This data privacy statement explains how your data is processed, as well as what data privacy rights you have, when using the Enterprise Protection System (EPS) with the Enterprise Protection App (EPS app).
1. Who is responsible for data processing? Who should I contact if I have any queries regarding data privacy at T-Systems?
T-Systems International GmbH, Hahnstraße 43d, D – 60528 Frankfurt am Main, Germany is the data controller. The controller ensures that your data is processed in accordance with the data privacy regulations. If you have any queries, please contact the Data Privacy Officer, Dr. Claus D. Ulmer, Friedrich-Ebert-Allee 140, 53113 Bonn, email@example.com.
2. Is use of the Enterprise Protection System and the EPS app voluntary?
Yes, use of the Enterprise Protection System and the EPS app is voluntary. It is entirely your decision whether you install the EPS app, which app features you use and whether you share your data with others. All app features that require data transfer will obtain your express consent in advance. There are no disadvantages for you if you do not give your consent or if you subsequently revoke your permission.
3. On what legal basis is your data processed?
Your data is only processed on the basis of express consent given by you. The legal basis is Art. 6(1) Sentence 1(a) GDPR and, in the case of health data, Art. 9(2)(a) GDPR. After giving your consent, you can revoke it at any time. Further information about your right of revocation can be found under Section 10.
4. Who is the EPS app directed at?
The EPS app is directed at visitors of an event for which the Enterprise Protection System is used as part of the hygiene concept in the fight against the coronavirus pandemic and also at the employees of companies who have provided their staff with the Enterprise Protection System. EPS app users must be at least 15 years of age.
5. Which data is processed?
5.1. Requirements for the Enterprise Protection System
The Enterprise Protection System (EPS) has been developed by T-Systems International GmbH for use in companies and at events in order to check distances between people and for contact tracing in the fight against the coronavirus pandemic. The specific needs of companies were taken into account during development, for example that it is not permitted to carry your cell phone with you in many production environments in order to prevent espionage. A typical tracing app installed on a cell phone would not meet these requirements. The Bluetooth signal which is used by conventional tracing apps can also result in device interference in production environments.
For this reason, the EPS user is equipped with a small tracing device (SafeTag) which operates with ultra wideband technology instead of Bluetooth. The user carries the SafeTag with them for the duration of the event or while at work. The SafeTag can be used both with and without the EPS app. The ultra wideband technology, which provides considerably more accurate results than Bluetooth technology, is used to measure the distance to other SafeTags and warn the user by means of acoustic and/or visual signals (flashing) if a specific distance is no longer maintained. This takes place without interference to other devices.
The EPS app is also part of the Enterprise Protection System. It processes the exposure data collected by the SafeTag and calculates the risk of infection by contacts that pose a risk to health.
5.2. Sequential data processing based on the user story
A user story describes the feature requirements for an app or another product. The EPS app requirements vary depending on whether and how the EPS app is used. This also affects the amount of data processed. The following describes data processing for each of the user stories.
5.2.1. Setting up the app
You have already loaded the EPS app on your smartphone. To start, you are requested to enter a TAN (transaction number) or to scan a QR code which is provided to you by the controller in your location. This ensures that you are authorized to participate in the controller’s Enterprise Protection System. Your smartphone receives a device ID. A device ID is a unique identification number for your device which cannot be changed and which you can use from then on to authenticate yourself to the EPS server. This is also used to brand your EPS app. It can now only be used for the Enterprise Protection System belonging to this one controller (branding). If you want to use the EPS app in another company, you have to uninstall the app and re-brand it using a new TAN from the new controller.
5.2.2. Using the SafeTag
When you arrive at the event or at the company, take a SafeTag of your choice from the collective charging pad. Use the EPS app to scan the QR code found on the SafeTag. The QR code contains the SafeTag’s device ID. Once it has been scanned, and for the remainder of your stay with the controller on the day in question, the SafeTag (or rather its ID) is allocated to you as a pseudonym. After scanning, the EPS app connects to the EPS server and, simply put, creates a folder for you using the SafeTag’s ID (log). Only you have access to this folder. You no longer need your smartphone for the time being.
The SafeTag uses ultra wideband technology to send its own ID every second while also receiving the IDs from other SafeTags in the area. This enables the period of time for which you had contact with other SafeTags/users and at what distance to be determined. This data is stored on the SafeTag. Before leaving the event or the company, return the SafeTag by placing it back in the collective charging pad. This charging pad is connected to a computer (edge device) on site, which encrypts your data and transmits it to the EPS server using a secure encrypted connection. Your exposure data is stored there in the folder that was created for you.
5.2.3. Using the EPS app
You and only you can now download your data using your EPS app. You also download the current list with the IDs of those users who have voluntarily reported that they are infected with coronavirus in order to warn other users. Your exposure data is compared with the data of the infected users locally in your EPS app using an algorithm. If you have had a potential exposure over the past 14 days, the app informs you accordingly and requests that you take action.
The “detour” of uploading and downloading the data on the EPS server is necessary because the EPS app and the SafeTag cannot communicate with each other for technical reasons. Temporary storage on the EPS server serves solely as a buffer until the data is transmitted to your smartphone. Your data is deleted from the server immediately after downloading. The EPS server is located in the Open Telekom Cloud which is subject to strict security and data privacy standards. Technical measures have been taken in order to ensure that only your EPS app – and not the event organizer or your employer – can access the exposure data saved there. Your exposure data is also encrypted so that even the administrators who provide technical support for the Open Telekom Cloud cannot view your exposure data.
5.2.4. Warning others
If you yourself test positive for coronavirus, you can voluntarily upload your IDs from the past 14 days, i.e. the device IDs for the SafeTags that you used, to the server in order to warn other users of the risk of infection. To do so, only your IDs are uploaded to the server and not your exposure data, i.e. the IDs of the users to whom you were exposed. Your name or data that reveals your identity are also not included. Since the SafeTags are not only used by you, but also by other persons at other times, it is necessary to upload the time period in which you used the SafeTag to the server as well as the device ID. In order to prevent users who are actually healthy from registering positive coronavirus tests, your positive test result must be verified. There would otherwise be a risk of numerous users receiving incorrect risk warnings. The EPS controller, i.e. the event organizer or your company, issues a TAN which you have to enter into the app before you can share your data.
The Enterprise Protection System has been designed so that the personal data processed is kept to an absolute minimum. Apart from the voluntary identity sharing (see Section 5.2.5 below), the system does not record any data that would enable the controller or other users to discover your identity, your name, your location or other personal details. The EPS app also refrains from using any analysis tools to evaluate the way you use it.
5.2.5. Identity sharing
If you have become infected with coronavirus or if you have been warned as a result of a possible exposure, you can voluntarily communicate your identity and any exposure data that involves risk in order to support contact tracing. This does not take place automatically. You will be asked specifically about this matter and there are no disadvantages to you if you choose not to use this feature of the EPS app.
If you do want to share your data, you can use a form in the app to specify your first name, last name, e-mail address, telephone number and your company affiliation. You can also voluntarily communicate your exposure to persons who you may have put at risk. This does not include all of your exposures; only those with a duration and proximity that could lead to infection. The IDs of your contacts are not communicated to the server in plain text. Simply put, they take the form of a digit sum (hash value) of the ID and the time of the contact. It is not possible to reconstruct the contact’s ID from the digit sum. Your contact data is written to a back-end database using these digit sums of exposures for 14 days. The back end is a technical system that deals with data processing in the background and cannot be viewed by any users.
If you have shared your positive test result with the EPS system (as described previously under Section 5.2.4), the other users who have possibly been exposed to you are warned of the risk by the EPS app. These persons can then voluntarily also decide to communicate their contact data and the digit sum of their potential exposures in the past 14 days. A check is carried out in the back end after the upload to see whether the digit sums that you uploaded match the digit sums of your possible exposures. If this is the case, your database entry is completed with the contact data for your possible exposure. This information enables the faster detection and breaking of chains of infection. Any other data uploaded by the person with whom you had a possible exposure is not required and is therefore deleted immediately. The persons with whom you had possible exposures are not informed of your identity.
Strict permission management in the back end and with the controller means that access rights to this database are restricted to a very small group of absolutely essential people. The controller’s authorized employees obtain access using two-factor authentication and are only permitted to view the database when supervised by another person and for the purpose of contact tracing and tackling the pandemic. The controller may have to share your data with the competent health authorities. It is prohibited to use the data for other purposes. The data is deleted from the back end after 14 days.
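The two matching steps described in Sections 5.2.3/5.2.4 (local comparison of your exposure log against the positive list of SafeTag IDs with use periods) and Section 5.2.5 (hash values of contact ID and contact time, intersected in the back end) can be illustrated with a small simulation. The code below is an added example and is not the EPS app's or T-Systems' own code; the record layout, the 15-minute duration threshold, the per-minute time truncation and the choice to hash both IDs in sorted order (so that both sides of a contact compute the same digest) are assumptions made for the example, and all SafeTag IDs, times and logs are constructed. The 1.5 m distance is the threshold the statement itself names.

```python
"""Simulation of EPS-style exposure matching (added example, not the project's code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Exposure:
    contact_id: str        # device ID of the other SafeTag (received once per second)
    received_at: datetime  # time at which the signal was received
    distance_m: float      # distance derived from the UWB time of flight


@dataclass(frozen=True)
class PositiveEntry:
    tag_id: str            # SafeTag ID voluntarily reported by an infected user
    use_start: datetime    # period in which that user carried the tag
    use_end: datetime


MIN_DISTANCE_M = 1.5          # safety-relevant distance named in the statement
MIN_CLOSE_SECONDS = 15 * 60   # ASSUMPTION: duration threshold chosen for this example


def on_positive_list(e: Exposure, positives) -> bool:
    """True if the contact's tag was on the positive list during the time of contact."""
    return any(e.contact_id == p.tag_id and p.use_start <= e.received_at <= p.use_end
               for p in positives)


def close_contact_seconds(exposures, positives=None) -> dict:
    """Seconds spent within MIN_DISTANCE_M per contact ID, optionally restricted to the positive list."""
    totals: dict = {}
    for e in exposures:
        if e.distance_m > MIN_DISTANCE_M:
            continue
        if positives is not None and not on_positive_list(e, positives):
            continue
        totals[e.contact_id] = totals.get(e.contact_id, 0) + 1  # one record per second
    return totals


def risky_contacts(exposures, positives=None) -> list:
    """Contact IDs whose close-contact duration reaches the threshold (sorted for determinism)."""
    return sorted(c for c, s in close_contact_seconds(exposures, positives).items()
                  if s >= MIN_CLOSE_SECONDS)


def exposure_hash(tag_a: str, tag_b: str, when: datetime) -> str:
    """The 'digit sum' of Section 5.2.5: SHA-256 over both IDs (sorted) and the contact minute.
    ASSUMPTION: sorting makes the digest identical for both parties of the contact."""
    first, second = sorted((tag_a, tag_b))
    return hashlib.sha256(f"{first}|{second}|{when:%Y-%m-%dT%H:%M}".encode()).hexdigest()


def hashes_to_share(own_tag: str, exposures) -> set:
    """Digests a user would voluntarily upload: risky contacts only, never the plain contact IDs."""
    risky = set(risky_contacts(exposures))
    return {exposure_hash(own_tag, e.contact_id, e.received_at)
            for e in exposures if e.contact_id in risky and e.distance_m <= MIN_DISTANCE_M}


def backend_match(infected_hashes, exposed_hashes) -> list:
    """Back-end check: digests present in both uploads; nothing else about either log is learned."""
    return sorted(set(infected_hashes) & set(exposed_hashes))


def per_second(contact_id, start, seconds, distance_m):
    """Build a run of per-second exposure records (constructed test data)."""
    return [Exposure(contact_id, start + timedelta(seconds=i), distance_m) for i in range(seconds)]


BASE = datetime(2021, 1, 10, 10, 0, 0)  # constructed
# Constructed log of the user carrying TAG-X on 10 Jan 2021.
MY_LOG = (per_second("TAG-A", BASE, 20 * 60, 1.2)                          # 20 min close: risky
          + per_second("TAG-A", BASE + timedelta(hours=1), 30 * 60, 3.0)   # too far, ignored
          + per_second("TAG-B", BASE, 2 * 60, 1.0)                         # too brief
          + per_second("TAG-C", BASE, 30 * 60, 1.0))                       # close, but see list
# Constructed log of the infected user carrying TAG-A the same day.
INFECTED_LOG = (per_second("TAG-X", BASE, 20 * 60, 1.2)
                + per_second("TAG-Y", BASE + timedelta(hours=2), 2 * 60, 0.8))
# Constructed positive list: TAG-C was used by an infected person only on the previous day.
POSITIVE_LIST = [
    PositiveEntry("TAG-A", datetime(2021, 1, 10, 8), datetime(2021, 1, 10, 17)),
    PositiveEntry("TAG-C", datetime(2021, 1, 9, 8), datetime(2021, 1, 9, 17)),
]

if __name__ == "__main__":
    print("warn about:", risky_contacts(MY_LOG, POSITIVE_LIST))
    matched = backend_match(hashes_to_share("TAG-A", INFECTED_LOG), hashes_to_share("TAG-X", MY_LOG))
    print("matching contact minutes in back end:", len(matched))
```

Note that TAG-C is ignored in the local warning step because its use period on the positive list does not cover the time of contact, which is why the use period must be uploaded along with the ID (Section 5.2.4). In the identity-sharing step, the exposed user's upload contains digests for both TAG-A and TAG-C contacts, but only the TAG-A minutes intersect with the infected user's upload; the TAG-C digests remain meaningless to the back end.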
5.2.6. Using the SafeTag without the app
If you have chosen to use the SafeTag without the EPS app, you cannot be warned if another user who you have encountered subsequently voluntarily reports that they have tested positive with coronavirus. You can, however, still use the SafeTag to maintain a safe distance from others. The SafeTag warns you with acoustic and/or visual signals if you come too close to another SafeTag. If a minimum distance of 1.5 meters is not maintained (safety-relevant contact), a red flashing light appears on the SafeTag. If the distance is too small for at least 5 seconds, a beeping noise is also emitted by the SafeTag. For technical reasons, it is not possible to deactivate the feature enabling the SafeTag to also log your exposure data. When you were exposed to which other SafeTag device ID and at what distance is stored temporarily. When you return your SafeTag and it is placed back in the charging pad, your exposure data is transmitted to a computer that is connected on site (edge device). The data is immediately deleted completely from the SafeTag. Since you are not using the app, the computer does not find a folder on the server in which it can place the data for you to download. The computer therefore also deletes the data immediately and completely.
5.3. Data categories processed
The data processed by the Enterprise Protection System can be assigned to the following categories:
5.3.1. Access data
Every time the app exchanges data over the internet with the controller’s server system (or their data processor, see Section 10), the server system processes what is called access data. This is necessary in order for the app to be able to retrieve current data (e.g. for warnings) or transmit specific data that is stored on the smartphone to the server system. The access data includes the following data:
- IP address
- Date and time of retrieval
- Transmitted data volume (or packet length)
- Notification of whether the data exchange was a success
This access data is processed in order to maintain and secure the technical operation of the app and the server system. You are not personally identified as the user of the app and no usage profile is created. The IP address is not saved beyond the end of the usage procedure. In order to prevent unauthorized parties from using your IP address to associate your data with you when you use the app, the app only ever accesses the server system via a special access server. This access server then forwards the data requested or transmitted by the app to the appropriate server, but without your IP address, meaning that your IP address is not processed within the server system.
5.3.2. Using the app for informational purposes
Links to websites in the app are opened and displayed in the standard browser (Android smartphones) or in the app (iPhones). Which data is processed in this context depends on the respective providers of the website accessed.
5.3.3. Exposure data
As soon as you take the SafeTag from the charging pad, it uses ultra wideband technology to send its device ID, which is received and recorded by other SafeTags in your vicinity. In turn, your SafeTag also receives the data from other users.
The data transmitted includes:
- SafeTag device ID
- Time at which the signal is sent
The exposures recorded in the SafeTag include:
- SafeTag device ID for the contact
- Time at which the signal is received
- Exposure distance
The signal travels at the speed of light. The distance between the SafeTags is calculated using the difference between the time of sending and the time of receiving.
5.3.4. Health data
Health data is any data containing information about a person’s health. This includes not only information about past and current illnesses, but also about a person’s risk of illness (such as the risk that a person has been infected with coronavirus). The EPS app processes health data in the following cases:
- If a possible exposure is detected
- If you use the app to warn other users that they may be infected (see Section 5.2.4 above)
- If you communicate your contact data and/or exposure data as a user who is identified as “infected” (see Section 5.2.5 above)
- If a person with whom you had a possible exposure communicates their contact data and/or exposure data (see Section 5.2.5 above)
6. Why is your data processed?
6.1. Exposure logging
Exposure logging is part of the app’s main functionality. It serves to warn you of possible exposure to people who have tested positive for coronavirus, to calculate the infection risk for you, and to provide you with health advice and recommendations for what to do next.
6.2. Warning others
If you have tested positive for coronavirus and share the device IDs for the SafeTags that you have used in the past 14 days (including use times) with the Enterprise Protection System using the app, then it is possible to warn other users whom you have encountered.
6.3. Contact tracing
If you have tested positive for coronavirus and voluntarily communicate your identity, the controller or the public health office can contact you in order to establish who you have had contact with in order to trace and stop the chain of infection. If you also voluntarily communicate the digit sums (hash values) of your exposures (see Section 5.2.5 above) and users to whom these digit sums apply also share their identity, these users can also be included in the tracing and stopping of chains of infection.
7. What permissions does the EPS app require?
The EPS app requires access to various features and interfaces on your smartphone. For this purpose, you need to grant the EPS app certain permissions. The permission system depends on your operating system’s specifications. Please note that without the permissions requested by the EPS app, you will not be able to use some or all of the app features.
The app requires an internet connection in order to exchange data with the EPS server.
If you received a QR code instead of a TAN in order to set up the EPS app (branding, see Section 5.2.1 above), the EPS app requires permission to access the camera in order to scan the QR code.
You receive a different SafeTag of your choice every day. To activate the SafeTag, the QR code which is affixed to the tag must be scanned. The EPS app also requires access to the camera for this purpose.
8. When will your data be deleted?
The storage period is based on the purpose of contact tracing in order to prevent coronavirus from spreading further. When determining the storage period, the latest scientific findings published by the Robert Koch Institute (RKI) on the incubation period (up to 14 days) as well as on how long there is a risk of an infected person infecting someone else after the end of the incubation period are taken into account. Unless otherwise specified under Section 5, the following storage periods apply:
8.1. SafeTag
When the SafeTag is placed back in the charging pad, a connection is established with the locally connected computer (edge device) and the data is transmitted to the computer. The data is deleted completely from the SafeTag immediately after this transmission.
8.2. Edge device
This computer is connected to the internet (using LTE) and encrypts the data and transmits it to the EPS server. The data is then deleted from the computer immediately. If the computer cannot transmit the data to the EPS server because the EPS app has not created a folder for the SafeTag used, the data is deleted immediately.
8.3. Data on the EPS server
The exposure data collected with the SafeTag is made available on the server for you to download. The data is deleted completely from the server immediately after downloading. Downloading takes place in the following cases:
- Update during check-in
When you scan the QR code of a SafeTag, thereby “checking in” the SafeTag to the system, an update is carried out at the same time. The update involves downloading your exposure data (if there still is any on the server) and downloading the IDs of infected users.
- Planned update
During check-in, the time of the next EPS app update is planned in order to ensure that the update is performed automatically.
- Manual update after notification
You can be informed by push messages if data is available for you to download. You can manually trigger the update and therefore the download process for your data in the app.
- Manual update at discretion
You can of course initiate the update manually at any time, thereby downloading your data and deleting the data from the server.
If you do not use one of the options specified to download the data stored on the EPS server within 14 days (for example because you are sick or on holiday), the data will be deleted after 14 days anyway.
The IDs of the users who have registered as having tested positive for coronavirus, which have been made available for downloading on the server, are also deleted after 14 days.
8.4. Data on your smartphone
All of the data stored on your smartphone (exposure data, data for risk warning) is deleted from the app memory after 14 days.
8.5. EPS app reset
The EPS app also has a reset feature. The feature can be found under the menu item “App information” -> “App reset”. During the reset, a connection is established with the EPS server in order to download any data that may still be located there and to trigger the deletion procedure on the server. All the data is deleted from the EPS app, including the data that was stored in order to brand the app for a specific controller (see Section 5.2.1 above). If you perform a reset and want to continue to use the app afterwards, you must have the controller issue you with a new TAN and set up the app again.
9. Who will receive your data?
If you warn other users via the app, the SafeTag IDs which you have used in the past 14 days as well as the use time are passed on to other users of the controller's Enterprise Protection System.
If you have used the app to share your identity and/or the digit sums (hash values) of your exposures, the controller (as specified above in Section 1) can access this data and may pass it on to the competent health authorities.
The controller has commissioned T-Systems International GmbH (TSI) as data processor to operate, maintain and manage the Enterprise Protection System (Art. 28 GDPR). Otherwise, the controller will only pass on your data collected in connection with your use of EPS to third parties if it is legally obliged to do so or if this is necessary for legal action or criminal prosecution in the case of attacks on the app’s technical infrastructure. In other cases, personal data will not generally be passed on by the controller.
10. How can you revoke your consent?
You have the right to withdraw any consent you granted in the EPS app at any time with effect for the future. It is not necessary for you to specify reasons and there will be no disadvantages for you. Please note, however, that any processing of your data that has already been carried out cannot be reversed. In particular, once your IDs have been transmitted, the controller has no way of deleting these from other users’ smartphones.
10.1. Consent to exposure logging
To revoke your consent to exposure logging, you can trigger the reset feature in the app (see Section 8.5 above regarding the reset). Alternatively, you can uninstall the app. However, any exposure data that may still be located on the server is not retrieved and deleted in this case. If you want to use exposure logging again, you can install and set up the app again.
10.2. Consent to “warning others”
Immediately after you provide your consent in the app, the device IDs for the SafeTags that you have used in the past 14 days (including use times) are transmitted to the server and made available to other users to download. The controller has no way of deleting your transmitted IDs from the “positive lists” distributed by the server system or from users’ smartphones. However, the data shared by you is deleted from the server and from users' smartphones automatically after 14 days.
10.3. Consent to communicate your identity and share your possible exposures
In order to revoke your consent to processing your identity and potential exposures for contact tracing, please send your revocation by email to firstname.lastname@example.org. Please note that your data is deleted completely from the server 14 days after the upload triggered by you and we can only implement the enforcement of data subject rights for data that still exists in the system (see also Section 11 below).
10.4. Using the SafeTag without the EPS app
In order to revoke the consent to store your movement data in the SafeTag, you must return the SafeTag so that it can be placed in the charging pad immediately and the deletion process can be started.
11. What other rights do you have under data privacy law?
If your employer processes your personal data, you also have the following data privacy rights:
- The rights under Art. 15 (right of access), Art. 16 (right of rectification), Art. 17 (right to erasure), Art. 18 (right to restriction of processing), Art. 20 (right to data portability) and Art. 21 (right to object) GDPR,
- the right to contact the controller's data privacy officer and raise your concerns (Art. 38(4) GDPR) and
- the right to lodge a complaint with a data privacy supervisory authority.
You also have these data privacy rights vis-à-vis the health authorities responsible for data processing if you have transmitted your identity (see Section 5.2.5).
Please note that the data privacy rights mentioned above can only be fulfilled if the data on which your claim is based can be clearly assigned to you. This would only be possible if the EPS app were used to collect further personal data such as your name that would allow the data transmitted to the EPS server to be clearly assigned to you or your smartphone. Since this is not necessary for the purposes of the app, except for identity sharing (see Section 5.2.5), the controller is not obliged to collect such additional data (Art. 11(2) GDPR). Moreover, this would run counter to the stated objective of collecting as little data as possible. For this reason, it will generally not be possible to fulfill the above data privacy rights even if you provide additional information about your identity. If your name, your email address or another unambiguous identifying feature is not stored in the system, it is not possible to assign a data record to you.
12. Data privacy officer and contact
If you have any questions or concerns regarding data privacy, you are welcome to send them to the controller’s data privacy officer: Dr. Claus D. Ulmer, Friedrich-Ebert-Allee 140, 53113 Bonn, email@example.com
Last revision: Jan. 15, 2021