Privacy Policy

BEGA Connect App

The protection and security of your personal data are of the utmost importance to us. Accordingly we observe the statutory regulations in order to provide the best possible protection for your data.

In the context of using the BEGA Connect mobile app (hereinafter: “app”) and your BEGA connectors, as little personal data and device data as possible is processed. Nevertheless, individual functions or services may not be used or may be subject to restriction without personal data.

Below we would like to inform you about the type, scope and purpose of the data collection and its use.


I. General notes

1. Function

The BEGA Connect app allows users to control and configure BEGA components.

2. Contact details of the Controller

Responsibility for operating the app and thus for processing personal data lies with BEGA Gantenbrink-Leuchten KG P.O. Box 3160 D-58689 Menden [email protected] (Hereinafter: “we” or “BEGA”).

3. Contact details of the Data Protection Officer

The responsible Data Protection Officer at BEGA is: Mr M. Helling c/o BEGA Gantenbrink-Leuchten KG P.O. Box 3160 D-58689 Menden [email protected]

4. Definitions

General terms: This privacy policy uses terms according to the way they are defined in the GDPR. The definitions (Art. 4 GDPR) can be viewed here, for example: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679

BEGA ID is the assigned individual identification number (ID) using which BEGA customers may register in the customer portal. The app does not access plain data on the basis of which the customer could be identified from the app; instead, it only accesses the ID (pseudonymisation)

Cookies are text files that are stored on or read from your device by a website or a mobile application connected to the internet. They contain combinations of letters and numbers in order for example to recognise the user and the user's settings when reconnecting to the service placing the cookie, to make it possible to remain logged in to a customer account, or to statistically analyse a particular user behaviour.

Categories of data that we mention in this privacy policy particularly include

  • BEGA ID;
  • Usage data (e.g. activity in the app, use of specific content, log data about accesses);
  • Location data (data that is collected or used in a telecommunications network or by a telecommunications service and which indicates the location of an end device for the user of a publicly accessible telecommunications service);
  • Traffic data (connection data such as IP addresses, device information, information about the operating system, application detection).

Personal data (Art. 4 (1) GDPR) means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5. Retention period

Personal data will be erased as soon as the purpose of processing no longer applies or the BEGA ID is deleted, or a prescribed storage period expires, unless further storage of the personal data is required to fulfil another contractual obligation or general legal obligation vis-à-vis the user.

6. Categories of data recipients

Recipients of personal data are employees at BEGA who need to process data for the processes outlined below based on a differentiated authorisation concept in order to implement the desired services and functions of the app. In addition, processors as defined under Art. 28 GDPR may also obtain data in their capacity as service providers, for example our IT service providers. Our service providers process personal data based on our instructions within the European Union or the European Economic Area or in a third country if this is permitted under an adequacy decision or other suitable guarantees (Art. 44 et seq. GDPR). We contractually oblige our service providers to adopt suitable technical and organisational measures to ensure data protection and preservation of data secrecy. Data processing will not occur in third countries unless this is expressly indicated in this privacy policy. With respect to the transfer of data to additional recipients, we only provide information about users if this is required by statutory provisions, the user has granted consent or we are authorised to carry out the transfer.

7. Data protection rights

As data subjects within the meaning of the GDPR, app users are entitled to various rights that ensure the protection of their privacy. These are: the right to access information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right of data portability pursuant to Art. 20 GDPR. For the right to receive information and the right to erasure, the restrictions of Sections 34 and 35 GDPR apply.

The user also has the right, in respect of consent given (Art. 6, (1) a GDPR), to withdraw this consent (Art. 7 (3) GDPR). The proper withdrawal of consent does not affect the lawfulness of the collection of data prior to this withdrawal.

In addition, the user has the right, for reasons arising from his or her particular situation, to object (Art. 21 GDPR) at any time to the processing of the personal data concerning him or her on the basis of Art. 6 (1) e) or f) GDPR.

The data subject also has the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with Section 19 BSDG). The supervisory authority with jurisdiction over us is: The Data Protection and Freedom of Information Officer for the State of North Rhine Westphalia, P.O. Box 20 04 44, 40102 Düsseldorf, Germany, E-mail: [email protected]. Data subjects have the right to lodge a complaint with any other supervisory authority for data protection.

8. No automated individual decision-making in individual cases / profiling

We do not use automated individual decision-making in individual cases including profiling to bring about such decisions pursuant to Art. 22 (1) and (4) GDPR.

II. Individual processing operations of the BEGA Connect app

The following explanations concern the processing of personal data by the BEGA Connect app.

1. Recording log data

(a) Description and purpose of data processing

When activating the app, data is regularly transferred such as the IP address and further information about the end device used (smartphone, tablet, computer etc.), the operating system used (iOS, smartphone, tablet, computer etc.), the operating system used (iOS, Android along with version number), log files about the time of accessing the app, the referrer and the quantities of data transferred. We are not able to identify individual users based on this data. This information helps us to determine the attractiveness of our service and to improve its performance and content, and to make them more interesting, as well as to maintain a suitable level of data and IT security by tracing whether an access to our app is a legal access. We have a legitimate interest in doing so.

(b) Legal basis

Legitimate interests, Art. 6 (1)(f) GDPR

(c) Data categories affected

Usage data, traffic data

(d) Data recipients outside the app

No

(e) Transfer to a third country outside the EU/EEA

No

(f) Retention period

Until the app is deactivated or erased

2. Registration / BEGA ID

(a) Description and purpose of data processing

No registration is necessary in order to use the app. However, registration with the BEGA ID is technically necessary for individual functions:

  • Transferring a Connect system to another end device (smartphone, tablet)
  • Jointly using a Connect system across more than one end device (smartphone, tablet)

For these types of use, user registration occurs outside the app on the BEGA website. After successful registration, only the BEGA ID is recorded within the app. The BEGA ID is the only identifier within the app. Linking with customer data outside the app, e.g. for the purposes of creating a profile or personalised marketing, is excluded.

(b) Legal basis

Performing contractual services, Art. 6 (1)(b) GDPR

(c) Data categories affected

BEGA ID

(d) Data recipients outside the app

Microsoft Deutschland GmbH, Walter-Gropius-Straße 5, 80807 Munich; Hosting Provider (MS Azure-Cloud) ("Microsoft").

(e) Transfer to a third country outside the EU/EEA

Not intended. A processing agreement has been concluded with Microsoft (Art. 28 GDPR) that also covers EU standard contract clauses. As additional protective measures, data is only transmitted in encrypted form and is strongly pseudonymised, i.e. only a so-called token ID (number sequence) is stored, which cannot be used by third parties to identify persons.

(f) Retention period

Until the app is deactivated or erased

3. Bluetooth connection / Use of location data

(a) Description and purpose of data processing

The app accesses location data by default as soon as the Bluetooth connection required for in-app control of the BEGA luminaires has been activated. No analysis or forwarding of location data occurs. Data processing is carried out based on the consent granted through data activation in the operating system settings of the user's end device. To exercise the right of withdrawal, the app, location activation or Bluetooth connection can be deactivated in the device settings at any time. However, in this case it will not be possible to use the app or only to a limited extent. The duration of processing is as long as the app or location release are activated.

(b) Legal basis Consent, Art. 6 (1)(a) GDPR

(c) Data categories affected

Location data

(d) Data recipients outside the app

No

(e) Transfer to a third country outside the EU/EEA

No

(f) Retention period

Until the app or location activation is deactivated or erased.

4. Google Firebase Crashlytics

(a) Description and purpose of data processing

As part of the BEGA Connect app, an error diagnosis service is used to improve the stability and reliability of our apps. To do so, we rely on anonymised crash reports. To this end, we use “Firebase Crashlytics”, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street Dublin 4, Ireland (“Google”).

In the event of a crash, anonymous information is transmitted to the Google servers (condition of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the smartphone, last log data), whereby further processing or access to data including outside the European server environment cannot be excluded.

The reports do not refer to individuals as a basic principle and are transmitted to Google in an anonymised form. If this data should make it possible to identify persons in individual cases prior to transmission to Google, the data processing for anonymisation purposes served our legitimate interest.

  • iOS: You can switch off the error message at any time by deactivating the function “Crash Reports” in the iOS app settings.
  • Android: For Android apps, deactivation is generally carried out in Android settings. To do so, open the App Settings, select the item "Google" and then the menu item "Use & Diagnosis". Here you can deactivate the data transfer in question.

You can find more information about data protection in the privacy policy of Firebase Crashlytics at https://firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#data-collection-policies

(b) Legal basis

Legitimate interest, Art. 6 (1)(f) GDPR

(c) Data categories affected

Traffic data, usage data

(d) Data recipients outside the app

Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland ("Google")

(e) Transfer to a third country outside the EU/EEA No; data is not transmitted in a personal form.

(f) Retention period

Until the app is deactivated or erased

5. Scandit

(a) Description and purpose of data processing

The integrated application "Scandit" is a mobile barcode scanner used to record product codes for the BEGA devices operated via the app. To this end, the app needs access to functions such as the device camera. Data will be collected in case troubleshooting is required as well as for statistical analysis and performance monitoring. Licence compliance can also be monitored in this way. We require this function in order to enable the desired scope of use for the app. The creation of analysis and performance data lies in our legitimate interest in ensuring the security of the app.

(b) Legal basis

Consent, Art. 6 (1)(b), (f) GDPR

(c) Data categories affected

Usage data, traffic data; potentially location data

(d) Data recipients outside the app

Scandit AG, Förrlibuckstrasse 181, 8005 Zürich, Switzerland

(e) Transfer to a third country outside the EU/EEA

Switzerland. An adequacy decision of the EU Commission exists whereby Switzerland is a safe third country for data protection.

(f) Retention period

Until the app or location activation is deactivated or erased.

III. Individual processing operations of the BEGA connector

The following explanations concern the software-based processing of data by initialising and using the BEGA connector.

1. Recording log data

(a) Description and purpose of data processing

When using the software implemented in the connector, data such as the device ID and log files is transmitted regularly. In the event of serious system errors (crashes etc.), this data may be shared with our software service provider. The information is required to ensure the functionality and optimisation of the software, as well as to guarantee the security of our information technology systems. We are not able to identify individual users based on this data. If this data should make it possible to identify persons in individual cases, the data processing served our legitimate interest.

(b) Legal basis

Legitimate interests, Art. 6 (1)(f) GDPR

(c) Data categories affected

Usage data, traffic data

(d) Data recipients outside the app

IT service providers (Art. 28 GDPR)

(e) Transfer to a third country outside the EU/EEA

No

(f) Retention period

Until the app is deactivated or erased

2. Setting up the connector for remote access

(a) Description and purpose of data processing

As part of the initialisation of the connector for remote access to BEGA luminaires, the BEGA ID token is registered in our cloud database. This transfer takes place automatically.

After successful transfer, only the BEGA ID is recorded. Linking with customer data, e.g. for the purposes of creating a profile or personalised marketing, is excluded.

(b) Legal basis

Performing contractual services, Art. 6 (1)(b) GDPR

(c) Data categories affected

BEGA ID

(d) Data recipients outside the app

Microsoft Deutschland GmbH, Walter-Gropius-Straße 5, 80807 Munich; Hosting Provider (MS Azure-Cloud) ("Microsoft").

(e) Transfer to a third country outside the EU/EEA

Not intended. A processing agreement has been concluded with Microsoft (Art. 28 GDPR) that also covers EU standard contract clauses. As additional protective measures, data is only transmitted in encrypted form and is strongly pseudonymised, i.e. only a so-called token ID (number sequence) is stored, which cannot be used by third parties to identify persons.

(f) Retention period

Until the app is deactivated or erased


Disclaimer This privacy policy is valid for the BEGA Connect app and the BEGA connector. If interfaces to other apps are integrated within the app, we are not responsible for any data processing that occurs there. We are not obliged to monitor whether third-party content accessible via the app complies with data protection regulations and we do not undertake any such monitoring. We reserve the right to change or adjust the privacy policy at any time. We therefore request our users to regularly consult potential changes to the privacy policy here. Changes may occur in particular when we expand or modify functions.