Address Search and Privacy Protection

Awarded Data Security

Information on RISER ID Services data protection 

 

Processing data in a safe and reliable way is the core competence of RISER ID Services GmbH. For this reason, we see data security as our highest priority.

 

This privacy statement provides you with information on what measures are being taken to protect your data as a visitor using the online content provided by RISER ID Services GmbH or as a registered user of the European address verification services we provide (via customer, supplier and registry office portals).  

 

Contents

1. Access to online content provided by RISER ID Services GmbH

1.1 Become a customer

1.2 Newsletter distribution

1.3 Session ID-Number / Cookies

2. Access to RISER European address verification portal

2.1 Use of the customer, supplier or registry office portals

3. Data protection and data security within the client relationship according to section 11 of the BDSG (German Data Protection Act)

3.1 General

3.2 Technical and organisational measures

3.3 Data storage periods for personal data

3.4 Secure data transfer

4. Rights of those concerned

5. Queries about RISER ID Services GmbH data protection

 

1. Access to online content provided by RISER ID Services GmbH

Each time a visitor accesses online content provided by RISER ID Services GmbH, as well as each time a file is accessed, certain data is logged. In particular, the following data is saved:

 

·          browser used

·          name of the file accessed

·          date and time the item was accessed

·          amount of data transferred

·          notification of whether the page was accessed successfully

 

This information is saved for 6 months. The information is statistically analysed using the program AWStats. No data is passed on to third parties, either when it is saved or when it is analysed.

 

 We provide links to our partners' external sites. External content is checked at the time links are set up. However, the possibility that this content may be changed by the corresponding provider later on cannot be ruled out. If you believe that an external site to which we provide links impinges upon applicable law, or that it contains any other inappropriate content, please let us know. Furthermore, this privacy statement applies only to the RISER ID Services GmbH server. A different privacy statement may apply to the servers which the links we provide lead to. In order to check this, you should go to the homepage of the site you are accessing and if necessary, contact the provider directly.

 

RISER ID Services GmbH accepts no liability for content provided by third parties, or for the level of data protection they provide.

 


 

1.1 Become a customer

On the page "Become a customer", you can request information about RISER ID Services GmbH and our services by filling out a contact form. If no client relationship occurs between you and RISER ID Services GmbH, your data will be deleted after 180 days. However, this does not apply if you have subscribed to the RISER Newsletter. Where this is the case, your data will be kept beyond this 180 day period, in order to send you the newsletter. We will never give your e-mail data to third parties.

 

1.2 Newsletter distribution

If you have subscribed to the RISER Newsletter on the "Become a customer" page, we will use your e-mail address to send you information about the services provided by RISER ID Services GmbH at irregular intervals. You can click on the link provided in the newsletter to opt out of this service.

 

1.3 Session ID-Number / Cookies

A unique identification number (session ID number) is created for each user to enable them to access the online content provided by RISER ID Services GmbH. The session ID allows the user to use various functions without having to log in again. The unique session ID, which is created using the Globally Unique Identifier process (GUID process) and which cannot be "guessed", ensures that the user is protected from unauthorised third parties attempting to use the portal under the user's name.

The session ID is saved in the browser cache with the help of "session cookies" and disappears when the browser is closed. Session cookies do not collect information about the user, nor do they read out information from the user's PC. 

If the user has deactivated cookies in their browser settings, they can still use the portal without limitations.

 


 

2. Access to online content provided by RISER ID Services GmbH

Each time a visitor accesses online content provided by RISER ID Services GmbH, as well as each time a file is accessed, certain data is logged:

 

·          IP address

·          browser used

·          name of the file accessed

·          amount of data transferred

·          notification of whether the page was accessed successfully

 

 This information is saved for 6 months. The information is statistically analysed using the program AWStats. No information is passed on to third parties.

 

2.1 Use of the customer, supplier or registry office portals

When a user carries out the following actions in the RISER ID customer, supplier or registry office portals, certain data is logged within the framework of activity logging:

 

·          login

·          uploads/allocation of requests

·          communication of information via the registry office portal

·          receipt of results from public authorities

·          downloads / receiving responses to requests

·          modifications to master data

 

The upload and download of requests is also logged by the web service/SOAP. The following items are logged:

 

·          IP address

·          time stamp

·         customer ID number

·          user ID

·          methods invoked

 

 The activity logging data is kept for 6 months for the purposes of error analysis and prevention of misuse, after which it is automatically deleted. It is necessary for us to keep the data for this period, as especially in potential cases of misuse (such as use of the account by an unauthorised user or use of the account for personal reasons), misuse is usually only picked up in the accounting validation process and claims are then made against the customer after a considerable length of time. An analysis of the activity logging may be carried out if required. No information is passed on to third parties.

 


 

3.1 General information

This appendix to the user agreement on the Registry Information Service on European Residents (RISER) governs the rights and responsibilities of the principal (the customer) and the agent (RISER ID Services GmbH) within the framework of a customer order to collect, process or use personal data.

The customer shall retain responsibility for the data processing.

 

As principal, the customer is responsible for ensuring that the regulations concerning data processing orders are observed.

 

The object and the duration of the data processing order, as well as the scope, type and purpose of the intended collection, processing or use of data, the type of data and the data subjects are defined in the user agreement on the Registry Information Service on European Residents (RISER), concluded between the customer and RISER ID Services GmbH.

 

RISER ID Services GmbH has appointed a data protection officer, who is able to discharge his duties in accordance with sections 4f and 4g BDSG.

 

RISER ID Services GmbH is obliged to process personal data exclusively in accordance with the services described in the user agreement on the Registry Information Service on European Residents (RISER). RISER ID Services GmbH exclusively processes or uses the data provided by the customer in accordance with the contract terms and the customer’s specific instructions. Where RISER ID Services GmbH believes that a customer instruction breaches data protection regulations, RISER ID Services GmbH is obliged to inform the customer of this immediately.

 

The competent supervisory authority within the meaning of sec. 38 BDSG is the Data Protection Commissioner for Berlin (Berliner Beauftragter für Datenschutz und Informationsfreiheit).

 


 

3.2   Confidentiality

RISER ID Services GmbH is obliged to exclusively employ staff for the processing of personal data who have committed themselves to maintaining confidentiality pursuant to sec. 5 BDSG.

Under no circumstances will RISER ID Services GmbH process or use the personal data collected on behalf of the customer for its own purposes or transfer these data to third parties. In order to perform under the agreement, the agent is authorised, subject to the terms of this agreement, to execute all necessary processing steps and use the data provided by and collected for the customer (e.g. making duplicates of data records to protect against data loss, creating log files, temporary files and workspaces, etc.), provided this does not lead to an alteration in the substance of the data.

 


 

3.3   Technical and organisational measures

RISER ID Services GmbH has appointed a data protection officer in accordance with sec. 4f BDSG. The data protection officer’s role is to ascertain the agent's compliance with the Federal Data Protection Act and other regulations relevant to data protection under the contractual relationship. If the data protection officer detects irregularities within this relationship, he or she shall inform the customer immediately in writing. When in doubt, the customer may contact the data protection officer of RISER ID Services GmbH directly.

 

The customer instructs RISER ID Services GmbH to carry out all necessary technical steps involved in processing the data (e.g. acceptance of inquiry data, submission to the registration authority, retention of inquiry and result data for review), provided this does not lead to an alteration in the substance of the data.

 

RISER ID Services GmbH undertakes to implement all technical and organisational measures necessary to protect the personal data as required by sec. 9 BDSG and the annex. The agent shall document the technical and organisational measures defined in the preliminary stages of the customer order before processing the data. These should be made available to the principal for review, if requested.

 

Definition of the technical and organisational measures to be taken

 

RISER ID Services GmbH provides its data processing services with due care and diligence and guarantees that the necessary security measures are implemented in the execution of the work. The necessary technical and organisational measures in accordance with sec. 9 BDSG and the annex are defined below and shall become part of the agreement. These technical and organisational measures are subject to technological progress and continuing development. To this extent, the agent is authorised to implement adequate alternative measures. In so doing, the security level of the alternative measures may not be lower than that of the originally defined measures. All substantial changes must be documented. The agent shall furnish the information pursuant to sec. 4g (2) No. 1 BDSG to the principal if so requested.

 

Organisational control and measures for its realisation

 

In the event of automated processing and use of personal data, the internal organisation of RISER ID Services GmbH must be designed in such a way that the special data protection requirements are fulfilled. In particular, the measures to be taken should be adequate for the types of control described below, which depend on the types and categories of the protected personal data.

 

The customer has the right to carry out inspections on the premises of RISER ID Services GmbH in order to verify implementation of these measures.

 

Organisational control: The staff of RISER ID Services GmbH has committed itself to maintaining confidentiality and to observing the non-disclosure regulations. Moreover, RISER ID Services GmbH has obligated all subcontractors by contract to apply a similar procedure for their own employees.

 

Entry control: Unauthorised persons are barred from entering the data processing facilities of RISER ID Services GmbH in which personal data are processed or used. To this end, RISER ID Services GmbH has relocated its data processing facilities for personal data to a computer centre that meets state-of-the-art security standards and is equipped with an entry control system (e.g. ID control, doorman, electronic entry controls).

 

Physical access control: RISER ID Services GmbH has suitable measures in place to prevent unauthorised persons from using the data processing systems. Access to the data processing systems of RISER ID Services GmbH is monitored (e.g. role concept, electronic physical access control, key management).

 

Access control: Using a role concept, RISER ID Services GmbH guarantees that authorised users of a data processing system can only access data for which they have the appropriate access authorisation, and that personal data cannot be read, copied, modified or deleted by unauthorised persons during processing, use and after saving. All staff of RISER ID Services GmbH must undergo a sign-in procedure before they can use the data processing systems. As part of this procedure, the user is identified and authenticated (entry of username and password).

 

Transmission control: RISER ID Services GmbH guarantees that, within its sphere of influence, personal data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission, during transportation or when saving to a data storage device, and that it is possible to check and determine the entities to which personal data are intended to be transmitted by means of data transmission facilities. Therefore, personal data are always transmitted in encrypted form where possible. In cases in which encryption is not possible, a secure alternative method is used. Personal data are not transferred to third parties who are not involved in the data processing procedure. A commitment to adhere to the legal requirements for data processing orders has been obtained from all private-sector subcontractors of RISER ID Services GmbH. Public-sector subcontractors of RISER ID Services GmbH (e.g. municipal computer centres) are equally bound by the legal requirements for data processing orders.

 

Input control: RISER ID Services GmbH guarantees that, within its sphere of influence, it is usually possible to investigate and ascertain whether personal data have been entered into, modified in or deleted from data processing systems, as well as the identity of the person who carried out the data entry, modification or deletion. A suitable logging system has been deployed, which records any entry, modification or deletion of personal data (e.g. log files).

 

Order control: RISER ID Services GmbH guarantees that personal data can only be processed as part of a data processing order in accordance with the customer’s instructions. RISER ID Services GmbH will provide evidence that the information received in response to customer inquiries originates from public authorities, if so requested by the customer. RISER ID Services GmbH is not obliged to inform the customer of procedural changes in individual processing steps (e.g. change from written to automated responses).

 

Availability control: RISER ID Services GmbH guarantees that personal data are protected against accidental destruction or loss. A backup strategy is implemented based on a separate, previously formulated data security concept that defines which data need to be backed up.

 

Principle of separation: RISER ID Services GmbH guarantees that data collected for different purposes can only be viewed by the customer who submitted the relevant inquiry. It is ensured that customers cannot view, copy or save the personal data of other customers.

 


 

3.3 Data storage periods for personal data

Requests relating to individuals and results are made available for collection by the customer 6 weeks after being forwarded by the registry offices. Thereafter, the requests and results data are given "revision data status". This is used only for the purposes of verification and billing with registry offices and customers. The request and results data are kept as revision data for 90 days before the data is made anonymous and the billing information is archived without personal references. 

 

3.4 Secure data transfer

All data transfers occurring within the framework of the customer, supplier or registry office portals are carried out using SSL (Secure Sockets Layer) encryption, with a key size of at least 128 bit. This means that the data transferred or collected whilst using the portals cannot be accessed by external third parties.

 

4. Rights of those concerned

RISER ID Services GmbH does not save data from address verification for its own use, but rather makes the results available only to the customer as the responsible party. The customer is therefore fundamentally responsible for the information held about those concerned, for the processing of this data and for any corrections, deletions or blocking of the data.

 

5. Queries about RISER ID Services GmbH data protection

If you have any questions about data protection or security at RISER ID Services GmbH, our data protection officer is at your disposal.

 

Hendrik Tamm

E-Mail: datenschutz@no-spam-pleaseriserid.eu

Tel.: +49 (0)30 - 23 60 769-34

 
