signotec Software Privacy Notice
signotec Software Privacy Notice
As a conscientious company, we at signotec GmbH take the protection of your personal data very seriously.
We process personal data about you when you use our product (hereinafter also referred to as the “App”). Personal data is defined as all information relating to an identified or identifiable natural person, such as your name, address, e-mail address, IP address or usage patterns.
Because the protection of your privacy when using the product is important to us, we would like to take this opportunity to inform you about what personal data we process when you use the product and how we handle this data. In addition, we would like to inform you of the legal basis for processing your data and our legitimate interests, in cases where such processing is necessary to safeguard our legitimate interests. You may access this privacy notice at any time by clicking on the “Privacy Notice” menu item within the App or on our website.
Controller within the meaning of Art. 4(7) GDPR:
Am Gierath 20b
You can reach our data protection officer at:
Data Protection Officer
Am Gierath 20b
Any data subject may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
3. Information about processing your data
Certain information is processed, in some cases automatically, as soon as you use the product. We have described which exact personal data is subject to processing below.
3.1 Information collected during downloads from the signotec website.
You may need to fill out an HTML form when downloading a software product from our website. The form will request you to enter your personal data (e.g., name, surname, address, telephone number, e-mail address) and other information (e.g., ratings, personal messages, registrations). The data you enter is automatically saved and used to provide the contents associated with the respective form (e.g., downloads). More information can be found in the Privacy Notice available at https://en.signotec.com/.
3.2 Information collected when downloading Apps
When downloading the App, any necessary information is transferred to the App Store or Google Play Store. This includes, in particular, the user name, email address and customer number associated with your account, time of download, unique number of the end device (IMEI), the mobile phone number (MSISDN), the MAC address for WLAN use and the unique number of the network subscriber (IMSI). We have no influence over this data collection and are not responsible for such collection. We process data provided in such manner to the extent necessary for downloading the App to your smartphone. It will not be stored beyond such purpose.
3.4 Information collected automatically when the product is used
When using the product, we automatically collect certain data, especially for licensing-related purposes. This includes, for example, an internal device ID, your operating system version and the time of access. This data is automatically transmitted to us on a regular basis to check your license and is then stored. This data processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you as a data subject and us pursuant to Art. 6(1)(b) GDPR for the use of the product, and (2) we have a legitimate interest in ensuring the proper licensing of our products, which outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6(1)(f) GDPR.
3.5 Information collected when using program functions
As part of using the product, you may, for example, open, edit and sign PDF documents as well as capture, visualise and analyse biometric signatures. A variety of data (“usage data”) is collected and used for these program functions. This includes, in particular, information about your documents, form field entries, biometric signature information and other technical metadata as required.
The following products are essentially offline systems, meaning that usage data is not transmitted to us:
- signotec signoSign/2
- signotec signoSign/Universal (“on premise”)
- signotec Adobe Acrobat Plug-In
- signotec signoSign R5
- signotec signoSign/Logistics
- signotec signoPAD-Tools
- signotec SlideShow-Manager
- signotec PDF-Bridge
- signotec signoFileGrabber
- signotec Biometrie und RSA-Tools
- signotec signoPAD-API
- signotec signoPAD-API/Web (formerly: signotec WebSocket Pad Server)
- signotec signoPOS-API
- signotec Biometrie API
- signotec signoAPI
- signotec signoAPI for Apple iOS
- signotec signoAPI for Android
- signotec signoSign/mobile Android
- signotec signoSign for Apple iOS
- signotec signoSign for Android
- signotec signoCapture
The following products are online systems, in which usage data is processed on our systems:
- signotec signoSign/Universal (SaaS-Hosting)
- signotec signoSign/Universal Apps for Android and iOS (SaaS-Hosting)
The following authorisations may be necessary for use of the products.
- Internet access:
- Internet access is required to provide product functions when using an online system.
- Internet access is required to check your license for validity on a regular basis for products that include an online license.
- Memory: Access to the memory on your device is required to open and save your documents. This authorisation is mandatory.
- Contacts: Access to your contacts is required to read your user name and save it for signature. This authorisation is optional.
- Location: Access to your location is required to store location information in the signature. This authorisation is optional.
- Camera: Access to your camera is required to capture photos and insert them into the document. This authorisation is optional.
- Local network: Access to the local network is required to establish a connection between individual signotec products. This is necessary, for example, with the “signoCapture” App in order to transmit the captured signature to “signoSign/2”.
If you decline these authorisations, we will not use the respective data. However, you will not be able to use the corresponding functions of the product. You can grant or revoke the permission later using the settings. If you allow access to such data, the product will only access this data and, if necessary, transfer it to our server to the extent necessary to provide the relevant functions. We will treat this data confidentially and delete it if you revoke permission to use such data, or if it is no longer required to provide the respective service, and there is no legal obligation to retain it.
3.7 User account
In the event that the product requires the entry of access data, this is done to ensure access to your account, product functions and to manage the user account. Mandatory data needed for registration is marked with an asterisk and is required for the conclusion of a user contract. You will not be able to create a user account if you do not provide this information.
This data processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you as a data subject and us pursuant to Art. 6(1)(b) GDPR for the use of the product, or (2) we have a legitimate interest in ensuring the proper functioning and error-free operation of the product, which outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6(1)(f) GDPR.
3.8 Provision of server infrastructure (SaaS)
We rely on the following external service providers to host our Application in the cloud for the provision of our “Software as a Service” product:
- Microsoft Corporation (“Microsoft Azure”)
This data processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you as a data subject and us pursuant to Art. 6(1)(b) GDPR for the use of the App, or (2) we have a legitimate interest in ensuring the proper functioning and error-free operation of the App, which outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6(1)(f) GDPR. You can find more information in our Data Processing Agreement in accordance with Art. 28 GDPR.
Note: You are not affected by this processing if you host or use online systems on your own or third-party IT infrastructure.
4. Remote maintenance
We use software programs that enable remote control of your computer for the provision of support services (“remote maintenance”). This enables us to analyse problems in relation to our products together with you and to solve them. Such remote control is only possible if you start the program and provide us with your identification number (ID) and a password if necessary. We will never engage in unsupervised or unwanted access.
Programs use for remote maintenance:
During remote maintenance, personal data such as your IP address, location, connection ID, device ID, screen name and session information are transmitted to the respective software provider.
We have no influence over this data collection and are not responsible for it. We process the provided data to the extent necessary for purposes of remote access. It will not be stored beyond such purpose.
Furthermore, the data protection guidelines of the respective software provider will also apply. You can find the current version of such guidelines online on the relevant provider’s website.
5. Information about your responsible use of the product
When you are using our product, we are providing it to you as a technical aid which you may use in an appropriate manner. As a technology supplier and service provider, we provide support in relation to electronic signatures on PDF documents and the capture of biometric signatures. You are responsible for using the product in accordance with the applicable laws, including data protection laws.
6. Sharing and transferring data
Apart from the cases explicitly mentioned in this Privacy Notice, your personal data will only be shared without your express prior consent if it is legally permissible or required. This may be the case, inter alia, if the respective processing is necessary to protect vital interests of the user or another natural person.
6.1 Prosecution of crimes
7. Data transfers to third countries
All our data processing systems are located within the Federal Republic of Germany. No data is transferred to third countries.
8. Change in purpose
Your personal data will only be processed for purposes other than those described above to the extent permitted by law or if you have consented to the changed purpose for such data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of such other purposes before further processing takes place and provide you with any further information relevant to such further processing.
9. Data retention period
We will delete your personal data, or render it anonymous, as soon as it is no longer required for the purposes for which it was collected or used in accordance with the preceding paragraphs. As a rule, we store your personal data for the duration of use or the contractual relationship applicable to the product plus a period of no longer than six months, during which we keep backup copies after deletion, unless such data is required for a longer period in the case of criminal prosecution or for the establishment, exercise or defence of legal claims.
Specific statements in this Privacy Notice or legal requirements for the storage and deletion of personal data, especially data that we are required to retain for tax reasons, remain unaffected.
10. Your rights as a data subject
10.1 Right to confirmation
Every data subject has the right to obtain confirmation as to whether personal data relating to them is being processed. If a data subject wishes to exercise this right of confirmation, they may contact our data protection officer or another employee of the data controller at any time.
10.2 Right of access
Any data subject affected by the processing of personal data shall have the right granted by the European Parliament and Council to obtain, at any time and free of charge, information from the controller concerning the personal data stored on them as well as a copy of that information. Furthermore, the legislature has guaranteed data subjects access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source; The existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
Furthermore, the data subject has a right of access to information as to whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject shall also have the right to obtain information on the appropriate guarantees in connection with the transfer. If a data subject wishes to exercise this right of information, they may contact our data protection officer or another employee of the respective controller at any time.
10.3 Right of rectification
Each data subject shall have the right granted by the European Parliament and Council to request the immediate rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, you have the right to request the immediate rectification of inaccurate personal data concerning the data subject - including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, they may, at any time, contact our data protection officer or any employee of the respective controller.
10.4 Right to erasure (right to be forgotten)
Any data subject affected by the processing of personal data has the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies and to the extent that the processing is not required:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to Art. 6(1)(a) GDPR, or Art. 9 (2)(a) GDPR, and where there are no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
- personal data has been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
If one of the above-mentioned reasons applies and a data subject wishes to have personal data erased that is retained by signotec GmbH, they may contact our data protection officer or another employee of the respective controller at any time. The signotec GmbH data protection officer or other employee will then arrange for the erasure request to be complied with without undue delay.
Where signotec GmbH has made the personal data public our company, as controller, is obligated pursuant to Art. 17(1) GDPR to erase the personal data. signotec GmbH, taking account of available technology and the costs, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, copies or replications of those personal data to the extent that such data is not required for processing. The signotec GmbH data protection officer or another employee will initiate the necessary steps on a case-by-case basis.
10.5 Right to restriction of processing
Any data subject affected by the processing of personal data has the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the above conditions is met and a data subject wishes to have the processing of their personal data retained by signotec GmbH restricted, they may contact our data protection officer or another employee of the respective controller at any time. The data protection officer or other employee will then arrange for processing to be restricted.
10.6 Right to data portability
Any data subject affected by the processing of personal data has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. In addition, the data subject also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising their right to data portability pursuant to Art. 20(1) GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and where doing so does not adversely affect the rights and freedoms of others.
To exercise the right to data portability, the data subject may contact our data protection officer or another employee at any time.
10.7 Right to object
Any data subject affected by the processing of personal data has the right to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them under Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.
signotec GmbH will no longer process personal data in the event of an objection, unless we can prove compelling grounds for processing that outweigh the interests, rights and freedoms of the data subject or the processing serves to establish, exercise or defend legal claims.
If signotec GmbH processes personal data in order to carry out direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling insofar as it is connected to such direct marketing. If the data subject objects to signotec GmbH’s processing for direct marketing purposes, signotec GmbH will no longer process the personal data for these purposes.
Furthermore, for reasons arising from their particular situation, data subjects have the right to object to the processing of personal data concerning them carried out by signotec GmbH for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, unless such processing is necessary to fulfil a task in the public interest.
To exercise the right of objection, the data subject may directly contact the signotec GmbH data protection officer or another employee. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
10.8 Automated individual decision-making, including profiling
Every person affected by the processing of personal data has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them to the extent such decision
(1) is not necessary for entering into, or performance of, a contract between the data subject and a data controller; or
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3)is based on the data subject’s explicit consent.
If the decision
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller or
(2) is based on the data subject's explicit consent, signotec GmbH shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If the data subject wishes to assert rights relating to automated decisions, they may contact our data protection officer or another employee of the respective controller at any time.
10.9 Right to withdraw data protection-related consent
Any data subject affected by the processing of personal data has the right to revoke consent to the processing of personal data at any time.
If the data subject wishes to exercise their right to revoke their consent, they may contact our data protection officer or another employee of the respective controller at any time.
11. Changes to this Privacy Notice
We strive always to keep this Privacy Notice up to date. We therefore reserve the right to change this Privacy Notice from time to time without prior notice and to make changes to the collection, processing or use of your data. The current version of the Privacy Notice is always provided with the product or published on our website.
Last updated: Monday, 14 December 2020