For the provision of the HelloBonnie card program by HelloBonnie Technologies GmbH
In the following sections (1) to (12), HelloBonnie Technologies GmbH, Eppebndorfer Baum 44, 20249 Hamburg (“HelloBonnie,” “we,” and “us”) explains what types of personal data are processed from data subjects (“data subjects,” individually “data subject”) for what purposes and to what extent are processed in the context of providing the HelloBonnie card program. Data subjects are the managing directors/board members and authorized representatives of the corporate customer, as well as the employees or freelancers of the corporate customer who are invited by the corporate customer to use the smart card (these data subjects are also referred to as “cardholders”).
(1) Responsibility under data protection law:
HelloBonnie Technologies GmbH
Eppendorfer Baum 44
20249 Hamburg
In the context of interaction with HelloBonnie and the use of our services, we process certain personal data as the controller within the meaning of Art. 4 No. 7 DSGVO and are subject to independent legal obligations with regard to the protection of personal data in accordance with the applicable legal provisions and, in particular, in accordance with the Datenschutzgrundverordnung („DSGVO“). In our capacity as controller, we determine the purposes and means of processing personal data as explained in this privacy policy. In addition, we may also process personal data on behalf of our customers as a processor. In this role, we process personal data in accordance with the customer's instructions and on the basis of a separate data processing agreement concluded with the customer.
(2) Contact details of the data protection officer:
(3) Legal basis for data processing: HelloBonnie processes the personal data of data subjects on the basis of the following legal grounds of the DSGVO:
(a) Processing for the performance of contractual services and the implementation of contractual measures, Art. 6 (1) lit. b. DSGVO;
(b) Processing for the fulfillment of our legal obligations, Art. 6 (1) lit. c. DSGVO; and
(c) Processing for the protection of legitimate interests; Art. 6 (1) lit. f. DSGVO.
(4) Types of personal data processed: HelloBonnie processes the following personal data of data subjects for the respective purposes of processing:
(a) Data collected as part of CDD requirements (in particular, company name and contact details of the corporate customer's representatives, identity data, data provided by the cardholder for onboarding and the provision of our services);
(b) Data required for HelloBonnie to create, personalize, and/or recharge a smart card (in particular, name, email address, and address of the cardholder, identity data, data provided by the cardholder for onboarding and the provision of our services);
(c) Data required to send smartcards directly to cardholders (in particular, the cardholder's name, email address, and other contact and/or identity data); and/or
(d) Data required by HelloBonnie to perform its corporate customer service (financial data related to account information, name, contact details, usage data and circumstances of communication and conversation history, including technical interaction data, transaction data related to the use of customer cards, user data).
(5) Purposes of processing: HelloBonnie processes the personal data of data subjects and cardholders, including data collected as part of CDD requirements, for the following purposes:
(a) to provide, deliver, and fulfill our services: We process all types of personal data for the provision and fulfillment of our services, including
§ the creation of smart cards and their personalization and/or loading;
§ the execution of corporate customer services and operation of the card program;
(b) to improve our services and systems: We process all types of processed personal data in order to gain insights into our offered services and to maintain and ensure security in the information technology systems;
(c) to comply with and fulfill legal obligations: Where necessary, we process all types of processed personal data on the basis of legal obligations, i.e., on the basis of legal requirements.
HelloBonnie processes the personal data of the data subjects exclusively for the above-mentioned purposes and only to the extent necessary for the stated purposes.
(6) Automated processing: HelloBonnie does not generally use automated decision-making within the meaning of Art. 22 DSGVO that has legal effects or significantly affects the data subject in a similar manner. Likewise, no profiling is carried out that is used to evaluate or predict personal aspects. Should we use such procedures, we will inform you separately and as required by law.
(7) Data security measures: When processing data, HelloBonnie takes all necessary measures to secure personal data and the security of processing, in particular taking into account the state of the art and to mitigate possible adverse consequences for data subjects. The measures to be taken include, in particular, measures to ensure appropriate pseudonymization and encryption, as well as measures to protect the confidentiality, integrity, availability, and resilience of the systems, and measures to ensure the continuity of processing after incidents.
(8) Transfer of personal data: In the course of processing personal data, it may happen that personal data is transferred to or disclosed to other bodies, companies, legally independent organizational units, or persons. The recipients of personal data may include, for example, service providers commissioned with IT tasks or service providers that HelloBonnie uses to fulfill its contractual obligations. In such cases, HelloBonnie complies with the legal requirements and, in particular, concludes appropriate contracts or agreements (order processing contracts) with the recipients of the personal data to ensure the protection of personal data.
(9) Data processing in third countries: If HelloBonnie processes data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this will only be done in accordance with the legal requirements. Subject to express consent or contractually or legally required transfer, HelloBonnie only processes or has data processed in third countries with a recognized level of data protection, contractual obligations through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 DSGVO).
(10) Deletion of data: The personal data processed by HelloBonnie will be deleted in accordance with legal requirements. If personal data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted to these purposes.
(11) Rights of data subjects: The rights of data subjects under the DSGVO arise in particular from Articles 15 to 21 DSGVO:
(a) Right to object (Article 21 DSGVO): Where data processing is based on Article 6(1)(e) and (f) DSGVO, the data subject has the right to object to the processing of data at any time for reasons arising from their particular situation. If the data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of data concerning them for such marketing purposes.
(b) Right to withdraw consent (Article 7(3) DSGVO): Consent that has already been given can be withdrawn at any time with future effect.
(c) Right of access (Art. 15 DSGVO): The data subject has the right to request confirmation as to whether personal data is being processed and to obtain information about the data, as well as further information and a copy of the data in accordance with the legal requirements.
(d) Right to rectification (Art. 16 DSGVO): The data subject has the right to request the completion of data concerning them or the rectification of inaccurate data concerning them.
(e) Right to erasure and restriction of processing (Art. 17 DSGVO): The data subject has the right, in accordance with legal requirements, to request that data concerning them be erased immediately or, alternatively, in accordance with legal requirements, to request a restriction on the processing of the data.
(f) Right to data portability (Art. 20 DSGVO): The data subject has the right to receive data provided to HelloBonnie in a structured, commonly used, and machine-readable format in accordance with legal requirements or to request that it be transferred to another controller.
(g) Complaint to the supervisory authority: In the event of violations of the DSGVO, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of the data subject's habitual residence, place of work, or place of the alleged violation. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.
(12) Competent supervisory authority:
Der Hamburgische Beauftragte für
Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22
20459 Hamburg