BEGA Smart App – Privacy Policy

The protection and security of your personal data are of the utmost importance to us. Accordingly we observe the statutory regulations in order to provide the best possible protection for your data.

In the context of using the mobile app BEGA Smart app (hereinafter: "app"), as little personal data and device data is processed as possible. Nevertheless, individual functions or services of the app may not be used or may be subject to restriction without personal data.

Below we would like to inform you about the type, scope and purpose of the data collection and its use.
 

I. General notes

1. Function

The BEGA Smart app allows users to control and configure BEGA Smart components luminaires (see https://www.bega.com/de-de/produkte/bega-smart/).

2. Contact details of the Controller

Responsibility for operating the app and thus for processing personal data lies with:

BEGA Gantenbrink-Leuchten KG

P.O. Box 3160

D-58689 Menden

E-mail: info@bega.de

(Hereinafter: "We" or "BEGA")

3. Contact details of the Data Protection Officer

The responsible Data Protection Officer at BEGA is:

Mr M. Helling

c/o BEGA Gantenbrink-Leuchten KG

P.O. Box 3160

D-58689 Menden

E-mail: ds_beauftragter@bega.de

4. Definitions

General terms: This privacy policy uses terms according to the way they are defined in the GDPR. The definitions (Art. 4 GDPR) can be viewed here, for example: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679

BEGA ID is the assigned individual identification number (ID) using which BEGA customers may register in the customer portal. The app does not access plain data on the basis of which the customer could be identified from the app; instead, it only accesses the ID (pseudonymisation)

Cookies are text files that are stored on or read from your device by a website or a mobile application connected to the internet. They contain combinations of letters and numbers in order for example to recognise the user and the user's settings when reconnecting to the service placing the cookie, to make it possible to remain logged in to a customer account, or to statistically analyse a particular user behaviour.

Categories of data that we mention in this privacy policy particularly include

  • BEGA ID
  • Usage data (e.g. activity in the app, use of specific content, log data about accesses);
  • Location data (data that is collected or used in a telecommunications network or by a telecommunications service and which indicates the location of an end device for the user of a publicly accessible telecommunications service);
  • Traffic data (connection data such as IP addresses, device information, information about the operating system, application detection).
Personal data (Art. 4 (1) GDPR) means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5. Retention period

Personal data will be erased as soon as the purpose of processing no longer applies or the BEGA ID is deleted, or a prescribed storage period expires, unless further storage of the personal data is required to fulfil another contractual obligation or general legal obligation vis-à-vis the user.

6. Categories of data recipients

Recipients of personal data are employees at BEGA who need to process data for the processes outlined below based on a differentiated authorisation concept in order to implement the desired services and functions of the app. In addition, processors as defined under Art. 28 GDPR may also obtain data in their capacity as service providers, for example our IT service providers. Our service providers process personal data based on our instructions within the European Union or the European Economic Area or in a third country if this is permitted under an adequacy decision or other suitable guarantees (Art. 44 et seq. GDPR). We contractually oblige our service providers to adopt suitable technical and organisational measures to ensure data protection and preservation of data secrecy. Data processing will not occur in third countries unless this is expressly indicated in this privacy policy. With respect to the transfer of data to additional recipients, we only provide information about users if this is required by statutory provisions, the user has granted consent or we are authorised to carry out the transfer.

7. Data protection rights

As data subjects within the meaning of the GDPR, app users are entitled to various rights that ensure the protection of their privacy. These are: the right to access information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right of data portability pursuant to Art. 20 GDPR. For the right to receive information and the right to erasure, the restrictions of Sections 34 and 35 GDPR apply.

The user also has the right, in respect of consent given (Art. 7, Art. 6 (1) a) GDPR), to withdraw this consent (Art. 7 (3) GDPR). The proper withdrawal of consent does not affect the lawfulness of the collection of data prior to this withdrawal.

In addition, the user has the right, for reasons arising from his or her particular situation, to object (Art. 21 GDPR) at any time to the processing of the personal data concerning him or her on the basis of Art. 6 (1) e) or f) GDPR.

The data subject also has the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with Section 19 BSDG). The supervisory authority with jurisdiction over us is: The Data Protection and Freedom of Information Officer for the State of North Rhine Westphalia, P.O. Box 20 04 44, 40102 Düsseldorf, Germany, E-mail: poststelle@ldi.nrw.de. Data subjects have the right to lodge a complaint with any other supervisory authority for data protection.

8. No automated individual decision-making in individual cases / profiling

We do not useautomated individual decision-making in individual cases including profiling to bring about such decisions pursuant to Art. 22 (1) and (4) GDPR.

II. Individual processing operations

1. Recording log data

(a) Description and purpose of data processing

When activating the app, data is regularly transferred such as the IP address and further information about the end device used (smartphone, tablet, computer etc.), the operating system used (iOS, smartphone, tablet, computer etc.), the operating system used (iOS, Android along with version number), log files about the time of accessing the app, the referrer and the quantities of data transferred. We are not able to identify individual users based on this data. This information helps us to determine the attractiveness of our service and to improve its performance and content, and to make them more interesting, as well as to maintain a suitable level of data and IT security by tracing whether an access to our app is a legal access. We have a legitimate interest in doing so.

(b) Legal basis

Legitimate interests, Art. 6 (1)(f) GDPR

(c) Data categories affected

Usage data, traffic data

(d) Data recipients outside the app

No

(e) Transfer to a third country outside the EU/EEA

No

(f) Retention period

Until the app is deactivated or erased

2. Registration / BEGA ID

(a) Description and purpose of data processing

No registration is necessary in order to use the app.

However, registration with the BEGA ID is technically necessary for individual functions:

  • Transferring a Smart system to another end device (smartphone, tablet)
  • Jointly using a Smart system across more than one end device (smartphone, tablet)

For these types of use, user registration occurs outside the app on the BEGA website. After successful registration, only the BEGA ID and an individual password are recorded within the app. The BEGA ID is the only identifier within the app. Linking with customer data outside the app, e.g. for the purposes of creating a profile or personalised marketing, is excluded.

(b) Legal basis

Consent, Art. 6 (1)(b) GDPR

(c) Data categories affected

BEGA-ID

(d) Data recipients outside the app

Microsoft Deutschland GmbH, Walter-Gropius-Straße 5, 80807 Munich; Hosting Provider (MS Azure-Cloud) ("Microsoft").

(e) Transfer to a third country outside the EU/EEA

Not intended. A processing agreement has been concluded with Microsoft (Art. 28 GDPR) that also covers EU standard contract clauses.

(f) Retention period

Until the app is deactivated or erased

3. Bluetooth connection / Use of location data

(a) Description and purpose of data processing

The app accesses location data by default as soon as the Bluetooth connection required for in-app control of the BEGA luminaires has been activated. No analysis or forwarding of location data occurs.

Data processing is carried out based on the consent granted through data activation in the operating system settings of the user's end device. To exercise the right of withdrawal, the app, location activation or Bluetooth connection can be deactivated in the device settings at any time. However, in this case it will not be possible to use the app or only to a limited extent. The duration of processing is as long as the app or location release are activated.

(b) Legal basis

Consent, Art. 6 (1)(a) GDPR

(c) Data categories affected

Location data

(d) Data recipients outside the app

No

(e) Transfer to a third country outside the EU/EEA

No

(f) Retention period

Until the app or location activation is deactivated or erased.

4. Google Firebase / Google Analytics

(a) Description and purpose of data processing

The Google service “Firebase” is implemented ( https://firebase.google.com). Firebase is a Google company. When using the app, usage data for the app will be transmitted to Ireland Limited, including the user’s IP address, and anonymised there. It cannot be excluded that Google branches outside of Europe may also have access to the data.

This data is used to generate statistics, for instance regarding how often, on which days and on which devices the BEGA Smart app is being used. On our behalf, Google analyses data regarding the manner in which users are using the BEGA Smart app; this data is necessary for us in order to guarantee the stability and security of the BEGA Smart app. Data collected in this way will not be aggregated with the respective user’s other profile information; instead it will be added to statistics that are anonymised using IP anonymisation that help BEGA to better understand user behaviour and better adapt the app to meet their needs (Google Analytics). The legal basis for using Google services is the user's consent. This can be withdrawn at any time by deactivating the app functions.

More information about data protection can be consulted in Google’s privacy policy: https://www.google.com/policies/privacy/.

(b) Legal basis

Consent, Art. 6 (1)(a) GDPR

(c) Data categories affected

Usage data, traffic data

(d) Data recipients outside the app

Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland ("Google")

(e) Transfer to a third country outside the EU/EEA

Not intended. A processing agreement has been concluded with Google (Art. 28 GDPR) that also covers EU standard contract clauses.

(f) Retention period

Until the app is deactivated or erased

5. Google Firebase Crashlytics

(a) Description and purpose of data processing

As part of the BEGA Smart app, an error diagnosis service is used to improve the stability and reliability of our apps. To do so, we rely on anonymised crash reports. To this end, we use "Firebase Crashlytics", a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street Dublin 4, Ireland ("Google").

In the event of a crash, anonymous information is transmitted to the Google servers (condition of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the smartphone, last log data), whereby further processing or access to data including outside the European server environment cannot be excluded.

These reports only refer to users to the extent that the crash report can be allocated based on the IP address or device ID, which are not subject to further processing at Google and are anonymised there. Data transfer only occurs with the express consent of the user that can be withdrawn as follows:

  • iOS: You can withdraw this consent at any time by deactivating the function "Crash Reports" in the settings of iOS apps.
  • Android: For Android apps, deactivation is generally carried out in Android settings. To do so, open the App Settings, select the item "Google" and then the menu item "Use & Diagnosis". Here you can deactivate the data transfer in question.

You can find more information about data protection in the privacy policy of Firebase Crashlytics at https://firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#data-collection-policies

The legal basis for the data transfer is Art. 6 (1)(a) GDPR.

(b) Legal basis

Consent, Art. 6 (1)(a) GDPR

(c) Data categories affected

Traffic data, usage data

(d) Data recipients outside the app

Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland ("Google")

(e) Transfer to a third country outside the EU/EEA

Not intended. A processing agreement has been concluded with Google (Art. 28 GDPR) that also covers EU standard contract clauses.

(f) Retention period

Until the app is deactivated or erased

6. Scandit

(a) Description and purpose of data processing

The integrated application "Scandit" is a mobile barcode scanner used to record product codes for the BEGA devices operated via the app. To this end, the app needs access to functions such as the device camera.

Data will be collected in case troubleshooting is required as well as for statistical analysis and performance monitoring. Licence compliance can also be monitored in this way. We require this function in order to enable the desired scope of use for the app. The creation of analysis and performance data lies in our legitimate interest in ensuring the security of the app.

(b) Legal basis

Consent, Art. 6 (1)(b), (f) GDPR

(c) Data categories affected

Usage data, traffic data; potentially location data

(d) Data recipients outside the app

Scandit AG, Förrlibuckstrasse 181, 8005 Zürich, Switzerland

(e) Transfer to a third country outside the EU/EEA

Switzerland. An adequacy decision of the EU Commission exists whereby Switzerland is a safe third country for data protection.

(f) Retention period

Until the app or location activation is deactivated or erased.


This privacy policy applies exclusively for the BEGA Smart app. If interfaces to other apps are integrated within the app, we are not responsible for any data processing that occurs there. We are not obliged to monitor whether third-party content accessible via the app complies with data protection regulations and we do not undertake any such monitoring.
We reserve the right to change or adjust the privacy policy at any time. We therefore request our users to regularly consult potential changes to the privacy policy here. Changes may occur in particular when we expand or modify functions.