Data privacy statement for the Wurm Security Center
and the mobile device apps OneID and Serial2Key
We are delighted at the interest you have shown in our company. Data privacy has particularly high importance for Wurm GmbH und Co. KG Elektronische Systeme. With this data protection declaration, our company would like to inform the public about the type, scope, and purpose of the personal data which is collected, used and processed by us. This data protection declaration also explains what your related rights are. If we need to process personal data and there is no legal basis for this in a particular case, we generally ask for your consent first.
This data protection declaration applies to the Wurm Security Center and the mobile device apps OneID and Serial2Key of Wurm GmbH & Co. KG Elektronische Systeme. We also meet our information obligations as defined in the EU General Data Protection Regulation (GDPR).
· Responsible body
· Note on the data protection office
· Data processing on this website
· Processing of personal data
· Transmission of data to third parties
· Note concerning the security and confidentiality of personal data
· Legal bases for the processing of personal data
· Your rights
· Standard deadlines for the deletion of the data
· Right of appeal to a supervisory authority
· Note on topicality
Wurm GmbH & Co. KG
Phone: +49 (0) 2191 - 8847 300
Name and address of the data protection officer
Wurm GmbH & Co. KG has appointed an external data protection officer:
Mr. Arndt Halbach of GINDAT GmbH
Wetterauer Strasse 6
Data processing on this website
Each time the website of Wurm GmbH und Co. KG Electronic Systems is accessed by a particular person or an automated system, it collects a general set of data and information about them. This general data and information is stored in log files on the server. This information can include
· the types and versions of browser used,
· the operating system running on the system accessing our website,
· the website sub-pages you have viewed,
· the date and time of access to the website,
· the internet protocol address (IP address),
· other similar data and information to be used for the purpose of security in case of attacks on our IT systems.
In using this general data and information, Wurm GmbH und Co. KG Electronic Systems draws no conclusions about the person concerned. This information is in fact used for
· presenting content correctly on our website,
· optimising the content on our website,
· ensuring the long-term functionality of our IT systems and technology on our website, and
· providing the law enforcement authorities with the information necessary for prosecution in the case of cyber attacks.
The collected data and information are therefore evaluated by Wurm GmbH und Co. KG Electronic Systems primarily for the purpose of increasing the data protection and data security in our company, and finally ensuring an optimal level of protection for the personal data which is processed by us.
The IP address of your computer is deleted after 30 days.
Processing of personal data
The subject matter of this declaration is the collection, processing and usage (“Use”) of personal data (“Data”) in the Security Center or in the mobile device apps of Wurm GmbH & Co. KG Electronic Systems.
The personal data concerned are stored in the database of the Security Center. Access to the authorization releases associated with this data for all mobile device applications managed via the Security Center is handled using pseudonymized and encrypted procedures.
This means that when using the corresponding mobile device apps, there is no concrete personal reference (privacy by design). The data required for the binding process of the app OneID is not saved on the mobile device.
The data collected and processed by us when using the Security Center can generally be divided into the following categories:
· Contact information such as name, address, telephone number, email address, title, place of work, company affiliation etc.
· Profile information if you create a profile or account with us, including username and password
· Technical information such as technical data on use and display, including IP addresses, when you visit our websites or applications, also on third-party websites
· Transaction information such as the transfer of project access data by the querying authorized person
The administration of the users is carried out either by employees of the company Wurm (after release of the operator) or by contact persons of the service companies (hereinafter referred to as ADMIN). These ADMINs receive from the provider of this online service ("portal"), Wurm GmbH & Co. KG Electronic Systems, the administration right for setting up user access for the respective accounts (service company). In the process, personal data of the respective users are recorded, which are then processed further. Only information required for establishing the contractual relationship or for carrying out the services is designated as mandatory information.
The use of Wurm online services is possible, among other things, with the login via OneID. With OneID you can use your mobile device for authentication for Frigodata, the Infocenter and other applications. To use OneID, you need a unique, personally identifiable email address or mobile phone number and a mobile device running the iOS or Android operating system. Authentication is realized via an application (app) that has to be installed and set up on your mobile device. If the installation was successful, you can bind the device used to your OneID access data and immediately log in to all applications that have been activated for you.
When you start the OneID app for the first time after installation, you will be asked if you want to grant the app the right to use push notifications. If you want to log in to the activated applications using a push message, this right is required for communication with the Security Center.
Note: When using the push services, encrypted messages are transmitted via Apple or Google servers without any personal reference.
Further note: All login attempts via OneID are also logged in the Security Center.
The personal data of the user account include the user name of the user, his mobile number, his company, his email address, an individual device identifier and optionally his full name. The mobile number is used for the authentication and authorization check by means of a request SMS sent from a mobile phone, as well as for the response containing the access data for the requested gateway. When a user account is created, the portal can optionally send an info SMS to the user. The user's company is needed for the connection or legal assignment of the service company to the gateways used in the branches to be supervised with refrigeration or technical building equipment. If an email address is provided, information required by the employees of the portal operator (e.g. Hotline) can optionally also be sent by email. The individual device identifier is used in the Security Center for the logical assignment of user and device.
If you use this online service of "Wurm GmbH & Co. KG Electronic Systems", technical information that your browser or your app transmits is automatically collected and stored in server logs. This is in particular the address of the page called and the IP address of your computer.
All activities are stored in an activity log to monitor the portal for malfunction. In addition, the portal operator uses this data for security reasons to monitor possible misuse (request from a user for unauthorized systems). In the case of accumulations of such requests, both the user in question and the responsible ADMIN can be informed about this infringement. In addition, each ADMIN can view the activities of users created by him.
In addition to the technical data of the requested gateways and the service partners for refrigeration and building services, the activity log records the following personal data: date of inquiry, user name and company in which the user is employed.
When using the Security Center with the mobile device application Serial2Key, in addition to the serial number of the requested gateways (=technical data) the following personal data will be automatically stored on the portal server per use of the SMS request: the username, the mobile phone number and the date of the SMS request.
The storage of a sent SMS happens according to the mechanisms available in the mobile device. Apart from the app settings, no personal data is stored on the mobile device.
You have the right to inspect, correct, supplement, complete or delete the personal data and settings of your customer account that are stored about you at any time.
If you get in contact with Wurm GmbH & Co. KG Elektronische Systeme by email, please note that we use the STARTTLS encryption process. If your server supports this encryption process, this will ensure secure communication between our email server and yours. Otherwise the data will usually be sent unencrypted. In this case, the confidentiality of the transferred information cannot be guaranteed. We have no control over the path taken by your email over the public internet to our company and cannot therefore guarantee the security of your data. Once your email has reached our email server, we protect your data with highly technical and organisational measures.
Transmission of data to third parties
Wurm GmbH & Co. KG Electronic Systems will not as a matter of principle transmit your personal data to third parties outside the company network, unless:
· transmission is necessary for the purpose of carrying out or billing services, if the service involves making use of the products or services of an independent partner company or if the data is needed for the purpose of carrying out the service for a partner company (if you are not advised otherwise, such vicarious agents are only authorized to use the data that is absolutely necessary for this service); an automatic email is generated and sent to the relevant sales partner for the billing (personal user contract)
· for sending SMS we use the service of Esendex.
· you have given your consent to transmit the information, or prosecuting authorities or courts demand information based on applicable laws for the purpose of prosecution.
· in order to carry out the processing and handling process, if we have to make use of service providers in order to process the contract data, the contractual relations are regulated as stipulated by Art. 28 GDPR, which contains the legally required points relating to data privacy and data protection.
The websites also use a so-called cookie ("session cookie") when logging in so that the visiting customer receives a unique session ID. Cookies are small text files that are normally stored on the PC of the Internet user. Our session cookies are deleted automatically on leaving the website.
Technically necessary cookies help allow you to move around the website by ensuring essential functions such as navigation around the pages and access to secure areas. Without these cookies, the website would not work properly.
The cookies used by our website are deleted from your hard disc at the end of your browser session (these are called session cookies).
If you do not want to have the advantages of cookies, you can change how cookies are handled in the security settings in your browser. Setting options are mostly found in the Tools menu, under Settings or Internet Options.
Note concerning the security and confidentiality of personal data
We guarantee the confidentiality and security of your personal data as follows:
· we only use your personal data for fulfilling the purpose described here,
· we have obligated our employees to duties of confidentiality,
· our security provisions correspond to the current state of the art to an appropriate extent,
· our systems are checked regularly for security so that we can effectively protect data retained by us from any damage, loss and access,
· and our data protection officer ensures compliance with the "data privacy statement".
Legal basis for the processing of personal data
According to Art. 15-21 GDPR you can claim the following rights in relation to the personal data processed by us.
The right to access your personal information
You are entitled to information about the personal data concerning you that are processed by us.
The right to rectification
You may request the correction of incomplete or incorrectly processed personal data.
The right to erasure
You are entitled to have personal data concerning you deleted, especially if one of the following reasons applies:
The right to erasure does not exist, however, if it is in conflict with the legitimate interests of the responsible person. This can be, for example, if:
· personal data are required to assert, exercise or defend legal claims,
· deletion is not possible due to storage requirements.
However, if data cannot be deleted, there may be a right to restrict processing (see below).
Right to restriction of processing
You have the right to require us to restrict the processing of your personal data if
Right to data portability
You have the right to receive the personal information that you have provided us in a structured, common and machine-readable format and you have the right to transfer this data to another person without hindrance from us, provided the processing is based on your consent or a contract and processing is done by us using automated procedures.
The data subject shall have the right, at any time, to object to the processing of personal data relating to him or her under Article 6 (1) lit. e or f for reasons arising out of their particular situation; this also applies to a profiling based on these provisions. If the processing of your personal data is based on a consent, you have the right to revoke this consent at any time.
Standard deadlines for the deletion of the data
Insofar as a statutory retention provision does not exist, the data will be automatically deleted or destroyed if they are no longer necessary for achieving the purpose of the data processing including billing (cf. regulations regarding cookies). There is a legal retention period for data with tax relevance, which is usually 10 years; other data according to commercial regulations (business letters) are usually kept for 6 years. Finally, the storage period can also be based on the statutory limitation periods, which may usually be three years, for example, according to §§ 195 ff. of the German Civil Code (BGB), but also up to thirty years in some cases.
Right of appeal to a supervisory authority
Each data subject has a right of appeal to a supervisory authority under Article 77 GDPR if they consider that the processing of personal data concerning them infringes the GDPR.
The supervisory authority responsible for us is:
Landesbeauftragte für den Datenschutz und die Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2 - 4
Note on changes and updates
Inasmuch as we roll out new products or services, modify internet procedures or if internet and IT security technology are enhanced, we reserve the right to update the data privacy statement. Any changes will be published here. For that reason, please access this website regularly to obtain information on the current status of the data privacy statement.