5. What about BOOST’s solely automated decisions that significantly affect you?
A solely automated decision refers to a decision that has been delivered to you without any of our employees being involved in the process of the decision making. Such processing, involving solely technological means, allows us to offer you an objective and transparent decision. Please note that BOOST will not provide you with any solely automated decision.
6. For how long will we process your personal data?
We only keep personal data in an identifiable format for as long as is necessary for the purpose for which we are processing it (see more information on this in section 4.3), and, duly restricted, for as long as prescribed to comply with applicable laws and regulations (e.g. anti-money laundering laws, tax laws).
In particular, where we have a contractual relationship with you, we keep your personal data for as long as this contractual relationship lasts, and thereafter, duly restricted to the cases laid down in Art. 17 (3) GDPR. We may also keep the data for a longer period if required by law.
In any case, we will protect the confidentiality of your data, and where appropriate take steps to anonymise your personal data and any other information.
7. To whom do we communicate or give access to your personal data?
We may transfer data to third parties who process data in the context of performing or offering our Service(s) on our behalf (subcontractors which have integrated our Service(s) into their own platforms or applications and offer them to their customers or merchants with which we do not have a contractual relationship). Those actors act either as processors for us, or for the customers or merchants to which they offer their services. When acting as our processors, they are not authorized to use the data or disclose it in any way except as described above or to comply with legal requirements. The processors accessing your personal data generally operate in the information systems. We contractually require these third parties and our Partners to appropriately safeguard the privacy and security of personal data they process on our behalf and to only process said personal data in compliance with the GDPR.
If you want more information on the entities to whom we disclose, please contact email@example.com.
8. Do we transfer your personal data to third countries?
BOOST may (i) enter into agreements with Partners located outside the European Economic Area whereby those have access to personal data or (ii) transfer personal data to entities, including group entities to which BOOST belongs, located outside the European Economic Area (such as, for instance, China, Indonesia).
The level of data protection in countries outside the European Economic Area may be less than the level of data protection offered within the European Economic Area and transfers outside the European Economic Area. BOOST shall ensure that an adequate level of protection for such personal data is guaranteed by implementing one or more of the safeguards as set forth in Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”)).
In case BOOST cannot rely on an adequacy decision taken by the European Commission under Article 45 GDPR for a data transfer outside of the European Economic Area, BOOST will enter into Standard Contractual Clauses (as approved by the European Commission) under Article 46.2 GDPR with the recipient of your personal data. In addition and where necessary, BOOST may take supplementary measures in order to ensure compliance with the level of protection guaranteed within the European Economic Area.
We are committed to processing your personal data within the European Economic Area (the “EEA”), but your personal data may be transferred outside the EEA in certain situations, including (this list not being exhaustive) within the entities to which BOOST belongs or to some of our Partners outside the EEA.
If you want more information on the entities, countries where your data is transferred, and safeguarding measures we take, please contact our DPO (see contact details in section 12. below).
9. Do we receive any information on you from third parties?
No, we don’t.
10. What are your rights and how can you exercise them?
10.4 Data protection rights
In accordance with applicable regulations, you have the following rights:
a) Right to access, Art. 15 GDPR
At any time, you have the right to access your personal data that we process, meaning that you have the right to obtain a copy of your personal data that is processed by us.
b) Right to rectification, Art. 16 GDPR
You have the right to have inaccurate or incomplete personal data rectified, respectively completed (which may involve providing a supplementary statement to the incomplete data).
c) Your right to erasure, Art. 17 GDPR
You may ask us to erase the personal data concerning you in the following circumstances:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw your consent on which the processing is based and there is no other legal ground we can invoke for the processing activity concerned;
• you object to the processing of personal data concerning you which is based on the necessity of processing for (i) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or (ii) the purposes of the legitimate interests pursued by us or by a third party, which includes profiling based on those provisions, and there are no overriding legitimate grounds for the processing;
• you object to the processing of personal data concerning you for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation to which we are subject.
However, we do not have to agree to delete all your personal data in those situations as prescribed by law where we are allowed or required to keep your personal data for a longer period of time.
d) Your right to restrict processing, Art. 18 GDPR
If you have an issue with the content of the information we hold or with the way we have processed your personal data, you may limit the way we process your personal data.
You have the right to obtain restriction of processing by us in the following circumstances:
• you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
• you have objected to the processing of personal data concerning you which is based on the necessity of processing for (i) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or (ii) the purposes of the legitimate interests pursued by us or by a third party, which includes profiling based on those provisions, pending the verification whether our legitimate grounds override yours.
e) Your right to data portability, Art. 20 GDPR
Where legally applicable, you have the right to have the personal data you have provided to us to be returned to you or, where technically feasible, transferred to a third party in a structured, commonly used and machine-readable format. Upon your request, we will provide you or the recipient designated by you in your written request, a copy of such personal data in a CSV or similar format.
f) Your right to object, Art. 21 GDPR
You have the right to object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. In some cases and depending on the legal basis of our processing of your data, your right to object may be limited.
g) Your right to withdraw your consent, Art. 7 (1) GDPR
h) Your right not to be subject to a decision based solely on automated processing, Art. 22 GDPR
You have the right to ask that we do not make our decision solely based on automated processes, including profiling. You can object to such an automated decision, and ask that a person reviews it unless such decision is authorised by applicable law to which we are subject.
10.5 How to exercise your data protection rights
• by email: firstname.lastname@example.org
Any information on the identification document not necessary for verification should be blacked out. We will respond to your request within the timeframe laid down in Art. 12 (3) GDPR.
We will ensure that you are informed of the changes sufficiently in advance thereof, taking into account the potential impact of the change on you.
12. Questions and complaints – Contact information
• by email: email@example.com
In case you contact us, you are required to provide at least your first and last name. On request (only if absolutely necessary to identify you), please send a copy of your ID card or other identification document (passport or other proof of identity). Any information on the identification document not necessary for identifying you should be blacked out. Otherwise we won’t be able to identify you and, consequently, reply to your complaint.
If you feel like we have not addressed your questions or concerns adequately, you have the right to lodge a complaint at any time with any Data Protection Authority, e.g. with the Authority competent for us in Berlin, Germany, using the following contact details:
• by e-mail to firstname.lastname@example.org;
• via their helpline on +49 (0)228-997799-0; or
• by writing to Graurheindorfer Straße 153, 53117 Bonn, Germany.
| (namely, what we are doing, why and when) | Categories of personal data used for this purpose, and their source (See section 3. for more information on each category) | Legal basis for the processing under the GDPR |
| --- | --- | --- |
| Fulfilment of Service(s) (when you use our Service(s) and until completion thereof) | Information about your use of our Service(s). | The processing is necessary for the performance of the contract you concluded with us, Art. 6 (1) lit. b GDPR. |
| (Direct) Marketing (on a continuous basis as long as you remain a client of ours or until you object to our processing for marketing) | Information about your use of our Service(s). | The processing for marketing purposes is based on your consent, Art. 6 (1) lit. a GDPR. |
| Improvement of our Service(s) | Information about your use of our Service(s). | The processing is based on BOOST’s legitimate interest (being to improve our Service(s)), Art. 6 (1) lit. f GDPR. |
For the purpose of the relevant data protection legislation, the data controller responsible for your personal data is BOOST (as further described in section 2. below).
You are welcome to contact us (see our contact information below) if you have any questions relating to our data protection activities that are not answered in this data protection declaration.
2. Who are we?
BOOST Solutions GmbH (the “BOOST”, “we”, “us”, “our”) is registered with Berlin authorities under HRB 220912B, with registered address at Budapester Str. 46, 10787 Berlin, Germany, whose email is email@example.com. BOOST is a software as a service (the “SaaS”) solution provider for digital banking transformation, including mobile banking Apps, configurable marketing, operation platform, and cloud-native core banking system.
3. What personal data do we process and when/how?
3.1 What personal data do we process?
Personal data means any information relating to an identified or identifiable natural person and therefore concerns all information about a (directly identified) customer or on the basis of which the identity of the customer can be derived.
We collect the following personal data from you when you visit our Website and use our Service(s):
• Device-related information: device type, device id, device memory, storage information, hardware information, operating system, platform, screen resolution, color depth, IP address, browser settings, plugins, language setting, font setting, time zone setting, location information, adjust id, Google id, ad block, and similar information about your device settings;
• Contact information: email address, mobile phone number;
• Identification information: your first and last name, your title, your nationalities;
• Information about your use of our Service(s): service details which you have used and how you have used them, and your personal preferences.
3.2 When/how do we collect your personal data?
The personal data described in section 3.1 are either directly collected from you via direct interactions or from your devices, by BOOST or via third parties or publicly available sources, in the following manner:
• device-related information is directly collected from your device when you access our website;
• contact information is directly collected from you when you intend to use our Service(s);
• identification information is directly collected from you when you intend to use our Service(s);
• Information about your use of our Service(s) is directly collected from you when you use our Service(s).
4. On which legal basis and for which purposes do we process your personal data?
4.1 On which legal basis do we process your personal data?
Under this section, we tell you on what legal grounds we process your personal data. Depending on this legal basis, your rights with regard to our processing activities may differ.
We will process your personal data on the basis of one of the following legal grounds:
• the processing is necessary for entering into a contract or performing a contract (Article 6(1)(b) of the GDPR);
• the processing is necessary for the purposes of the legitimate interests pursued by the controller (us) or by a third party (Article 6(1)(f) of the GDPR) and does not unduly affect your interests or fundamental rights and freedoms;
• Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interest and your privacy. This data will remain strictly confidential. Such legitimate interests include fraud prevention, marketing, know your customer (“KYC”). You can contact us for more information on how we strike a balance (see section 12. for our contact details).
• the processing is necessary for compliance with a legal obligation to which BOOST is subject (Article 6(1)(c) of the GDPR), for example in limited cases with regard to the prevention of money laundering, or to respond to requests from competent authorities in this context;
• you gave your explicit consent for the processing for one or more specific purposes, it being understood that BOOST will at all times ensure that your consent is compliant with the applicable laws and regulations (Article 6(1)(a) of the GDPR).
4.2 For which purposes do we process your personal data?
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.
Accordingly, we process your personal data for one of the following purposes:
• Fulfilment of Service(s): we use your personal information (i) to manage our customer relationship with you for each service you use, (ii) to respond to queries, requests and complaints;
• (Direct) marketing: we use your personal information to contact you, at the e-mail address you have provided for direct e-mail marketing, with commercial information about our Service(s). We will only inform you about Services that are similar to those services you have used in the past and in case you have not objected to the use of your personal data for marketing purposes;
• Improvement of our Service(s): we use, to the extent necessary, any category of personal data to evaluate, improve and ensure our Service(s) are working as intended. This includes but is not limited to (i) communicating with you (customer support, reviews of our products and services, information on new products and features, surveys etc.), (ii) monitoring the usage of the Website after a publicity or marketing campaign, (iii) analysing the use and performance of our products, services and websites, and (iv) tuning, enhancing, improving and facilitating the functionality of the Website.
4.3 Overview of our processing activities