Data Privacy Statement

We are pleased to welcome you to the msg.Check-In App.

The following explains which information we collect when you use the App and how we process it, naturally in compliance with applicable data security regulations.

Should our data privacy statement change, it will be updated on this page in order to keep you informed as to which data msg systems ag stores and uses.

The most important data privacy information can be found below. We have organized the information by topic.

I. General information on data processing

1. Why we use data

We wish to provide our users with a personalized experience in our application based on minimal use of personal information. Should you entrust us with your personal information, the application will use it solely for the purpose of displaying user data in the Check-In process (e.g. name and profile picture), to organize locations based on the user's preferred city and to facilitate the creation of teams and following/follower relationships.

2. Information on the collection of personal information

The following provides information on the collection of personal information when using our application. Personal information includes all information that relates to you personally, e.g., name, address, e-mail address, profile photo, check-ins, teams, following/follower relationships etc.

Our use of the data shall be limited to the aforementioned purposes. Information shall not be forwarded to third parties outside msg group.

Numeral 6, Para. 1, Item a of the General Data Protection Regulation (GDPR) forms the legal basis for any consent we obtain from relevant persons for the operations involved in processing personal information.

Numeral 6, Para. 1, Item b of the General Data Protection Regulation (GDPR) forms the legal basis for the processing of personal information in order to fulfill a contract when the relevant person is one of the contract parties. This includes processing operations necessary to complete measures that precede the contract.

Numeral 6, Para. 1, Item c of the General Data Protection Regulation (GDPR) forms the legal basis for the processing of personal information to the extent such is necessary in order to comply with legal obligations to which our company is subject.

Numeral 6, Para. 1, Item f of the General Data Protection Regulation (GDPR) forms the legal basis for any processing necessary to ensure a legitimate interest of our company or a third party, as long as such do not outweigh the interests, fundamental rights and fundamental freedoms of the person in question.

4. Data deletion and retention period

The personal information of the relevant person shall be deleted or locked as soon as the purpose for which such was stored is no longer applicable. Storage beyond such is possible if provided by European or national lawmakers in laws or other regulations to which the responsible party is subject under Union law. Data shall also be locked or deleted once the retention period prescribed in the given norms expires, unless storage of the data is still required in order to conclude or fulfill a contract.

In general, the application uses the following principles in respect to data deletion and retention period:

  • User data is synchronized from the Identity Provider (Employee Directory) upon successful login to the application and on a weekly basis. Once the user is removed from the Identity Provider, all user-related data will be removed from the application during the next synchronization. The maximum retention period for personal data after the user is removed from the Identity Provider is therefore one week (until the next scheduled synchronization).
  • User data is not implicitly deleted by the application as long as the user is active in the Identity Provider. However, at any time, the user has the option to remove all personal information from the application, except for the name and email address.
  • Historical Check-In information is stored according to the retention policy set by each customer individually. After this set date, all historical information which is traceable to the end-user is removed from the application. The only Check-In data stored by the application after this date is anonymized and used for Reporting functionality.

II. Accessing the application

1. Collection of personal information when using our application

The only personal information we collect when you use our application is the following:

  • Last Name, First Name, Middle Name (if available)
  • E-Mail address
  • Corporate Photo from Employee Directory (if provided)
  • Company (if provided)
  • Department Allocation from Employee Directory (if provided)
  • Country, City and Street Address of main office allocation for an employee, from Employee Directory (if provided)
  • Team memberships
  • Workplace and parking reservations (check-ins)
  • Following / Follower relationships
  • Technical information (username - if it is different from the email address, flag for acceptance of terms of using the app, ...)

At any point in time, the user has the option to export all data which the application has stored regarding him / her.

Additionally, the application collects log data regarding certain actions within the application. The product team has read access to both infrastructure-level and application-level logs and metrics. Development guidelines are in place to ensure that no confidential or personal data is written into the application logs.

Legal basis for the temporary storage of data and log files is Numeral 6, Para. 1, Item f of the General Data Protection Regulation (GDPR).

3. Purpose of the processing

We process the aforementioned data solely for the functional purpose of the application. We process names and profile pictures of users (if provided) solely to give users the possibility to connect with their colleagues and to browse through the user directory. By providing access to such information, the users are able to create Following / Follower relationships or Team relationships and exchange their Check-In information. Display of such information in the application is also subject to privacy settings, controllable by each user. By choosing a private profile, the user does not share private information (such as name or profile photo) with all colleagues, but only with specific colleagues for whom consent to enter into a Following / Follower or Team relationship was previously given.

We process personal information such as Check-In information solely for the purpose of ensuring a correct assignment of workplaces / parking spaces to users and to be able to keep track of workplaces / parking spaces occupancy.

We process personal information such as City (if provided) in order to better organize office locations for the user, based on the most probable building in which one would need to create a Check-In.

We process personal information such as Teams allocation and Following/Follower relationships solely for the purpose of displaying Check-In information in form of a Social calendar and to allow users to perform group Check-Ins.

We process the email address solely for the purpose of sending email notifications (if enabled – subject to privacy settings) upon relevant actions performed in the application: receiving a following request, user has been added to a team, user performed a Check-In (workplace / parking space), user is part of a group Check-In, user is removed from a group Check-In.

Other personal information, such as department allocation, is only displayed for the user and not used in other contexts of the application.

We process log data solely for the purpose of being able to investigate potential malfunctions of the application and to be able to provide support to the customers. No log data is transmitted to third parties.

4. Retention period

The application does not explicitly remove, at any point, personal information such as profile photo, department allocation or city, nor Following / Follower relationships or Team allocations. The user has the option to remove this information at any time.

Historical Check-In information is stored in the application for a number of days decided by each customer. After this date, all personally identifiable Check-In information is deleted from the database. The only Check-In data stored by the application after this date is anonymized and used for Reporting functionality.

Infrastructure-Level logging can be activated on demand for troubleshooting purposes. Detailed logs and metrics are then analyzed using AWS CloudWatch. CloudWatch logs are maintained for troubleshooting purposes for a period of 14 days.

5. Objection and removal options

Name and email address cannot be removed by the user from the application. All other personal information can be edited and removed by the user. Historical data is removed from the application after the number of days decided by each customer.

III. Use of cookies

1. Description and scope of the data collection

Our application uses only strictly necessary, first-party session cookies which are required for authentication. A brief explanation of what these cookies are can be read below.

Session cookies are temporary and expire once you close your browser (or once your session ends).

First-party cookies are cookies which are put on your device directly by our application, namely the session ID (as opposed to third-party cookies, which we do not use).

Strictly necessary cookies are essential for you to log in to our application and have a valid session. For this type of cookie, explicit consent is not necessary.

Legal basis for the processing of personal information when using cookies is Numeral 6, Para. 1, Item f of the General Data Protection Regulation (GDPR).

3. Purpose of the data processing

Strictly necessary cookies are essential for you to log in to our application and have a valid session.

These purposes form our legitimate interest in processing personal information as set forth in Numeral 6, Para. 1, Item f of the General Data Protection Regulation (GDPR).

4. Retention period

Cookies are stored on the user's computer for as long as the session is open.

5. Objection and removal options

There is no possibility to reject the use of strictly necessary cookies as they are required in the login process. There are no parts of the application which can be accessed by unregistered users.

IV. Feedback form

1. Description and scope of the data collection

The purpose of the feedback form is to allow users to report defects or to request new features for the application. By filling in this form, the users consent to sending personal information such as email address, name or screenshots from the application to the product team, if they choose to fill in this information.

Legal basis for processing information once the user's consent has been obtained is Numeral 6, Para. 1, Item a of the General Data Protection Regulation (GDPR).

3. Purpose of the data processing

The purpose of the feedback form is to allow users to report defects or to request new features for the application.

4. Retention period

The information provided via this feedback form is kept by the product team as long as it is necessary to resolve a defect or to provide the newly requested features.

5. Objection and removal options

Once the user has provided his/her name or email address in the feedback form, he/she does not have the option to object. The send action cannot be undone.

V. Where is my information processed?

Your information is processed and hosted in European countries within the legally permissible limits (Germany). There are no plans for transmission to third countries.

VI. How safe is my information?

msg systems ag has taken extensive technical and operational safety precautions in accordance with applicable European law to protect your information from unauthorized access and misuse.

VII. Will my information be shared with third parties?

No information will be shared with third parties, with the exception of the companies of the msg group.

VIII. Rights held by the affected person

Anytime your personal information is processed you are considered an affected person pursuant to the GDPR and you have the following rights in connection with the responsible party:

1. Right to disclosure

You have the right to request information on the scope, origin and recipient of stored information, as well as the purpose of the storage, at no charge to you. At any point in time, you have the option to export all data which the application has stored.

2. Right to correction

You have the right to demand a correction and/or completion from the responsible party should the processed personal information related to you be incorrect or incomplete. The responsible party must make the corrections without delay.

3. Right to deletion

You have the right to request that the responsible party immediately delete any personal information related to you and the responsible party is required to delete said data without delay should any of the following reasons apply:

  1. The personal information related to you is no longer required for the purpose for which it was collected or otherwise processed.
  2. You revoke the consent on which the processing was based pursuant to Numeral 6, Para. 1, Item a or Numeral 9, Para. 2, Item a of the General Data Protection Regulation (GDPR) and there is no other legal basis for the processing.
  3. You submit an objection to the processing pursuant to Numeral 21, Para. 1 of the General Data Protection Regulation (GDPR) and no legitimate reasons for the processing that have precedence over your objection exist, or you submit an objection to the processing pursuant to Numeral 21, Para. 2 of the General Data Protection Regulation (GDPR).
  4. The personal information related to you was processed unlawfully.
  5. The deletion of the personal information related to you is necessary in order to meet a legal obligation under Union law or the law of the member states to which the responsible party is subject.
  6. The personal information related to you was collected in relation to services offered by the information company pursuant to Numeral 8, Para. 1 of the General Data Protection Regulation (GDPR).

4. Right to data portability

You have the right to obtain the personal information related to you and which you shared with the responsible party in a structured, commonly used and machine-readable format. At any point in time, you have the option to export all data which the application has stored.

5. Right of objection

You have the right, for reasons arising from your particular situation, to object to the processing of personal information related to you, which was being processed pursuant to Numeral 6, Para. 1, Item e or f of the General Data Protection Regulation (GDPR), at any time; this includes any profiling based on these policies.

The responsible party will cease processing any personal information related to you unless they can provide proof of urgent, protection-worthy reasons for the processing that outweigh your interests, rights and freedoms or unless the processing serves the enforcement, exercising or defense of legitimate claims.

You have the right to revoke your privacy consent statement at any time. Revoking your consent shall not affect the legitimacy of the processing that was performed with your consent up to the time your consent was revoked.

6. Right to submit complaint to supervisory body

Notwithstanding other administrative or legal remedies, you will generally have the right to submit a complaint to a supervisory body, specifically in the member state of your place of residence, your place of employment or the location of the alleged breach, if you are of the opinion that the processing of the personal information related to you violates the GDPR.

The supervisory body to which the complaint is submitted shall inform the complainant of the status and results of the complaint, including the option of legal remedy pursuant to Numeral 78 of the GDPR.

Version: 20/05/2021