// A3M Privacy

Global Monitoring App

The Global Monitoring App is supplied by:
A3M Global Monitoring GmbH (hereafter referred to as A3M)

represented by the CEO Thomas Dillon
Alter Fischmarkt 5
2547 Hamburg, Germany
info(at)a3mobile.com

(Controller according to art. 4 para. 7 GDPR and in the meaning of art. 18 para. 2 MStV (German Medien Staatsvertrag))

Data protection officer: Carsten Fischer, Alter Fischmarkt 5, 20457 Hamburg, Germany, datenschutz(at)a3mobile.com

1.   Data processing aims and purposes through the Global Monitoring App

App's function:
The Global Monitoring App informs you via push-messages and/or email about dangers and events. Important warnings and behavioral instructions are sent directly to your smartphone.

The app includes the following information/functionality:

  • Map overview of current events worldwide
  • Travel Alerts based on the traveler's current location
  • Travel Alerts of upcoming trips
  • Travel Alerts of countries and/or event categories (Watchlist)
  • Document Safe
  • Location-based local emergency numbers

Depending on the existing licences:

  • Country and health relevant information of upcoming trips
  • Integration of the A3M Country Information
  • E-learning integration, either provided by A3M or by the customer
  • SOS-Button to easily establish contact with the Assistance Provider of the company

If and to the extent that personal data is collected, stored and processed by A3M for the of the app, this is done exclusively for the purpose of contract execution according to art. 6 para. 1 lit. b) GDPR vis-à-vis the customer.
Depending on the contractual relationship, the customer is the traveller’s employer (company), the traveller’s assistance service provider or the traveller himself.

When installing the app, the user of the app must explicitly consent to the determination of his location in accordance with art. 7 GDPR by granting the location authorization for this app and can deactivate this authorization at any time by setting the authorization for the app or centrally for all apps. When the device or app authorization location is withdrawn, the storage of new location data is immediately terminated.

2.   Processed data

The following data categories are processed via the app:

2.1   Profile data

In order to be able to use the app, the following information must first be provided:

  • Company key (issued by A3M)
  • First and last name
  • Email address
  • Password

In addition, a unique identification number (app ID) is generated when the app is installed. With each subsequent start of the app, a time stamp is recorded together with this app ID.
The profile data and the app ID are automatically encrypted using HTTPS and sent to our server when a first entry or change has been made to them and the next time you have cellular network or WLAN reception.

2.2   Movement data

Your smartphone or tablet has a GPS sensor and possibly other functions (sensors, WLAN) for determining your position. With the help of these functions – provided with a time stamp and the app ID (and only if and as long as you have granted authorization!) – your current location is regularly recorded (geographic coordinates).

The data is collected, stored and processed in accordance with art. 6 para. 1 lit. b GDPR exclusively for the purpose of contract processing.

3.   Automatic data collection and processing

The identification number (app ID) is assigned to the following data on the server:

  • Device type, operating system and app version
  • The geographic coordinates and registration ID of the device for the push notification service
  • Registration data

The app saves certain location points (geographic coordinates) and assigns them to the registration ID of the device for the push notification service.

With the creation of favourite locations, location points (geographic coordinates) are saved and linked to the registration ID of the end device for push notification.

When the GPS function is activated, the user’s position is automatically determined. This position is transmitted to our server after a change of location of 500 meters and not before 15 minutes after the last position transmission. Our server only saves the last updated position of the device, no history is saved. All previous positions are overwritten by the most recent position.

The notification service is provided by the Google Cloud Messaging service for Android or by Firebase Cloud Messaging for iOS via the registration ID of the end device.

Data calls require direct communication between the end device and our server. This communication is secured by end-to-end encryption (HTTPS according to the current and previous TLS standard). The IP address of the end device is only stored in anonymous form – by shortening the last octet – in log files.

To ensure the necessary support services and system improvements, data changes and their content are anonymized and stored in log files for a maximum of 6 months.

Apart from session cookies and possibly Google Maps cookies (see §7), no cookies and no market research data are collected, stored or used.

Our servers are located in German data centers.

4.   Emergency Calls

In the settings, the user can specify whether his data for emergency calls may be passed on to an emergency service provider based on his consent in accordance with art. 6 para. 1 lit. a GDPR and, from the start of an active emergency call, to his service provider / subcontractor (emergency services at the user’s location, hospitals at the user’s location, etc.).

In the event that there is no general consent for the data to be passed on, the emergency call service provider first receives the data in the event of an active emergency call on the basis of art. 6 para. 1 lit. d GDPR and can then transfer the data to a service provider / subcontractor (emergency services at the user’s location, hospitals at the user’s location, etc.). The emergency telephone call to the contractually agreed service number itself is also regarded as consent in accordance with art. 6 para. 1 lit. a GDPR for data transfer to service providers that are required for emergency measures but outside the scope of art. 6 para. 1 lit. d GDPR (e.g. billing data for doctors, paramedics and hospitals).

5.   Subcontractors

If and to the extent necessary, we will pass on your data to companies that we use exclusively for the purpose of executing the contract in accordance with art. 28 GDPR; these are the following companies:

  • Corporate Trust Business Risk & Crisis Management GmbH, Graf-zu-Castell-Straße 1, 81829 Munich, Germany
  • Falck Global Assistance A/S, Sydhavnsgade 18, 2450 Copenhagen, Denmark
  • MD Medicus Assistance Service GmbH, Industriestraße 2a, 67063 Ludwigshafen am Rhein, Germany
  • med con team GmbH, Gerhard-Kindler-Str. 6, 72770 Reutlingen, Germany
  • Result Group GmbH Global Risk and Crisis Management, Waldstraße 3a, 82343 Pöcking/Starnberger See, Germany
  • Possibly other service providers.

6.   Disclosure due to official request

Otherwise, data will only be passed on in accordance with art. 6 para. 1 lit. c GDPR to sovereign legal entities that are legally entitled to information, such as data protection authorities, in compliance with a corresponding legal obligation or obligation issued by a court.

7.   Data transfer to Google (Google Maps)

If you request position data, exit, or open the submenu with map view and are either connected to WLAN or have activated mobile data transfer, then a map from Google centred on your current position will load. At the minimum, Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) receives the IP address assigned to your smartphone and thus the information about where this IP address is currently located. This information is typically transmitted to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer. If Google Maps is activated, then Google can use Google Fonts to ensure the uniform display of fonts. When you open Google Maps, your browser loads the required web fonts into your browser cache in order to display text and fonts correctly.

Google Maps is used to ensure the attractive presentation of our online products and make it easier to find the places that we have referenced on our website. This represents a legitimate interest within the scope of art. 6 para. 1 lit. f GDPR. If the corresponding consent has been requested, then processing takes place exclusively on the basis of art. 6 para. 1 lit. a GDPR and art. 25 para. 1 TTDSG (German Telecommunications-Telemedia Data Protection Act), such that this consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the scope of the TTDSG. This consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.
You can find more information on the management of user data in Google’s privacy policy: https://policies.google.com/privacy?hl=en.

8.   Analysis tool

This app uses the open-source web analytics tool Countly.

With the help of Countly, we are able to collect and analyse the usage data for our app. This allows us to determine when which page views occurred and from which region they came, among other things. We also collect various log files (e.g., IP addresses, device IDs, referrer, browsers, and operating systems used) and can determine whether our app users perform certain actions (e.g., clicks, etc.).

The use of this analysis tool is based on art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in analysing user behaviour in order to optimise both its web/app offering and its advertising. If the corresponding consent has been requested, then processing is carried out exclusively on the basis of art. 6 para. 1 lit. a GDPR and art. 25 para. 1 TTDSG (German Telecommunications-Telemedia Data Protection Act), such that this consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the scope of the TTDSG. This consent can be revoked at any time.

IP Anonymisation

We use IP anonymisation for analysis with Countly. In this case, your IP address is shortened before analysis such that it can no longer be clearly tracked.

Hosting

We host Countly exclusively on our own servers, which means that all analysis data remains with us and is not passed on to a third party.

9.   Deletion

All data stored for an app are deleted automatically if:

  • the app has not been accessed for six months,
  • the app has been deleted on the device and the deletion has been recognized.

If you would like to end your participation and have the data that has already been transmitted deleted, please first delete your user account and then uninstall the app or contact the contact given below, stating your identification number.

10.   Right to information and contact

You can request information about the data we have stored, including information on the origin and recipient of this data and the purpose of their processing.

Please address your inquiries to:

A3M Global Monitoring GmbH
Hintere Grabenstrasse 26
72070 Tübingen, Germany
Email: info(at)a3mobile.com

11.   User rights

According to applicable laws, you have various rights with regard to your personal data. If you would like to exercise these rights, please address your request by e-mail or by post to the address stated above for the controller and provide clear identification.

In the following, you will find an overview of your rights.

a) Right to confirmation and information

You have the right to receive a confirmation from us at any time regarding whether your personal data is being processed. If this is the case, you have the right to receive information at no charge about your stored personal data and a copy of any such data. In addition, you have the right to the following information:

  1. the purposes for the processing;
  2. the categories of personal data that are being processed;
  3. the recipients or categories of recipients to whom the personal data has been disclosed or is being disclosed, particularly for recipients in non-EU countries or in international organisations;
  4. if possible, the planned duration for the storage of the personal data, or if this is not possible, the criteria for the determination of this duration;
  5. any rights to correct or delete your personal data or to limit the processing of such data by controllers or to refuse the processing of such data;
  6. any rights to file a grievance with a supervisory authority;
  7. if the personal data was not collected from you, all available information about the source of the data;
  8. the existence of any automated decisions, including profiling in terms of article 22 paragraphs 1 and 4 GDPR and – at least in such cases – significant information about the logic used in such decisions as well as the scope and intended effects of such processing for you.

If personal data is transferred to a non-EU country or an international organisation, you have the right to be informed of the respective guarantees in terms of article 46 GDPR in connection with such transfer.

b) Right to correction

You have the right to demand that we immediately correct any incorrect personal data. In consideration of the purposes of the collected data, you have the right to demand the completion of incomplete personal data – including by means of a supplemental declaration.

c) Right to deletion (“right to be forgotten”)

You have the right to demand that we immediately delete your personal data, and we are required to immediately delete personal data if any of the following reasons occur:

  1. The personal data is no longer required to achieve the purposes for which it was collected.
  2. You revoke the consent that allowed the processing according to art. 6 para. 1 lit. a) GDPR or art. 9 para. 2 lit. a) GDPR and there is no other legal basis for the processing.
  3. You submit an objection to the processing of your data in accordance with art. 21 para. 1 GDPR and there are no overriding legal grounds for the processing, or you submit an objection to the processing in accordance with art. 21 para. 2 GDPR.
  4. The personal data was unlawfully processed.
  5. The deletion of personal data is required under the legal provisions stated in EU law or the law of a member country to which we are subject.
  6. The personal data was collected in connection to information society services according to art. 8 para. 1 GDPR.

There is no right to deletion if the processing is necessary

  1. to exercise the right to freedom of expression and information;
  2. to fulfil a legal obligation to EU law or the laws of member countries to which the controller is subject, or to fulfil a task that is in the public interest or occurs in the exercise of official authority and requires a transfer of data from the controller;
  3. due to public interest in the area of public health according to art. 9 para. 2 lit. h and i or art. 9 para. GDPR;
  4. for archival purposes that affect the public interest or serve scientific or historical research purposes, or for statistical reasons according to art. 89 para. 1 GDPR, if the relevant right is likely to make it impossible to realise the goals of such processing or to seriously hinder them;
  5. for the assertion, exercise or defence of legal claims.

If we have made the personal data public and if we are required by art. 17 GDPR to delete it, we will take appropriate measures in consideration of the available technologies and their implementation costs to inform the parties responsible for the processing of the personal data that you have requested that they delete all links to such personal data, including copies or replications.

d) Right to the limitation of processing

You have the right to demand that we limit the processing of your data if one of the following conditions occurs:

  1. you contest the accuracy of the personal data (and such data has been stored for a period that has allowed us to check its accuracy),
  2. the processing is unlawful and, instead of deleting the personal data, you have decided to demand that the usage of such data be limited;
  3. we no longer require the personal data to achieve the purposes for which it was collected but you require the data to assert, exercise or protect legal claims, or
  4. you have submitted an objection to the processing of your data according to art. 21 para. 1 GDPR, if it has not yet been determined whether our company’s legitimate purposes override your legitimate purposes.

If the processing of your personal data has been limited, such data – apart from its storage – can only be processed with your consent or for the exercise or protection of legal claims or to protect the rights of another natural or legal entity or for the purposes of an important public interest for the EU or a member country.

e) Right to data portability

You have the right to receive the personal data that we have been provided in a structured, conventional and machine-readable format, and you have the right to transfer such data to another controller through our company with no obstacles on our part, if

  1. the processing is being carried out based on a declaration of consent in accordance with art. 6 para. 1 lit. a GDPR or art. 9 para. 2 lit. a) GDPR or an agreement in terms of art. 6 para. 1 lit. b GDPR, and
  2. the processing takes place using automated procedures.

In exercising your right to data portability according to para. 1, you have the right to ensure that we transfer the personal data directly to another controller, if technically possible.

The right to data portability does not apply to the processing of personal data that is required for the completion of a task that is in the public interest or takes place as part of the exercise of public authority that has been required of the controller.

f) Right of refusal

You have the right to refuse at any time the processing of your personal data for purposes stated in art. 6 para. 1 lit. e or f GDPR for reasons arising from your personal situation; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for such processing that override your interests, rights and freedoms or if the processing serves the assertion, exercise or protection of legal claims.

If we process the personal data for the purpose of direct advertisement, you have the right to enter an objection at any time against the processing of such data for the purposes of such advertisement; this also applies to profiling, if it is in connection to such direct advertising.

You have the right to refuse at any time the processing of your personal data for scientific or historical research purposes or for statistical purposes in terms of art. 89 para. 1 GDPR for reasons arising from your personal situation, unless such processing is necessary to fulfil a task that is in the public interest.

g) Automated decisions including profiling

You have the right to refuse to be subject to a decision that is based exclusively on automated processing, including profiling, that legally affects you or has any similar significant effect.

h) Right to revocation of a declaration of consent regarding personal data

You have the right to revoke a declaration of consent regarding the processing of personal data at any time.

i) Right to submit grievances to a supervisory authority

You have the right to submit grievances to a supervisory authority, particularly in the EU member country in which you live, where your place of work is located or in the location of the supposed infringement if you believe that the processing of your personal data is unlawful.

j) Right to information

If you have exercised the right to information, deletion or limitation of processing by the controller, such party is required to communicate this information, deletion or limitation of the processing to all recipients of the personal data, unless this is proven to be impossible or disproportionately difficult.

You have the right to be informed by the controller of any such recipients.

As of: 01-22-2024