Privacy Policy for the Signature Portal

Protecting personal data is important to Bundesdruckerei Gruppe GmbH and its subsidiaries (jointly referred to as “Bundesdruckerei Group”). As such, we process personal data in accordance with the applicable legislation for the protection of personal data and data security.

The Group company where the respective user is employed or where an external user is invited to the signature process is responsible for data processing when the signature portal is used, as described in this data protection information:

Bundesdruckerei GmbH: Kommandantenstraße 18, 10969 Berlin. You can contact the Data Protection Officer of Bundesdruckerei GmbH at the address indicated above, addressing it “To the Data Protection Officer”, by sending an email to: datenschutz@bdr.de or by calling phone number +49 (0)30 2598-0.

D-Trust GmbH: Kommandantenstraße 15, 10969 Berlin. You can contact the Data Protection Officer of D-Trust GmbH via the address indicated above, addressing it “To the Data Protection Officer”, by sending an email to: datenschutz@d-trust.net.

genua GmbH: Domagkstraße 7, 85551 Kirchheim bei München. You can contact the Data Protection Officer of genua GmbH at the address Projekt 29 GmbH & Co. KG, Ostengasse 14, 93047 Regensburg, addressing it “To the Data Protection Officer”, by sending an email to: anfrage@projekt29.de or by calling phone number +49 941 2986930.

iNCO Sp. z o.o.: Wawrów 90, 66-403 Gorzów Wielkopolski, Poland. You can contact the Data Protection Officer of iNCO Sp. z o.o. at the address indicated above, addressing it “To the Data Protection Officer”, or by sending an email to: iod@incoscan.com.

Maurer Electronics GmbH: Kommandantenstraße 18, 10969 Berlin. You can contact the Data Protection Officer of Maurer Electronics GmbH at the address Kommandantenstraße 18, 10969 Berlin, addressing it “To the Data Protection Officer”, by sending an email to: datenschutz@bdr.de or by calling phone number +49 (0)30 2598-0.

Xecuro GmbH: Oranienstraße 91, 10969 Berlin. You can contact the Data Protection Officer of Xecuro GmbH at the address Boris Reibach, LL.M., Scheja und Partner Rechtsanwälte mbB, Adenauerallee 136, 53113 Bonn, by sending an email to: datenschutz@xecuro.de or by calling phone number +49 (0)30 2598-0.

2.1 Personal data categories

In the signature portal, users can set up and implement workflows for signing, sealing and time-stamping documents. The signed or sealed documents can be validated as well. The following products and services of D-Trust GmbH (D-Trust) are used for this purpose.

The following data is processed when signature and seal workflows are implemented:

  • Identification data: Surname, first name, valid from/to, place of birth, nationality, name at birth, date of birth, registration address, ID card number (to compare application, ID card, proof of identification), issuing authority
  • Additional data: Title, academic degree, contact email, email certificate, mobile phone number, billing address, organisation, product-specific ID, user name
  • Verifications: VideoIdent verification (recording of person, ID document / passport / ID document)
  • Identification verifications when using QSeal ID
  • Certificate data
  • Log files, including organisation name and IP address
  • IP addresses, access times
  • Any documentation on transmissions pursuant to Sec. 8 (2) VDG (Trust Services Act)
  • Data to be signed in the signature portal’s dashboard

2.2 Personal Data Source

User data

  • of employees is taken from the Active Directory of the responsible Group company
  • during self-registration is recorded via a web form
  • from identity verification service providers is accepted as a verified data set
  • of customers who communicate with the sign-me application via API is accepted
  • of customer contact persons is taken from contracts and forms
  • of companies that provide support for their own end customers is taken from service and support requests
  • is taken from direct user support requests

2.3 Purposes of Processing

The data is processed for the following purposes:

  • To establish the identity of the applicant
  • To establish the identity of authorised representatives when the Qualified Seal ID service is used
  • To review and process applications
  • For billing
  • To ensure compliance with documentation obligations
  • For implementing export control and comparing sanctions lists
  • To ensure the certificate life cycle, including the revocation and operation of the directory service (status information service)
  • In individual cases, for troubleshooting, especially with support requests.

The certificates are used to create signatures / advanced electronic seals for the certificate holder (user) during the process of creating signatures/seals.

In the case of requests pursuant to Sec. 8 (2) VDG, information will be forwarded to the competent authorities.

2.4 Legal basis/bases for processing

Certificates and certificate verification data, contact data, order data, invoice data, documentation on support/service cases and any documents to be signed are processed to fulfil the contract with the respective user. The legal basis for processing is Art. 6 (1) (b) GDPR.

The eIDAS Regulation (No. 910/2014) and the Trust Services Act (VDG) provide the legal framework for trust services. For the copy of the ID card, passport or other ID document, the consent of the user is obtained in accordance with Art. 6 (1) (a) GDPR.

The legal basis for transmitting data to competent authorities is Sec. 8 (2) VDG in conjunction with Art. 6 (1) (c) GDPR.

2.5 Forwarding of personal data

To identify users and provide the signature creation service, D-Trust acts as an instruction-dependent processor in relation to the other Group companies pursuant to Art. 4 (8) GDPR.

As a qualified trust service provider, D-Trust processes personal data according to its commissioning. In addition to processing for the purpose of providing the sign-me remote signature system and seal-me remote sealing service, D-Trust also processes personal data for information security measures. This includes prevention through technical and organisational measures to foresee and prevent possible harm to the responsible Group company and D-Trust.

In line with the legal requirements of Section 8 (2) VDG, D-Trust needs to transmit personal data to the competent authorities or enable them to access it according to the purposes specified therein.

2.6 Necessity of providing personal data

As a trust service provider, D-Trust requires the data marked as mandatory fields in order to verify the identity of the certificate holder. The requested certificate cannot be issued if this information is not provided or is incorrect.

A mobile phone number of the user is mandatory, as the mobile phone is used as the second factor in the authentication process for triggering the signature. Without this security mechanism, which is based on the mobile phone number, it is not possible for the service to be provided.

2.7 Duration of storage

Data in the signature portal that is collected during the workflow is automatically deleted 30 days after completion. This does not affect the data collected for the creation of qualified signature certificates.

Qualified signature certificates are stored permanently pursuant to Sec. 16 (4) of the Trust Services Act. This corresponds to the entire duration of the trust service provider’s operations. Should D-Trust GmbH cease its operations, the data will be transferred to the Federal Network Agency or another qualified trust service provider.

All other certificate verification data and certificates will be deleted 8 years after the validity of the last certificate issued expires.

Documentation on transmissions pursuant to Sec. 8 (2) VDG (Trust Services Act) will be retained for twelve months.

Invoice data will be deleted after ten years.

Under applicable data protection law, you have the following basic rights as a data subject:

The right

  • to request confirmation as to whether personal data concerning you is being processed and to receive information about the personal data processed along with further information (cf. Art. 15 GDPR);
  • to demand the correction of incorrect personal data (cf. Art. 16 GDPR);
  • to demand the erasure of the processed personal data (cf. Art. 17 GDPR);
  • to demand the restriction of the processing of personal data (cf. Art. 18 GDPR);
  • to receive the personal data that you have provided in a structured, commonly used and machine-readable format or to request that the personal data be transmitted to a third party (cf. Art. 20 GDPR);
  • to object to data processing based on Art. 6 (1) (f) GDPR or for direct marketing purposes (cf. Art. 21 GDPR);
  • to revoke your consent at any time with future effect. Such revocation only applies to the future and does not affect the legality of the processing of personal data up until the revocation.

Pursuant to Art. 77 GDPR, you also have the right to lodge a complaint with a data protection supervisory authority.

This Privacy Policy is dated: 27.06.2024.