Privacy policy for the sign-me remote signature system

For Affected Persons

We are extremely committed to protecting your data. This Privacy Policy contains comprehensive information on how D-Trust GmbH, a subsidiary of Bundesdruckerei Gruppe GmbH, uses your data.

1. How to contact us as the controller :

D-Trust GmbH
Kommandantenstr. 15
10969 Berlin
Tel.: +49 30 25 93 91 0

Company data protection officer:

2. Scope of processing

2.1 Categories of personal data that is processed

  • ID document data: family name, first name, date of expiry, place of birth, nationality, birth name, date of birth, registered address, ID document number (for comparison with request, ID document, proof of ID), issuing authority
  • Other data: Title, academic title, contact e-mail, e-mail certificate, mobile phone number, invoice address, organization, product-specific ID, user name
  • Proof: Video proof of identity (recording of the person, ID card/passport/ID document)
  • Certificate
  • IP addresses, access points
  • If applicable, documentation of information provided pursuant to section 8 (2) of the Trusted Services Act (VDG, Vertrauensdienstegesetz)
  • If applicable, data to be signed via self-service UI

2.2 Sources of personal data

  • The data of the persons concerned is:

    • recorded in a web form during self-registration
    • received from identification service providers as a validated data record
    • received from customers who communicate with the sign-me application via the API
    • in the case of contact persons of customers, taken from contracts and forms
    • taken from service and support requests by companies who provide support services for their own end customers
    • taken from direct support requests by the persons concerned

2.3 Data storage period

The traceability of the identification which serves as the basis for issuing a certificate is a quality feature of the certificate. The statutory storage periods or those specified in certifications depend on the specific product.

In the case of qualified signature certificates, the provisions of section 16 (4) VDG on permanent storage apply to certificates, identification data, including contact data. This corresponds to the entire duration of operations by the trust service provider. Before discontinuing its operations, the trust service provider is required to hand over the data to the Federal Network Agency or another qualified trust service provider.

All other identification data will be deleted eight years after the validity of the last certificate issued on the basis of this data has expired. The same applies to certificates.

The revocation password hash is deleted at the latest one year after the validity of the last certificate issued on the basis of this data has expired.

Invoice data is deleted after ten years.

Documentation of information provided pursuant to section 8 (2) VDG is stored for twelve months.

Documents uploaded to be signed by the sign-me user via the self-service UI will be deleted within 5 days.

2.4 Purpose of processing

Data is processed for the following purposes: to establish the identity of the applicant, to check a request and for handling, billing, observing documentation obligations, to warrant the certificate life cycle including revocation and operation of the repository service (status information service), checking cost efficiency and quality, for statistical purposes (anonymized) and in individual cases for troubleshooting, especially in the case of support requests.

The certificates are used as part of the signature creation service to create signatures for the certificate holder (data subject).

Data processing is also carried out as part of measures to maintain information security, especially to detect and ward off attacks, including internal and external audits, export control and sanctions list checking.

In the case of enquiries pursuant to section 8 (2) VDG, the information provided is sent to the competent offices.

The sign-me user can upload PDF-documents via the self-service UI. The uploaded data is processed to add the sign-me users signature to the document.

2.5 Legal basis for processing

Certificates and identification data, contact data, order data, invoice data, revocation password hashes, documentation of support/service cases and if applicable documents to be signed are processed in order to perform the contract with the data subject.

eIDAS Regulation (No. 910/2014) and the Trusted Services Act provide the legal framework for trust services.

The consent of the data subject is obtained in order to copy the ID card, passport or other ID document.

Section 8 (2) VDG provides the legal basis for sending the information provided to competent offices.

Data subject requests are processed pursuant to Art. 12 - 23 GDPR or sections 32 - 37 of the Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz).

The information provided is sent to affiliated group companies after weighing up the interests of all sides.

2.6 Legitimate interests

D-Trust has a legitimate interest within the meaning of Art. 6 (1) f GDPR in the following cases:

Information security and preventive measures are carried out using technical and organizational measures, including incident handling, in order to assess and prevent possible damage to the company (D-Trust), the data subjects whose data has been processed and to the trust service users.

The controller is part of a company group. Within the meaning of Recital 48 EU GDPR, Bundesdruckerei GmbH, as a subsidiary company of Bundesdruckerei Gruppe GmbH, has a legitimate interest in processing certain data centrally. Sanction list and export control checks, parts of dunning, sales activities and support service are performed by Bundesdruckerei GmbH.

2.7 Necessity to collect data

As a trust service provider, the controller is obliged to ensure the identity of the subscriber. The data marked as mandatory fields must be processed in order to meet with this obligation. If data is incorrect or not provided, it will not be possible to issue the certificate. The same applies to submitting proof, such as organizational affiliation or professional attributes. Without proof, the data cannot be included in the certificate.

The data subject’s mobile phone number or German landline number must be provided because it is used as a second factor as part of authentication to trigger a signature. The service cannot be performed without this security mechanism which is based on provision of this phone number.

2.8 Forwarding and foreign reference

In order to perform support services, the necessary data will be sent to the customer service unit of Bundesdruckerei GmbH and INCO Spólka z o.o. (subsidiary of Bundesdruckerei Gruppe GmbH in Poland).

Customers or partners running partner applications (e.g. portals or shop applications for signature credits) who use the sign-me API can use an user name to query the status of the users‘ certificates (certificate type and validity) and view information on any signature credit. In this way, an operator of partner applications receives information as to whether a user is registered with sign-me and, if so, which certificates are already available for the user.

If the certificate is used for signing, it is important for the recipient of the signature to know whether the signature is in fact from the signatory named and from a trusted source. The software used triggers a certificate status request, for instance, for this check. D-Trust GmbH offers a status query service for this purpose. This service can be used to find out whether or not a certain certificate has been revoked. Additionally the certificate is published in a repository service if the user agrees to this publication. The repository service, similar to a telephone directory, lists the certificates. The certificate is available online.

In addition, officers and identifying persons, auditors, supervisory authorities and, if necessary, competent authorities pursuant to section 8 (2) VDG can access the respective data.

Within the scope of export control, the name and organization are sent to Bundesdruckerei's sanctions list server. If matches fail, the date of birth, place of birth and nationality as well as the name at birth are used. In addition, the dispatch address, the country of dispatch, the invoice recipient’s address and, if applicable, other partners are assessed by Bundesdruckerei with a view to export control law.

Sales activities and dunning procedures are partly carried out by Bundesdruckerei GmbH.

There is no procedure in place nor the intention to transfer personal data to a third country or to an international organization.

3. Use of cookies

When individual pages are called up, so-called temporary cookies are used for technical service provision. These session cookies do not contain any personal data and expire at the end of the session. Techniques such as Java applets or Active-X-Controls, which enable the access behavior of the users to be traced, are not used.

4. Rights of data subjects

If you have any requests for information regarding your data and its correction, deletion or restriction regarding processing, please send this to the postal address shown above or signed to The same applies if you wish to object to processing within the meaning of Art 21 of the GDPR or if you have a query regarding data portability.

If you have any questions or complaints regarding a procedure, please contact us using one of the contact options listed above. If you have any other reason for complaint, you can also contact our supervisory authority (Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, Germany).

5. Whistleblower system

Bundesdruckerei operates a whistleblower management system in order to meet its special responsibility as a federal government security company. This system can be used at any time to report a situation that violates the values or policies of the Group or its business ethics or that has a negative impact on the life or health of individuals ('whistleblowing'). In addition to regular information and reporting channels, suspected cases can also be reported anonymously if necessary. Bundesdruckerei is in charge of this procedure, but it takes place under the joint responsibility of D-Trust GmbH. The point of contact for the persons concerned is Bundesdruckerei. More detailed information on data protection (Art. 13 GDPR) can be found in Bundesdruckerei’s Privacy Policy. The terms of use of the partner engaged by Bundesdruckerei for this purpose can be found in this Document.