1. Introduction
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that is processed when you use the MyFlow Score app, including processing purposes and the extent of processing. In addition, we inform you about your rights with regard to any personal data collected and how you can enforce them.
Last updated: November 9th 2021
2. Responsible
OpenReg GmbH (“we”, “us”, “OpenReg”) is responsible for the provision and distribution of the MyFlow Score app and is available to answer any questions you may have at the contact details below.
OpenReg GmbH
c/o Factory Works GmbH
Rheinsberger Str. 76/77
10115 Berlin
Deutschland
Authorized representatives: Dr. Oliver Eidel, Managing Director
E-mail address: [email protected]
Contact data protection officer: [email protected]
3. Overview Of The Processing Operations
No personal data is collected or processed by OpenReg as part of operating MyFlow Score. Users can enter health-related data themselves in the application; however, this data is processed and stored locally on the end device. OpenReg does not gain access to this data.
Categories of processed data
- n.a.
Categories of data subjects
- Users of the application (after download / installation on the user's mobile device)
Purposes of processing
- n.a.
4. Relevant Legal Basis
We will only use your personal data if legal provisions allow us to do so. No personal data will be collected or processed by OpenReg in the course of operating MyFlow Score. To the extent that this should change, this section of our privacy policy will inform you of the relevant legal bases of the European General Data Protection Regulation (GDPR). Please note that national data protection regulations may apply in addition to GDPR provisions.
National data protection regulations in Germany:
In addition to GDPR provisions, national data protection regulations apply in Germany. These include in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). The BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of individual federal states may apply.
5. Security Measures
To the extent that personal data is processed, we use appropriate security measures to prevent your personal data from being accidentally lost or used, intercepted, altered or disclosed in an unauthorized manner. We take appropriate technical and organizational measures in accordance with the law, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the level of threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, assurance of availability of and segregation of the data. We have also established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data compromise. We will notify you and relevant government agencies about data privacy incidents in accordance with applicable legal requirements. Furthermore, we take the protection of personal data into account already during the development or selection of hardware, software as well as procedures in accordance with the principles of data protection, through technology design and through data protection-friendly default settings.
Access to personal data is generally restricted to employees and service providers who need such access to perform their duties or to provide services for us. Health information relevant to the use of MyFlow Score is stored exclusively on the end user device and is subject to the security standards of the manufacturer of the terminal device.
6. Data Transfer
Insofar as data is transferred and disclosed to external service providers in the course of processing personal data, we comply with legal requirements and conclude appropriate data protection agreements with the recipients of the data. We inform you about such subcontracted processing and any service providers in this section of our privacy policy.
In the course of using the MyFlow Score application, no data is transferred either within or outside OpenReg GmbH. A transfer to countries outside of EU jurisdiction does not take place.
7. Data Retention And Deletion
We generally retain personal information only as long as necessary to fulfill the purposes for which it was collected, as well as for compliance with legal and reporting obligations. When determining data retention periods, we consider the amount, nature, purpose and sensitivity of personal data, as well as applicable legal requirements and the potential risk of harm from unauthorized use or disclosure. In some cases, personal information may be used anonymously without being associated with you for any length of time. In such cases, we may use such information without further notice to you.
Personal data will be deleted by us in accordance with legal requirements as soon as consent on which processing is based is revoked or other permissions cease to apply (e.g. when the purpose of processing has been fulfilled or ceases to apply). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
8. Data Subject Rights
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR:
- Right to information / right of access: you have the right to request a confirmation as to whether data are being processed. You have the right to obtain information about the processing and a copy of the data to verify whether we are processing them lawfully.
- Right to rectification: you have the right to request that data concerning you be completed or that inaccurate data concerning you be rectified.
- Right to object to processing: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR. You have the right to revoke your consent at any time. You have the right to request the restriction of the processing of your personal data, for example, to request that the processing of personal data about you be suspended while the accuracy of the personal data is determined.
- Right to erasure: you have the right to request that data concerning you be erased without undue delay in accordance with legal provisions.
- Right to data portability: you have the right to obtain data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request that it be transferred to another controller in accordance with legal provisions.
- Right to file a complaint with a supervisory authority: you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes GDPR provisions.
9. Change And Update Of The Privacy Policy
We ask you to regularly check the content of our Privacy Policy. We adapt our policy as soon as changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require any act of cooperation on your part (e.g. to give consent) or other individual notification. Where we provide addresses and contact information of companies and organizations in this policy, please note before contacting us that the addresses may change over time.