Privacy Policy

The following Privacy Policy describes the ways in which RISA Sicherheitsanalysen GmbH collects, maintains and uses personal and sensitive personal data received from users of the RISA Sicherheitsanalysen GmbH Service (hereinafter "the Service"), which is available for smartphones and other smart mobile devices. The privacy policy was formed based on the European and national legislation on the protection of personal data (General Data Protection Regulation - GDPR 679/2016) (hereinafter "GDPR").

Services

Logging in and using the Service provided requires the disclosure and recording of potentially personal data, as described below. For this reason, we invite you to provide us with your free expert and express consent to the collection, processing and retention of your personal data upon completion of your account creation. Before giving your consent, please read carefully the following:

Definitions

Below are some definitions, such as those listed in the GDPR which would be useful for you to study and understand in order to make our privacy policy clearer and more understandable.

Users are the main users of the RISA Sicherheitsanalysen GmbH Service, who maintain a personal account.

Simple personal data are: "any information concerning an identified or identifiable natural person ("data subject"). An identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as name, surname, sex, contact details, etc. The simple personal data do not constitute special category data, as for example, personal data concerning the Subject's Health, or their political, philosophical views, as well as their sexual orientation".

Data Controller is: "the natural or legal person, public authority, Service or other body which alone or together with others, determines the purposes and manner of processing personal data".

Consent of the Data Subject means: "any indication of will, free, specific, express and informed, by which the data subject expresses that they agree, with a statement or with a clear positive action, to process the personal data concerning them".

Personal Data Collection

Data collection

To log in to the RISA Sicherheitsanalysen GmbH Service, all users are required to enter their username and password.

The data that you are required to fill in the respective forms and fields are necessary for the quality provision of the RISA Sicherheitsanalysen GmbH Service, observing the principles imposed by the GDPR and in particular the one of minimisation, according to which only those data of the Subject that are necessary to serve the purpose of processing should be collected.

By logging in to the RISA Sicherheitsanalysen GmbH Service, you have direct access to your personal data. You have the ability to correct data that have either changed or have been incorrectly or inaccurately recorded. You can even delete part or all of your personal data, or even deactivate your personal account from the RISA Sicherheitsanalysen GmbH online Service.

Data kept during the use of the Service

For each user, and for the duration of the use of Services, information resulting from the management and use of their account is collected and kept, including, without limitation, their account settings, as well as their discussions’ log files. In addition, the content uploaded by each user is stored, which may include, without limitation, personal diet, fitness or goals; activity data; notification/reminders receipt and user’s related notification preferences. The Services notification/reminder tool is configured based on the preferences provided by the user.

The personal data collected and stored for each user by the Service, are described below:

 

Anonymous data and "Cookies"

Logging in to the Service automatically records data that may include, but is not limited to, the user's IP address, browser type, operating system, country and length of stay, as well as other statistics, whether this is a user of the Service. In addition, session cookies may be used to activate certain features of the Service. Session cookies are automatically deleted after logging out of the Service.

Purposes of the Processing of Personal Data

RISA Sicherheitsanalysen GmbH is responsible for the protection of your personal data, which is collected while using the RISA Sicherheitsanalysen GmbH Service.

More specifically, RISA Sicherheitsanalysen GmbH has taken all appropriate and necessary technical security measures, in accordance with the principle of Privacy by Design, according to which the data collected on the one hand are specific and always in accordance with the purpose of processing, and on the other hand RISA Sicherheitsanalysen GmbH has taken the necessary and appropriate technical security measures to protect personal data from illegal access by an unauthorised third party with no legal interest in it, as well as their confidentiality.

The purpose of processing personal data through the RISA Sicherheitsanalysen GmbH Service is to support and enhance the health and wellbeing of the users. It focuses especially on providing tailored relevant information, creating awareness, and helping users realise how they can maximise health benefits by following the provided advice.

Data Sharing and Transfer

RISA Sicherheitsanalysen GmbH and its authorised personnel do not forward, nor disclose to unauthorised third parties the personal data of the users. By way of exception this may happen, if required by law, by a court judgement or requested by another state or regulatory authority and exclusively to those authorities. The disclosure of the user's personal data to other users of the RISA Sicherheitsanalysen GmbH Service is done with the action/consent of the user themselves, or upon any pre-authorised access of users.

The protection of the confidentiality of personal data collected in the online Service, in addition to the mandatory security measures taken by RISA Sicherheitsanalysen GmbH, is recommended to be strengthened by the user of the Service. More specifically, the user is advised not to disclose their password to third parties. The login details of the Service (email/username and password) of all users are strictly personal and cannot be shared with other people.

Disclosure of anonymous data

RISA Sicherheitsanalysen GmbH may transmit anonymous data and log data collected to third parties, for purposes such as statistical demographic analysis, research and education. The data shared in this context does not include any personal information or user identification.

Cooperating agencies

RISA Sicherheitsanalysen GmbH may outsource to third party Service providers part or all of the support of its Services, the provision of the Service on its behalf, as well as support Services related to the Service (including, without limitation, maintenance Services, chatbot Services, analysis of data and improvement of application features). These bodies, which act as executors of the processing, have access to the data of the users of the Service only for the execution of the above tasks on behalf of RISA Sicherheitsanalysen GmbH and are required not to disclose or use this data for any other purpose.

Security and Confidentiality

RISA Sicherheitsanalysen GmbH takes physical, technical and organisational measures for the security of the personal data of the Service’s users and their protection from loss, misuse, unauthorised access, violation, disclosure, distortion or destruction. However, no security system nor data transmission via the internet can be 100% secure and RISA Sicherheitsanalysen GmbH cannot guarantee the absolute security of the data it maintains.

The technical team of RISA Sicherheitsanalysen GmbH has designed the implementation of all those security measures intended to protect your personal data. More specifically, when creating the user's personal account, a strong password is required to be created. Please do not share these codes with third parties, nor should they be freely accessible or in public view. Each user has the sole responsibility for any action carried out through their account and must protect their login details and confidentiality (username and password) and inform RISA Sicherheitsanalysen GmbH in case of any suspicion of interception of this information or violation of their account. In the event that a third party obtains unauthorised access to your account through your own fault, you bear the sole responsibility.

Retention time of personal data

RISA Sicherheitsanalysen GmbH does not keep your personal data in its file for a period exceeding the reasonable measure, and always in compliance with the requirements of the GDPR and national legislation. The calculation of the retention period in our records of the said data, took place in accordance with the obligations of RISA Sicherheitsanalysen GmbH, both towards you and towards the competent judicial, prosecutorial and administrative authorities, in case of any violation or criminal offense. More specifically, the identification data-contact details through the RISA Sicherheitsanalysen GmbH Service are stored in our databases for 2 years after your account is closed by you or following a decision of RISA Sicherheitsanalysen GmbH.

The data related to the use of your Service and account, as well as your sensitive personal data, such as your discussion log files, remain in our databases for a period of 7 (seven) months, so that in case of a force majeure or an emergency, such as for example illegal intrusion into your account, they will be available and used appropriately by the competent authorities and always in accordance with international, European and national legislation.

Moreover, our compliance with the law requires the archiving of personal data that are initially stored in our databases. In other words, we are obliged to keep this data in the form of data at rest. More specifically, we keep the data encrypted and/or pseudo-anonymised in a form that cannot be accessed, except by the Data Controller, following a specific technical procedure for accessing them and after an order from a competent administrative, prosecutorial, judicial or tax authority, or for our compliance with European and national legislation. The period of archiving is determined based on the definitions set by the Law on Personal Data Protection.

Data Processing and Deletion

RISA Sicherheitsanalysen GmbH may retain and use the data provided by a user through the Service, if this is necessary to comply with its legal obligations, resolve disputes and enforce its agreements, as discussed above. Users of the Service can update and delete the personal data they have registered and the content they uploaded to their account.

RISA Sicherheitsanalysen GmbH keeps the data of the users of the Service as long as their account remains active and for as long as it is necessary for the provision of the Service to the respective user. Users of the Service can also deactivate their account whenever they wish, by submitting a request to the following email address: info@risa.de. In this case, their personal data are no longer available.

In addition, an archived copy of their data may be kept in accordance with European and national legislation.

User Rights

Under no circumstances is the use of the RISA Sicherheitsanalysen GmbH application mandatory. The provision of data is optional and voluntary. Failure to provide information and/or refusal to consent to the terms of the data processing results in the inability to use the RISA Sicherheitsanalysen GmbH application and its related sub-Services.

In any case, the user has the ability to delete their account, at any time, exercising the rights reserved by the Law, as analysed below.

The user reserves their rights to:

a) receive a written answer to their question to RISA Sicherheitsanalysen GmbH, if personal data concerning them are being or have been processed;

b) be informed again without delay and in a comprehensible and clear manner of all data concerning them, their origin, the purposes of the processing, the recipients or categories of recipients, the progress of the processing over the period from their previous update or information as well as the logic of the automated processing;

c) request the correction, deletion or freezing (locking) of data whose processing is not in accordance with the provisions of the new Regulation on Personal Data Protection (GDPR);

d) withdraw their consent at any time;

e) object at any time to the Data Controller for the processing of data concerning them, to submit a request for limitation of the processing, to know the identity of the controllers and their representative;

f) file a complaint in case of improper processing of their personal data to the competent supervisory authority;

g) request the portability of their personal data as defined in the provisions of the Regulation on Personal Data Protection (GDPR) (EU) 2016/679.

The respective user can contact RISA Sicherheitsanalysen GmbH in order to exercise any of the above rights, by communicating their request to the following email address: info@risa.de

Protection of Minors

The Service is not intended for minors. RISA Sicherheitsanalysen GmbH does not collect nor knowingly keep the personal data of minors. If a parent or guardian realises that their child has provided, through the website or Service, their personal data without their consent, they should contact the company. RISA Sicherheitsanalysen GmbH complies with the legislation on the protection of minors.

 

Changes to this privacy policy

Things change sometimes, so we do need to make updates to our privacy policy from time to time.  Our most up to date privacy policy will always be published on our website and via the link on our mobile apps. When major changes occur in the way that we collect and disclose your personal information we will notify you of those changes.

Data Controller

The appointed Personal Data Controller of the application and the electronic Service is RISA Sicherheitsanalysen GmbH with legal headquarters in Xantener Straße 11, 10707, Berlin-Wilmersdorf.

 

Contact

For any questions regarding the operation of the Service, as well as anything related to the terms of use please contact us electronically at info@risa.de or by phone on +49 30 315760.

Finally, if you fall victim to an illegal attack on your account, or notice any movement on or access to it that you did not perform yourself or authorise a third party to perform, please contact the Data Controller or the Data Protection Officer IMMEDIATELY, without any delay from the moment you become aware of the incident, either by e-mail or by phone at the respective e-mail address or telephone number.