Data protection – an integral part of our company

D-Trust GmbH (hereinafter referred to as “D-Trust”) is a subsidiary of Bundesdruckerei Gruppe GmbH. The protection of personal data is an important concern for Bundesdruckerei GmbH and its subsidiaries (collectively the “Bundesdruckerei Group”). Consequently, we process personal data in compliance with the applicable legal provisions on the protection of personal data and data security.

The close cooperation within the Bundesdruckerei Group and with our partners means that individual processing steps may be carried out under the data protection responsibility of another party. All the information you need to get a comprehensive and transparent view of the data processing carried out in connection with D-Trust services and products is available here at a single location. If D-Trust is not responsible under data protection law with regard to individual processing steps, this is stated at the beginning of each respective processing step.

This data protection information relates to processing within the scope of D-Trust’s responsibility under data protection law:

D-Trust GmbH

Kommandantenstrasse 15

10969 Berlin

E-mail: info@d-trust.net

You can contact the D-Trust Data Protection Officer by post with the addition “Attn Data Protection Officer” and by e-mail at datenschutz@d-trust.net.

This data protection information relates to the following data processing:

I. Visiting Our Website

II. Social Media Activities

III. Customer Events

IV. D-Trust Portal for Certificate Products

V. eHealth Application Portal

VI. Certificate Service Manager

VII. Sign-Me

VIII. Telephone Campaign

IX. Whistleblower System

X. Export Control

XI. Further Information

XII. Rights of Data Subjects

I. Visiting Our Website

Bundesdruckerei GmbH, Kommandantenstraße 18, 10969 Berlin, Germany (info@bdr.de), is responsible for data processing in connection with the provision of this website and the associated functions and decides on and designs D-Trust GmbH’s public image here.

You can contact the Data Protection Officer of Bundesdruckerei GmbH at the above address with the addition “Attn Data Protection Officer” or by e-mail at datenschutz@bdr.de.

1.1 Data Subjects and Categories of Personal Data

As part of your use of this website, we regularly process the following personal data of website visitors:

  • contact details such as first and last name, e-mail address or your telephone number, which you provide voluntarily, such as when registering, making contact requests, participating in surveys, etc.,
  • information provided as part of a support request,
  • information that is automatically sent to us by your web browser or end device, such as your IP address, device type, browser type, previously visited websites, visited subpages or the date and time of the respective visitor request.

1.2 Purposes and Legal Basis of the Personal Data Processing

We process your personal data to enable you to use the services and functions of this website.

The processing of personal data is necessary to achieve this purpose. More details on this are provided later on in the data protection information. Extensive information is provided on the individual processing activity as well as the legal basis for processing your personal data.

1.3 Use of Cookies

When you visit our website, we collect personal data via your Internet browser and by using session cookies, which are necessary for technical reasons, during your active connection. These session cookies enable us to make the website available. They usually expire at the end of the session.

Most browsers are set to accept cookies automatically. You can also deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent. We receive the following information through the use of session cookies:

  • date and time the website was accessed,
  • web browser and operating system used and the device type,
  • complete IP address of the requesting device and referrer URL,
  • volume of data transferred.

The legal basis for the storage of information in the end user’s terminal equipment is Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG). The use of session cookies is an essential requirement for us as the provider of the website (digital service) that enables us to make this digital service available as expressly requested.

1.4 Processing of Log Files

Every time you access this website or retrieve a file, data about this process is temporarily processed in a log file. More specifically, personal data is stored to the same extent as when session cookies are processed.

This data is analysed in the event of attacks (e.g., DDoS attacks) on the communication technology and, if necessary, used to initiate legal and criminal proceedings. These log files are deleted after seven days at the latest. The legal basis for this processing of your personal data is Art. 6 (1) sentence 1 (f) GDPR. Our legitimate interest is the clarification of security-related incidents.

2.1 Newsletter

D-Trust and Bundesdruckerei GmbH are jointly responsible for newsletters and premium content. D-Trust and Bundesdruckerei GmbH have concluded a corresponding agreement for this joint responsibility in accordance with Art. 26 GDPR. The essence of this agreement is disclosed in this section of the data protection information.

The following information explains the content of our newsletter, the registration, dispatch and statistical evaluation process and your rights of revocation. We only send newsletters with promotional information with the recipient’s consent or legal permission. Our newsletters contain information on our products, offers, campaigns and innovations from D-Trust GmbH.

2.1.1 Registration/Double Opt-In Procedure

Your e-mail address is required in order to receive the newsletter. The disclosure of your first name(s) and surname is optional. The registration takes place in what is called a double opt-in procedure. This means that, after subscribing, you will receive an e-mail in which you are requested to confirm your subscription. This confirmation is necessary so that no one can subscribe with another person’s e-mail address. The subscriptions to the newsletter are logged, allowing us to verify the subscription process in accordance with the statutory requirements. In doing so, we store the IP address, the date and time of the registration and confirmation, and any possible changes. The legal basis for this storage is Art. 6 (1) sentence 1 (f) GDPR due to our legitimate interest in being able to prove in cases of doubt that consent has been given to receive our newsletter.

The legal basis for sending the newsletter and processing your personal data is your voluntary and informed consent in accordance with Art. 6 (1) sentence 1 (a) GDPR.

2.1.2 Shipping Service Provider

The newsletter is sent using the Evalanche application from SC-Networks GmbH, Würmstraße 4, 82319 Starnberg. There is an order processing relationship within the meaning of Art. 28 GDPR. The Evalanche data protection regulations are available for viewing here: SC-Networks GmbH.

2.1.3 Statistical Evaluation

We carry out statistical evaluations of the interaction with our newsletters in order to constantly improve the design of our newsletters and to tailor our content to the interests of our users or to be able to send different content according to the interests of our users. Two cookies called “ewafut” and “ewafutano” are also used for this purpose. Technical information is collected, such as information on the browser type and operating system as well as your IP address and the time of access. The statistical analyses also detect whether the newsletter is opened and which links are clicked. This information can be assigned to individual newsletter recipients. As the legal basis for the use of cookies or the statistical analysis based on them, we rely – as with the processing of your personal data for sending the newsletter – on your voluntary and informed consent, here in accordance with Section 25 (1) TDDDG (use of cookies) or Art. 6 (1) sentence 1 (a) GDPR (data processing). The cookies have an operational lifetime of 24 months.

The query as to whether you wish to subscribe to a newsletter takes place via various survey masks (e.g., pop-up modules). You have the option at this point of granting your consent for the purposes described above or refusing to grant your consent by clicking on “Close window”. We use another cookie called “exit-popup” or “exit-intent” to prevent the pop-up module or exit-intent module from being displayed again immediately if you do not give your consent. This technically necessary cookie has an operational lifetime of 21 days and serves the sole purpose of storing the consent status. The legal basis for the use of this cookie is Section 25 (2) No. 2 TDDDG.

Revocation: Your consent is valid until its revocation, which you are entitled to declare at any time with effect for the future. You can unsubscribe from e-mail communication at any time. The “Unsubscribe” link is provided at the end of each newsletter e-mail. Or you can send us an e-mail to datenschutz@d-trust.net. The revocation of consent has no effect on the lawfulness of the processing carried out on the basis of the consent until the revocation.

Please note that, if you revoke your consent to the use of Evalanche, you will be deleted from our newsletter mailing list and will no longer be able to receive the newsletter. If you revoke your consent, the consent data will be stored for a reasonable period of time in blocked form. The legal basis for this is Art. 6 (1) sentence 1 (f) GDPR due to our legitimate interest in being able to prove, in cases of doubt, that consent was given to receive our newsletter at a certain point in time.

2.2 Premium Content

On our website we provide premium content such as whitepapers for download. Such content relates to specific topics and is extensively processed. In connection with the provision of premium content, we ask you to give your consent to the use of your e-mail address, your first name and surname and your company for the purpose of sending newsletters for D-Trust services. Please refer to point 3.1 of this data protection information to find out what your consent covers in detail, how we proceed in the event of your consent, which evaluations we carry out and the option of revocation.

Your e-mail address is processed on the basis of your consent within the meaning of Art. 6 (1) sentence 1 (a) GDPR. You provide us with your personal data voluntarily in return for the opportunity to use premium content. Once you have completed the registration process (see Section 2.1), we will send a link to the desired content to the e-mail address you have provided.

We can also use the e-mail address to determine whether the user has already been in contact with us or whether they have already registered for other premium content. This assignment is made on the basis of Art. 6 (1) sentence 1 (f) GDPR. Avoiding duplicates and the correlation of which contacts have accessed which content is considered legitimate within the purpose of this regulation.

We have provided a contact form so that you can get in touch with us. You can choose whether to have us respond to your enquiry by telephone or by e-mail. You can specify this in a free text field after you have preselected the topic of your enquiry. This enables us to find the right contacts as quickly as possible. Possible recipients of your data are therefore the internal employees who respond to your request, along with companies belonging to the Group that are affected by your request.

In order for our consultation team to contact you via e-mail, we first need your confirmation that you are the owner of the e-mail address you provided. This confirmation is done by means of a double opt-in procedure. In other words, after making contact, you will receive an e-mail from us asking you to confirm your enquiry. Enquiries are logged to allow us to verify the enquiry process using our contact form in accordance with the statutory requirements. In doing so, we store the IP address, the date and time of the registration and confirmation, and any possible changes.

The legal basis for this storage is Art. 6 (1) sentence 1 (f) GDPR. In cases of doubt, our legitimate interest lies in our being able to prove that we have permission to contact you for the purpose of scheduling a specific consultation appointment.

Some fields are not mandatory. Nevertheless, if you choose to provide the corresponding information, you consent to us processing your personal data for the purpose of responding to your enquiry. If you also agree to receive our newsletter when making an appointment, we will proceed as described in Section 2.1.

The legal basis for processing your personal data in connection with the contact request is Art. 6 (1) sentence 1 (b) GDPR if you are interested in further information about our products. However, if you pursue a different request, we will process your personal data in accordance with Art. 6 (1) sentence 1 (f) GDPR on the basis of our legitimate interest in responding to your request and providing information about our products and services.

Our website integrates videos from YouTube. The provider of the video platform is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland. A connection to the YouTube servers is only established when you call up an embedded video (two-click method). Once you do, the YouTube server is informed about which of our pages you have visited. YouTube also receives your IP address. This is true even if you are not logged in to YouTube or are not a Google account holder. By being logged in to your Google account while on YouTube, you allow Google to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your Google account on YouTube or deactivating the corresponding function in your Google profile settings.

Personal data is also transferred to Google servers (Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA) in the USA and stored there. However, due to the activation of IP anonymisation “anonymiseIp()”, your IP address is shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. Google has a corresponding certification in accordance with the DPF. Further information on the handling of personal data is available in the data protection information provided by Google.

The legal basis for the processing is your voluntary and informed consent in accordance with Art. 6 (1) sentence 1 (a) GDPR and Section 25 (1) TDDDG, which you can revoke at any time with effect for the future. The legality of the data processing carried out until the time of such revocation remains unaffected by the revocation.

To obtain information about the behaviour of website visitors, we use the web tracking tool etracker from eTracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany. We only use personal data for the visitor count, which the browser transmits anyway. However, we anonymise this data for the further purpose of “analysing user behaviour”, as we do not create user profiles. Web analysis is therefore not conducted on the basis of personal data but with the help of “cross-device IDs” that cannot be linked to individual users.

The legal basis for processing your personal data for the analysis of your user behaviour is your voluntary and informed consent in accordance with Art. 6 (1) sentence 1 (a) GDPR. You can revoke your consent at any time with effect for the future by sending an e-mail to Datenschutz-Request@bdr.de. Revoking consent has no effect on the lawfulness of the processing carried out on the basis of the consent until the time of revocation.

You can also revoke your consent to the use of the etracker analysis tool at any time with effect for the future by clicking on the following button.

II. Social Media Activities

For our comprehensive public image, we operate a company page on popular business networks. The following data protection information applies to the processing of personal data within the portals.

When you visit, follow or explore our LinkedIn company page, LinkedIn processes personal data about this interaction, which enables us to evaluate user behaviour using statistics. This involves the “Page insights” function. For these statistical analyses, LinkedIn primarily processes the data you provide to the platform via information in your profile. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. When we organise polls, i.e., activate topic-related surveys on our company website, we see evaluations of the voting behaviour.

LinkedIn does not provide us with any personal data via page insights. We only have access to summarised page insights that do not allow any conclusions to be drawn about individual members.

The personal data associated with page insights is processed by LinkedIn and us as joint controllers. The evaluation of the actions on our LinkedIn company page supports the constant efforts to align our public relations work with the needs of users and represents a legitimate interest. The legal basis for processing this data is Article 6 (1) (f) GDPR.

We have entered into a joint controllership agreement with LinkedIn, which sets out the allocation of data protection obligations between us and LinkedIn. Click here to view the agreement. Under data protection law, the company is the sole party responsible for processing personal data within the LinkedIn platform. Further information on the processing of personal data by LinkedIn is available here.

Please note that LinkedIn processes personal data in the USA or other third countries. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. LinkedIn is certified in accordance with the DPF. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

III. Customer Events

Personal data is processed for the organisation and implementation of customer events at D-Trust. The data may be related to our products and support exchange in the context of projects or cooperations, which can have a promotional character.

Image and sound recordings may be made by D-Trust during the events.

In addition, we may provide participants with information by e-mail or post after the event. This information may contain a reference to our products and services, and therefore have a promotional character.

2.1 Data Subjects

People from D-Trust customers and the following groups of people are invited to customer events:

  • Interested parties, including politicians, association members and persons from supervisory authorities
  • Along with employees of the Group, third-party speakers at this event include people from the field of politics
  • Customers
  • Partners
  • Employees of the Group

2.2 Data Origin and Categories

As part of the organisation and handling of internal and external events, D-Trust processes in particular the following categories of personal data of the participants who have provided it or which can be retrieved from publicly accessible sources:

  • Academic degree
  • Contact details (including postal address and e-mail address)
  • Name
  • Organisational affiliation (e.g., department)
  • Position
  • Short profile of speakers
  • Information on your state of health (e.g., if you have intolerances or photosensitivity and have provided us with this information)

We use the personal data for the targeted invitation to and implementation of D-Trust events. Your personal data is processed for these D-Trust events in order to invite you, plan the framework conditions of the event, control access to Bundesdruckerei's properties if applicable and organise the event. These events are also used to exchange information and as part of customer projects or collaborations. The legal basis for this processing of your personal data is our legitimate interest (Art. 6 (1) sentence 1 (f) GDPR) in the invitation to, planning and implementation of information events.

The processing of personal data is necessary for the aforementioned purposes. If the personal data listed above is not provided or not provided to the extent required, it may not be possible for you to participate due to the need to control access to Bundesdruckerei’s properties.

Photographs and video recordings are used to document the event and for public relations purposes or to promote future events. The legal basis for the processing of your personal data is your consent (Art. 6 (1) sentence 1 (a) GDPR).

In some cases, we process your personal data (e.g., food intolerances) in order to ensure a good and pleasant event experience for you. This personal data is collected during event registration if it is required and you choose to provide it. The legal basis for the processing of your personal data is your consent (Art. 6 (1) sentence 1 (a) GDPR).

Your data is provided only to those departments within D-Trust, and within the Bundesdruckerei Group under the small group privilege (Recital 48 of the GDPR), that need it to fulfil the stated purposes.

The data is only passed on to third parties if this is justified by the safeguarding of our legitimate interests (Art. 6 (1) sentence 1 (f) GDPR). For example, it is in our legitimate interest to share the data of the speakers with the people invited to the events.

Your personal data will not be transferred to a third country.

IV. D-Trust Portal for Certificate Products

When ordering certificate products, D-Trust generally acts as an instruction-dependent processor for the commissioning parties pursuant to Art. 4 No. 8 GDPR. We provide the following information in fulfilment of our obligations under Art. 13, 14 GDPR insofar as we act as the controller pursuant to Art. 4 No. 7 GDPR due to a deviating constellation in individual cases.

Certificate products that our customers have commissioned us with can be ordered via the application route on our website. As part of the process of verifying the application data, identifying persons, authorised signatories and HR departments or supervisors are contacted and included in clarifying the correctness of the certificate data and authorisations. We also process personal data when handling support and service cases.

2.1 Data Subjects

  • Applicants
  • Authorised signatories
  • Third parties with blocking authorisation 
  • Operators (people specially trained for the application portal in our customers’ organisations)

2.2 Data Origin

The data of people involved in the identification or confirmation process is collected directly in the course of their work. You can send us service and support requests via forms or other contact options you have chosen.

2.3 Data Categories

We process the following categories of personal data in the course of our customers applying for and providing certificate products:

  • Certificate data
  • Contact, order and invoice data
  • Blocking password hashes
  • Certificate verification data
  • IP address pairs and times of access
  • Any copies of identity documents (passport, ID card and other ID documents)
  • Biometric photos

Where copies of ID cards are not blacked out, the access number (CAN) and special categories of personal data in the form of a photograph (biometric photo) are transmitted. The photograph constitutes biometric data that allows clear identification.

Personal data is processed for the purpose of fulfilling the contract (Art. 6 (1) (b) GDPR), namely establishing the identity of the applicant, checking and processing the application, ensuring the certificate life cycle, including revocation and operation of the directory service (status information service), and – in individual cases – for troubleshooting, especially in the case of support requests.

We obtain your consent for the copy of the ID card, passport or other ID document pursuant to Art. 6 (1) (a) GDPR.

The certificates are published in the directory service exclusively on the basis of your express consent (Art. 6 (1) sentence 1 (a) GDPR) during the application process unless you obtain an S/MIME certificate. You can object to publication with effect for the future at any time by sending an e-mail to datenschutz@d-trust.net, or you can send the revocation in writing to D-Trust GmbH, Antragsbearbeitung [Application Processing], Kommandantenstr. 15, 10969 Berlin, Germany.

In the case of requests or enquiries pursuant to Section 8 (2) of the Trust Services Act (Vertrauensdienstegesetz, VDG), data is transferred to the competent authorities if they request the transfer in accordance with the applicable provisions, as the transfer is necessary for the prosecution of criminal offenses or administrative offenses, to avert threats to public security or order, or to fulfil the statutory tasks of the federal and state constitutional protection authorities, the Federal Intelligence Service, the Military Counterintelligence Service or the tax authorities, or if courts order the transfer in the context of pending proceedings in accordance with the applicable provisions. The legal basis for transfers to the competent authorities in these cases is Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR.

We pass on the personal data required for this service to Customer Service of Bundesdruckerei GmbH and Inco Spólka z o.o., also a subsidiary of the Bundesdruckerei Group GmbH, in order to provide our support services. Customer Service processes the personal data on our behalf and in accordance with our instructions in order to respond to your support requests. Parts of commercial contract processing are handled by Bundesdruckerei GmbH, and personal data is processed when this is done.

If the certificates were ordered or brokered via a partner of D-Trust GmbH, the partner receives the necessary personal data for purchase and, if applicable, commission processing.

Pursuant to Section 8 (2) VDG, we may pass on your personal data to the competent authorities (see Section 3).

If you have given your consent (see Section 3), we will send your certificate to the directory service that publishes your certificate so that it is accessible in the public area.

The ability to trace the identification process that forms the basis for issuing a certificate is a quality feature of the certificate. Implementation of the retention periods specified by law or in certifications depends on the product.

With regard to qualified signature and seal certificates, the provisions of Section 16 (4) VDG on long-term storage apply for certificates and certificate verification data, including contact data. This corresponds to the entire duration of our company’s operations. If we ever go out of business, the data will be transferred to the Federal Network Agency or another qualified trust service provider as required by law.

All other certificate verification data and certificates are deleted eight years after the validity of the last certificate issued on the data expires. The revocation password hash is deleted no later than one year after the validity of the last certificate issued on the data expires. The copy of the ID card is scanned after receipt. The paper copy is destroyed 21 days after receipt. The scan is deleted after the certificate has been activated or the application has been cancelled.

If we are obliged to do so on the basis of Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR, we will retain this documentation for 12 months pursuant to Section 8 (3) VDG.

IP address pairs and times of access are stored for two years due to the certification requirement and then deleted.

V. eHealth Application Portal

When ordering electronic health professional cards (eHBA), institution certificates (SM-B) and institution ID cards (SMC-B), D-Trust generally acts as an instruction-dependent processor for the commissioning parties pursuant to Art. 4 No. 8 GDPR. We provide the following information in fulfilment of our obligations under Art. 13, 14 GDPR insofar as we act as the controller pursuant to Art. 4 No. 7 GDPR due to a deviating constellation in individual cases.

Personal data is processed in order to provide you with an electronic health professional card (eHBA), institution certificates (SM-B) and an institution ID card (SMC-B). You will receive your card from us once you have applied for your ID card via our portal. We will then provide you with your card for the organisation responsible for you (e.g., Medical Association, Dental Association, Chamber of Psychotherapists, Chamber of Pharmacists or the respective Association of Statutory Health Insurance Physicians). Alternatively, SM-B institution certificates can also be obtained for use as virtual proof of identity. D-Trust acts as a qualified trust service provider for identifying, applying for, producing, issuing and blocking your card in accordance with the requirements of the eIDAS Regulation and the Trust Services Act (Vertrauensdienstegesetz, VDG). D-Trust is responsible for the application process and support services in this context. Our products and services enable card issuers to issue you with your healthcare professional or institutional ID card, or to provide you with the virtual SM-B institution certificate.

We collect your personal data when you contact us, such as when you submit an application or order a product from us. This applies in particular to the submission of applications, contact by telephone or e-mail, the use of our products and services in the context of existing business relationships or if the identification service provider you have selected transmits your personal data to us.

2.1 Persons Concerned

  • Applicant users of the commissioning organisations

2.2 Data Origin

We only process personal data that you have provided to us directly via the application portal or personal data that you have consented to having processed and any personal data that the identification provider has transmitted to us.

2.3 Data Categories

D-Trust processes the following personal data of applicants as part of the application and provision process:

  • Personal identification details (e.g., first name and surname, academic degree, address, date and place of birth, order and invoice data, practice and institution addresses, proof of certification and any membership number)
  • Communication information (e.g., first name and surname, contact details and documentation relating to your support and service case and your requests)
  • Data about your online behaviour
  • Information about your interests and wishes that you communicate to us
  • Biometric photos

Personal data is processed for the purpose of fulfilling the contract (Art. 6 (1) sentence 1 (b) GDPR), namely to establish the identity of the applicant, to check and process the application and, in individual cases, to rectify errors, in particular in the case of support requests. We also inform you by e-mail of the anticipated expiry date before the certificate expires in order to ensure the long-term functionality and validity of your ID card. When you purchase SMC-B, we guarantee the certificate life cycle of your product. This also includes a revocation initiated by you or your card issuer, status information and, if necessary, publication of the certificate in the directory service and the TI. The certificates are published in the directory service exclusively on the basis of your express consent (Art. 6 (1) sentence 1 (a) GDPR) during the application process. You can object to publication with effect for the future at any time by sending an e-mail to datenschutz@d-trust.net.

In the case of requests or enquiries pursuant to Section 8 (2) of the Trust Services Act (Vertrauensdienstegesetz, VDG), data is transferred to the competent authorities if they request the transfer in accordance with the applicable provisions, as the transfer is necessary for the prosecution of criminal offenses or administrative offenses, to avert threats to public security or order, or to fulfil the statutory tasks of the federal and state constitutional protection authorities, the Federal Intelligence Service, the Military Counterintelligence Service or the tax authorities, or if courts order the transfer in the context of pending proceedings in accordance with the applicable provisions. The legal basis for transfers to the competent authorities in these cases is Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR.

3.1 Data Processing and Analysis for Quality Improvement

We use your support requests in particular for quality assurance and troubleshooting purposes in order to answer them correctly, quickly and to your satisfaction. The processing of your personal data to ensure quality and avoid errors is our legitimate interest (Art. 6 (1) sentence 1 (f) GDPR).

We also use insights from our business relationships, market analyses and market research. Data processing (anonymised) is therefore carried out for statistical purposes in order to check efficiency and quality. We process your personal data on the basis of our legitimate interest in improving our products and services and ensuring their quality (Art. 6 (1) sentence 1 (f) GDPR). You can object to these analyses at any time. Send your objection to datenschutz@d-trust.net.

3.2 Advertising Purposes

We process your personal data in order to know which product we may offer you (e.g., eHBA, SMC-B, SM-B). We are also planning to conduct customer surveys. We use your e-mail address to contact you by e-mail regarding your feedback on our products. You can object to this at any time. Please send your objection to datenschutz@d-trust.net.

We pass on the personal data required for this service to Customer Service of Bundesdruckerei GmbH and Inco Spółka z o.o., also a subsidiary of the Bundesdruckerei Group GmbH, in order to provide our support services. Customer Service processes the personal data on our behalf and in accordance with our instructions in order to respond to your support requests. Parts of commercial contract processing are handled by Bundesdruckerei GmbH, and personal data is processed when this is done.

If the certificates were ordered or brokered via a partner of D-Trust GmbH, the partner receives the necessary personal data for purchase and, if applicable, commission processing.

Pursuant to Section 8 (2) VDG, we may pass on your personal data to the competent authorities (see Section 3).

If you have given your consent (see Section 3), we send your certificate to the directory service, which publishes your certificate so that it can be viewed by the public.

We require the data marked as mandatory in order to ensure the identity of the certificate holder. The requested certificate cannot be issued if this information is not provided or is incorrect. The same applies to the submission of evidence, such as organisational affiliation or professional attributes. The data cannot be included in the certificate without verification.

As soon as the personal data is no longer required for the purpose or purposes for which it was collected, it is deleted – unless statutory retention obligations prevent this. The ability to trace the identification process that forms the basis for issuance of a certificate is a quality feature of the certificate. The retention periods specified by law or in certifications are implemented depending on the product.

Certificates with proof of certification for SMC-B are deleted 8 years after the certificate expires. If we are obliged to do so on the basis of Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR, we will retain this documentation for 12 months pursuant to Section 8 (3) VDG.

Your personal data that we process on the basis of your consent is stored or published in the directory service until you revoke your consent.

VI. Certificate Service Manager

When providing the Certificate Service Manager (CSM), D-Trust generally acts as a processor dependent on instructions pursuant to Art. 4 No. 8 GDPR for the commissioning parties. We provide the following information in fulfilment of our obligations under Art. 13, 14 GDPR insofar as we act as the controller pursuant to Art. 4 No. 7 GDPR due to a deviating constellation in individual cases.

The CSM is a web-based, managed PKI service for organisations that request multiple certificates each year and allows them to order, obtain and manage electronic certificate services. This provides access to the following certificate types:

  • DV SSL products and SSL/TLS certificates according to the Domain Validation (DV), Organisation Validation (OV) or Extended Validation (EV) standards
  • Qualified website certificates according to the eIDAS regulation
  • S/MIME certificates for digitally signing and encrypting e-mails and for authenticating users and devices in networks
  • Machine certificates for securing the communication of machines or objects with organisational affiliation
  • Personal certificates certified according to technical guideline TR-03145 of the Federal Office for Security and Information Technology (BSI) for companies, authorities and institutions with the classification level “Classified – For official use only”

We collect your personal data when you or the organisation commissioning us contact us, such as when you submit an application or order a product from us. This applies in particular to the submission of applications, contact by telephone or e-mail, the use of our products and services in the context of existing business relationships or if the identification service provider you have selected transmits your personal data to us.

One or more authorised persons (hereinafter “operators”) within the organisations that receive the CSM have access to the CSM account created for the respective client company. The operators are responsible for the identification of natural persons in the respective organisations and filing them accordingly in the CSM account and for the final approval of certificate requests from individual users.

2.1 Data Subjects

  • Applicant users of the commissioning organisations
  • Operators of the commissioning companies

2.2 Data Origin

We only process personal data that you have provided to us directly via the CSM or personal data that you have consented to having processed and any personal data that the identification provider has transmitted to us.

2.3 Data Categories

D-Trust processes the following personal data of officers as part of the application and provision process:

  • Shipping address
  • Issuing authority
  • Identification document number
  • Validity period
  • Registration address
  • Organisational affiliation
  • Signature
  • E-mail address
  • Fax number
  • Business phone
  • Mobile phone
  • Private phone
  • Extract from the commercial register
  • Academic degree
  • Role / job attribute
  • Date of birth
  • Name at birth
  • Place of birth
  • Gender
  • Surname
  • Pseudonym
  • Title
  • First name
  • Application ID

D-Trust processes the following personal data of operators as part of the application and provision process:

  • Registration address
  • Training data
  • Organisational affiliation
  • Signature
  • E-mail address
  • Business phone
  • Mobile phone
  • Salutation
  • Certificate of good conduct
  • Date of birth
  • Place of birth
  • Surname
  • First name
  • Title

Personal data is processed for the purpose of fulfilling the contract (Art. 6 (1) (b) GDPR), namely establishing the identity of the applicant, checking and processing the application, ensuring the certificate life cycle, including revocation and operation of the directory service (status information service), and – in individual cases – for troubleshooting, especially in the case of support requests. The certificates are published in the directory service exclusively on the basis of your express consent (Art. 6 (1) sentence 1 (a) GDPR) during the application process unless you obtain an S/MIME certificate. You can object to publication with effect for the future at any time by sending an e-mail to datenschutz@d-trust.net, or you can send the revocation in writing to D-Trust GmbH, Antragsbearbeitung [Application Processing], Kommandantenstr. 15, 10969 Berlin, Germany.

For the copy of the ID card, passport or other ID document for the identification of operators, we obtain your consent pursuant to Art. 6 (1) (a) GDPR.

In the case of requests or enquiries pursuant to Section 8 (2) of the Trust Services Act (Vertrauensdienstegesetz, VDG), data is transferred to the competent authorities if they request the transfer in accordance with the applicable provisions, as the transfer is necessary for the prosecution of criminal offenses or administrative offenses, to avert threats to public security or order, or to fulfil the statutory tasks of the federal and state constitutional protection authorities, the Federal Intelligence Service, the Military Counterintelligence Service or the tax authorities, or if courts order the transfer in the context of pending proceedings in accordance with the applicable provisions. The legal basis for transfers to the competent authorities in these cases is Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR.

We pass on the personal data required for this service to Customer Service of Bundesdruckerei GmbH and Inco Spółka z o.o., also a subsidiary of the Bundesdruckerei Group GmbH, in order to provide our support services. Customer Service processes the personal data on our behalf and in accordance with our instructions in order to respond to your support requests. Parts of commercial contract processing are handled by Bundesdruckerei GmbH, and personal data is processed when this is done.

If the certificates were ordered or brokered via a partner of D-Trust GmbH, the partner receives the necessary personal data for purchase and, if applicable, commission processing.

Pursuant to Section 8 (2) VDG, we may pass on your personal data to the competent authorities (see Section 3).

We send your certificate to the directory service, which publishes your certificate so that it is accessible in the public area.

We require the data marked as mandatory in order to ensure the identity of the certificate holder. The requested certificate cannot be issued if this information is not provided or is incorrect. The same applies to the submission of evidence, such as organisational affiliation or professional attributes. The data cannot be included in the certificate without verification.

As soon as the personal data is no longer required for the purpose or purposes for which it was collected, it is deleted – unless statutory retention obligations prevent this. The ability to trace the identification process that forms the basis for issuance of a certificate is a quality feature of the certificate. Implementation of the retention periods specified by law or in certifications depends on the product.

With regard to qualified signature and seal certificates, the provisions of Section 16 (4) VDG on long-term storage apply for certificates and certificate verification data, including contact data. This corresponds to the entire duration of our company’s operations. If we ever go out of business, the data will be transferred to the Federal Network Agency or another qualified trust service provider as required by law.

All other certificate verification data and certificates are deleted eight years after the validity of the last certificate issued on the data expires. The revocation password hash is deleted no later than one year after the validity of the last certificate issued on the data expires. The copy of the ID card is scanned after receipt. The paper copy is destroyed 21 days after receipt. The scan is deleted after the certificate has been activated or the application has been cancelled.

If we are obliged to do so on the basis of Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR, we will retain this documentation for 12 months pursuant to Section 8 (3) VDG.

IP address pairs and times of access are stored for two years due to the certification requirement and then deleted.

VII. Sign-Me

When providing the sign-me remote signature system, D-Trust generally acts as a processor dependent on instructions pursuant to Art. 4 No. 8 GDPR for the commissioning parties. We provide the following information in fulfilment of our obligations under Art. 13, 14 GDPR insofar as we act as the controller pursuant to Art. 4 No. 7 GDPR due to a deviating constellation in individual cases.

It is the client’s intention to enable natural persons to electronically sign information or documents via sign-me. Technically speaking, hash values or PDF documents can be signed. In the case of PDF documents, the signature service requires these to be on file as PDF/A.

D-Trust provides users with certificates in accordance with the applicable terms of use and an interface description – along with sample codes and authentication data for download – and informs the client of the authentication data. The access data for the service portal is sent to the client by encrypted e-mail.

2.1 Data Subjects

  • Applying users (employees, customers or business partners)
  • Anyone whose personal data is contained in the documents to be signed

2.2 Data Origin

Data of the data subjects are taken

  • from a web form during self-registration,
  • from identification service providers as a verified data record,
  • from customers who communicate with the sign-me application via API,
  • from contracts and forms for customer contact persons,
  • from service and support requests from companies that provide support for their own end customers and
  • from direct support requests from data subjects.

2.3 Data Categories

The following personal data is processed as part of the sign-me remote signature system and the provision of certificates for applying remotely triggered signatures (hereinafter referred to as the “signature creation service”) which are used by the controller (the respective scope may vary depending on the individual case):

  • Identification data: surname, first name, valid from to, place of birth, nationality, name at birth, date of birth, registration address, ID number (for comparison of the application, ID, proof of identification)
  • Further information: title, contact e-mail, e-mail certificate, cell phone number, billing address, organisation, product-specific ID
  • Verifications: VideoIdent verification (admission person, ID/passport/ID document)
  • Certificates, IP addresses, access times
  • Any documentation on conveyances pursuant to Section 8 (2) VDG
  • Any data to be signed in the self-service area

Personal data is processed for the purpose of fulfilling the contract (Art. 6 (1) (b) GDPR), namely establishing the identity of the applicant, checking and processing the application, ensuring the certificate life cycle, including revocation and operation of the directory service (status information service), and – in individual cases – for troubleshooting, especially in the case of support requests.

The certificates are published in the directory service exclusively on the basis of your express consent (Art. 6 (1) sentence 1 (a) GDPR) during the application process. You can object to the publication with effect for the future by directly adjusting your data in the sign-me portal.

In the case of requests or enquiries pursuant to Section 8 (2) of the Trust Services Act (Vertrauensdienstegesetz, VDG), data is transferred to the competent authorities if they request the transfer in accordance with the applicable provisions, as the transfer is necessary for the prosecution of criminal offenses or administrative offenses, to avert threats to public security or order, or to fulfil the statutory tasks of the federal and state constitutional protection authorities, the Federal Intelligence Service, the Military Counterintelligence Service or the tax authorities, or if courts order the transfer in the context of pending proceedings in accordance with the applicable provisions. The legal basis for transfers to the competent authorities in these cases is Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR.

When individual pages are called up, temporary cookies are used for providing technical services. These session cookies do not contain any personal data and expire at the end of the session. Technologies such as Java applets or Active-X controls, which make it possible to track the user’s access behaviour, are not used.

We pass on the personal data required for this service to Customer Service of Bundesdruckerei GmbH and Inco Spółka z o.o., also a subsidiary of the Bundesdruckerei Group GmbH, in order to provide our support services. Customer Service processes the personal data on our behalf and in accordance with our instructions in order to respond to your support requests. Parts of commercial contract processing are handled by Bundesdruckerei GmbH, and personal data is processed when this is done.

If the certificates were ordered or brokered via a partner of D-Trust GmbH, the partner receives the necessary personal data for purchase and, if applicable, commission processing.

Pursuant to Section 8 (2) VDG, we may pass on your personal data to the competent authorities (see Section 3).

If you have given your consent (see Section 3), we send your certificate to the directory service, which publishes your certificate so that it can be viewed by the public.

We require the data marked as mandatory in order to ensure the identity of the certificate holder. The requested certificate cannot be issued if this information is not provided or is incorrect.

The mobile phone number of the person concerned is mandatory, as the mobile phone is used as a secondary factor in the authentication process for triggering the signature. The service cannot be provided without this security mechanism, which relies on the mobile phone number.

As soon as the personal data is no longer required for the purpose or purposes for which it was collected, it is deleted – unless statutory retention obligations prevent this. The ability to trace the identification process that forms the basis for issuance of a certificate is a quality feature of the certificate. Implementation of the retention periods specified by law or in certifications depends on the product.

With regard to qualified signature certificates, the provisions of Section 16 (4) VDG on long-term storage apply for certificates and certificate verification data, including contact data. This corresponds to the entire duration of our company’s operations. If we ever go out of business, the data will be transferred to the Federal Network Agency or another qualified trust service provider as required by law.

All other certificate verification data and certificates are deleted eight years after the validity of the last certificate issued on the data expires. Documents that users upload for signature in the self-service area are deleted after five days at the latest.

If we are obliged to do so on the basis of Section 8 (2) VDG in conjunction with Art. 6 (1) sentence 1 (c) GDPR, we will retain this documentation for 12 months pursuant to Section 8 (3) VDG.

VIII. Telephone Campaign

During a telephone campaign, we contact the digitisation or product managers and other contact persons of organisations for marketing purposes. We use the contact information published on the website for this purpose. Contact is made on the legal basis of our legitimate interest (Art. 6 (1) (f) GDPR) in establishing contact for the subsequent provision of information on products and services. After consent has been given by telephone, we send an e-mail with the product information we discussed on the subject or with an appointment time agreed with you. You receive this e-mail at the e-mail address you have confirmed. This is known as a double opt-in procedure. Further confirmation is necessary so that we can reach you at the correct e-mail address you have specified. We store your consent in the call history with a time stamp. The legal basis for this storage is our legitimate interest (Art. 6 (1) (f) GDPR), such as our legitimate interest in proving in cases of doubt that consent has been given to use the data to receive product information.

The legal basis for sending product and service information and for processing your personal data is your informed, voluntary consent in accordance with Section 7 (2) No. 2 of the Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG) in conjunction with Art. 6 (1) (a) GDPR.

Service partner: In our telephone campaign, we are supported by our service partner, particularly with regard to contacting digitisation managers: Sales People GmbH, Mallaustr. 75, 68219 Mannheim (sales-people.de).

IX. Whistleblower System

Compliance with legal regulations and internal rules, such as our Code of Conduct, and with our Code of Conduct for Business Partners is a top priority for the Bundesdruckerei Group. This applies to both our own business unit as well as our supply chains.

It is important to us that risks are identified at an early stage and violations avoided as far as possible. We want to initiate appropriate countermeasures in good time and avoid potential damages for data subjects, customers, employees, business partners and our company Group.

We have therefore established an independent, impartial and confidential whistleblower system that also allows internal and external whistleblowers to report anonymously.

We enlist the support of the transparent complaints procedure to ensure the greatest possible protection, particularly for data subjects, the whistleblowers and the employees involved in investigating the reported issues. All actual and alleged violations of legal requirements, the Code of Conduct and the Code of Conduct for Business Partners can be reported under the complaints procedure. Likewise, the subject of a report may involve human-rights or environmental risks or breaches of duty anywhere along the supply chain of our Group companies and in our own business area.

Rapid, standardised processes plus confidential and professional processing of tips by internal experts form the foundation of this system, which is based on the principle of fair proceedings.

Discrimination or punishment of whistleblowers and persons entrusted with the handling of complaints and tips is not tolerated.

The aforementioned complaints procedure is applicable to Bundesdruckerei Group GmbH and the Group companies Bundesdruckerei GmbH, Maurer Electronics GmbH, genua GmbH, D-Trust GmbH, Maurer Electronics Split d.o.o, Inco Sp. z o.o. and Xecuro GmbH (collectively the “Bundesdruckerei Group”).

The report can be made anonymously. In this case, no personal data of the whistleblower is processed.

The categories of personal data processed depend on the information reported. If the whistleblower reports personal data about another person, including that of the person or persons being reported on, this personal data is also processed. The following categories of personal data may be processed:

  • General personal data (name, address, e-mail address, telephone number, position, etc.)
  • Personal data relating to criminal convictions or suspicion thereof
  • Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation)

We advise the whistleblower to only report information that is of specific relevance to the reported case and, in particular, to refrain from reporting sensitive information unless it is of central importance for processing the reported case.

The purpose of processing personal data is the management of the whistleblower system, including the detection of serious violations or potential violations of applicable law or other serious matters.

The processing of personal data is necessary for fulfilling legal obligations to which we are subject; see Art. 6 (1) sentence 1 (c) GDPR. This is the law for better protection of whistleblowers (Whistleblower Protection Act – Hinweisgeberschutzgesetz, HinSchG).

The purpose of processing the data is to safeguard our legitimate interest in detecting serious violations or potential violations of applicable law or other serious matters pursuant to Art. 6 (1) sentence 1 (f) GDPR.

As far as the processing of special categories of personal data is concerned, processing on the basis of the Whistleblower Protection Act is necessary for reasons of substantial public interest; see Art. 9 (2) (g) GDPR. Special categories of personal data are processed pursuant to Art. 9 (2) (f) GDPR in conjunction with Art. 6 (1) sentence 1 (f) GDPR for the establishment, exercise or defence of legal claims.

A data subject is anyone who is the subject of the report. Data subjects may be employees, contractual partners or anyone else who is professionally associated with us. Additionally, we process personal data of the individual providing the information if they share their contact details or any other information that identifies them. Whistleblowers must therefore be aware that we may process personal data about them in connection with processing the reported case.

The reports are documented as a process in the WhistleB System at Bundesdruckerei GmbH. After being evaluated, the processes are passed on internally to the responsible departments, and any necessary follow-up measures are initiated. If a report concerns one of the Group companies of the Bundesdruckerei Group, these processes are forwarded to the responsible persons of the respective Group company and evaluated internally by the responsible person, and any necessary follow-up measures are initiated. Personal data is only passed on for a specific purpose and in accordance with the principle of data minimisation; in other words, only the personal data that is absolutely necessary to process the notification is passed on.

We disclose personal data about the whistleblower to authorities if this is necessary for dealing with serious offences or serious matters or for ensuring the right of defence of the data subjects. In other cases, personal data about the whistleblower is only passed on with the consent of the whistleblower. Personal data about persons other than the whistleblower is only passed on as part of following up on a reported case or dealing with serious offences or serious matters.

The reporting platform is provided by the processor, WhistleB Whistleblowing Centre AB, Stockholm, Sweden. Further information on WhistleB Whistleblowing Centre AB is available to read in the Terms of Use.

There is no obligation to provide the personal data listed under Section 1 as it is also possible to report anonymously. However, it may not be possible for us to process the report without being provided with personal data.

Personal data that proves to be irrelevant for the processing of a reported case, along with reports that we consider to be unfounded, are immediately categorised as “irrelevant”, and any personal reference (unless it is already an anonymous report) will be removed. This report will then be archived initially (without personal reference) but not yet deleted in order to guarantee the legally required documentation obligation and statutory deletion period arising from Section 11 (1), (5) HinSchG. Archived cases are used exclusively to fulfil documentation obligations and can therefore no longer be called up for processing.

Reports and personal data collected in the course of processing a report form the basis for further processing and are anonymised as soon as possible. However, if the need for follow-up measures within the meaning of Sections 3 (8), (18) HinSchG arises, it is possible for a deviation from anonymisation to become necessary due to an official order or to secure legal claims. In this case, unless otherwise specified (e.g., by a court order), pseudonymisation is generally striven for. The documentation is deleted three years after completion of the proceedings. The documentation may be kept for longer in order to fulfil the requirements of this Act or other legislation – as long as this is necessary and appropriate.

X. Export Control

Goods or digital services to be provided (e.g., merchandise, software, technology) and the cross-border transfer of them may be subject to German, European, Chinese or US export control regulations. The respective client is responsible for the cross-border provision of the goods and digital services provided by D-Trust and must ensure that no natural persons or legal entities, organisations or institutions are involved in the execution of the contract or benefit from the execution of the contract that are on an EU or United Nations sanctions list. This also applies with regard to natural persons or legal entities, organisations or institutions that are on the sanctions lists of other governments, with the exception of such listings that are based on the legal acts listed in the Annexes to Regulation (EC) No. 2271/96 and/or that are directed against a state against which neither the United Nations nor the EU nor the Federal Republic of Germany have adopted any economic sanction measures.

If D-Trust is obliged as the actor responsible for exports to carry out export controls and sanctions list comparisons in individual cases due to a deviating constellation, this is done on the basis of Art. 6 (1) sentence 1 (f) GDPR and of our legitimate interest in not entering into business relationships with persons/entities on the relevant sanctions lists and of being able to fully avoid the penalties that would result. In the case of false matches, the date of birth, place of birth, nationality and name at birth are used. As a company of the Bundesdruckerei Group, D-Trust has a legitimate interest within the meaning of Recital 48 GDPR to handle certain processing operations centrally. The sanctions list and export control checks are carried out by Bundesdruckerei GmbH.

XI. Further Information

We take all necessary technical and organisational security measures to protect your personal data from loss and misuse. For example, your data is stored in a secure operating environment that is not accessible to the public.

Personal data may be transferred within the Bundesdruckerei Group to other Group companies for the aforementioned purposes, if this is necessary to fulfil the above-mentioned purposes.

Personal data is also disclosed to courts, regulatory authorities or law firms to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend against legal claims.

If we work with service providers, such as providers of IT maintenance services, they only act on our instructions and are contractually obliged to comply with the applicable data protection requirements. The Bundesdruckerei Group remains responsible for the data processing.

If no explicit storage period is specified when personal data is collected (e.g., as part of a declaration of consent) or within the descriptions of this data protection information, personal data is deleted as soon as it is no longer required for the purposes for which it was collected unless statutory retention obligations (e.g., retention obligations under commercial and tax law) prevent such deletion.

The following general time limits apply to storage and archiving in accordance with German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets along with the work instructions and other organisational documents, accounting documents and invoices required for their understanding (Section 147 (3) in conjunction with (1) Nos. 1, 4 and 4a of the Tax Code (Abgabenordnung, AO), Section 14b (1) of the Value Added Tax Act (Umsatzsteuergesetz, UStG), Section 257 (1) Nos. 1 and 4, (4) of the Commercial Code (Handelsgesetzbuch, HGB)).
  • 6 years – Other business documents: commercial or business letters received, reproductions of commercial or business letters sent, other documents insofar as they are of significance for taxation, such as hourly wage slips, company accounting sheets, calculation documents, pricing, and also payroll accounting documents insofar as they are not already accounting documents and cash register receipts (Section 147 (3) in conjunction with (1) Nos. 2, 3, 5 AO, Section 257 (1) Nos. 2 and 3, (4) HGB).
  • 3 years – Data required for considering potential warranty and compensation claims or similar contractual claims and rights and for processing related inquiries based on past business experience and standard industry practices is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

XII. Rights of Data Subjects

You have the following rights in accordance with the GDPR:

Right to Information

You have the right to request information from us at any time about all data that we store about you pursuant to Art. 15 GDPR. In particular, this includes information about

  • the purposes for which we process your data,
  • the categories of data that we process concerning you,
  • the specific recipients or, if these are not known, the categories of recipients to whom we transfer your data,
  • the duration for which we store your data or, if this cannot be determined, the criteria under which we store your data, and
  • if applicable, the origin of the data if we have not collected it from you.

Right to Rectification

If your data processed by us is incorrect or incomplete, you can request that we rectify or complete this data at any time in accordance with Art. 16 GDPR.

Right to Erasure (Being Forgotten)

If the original legal basis for the data processing no longer applies or if you have revoked your consent or objected to the processing or if we are no longer permitted to process your data for another of the reasons stated in Art. 17 (1) GDPR, you can request that we erase the personal data concerning you in accordance with Art. 17 GDPR.

This right does not apply if processing is necessary to exercise freedom of expression and information, protect public interests, comply with a legal obligation, or assert, exercise, or defend legal claims.

Right to Restriction

Pursuant to Art. 18 GDPR, you may also request the restriction of processing. You are entitled to this right if you dispute the accuracy of the data, if the processing is unlawful, if we no longer need the data for the stated purposes, or if you have objected to the processing and we are not otherwise permitted to process the data lawfully in the latter two cases.

Right to Data Portability

You can also request that we transfer your data to you or another controller in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.

Right to Revoke Consent

If your consent serves as the legal basis for processing your data, in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR, you may revoke it at any time pursuant to Art. 7(3) GDPR. If you revoke your consent, we will cease processing your data; however, the lawfulness of processing conducted prior to the revocation will not be affected.

Right to Lodge a Complaint with a Supervisory Authority

You can also lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, this should be the supervisory authority of your usual place of residence or workplace; alternatively, you can also address your complaint to the supervisory authority of our company headquarters.

RIGHT OF OBJECTION

IN ACCORDANCE WITH ART. 21 GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA IF WE PROCESS YOUR PERSONAL DATA SOLELY ON THE BASIS OF OUR LEGITIMATE INTERESTS AND THERE ARE GROUNDS RELATING TO YOUR PARTICULAR SITUATION. IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT ADVERTISING, YOU HAVE A GENERAL RIGHT TO OBJECT WITHOUT STATING SPECIFIC REASONS.

YOU CAN DECLARE YOUR OBJECTION BY SENDING AN E-MAIL TO DATENSCHUTZ-REQUEST@BDR.DE OR DATENSCHUTZ@D-TRUST.NET.

This Privacy Policy was last revised in: November 2024.