Data protection information
(Version: 1.1 (sign) – 31.01.2022)
1. AUTHADA Identification Service
AUTHADA sign allows the user to digitally sign PDF documents using a qualified electronic signature (“QES”). AUTHADA GmbH (hereinafter also referred to as AUTHADA) collects the personal data of the person to be identified (user) from the identity card (nPA), electronic residence permit (eAT) or EU citizen card (eID card) (hereinafter also jointly referred to as eID cards) as part of the identification required for this purpose for its clients (e.g. signature service providers). The identification is carried out in accordance with § 18 Identity Card Act (PAuswG) and is carried out via a mobile and NFC-capable end device using the AUTHADA App. This service is provided by AUTHADA GmbH as a service provider within the meaning of § 2 para. 3 PAuswG for its clients, so that they can meet legal requirements, e.g. from the Money Laundering Act, or to increase the security of the user’s identity. AUTHADA GmbH carries out these activities as a processor in accordance with Art. 28 ff GDPR and the instructions of its clients. Furthermore, AUTHADA GmbH offers the user the possibility of retrieving the data stored on the electronic identity card and displaying it on the mobile device (self-disclosure).
2. Personal data
Personal data from the ID chip is transferred exclusively for the purpose of electronic proof of identity to the extent of the authorization granted, after the user has given his consent by entering his ID PIN. Personal data from the documents to be signed or for the creation of a QES are processed solely for the purpose of generating a QES and signing the documents accordingly. In the case of self-disclosure, the data is displayed on the mobile device but not stored there. Further processing is not carried out.
AUTHADA GmbH uses state-of-the-art technical and organizational security measures to protect AUTHADA sign as well as the identification service and the personal data processed therein against incidental or intentional manipulation, loss, destruction or access by unauthorized persons. For example, all communication channels between the identification chip and the client of AUTHADA GmbH are protected with state-of-the-art Transport Layer Security (TLS) mechanisms. Furthermore, the security measures used are continuously monitored and improved in accordance with technological developments.
4. Logging data
The AUTHADA sign Webapp uses the analysis tool Matomo to detect errors at an early stage and to continuously improve the App. In addition, the tool supports the tracking of user behavior in the AUTHADA sign Webapp by creating anonymous usage reports. This data is stored on the server of AUTHADA GmbH in Germany. The analysis tool is configured in such a way that only data regarding the use of the AUTHADA Webapp and the used end device are collected. The data is anonymized (IP address) in such a way that no conclusion can be drawn about a person. After six months this data is automatically deleted.
The AUTHADA sign Webapp uses the analysis tool Sentry to evaluate possible buggy behaviour of the web app. After a buggy behaviour, a report is created that sends the affected code sections and the device information to AUTHADA. This data is stored on the AUTHADA GmbH server in Germany. The data is anonymised (IP address) in such a way that no conclusion can be drawn about a person. After six months, this data is automatically deleted.
5. Signature creation process
The AUTHADA sign user uses a compatible mobile device (e.g. his smartphone or tablet) to read the ID document (nPA/eAT/eID card) with the help of the NFC interface. In the following, AUTHADA sign is explained with the corresponding steps and the associated data processing:
The user is informed of the option of signing with AUTHADA sign on the website of the AUTHADA GmbH client.
The user now carries out the identification process according to section 6.
The user will then be requested to enter his mobile phone number and e-mail address in the field provided or to check these if the information has already been sent to AUTHADA in the first step.
In the next step, the user is given the opportunity to view the documents to be signed. The user is now required to accept the signatures that are to be provided in the individual documents individually by means of a checkbox.
The user then receives a One Time Password (OTP) via SMS to the number he or she has given. The OTP must be entered in the field provided. The process must then be confirmed by the user. After successful verification of the OTP, the QES is applied to the documents to be signed.
The client can then retrieve the result from the sign service by entering the result token. The result of a signature or identification is not stored by AUTHADA, but is deleted by the sign service after successful retrieval by the client or after a specified period of time has elapsed.
The AUTHADA sign process is now complete. The read-out data is forwarded directly to the AUTHADA GmbH client.
All personal data collected by AUTHADA is used exclusively to identify the user, to apply the QES to the document to be signed and to check that the data has been properly processed. During each AUTHADA sign process, the user releases the data that will be transmitted to the principal. The user’s personal data is not processed beyond the scope of the legal permissions.
6. identification process
The user of the AUTHADA Identification Service uses a compatible mobile device (e.g. his smartphone or tablet) to read the identification document (nPA/eAT/eID card) with the help of the NFC interface. The identification process with the corresponding steps and the associated data processing works as follows:
On the website of the client of AUTHADA GmbH, the user is made aware of the option of identification by AUTHADA GmbH.
The user starts the identification process. Within the framework of this process, both the PIN of the identity card (nPA/eAT/eID card) and the data of the identity card (nPA/eAT/eID card) are collected via NFC function.
The user authorizes the collection of the data for transmission to the client of AUTHADA GmbH and for the stated purpose.
As soon as the data has been extracted and sent, the user is shown a TAN number, which he must enter in a designated field on the client’s website.
The identification is now complete. The extracted data will be forwarded directly to the client of AUTHADA GmbH.
All data collected by AUTHADA is used exclusively to identify the user, as well as to check the proper processing of the data. During each identification process, the user authorizes the data, which will be transmitted to the client. A processing of the user’s personal data beyond the scope of the legally permitted activities does not take place.
7. Support service and incident management
The user may contact AUTHADA GmbH by e-mail at email@example.com with questions regarding the AUTHADA Identification Service. To process these inquiries AUTHADA GmbH uses the helpdesk software of weclapp SE, Neue Mainzer Straße 66 – 68, 60311 Frankfurt am Main. weclapp SE hosts its data in the data center 1 & 1 IONOS Cloud GmbH, Greifswalder Straße 207, 10405 Berlin.
Personal data collected by AUTHADA this way may be:
E-mail address in case of user request by e-mail
All personal data contained in the e-mail
In case of a support request the data will be stored on the systems of weclapp SE. Personal data will solely be used to answer the respective request. The contents of the support request are stored and used to improve the AUTHADA Identification Service. The processing of this data at AUTHADA GmbH is governed by Art. 6 Para. 1 lit. a GDPR and Art. 6 Para. 1 lit. f GDPR.
The personal data of each support request will be automatically deleted after 6 months.
8. Storage and usage
The data obtained by the identification service as well as through AUTHADA sign is transmitted to the client and deleted from the servers of AUTHADA GmbH immediately after transmission. The storage and processing of this data by the client arises from the legal requirements applicable to it (e.g.: Money Laundering Act) and is described in the corresponding data protection policies of the client.
In the case of self-disclosure, the data is only displayed on the mobile device, but not stored. Further processing does not take place. The processing of this data at AUTHADA GmbH is governed by Art. 6 para. 1 lit. b GDPR.
The data of the analysis tool Matomo is automatically deleted after six months.
The personal data of each support request will be automatically deleted after 6 months.
9. Rights of data subjects
(a) Right of information and confirmation
You have the right to receive free information and confirmation of the personal data stored about you and a copy of this information at any time.
(b) Right of rectification
You have the right to demand the immediate correction of incorrect personal data concerning you. You also have the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.
c) Deletion rights
You have the right to obtain the immediate deletion of personal data relating to you if one of the following reasons applies and provided that the processing is not necessary
the personal data have been collected or otherwise processed for purposes for which they are no longer necessary
you withdraw the consent on which the processing was based and there is no other legal basis for the processing.
you object to the processing in accordance with Article 21para 1 GDPR and there are no overriding legitimate reasons for processing, or you object to the processing in accordance with Article 21 para 2 GDPR.
the personal data were processed unlawfully.
The deletion of the personal data is necessary to comply with a legal obligation under European Union law or the law of the Member States to which AUTHADA is subject.
(d) Right to limit processing
You have the right to request the limitation of the processing if one of the following conditions is met:
You contest the accuracy of the personal data, for a period of time that allows us to verify the accuracy of the personal data.
The processing is unlawful, you object to the deletion of the personal data and instead demand the limitation of the use of the personal data.
AUTHADA no longer needs the personal data for the purposes of processing, but you need the personal data to assert, exercise or defend legal claims.
You have lodged an objection to the processing in accordance with Art. 21 para. 1 GDPR and it is not yet clear whether AUTHADA’s legitimate reasons outweigh yours.
e) Right to object to the processing
You have the right to object at any time to the processing of personal data concerning you that is carried out based on 6 para. 1 letters e or f GDPR.
In the event of an objection, AUTHADA will no longer process the personal data, unless AUTHADA can prove compelling reasons for processing worthy of protection that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
You have the right to object at any time to the processing of personal data for the purpose of direct marketing.
(f) Right to data portability
You have the right to receive the personal data concerning you, which have been provided to AUTHADA, in a structured, common and machine-readable format. You also have the right to transfer this data to another responsible party without impediment from AUTHADA, provided that the processing is based on the consent pursuant to Art. 6 para 1 letter a GDPR or Art. 9 para 2 letter a GDPR or on a contract pursuant to Art. 6 para 1 letter b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a duty that is in the public interest or is carried out in the exercise of official authority delegated to the responsible party.
Furthermore, when exercising your right to data transfer pursuant to Art. 20 para 1 GDPR, you have the right to request that personal data be transferred directly from one controller to another controller, insofar as this is technically feasible and provided that the rights and freedoms of other persons are not affected.
g) Right to withdraw data protection consent
You have the right to withdraw your consent to the processing of personal data at any time.
(h) Right of appeal to the supervisory authority
You have the right to appeal at any time to a supervisory authority in the Member State of your place of residence or employment or of the alleged breach, if you believe that the processing of personal data relating to you is in breach with the General Data Protection Regulation.
10. Data protection officer
You may contact our data protection officer at the above-mentioned postal or e-mail address.
11. Competent data protection authority
You have the option of contacting the above-mentioned data protection officer or a data protection supervisory authority. The data protection supervisory authority which is competent for us:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 31 63