- 1. Controller and applicable law
1.1. In the United Kingdom, “my mobile company GmbH”, Kokkolastraße 5, 40822 Ratingen (Germany), is the data processing controller for the service “Mobidoo” according to Art. 4(7) GDPR.
1.2. The data are processed either directly by my mobile company GmbH or by companies the controller has commissioned as processors within the meaning of Art. 4(8) GDPR and as joint responsible controllers (so-called Joint Controllership) according to Art. 4(7) GDPR in conjunction with Art. 26 GDPR. The controller is always and solely legally responsible with respect to the users. A risk-based data protection impact analysis in accordance with Art. 32 and Art. 35 GDPR is performed prior to the processing of data as necessary. The controller, their cooperation partners, and processors have appropriate security concepts and procedures in place that will be followed if the protection of personal data is violated.
1.3. The controller ensures the security and confidentiality of data transmitted by users in accordance with the applicable data protection law. The controller is recipient and processor of such data.
1.5. The controller herewith informs the users according to the provisions of the General Data Protection Regulation (GDPR). The GDPR has direct effect in the UK
from 25 May 2018 until the UK leaves the EU. In addition, the Data Protection Bill, which was announced in the Queen’s Speech on 21 June 2017, will find supplementary application. This Bill updates data protection laws in the UK, supplementing the General Data Protection Regulation (EU) 2016/679 (GDPR), implementing the EU Law Enforcement Directive, as well as extending data protection laws to areas which are not covered by the GDPR, especially in Part. 2, Chapter 2 of the Bill. This Bill is intended to provide a comprehensive package to protect personal data. In addition, more specific data protection provisions may apply, in particular after leaving the European Union.
1.6. The controller requires the mobile phone numbers of the users of its services to operate its mobile services. It may store the mobile phone numbers due to a legitimate interest under Art. 6(1) GDPR and user consent under Art. 7(1) GDPR. The controller will use the mobile telephone numbers entrusted to it for activation, performance, and deactivation of numbers for mobile networks in such a way that exposes them to as little risk as possible. The controller will not link the mobile phone numbers to a person. The user is billed for the services via its mobile service provider, which settles the charges incurred with the controller. The controller and their processors do not perform credit assessments nor are such performed by way of joint controlling.
- 2. General information about data processing
2.1. Having received the contracting party’s electronic consent within the meaning of Art. 7(1) GDPR, the controller collects, processes, or uses personal data and traffic data exclusively for the fulfilment of contractual and legal obligations, in particular for the conclusion, performance, and termination of a contract and the handling of the billing process with the mobile service provider within the meaning of Art. 5 GDPR, if the billing process is not handled via an app store (such as Google Play) or a comparable facility as a processor or joint controller. The controller does not provide personal data within the meaning of Art. 4(1) to third parties without an express legal or contractual obligation and without the user having consented according to the statutory provisions. Mandatory statutory provisions may require the transfer of data to governmental and judicial authorities as well as supervisory authorities.
2.2. Data are only collected, used, and processed in electronic form based on user consent in accordance with Art. 7(1) GDPR.
2.3. User consent pursuant to Art. 7(1) GDPR is made voluntarily in accordance with Art. 7(2) GDPR and revocable at any time according to Art. 7(1) GDPR.
2.5. The controller’s General Terms and Conditions generally require the user to subscribe to the respective service of the controller so as to be able to use the controller’s services, unless services can be ordered for single use or another service model is offered. This requires the controller to collect personal data. This is done in particular by assigning a user ID, a password, and other information that allows a user to be identified, unless the only personal data collected are a telephone number and/or an email address. Such data will also be used to alert the controller to service malfunctions, service misuse, or other circumstances defined by the contractual terms in line with privacy requirements. Such data are also used for billing and terminating a service.
2.6. The controller collects information on what and how services are used to ensure proper use in accordance with the terms of the contract. Such data may also be used for billing purposes.
2.7. The controller automatically collects certain data that are stored in log files. Such data include IP address, browser type, operating system used, date/time stamp, and clickstream data. The controller uses such data – which do not contain any direct link to a user’s identity – to conduct trend analyses, manage services, track a user’s navigation within a service, and to collect information about a potentially available user community. Automatically collected data are not linked to a user’s personal data and are not used within the meaning of Art. 22 GDPR for automated decisions, such as profiling and/or scoring.
2.8. The controller’s services are aimed primarily at adults over the age of 18 years. Some services may also be used from the age of 16 though not aimed directly at minors. Art. 8 GDPR defines the effectiveness of a minor’s consent to a fixed limit of 16 years, which has been reduced to 13 years in the UK by Section 9 DPA. The services are information society services within the meaning of Art. 4(25) of EU Directive 2015/1535, as the services are regularly provided for a fee, are sold over a distance, are disseminated by electronic means, and are based on individual request. Although not aimed directly at minors, these services, such as dating apps or games, can also be used by minors. Data of people under the age of 16 years may be processed only if the offer is addressed to persons over the age of 16 years and the verifiable approval of a parent or guardian for such consent is available. This does not change the fact that the capacity to contract starts at the age of 18 years.
2.9. The controller uses automated data processing techniques (so-called big data analyses) – known as profiling – to improve products and services, to improve establishing contact, and to analyse user behaviour. These procedures are designed to make it impossible to refer back to a user and their identity. Personal data are anonymised and pseudonymised before they are used for such procedures. These procedures do not lead to automatic decisions within the meaning of Art. 22 GDPR.
- 3. Instructions on your rights as a user
Users have the rights to information, correction, deletion, restriction, data portability, revocation, and objection based on Art. 15 to 21 GDPR in conjunction with the extended rights and their restrictions under Bill Section 13 ff DPA, unless Bill Section 15 and Schedules 2, 3, and 4 set out exemptions from the GDPR in accordance with Articles 23, 85, and 89 of the GDPR.
Users can complain to the data protection authority if they think that the processing of their data violates data protection law or otherwise violates their entitlement to data protection. In the UK this is the ICO – Information Commissioner’s Office (https://ico.org.uk), Office for Scotland: https://ico.org.uk/about-the-ico/who-we-are/scotland-office/ and for Wales: https://ico.org.uk/about-the-ico/other-languages/welsh.
3.1. User consent pursuant to Art. 7(1) GDPR is made voluntarily in accordance with Art. 7(2) GDPR. It can be voluntarily revoked at any time according to Art. 7(1) GDPR.
3.2. Confirmation and information
Pursuant to Art. 15 GDPR, users can demand confirmation that their personal data are being processed. If true, the data subject has a right to information on whether and to what extent the controller processes data of the data subject. The right to information requires an explicit request made by the user. The controller must provide the data subject with a copy of the data. The first copy is free of charge. Reasonable fees may be charged for additional copies based on administrative costs.
3.3. Correction and completion
Art. 16 GDPR entitles the user, upon request, to have incomplete or incorrect personal data (e.g. a changed mobile phone number) corrected or completed immediately.
The user can demand that processed personal data be deleted in accordance with Art. 17(1) GDPR (the so-called “right to be forgotten”), provided that one of the reasons specified in Art. 17 (1) (a) to (f) GDPR applies. This applies without limitation if the data processing purpose no longer exists, if data are being processed unlawfully, if the data subject revokes their declaration of consent or, if legal reasons require it. Art. 17(2) GDPR specifies that the controller must meet this obligation in technical terms too. Art. 17(3) GDPR specifies that this does not apply if the data are required for asserting, exercising, or defending legal claims, if the data affect the right to freedom of expression and information, if a legal obligation to store the data exists, or if the data are required in the public interest.
3.5. Restriction of processing
Art. 18 GDPR entitles the user to have the processing of their data restricted on demand if
– the user denies the accuracy of the data (data processing is then restricted for the duration of an appropriate review of the facts),
– the processing of the data is unlawful; however, the user declines deletion of the data but instead demands a restriction of the processing of data only,
– the controller no longer needs the data for its intended purpose, but the data are needed by a user for the pursuit of rights or legal defence purposes,
– the user has filed an objection against the processing of the data within the meaning of Art. 21 GDPR.
3.6. Right to data portability
Art. 20 GDPR entitles the user to demand from the controller that they provide the user with the data they have entrusted to the controller for storage in a structured, common, and machine-readable format, provided these data were processed on the basis of a revocable user consent or for the performance of a contract, and the data are processed by automated means.
3.7. Disclosure requirement
The controller is legally obliged to notify all recipients (to whom personal data have been disclosed to) of any correction or deletion of personal data or of a processing restriction pursuant to Art. 16 to 18 GDPR, unless this proves impossible or would involve a disproportionate effort. The controller informs the user about these recipients at the user’s request.
3.8. Right to object
Without prejudice to the non-time-bound right to revoke consent granted to the controller pursuant to Art. 7(2) GDPR, Art. 21(1) GDPR entitles the user to object to the processing of their data pursuant to Art. 6 GDPR. The controller will then no longer process these data unless the controller can prove mandatory and protective reasons that outweigh the data subject’s interests, rights, and freedoms. This does not apply if the data are required for the assertion and exercise of rights or for legal defence. The data may no longer be processed in case of an effective objection.
3.9. Prohibition of sending advertisements
Art. 21(2) GDPR entitles the user to object to the direct advertising without giving reasons. This also applies to profiling if it is associated with direct advertising.
3.10. Right to complain
3.11. Excessive use of rights
The controller may demand appropriate processing fees or refuse to process an application if a request is obviously abusive or otherwise completely irrelevant or has been made repeatedly without any foundation.
- 4. Deletion concept
4.1. The master data of users and other personal data are always deleted when a user relationship that is a contractual relationship has been terminated, but at the latest when all statutory retention periods have expired. Such data will be blocked at the end of a contract.
4.2. Traffic data are deleted as soon as legally permissible, but no later than three months after a payment process was concluded. Traffic data are usually deleted within seven days if the user has not objected in writing.
4.3. Data are not deleted during an ongoing legal proceeding, administrative proceeding, criminal proceeding, or proceeding for a misdemeanour, but only after such proceedings have become final and absolute.
4.4. Personal data can be anonymised instead of being deleted. This will permanently and irrevocably remove any personal reference (such as the user’s mobile phone number), so that the deletion regulations under the data protection law no longer apply.
- 5. Cookies and anonymous identifiers
5.1. A cookie is a small text file that can be stored on the mobile telecommunications terminal for logging purposes. The services of Mobidoo may use basic cookies, online marketing cookies, performance cookies, and post-address-matching cookies, as well as anonymous identifiers under certain circumstances. The controller does not link the data stored in such files to a user’s personal data it is permitted to collect, process, and use. The controller uses temporary cookies, session cookies, permanent cookies, and/or anonymous identifiers for mobile applications according to the balance of its interests in safeguarding its legitimate interests under Art. 6(1)(1)(f) GDPR and the user’s fundamental rights. A session cookie expires when the user closes an application. A permanent cookie is stored on the user’s device for an extended period of time. The user can refuse to accept cookies or anonymous identifiers or delete permanent cookies by following the provider’s instructions for receiving telecommunication services on a specific device. An anonymous identifier is a random string. It functions as a cookie on platforms where the cookie technology is not available, such as mobile devices.
5.3. Art. 21 GDPR entitles the user to object to the setting of cookies or anonymous identifiers. However, users may then no longer be able to use the services in accordance with the contract.
- 6. Transmission of data to third countries
Art. 44 to 50 GDPR entitles a controller offering national and international services to transfer personal user data based on the consent given by the user to processors in other EU member states or other contracting states of the Agreement on the European Economic Area which have a comparable level of data protection due to the application of European data protection law. Data are only transmitted to other countries if those countries’ level of data protection is comparable to the level of protection provided by the European Union and the European Economic Community within the meaning of Art. 45 GDPR or if guarantees within the meaning of Art. 46 GDPR exist.
- 7. Advertising and distribution to third parties
7.1. The controller is entitled to inform the user about their services by electronic communication (in particular by email or SMS) if the user has consented to receive by electronic communication, from the controller, advertisements in the context of the existing customer relationship. This consent does not cover telephone advertising, which is not used by the controller.
7.2. The controller may send the user emails or SMSs containing information on subsidiaries and their products and services, provided the user has provided the appropriate consent within the meaning of Art. 7(1) GDPR. Users can revoke their consent to the described use of their email address or mobile phone number by the controller at any time in writing (e.g. by email) without incurring any costs, apart from the costs incurred for transmitting the revocation at applicable basic rates.
7.3. Each piece of information and each newsletter – if the controller offers such a service – sent by the controller shall give the user the option to object to receiving further information without observing any time limit and to submit such a revocation.
7.4. Personal user data are only shared with third parties with the express consent of the data subject. This shall not apply to transferring data to a controller’s service partners as processors or as part of a joint controllership, if and to the extent this is necessary for the execution of contractual relationships with the user.
7.5. The controller’s services may partly be financed by digital advertising. As a result, advertisements from the controller or third parties may be displayed while using the controller’s offers. The controller will send advertising messages from third parties to a user only if they have received a user’s corresponding declaration of consent.
- 8. Google Analytics and Google – AdWords
8.1. The controller may use the analytics service provided by Google Inc. (Google) called Google Analytics or have it used. It provides an analysis of how the user uses the application. The controller will use this information only to ensure the continuous development and improvement of its services.
8.2. Non-personal information on usage behaviour and error messages may be collected for analysis purposes. Such data are anonymised and do not contain any personal data. Data are anonymised by truncating IP addresses the terminals could be identified with. The use of a website or app (movements within an issue, use of features, etc.) is stored and analysed by Google Analytics.
8.3. The above-mentioned analysis generally occurs on servers within the EU or the European Economic Area before transferring the data to Google. Only in exceptional cases, for example in case of technical issues, may a user’s IP address be transferred to a Google server in the United States and then truncated there (see: http://www.google.de/intl/de/analytics/features/mobile-app-analytics.html).
8.4. Data transmitted through Google Analytics will not be merged with other Google data or personal data. These data are not evaluated with the purpose of creating personal usage profiles. The collected data will not be shared with third parties. Users can prevent the collection of data generated by IP addresses that are related to their use of the application as well as the processing of these data by Google by deactivating the usage analysis option in the application settings, provided an application provides such settings.
8.6. The controller may also use Google Analytics to evaluate AdWords usage data for statistical purposes. The controller may use anonymous identifiers that work much like cookies to run ads on devices that do not support cookie technology, such as mobile applications. The user can use application advertisement preferences to control the ads the controller runs on their mobile device in applications. Users should follow the instructions for their particular mobile device if they want to change their settings or want to opt out of interest-based ads.
- 9. Data usage in connection with social networks
- 10. Use of social media plugins – Facebook
10.1. The controller may use social plugins (“plugins”) provided by the social network www.facebook.com. The following instructions are included as a precaution. The Facebook controller for Europe is Facebook Ireland Ltd., Hanover Reach, 5 – 7 Hannover Quay, Dublin 2, Ireland. This social network is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.
10.2. These plugins are recognisable through the Facebook logo (white “f” on a blue tile) or are labelled with the addition “Facebook Social Plugin”. The list and look of Facebook social plugins can be viewed at http://developers.facebook.com/plugins. Facebook. Inc. can change this plugin at any time without the controller being able to influence it.
10.4. A distinction must be made with regard to the transfer of data to Facebook between merely using the app and accessing websites via the browser (from within the app or a website). A direct connection to the Facebook servers will be established if you access a website containing such a plugin via an app or a website. The plugin content is then transmitted by Facebook directly to your browser and incorporated into the website. The controller of the service therefore has no influence on the type and extent of data collected by Facebook with the help of this plugin. The integration of the plugins will always provide Facebook with the information that the user has accessed a corresponding website.
10.5. Facebook can assign the visit to the user’s relevant Facebook account if a user is logged into Facebook. The browser used on the mobile device will directly transmit the corresponding information to Facebook and Facebook will store such information if a user interacts with the plugins, for example by pressing the “Like button” or by leaving a comment. Facebook might still be able to identify and store a user’s IP address even if not a member of Facebook.
10.6. The user must log out of Facebook before visiting websites via the application if a user is a Facebook member but does not want Facebook to automatically collect data about the user and link these to the member’s data stored on Facebook.
10.7. Data are not automatically transferred to Facebook when only using the application as opposed to using Facebook plugins on mobile Internet pages. Data will be transferred to Facebook only when using the above-mentioned plugins. The first data transmission also requires an explicit login to Facebook via the app first, as otherwise no data transmission takes place. However, data will always be transmitted to Facebook as soon as a user clicks on a corresponding Facebook button in an app once they have logged in.
- 11. Security measures
Art. 32 GDPR specifies that the controller shall take all necessary technical and organisational measures within the meaning of the applicable data protection law to ensure the data that are stored, managed, or used by the controller are protected against accidental or deliberate changes or unauthorised access. Art. 25 GDPR specifies that, using a risk-based approach, appropriate technical security measures be taken according to the current state of the art to provide data protection by technological design. The controller has the technical service providers use suitable tools and technical measures.
- 13. Establishing contact
Controller and service provider according to Art. 13 GDPR for the United Kingdom
my mobile company GmbH
Commercial register: HRB 89673 (County Court Düsseldorf)
VAT ID No.: DE256314110, Germany
Users can reach the controller’s Data Protection Officer for the European Union (Attorney Ralf Hansen, Düsseldorf) in case of queries, to leave comments, or submit suggestions as follows:
my mobile company GmbH