Data protection
Data protection for the Spielwarenmesse App
Thank you for our interest in our app. The protection of your personal data when processing it for the use of the app is paramount to us. Your personal data is collected and processed in compliance with the applicable data protection regulations, particularly the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the regulations of the EU member states which apply to us. This Data Protection Declaration provides information on the type, scope and purpose of the personal data processing activities within the scope of the use of the app and related functions. This Data Protection Declaration also explains your rights.
By downloading and installing / using our app, you enter into a contract with us on the use of the app and explicitly agree with the information and methods stated in the Data Protection Declaration.
1. Controller
The controller within the meaning of the General Data protection Regulation, other national data protection laws of the EU member states and other data protection regulations is:
Spielwarenmesse eG
Executive Board: Florian Hess, Jens Pflüger, Christian Ulrich (Spokesperson of the Board)
Data Protection Officer: Michael Horsch
Herderstr. 7
90427 Nürnberg
Germany
2. Data protection officer
The data protection officer responsible for data processing is:
Michael Horsch
Phone: +49-911 99813-13
E-mail: datenschutz@spielwarenmesse.de
Please contact our data protection officer directly should you have questions or suggestions relating to data protection or wish to object to the processing of your data in accordance with this Data Protection Declaration.
3. Terminology
This Data Protection Declaration is based on the terminology of the GDPR. Please refer to the definitions in Art. 4 GDPR in this respect.
a. personal data
'personal data' means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b. processing
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c. restriction of processing
'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future.
d. controller
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
e. consent
'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. Data processing
a. Device information and events
We process device data to send you push notifications, synchronise your favourites and for crash reporting to determine errors that may have caused the app to crash. This includes the following data: device ID, model and name, operating system, time stamp and error cause.
The data has to be processed as part of the favourites synchronisation process and sending of push notifications in order to fulfil the contract concluded with you and the legal basis for this data processing is therefore Art. 6 (1) lit. b GDPR.
The data is required for crash reporting in order to analyse and correct errors and/or app crashes. This purpose represents our legitimate interest in the data processing activities and the legal basis for the processing is therefore Art. 6 (1) lit. f GDPR.
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. Push notification data is deleted as soon as the query has been processed. You can deactivate the push notification service and thus object to the processing of your personal data. No data is collected if you do not use the favourites synchronisation function. For further information on the favourites synchronisation function go to Section k.
The data is essential for crash reporting; you cannot object to this processing. Please uninstall the app if you object to the data being processed for this purpose. The crash data is deleted as soon as it is no longer required for analysis and error correction purposes.
b. Location data
We need to access the location of your device to provide you with location based services. As part of this service, we send you helpful information relating to your location and the respective event. Your location data is determined via GPS data, Wi-Fi network IDs in the area, mobile communications data and Bluetooth and is only used for the technical implementation of the corresponding functions.
Your location data is not used to create movement profiles other than your current location and we neither log nor store it.
You can object to this access by adjusting the settings of your operating system at any time. Please note that individual functions may not be available if you block access.
c. Calendar access
We need to access your calendar to give you the option to store the dates of your trade fair visit plans in your calendar. We do not read or store any personal data from your calendar during this process. You can object to this access by adjusting the settings of your operating system at any time. Please note that individual functions may not be available if you block access.
d. Address book access (optional)
Access to the address book offers the option of saving the contacts received via the digital business card or the exhibitor directory. The system checks locally on your device whether the contact is already saved in your address book. To save the exhibitor contacts, the app requires access to your address book.
Address book access also offers the option of inviting your own contacts to use the app. As soon as you search for a contact in Networking who is not yet an app user / net-working participant, you can check whether the user exists in the local address book after granting access to the address book and then invite them to use the app.
Access will only take place if you have given your prior consent. The legal basis for this is your consent in accordance with Art. 6 (1) (a) GDPR, which can be revoked at any time. To do so, please deactivate access in the app settings on your device.
e. Camera access
We need to access your camera to read digital business cards in the form of QR codes. The data is stored on your device. You can object to this access by adjusting the settings of your operating system at any time. Please note that individual functions may not be available if you block access.
f. Device storage access
We need to access your device’s storage to store your own digital business card and trade fair visit data created by you. You can object to this access by adjusting the settings of your operating system at any time. Please note that individual functions may not be available if you block access.
g. Gallery access
Access to the gallery is required if you wish to upload a profile photo from your photo album.
g. Social media
Login options for the social networks XING.com and LinkedIn are integrated in our app. These services are provided by XING SE, Dammtorstrasse 30, 20354 Hamburg, Germany (“Xing”), and LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”) (“providers”).
By using such a login option in the app, a direct link is created to the Xing and LinkedIn servers. This enables the providers to obtain information on your app activities.
Please note that we, as the operators of the app, have no knowledge of the contents of the transferred data nor their use by the providers.
The purpose and scope of the data collection activities and further processing and use of the data by the providers as well as your respective rights and settings options to protect your privacy are stated in the data protection policies of the providers.
Xing data protection policy: https://privacy.xing.com/de/datenschutzerklaerung
LinkedIn data protection policy: https://www.linkedin.com/legal/privacy-policy
When using the login option of the social networks, the provider transfers to us the following personal data of the user: forename, surname, position, company, phone number, e-mail address, website and profile picture. We only process this data to set up your digital business card and for matchmaking purposes.
The data has to be processed as part of the setup of the digital business card in order to fulfil the contract concluded with you and the legal basis for this data processing is therefore Art. 6 (1) lit. b GDPR. The data remains stored in the app and is deleted when you uninstall the app. You can object to the processing of the data at any time. Please note that individual functions may not be available if you object to the processing of your personal data.
h. Usage Tracking
This app uses Matomoa (formerly Piwik). Matomo is an open source web analytics application. We use Matomo to record data on the manner, how and which app functions have been used. This includes search requests, advertising banner clicks and which groups of goods and exhibitor entries are called up in the app and at which frequency. The information recorded on the use of this app is transferred to our servers and not to third parties.
We only use Matomo with activated IP anonymisation. The IP address of the user is abbreviated to two bytes. This abbreviation makes it impossible to link the IP address to your person.
The processing of personal data enables us to analyse the behaviour of the users of our app. This data is analysed to continuously optimise our app, its contents and ease of use.
These purposes represent our legitimate interest in the data processing activities and the legal basis for the processing is therefore Art. 6 (1) lit. f GDPR.
The personal data is deleted after 24 months.
You can prevent the collection and processing of your data relating to the use of the app by Matomo by deactivating this function in the App Settings.
i. Miscellaneous
Further to the types of access stated above, we only process personal data within the scope of the use of individual app functions. We do not collect any additional personal data if you do not use these functions.
To make it possible to synchronise the favourites stored in the app with the watch lists in the online exhibitor catalogue, login data is transferred in addition to your favourites during the synchronisation process as an identifier for your user account in relation to the online exhibitor catalogue. You have to enter this login data in the app yourself before the first synchronisation. This login data is stored in the app to make subsequent synchronisation processes easier. The synchronisation process only starts when you press the “Synchronise favourites” button in the app.
In accordance with Art. 6 (1) lit. f GDPR, your data is processed in order to improve the ease of use.
5. Security measures
We have implemented numerous technical and organisational measures for the processing of personal data to ensure that the processed personal data is as fully protected as possible. However, we would like to point out that it is impossible to fully protect the data against third-party access during internet-based data transfer due to the general security gaps of the latter.
6. Transfer to third parties and countries
We generally only use your personal data within our company.
We only disclose or transfer personal data to other persons or companies or grant them any other form of access to the data within the scope of our processing activities if we are permitted to do so by law, have your consent and/or a legal obligation to do so or if this is based on our legitimate interests.
In the event of us engaging a third party with the processing of personal data based on an order processing agreement, the legal basis is Art. 28 GDPR.
We do not, and do not plan to, transfer the data to instances or persons outside the EU, with the exception of the use of Google Analytics. In this case, the data is only processed in a third country under the special terms and conditions stated in Art. 44 et seqq. GDPR. The data is therefore processed on the basis of special guarantees, such as the official determination of a data protection standard which matches that of the EU (in this case the “EU-US Privacy Shield”).
7. Rights of the data subject
The applicable laws give you various rights regarding your personal data. If you wish to assert these rights, please send your request, including a clear identification of your person, via e-mail or mail to the address stated in No. 2.
Below is an overview of your rights.
a. Right to information
You have the right to request confirmation from us if we are processing any personal data relating to you at any time.
If we process your personal data, you have the right to request free-of-charge information on which data is being processed and receive copies of the data. You further have the right to receive the following information:
- Data processing purposes;
- Categories of personal data being processed;
- Recipients or categories of recipients to whom your personal data has been, or will be, disclosed;
- Planned storage period for your personal data or criteria for determining the storage period if it is impossible to specify;
- Existence of the right to correction or deletion of your personal data, the right to limit its processing by us or the right to object against such processing;
- Existence of the right to complain to a supervisory authority;
- All information available on the origin of the data if it has not been collected from the data subject;
- Existence of an automated decision-making process, including profiling, in accordance with Art. 22 (1) and (4) GDPR and meaningful information on the logic involved as well as the consequences and intended effects of such processing on you.
If your personal data is transferred to a third country or international organisation, you have the right to be informed about the suitable guarantees in accordance with Art. 46 GDPR in connection with the transfer.
b. Right to correction
You have the right to request for us to correct any of your personal data that is inaccurate and complete any incomplete personal data relating to you without delay.
c. Right to deletion
You have the right to request for us to delete your personal data immediately and we are obliged to delete such personal data without delay if one of the following reasons applies:
- Your personal data is no longer required for the purposes for which it was collected or processed in any other manner.
- You withdraw your consent for the processing in accordance with Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal basis for such processing.
- You object against the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate interests for the processing or you object to the processing in accordance with Art. 21 (2) GDPR.
- Your personal data has been processed illegally.
- The personal data has to be deleted in order to fulfil a legal obligation under EU law or the law of the member states applicable to us.
- The personal data was collected with regard to services offered by the information company in accordance with Art. 8 (1) GDPR.
If we have published your personal data and are obliged to delete it in accordance with Art. 17 (1) GDPR, we shall implement adequate measures, including technical measures that take into consideration the available technologies and implementation costs, to inform the controllers that are processing the personal data that you, the data subject, have requested the deletion of all links to this personal data, copies or duplicates thereof.
The right to deletion does not exist if the processing is required for
- Exercising the right to freedom of speech and information;
- Fulfilling a legal obligation which is governed by EU law or the law of the member states applicable to us, or performing a task transferred to us which is in the interest of the general public or necessary to enforce the orders of a public authority;
- Reasons of public interest with regard to public health in accordance with Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
- Archiving purposes that are in the interest of the general public, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR if the right to deletion can be expected to make the realisation of the objectives of such processing impossible or if it would significantly impair it; or
- Asserting, enforcing or defending legal claims.
d. Right to limitation of processing
You have the right to request for us to limit the processing of your personal data under the following conditions:
- You dispute the accuracy of your personal data for a period of time which enables us to check its accuracy;
- The processing activities are illegal and you reject the deletion of your personal data and instead request for the use of it to be restricted.
- We no longer require the personal data for the purposes of the processing activities, but you require the data for asserting, enforcing or defending legal claims; or
- You have objected against the processing of the data in accordance with Art. 21 (1) GDPR and it has not yet been asserted if our legitimate interests outweigh yours.
e. Right to data transferability
You have the right to receive your personal data which you provided to us in a structured, standard and machine-readable format. You also have the right to transfer this data to another controller without obstruction from us if the processing is based on consent in accordance with Art. 6 (1) lit. a or Art. 9 (1) lit. a GDPR or on a contract in accordance with Art. 6 (1) lit. b GDPR and automated methods are used for processing the data. In accordance with Art. 6 (2) GDPR, you further have the right to request for us to transfer your personal data to another controller if this is technically possible and does not violate the rights and freedoms of other persons in accordance with Art. 6 (4) GDPR.
f. Right to objection
You have the right to object against the future processing of your personal data which is based on Art. 6 (1) lit. e or f GDPR at any time. This also applies to any profiling based on this provision. In particular, you may object to processing for the purposes of direct advertising.
In the event of an objection, we no longer process your personal data, unless we have proof of compelling reasons for the processing activities that are worth protecting and which outweigh your interests, rights and freedoms, or the processing activities serve to enforce, execute or defend legal claims.
You have the right to object against the processing of your personal data for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR, unless the processing is required for fulfilling a task which is in the interest of the general public.
g. Right to withdraw consent to process personal data
You have the right to withdraw your consent to the processing of your personal data at any time. The withdrawal of this consent does not affect the legality of the processing based on the consent until its withdrawal.
h. Automated decision-making
You have the right not to be subjected to decisions exclusively based on automated processing, including profiling, which have legal implications or similar negative effects on you.
This does not apply if the decision
- Is required for concluding or fulfilling a contract between you and us;
- Is legal in accordance with EU law or the laws of the EU member states which apply to us and these laws contain adequate measures for maintaining your rights and freedoms as well as your legitimate interests; or
- Is made with your explicit consent.
i. Right to complain to a supervisory authority (Art. 77 GDPR)
You have the right to complain to a responsible supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR.
8. Amendments to our Data Protection Declaration
We reserve the right to amend this Data Protection Declaration to ensure that it always meets legal requirements. Please refer to the version number, including date, at the top of the Data Protection Declaration in this respect.