Privacy Policy for the Hydrema Telematics DataPortal and App
I. Name and address of the responsible party
The responsible party, pursuant to the General Data Protection Regulations and various national data protection provisions of the member states of the European Union and other legal data privacy policies, is:
A/S HYDREMA DISTRIBUTION
Gammel Kirkevej 16
9530 Støvring
Danmark
Phone: +45 98 37 13 33
Email: hydrema@hydrema.com
Website: https://www.hydrema.com
Name and address of the enforcing data controller
For your issues and questions regarding data protection laws as well as for the assertion of your rights as the data subject please contact our data controller using the e-mail address: Privacy.telematics@hydrema.com
II. Data processing in general
1. Scope of personal data processing
We collect and process our user's (data subjects) personal information (data) solely to the extent necessary to maintain an operational DataPortal for providing our products and services. A data subjects' consent is routinely required prior to collecting and processing personal information. An exception applies in circumstances where it is not possible to obtain prior consent due to genuine reasons and the processing of data is permitted by law.
2. Legal basis for the processing of personal data
Once a data subjects' consent for processing personal data has been obtained, Article 6, Section 1 (a) of the EU General Data Protection Regulation (GDPR) serves as the legal regulation for processing personal data.
When processing personal data, required for the performance of a contract whose party to the agreement is the data subject, Article 6, Section 1 (b) of the GDPR shall apply. Such shall also apply to processing activities involving the performance of pre-contractual measures.
To the extent personal data processing becomes necessary to fulfil a legal obligation to which our company is subject, Article 6, Section 1 (c) of the GDPR shall apply. In the event crucial concerns regarding the interests of the data subject or another natural individual require the processing of personal data, Article 6, Section 1 (d) of the GDPR shall apply.
Should the processing be necessary to safeguard legitimate interests of our company or of a third party and should the interests, fundamental rights and freedom of the data subject not outweigh the interests of our company, Article 6, Section 1 (f) of the GDPR shall apply to the processing.
3. Deleting data and data retention
Personal information regarding the data subject will be deleted or blocked once the purpose for storing no longer applies. Furthermore, data may be stored if such storage has been stipulated by the European or national legislature in EU regulations, laws or other provisions under which the responsible party is bound. Data shall also be blocked or deleted in the event a storage period, as stipulated in the aforementioned provisions, expires, unless a need for extended storage of data arises, i.e., in order to conclude a contract or meet contractual obligations.
III. Proemion, Provider of the DataPortal
The DataPortal is provided as Software as a Service (SaaS). The provider is Proemion GmbH, Donaustraße 14, 36043 Fulda. The DataPortal is a service that can be used to process telematics data. The data entered/transmitted by you for the purpose of processing will be stored on Proemion's servers. Possible data categories are:
- Company data
- vehicle or machine information
- GPS data
- user profile data
- CU data.
- Legal basis
The processing of data is based on a contract according to Article 6, Section 1 (b) of the GDPR.
Furthermore, data is processed on the basis of the legitimate interest in ensuring the security and integrity of the system pursuant to Article 6, Section 1 (f) of the GDPR. If a corresponding consent was requested for the further processing of additional voluntary data, the processing of this data is based on Article 6, Section 1 (a) of the GDPR.
Data Retention
The data shall be deleted once these are no longer required for their intended purpose. This is the case for data in the DataPortal for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.
Data Privacy Agreement
We have concluded a Data Privacy Agreement with Proemion GmbH in which we oblige Proemion GmbH (processor) to protect our customers' data and not to pass it on to third parties.
IV. Providing the DataPortal and creating log files
1. Description and scope of data processing
Whenever our DataPortal Login page is accessed, our system automatically collects data and information from the computer system of the visiting party. The following data is collected:
- Information regarding the browser type and current browser version
- The user's operating system
- The user's internet service provider
- The user's IP address
- Access date and time
- Websites from which the user's computer system accesses our website
- Websites which are accessed by the user's computer system via our website
- Username
- Information about the operations (and their parameters) performed by the user
The data is also stored in the log files of our computer system. This data is not stored together with other personal user data.
2. Data processing compliance
The legal basis for the temporary storage of data and log files is Article 6, Section 1(f) of the GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the computer system is necessary to enable the DataPortal to be transmitted to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
The storage in log files is necessary to ensure DataPortal operation. We also use the data to optimize the DataPortal and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes is not performed in this context.
These objectives also include our legitimate interest in data processing in accordance with Article 6, Section1 (f) of the GDPR.
4. Data Retention
The data shall be deleted once these are no longer required for their intended purpose. When a collection of data occurs for the purpose of providing the DataPortal, ending the respective session results in such data being deleted. In case of storage of data in application logs, we delete it after 40 days at the latest. In case of storage of data in access logs, we delete it after 60 days at the latest. Additional data backup is available. In this event, the personal information of the users will be deleted or altered, making it impossible to identify the contacting client.
5. Options regarding objections and deletion
The collection of data required for the availability of the DataPortal and the storage of the data in log files is mandatory for the operation of the DataPortal. Therefore, the user does not have the option to reject the collection of relevant data.
V. Cookie policy
1. Description and scope of data processing
Our DataPortal uses cookies. Cookies are small data files that are stored on your computer or other device when you visit a website. Once a user visits the DataPortal, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters which uniquely identifies the browser on subsequent visits to the DataPortal. We use cookies to improve our DataPortal and enhance user experience. Several of our DataPortal features require visitor browser identification with each new page to navigate around our DataPortal.
We require cookies and local browser storage for the following applications:
- Log-in information
- Language settings
- Track your searches
- User preferences
- Theming
- Timezone
- Last visited page on DataPortal
2. Legal regulations regarding data privacy
Article 6, Section 1 (f) of the GDPR regulates the processing of personal data regarding cookies.
3. Purpose of processing data
The purpose of using technicallly essential cookies is to simplify your visit to our DataPortal. Several features of our DataPortal require the use of cookies. It is essential that the browser is recognized even in the event of navigating to a new page. User data collected for technically essential cookies are not used to create user profiles. These intentions serve as our legitimate interest for the processing of personal data in accordance with Article 6, Section 1(f) of the GDPR.
4. Data Retention, restricting and deleting cookies
Cookies are stored on the user's computer and transmitted to our DataPortal. Therefore, you as a user have full control regarding the use of cookies. By changing the settings in your internet browser, you can deactivate or limit the placement of cookies. Previously stored cookies can be deleted at any time. This can also be performed automatically. In the event cookies are deactivated for our DataPortal, this may result that not all features of our DataPortal can be used to their full extent.
VI. Register/Login DataPortal
1. Description and scope of data processing
On the DataPortal it is possible to log in by entering a user name and a password. The registration and creation of the user data is carried out centrally by an admin. The following data is usually stored by you during registration:
- Name
- First name
- Email (= username)
- Password
- Organization
- Language
- DataPortal permissions
An activity log is created for logged-in users.
2. Data privacy compliance
The legal basis for processing the data is the fulfilment of a contract (or pre-contractual measures) pursuant to Art. 6 (1) lit. b GDPR. The legal basis for storing additional data, such as activity logging, is also based on the legitimate interest in ensuring the integrity of the DataPortal pursuant to Art. 6 (1) lit. f GDPR. The legal basis for the processing of additional voluntary data, if the user has given consent, is Art. 6 (1) lit. a GDPR.
3. Purpose of data processing
Registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures. The login is necessary to ensure secure access to the data in the DataPortal. Furthermore, the user-specific login assigns the user rights within the DataPortal and allows user settings to be saved.
4. Data Retention
The data shall be deleted once these are no longer required for their intended purpose. This is the case for the data stored during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to fulfil contractual or legal obligations.
5. Options regarding objections and deletion
You can have the data stored about you changed at any time. As a user, you have the option to cancel your registration at any time. However, please note that in this case, the telematics services may no longer be fully usable. The end user must send a request to delete the account or change data to the OEM. The OEM will forward the requests for deletion or data modification to Proemion Technical Support, by phone or via the support form posted on Proemion's homepage. If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.
VII. Register/Login Mobile App
The following personal data is automatically transferred to or collected by Hydrema when logging into or using the Mobile Apps:
- Email (= username)
- Password
- Date and time of the request
- Access status / HTTP status code
If you download, access, or use our Apps, we may receive and store certain information about your mobile device(s) automatically using automatic data collection technologies. The information about your mobile device is not stored with your personal data. There is no direct association between the information about your mobile device(s) and your personal data.
Upon Mobile App activation, we automatically gain access to the following authorizations via the user's mobile device operating system:
1. Internets access
Required for downloading map data. The map constitutes an elementary component of the App. Machines are displayed on a map indicating their latest logged position. For this purpose, sections of the map (parts of the entire world map) in which the machines are located, or which are explicitly retrieved by the user by zooming into the map, are downloaded.
Internet access is also required for bilateral Hydrema Data-Platform communication. Machine data is stored directly onto the Hydrema Data-Platform. The App processes this data to make it available to the user. Access is granted upon successful login via a secure interface.
2. Network status information
These are retrieved to detect whether or not an Internet connection can be established. Network status information is also required to ensure App stability and to inform the user in the event of connection issues to, thus, enable the user to independently initiate troubleshooting measures in a timely manner.
3. Alternative option upon special request: 'Biometric information
Used to simplify the login process. The user can opt to log-in via fingerprint as an alternative to username and password. Fingerprints are not stored by the App, only by the operating system. Through this authorization the App acquires permission to compare the fingerprint with the fingerprint stored in the operating system and thus confirms the identity in the event of a positive match.
4. Local storage
Certain information may be stored locally on your mobile device while you use our Apps and their respective features. The scope of locally stored information varies by App. While Hydrema does not transmit information stored locally, please be aware that any information stored on your mobile device may leave your mobile device through automatic backup processes, manual download from your mobile device, and through other means outside of Hydrema’s control.
VIII. Rights of the data subject
In the event your personal data is processed by us, you are a data subject as defined under the GDPR and you are entitled to the following rights towards the responsible party:
1. The right to access of information
You may request confirmation from the responsible party regarding whether personal data on your behalf is being processed by him.
In the event of such processing, you may request the following information from the responsible party:
- the purpose for which the personal data are being processed;
- the categories of personally identifying information being processed;
- the recipients or categories of recipients to whom the personal data regarding oneself has been or will be disclosed;
- the intended duration of personal data storage regarding oneself or, in the event specific details are not possible, criteria for determining the retention period;
- the right to exercise the rectification or erasure of personal data regarding oneself, a right to limit processing by the responsible party and a right to object to such processing;
- the right of appeal with a supervisory authority;
- all available information regarding origin of the data, in the event the personally identifiable data was not collected from the data subject;
- the existence of an automated data processor, including profiling, in accordance with Article 22, Section 1 and 4 of the GDPR and, at least in these events, conclusive information regarding the logic
- involved as well as the scope and intended consequences of such processing for the data subject.
You have the right to request information pertaining to whether personal data concerning you is being disclosed to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR as it relates to the disclosure of information.
2. The right to rectification
You have a right to rectification and/or completion by the responsible party in the event of inaccurate or incomplete processing of your personal data. The party responsible is required to correct the data without delay.
3. The right to restrict processing
You may request the restriction of personal data processing regarding yourself, under the following circumstances:
- when you deny the accuracy of your personally identifying data for a time period in which the responsible party is able to verify the accuracy of the personal data;
- processing proves to be unlawful and you object to the removal of the personal data and request instead the restriction of personal data processing;
- the responsible party no longer requires the personal data for the purpose of processing, but you need them for the establishment, exercise or defence of legal claims, or
- in the event you have objected to the processing pursuant to Article 21, Section 1 of the GDPR and it has not yet been determined whether the legitimate grounds of the responsible party override your interests.
In the event the processing of your personal data has been restricted, such data may, with the exception of being stored, be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal individual or for reasons of substantial public interest of the European Union or a member state.
In the event a limitation of the processing restriction has been imposed in accordance with the above circumstances, you will be informed by the responsible party before the restriction is lifted.
4. The right to request deletion
a) Obligation to delete
You may request the responsible party to delete your personal data without unreasonable delay, and the responsible party is obligated to delete such data without unreasonable delay in the event one of the following reasons apply:
- Your personal data is no longer necessary for the purpose for which they were collected or otherwise processed.
- You revoke your consent for which the processing was based pursuant to Article 6, Section 1 (a) or Article 9, Section 2(a) of the GDPR and there remains no other legal basis for the processing of data.
- You object to the processing pursuant to Article 21, Section 1 of the GDPR and there remain no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21, Section 2 of the GDPR.
- The personal data regarding your information have been processed unlawfully.
- The removal of the personal data concerning you is required for compliance with a legal obligation under European Union or member state law to which the responsible party is subject.
- Your personal data has been collected in connection with a Society Information Services offer pursuant to Article 8, Section 1 of the GDPR.
- Information provided to third parties
In the event the responsible party has made your personal data public and is required to delete it pursuant to Article 17, Section 1 of the GDPR, the responsible party shall take reasonable steps, including technical measures, with regard to available technology and the cost of implementation, to inform those data controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.
b) Exceptions
The right to deletion does not exist insofar as the processing is required;
- to exercise the right to freedom of expression and information;
- to comply with a legal obligation which requires processing under European Union or Member State law to which the responsible party is subject, or for the performance of a task carried out in the interest of the public or in the exercise of official authority vested in the responsible party;
- For reasons of public interest in the scope of public health in accordance with Article 9, Section 2(h) and (i) and Article 9, Section 3 of the GDPR;
- For archival purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89, Section 1 of the GDPR, insofar as the right referred to in Part (a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
- for the enforcement, exercise or defence of legal claims.
5. The right to be informed
In the event you have exercised the right to rectification, deletion or restriction of processing towards the responsible party, the responsible party is obligated to communicate this rectification or deletion of data to all recipients to whom the personal data in your regards have been disclosed, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed in regards to these recipients by the responsible party.
6. The right to transferable data
You have the right to receive the personal data which you have provided to the responsible party in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another responsible party without hindrance from the responsible party to whom the personal data was supplied, provided that;
- the processing is based on consent pursuant to Article 6, Section 1(a) of the GDPR or Article 9, Section (a) of the GDPR or on a contract drawn pursuant to Article 6, Section 1 (b) of the GDPR and
- the processing is carried out with the help of automated procedures.
In exercising this right, you also have the right to obtain those personal data concerning you, which get transferred directly from one responsible party to another responsible party, insofar as this is technically feasible. Freedom and rights of other individuals must not be affected by this.
The right to data portability does not apply to processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible party.
7. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6, Section 1(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The responsible party shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds regarding the processing which override your interests, rights and freedom, or for the establishment, exercise or defence of legal claims.
You have the option, in regard to the use of Information Society Services, irrespective of Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
8. Right to revoke ones' consent to the privacy policy
You have the right to revoke your consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until it is revoked. You may send the revocation either by mail, email or fax to the responsible party.
9. Automated decision regarding individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing - including profiling - which poses legal ramifications for you or any similarly significant manner of impact on you. This does not apply in the event the decision
- is required for the conclusion or performance of a contract between you and the responsible party,
- is permitted by legislation of the European Union or the Member States to which the responsible party is subject and that legislation maintains appropriate measures to safeguard your rights and freedom and your legitimate interests, or
- is done with your express consent.
However, these decisions may not be based on specific categories of personal data pursuant to Article 9, Section 1 of the GDPR, unless Article 9, Section 2(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedom and your legitimate interests.
With regard to the cases referred to in (1) and (3), the responsible party shall take reasonable steps to safeguard the rights and freedom of, and the legitimate interests of the data subject, which shall include, at least, the right to obtain the intervention of an individual on the part of the responsible party, to express his or her point of view and to challenge the decision.
10. Right to file a complaint with a regulatory authority
Without affecting any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, in the event you consider the processing of personal data relating to you infringes the GDPR. The supervisory authority to which the complaint has been submitted shall inform the plaintiff of the status and outcome of the filed complaint, including the option of a judicial appeal pursuant to Article 78 of the GDPR.
IX. SSL encryption
This site uses SSL encryption for security purposes and to protect the disclosure of confidential content, such as the inquiries you send to us as site operator. You will recognize an encrypted connection by the fact that the browser address bar changes from "http://" to "https://" and by the lock symbol in your browser tool bar.
In the event SSL encryption is activated, the data you disclose to us cannot be read by third parties.
X. Amazon Web Services
The DataPortal implements Amazon Web Services for provision of cloud computing and the routing of data. Provider is Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States. Hereinafter referred to as „Amazon Web Services“. Amazon Web Services is a service that can be used for a wide range of cloud computing purposes. The data you create/transmit for the purpose of cloud computing and the routing of data is stored on the servers of Amazon Web Services. For more information about the features of Amazon Web Services please visit: https://aws.amazon.com/de/
1. Legal basis
Article 6, Section 1(f) of the GDPR regulates the processing of the data. The DataPortal operator has a legitimate interest in keeping configuration of the DataPortal available, as it is part of the core functionality, as well as in keeping off-site backups of telematics data for troubleshooting. If a corresponding consent was requested for the further processing of additional voluntary data, the processing of this data is based on Article 6, Section 1 (a) of the GDPR. You may revoke your consent at any time. The lawfulness of the data processing operations already carried out remains unaffected by the revocation.
2. Data retention
The data that you have deposited with us for Amazon Web Services will be stored for up to 60 days after the deletion request has been processed and then deleted. You can find more details in the Amazon Web Services data protection regulations at: https://aws.amazon.com/de/privacy/
3. Data Privacy Agreement
The provider of the DataPortal has concluded a Data Privacy Agreement with Amazon Web Services in which he obliges Amazon Web Services to protect the customers' data and not to pass it on to third parties.
XI. Google Maps
The DataPortal implements Google Cloud Services for maps and other location-related services. Provider is Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as „Google“). Google Cloud Services is a service that provides maps and for a wide range of cloud computing purposes. The data you create/transmit for the purpose of use is stored on the servers Google. For more information about the features of Google please visit: https://cloud.google.com/
1. Legal basis
Article 6, Section 1(f) of the GDPR regulates the processing of the data. The DataPortal operator has a legitimate interest in displaying location data on maps and using other location services like reverse geo-coding, timezones, etc. If a corresponding consent was requested for the further processing of additional voluntary data, the processing of this data is based on Article 6, Section 1 (a) of the GDPR. You may revoke your consent at any time. The lawfulness of the data processing operations already carried out remains unaffected by the revocation. You can find more details in the Google data protection regulations at: https://policies.google.com/privacy?hl=de.
2. Data Privacy Agreement
The provider of the DataPortal has concluded a Data Privacy Agreement with Google in which he obliges Google to protect the customers' data and not to pass it on to third parties.
XII. Mapbox
The DataPortal implements Mapbox for maps and other location-related services. Provider is Mapbox, Inc. 740 15th Street NW, 5thFloor, Washington DC 20005 (hereinafter referred to as „Mapbox“). Mapbox is a service that provides maps and other location-related data. The data you create/transmit for the purpose of displaying maps and other location-related data is stored on the servers of Mapbox. For more information about the features of Mapbox please visit: https://www.mapbox.com/
1. Legal basis
Article 6, Section 1(f) of the GDPR regulates the processing of the data. The DataPortal operator has a legitimate interest in displaying location data on maps and using other location services like reverse geo-coding, timezones, etc. If a corresponding consent was requested for the further processing of additional voluntary data, the processing of this data is based on Article 6, Section 1(a) of the GDPR. You may revoke your consent at any time. The lawfulness of the data processing operations already carried out remains unaffected by the revocation. You can find more details in the Mapbox data protection regulations at: https://www.mapbox.com/legal/privacy
2. Data Privacy Agreement
The provider of the DataPortal has concluded a Data Privacy Agreement with Mapbox in which he obliges Mapbox to protect the customers' data and not to pass it on to third parties.
XIII. Sentry
The DataPortal implements Sentry for reporting faults from the browser running DataPortal for further analysis and fixing. Provider is Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor San Francisco, CA 94105 (hereinafter referred to as „Sentry“). Sentry is a service that can be used to collect fault information from browser-based applications. The data you create/transmit for the purpose of using the DataPortal is stored on the servers of Sentry. For more information about the features of Sentry please visit: https://sentry.io/welcome/
1. Legal basis
Article 6, Section 1(f) of the GDPR regulates the processing of the data. The DataPortal operator has a legitimate interest in collecting faults from DataPortal to enhance the user experience.
If a corresponding consent was requested for the further processing of additional voluntary data, the processing of this data is based on Article 6, Section 1(a) of the GDPR. You may revoke your consent at any time. The lawfulness of the data processing operations already carried out remains unaffected by the revocation.
2. Data retention
The data that you have deposited with us for Sentry will be stored for up to 90 days and then deleted. You can find more details in the Sentry data protection regulations at: https://sentry.io/privacy/
3. Data Privacy Agreement
The provider of the DataPortal has concluded a Data Privacy Agreement with Sentry in which he obliges Sentry to protect the customers' data and not to pass it on to third parties.