We are very pleased about your interest in our company. Data protection is a particularly high priority for iSAtech water GmbH. Use of the internet pages of iSAtech water GmbH is generally possible without any indication of personal data. However, if a person wishes to use special services our company provides via our website, it may be necessary to process personal data. We generally obtain the concerned party’s consent if it is necessary to process personal data if there is no legal basis for such processing.
The processing of personal data, such as name, address, e-mail address, or telephone number of a person, is always carried out under basic data protection regulations and in compliance with the country-specific data protection regulations applicable to iSAtech water GmbH. Through this data protection declaration, our company wishes to inform the public about the type, scope, and purpose of the personal data collected, used, and processed by us. Furthermore, this privacy statement informs concerned parties of their rights.
iSAtech water GmbH, as the party responsible for processing, has implemented numerous technical and organizational measures to protect personal data processed via this website. Nevertheless, Internet-based data transmissions may generally have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, everyone concerned can transmit personal data to us by alternative means, e.g., via telephone.
- DEFINITION OF TERMS
The data protection declaration of the iSAtech water GmbH is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy policy is supposed to be easy to read and understand for the public, customers, and business partners. To ensure this, we would like to explain the terms used in advance.
We use the following terms, among others, in this privacy policy:
A) PERSONAL DATA
Personal data describes any information relating to an identified or identifiable natural person (hereinafter called “data subject”). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
B) PERSON CONCERNED
A person concerned is any identified or identifiable natural person whose personal data are processed by the controller.
C) PROCESSING
Processing is any operation or set of operations, performed with or without the aid of automated means, which is performed upon personal data, such as collection, recording, organization, sorting, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
D) RESTRICTION OF PROCESSING
Restriction of processing is the marking of stored personal data to restrict its future processing.
E) PROFILING
Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, conduct, location or change of location of that natural person.
F) PSEUDONYMIZATION
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the need for additional information, provided that this additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not attributed to an identified or identifiable natural person.
G) CONTROLLER OR DATA CONTROLLER
A controller or data controller is a natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for his designation may be provided for by Union or national law.
H) PROCESSOR
A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller.
I) RECIPIENT
A recipient is any natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not that person is a third party. However, authorities who may receive personal data in the context of a specific investigation mandate under Union or national law shall not be considered recipients.
J) THIRD PARTY
A third party means any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the controller’s or the processor’s direct authority, are authorized to process the personal data.
K) CONSENT
Consent is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by explicit affirmative action, signify agreement to the processing of personal data relating to them.
- NAME AND ADDRESS OF THE DATA CONTROLLER
The controller in the sense of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union, and other provisions of data protection is:
iSAtech water GmbH
Elisenstraße 5
12169 Berlin
Germany
Phone: +49 (0)30 36437545
E-mail: zentrale@isatech.de
Website: www.isatech.de
- COLLECTION OF GENERAL DATA AND INFORMATION
The website of iSAtech water GmbH collects a series of general data and information when a data subject or automated system calls up the website. This general data and information is stored in the server log files. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (the so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems can be recorded.
When using this general data and information, the iSAtech water GmbH does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, the iSAtech water GmbH analyzes this anonymously collected data and information statistically on the one hand and on the other hand to increase our enterprise’s data protection and data security to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
- COOKIES
Cookies are text files placed and stored on a computer system via an Internet browser. Cookies are not used on this website.
- COLLECTION OF DATA BY TOOLS AND OTHER MEANS
iSAtech PayU-Cloud is a service of iSAtech water GmbH. It is not public and is only available with a separate user agreement.
Additional data can be collected when using the iSAtech PayU-Cloud. This includes, in particular, data on water and electricity consumption. Furthermore, personal data such as name, address, telephone number, profile picture, and e-mail address may be collected on a voluntary basis. This data is used to bill water and electricity and for user administration. The user can edit and delete the user administration data. The user can view all data at any time.
Two Android applications are provided by iSAtech water GmbH for the use of iSAtech PayU-Cloud: iSAtech PayU-Manager and iSAtech SMS Gateway. These applications can be downloaded from the Google Play Store. Access is also possible directly via a web interface (also called iSAtech PayU-Manager). The iSAtech PayU-Manager (Android) collects and processes the same data as the iSAtech PayU-Manager (web interface). The iSAtech PayU-Manager (Android) can also store data locally to enable access to data from iSAtech PayU-Cloud without a permanent internet connection.
The iSAtech SMS Gateway is an application for forwarding SMS to the iSAtech PayU-Cloud. This is required for the automated processing of credit transactions using instant payment notification SMS for mobile payment systems (e.g., M-Pesa). If the application is installed, configured with login data, and activated, the phone number of the phone and all incoming SMS are forwarded to the iSAtech PayU-Cloud. The phone number is required to identify the recipient of credit transactions securely. The incoming SMS are analyzed. An SMS containing an instant payment notification for a configured mobile payment system is processed further. The payment information is analyzed to identify the payment’s sender and amount. The payment is only processed further if the sender of the payment is a user registered in the iSAtech PayU-Cloud. No further evaluation or processing of the data and telephone numbers takes place. Data and telephone numbers that are not required for the payment process are only stored for as long as is necessary to rectify possible errors and faults and to ensure the permanent functionality of our information technology systems and technology.
- ROUTINE DELETION AND RESTRICTION OF PERSONAL DATA
The controller processes and stores the data subject’s personal data only for the period necessary to achieve the purpose of this storage or as long as it is granted by the European legislator or other legislators in laws or regulations to which the controller is subject.
If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be routinely blocked or deleted per the statutory provisions.
- RIGHTS OF PERSONS CONCERNED
A) RIGHT OF CONFIRMATION
Each data subject shall have the right granted by the European legislator to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.
B) RIGHT TO INFORMATION
Any person concerned by the processing of personal data has the right granted by the European legislator to obtain, at any time and free of charge, information from the controller concerning the personal data stored about them and a copy of that information. Furthermore, the European legislator has granted the data subject access to the following information:
- purpose of processing
- categories of personal data that are processed
- recipients or types of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- existence of the right to request correction or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- existence of a right to complain to a supervisory authority
- if the personal data are not collected directly from the person concerned: All available information about the origin of the data
- existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the person concerned
Furthermore, the person concerned has the right to know whether personal data has been transferred to a third country or an international organization. If this is the case, the person concerned also has the right to obtain information about the appropriate safeguards concerning the transfer.
If a person concerned wishes to exercise this right to information, they can contact an employee of the data controller at any time.
C) RIGHT OF CORRECTION
Any person concerned by the processing of personal data has the right, granted by the European legislator, to obtain from the controller without undue delay the correction of inaccurate personal data concerning them. Furthermore, the person concerned has the right to request the completion of incomplete personal data, including the use of a supplementary declaration, taking into account the purposes of the processing.
If a person concerned wishes to exercise this right, they can contact an employee of the data controller at any time.
D) RIGHT TO DELETION (RIGHT TO BE FORGOTTEN)
Each data subject has the right granted by the European legislator to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller must erase personal data without undue delay where one of the following grounds applies, as long as processing the specific data is not necessary:
The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
The person concerned withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR and where there is no other legal ground for the processing.
The person concerned objects to the processing according to Art. 21 (1) GDPR, and there are no overriding legitimate grounds for the processing, or the person concerned objects to the processing according to Art. 21 (2) GDPR.
The personal data was processed unlawfully.
The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
The personal data was collected in relation to Information Society services offered according to Art. 8 (1) GDPR.
If one of the reasons above applies, and a person concerned wishes to request the erasure of personal data stored by iSAtech water GmbH, they may, at any time, contact any employee of the controller. An employee of iSAtech water GmbH shall promptly ensure that the erasure request is complied with immediately.
If the personal data has been made public by iSAtech water GmbH and our company, as the controller, is obliged to erase the personal data according to Article 17(1) of the GDPR, iSAtech water GmbH shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, this personal data, as far as processing is not required. An employee of the iSAtech water GmbH will arrange the necessary measures in individual cases.
E) RIGHT TO LIMITATION OF PROCESSING
Any person concerned by the processing of personal data has the right, granted by the European legislator, to require the controller to restrict processing of their personal data where one of the following applies:
The accuracy of the personal data is contested by the person concerned, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful, and the person concerned opposes the erasure of the personal data and requests the restriction of their use instead.
The controller no longer needs personal data for processing, but it is required by the person concerned to establish, exercise, or defend legal claims.
The person concerned has objected to the processing, according to Art. 21 para. 1 GDPR, and it is unclear whether the controller’s legitimate reasons outweigh those of the person concerned.
If one of the conditions above is met, and a person concerned wishes to request the restriction of the processing of personal data stored by iSAtech water GmbH, they may at any time contact an employee of the controller. The employee of the iSAtech water GmbH will arrange the restriction of the processing.
F) RIGHT TO DATA TRANSFERABILITY
Any person concerned by the processing of personal data has the right, granted by the European legislator, to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent according to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract according to point (b) of Article 6(1) GDPR and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
Furthermore, in exercising their right to data transferability, according to Art. 20 para. 1 GDPR, the person concerned has the right to order the controller to transfer the personal data directly to another controller insofar as this is technically feasible and provided that this does not adversely affect the rights and freedoms of other persons.
To assert the right to data transferability, the data subject may contact any employee of the iSAtech water GmbH at any time.
G) RIGHT TO OBJECT
Any person concerned by the processing of personal data has the right, granted by the European legislator, to object at any time, on grounds relating their particular situation, to the processing of personal data concerning them, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
iSAtech water GmbH shall no longer process the personal data in the event of an objection unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
If iSAtech water GmbH processes personal data for direct marketing purposes, the person concerned has the right to object at any time to the processing of personal data concerning them for such marketing. This also applies to profiling if it is associated with such direct advertising. If the person concerned objects to iSAtech water GmbH processing the data for direct marketing purposes, iSAtech water GmbH will no longer process the personal data for these purposes.
In order to exercise the right to object, the person concerned may directly contact any employee of iSAtech water GmbH. The person concerned is also free to exercise their right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
H) AUTOMATED DECISION-MAKING IN INDIVIDUAL CASES, INCLUDING PROFILING
Any person concerned by the processing of personal data has the right, granted by the European legislator, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, if the decision (1) is not necessary for entering into, or performance of, a contract between the person concerned and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it must be based on the data subject’s explicit consent. iSAtech water GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and contest the decision.
If the person concerned wishes to assert rights relating to automated decisions, they can contact a controller employee anytime.
I) RIGHT TO WITHDRAW CONSENT UNDER DATA PROTECTION LAW
Any person concerned by the processing of personal data has the right, granted by the European legislator, to withdraw consent to the processing of personal data at any time.
If the person concerned wishes to exercise their right to withdraw consent, they can contact a controller employee at any time.
- LEGAL BASIS OF PROCESSING
Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the person concerned is party, as is the case, for example, with processing operations necessary for the supply of goods or the provision of any other service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations necessary for pre-contractual measures, such as inquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as to fulfill tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, processing personal data may be necessary to protect the vital interests of the person concerned or another natural person. This would be the case, for example, if a visitor were injured in our company and their name, age, health insurance data, or other vital information would has to be passed on to a doctor, hospital, or other third party. Then, the processing would be based on Art. 6 I lit. d GDPR. Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations that are not covered by any of the abovementioned legal grounds if processing is necessary for the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person concerned. We can carry out such processing operations because the European legislator has specifically mentioned them. The European legislator expressed that a legitimate interest could be assumed if the person concerned is a customer of the controller (Recital 47 Sentence 2 GDPR).
- LEGITIMATE INTERESTS IN PROCESSING PURSUED BY THE CONTROLLER OR BY A THIRD PARTY
Where the processing of personal data is based on Article 6, I lit. f GDPR, our legitimate interest is the performance of our business activities to benefit the well-being of all our employees and shareholders.
- DURATION FOR WHICH THE PERSONAL DATA IS STORED
The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period has expired, the corresponding data is routinely deleted, provided it is no longer required for contract fulfillment or initiation.
- LEGAL OR CONTRACTUAL REQUIREMENTS FOR THE PROVISION OF PERSONAL DATA; NECESSITY FOR THE CONCLUSION OF THE CONTRACT; OBLIGATION OF THE PERSON CONCERNED TO PROVIDE THE PERSONAL DATA; POSSIBLE CONSEQUENCES OF FAILURE TO PROVIDE SUCH DATA
We want to inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may also result from contractual regulations (e.g., information on the contractual partner). Sometimes, it may be necessary for a contract to be concluded for a person concerned to provide us with personal data that we must subsequently process. For example, the person concerned must provide us with personal data if our company concludes a contract with them. Failure to provide personal data would mean the contract with the person concerned cannot be concluded. Before personal data is provided by the person concerned, the person concerned must contact one of our employees. Our employee will clarify to the person concerned on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data were not provided.
- USE OF AUTOMATED DECISION-MAKING
As a responsible company, we do not use automated decision-making or profiling.
This Privacy Policy has been generated by the Privacy Policy Generator of the German Association for Data Protection that was developed in cooperation with Lawyers from WILDE BEUGER SOLMECKE, Cologne.