Privacy Policy for field test

Who we are

The DECiDe project is a cooperation between the Alexander von Humboldt Institute for Internet and Society, Procivis AG and the Random Sample Working Group. It is funded by Advocate Europe and demokratie.io.

 

I. Name and address of the organization responsible

The organization responsible within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Alexander von Humboldt Institute for Internet and Society (HIIG)
Französische Straße 9
10117 Berlin
Germany
Phone: +49 (0)30 2007 60 82
E-Mail: decide@hiig.de (PGP: 0x0ba57de84ba3dbef)

II. Name and address of the data protection officer

The data protection officer of the organization responsible is:

Alexander von Humboldt Institut für Internet und Gesellschaft gGmbH (HIIG)
Dr. Jörg Pohle
Französische Straße 9
10117 Berlin
Germany
Phone: +49 (0)30 2007 6082
E-Mail: dsb@hiig.de (PGP: 0x35D2CAA8B646D3AB)

III. General information on the processing of personal data

1. Scope of processing personal data

We only process personal data of users of our app HIIG eID+ if it is necessary for the app to function and to ensure the verification of participants.

The following personal data can be part of the registration and verification process within the app:

  • first, middle and last name
  • email address
  • profile picture

The provision of this data, except for a valid email address used for the European Alternatives mailing lists, is not mandatory.

Our app HIIG eID+ also automatically collects data and information from the system of the client.

The following data can be collected and stored within the app:

  • the IP address of the client
  • the operating system of the client
  • date and time of access
  • connections between client and project servers (verification, notification and voting server)
  • status codes
  • used protocols
  • biometric data (fingerprint)

The following data can be transmitted to our servers:

  • unique identifier created by the app
  • IP addresses for communication
  • device information (manufacturer, model)

This data is also stored in the log files of our system and will be deleted after the field test, not later than the 31st of August 2019. This data is kept separated from other personal data of the user. The cloud services used, namely Amazon Web Services for app registration and verification, Google Cloud Messaging for push services and Sentry for crash reports, are maintained by Procivis AG.

The Random Sample Voting system (which includes the voting as well as the auditing server) runs on Amazon Web Services and is maintained by HIIG.

Every time you visit these websites our system automatically collects data and information from the system of the client computer.

The following data is collected:

  • the IP address of the client computer
  • information about the browser type and version used (user agent)
  • the operating system of the client computer
  • date and time of access
  • websites from which the user’s system reaches our website (referrer)
  • websites accessed by the user’s system via our website
  • status codes
  • amount of data
  • used protocols

This data is also stored in the log files of our system and will be deleted after the field test, not later than the 31st of August 2019. This data is kept separated from other personal data of the user and will not be used for further analysis.

The processing of personal data of users of our app only takes place if the processing of the data is permitted by legal regulations. The processing of personal data is geared to the objective of protecting fundamental rights and freedoms (Article 1(2) GDPR).

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a, GDPR serves as the legal basis.

In the processing of personal data required for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of HIIG, our partners or a third party, and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6(1)(f) GDPR serves as the legal basis for processing.

3. Data erasure and retention period

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases to apply. For the app HIIG eID+ this will be at the end of the field test, not later than 31st of August 2019. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

4. Purpose of data processing

The temporary storage of the email address within the app HIIG eID+ is necessary to verify a user and their connection to European Alternatives.

The data is stored in a database run by our partner Procivis AG. An evaluation of the data for marketing purposes does not take place in this context.

5. Data retention period, possibility to object and to erase

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This will be the case after the field test is finished, at the latest on 31st of August 2019.

V. Rights of the data subjects

If personal data relating to you is processed, you are a data subject according to the GDPR, and you have the following rights vis-à-vis the HIIG:

1. Right of access

You have the right to request information from us as to whether we process the personal data relating to you. In a positive case, this also includes information about the data relating to you as well as the information specified in Art. 15 para. 1 lit. a to h GDPR.

2. Right to rectification

You have the right to request that we correct any information you believe is inaccurate. You also have the right to request we complete the information you believe is incomplete. 

3. Right to restriction of processing

You have the right to request we restrict the processing of data relating to you if this request is covered by one of the reasons in Art. 18 para. 1 lit. a to d GDPR.

4. Right to erasure

You have the right to request we delete the data relating to you, provided that this request is covered by one of the reasons in Art. 17 para. 1 lit. a to f GDPR and none of the exceptions in Art. 17 para. 3 lit. a to e GDPR applies.

5. Right to be notified

You have the right to ask us to inform you of the parties to whom we have transmitted data relating to you, unless this involves a disproportionate effort on our part.

6. Right to data portability

You have the right to data portability if data processing is carried out using automated procedures and the legal basis is Article 6(1)(b) GDPR.

7. Right to object

You have the right to object to the processing insofar as the legal basis of the processing is Art. 6 para. 1 lit. e or f GDPR.

8. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with any supervisory authority if you believe that the processing of data relating to you is illegal.

The data protection supervisory authority responsible for the HIIG is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
Phone: +49 (0)30 13889-0
Fax: +49 (0)30 2155050
E-Mail: mailbox@datenschutz-berlin.de