Privacy policy for the application portal for certificate products

Dear Visitor,

In addition to our Privacy Policy, this page provides more information about how your data is processed when you order our certificate products.

1. What data do we process?

When you order certificate products, we process certificate, contact, order and invoice data, revocation password hashes, certificate identification data, results of sanction list checks and export controls, if necessary, copies of ID documents (passport, ID card and other ID documents) as well as documentation of support/service cases.

In the case of copies of ID documents that have not been redacted, the access number (CAN) and special categories of personal data will be transmitted in the form of a photograph (biometric photo). The photograph is a so-called biometric date that enables unambiguous identification. In cases like these, consent to data processing also refers to this date.

In addition, authorized signatories, third parties authorized to revoke and the identifying persons (government employees, chamber employees, notaries [Notarident], officers [WebRA], postal employees [POSTIDENT], embassy employees) process contact data and the confirmation that they have carried out identification.

IP address pairs, access times and encrypted input content of all users of our Internet service are processed.

In legally justified cases, inquiries regarding data subject rights and data transfers will be documented in accordance with section 8 (2) of the German Trusted Services Act (VDG, Vertauensdienstegesetz).

2. Where does the personal data come from?

The data of the requesters, authorized signatories and third parties authorized to revoke is collected directly via the request page or within a WebRA procedure managed by an officer. Within the scope of verifying the request data, identifying persons, authorized signatories, the personnel department or superiors are contacted and involved in clarifying the correctness of the certificate data and authorizations.

The data of persons involved in the identification or confirmation process is collected directly during the course of their work. Service and support enquiries as well as enquiries regarding data subject rights are provided to us in forms or through other contact options chosen by you.

3. How long do we keep your data?

The traceability of the identification which serves as the basis for issuing a certificate is a quality feature of the certificate. The statutory storage periods or those specified in certifications depend on the specific product.

In the case of qualified signature and seal certificates, the provisions of section 16 (4) VDG on permanent storage apply to certificates and identification data including contact data. This corresponds to the entire duration of operations by our company. If we cease to conduct business, the data will be transferred to the Federal Network Agency or another qualified trust service provider, as required by law.

All other certificate identification data will be deleted eight years after the validity of the last certificate issued on the basis of this data has expired. The revocation password hash is deleted at the latest one year after the validity of the last certificate issued on the basis of this data has expired. The copy of the ID card will be scanned after it is received by post. The paper copy will be destroyed 21 days after receipt. The scan will be deleted after the certificate has been activated or the request cancelled.

Documentation of information provided pursuant to section 8 (2) VDG is stored for twelve months.

IP address pairs and access times are kept for two years due to the certification requirement and are then deleted.

4. For what purposes is the data processed?

Your data will be processed for the following purposes: to establish the identity of the applicant, to check a request and for handling, billing, observing documentation obligations, to warrant the certificate life cycle including revocation and operation of the repository service (status information service), checking cost efficiency and quality, for statistical purposes (anonymized) and in individual cases for troubleshooting, especially in the case of support requests.

Data processing is also carried out as part of measures to maintain information security, especially to detect and ward off attacks, including internal and external audits, export control and sanctions list checks.

In the case of enquiries pursuant to section 8 (2) VDG, the information provided is sent to the competent offices.

5. What is the legal basis for processing?

Certificates and certificate identification data, contact data, order data, invoice data, revocation password hashes and documentation of support/service cases are processed in order to perform the contract with you. Art. 6 (1) lit. b GDPR provides the legal basis for this.

eIDAS Regulation (No. 910/2014) and the Trusted Services Act provide the legal framework for trust services.

We request your consent in order to copy the ID card, passport or other ID document.

Section 8 (2) VDG provides the legal basis for sending the information provided to competent offices.

A legitimate interest within the meaning of Art. 6 (1) lit. f GDPR exists in the following cases:

Information security and preventive measures are carried out using technical and organizational measures, including incident handling, in order to assess and prevent possible damage to our company, the data subjects whose data has been processed and to the trust service users.

D-Trust GmbH is part of a company group. Within the meaning of Recital 48 EU GDPR, Bundesdruckerei GmbH, as a company of the Bundesdruckerei Group, has a legitimate interest in processing certain data centrally. Sanctions list and export control checks, dunning, sales activities and parts of the support service are performed by Bundesdruckerei GmbH.

6. Where can your data be forwarded to?

In order to perform support services, the necessary data will be sent to the customer service unit of Bundesdruckerei GmbH and iNCO Spólka z o.o. (a subsidiary of Bundesdruckerei Gruppe GmbH in Poland).

In addition, officers and identifying persons, auditors, supervisory authorities and, if necessary, competent authorities pursuant to section 8 (2) VDG can access the respective data.

Within the scope of export control, the name and, if applicable, the organization are sent to Bundesdruckerei GmbH's sanctions list server. If matches fail, the date of birth, place of birth and nationality as well as the name at birth are used. In addition, the dispatch address, the country of dispatch, the invoice recipient’s address and, if applicable, other partners are assessed by Bundesdruckerei with a view to export control law.

Bundesdruckerei GmbH also performs parts of commercial processing within the scope of contract handling.

If the certificates were ordered or commissioned via a partner of D‑Trust GmbH, the partner will receive the personal data contained in the certificate to process the purchase or commission, respectively.

There is neither a procedure nor any intention to transfer personal data to a third country or to an international organization.