Alevate Classic App

Data Protection Declaration of Serrala Cloud Solutions GmbH for the “Alevate” App

 

We, the Serrala Cloud Solutions GmbH, take the protection of your personal data very seriously and strictly adhere to the rules of the applicable data protection laws.

During the use of the “Alevate” software, personal data is collected at different points. The collection of data will only be carried out to a technically necessary extent. If the processing of personal data is necessary and there is no legal basis for such processing, we shall, in general, request consent of the data subject. The data will be treated in a strictly confidential manner and may be used solely for the communicated purpose. Under no circumstances will the data be sold, used for other purposes or given to a third party for other reasons.

With this Data Protection Declaration, our company would like to inform you about the form, extent and purpose of personal data we collect, use and process. Furthermore, the Data Protection Declaration should aim to inform the data subjects about all their rights.

 

1. General

 

The provider of the “Alevate” software is Serrala Cloud Solutions GmbH, based in Berlin (hereinafter also referred to as "we").

“Alevate” is an application for smartphones (App), with which one can render an electronic signature without additional Smartcard, USB stick or disk on payment files in accordance with the EBICS standard. The App serves as an additional option to the payment transaction portal “Alevate”, which is designed as a web application. During the usage of the application, the data of the account holder and information concerning payment transactions will exclusively be exchanged between the payment transaction portal und the mobile device of the user (e.g. iPhone). The user’s personal data and the payment transaction information will not be collected, saved or processed by Serrala Cloud Solutions GmbH in the course of the regular operation for any other purpose at any time.

 

2. Type of data

 

Within the framework of use of the “Alevate” App it is possible and desirable that you send technical log files to Serrala Cloud Solutions GmbH by e-mail. Before sending them off to Serrala Cloud Solutions GmbH, the content of the log files will be available for you to view. You can also delete the log files from the device.

In addition, the following data are collected, stored and processed during the regular use.

 

Personal data

  1. Name, first name (possibly in the e-mail of the sender)
  2. E-mail address (sender of the log files)
  3. Device identification
  4. Time point of the communication between the mobile device and the payment transaction portal
  5. Information about the bank(s) of the user 6. Information about the accounts of the user
  6. Information about the transactions in the accounts 8. Information about payments (credit and debit notes) with details of the recipient, the amount of payment, the purpose of the transfer etc.

 

3. Usage of the data

 

The contents of the technical log files that can be generated during the usage and transmitted to Serrala Cloud Solutions GmbH serve to analyze possible technical problems. The data will not be used for any other purposes. When we use this general data and information, no conclusions regarding the data subject are drawn.

All the other data will be needed for the functionality of the App and will merely be stored in the App (in an encrypted manner on the smartphone) and in the payment transaction portal. The communication between the App and the portal is also encoded. The anonymous data of the server log files is stored separately from any personal information provided by the data subject.

 

4. Time limits for the deletion of data

 

Serrala Cloud Solutions GmbH processes and stores personal data of the subject only for the time period necessary to fulfill the purpose for which they were collected or if this is provided for in laws and legal provisions by the European regulators and issuers of directives or other legislators to which the controller is subject.

After the respective storage purpose ceases to apply or after the data-retention period expires, the corresponding personal data shall be locked or deleted routinely and in accordance with the statutory provisions.

 

5. Consent / Revocation

 

With accepting this Data Protection Declaration, you agree that we are allowed to use the data indicated for the aforementioned purposes. If you have consented to the use of your personal data, you may revoke this consent at any time by sending an e-mail to dataprotection@serrala.com or in writing to the address of Serrala Cloud Solutions GmbH.

 

6. Transfer of your data to a third party

 

As a matter of principle, we do not transfer any personal data collected to a third party.

 

7. Technical security

 

We continuously check and update our technical and organizational security measures to protect your data. These procedures are to avoid unauthorized access, unlawful deletion and manipulation and the accidental loss of this data in the best possible manner.

 

8. Rights of the data subject

8.1. Right to obtain confirmation

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If the data subject would like to exercise this right to obtain confirmation, he or she may contact a staff member of the controller at any time.

 

8.2. Right to information

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to obtain from the controller– at any time and free of charge – information about the personal data stored about him or her as well as a copy of this information.

Furthermore, the data subject has a right to be informed whether personal data were transferred to a third country or to an international organization. If that is the case, the data subject is entitled to receive also information about appropriate guarantees in connection with the transfer. If the data subject would like to exercise this right to information, he or she may contact a staff member of the controller at any time.

 

8.3. Right to rectification

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall additionally have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If the data subject would like to exercise this right to rectification, he or she may contact a staff member of the controller at any time.

 

8.4. Right to erasure (right to be forgotten)

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to obtain from the controller the erasure of personal data concerning him or her without undue delay if the processing of the data subject’s personal data is no longer necessary, if the data subject withdraws consent, if there are no legitimate grounds for the processing or if the personal data have been unlawfully processed.

If any of the reasons mentioned above apply and a data subject demands the deletion of the personal data stored at Serrala Cloud Solutions GmbH, he or she may contact a staff member of the controller at any time. Serrala Cloud Solutions GmbH’s staff member will ensure that the order to delete the respective personal data will immediately be complied with.

 

8.5. Right to restriction of processing

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to obtain from the controller restriction of processing where one of the following preconditions applies:

The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.

The data subject has objected to processing pursuant to Article 21, Paragraph 1, DS-GVO pending the verification whether the legitimate grounds of the controller override those of the data subject.

If any of the preconditions mentioned above apply and a data subject demands the restriction of the personal data stored at Serrala Cloud Solutions GmbH, he or she may contact a staff member of the controller at any time. Serrala Cloud Solutions GmbH’s staff member will ensure that the order to restrict the processing will be immediately complied.

 

8.6. Right to data portability

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where, the processing is based on consent pursuant to Article 6, Paragraph 1, Letter (a) DS-GVO or Article 9, Paragraph 2, Letter (a) DS-GVO or on a contract pursuant to Article 6, Paragraph 1, Letter (b) DS-GVO and the processing is carried out by automated means. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In exercising his or her right to data portability pursuant to Article 20, Paragraph 1 DS-GVO the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible, provided that it does not adversely affect the rights and freedoms of others.

If the data subject would like to exercise this right to data portability, he or she may contact a staff member of Serrala Cloud Solutions GmbH at any time.

 

8.7. Right to object

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6, Paragraph 1, Letter (e) or (f) DS-GVO.

If the data subject would like to exercise this right to object, he or she may directly contact a staff member of Serrala Cloud Solutions GmbH or any other staff member at any time.

 

8.8. Automated individual decision-making, including profiling

Any data subject whose personal data is processed shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or (3) is based on the data subject’s explicit consent. If the decision as referred to in point (1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or is it based on the data subject’s explicit consent, Serrala Cloud Solutions GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. If the data subject would like to exercise rights in the context of automated decision-making, he or she may contact a staff member of the controller at any time.

 

8.9. Right of revocation of the consent concerning data protection regulations

Any data subject whose personal data is processed shall have the right, granted by the European regulators and issuers of directives, to revoke consent to processing his/her personal data at any time.

If the data subject would like to exercise this right of revocation of the consent, he or she may contact a staff member of the controller at any time.

 

9. Lawfulness of processing

Our company’s legal basis for confirming the lawfulness of the respective processing operations for which we must obtain the data subject’s consent for a certain purpose of processing can be found in Article 6 I lit. (a) DS-GVO. If the processing is necessary for the performance of a contract to which the data subject is party, as it is the case for example during processing procedures that are necessary for the delivery of goods or any other performance or counterperformance to be made, the processing is based on Article 6 I lit. (b) DS-GVO. The same applies to processing procedures which are necessary for the implementation of pre-contractual measures, for example in cases of enquiries regarding our products or services. If our company is subject to a legal obligation through which a processing of personal data becomes necessary, such as for example for compliance with tax obligations, the processing is based on Article 6 I lit. (c) DS-GVO. In rare cases, the processing of personal data could become necessary to protect the vital interests of the data subject or another natural person. This would be for example the case if a visitor were injured in our company and then his or her name, age, health insurance data or other vital information had to be passed on to a physician, a hospital or any other third party. The legal basis for such a processing would be Article 6 I lit. (d) DSGVO. Ultimately, processing procedures could be based on Article 6 I lit. (f) DS-GVO. This is the legal basis for any types of processing which are not included in the aforementioned legal bases if the processing is necessary for the protection of the legitimate interests of our company or of a third party, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. Such processing operations are especially permitted because they have been particularly mentioned by the European legislator. The legislator considered that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 DS-GVO).

 

10. Legitimate interests in processing

If the processing of personal data is based on Article 6 I lit. (f) DS-GVO, our legitimate interest is conducting our business to the benefit of all of our employees and shareholders.

 

11. Existence of automated decision-making

As a responsible company, we do not use automated decision-making or profiling.

 

12. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other data protection and privacy laws that are applicable in the Member States of the European Union and other provisions relating to data protection is the following:

Serrala Cloud Solutions GmbH
Am Borsigturm 12
13507 Berlin, Germany

 

13. Contact partner

Any enquiries, comments and queries regarding the use of data should be sent by email to dataprotection@serrala.com in writing to the address of Serrala Cloud Solutions GmbH.