Privacy Policy of the BIOLUX App

(Status as of June 2022)

I. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR), other national data protection laws of the Member States and other provisions of data protection law is:

LEDVANCE GmbH
Parkring 33
85748 Garching
Germany
Phone: +49 89-780673-100
Email: contact@ledvance.com

II. Name and address of the data protection officer

The contact details of the data controller's designated data protection officer are:

Mr. Matthias Lindner
bDSB LEDVANCE
c/o intersoft consulting services AG

Beim Strohhause 17
20097 Hamburg
Email: privacy@ledvance.com

III. Data processing in the BIOLUX app

On this page, we will inform you about the privacy policy of the BIOLUX App for Android and iOS ("App"). The app is offered by LEDVANCE GmbH, Parkring 33, 85748 Garching, Germany ("LEDVANCE", "we" or "us").

1. Scope of the processing of personal data

The app is used for the registration and configuration of LEDVANCE products. Users can use the app to register a new LEDVANCE product by scanning the QR-code on the device and assigning it to a previously defined room.

After the QR code has been scanned, the geo-location of the LEDVANCE product is determined to an accuracy of 10 kilometers by accessing the geo-location data of the user’s device, so that the course of the sun's position can be calculated in accordance with the time and date of the device. This enables the LEDVANCE products to provide a natural illumination that corresponds with the actual position of the sun. The app checks on the servers of LEDVANCE whether a new firmware is available for the product. If this is the case, the firmware is downloaded and installed on the product. During this process personal data is stored, transferred and analysed. The following data is processed:

• The approximate location (within 10 km)

• The IP address of the user.

The settings are then transferred to the device. These settings can also be exported and sent to other App users via Email. The app creates an encrypted file with the name of the room, the installation code, the time zone, the approximate location and the MAC address of the LEDVANCE product. The app then creates a new Email in the user's standard Email app and adds the encrypted file as an attachment. Other users can import this file into their version of the app after receiving it.

For later processing of possible warranty cases, the app transfers the MAC address and the activation date of the device to LEDVANCE.

2. The purpose of the processing of personal data

The purpose of processing personal data is to enable LEDVANCE products to be easily registered, installed and configured, thus guaranteeing undisturbed technical operation of the product.

3. The legal basis of the processing of personal data

The legal basis for processing by LEDVANCE is Article 6 (1) sentence 1 lit. f GDPR.

4. The duration of storage

After deletion of the app or termination of the use of the service, this data will be stored according to the statutory retention periods.

5. The possibility of objection and removal

LEDVANCE has appointed a data protection officer, to whom you can turn with your inquiries at privacy@ledvance.com

6. Hosting

The app is hosted on the servers of a service provider commissioned by us.

Our service provider is:

Microsoft Azure
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA

The server of the app is geographically located in the European Union (EU) or the European Economic Area (EEA).

The servers automatically collect and store information in so-called server log files, which are automatically transmitted using the app. The stored information is:

• Time of the server request

• IP address

This data will not be merged with other data sources. This data is collected based on Art. 6 para. 1 lit. f GDPR. We have a justified interest in the technically error-free presentation and optimization of the app - for this purpose, the server log files must be recorded.

We have concluded a data processing agreement with the relevant data processor by obliging the relevant service provider to protect user data and not to pass it on to third parties.

You can find further information on the data protection guidelines of our provider here:

https://privacy.microsoft.com/de-de/privacystatement

Microsoft has also signed and certified a privacy shield agreement between the European Union and the United States. This means that Microsoft is committed to complying with the standards and regulations of the GDPR. More information can be found in the following link:

https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active

7. Use of plugins

Use of Crashlytics

1. Scope of the processing of personal data

The app uses the Crashlytics tracking tool from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as Google). Crashlytics is a software development kit for crash reporting and application logging as well as for online viewing and statistical analysis of application protocols. Crashlytics collects data about the use of the app, protocols about system crashes and errors in the app as well as technical information about the user’s device, the version of the app and other relevant data about the software and hardware of the user. If there is a problem with the app, this technical data is sent to Crashlytics servers for analysis. This allows personal data to be stored, transmitted and analysed, in particular the user's activity (e.g. which pages of the app have been visited and which elements have been clicked on) and device and browser information (e.g. IP address and operating system). This data is not associated with any other data that may be collected or used in connection with the parallel use of authenticated Google services such as Gmail. Further information on the collection and storage of data by Google can be found here:

https://policies.google.com/privacy?gl=DE&hl=en

2. The purpose of the processing of personal data

We use Crashlytics to obtain real-time evaluations of system crashes and relevant device information. This simplifies the maintenance of the app and increases its stability and speed.

3. The legal basis of the processing of personal data

The legal basis for the processing of users' personal data is Art. 6 Para. 1 S.1 lit. f GDPR.

4. The duration of storage

Your personal information will be retained for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

5. The possibility of objection and removal

You can find information on opposition and removal options vis-à-vis Google at: https://policies.google.com/privacy?gl=DE&hl=de and https://fabric.io/privacy

Google has also signed and certified a privacy shield agreement between the European Union and the United States. This means that Google is committed to complying with the standards and regulations of the GDPR. More information can be found in the following link:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

IV. Rights of the data subject

If your personal data is processed, you are the data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller:

1. The right to information

You can request confirmation from the data controller as to whether personal data relating to you will be processed by us.

In the event of such processing, you may request the following information from the data controller:

• The purposes for which the personal data will be processed;

• The categories of personal data processed;

• The recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed;

• The planned duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this regard, the criteria for determining the retention period;

• The existence of a right to rectify or delete personal data concerning you, a right to limit the processing by the data controller or a right to object to such processing;

• The existence of a right of appeal to a supervisory authority;

• All available information on the origin of the data, if the personal data is not collected from the data subject;

• The existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and at least in these cases meaningful information on the logic involved, and the scope and intended effects of such processing on the data subject.

You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

2. The right to rectification

You have the right to have your personal data corrected and/or completed by the data controller if the personal data processed concerning you is inaccurate or incomplete. The data controller must carry out the rectification immediately.

3. The right to limit the data processing

Under the following conditions, you may request that the processing of your personal data be restricted:

• If you dispute the accuracy of the personal data concerning you for a period of time which allows the controller to verify the accuracy of the personal data;

• If the processing is unlawful and you refuse to erase the personal data and instead request that the use of the personal data be restricted;

• If the controller no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defence of legal claims, or

• If you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data apart from their storage may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union (EU) or a Member State.

If the processing has been limited in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

4. The right to erasure

a) Duty to delete

You may request the data controller to delete the personal data concerning you immediately and the data controller is obliged to delete this data immediately if one of the following reasons applies:

• The personal data relating to you is no longer necessary for the purposes for which they were collected or otherwise processed.

• You revoke your consent on which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR was based and there is no other legal basis for the processing.

• You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing or you object to the processing pursuant to Art. 21 para. 2 GDPR.

• The personal data concerning you have been processed unlawfully.

• The deletion of your personal data is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject.

• The personal data relating to you have been collected in relation to information society services offered pursuant to Article 8 para. 1 GDPR.

b) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to delete them in accordance with Art. 17 para. 1 GDPR, they shall take the appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the data processors who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.

c) Exceptions

The right to deletion does not exist if the processing is necessary

• for the exercise of freedom of expression and information;

• to fulfil a legal obligation which processing is subject to under the law of the EU or of the Member States to which the data controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller;

• for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and lit. i as well as Art. 9 para. 3 GDPR;

• for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to in Section a) presumably makes the attainment of the objectives of such processing impossible or seriously impairs them, or

• to assert, exercise or defend legal claims.

5. The right to data portability

You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to communicate the data to another data controller without being hindered by the data controller to whom the personal data was provided, provided that

• processing was based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or is based on a contract pursuant to Art. 6 para. 1 S.1 lit. b GDPR and

• the processing is carried out by automated means.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data transfer does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

6. The right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 Para. 1 S.1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The data controller will no longer process the personal data relating to you unless they can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

You have the possibility to exercise your right of objection through automated procedures using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

7. The right to revoke consent under data protection law

You have the right to revoke your consent under data protection law at any time. The revocation of your consent does not affect the legality of the processing carried out based on your consent until you revoke it.

8. Automated decision making, including profiling

You have the right not to be subject to any decision based solely on automated processing, including profiling, that has any legal effect on you or similarly significantly affects you. This does not apply if the decision

• (1) is necessary for the conclusion or performance of a contract between you and the data controller,

• (2) is authorised by legislation of the EU or of the Member States to which the data controller is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or

• (3) is made with your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, including, at least, the right to obtain the intervention of a person on the part of the data controller, to state his own position and to challenge the decision.

9. Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is in breach of the GDPR.

The supervisory authority with which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.


This privacy policy was created with the assistance of DataGuard.



