Data privacy statement KHS ConnectApp

Data privacy statement

A. Preface

We, KHS GmbH, Juchostrasse 20, 44143 Dortmund, Germany (company) and our subsidiaries (hereinafter jointly referred to as “the company”, “we” or “us”) take the protection of your personal data seriously and would herewith like to inform you about data privacy at our company.

The entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter “GDPR”) has imposed additional obligations on us within our responsibility to observe data protection regulations to ensure the protection of personal data affected by data processing (hereinafter we shall also refer to you, the person affected, as “customer”, “user”, “you”, “yourself” or “data subject”).

Insofar as we, either alone or jointly with others, determine the purposes and means of data processing, this chiefly includes our obligation to inform you in a transparent manner as to the nature, scope, purpose, duration and legal grounds for data processing (cf. Articles 13 and 14 GDPR). With this declaration (hereinafter “Data Privacy Notice”) we would like to inform you as to how your personal data is processed by us. Please use the following summary of the various sections of our Data Privacy Notice to find the parts of this document that are relevant to you.

B. General information

1. Definitions
According to Article 4 GDPR, this Data Privacy Notice is based on and makes use of the following terms:

• “Personal data” (Article 4 (1) GDPR) is all information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or with the help of one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. Identification can also be made by combining information such as the above or applying other additional knowledge. How the information originates and which form or manifestation it assumes is not important (photos, video or sound recordings can also contain personal data).
• “Processing” (Article 4 (2) GDPR) means any operation which is performed on personal data, whether with or without the help of automated (i.e. technology-assisted) means. This includes in particular the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data and a change in the objective or purpose for which data processing was originally intended.
• “Controller” (Article 4 (7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• “Third party” (Article 4 (10) GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. These also include other legal persons who belong to the Group.
• “Processor” (Article 4 (8) GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, particularly according to its instructions (such as IT service providers). In particular, a processor in the sense of data protection law is not a third party.
• “Consent” (Article 4 (11) GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Changes to our Data Privacy Notice
(1) To account for all further developments in data protection law and any technological or organizational changes our Data Privacy Notice is regularly checked as to its need for adaptation or supplement. You will be informed of any changes.
(2) This Data Privacy Notice was last updated on April 6, 2023.

3. No obligation to provide personal data
We do not make the conclusion of contracts with KHS conditional on whether you provide us with your personal data beforehand or not. For you as a customer there is principally also no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services in a limited capacity or not at all should you not provide the necessary data in this context. Should, in exceptional circumstances, this be the case regarding the products offered by us and presented in the following, you shall be specifically notified of this.

C. Information on the processing of your data

1. Collection of personal data concerning you
(1) We collect personal data on you when you use our app.
(2) Personal data is all data that refers to you as a person (see General information above). For example, your name, location, IP address, device ID, SIM card number, address and email address all count as personal data. Your fingerprint, photos, films, audio recordings and your user behavior also fall under this category.

2. Legal grounds for data processing
(1) By law, in principle all processing of personal data is prohibited and only permitted if data processing is justified by one of the following situations:

• Article 6 (1a) GDPR (“consent”): if the data subject has given free, informed and unambiguous indication by a statement or by any other clear affirmative action that he or she consents to the processing of his or her personal data for one or more specific purposes;
• Article 6 (1b) GDPR: if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; – Article 6 (1c) GDPR: if processing is necessary for compliance with a legal obligation to which the controller is subject (such as a statutory obligation of retention); – Article 6 (1d) GDPR: if processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Article 6 (1e) GDPR: if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Article 6 (1f) GDPR (“legitimate interests”): if processing is necessary to protect the legitimate interests (especially those of a legal or economic nature) of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a minor). The storage of information in the end user’s terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if this is justified by one of the following situations:
• Section 25 (1) TTDSG [Telecommunications and Telemedia Data Protection Act]: if the end user has consented on the basis of clear and comprehensive information. Consent must be given pursuant to Article 6 (1a) GDPR;
• Section 25 (2), no. 1 TTDSG: if the sole purpose is to carry out the transmission of a communication over a public telecommunications network; or
• Section 25 (2), no. 2 TTDSG: if storage or access is strictly necessary in order for the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

(2) In the following we specify the respective applicable legal grounds for the processing operations we perform. Processing may be justified by several different legal grounds.

3. Data collected during downloading
(1) When downloading this app, certain necessary data about yourself is transmitted to the respective app store (such as the Apple App Store or Google Play).
(2) In particular, your email address, user name, the customer number of the downloaded account, individual device ID, payment information and time of the download are transmitted to the app store.
(3) We have no influence on the collection and processing of this data; this is performed entirely by the app store you have chosen to use. We are therefore not responsible for the collection and processing of such data; responsibility lies solely with the app store.

4. Data collected during use
(1) We can only give you access to the benefits of our app if certain data about yourself that is specified by us and necessary to operate the app is collected during use.
(2) We only collect this data if it is needed to fulfill the contract between yourself and us (Art. 6 (1b) GDPR). Further, we collect this data if it is necessary for the app to function and if your interest in the protection of your personal data does not override this (Article 6 (1f) GDPR) or if you consent to data collection and processing (Article 6 (1a) GDPR).
(3) We collect and process the following data from you:

• Device information: access data includes the IP address, device ID, device type, device-specific settings and app settings and app features, date and time of access, time zone, amount of data transmitted and notification as to whether data exchange was complete or not, app failure, browser type and operating system. This access data is processed in order to enable the app to technically function.
• Data you provide us with: a user account must be created for the app to be used. To this end, you must at least submit your user name, the company location zip code and your customer number.
• Information processed with your consent: we process further information (such as GPS location data) if you allow us to do so.

(4) If it is necessary to store information in your terminal equipment or access information already stored in your terminal equipment in order to process data, this is on the legal grounds of Section 25 (1 & 2) TTDSG.

5. Use of cookies
(1) We use cookies in the operation of our app. Cookies are small text files that are stored in the memory of your mobile device and assigned to the storage of the mobile app you use and through which certain information passes to the place the cookie sets. Cookies cannot run programs nor can they transmit viruses to your computer and inflict damage. They are designed to make our app more user-friendly and more effective – and thus easier for you to use.
(2) Cookies can contain data that enables the device used to be recognized. Some cookies also only include information on certain settings that cannot be linked to a person. However, cookies cannot directly identify a user.
(3) A distinction is made between session cookies that are deleted as soon as you close your browser and permanent cookies that are stored beyond a single session. Cookies are classified further with regard to their function.

• Technical cookies: these are essential for navigation within the app, permission to use basic functions and to ensure app safety; they neither collect information about you for marketing purposes nor do they store which websites you have visited;
• Performance cookies: these collect information on how you use our app, which sections you visit and whether any errors occur while using the app, for instance; they do not collect any information that could identify you – all data collected is anonymous and is only used to improve our app and find out what interests our users;
• Advertising and targeting cookies: these serve to offer the app user appropriate advertising within the app or show offers from third parties and measure the effectiveness of these offers. Advertising and targeting cookies are stored for a maximum of 13 months;
• Sharing cookies: these are designed to improve the interactivity of our app with other services (such as social networks). Sharing cookies are stored for a maximum of 13 months.

Section 25 (2), no. 2 TTDSG forms the legal grounds for cookies that are strictly necessary to provide you with the service you have explicitly requested.

(5) Each use of cookies that is not absolutely technically necessary constitutes a form of data processing that is only permitted with your express and active consent pursuant to Section 25 (1) TTDSG in conjunction with Article 6 (1a) GDPR. This applies in particular to the use of performance, advertising, targeting and sharing cookies. Furthermore, we only pass on your personal data processed by cookies to third parties if you have given your express consent to do so according to Article 6 (1a) GDPR.

6. Cookie guidelines Further information on which cookies we use and how you can manage your cookie settings and deactivate certain tracking processes can be found in our cookie guidelines at the following link: https://www.khs.com/en/cookie-guidelines-for-khs-connectapp

7. Data storage periods
(1) We delete your personal data as soon as it is no longer required for the purposes for which we have collected or used it (see C 4, 5 and 6). We usually store your personal data for the duration of the user or contractual relationship through the app. Your data is always only stored on our servers in the EU subject to transfer thereof if required according to the rules set down in F 1, 2 and 3.
(2) Data may be stored for longer than the given period in the event of a (pending) legal dispute with you or any other legal proceedings.
(3) Third parties appointed by us (see F 1) shall store your data in their systems for as long as is necessary in connection with the provision of services for us according to the respective contract.
(4) Legal requirements governing the retention and deletion of personal data shall remain unaffected by the above provisions (such as Section 257 HGB [German Commercial Code] or Section 147 AO [Fiscal Code of Germany]). When the storage period specified by statutory regulations expires, your personal data is blocked or deleted unless we require it to be stored further and there are legal grounds for the same.

8. Data security
(1) We make use of appropriate technical and organizational security measures to protect your data from accidental or intentional manipulation, partial or full loss, destruction or unauthorized access by third parties, taking into account the state of the art, cost of implementation and nature, scope, context and purpose of processing and the existing risks of a data breach (including the probability and effects thereof) for the data subject. Our security measures are subject to continuous improvement in keeping with technological development.
(2) We would be happy to provide you with more detailed information on request. Please contact our data protection officer to this end (see D 1).

9. No automated decision-making process (including profiling) We do not intend to use personal data collected from you for an automated decision-making process (including profiling).

10. Change in purpose
(1) Your personal data is only processed for purposes other than those described above if this is permitted by legislation or you have consented to the changed purpose of data processing.
(2) In the event that data is processed further for purposes other than those for which the data was originally collected, we shall inform you of these other purposes prior to further processing and provide you with all relevant further information in this respect.

D. Entities responsible for your data and contacts

1. Data controller and contact data
(1) The entity responsible for the processing of your personal data in the sense of Article 4 (7) GDPR is us:
KHS GmbH
Juchostrasse 20
44143 Dortmund, Germany
Phone: +49 231 569 0
Fax: +49 231 569 1541
Email: info[at]khs.com
(2) Our company data protection officer is your contact for all queries about data privacy at KHS and is available at any time. Contact details are as follows:
KHS GmbH c/o data protection officer
Juchostrasse 20
44143 Dortmund, Germany
Email: compliance[at]khs.com
(3) Please contact this entity in particular if you wish to exercise your rights against us as explained in section G.
(4) Please also contact the aforementioned entities should you have any further questions or comments on the collection and processing of your personal data.  

2. Data collection when establishing contact  
(1) If you make contact with us by email or using a contact form, your email address, name and all other personal data you submit while establishing contact are stored by us so that we can contact you in order to answer your query.
(2) We delete this data as soon as it no longer requires storing. Should statutory retention periods apply, your data remains stored but we limit the processing thereof.  

F. Data processing by third parties

1. Order data processing  
(1) Certain functions of our app may require us to fall back on assigned service providers. As in any large company, we also use external service providers both in and outside Germany to process our business transactions (such as for IT, logistics, telecommunications, sales and marketing). They only act according to our instructions and have been obliged by contract to comply with data protection regulations in the sense of Article 28 GDPR.  
(2) The following categories of recipient, usually processors, are given access to your personal data where required:

• Service providers for the operation of our app and processing of the data stored or transmitted by the systems (such as for computer center services, handling of payments and IT security). If these are not processors, Article 6 (1b) or (1f) GDPR then constitutes the legal grounds for data transfer;
• State offices/authorities, if this is necessary for compliance with a legal obligation. Article 6 (1c) GDPR then constitutes the legal grounds for data transfer;
• Entities charged with performing our business operations (such as auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint companies). Article 6 (1b) or (1f) GDPR then constitutes the legal grounds for data transfer;

(3) Furthermore, we only pass on your personal data to third parties if you have given your express consent to do so according to Article 6 (1a) GDPR.
(4) If personal data from you is transferred by us to our subsidiaries or from our subsidiaries to us (for advertising purposes, for example), this takes place on the basis of existing data processing relationships.  

2. Conditions governing transfers of personal data to third countries  
(1) In the course of our business relations your personal data may be passed on or disclosed to third companies. These may also be outside the European Economic Area (EEA), i.e. in a third or non-EU country. Data is only processed in this capacity in order to meet contractual and business obligations and to maintain your business relationship with us (Article 6 (1b) or (1f) in conjunction with Article 44 et seqq. GDPR then constitutes the legal grounds thereof). We shall inform you of the respective details of this data transfer in the following relevant sections of this document.
(2) A number of third countries are certified by the European Commission by means of what are known as adequacy decisions as having a level of data protection that is comparable to the EEA standard. (A list of these countries and copies of the respective adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimensiondata-protection/adequacy-decisions_en). Under certain circumstances, other third countries, to which personal data is transferred where applicable, may not have a consistently high level of data protection owing to a lack of suitable legal regulations to this effect. If this is the case, we take care to ensure sufficient data protection. This is facilitated by binding corporate rules, standard contractual clauses adopted by the European Commission governing the protection of personal data pursuant to Article 46 (1) and (2c) GDPR (the standard contractual clauses from 2021 are available at https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates or recognized codes of conduct. Please contact our data protection officer (see D 1) should you require further information.  

3. Legal obligation to transfer certain data Under certain circumstances, we may be required to comply with a special legislative or legal obligation to provide lawfully processed personal data to third parties, in particular public offices (Article 6 (1c) GDPR).  

G. Your rights

1. Right of access
(1) You have the right to obtain access from us to personal data that concerns you according to the scope of Article 15 GDPR.
(2) You are required to submit a request to this end that you can either send by email or regular mail to the addresses given above (see D 1).  

2. Right to object to data processing and withdrawal of consent
(1) You have the right to object at any time to the processing of personal data concerning yourself according to Article 21 GDPR. We shall then no longer process your personal data unless we can demonstrate compelling grounds meriting protection for the processing thereof which override your interests, rights and freedoms or if processing serves to establish, exercise or defend legal claims.
(2) According to Article 7 (3) GDPR, you have the right at any time to withdraw your consent once given (also prior to entry into force of the GDPR, i.e. before May 25, 2018) – in other words, your free, informed and unambiguous indication given by a statement or by any other clear affirmative action that you consent to the processing of your personal data for one or more specific purposes. This means that in the future we are no longer allowed to process data based on this consent.
(3) Please contact the entity named above (see D 1) in this regard.  

3. Right to rectification and erasure
(1) Should your personal data be inaccurate, you have the right to request rectification thereof without undue delay according to Section 16 GDPR. Please contact the entity named above (see D 1) regarding requests of this nature.
(2) Under the conditions listed in Article 17 GDPR you have the right to request the erasure of personal data concerning yourself. Please contact the entity named above (see D 1) regarding requests of this nature. In particular, you have the right to erasure if the data in question is no longer necessary for the purposes of collection or processing, if the data storage period (see C 7) has elapsed, an objection has been raised (see G 2) or processing is unlawful.  

4. Right to restriction of processing (1) According to the provisions of Article 18 GDPR, you have the right to request restriction of the processing of your personal data.
(2) Please contact the entity named above (see D 1) regarding requests of this nature.  
(3) In particular, you may exercise your right to restriction of processing if the accuracy of your personal data is the subject of dispute between yourself and us. If this is the case, you retain this right for a period enabling the accuracy of your personal data to be verified. The same applies if your successfully exercised right to object (see G 2) is still a matter of dispute between yourself and us. In particular, you also have this right if you have a right to erasure (see G 3) and you request restricted processing in place of erasure.  

5. Right to data portability  
(1) Pursuant to the provisions of Article 20 GDPR, you have the right to receive the personal data concerning yourself that you have provided to us in a structured, commonly used and machine-readable format.
(2) Please contact the entity named above (see D 1) regarding requests of this nature.    

6. Right to lodge a complaint with a supervisory authority
(1) According to Article 77 GDPR, you have the right to lodge a complaint with the responsible supervisory authority regarding the collection and processing of your personal data.
(2) The responsible supervisory authority can be reached at the following address:  
The North Rhine-Westphalia State Commissioner for the Protection of Data and Freedom of Information
Kavalleriestrasse 2–4
40213 Düsseldorf
Germany
Phone: +49 211 38424 0
Fax: +49 211 38424 999
Email: poststelle[at]ldi.nrw.de