Privacy statement

The protection and security of your personal data is important to us, which we take into account in all our business processes. In this privacy policy, we therefore provide you with an overview of the data protection-relevant aspects of our online offerings and data processing as part of contract performance. In the following, we explain:

• What data we collect when you visit or use our online offerings or have concluded a contract with us.
• For which purposes this data is processed by BlueID affiliated companies and third parties.
• What rights and choices you have regarding the processing of your data.· How you can contact us about data protection.

This privacy policy applies to the BlueID GmbH website under the domain https://www.blue-id.com/, https://www.blueid.net/ and https://www.blueid.de (hereinafter “website”), our BlueID app and the social media offerings of BlueID GmbH on LinkedIn, with the exception of social media offers created explicitly for the Klassenalarm app, (hereinafter collectively “social media offers”). It also contains information on the processing of your personal data within the framework of contracts concluded with us.

You can ask them for information about the processing of your personal data by our clients (e.g. your employer). Companies affiliated with us each have their own information about the processing of your personal data.

The person responsible for data processing within the meaning of the EU General Data Protection Regulation (hereinafter “GDPR”) is

BlueID GmbH
Schellingstraße 109a
80798 Munich

When reference is made to “we”, “us” or “BlueID” in this privacy policy, this exclusively means BlueID GmbH.

BlueID's company data protection officer can be reached at datenschutz@blueid.net or by post:

BlueID GmbH
Z.hd. data protection officer
Schellingstraße 109a
80798 Munich

2.1. Automatically collected access data

You can visit our website without giving any information about yourself. Only access data is then collected, which is automatically transmitted to us by your browser. This includes, for example, your online identifiers (e.g. IP address, session IDs, device IDs), information about the web browser and operating system used, if applicable the website from which you accessed our website (i.e. if you accessed our website via a link), the names of the requested files (i.e. which texts, videos, images, etc. you viewed on our website), the language settings of your browser, any error reports and the times of the individual accesses.

The processing of this access data is necessary to enable you to visit and use our website comfortably and to ensure its long-term functionality and security.

The access data is also stored in internal log files for a short time in order to create statistical information about the use of our website. This enables us to continuously optimize and further develop our website with regard to the usage habits and technical equipment of our users and to eliminate faults and security risks. The information stored in the log files does not allow any direct conclusions to be drawn about you personally. This includes information as to whether you have accessed our website directly or accessed ours via other websites, from which country you are reaching us and from which device you are accessing our website.

The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR (balancing of interests based on our legitimate interests mentioned above).

2.2. Your messages and communications

We collect all information and data that you provide to us via our website or via associated e-mail addresses. For example, you can contact us via functions such as the “contact form” or by telephone. In some cases, you can also send us files (e.g. PDF documents) via various contact channels. Any mandatory information required for these functions is usually identified.

Your information will only be used by us to process your request. We delete the resulting data after storage is no longer necessary, or restrict processing if there are legal storage obligations.

Your message will only be passed on to another BlueID affiliated company or to external third parties insofar as this is necessary to process your request (for example, we will forward your message to our external data protection officer if he is responsible for your request). If you do not want your message to possibly be passed on to another company or third party, you can inform us of this — as a precautionary measure, of course — directly in your message. We will then process your message without such information that can be used to identify you (e.g. name, customer number or contact details). Processing of your personal data in connection with messages and communications that goes beyond the above description may also take place after obtaining your consent or to initiate, fulfill or process a contract.

We sometimes offer you the opportunity to leave a comment on our website (e.g. in our community blog) visible to all users. The comments may be published after an editorial review and deleted at the latest when you withdraw or object. You also have the option to delete the comments yourself. Your name, email address and, if applicable, your profile picture will be publicly displayed after publication. The information that is visible in each case can be found in the settings of your community administration or profile with which you registered (e.g. Microsoft account).

The legal basis for the data processing described above in the event of contract initiation, fulfilment or processing is Art. 6 para. 1 lit. b) GDPR. If you contact us for general purposes or leave a comment on our website or, if applicable, have consented to the transfer or processing of the data you have provided, the legal basis is Art. 6 para. 1 lit. a) GDPR.

2.3. cookies

We use our own and third-party cookies to improve the presentation and content of our website. A cookie is a standardized text file that is stored by your browser for a fixed period of time. Cookies allow information such as language settings and temporary identification features to be stored locally, which can be retrieved by the server that set the cookie during subsequent website visits. Cookies also enable us to statistically record and analyze general usage behavior when visiting our website. In addition, we use services from external service providers who process the access data generated when using our website to enable interest-based advertising to be displayed, for example as part of search queries.

We only use optional cookies and comparable technologies for marketing and analysis purposes if you have given your consent to data processing in accordance with Art. 6 para. 1 lit. a) GDPR, for data transfer to third countries in accordance with Art. 49 para. 1 lit. a) GDPR and for the storage of information or access to existing information on your device in accordance with § 25 para. 1 TTDSG via our cookie banner. For the risks associated with data transfer to third countries, please see section 6.3.

To collect and manage consents and any withdrawals, our website uses a program to document your consent. We use this and other technically necessary cookies on the basis of Art. 6 para. 1 lit. f) GDPR to document your consent. Since these are absolutely necessary cookies, the storage of information or access to existing information on your device in these cases is carried out in accordance with Section 25 (2) TTDSG.

If you delete the cookies, we will ask you for your consent again when you visit the page later.

We use optional third-party cookies for web analysis and advertising purposes. You will find more detailed information about this later in this privacy policy.

2.3.1. Google Tag Manager

On our website, we optionally use Google Tag Manager, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). The Tag Manager is used by us to manage the tools and external services that we use on our website and allows the use of so-called tags. A tag is a code element that is stored in the source code of a website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data and which are further explained in this privacy policy. Some of the data is processed on a Google server in the USA. For more information about Tag Manager, see the Google's privacy policy.

2.3.2. Google Analytics

‍ On our website, we optionally use the web analysis service Google Analytics, which is offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). According to Google, the contact person for all data protection issues is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GoogleAnalytics uses cookies and similar technologies to analyze and improve our website based on your user behavior. The access data is combined into pseudonymous user profiles by Google on our behalf and transferred to a Google server in the USA. Your IP address is anonymized beforehand. We are therefore unable to determine which user profiles belong to a particular user.

Based on the data collected by Google, we can therefore neither identify you nor determine how you use our website. Google will use the information obtained through cookies on our behalf to evaluate the use of our website, compile reports on website activity, and provide us with other services related to website activity and Internet usage. If you have not agreed to the use of analytical cookies, your data will not be collected as part of Google Analytics. In addition to the option set out above to withdraw your consent or adjust the selection of cookies, you also have the following other options to prevent web analysis by Google:

• You can set your browser to block cookies from Google Analytics.
• You can your Google ad settings Customize on Google.
• You can refuse consent in the cookie settings.

3.1. Customer and partner management

To manage our business contacts, we process information about our contract partners (in particular address, any branches, authorized representatives and their contact details, hereinafter “company data”) as well as information about the respective contact persons (in particular name, position, professional contact information, hereinafter “contact details”) and any communication with you. We use this data to be able to reach the appropriate contact person when you contact us, to be able to process your concerns and orders properly and to maintain our business relationship and provide the contractual services. The legal basis is Art. 6 para. 1 lit. b) GDPR.

3.2. Orders, order management and billing

As part of order processing and billing, we collect information on offers, orders and invoice items as well as information on bank details (e.g. for SEPA direct debit mandates). We may also use the data to refund credits. Contact details of contact persons can also be processed in this context. The legal basis is Art. 6 para. 1 lit. b) GDPR.

3.3. Credit checks

If necessary, we will obtain credit checks from a credit agency. This query helps us to better assess the liquidity of our contract partners and to minimize default risks in (partial) orders when paying on account. No credit checks are carried out on employees of the contractual partner. The legal basis for the above data processing is Art. 6 para. 1 lit. f) GDPR.

3.4. Product liability and warranty

In order to verify legal and contractual claims, we may need information about the products covered by the contract, their use and information on invoices. In addition to company and contact details, information about end customers may also be processed as part of the claim review, which is included in the invoice and order documentation submitted. The legal basis is Art. 6 para. 1 lit. b) GDPR.

3.5. Controlling and reporting

We also use information on orders and invoice items for internal cost and performance accounting, controlling and internal reporting, which is used for corporate management and planning. The legal basis is Art. 6 para. 1 lit. f) GDPR. In this context, personal data is generally anonymized by us.

3.6. Other data processing

If necessary, we process your data or the data of users created by you, for example, to inform you about technical innovations in the products you have purchased, provided that, in our opinion, these are necessary for the use of our products in accordance with the contract. The legal basis is Art. 6 para. 1 lit. b) GDPR.

BlueID has its own social media offerings on the following social networks and can be reached by you:

• linkedin

There, we will inform you about BlueID news and activities and are happy to use the options offered by social networks to communicate directly with their members.

Please note, however, that we have no influence on the data processing of social networks. It cannot be ruled out that your data may be transferred to third countries. Please therefore carefully check which personal information and messages you share with us via social networks and, in case of doubt, use other contact options offered by us. We can therefore assume no liability for the conduct of social network operators and other members.

When you communicate with us via our social media offerings, we process the information made available to us by the respective social network (e.g. your name, profile page and the content of your messages addressed to us) in accordance with the purpose of your message (e.g. service concerns, suggestions and criticism).

We delete the resulting data after storage is no longer necessary, or restrict processing if there are legal storage obligations. In the case of public posts on our social media offerings, we decide on a case-by-case basis, taking into account your and our interests, whether and, if so, when to delete them there.

The legal basis for this data processing is Art. 6 para. 1 lit. a) GDPR, Art. 6 para. 1 lit. b) GDPR (including in accordance with Art. 26 GDPR) and Art. 6 para. 1 lit. f) GDPR based on our aforementioned legitimate interest. For the risks associated with data transfer to third countries, please see section 6.3. If you have given your consent for optional cookies, the legal basis for storing information or accessing existing information on your device for optional cookies is Section 25 (1) TTDSG in each case. For absolutely necessary cookies, the legal basis for storing information or accessing existing information on your device is Section 25 (2) TTDSG.

As a precautionary measure, we would like to point out that the respective provider could set absolutely necessary and optional cookies when you visit our site. These differ in part depending on whether you visit the site with a logged-in user account or not. We would also like to point out that we have no influence on the use of cookies on the above-mentioned social media offers.

We use Microsoft Teams to conduct online meetings, telephone or video conferences and/or webinars (hereinafter collectively “Meetings”). Teams is software from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “Microsoft”), which is available as a desktop, web and mobile app.

During a meeting, information about the participant (e.g. display name, first name, last name, telephone, email address, encrypted password or your profile picture), metadata (such as topic and description of the meeting, IP address, your telephone number, type of device/operating system, time of the participant's last activity on teams, number of chat and channel messages, number of meetings attended, length of time for audio, video and screen sharing, text data for display and, if applicable, logging, microphone recording data, Recording data from the video camera, audio, video and screen shares for storage in the cloud/Microsoft Stream when using the telephone: incoming and outgoing phone numbers, country name, start and end time, possibly other connection data, such as the IP address) of your device are processed.

Before a meeting, we will usually send you an email with a link to dial in and a calendar appointment. To participate in a meeting, you must provide at least information about your name and — in the case of telephone use — your telephone number, unless we allow you to participate in meetings anonymously. In the latter case, we will share this opportunity to participate anonymously as part of the invitation. You can deactivate transmission via microphone and camera at any time using the appropriate settings. We only record meetings or log text data with your consent and prior notification. Microsoft may store and use the metadata to allow us to analyze and report on how teams are being used.

As part of order processing, Microsoft may become aware of the above data in order to process it. All data traffic is encrypted (currently MTLS, TLS or SRTP) and data is generally stored on servers in the European Economic Area (EEA). In the event that data is nevertheless processed in the USA, we have concluded EU standard contractual clauses in addition to the above measures to protect your privacy with Microsoft. For more information, please see section 6.3.

For more information, please see Microsoft's privacy policy, available at: https://privacy.microsoft.com/de-de/privacystatement

The legal basis for data processing to conduct meetings across teams is our legitimate interest in the effective conduct of meetings in accordance with Art. 6 para. 1 lit. f) GDPR. Insofar as the meetings are held as part of pre-contractual measures or to implement existing contractual relationships with you, the legal basis is Art. 6 para. 1 lit. b) GDPR. The legal basis for storing information or accessing existing information on your device is Section 25 (2) TTDSG. We are not responsible for further data processing on the Microsoft Teams product website, where the desktop software can be downloaded and the web app can be used. We also have no influence on any metadata processed by Microsoft and its possible transfer to a third country. We are also not responsible for the cookies set there or have any influence on their use.

6.1. maxim

In principle, we only share your data if:

• you have given your express consent in accordance with Art. 6 para. 1 lit. a) DSGVOI,
• the transfer is permitted by law and is required in accordance with Article 6 (1) (b) GDPR to process contractual relationships with you or to carry out pre-contractual measures taken at your request,
• we are legally obliged to disclose data in accordance with Art. 6 para. 1 lit. c) GDPR, or
• The transfer in accordance with Article 6 (1) (f) GDPR is necessary to assert, exercise or defend legal claims by BlueID or an affiliated company and there is no reason to assume that you have an overriding legitimate interest in not sharing your data.

6.2. Transfer of BlueID to external service providers

Some of the data processing described in this privacy policy may be carried out on our behalf by external service providers. In addition to the service providers mentioned in this privacy policy, this may include in particular data centers that store our website and databases, IT service providers who maintain our systems, and consulting companies.

If we pass on data to our service providers, they may only use the data to perform their tasks. The service providers were carefully selected and commissioned by us. They are contractually bound to our instructions, have appropriate technical and organizational measures to protect the rights of data subjects and are regularly checked by us.

If, in addition to this privacy statement, we transfer your data to a service provider based in a country outside the European Economic Area (EEA), we may inform you separately about this fact and what specific guarantees the data transfer is based on. If you would like to receive copies of guarantees to prove an adequate level of data protection, please contact our data protection officer (see section 1).

6.3. Data transfer to third countries

As explained in this privacy policy, we use various services whose providers are partly based in so-called third countries (such as the USA), i.e. states whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate measures to ensure an appropriate level of data protection for any data transfers. These include the European Union's standard contractual clauses or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Article 49 GDPR, in particular your express consent or the need for transmission to fulfill the contract.

If a transfer to a third country is envisaged and there is no adequacy decision or appropriate guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) can gain access to the transmitted data in order to record and analyse it. In addition, it may be that the enforceability of your rights as a data subject cannot be guaranteed. If you obtain your consent via the cookie banner, you may be informed again.

7.1. Newsletters

If you would like to receive a newsletter offered on our website (e.g. community updates), we need an email address from you as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. Further data is not collected or is only collected on a voluntary basis. We use this data exclusively to send the requested information and do not pass it on to third parties.

The data entered in the newsletter subscription form is processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a) GDPR). You can withdraw your consent to store the data, the e-mail address and their use to send the newsletter at any time, for example via the “unsubscribe” or “unsubscribe” link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

The data you have provided to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and delete it after you unsubscribe or withdraw your consent to the newsletter.

If we improve, expand or have important service information about the services you have purchased or used, we may also inform you about this via a newsletter. The legal basis for sending such newsletters is our legitimate interest (Art. 6 para. 1 lit. f) GDPR) in providing you with important information, for example about the development of the services you use. You can object to receiving it at any time and, for example, use the “unsubscribe” link in the newsletter.

7.2. Other contact

As part of acquiring new customers, we may contact you by telephone or electronic messages. In such cases, we collect your processed data (e.g. name, function, telephone number, e-mail address) from publicly available sources (e.g. your website) or from contact persons in your company who have provided us with this information. The data is always kept confidential by us and will not be passed on to third parties without your consent. You have the right to withdraw your consent or to object to data processing for the purpose of acquiring new customers at any time. The legal basis for this form of data processing is Article 6 (1) (a) GDPR in conjunction with Section 7 (2) and (3) UWG.

If you are already a customer, we will contact you based on our legitimate interest to inform you or about new products or developments as well as other offers (e.g. supplementary offers) from BlueID. The legal basis for this is Art. 6 para. 1 lit. f) GDPR. You can object to this data processing at any time.

8.1. Data processing when downloading and installing apps

In order to be able to download and install our app from an app store (e.g. Google Play Store or Apple App Store), you must first register for a user account with the provider of the app store and conclude a corresponding user contract with them. We have no influence on this, in particular we are not a party to such a user agreement. When downloading and installing the app, the necessary information is transferred to the respective app store, in particular your username, email address and account customer number, the time of download and the individual device ID. We have no influence on this data collection and are not responsible for it. We only process the data provided to the extent necessary to download and install the app on your mobile device (e.g. smartphone, tablet).

If data processing is part of a contractual obligation, the legal basis for the aforementioned data processing is Art. 6 para. 1 lit. b) GDPR. If you have consented to data processing, the legal basis is Art. 6 para. 1 lit. a) GDPR.

8.2. Data processing when using the app

When you use our app, various technical information is sent to our servers. This includes, for example, the IP address of your device, installation data (e.g. app version and time of installation), information about the content and functions you use, the content you entered (e.g. form entries and click data), the duration of use and information about your device (e.g. device model and operating system).

We use this data so that you can use our app and to provide you with the services you use, to ensure technical security, in particular to prevent attacks and fraud attempts, and to analyze errors.

Insofar as data processing is part of a contractual obligation, the legal basis for the aforementioned data processing is Art. 6 para. 1 lit. b) GDPR. If you have consented to data processing, the legal basis is Art. 6 para. 1 lit. a) GDPR.

8.3. Push notifications

As a user of ios You can send the app messages through push notifications (e.g. when you issue new keys or open a door via a home screen), even if you are not currently using the app in the foreground. The messages can be sent by means of sounds, messages (e.g. in the form of screen banners) and/or symbol tags (an image or a number on the app icon). To prevent this, you can deactivate the sending of push messages via your device settings at any time. To do this, open the iOS “Settings” application and select the “Notifications” menu item. In the following menu, you will find an overview of all apps that are installed on your device and that have push notifications. Select our app. Here you can activate or deactivate push notifications. The legal basis for the above data processing is Art. 6 para. 1 lit. b) and f) GDPR, to implement our contractual obligations and based on our legitimate interest in transparently informing you about activities related to the use of our products.

Push notifications on androiddevices may function using the above information. You can change the settings via the “Settings” app and the “Notifications” sub-item. To do this, move the existing controller for the respective app.

8.4. Permissions

Full functionality requires the app to be able to access certain features of your device. Depending on which operating system you use, this sometimes requires your express permission. You can adjust permission settings in your device's system settings at any time. In the following, we will explain to you which permissions the app requests and why they are required when you use the operating system iOS use:

• “Siri & Search”: Permission is required so that the app can use your device's search function. Siri is used for the search function. If you do not allow access, the search function may not be available or may only be limited.
• “Background update”: The permission is required so that the app can automatically update itself in the background. This automatically updates keys in the background and, if necessary, adds new keys that have been assigned to you. This eliminates the long loading times when you restart an app after a long period of time. If you don't allow access, this feature won't be available to you.
• “Bluetooth”: Authorization is required so that you can transfer your digital keys to your built-in locking systems via the app. Depending on the version of your operating system, this may also require approval of your location data. BlueID has no access to them. If you do not allow this, there may be functional restrictions with regard to our products.
• “Camera”: Authorization is required so that you can scan and activate key activation links via QR code.

In the following, we will explain to you which permissions the app requests and why they are required when you use the operating system Android use:

• “Location services/location data”: Permission to access your device's location services is required so that an app can access the location determined by your device. If you don't allow access, location-based display of content may not be possible or may only be limited.
• “Storage”: Authorization is required to enable the app to store data in the memory or, if applicable, on an additional memory used on your device or read it from there again. If you don't allow access, this feature won't be available to you.
• “Bluetooth”: Authorization is required so that you can transfer your digital keys to your built-in locking systems via the app. Depending on the version of your operating system, this may also require approval of your location data. BlueID has no access to them. If you do not allow this, there may be functional restrictions with regard to our products.
• “Camera”: Authorization is required so that you can scan and activate key activation links via QR code.

The legal basis for the above data processing is Art. 6 para. 1 lit. a), b) and f) GDPR. The legitimate interest results from the uncomplicated provision of technical solutions, which, for example, replaces the manual activation of transmitted keys. You can revoke your consent at any time in the settings of your device.

Unless otherwise stated in this privacy policy, we only store and process your data for as long as is necessary to fulfill our contractual or legal obligations or for the purposes for which the data was collected.

We will then delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidentiary purposes for civil claims or due to legal storage obligations. Even after that, we may still need to store your data for accounting reasons. We are obliged to do so due to legal documentation requirements, which may result from the Commercial Code, the Tax Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The deadlines for storing documents specified there are two to ten years. In such cases, the processing of the data is restricted so that it is no longer processed for further purposes.

The legal basis for this data processing for the purpose of fulfilling legal documentation and storage obligations is Art. 6 para. 1 lit.c) GDPR. If we store your data to ensure legitimate interests, the legal basis is Art. 6 para. 1 lit. f) GDPR.

To assert your legal data protection rights described below, you can contact our data protection officer (see section 1) at any time:

• You have the right to request information about the processing of your personal data by us at any time in accordance with Article 15 GDPR. As part of providing you with information, we will explain the data processing and provide you with an overview of the data stored about your personal data.
• If data stored by us is incorrect or out of date, you have the right to have this data corrected (in accordance with Article 16 GDPR).
• You can also request that your data be deleted. If deletion is exceptionally not possible due to other legislation, the processing of the data will be restricted so that it is only available for legal purposes (in accordance with Article 17 GDPR).
• You can also have the processing of your data restricted, e.g. if you believe that the data we have stored is incorrect (in accordance with Article 18 GDPR).
• You have the right to data portability, i.e. that we will send you a digital copy of the personal data you have provided on request (in accordance with Article 20 GDPR).

You also have the right to complain to a data protection supervisory authority. You can also contact the supervisory authority responsible for your place of residence at any time, which may forward your request to the supervisory authority responsible for us.

‍

In accordance with Article 7 (3) GDPR, you have the right to withdraw your consent in accordance with Article 6 (1) (a) GDPR at any time from us. As a result, we will no longer continue data processing based on this consent in the future. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time in accordance with Article 21 GDPR for reasons arising from your particular situation. When it comes to an objection to data processing for direct marketing purposes, you have a general right of objection, which is implemented by us even without giving reasons. Please note that in order to ensure that you do not contact us again, we may have to process your data even after you have objected.

If you would like to exercise your right of revocation or objection, simply send an informal message to the contact details set out in section 1.

For all data processing, we maintain appropriate technical measures to ensure data security, in particular to protect your data from risks during data transfers and from unauthorized access by third parties. These are adjusted in accordance with the current state of the art. To secure the personal data you provide on our website or in the app, we use Transport Layer Security (TLS), which encrypts the information you enter.

We update this privacy policy from time to time, for example when we adapt our website or when legal or regulatory requirements change.