necessary for the purposes of the legitimate interests pursued by Virtual Solution. The legitimate interests pursued by Virtual Solution thereby are the advertising of products and services to clients. Data subjects may any time object to that use in accordance with the note at the end of this document regarding the right to object in accordance with Article 21 GDPR, without incurring any transmission costs other than those under the base rates. In other respects, we will collect and process the email address of the data subject in order to send direct advertising, product information and newsletters from Virtual Solution by email, provided that the data subject has granted their prior consent. That consent will be logged, and the data subject may at any time retrieve the contents of the consent, as well as that note. Data subjects may at any time revoke their consent with effect for the future, as described in the following declaration of consent. The declaration of consent reads as follows: ”I hereby agree that Virtual Solution AG may in future regularly inform me of product news and offers from the area of mobile security by email and may send me email newsletters. To this end, Virtual Solution AG may store and use the email address stated by me. I may at any time revoke that consent with effect for the future. The revocation may be sent by mail to Virtual Solution AG, Blutenburgstr. 18, D-80636 Munich, or by email to firstname.lastname@example.org. In addition, the email advertising and the email newsletter may also be unsubscribed by clicking the link at the end of the email.“ The legal basis for the processing of those personal data is the consent of the data subject (Article 6(1)(a) GDPR). To send direct advertising, product information and the email newsletter of Virtual Solution, we use the services of CleverReach GmbH & Co. KG, Mühlenstr. 43, D-26180 Rastede, as processor. For the purpose of that sending, we transmit to CleverReach the email address and the voluntary data provided by the data subject in connection with the consent to the newsletter.
f) Use of Google AdWords
g) Use of YouTube
Virtual Solution has integrated videos of YouTube on its website, which are stored at http://youtube.com, for the purpose of being able to play those videos directly on our website. Upon each calling-up of a website of Virtual Solution on which a YouTube video was integrated, YouTube and Google will obtain knowledge which specific subsite of our website is used by the user. In addition, the following information and personal data of the user will be transmitted to YouTube: IP address, date and time of the request and the time zone, the website called up, the transferred data volume, the browser, operating system and its surface, the language and version of the browser software. YouTube and Google will always be notified via the YouTube component that a user visited our website if the user is logged in at YouTube or Google at the same time, regardless of whether or not the user clicks on a YouTube video. That information will be allocated to the user’s account with Google or YouTube, respectively. If the user does not wish such a transmission of that information to YouTube and Google, the user can also prevent the transmission by logging off from the user’s YouTube account before accessing our website. YouTube will store the data collected about the users as user profiles and use the same for the purposes of advertising, market research and/or the structure of its website as needed. Any such analysis will be made, in particular, (also for users who have not logged in) to display demand-oriented advertising and to inform other users of Google and YouTube of the activities of the user on our website. Users have a right to object to the creation of those user profiles, which right must be exercised as against YouTube. The legal basis for the use of YouTube by Virtual Solution is Article 6(1)(f) GDPR, as that use is necessary to safeguard the controller’s legitimate interests. The legitimate interests pursued by Virtual Solution thereby are the display of demand-oriented advertising and information in the form of YouTube videos and to inform other users of the social network of the activities of users on our website. YouTube is offered by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube LLC is a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information regarding the purpose and scope of the collection of the data and their processing by YouTube can be called up at https://www.google.de/intl/de/policies/privacy/ and https://www.youtube.com/yt/about/de/. Google has implemented the certification under the EU-US Privacy Shield (see https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI), so that an adequate data protection level exists.
5. Processing of personal data when using the products of Virtual Solution – Purpose and legal basis; Recipients
When clients use the products, ”SecurePIM”, ”SecurePIM Management Portal“ and ”SecurePIM Gateway“, of Virtual Solution, the following personal data about the client will be collected and processed for the following purposes:
The software, ”SecurePIM“, serves the encrypted storage of emails, contacts, appointments and other data on the mobile device of the client, or the client’s employees. As a supplement thereto, the software, ”SecurePIM Management Portal“, serves the central configuration settings of the software, ”SecurePIM“, on the client’s mobile devices. The software, ”SecurePIM Gateway“, serves the secure access of the SecurePIM App to the client’s internal company network. To settle the business relationships with its clients, and for the internal processing of the business transactions, Virtual Solution uses electronic data processing. When installing the software, ”SecurePIM“, and when using the software, ”SecurePIM Management Portal“ and ”SecurePIM Gateway“, only the email addresses of the users will be transmitted by the client to Virtual Solution and be stored there centrally. In addition, the data which are relevant for the operation of the software, for example the validity of the licence, and what modules have been activated, will be stored.
b) SecurePIM Management Portal
In addition, the licence management and the SecurePIM Management Portal serve the purpose of registering the licences and issuing the licence certificates. Furthermore, analyses of the licences and their use may be made in the License Manager (CLM). Through the Secure PIM Management Portal, the following types of personal data of the client and all persons registered by the client in the SecurePIM Management Portal will be collected and processed:- person master data (e.g., first and last name)- communications data (e.g., phone, email)- other:– user name for the log-in at the admin console– public certificates– transport-PIN-protected p12 container– push-notification token– device information (version number of the SecurePIM software release, device type, device number, operating system of the device, version of the operating system, language set in the operating system)- other personal data collected by the client on its own in the portal in addition In the SecurePIM Management Portal, all devices, as well as the configuration of the SecurePIM App, for all SecurePIM users of the client will be managed. When using SecurePIM, the settings made in the SecurePIM Management Portal will be exchanged between that portal and the SecurePIM App. In connection with the user administration, email notifications will be sent from the SecurePIM Management Portal automatically or by an administrator to the SecurePIM App or the user of the SecurePIM Management Portals, respectively. Use of the Auto PKI (Public Key Infrastructure) module: When using the AutoPKI module, a p12 Container (with a public key and private key) will be created for the respective user of the SecurePIM App and a CSR (Certificate Signing Request) to a CA (certificate authority) will be triggered. The created p12 container and the encrypted transport PIN (password for the p12 container) will be stored in the SecurePIM Management Portal and transmitted to the user separately from one another. Use of the SecurePIM LDAP module: When using the SecurePIM LDAP module, the email address and the SMIME certificate of the respective user of the SecurePIM App will be stored on the SecureLDAP (public LDAP, available via the Internet). Use of the email verification module: When using the email verification module, for the purpose of verifying the access to the user’s email account, emails will automatically be sent from Licence Management (CLM) to the email address stored in the SecurePIM Management Portal for the SecurePIM user.
c) Place of data processing
Those personal data will be stored, processed and used exclusively in the territory of the Federal Republic of Germany, a Member State of the European Union or another contracting state of the Agreement on the European Economic Area.
d) Legal basis
Virtual Solution collects, processes and uses those personal data exclusively for the performance of the contract with the client and stores those personal data in a safe place. That processing of personal data of the client by Virtual Solution is necessary for the performance of the contract with the client on the basis of Article 6(1)(b) GDPR.
e) Commissioned processing
If the client has the software, “SecurePIM Management Portal“, hosted by Virtual Solution, the parties shall enter into a separate agreement regarding commissioned data processing in accordance with Article 28 GDPR, under which Virtual Solution acts as a processor of the client.
f) Recipient of personal data
If the software, ”SecurePIM Management Portal“, is hosted by Virtual Solution as a processor, Virtual Solution will, in turn, use subcontractors in accordance with the agreement on commissioned data processing in accordance with Article 28 GDPR. Virtual Solution has commissioned M-net Telekommunikations GmbH, Emmy-Noether-Str. 2, D-80992 Munich, as the operator of the computer centre and hosting provider. In other respects, those personal data will not be disclosed to third parties.
g) Use of “crashlytics” in the SecurePIM App
Virtual Solution has integrated crashlytics in its SecurePIM App. crashlytics is a programme with the purpose of analysing and fixing errors of the SecurePIM App and improving the SecurePIM App. When the SecurePIM App crashes, certain data regarding the incident will be transmitted to crashlytics; those data are the device type, the version of the operating system, data regarding the hardware of the mobile device, as well as the current position in the source code and the time of the crash, and the condition of the application at the time of the crash. crashlytics will neither collect nor transmit the user’s IP address or any other data by which the user or the affected mobile device can be identified. crashlytics is offered by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information regarding the purpose and scope of the collection of the data and their processing by crashlytics can be called up at http://try.crashlytics.com/terms/. Google has implemented the certification under the EU-US Privacy Shield (see https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI), so that an adequate data protection level exists. The legal basis for the use of crashlytics by Virtual Solution use is Article 6(1)(f) GDPR, as the processing is necessary for the purposes of the legitimate interests pursued by Virtual Solution. The legitimate interests pursued by Virtual Solution thereby are the error analysis, error fixing and improvement of the SecurePIM App.
6. Processing of personal data in relation to the support for the products of Virtual Solution – Purpose and legal basis; Recipients
Virtual Solution collects and processes personal data for the purpose of providing support for its products. Clients, or prospective clients, may submit support requests regarding the following topics over the phone, by email or via the website of Virtual Solution:
- questions regarding the configuration
- questions regarding the general functionality
- reporting of technical problems
- questions regarding change requests
- other technical inquiries
The support requests received, and the personal data transmitted by clients, or prospective clients, will be stored in an internal ticket system of Virtual Solution and will be used for the purpose of documenting and processing the support request, as well as for the purpose of contacting the respective client/prospective client in order to provide relevant feedback. Upon the creation of a ticket in the ticket system of Virtual Solution, the system will send an automatic email to the email address from which the notification was sent. That response includes, inter alia, a link through which the client, or prospective client, can look at the created ticket. Employees of Virtual Solution, the distribution partner of Virtual Solution in charge of the client, as well as the email addresses stated upon the creation of a ticket (data subject who created the ticket, as well as “cc” addressees (if any) entered by the data subject), can access a support ticket. The administration of the tickets is logically separated and sorted by organisation, so that a distribution partner of Virtual Solution may only access tickets of the clients supported by the distribution partner. That processing of personal data of the client, or prospective client, by Virtual Solution is necessary for the performance of a contract between Virtual Solution and the data subject or in order to take steps at the request of the data subject prior to entering into a contract and is based on Article 6(1)(b) GDPR.
7. Processing of personal data for distribution purposes – Purpose and legal basis; Recipients
Virtual Solution collects and processes the personal data of prospective clients for the purpose of submitting offers and for distribution purposes, if a prospective client contacts Virtual Solution and expresses his or her interest in the products of Virtual Solution. The contact data submitted by the prospective client to Virtual Solution will be stored and processed in the CRM system of Virtual Solution and will be deleted after one year, at the latest, unless the data are processed for another lawful purpose. Virtual Solution will transmit the personal data of prospective clients collected by Virtual Solution for the purpose of submitting an offer and for distribution purposes to distribution partners for further operational processing and contacting the prospective client. That processing of personal data of prospective clients by Virtual Solution is either based on a consent by the prospective client (legal basis: Article 6(1)(a) GDPR) or is necessary to take steps prior to entering into a contract (legal basis: Article 6(1)(b) GDPR).
8. Processing of personal data in relation to job applications and in application procedures – Purpose and legal basis; Recipients
Virtual Solution collects and processes personal data of applicants for the purpose of carrying out the application procedure. Processing may also be made electronically, for example, if an applicant submits relevant application documents by email or uses the applicant portal, BITE, of BITE GmbH, which is offered on the website, to submit an application online. Virtual Solution has instructed BITE GmbH, Resi-Weglein-Gasse 8, D-89077 Ulm, with the processing of the personal data of an online application as processor, and we transmit to BITE GmbH the data collected from the data subject in connection with an online application to this end. If Virtual Solution enters into an employment contract with the applicant, the transmitted data will be stored for the purpose of performing the employment relationship in compliance with the statutory provisions. If Virtual Solution does not enter into an employment contract with the applicant, the application documents will be deleted two months from the rejection, unless a longer storage is necessary owing to legitimate interests of the controller. Such legitimate interest might exist, for example, in the event of proceedings under the German General Equal Treatment Act. Those personal data will not be disclosed to third parties. That processing of personal data of applicants by Virtual Solution is necessary to carry out an application procedure and is based on Article 6(1)(b) GDPR, as well as § 26 GFDPA.
9. Duty of data subjects to provide personal data and potential consequences of a failure to provide personal data
Data subjects are obliged to provide us with personal data if we enter into a contract with them. A consequence of a failure to provide the personal data would be that the contract with the data subject cannot be entered into. In addition, the provision of personal data is necessary for the use of the products and the website of Virtual Solution. A consequence of a failure to provide the personal data would be that the products or the website of Virtual Solution cannot be used at all, or that the scope of functions will be limited
10. No automated decision-making; No profiling
We do not use automated decision-making or profiling.
11. Storage period and deletion of personal data
Virtual Solution stores personal data of data subjects only as long as this is necessary for the purposes for which they were processed, unless statutory provisions required a longer retention period. If the purpose for which the personal data were collected or stored no longer exists, the data will be routinely deleted.
12. Rights of data subjects
Data subjects have the following rights:
- Right of access to the relevant personal data (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to object to the processing if the processing is made on the basis of Article 6(1)(e) or Article 6(1)(f) GDPR (Article 21 GDPR); see also the note regarding the right to object pursuant to Article 21 GDPR at the end of this document
- Right to data portability (Article 20 GDPR)
- Right of the data subject to revoke a granted consent at any time, without this affecting the lawfulness of the processing made before the revocation, if the processing is based on a consent in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
13. Modifications of this Data Privacy Statement
On a case-by-case basis, it will be necessary to adapt and modify the contents of this Data Privacy Statement. Therefore, Virtual Solution reserves the right to modify this Data Privacy Statement and will transmit the modified version to the data subject before the modified version takes effect and will publish the modified Data Privacy Statement at the same place as this Data Privacy Statement.
Note regarding the right to object pursuant to Article 21 GDPR
1. Right to object on grounds relating to a particular situation
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is made on the basis of Article 6(1)(e) (public interest) or Article 6(1)(f) (data processing on the basis of the weighing of interests) of the GDPR; this applies also to any profiling based on those provisions. Virtual Solution will no longer process the personal data, unless Virtual Solution is able to demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or the processing serves the establishment, exercise of defence of legal claims.
2. Right to object in relation to direct marketing
If Virtual Solution processes personal data for direct marketing purposes, data subjects have the right to object at any time to the processing of personal data concerning them for the purpose of such marketing; this applies also to any profiling related to such direct marketing. If data subjects object to the processing for direct marketing purposes, the personal data will no longer be processed for such purpose.
3. Exercise of the right to object
The right to object may be exercised without a specific form, for example, by a letter to Virtual Solution AG, Blutenburgstr. 18, D-80636 Munich, or by email to email@example.com.