Data protection – an integral part of our company

Responsible for providing this website and related functions as described within this data protection information is

Bundesdruckerei GmbH

Kommandantenstraße 18

10969 Berlin

E-mail: info@bundesdruckerei.de

which decides on and designs the local public image of Xecuro GmbH.

You can contact the Data Protection Officer of Bundesdruckerei GmbH at the above address with the addition “Attn Data Protection Officer” or by e-mail at datenschutz@bdr.de

You can contact the Data Protection Officer of Xecuro GmbH at the address Boris Reibach, LL.M., Scheja und Partner Rechtsanwälte mbB, Adenauerallee 136, 53113 Bonn, or by e-mail at: datenschutz@xecuro.de

2.1    Categories of Data, Purpose of Processing and Legal Basis

When you use this website, we regularly process the following categories of personal data:

• contact details, including your first and last name, e-mail address or telephone number, which you provide voluntarily when registering, making contact requests, participating in surveys, etc.;
• information provided as part of a support request;
• information automatically sent to us by your web browser or device, such as your IP address, device type, browser type, previously visited websites, visited subpages or the date and time of your request.
• to enable you to use the services and functions of this website and
• to process your request.
• date and time the website was accessed,
• web browser and operating system used and the device type,
• complete IP address of the requesting device and referrer URL,
• volume of data transferred.

We process your personal data for the following purposes:

The processing of personal data is necessary to achieve the stated purposes. More details on this are provided later on in the data protection information. Extensive information is provided on the individual processing series and the legal basis for processing your personal data.

2.2   Use of Cookies

When you visit our website, we collect personal data via your Internet browser and by using session cookies – necessary for technical reasons – during your active connection. These session cookies enable us to make the website available. They usually expire at the end of the session.

Most browsers are set to accept cookies automatically. You can also deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent. We receive the following information by using session cookies:

The legal basis for the storage of information in the end user’s terminal equipment is Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG). The use of session cookies is essential for us as the provider of this website (digital service) to ensure its availability as expressly requested.

2.3   Processing of Log Files

Every time you access this website or retrieve a file, data about this process is temporarily processed in a log file. More specifically, personal data is stored to the same extent as when session cookies are processed.

This data is analysed in the event of attacks (e.g., DDoS attacks) on the communication technology and, if necessary, used to initiate legal and criminal proceedings. These log files are deleted no longer than 45 days after being collected. The legal basis for this processing of your personal data is Art. 6 (1) sentence 1 (f) GDPR. Our legitimate interest is the clarification of security-related incidents.

We have provided a contact form for you to get in touch with us. You can choose whether to have us respond to your enquiry by telephone or by e-mail. You can specify this in a free text field after you have preselected the topic of your enquiry. This will enable us to find the right contact person in the Bundesdruckerei Group as quickly as possible. Possible recipients of your data will therefore be the internal employees responding to your enquiry and affiliated companies pertaining to the topic of your enquiry.

Some fields are not mandatory. Nevertheless, if you choose to provide the corresponding information, you consent to us processing your personal data for the purpose of responding to your enquiry.

If you are interested in receiving more information about our products, the legal basis for processing your personal data in connection with the contact request is Art. 6 (1) (b) GDPR. However, if you pursue a different request, we will process your personal data in accordance with Art. 6 (1) sentence 1 (f) GDPR on the basis of our legitimate interest in responding to your request and providing information about our products and services.

We operate a company page on popular business networks to enable us to reach our potential future colleagues in the optimum way. The following data protection information applies to the processing of personal data within the portals.

4.1   LinkedIn

When you visit, follow or explore our LinkedIn company page, LinkedIn processes personal data about this interaction, enabling us to analyse user behaviour through statistical evaluations. This involves the “Page Insights” function. For these statistical analyses, LinkedIn primarily processes the data you provide to the platform via information in your profile. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. When we organise “polls” – post topic-related surveys on our company website – we see evaluations of the voting behaviour.

LinkedIn does not provide us with any personal data via Page Insights. We only have access to summarised Page Insights that do not allow any conclusions to be drawn about individual members.

Personal data from Page Insights is processed by LinkedIn and us as joint controllers. Analysis of the actions on our LinkedIn company page supports our constant efforts to align our public relations work with the needs of users. The legal basis for processing this data is Article 6 (1) (f) GDPR.

Bundesdruckerei GmbH has entered into a joint controllership agreement with LinkedIn, which sets out the allocation of data protection obligations between us and LinkedIn. Click here to view the agreement. Under data protection law, the company is the sole party responsible for processing personal data within the LinkedIn platform. Further information on the processing of personal data by LinkedIn is available here.

Please note that LinkedIn processes personal data in the USA or other third countries. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. LinkedIn is certified in accordance with the DPF. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

4.2   Integration of YouTube Videos

Our website integrates videos from YouTube. The provider of the video platform is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland. A connection to the YouTube servers is only established when you call up an embedded video (two-click method). Once you do, the YouTube server is informed about which of our pages you have visited. YouTube also receives your IP address. This is true even if you are not logged in to YouTube or are not a Google account holder. By being logged in to your Google account while on YouTube, you allow Google to directly link your browsing behaviour to your personal profile. You can prevent this by logging out of your Google account on YouTube or deactivating the corresponding function in your Google profile settings.

Personal data is also transferred to Google servers (Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA) in the USA and stored there. However, due to the activation of IP anonymisation “anonymiseIp()”, Google’s IP address is shortened beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. Google has a corresponding certification in accordance with the DPF. Further information on the handling of personal data can be found in theGoogle Privacy Policy. The legal basis for the processing of your IP address and associated information is your voluntary and informed consent in accordance with Art. 6 (1) sentence 1 (a) GDPR and Section 25 (1) TDDDG, which you can revoke at any time with effect for the future. The legality of the data processing carried out until the time of such revocation remains unaffected by the revocation. Further information on the handling of personal data is available in the data protection information provided by Google.

Ensuring compliance with legal regulations and internal rules, such as our Code of Conduct and our Code of Conduct for Business Partners, is a top priority for the Bundesdruckerei Group. This applies to both our own business division as well as our supply chains.

It is important to us that risks be identified at an early stage and violations avoided as far as possible. We want to initiate appropriate countermeasures in good time and avoid potential damages for data subjects, customers, employees, business partners and our company Group.

We have therefore established an independent, impartial and confidential whistleblower system that allows internal and external whistleblowers to report anonymously.

We enlist the support of the transparent complaints procedure to ensure the greatest possible protection, particularly for data subjects, the whistleblowers and the employees involved in investigating the reported issues. All actual and alleged violations of legal requirements, the Code of Conduct and the Code of Conduct for Business Partners can be reported under the complaints procedure. Likewise, the subject of a report may involve human-rights or environmental risks or breaches of duty anywhere along the supply chain of our Group companies and in our own business division.

Rapid, standardised processes plus confidential and professional processing of tips by internal experts form the foundation of this system, which is based on the principle of fair proceedings.

Discrimination or punishment of whistleblowers and persons entrusted with the handling of complaints and tips is not tolerated.

The aforementioned complaints procedure is applicable to Bundesdruckerei Group GmbH and the Group companies Bundesdruckerei GmbH, Maurer Electronics GmbH, genua GmbH, D-Trust GmbH, Maurer Electronics Split d.o.o, Inco Sp. z o.o. and Xecuro GmbH (collectively the “Bundesdruckerei Group”).

5.1    Categories of Personal Data

The report can be made anonymously. In this case, no personal data of the whistleblower is processed.

The categories of personal data processed depend on the information reported. If the whistleblower reports personal data about another person, including that of the person or persons being reported on, this personal data will also be processed. The following categories of personal data may be processed:

• General personal data (name, address, e-mail address, telephone number, position, etc.)
• Personal data relating to criminal convictions or suspicion thereof
• Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation)

We advise the whistleblower to only report information that is of specific relevance to the reported case and, in particular, to refrain from reporting sensitive information unless it is of central importance for processing the reported case.

5.2   Purpose and Legal Basis of Data Processing

The purpose of processing personal data is the management of the whistleblower system, including the detection of serious violations or potential violations of applicable law or other serious matters.

The processing of personal data is necessary for fulfilling legal obligations to which we are subject; see Art. 6 (1) sentence 1 (c) GDPR. This is the law for better protection of whistleblowers (Whistleblower Protection Act – Hinweisgeberschutzgesetz, HinSchG).

The purpose of processing the data is to safeguard our legitimate interest in detecting serious violations or potential violations of applicable law or other serious matters pursuant to Art. 6 (1) sentence 1 (f) GDPR.

As far as the processing of special categories of personal data is concerned, processing on the basis of the Whistleblower Protection Act is necessary for reasons of substantial public interest; see Art. 9 (2) (g) GDPR. Special categories of personal data are processed pursuant to Art. 9 (2) (f) GDPR in conjunction with. Art. 6 (1) sentence 1 (f) GDPR for the establishment, exercise or defence of legal claims.

A data subject is anyone who is the subject of the report. Data subjects may be employees, contractual partners or anyone else who is professionally associated with us. Additionally, we process personal data of the individual providing the information if they share their contact details or any other information that identifies them. Whistleblowers must therefore be aware that we may process personal data about them in connection with processing the reported case.

5.3   Recipients of Personal Data

The reports are documented as a process in the WhistleB System at Bundesdruckerei GmbH. After being evaluated, the processes are passed on internally to the responsible departments, and any necessary

follow-up measures are initiated. If a report concerns one of the Group companies of the Bundesdruckerei Group, these processes are forwarded to the responsible persons of the respective Group company and evaluated internally by the responsible person, and any necessary follow-up measures are initiated. Personal data is only passed on for a specific purpose and in accordance with the principle of data minimisation; in other words, only the personal data that is absolutely necessary to process the report is passed on.

We disclose personal data about the whistleblower to authorities if this is necessary for dealing with serious offences or serious matters or for ensuring the right of defence of the data subjects. In other cases, personal data about the whistleblower is only passed on with the consent of the whistleblower. Personal data about persons other than the whistleblower is only passed on as part of following up on a reported case or dealing with serious offences or serious matters.

The reporting platform is provided by the processor, WhistleB Whistleblowing Centre AB, Stockholm, Sweden. Further information on WhistleB, Whistleblowing Center AB is available to read in the Terms of Use.

5.4   Obligation to Provide Personal Data

There is no obligation to provide the personal data listed under section 5.1, as it is also possible to report anonymously. However, it may not be possible for us to process the report without being provided with personal data.

5.5   Storage Duration

Personal data that proves to be irrelevant for the processing of a reported case, along with reports that we consider to be unfounded, are immediately categorised as “irrelevant”, and any personal reference (unless it is already an anonymous report) will be removed. This report will then be archived initially (without personal reference) but not yet deleted in order to guarantee the legally required documentation obligation and statutory deletion period arising from Section 11 (1), (5) HinSchG. Archived cases are used exclusively to fulfil documentation obligations and can therefore no longer be called up for processing.

Reports and personal data collected in the course of processing a report form the basis for further processing and are anonymised as soon as possible. However, if the need for follow-up measures within the meaning of Section 3 (8) and Section 18 HinSchG arises, it is possible that deviating from anonymisation will become necessary due to an official order or to secure legal claims. In this case, unless otherwise specified (e.g., by a court order), pseudonymisation is generally striven for. The documentation will be deleted three years after the proceedings are completed. The documentation may be kept for longer in order to fulfil the requirements of this Act or other legislation – as long as this is necessary and appropriate.

To obtain information about the behaviour of website visitors, we use the web tracking tool etracker from etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany. We only use personal data for the visitor count, which the browser transmits anyway. However, we anonymise this data for the further purpose of “analysing user behaviour”, as we do not create user profiles. Web analysis is therefore not conducted on the basis of personal data but with the help of “cross-device IDs” that cannot be linked to individual users. We use etracker without cookies. Beyond this, etracker does not use any other identifiers. The legal basis for processing your personal data for the analysis of your user behaviour is Art. 6 (1) sentence 1 (f) GDPR. The improvement of our website is to be categorised as a legitimate interest within the meaning of this provision.

7.1      Description of the Processing Activity

We use the “Friendly Captcha” service to make automated access – such as by bots – more difficult. A bot is a computer program that performs repetitive tasks largely automatically without being dependent on any interaction with a human user. When a website protected by “Friendly Captcha” is accessed, the program code integrated into the page generates a short calculation task (“puzzle”). The visitor’s end device receives this puzzle request, calculates a solution and sends it back to our web server, which in turn has the “Friendly Captcha” server validate whether the task has been solved correctly. Website access can only be continued following successful validation. This makes it more difficult for bots to obtain access or call up web pages on a massive scale.

7.2      Data Subjects and Categories of Personal Data

All visitors to our websites on which Friendly Captcha is active are affected by data processing. The following data in particular is processed as part of the puzzle calculation and validation:

• Connection data (e.g., browser type, operating system, user agent, referencing website, timestamp of the request)
• IP address, but only in hashed (one-way encrypted) form
• Environment data (e.g., device properties such as available fonts, screen resolution, browser and language settings, local time)
• Interaction data (e.g., non-content keystrokes of functional keys, scroll movements, window changes)
• Functional data (e.g., session IDs, version and status information on the protection software, number of repeated connection attempts)

7.3      Purposes and Legal Basis for Processing Personal Data

The legal basis for processing the aforementioned data is Art. 6 (1) sentence 1 (f) GDPR. We have a legitimate interest in ensuring the security and functionality of our websites and in offering all users a stable user experience.

The legal basis for the storage of information in the end user’s terminal equipment is Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG). The short-term storage and read processes serve to protect the website from abusive automated access and to thereby ensure the stability of our online offering and are therefore necessary from a technical standpoint.

7.4      Recipients of Personal Data

In the course of the validation process, the data required for the puzzle and its verification are transmitted to our servers and temporarily to the Friendly Captcha servers. Friendly Captcha is our processor within the meaning of Art. 28 GDPR. No further transmission to third parties will take place unless there is a legal obligation for it to be disclosed.

7.5      Storage Duration

The data collected during validation is only stored for as long as is necessary to carry out and document the puzzle request. IP addresses are processed exclusively in hashed form. No long-term analysis is conducted. Temporary log entries may be retained for troubleshooting or security tracking purposes; however, they will be deleted as soon as the respective purpose has been achieved, and no later than after 30 days.

7.6      Necessity of Providing Personal Data

Processing the aforementioned information is necessary for the secure and trouble-free operation of our websites. Without this technical data (e.g., browser information, solved puzzle), it would not be possible to recognise automated access, meaning there would be no effective protection against bots. Accordingly, it is only possible for our website to be used with the provision of this data – in pseudonymised form – which is equally in your and our interest in order to ensure a stable, functional online offering.

Goods or digital services to be provided (e.g., merchandise, software, technology) and the cross-border transfer of them may be subject to German, European, Chinese or US export control regulations. The respective client is responsible for the cross-border provision of the goods and digital services provided by Bundesdruckerei and must ensure that no natural persons or legal entities, organisations or institutions are involved in the execution of the contract or benefit from the execution of the contract that are on an EU or United Nations sanctions list. This also applies with regard to natural persons or legal entities, organisations or institutions that are on the sanctions lists of other governments, with the exception of such listings that are based on the legal acts listed in the Annexes to Regulation (EC) No. 2271/96 and/or that are directed against a state against which neither the United Nations nor the EU nor the Federal Republic of Germany have adopted any economic sanction measures.

If Xecuro GmbH or Bundesdruckerei GmbH is obliged as the actor responsible for exports to carry out export controls and sanctions list comparisons in individual cases due to a deviating constellation, this is done on the basis of Art. 6 (1) sentence 1 (f) GDPR and of our legitimate interest in not entering into business relationships with persons/entities on the relevant sanctions lists and of being able to fully avoid the penalties that would result. In the case of false matches, the date of birth, place of birth, nationality and name at birth are used.

We take all necessary technical and organisational security measures to protect your personal data from loss and misuse. For example, your data is stored in a secure operating environment that is not accessible to the public.

Personal data may be transferred within the Bundesdruckerei Group to other Group companies for the aforementioned purposes if this is necessary to fulfil the aforementioned purposes.

Personal data is also disclosed to courts, regulatory authorities or law firms to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend against legal claims.

If we work with service providers, such as providers of IT maintenance services, they only act on our instructions and are contractually obliged to comply with the applicable data protection requirements. Bundesdruckerei GmbH remains responsible for any data processing.

If no explicit retention period is specified when personal data is collected (e.g., as part of a declaration of consent) or within the descriptions of this data protection information, personal data is deleted as soon as it is no longer required for the purposes for which it was collected unless statutory retention obligations (e.g., retention obligations under commercial and tax law) prevent such deletion.

The following general time limits apply to storage and archiving in accordance with German law:

• 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets along with the work instructions and other organisational documents, accounting documents and invoices required for their understanding (Section 147 (3) in conjunction with (1) Nos. 1, 4 and 4a of the Tax Code (Abgabenordnung, AO), Section 14b (1) of the Value Added Tax Act (Umsatzsteuergesetz, UStG), Section 257 (1) Nos. 1 and 4, (4) of the Commercial Code (Handelsgesetzbuch, HGB).
• 6 years – Other business documents: commercial or business letters received, reproductions of commercial or business letters sent, other documents insofar as they are of significance for taxation, such as hourly wage slips, company accounting sheets, calculation documents, pricing, and also payroll accounting documents insofar as they are not already accounting documents and cash register receipts (Section 147 (3) in conjunction with (1) Nos. 2, 3, 5 AO, Section 257 (1) Nos. 2 and 3, (4) HGB).
• 3 years – Data required for considering potential warranty and compensation claims or similar contractual claims and rights and for processing related inquiries based on past business experience and standard industry practices is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

You have the following rights in accordance with the GDPR:

Right to Information

You have the right to request information from us at any time about all data that we store about you pursuant to Art. 15 GDPR. In particular, this includes information about 

• the purposes for which we process your data,
• the categories of data that we process concerning you,
• the specific recipients or, if these are not known, the categories of recipients to whom we transfer your data,
• the duration for which we store your data or, if this cannot be determined, the criteria under which we store your data and,
• if applicable, the origin of the data if we have not collected it from you.

Right to Rectification

If your data processed by us is incorrect or incomplete, you may ask us to rectify or complete this data at any time in accordance with Art. 16 GDPR.

Right to Erasure (Being Forgotten)

If the original legal basis for the data processing no longer applies or if you have revoked your consent or objected to the processing or if we are no longer permitted to process your data for another of the reasons stated in Art. 17 (1) GDPR, you can request that we erase the personal data concerning you in accordance with Art. 17 GDPR.

This right does not apply if processing is necessary to exercise freedom of expression and information, protect public interests, comply with a legal obligation or to assert, exercise or defend legal claims.

Right to Restriction

Pursuant to Art. 18 GDPR, you may also request that the processing be restricted. You are entitled to this right if you dispute the accuracy of the data, if the processing is unlawful, if we no longer need the data for the stated purposes or if you have objected to the processing and if we are not otherwise permitted to process the data lawfully in the latter two cases.

Right to Data Portability

You can also ask us to transfer your data to you or another controller in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.

Right to Revoke Consent

If your consent serves as the legal basis for processing your data, in accordance with Art. 6 (1)(1) (a) or Art. 9 (2) (a) GDPR, you may revoke it at any time pursuant to Art. 7 (3) GDPR. If you revoke your consent, we will cease processing your data; however, the lawfulness of processing conducted prior to the revocation will not be affected.

Right to Lodge a Complaint with a Supervisory Authority

You can also lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, this should be the supervisory authority of your usual place of residence or workplace; alternatively, you can also address your complaint to the supervisory authority of our company headquarters.

RIGHT OF OBJECTION

IN ACCORDANCE WITH ART. 21 GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA IF WE PROCESS YOUR PERSONAL DATA SOLELY ON THE BASIS OF OUR LEGITIMATE INTERESTS AND THERE ARE GROUNDS RELATING TO YOUR PARTICULAR SITUATION. IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT ADVERTISING, YOU HAVE A GENERAL RIGHT TO OBJECT WITHOUT STATING SPECIFIC REASONS.

YOU CAN DECLARE YOUR OBJECTION BY SENDING AN E-MAIL TO DATENSCHUTZ-REQUEST@BDR.DE.