Privacy statement 

for the App ATOSS Staff Center (Mobile)

Version: 02-2023
ATOSS solutions enable companies to optimize their processes by providing employees with access to important information and functions from the ATOSS Workforce Management Software Solution via smartphone and tablet, regardless of the time and place of deployment.

Data security and data protection are an important concern for ATOSS, which ATOSS takes into account in all business processes. The following data protection information is intended for the Users of the App.

In this Privacy Statement the following definitions apply:

“App” means the coded symbol or icon, including the software contained therein, by which a user can access important information and functions from the ATOSS Workforce Management Software Solution. The app appears on the smartphone or tablet after downloading.

“ATOSS” means the ATOSS Group company referred to as the provider of the App.

“ATOSS Workforce Management Software Solution” refers to a standard software solution for efficient workforce management and demand-oriented staff deployment, which is sold and licensed to companies by ATOSS.

“User” means an identified or identifiable natural person who uses the App, for example as an employee of a Company.

“Company” is the client or employer of the User and acquires the necessary licenses by concluding a license agreement with ATOSS in order to use the ATOSS Workforce Management Software Solution for the internal business operations and for the access via the app by the Users or to have it used.

Note on gender neutrality: The chosen wording applies without restriction to the other genders.

CONTACT ATOSS

ATOSS Software AG
Rosenheimer Straße 141 h
81671 Munich
Germany
info@atoss.com

Data protection officer of ATOSS is

Dr. Stefanie Hagemeier
c/o ATOSS Software AG
Rosenheimer Str. 141 h
81671 Munich
Germany
datenschutz@atoss.com

DATA PROCESSING IN THE APP

CATEGORIES OF PERSONAL DATA

The App provides the User with information on the personal data stored and processed in the ATOSS Workforce Management Software Solution in his Company. Via the App the User can access, edit and supplement this personal data.

Personal data processed via the App is therefore only information that is stored in the ATOSS Workforce Management Software Solution licensed by the Company, either by the Company itself or by the User.

With regard to this personal data, the Company alone acts as the data controller pursuant to Article 4 Number 7 GDPR. ATOSS processes this data only on behalf of the Company in accordance with the service agreement and Data Processing Agreement (DPA) concluded with the Company. 

Depending on the service agreement with the Company, the App can be used to retrieve and process the following personal data, among others:

  • Employee master data (e.g. login data, password) and information on time-management 
  • Information from staff resource planning
  • Information from application and task management
  • System related information (e.g. device version, operating system version, app version)

Examples of the categories of this personal data can be found in the 'Data Processing Agreement'. The legal basis of the processing is Article 6 para 1 lit b GDPR.

With the exception of the offline bookings mentioned below and the data mentioned below, which the User authorises to access, no other personal data is processed in the App on behalf of the Company.

LOGGING

Purpose of the processing:
In the app, nothing is logged by default. In the course of an error analysis it may be necessary to activate logging in the App or on the server. The activation of the App logging can only be done with the consent of the User, as the User has also to actively upload the logged files from the App to the server. The logged data is usage data. The encrypted password does not appear in the log files.

Logging can be activated individually for each communication component. For the detection of errors, the entire communication path from the App to the installed ATOSS Workforce Management Software Solution can be logged. The decision to activate logging is made by the Company. In this case the Company is the data controller in accordance with the applicable data protection laws.

Is access to personal data possible?
Yes

Control of access by Users:
The User can agree or disagree to the data processing in the app. Only after an active consent, the data will be processed.

Legal basis:
The legal basis of the processing is Article 6 para 1 lit a GDPR. If the User does not want the App to access his logging and process or use this data, he can disagree or withdraw his consent at any time with effect for the future.

Authorisations of the App and purpose

Only authorisations that are absolutely necessary for the function of the App are requested. If one of the authorisations is denied by the User, not all functions of the app may be fully available.

The App supports the operating systems iOS and Android and requires the following authorisations:

Camera

Purpose of the processing:
Required to generate pictures for the workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Is access to personal data possible?
Yes

Control of access by Users: 
When starting the “camera” function for the first time after installation of the App, the User can agree or disagree whether the App is allowed to access the camera of his mobile device.

Legal basis:
The data is processed on the basis of consent as defined in Article 6 para 1 lit a GDPR. If the User does not want the App to access his camera and process or use data relating to it, the User can disagree or withdraw the consent at any time with effect for the future by disabling access to the camera function for the App.

Picture gallery/Photos

Purpose of the processing:
Required for saving pictures on the mobile device for workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Is access to personal data possible?
Yes

Control of access by Users:
When starting the “picture gallery/ photos” function for the first time after installation of the App, the User can agree or disagree whether the App is allowed to access the camera of his mobile device.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to access the picture gallery / photos on the mobile device and to process or use this data, the User can disagree or withdraw the consent at any time with effect for the future by disabling access to the photos for the App.

Location Based Services (LBS, GPS, location data)

Purpose of the processing:
To determine the approximate or exact location. This feature must be explicitly enabled by the Company and requires the consent of the User, which the Company is responsible for obtaining.

Is access to personal data possible?
Yes

Control of access by Users:
When starting the App for the first time (after installation or activation of the location data), the User can agree or disagree whether the App is allowed to access the location of the mobile device.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to access the location of the User and to process or use the data, the User can disagree or withdraw the consent at any time with future effect by deactivating the access to the location for the App.

Push messages

Purpose of the processing:
By means of the push templates, the Company can, for example, send a generic push message to the User containing 'A new leave request is waiting for approval' via the ATOSS Workforce Management Software Solution. The push function must be set up explicitly by the Company for the App. This means that if this function is not set up by the Company, no push message is sent.

Is access to personal data possible?
Yes

Control of access by Users:
The reception can be controlled depending on the operating system of the mobile device:

  • With iOS: Request from the User whether he allows the receipt of push messages.
  • On Android: Consent to receive push messages is enabled by default, but can be turned off in the settings.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to send push messages to the mobile device, the User can disagree or withdraw the consent at any time with effect for the future by turning off the permission of messages for the App.

FEEDBACK-BUTTON 

Purpose of the processing:
ATOSS strives to design its products always in a user-friendly manner and to continuously improve customer satisfaction. By providing the feedback button, the User has the possibility at any time to indicate his user satisfaction on the page "profile" via the button "Provide feedback" in the App. If the User taps on the "Rather not" button when indicating his user satisfaction, the App opens an e-mail which is automatically addressed to the ATOSS App expert team. In the text field of the e-mail, the User can enter his suggestions as well as constructive feedback or further suggestions for improvements. By clicking on the send button, the e-mail is sent. 

The e-mail automatically generated by the App already contains information about the device version, the operating system version, and the app version as well as the ASE/S version. This is data that is stored in the User profile of the App. This information is retrieved directly from the App. The User can delete this information from the text field of the e-mail at any time. However, the data mentioned before enable ATOSS to correctly map the feedback of the User and to understand it on the basis of the functional information and the relevant operating environment. Should the User modify or delete the information that was automatically generated in the e-mail, ATOSS may no longer be able to use the feedback.

Control of access by Users:
Yes

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. By clicking the respective feedback buttons or sending the generated e-mail, ATOSS uses the feedback exclusively for the purpose of processing the feedback and for possible follow-up questions. The submission of feedback is voluntary and can be revoked by the User at any time with effect for the future.

DATA STORAGE ON THE MOBILE DEVICE

The user can store the following personal data in encrypted form on the mobile device:

  • Offline time bookings or offline cost center change bookings

If the mobile device has no connection to the App, any time bookings that have been made are stored offline on the mobile device with a notification message. When the mobile device is back online, these are transferred automatically to the server on which the ATOSS product is operated.

For offline bookings, the following personal data is stored on the mobile device:

Staff number: Only if specified

Time pair code: Only for a booking with time pair code

Online: Shows whether the booking is an online or offline booking

Location Based Services (LBS, GPS, location data): Only if the transfer of the location is configured in ATOSS Workforce Management Software Solution and if the User of the App consents to this

Cost centre: Only for cost centre bookings

Booking details: Date and time of booking

STAFF CENTER (MOBILE) NOTIFICATION SERVICE

If the transfer of information via push message to the mobile end device is activated by the Company, the push message function "Google Firebase Cloud Messaging" from the service provider Google Ireland Ltd. is used. In this regard, the Staff Center (Mobile) Notification Service is used by means of an individual token/key (Firebase token), which is generated by integrating Google Firebase Cloud Messaging. This Firebase token acts as a signal/trigger to the Staff Center (Mobile) app in order to query the latest status of push messages directly via the database connected to the ATOSS Staff Center.

The transfer of the respective push message content takes place exclusively via a secure connection (https) with additional use of a symmetrical encryption procedure between the app on the User's end device and the application server. 
An ATOSS implementation has succeeded in ensuring that no personal data is processed during the required authentication and use of Google Firebase Cloud Messaging.

Details can be found in the audit report of an independent security consulting company, which is available to you for download at any time in our customer lounge (under the heading product Information / ATOSS Staff Center (Mobile)).

DATA DELETION

Personal data for offline bookings (see previous section) is automatically deleted from the mobile device after reconnection to the server and successful transfer. The User can delete the App from the device independently at any time. Any existing offline bookings will also be deleted as a result.

Please note that the App only enables the User as an employed person at his Company to access an account already set up at his Company in order to be able to edit and add to his data regardless of location. 

The complete deletion of the User’s account that is already set up by the Company is therefore only possible in the ATOSS Workforce Management Software Solution in coordination with the Company as employer, who has the sole responsibility for the User’s account management.

DISCLOSURE TO THIRD PARTIES

In general, personal data will not be passed on to third parties. Exceptions to this are companies engaged by ATOSS, which are responsible for the technical processing of the feedback or App functions, and the affiliated companies as defined in Section 15 of the German Stock Corporation Act (AktG).

In accordance with the purpose of use of the App, data is automatically forwarded to the ATOSS Workforce Management Software Solution during active Internet connection.

RIGHTS OF THE DATA SUBJECTS

With regard to the processing of personal data, data subjects, i.e. the Users, have the following rights against their Company as the data controller pursuant to Article 4 Number 7 GDPR:

Upon request, the Company must inform a data subject in accordance with the statutory provisions whether and which personal data on the data subject, i.e. the User, are stored and, if applicable, for what purpose they are processed and/or used (Article 15 GDPR). If, despite the information stored, the information is not correct or if the data subject, i.e. the User, wishes for other reasons to have his personal data rectified (Article 16 GDPR) or erased (Article 17 GDPR) or to have the processing restricted (Article 18 GDPR) or to receive the personal data relating to him or her (Article 20 GDPR), the data subject must make this request to his Company. At the same time, he can also object to the processing of personal data under the statutory provisions (Article 21 GDPR).

Finally, without prejudice to the aforementioned rights, the data subject, i.e. the User, may lodge a complaint with a competent supervisory authority if he considers that the processing of personal information relating to him infringes the regulations of the GDPR (Article 77 GDPR).

CHANGES TO THIS PRIVACY STATEMENT

ATOSS reserves the right to amend this Privacy Statement from time to time and to update it in the light of changes in the collection, processing or use of data. The current version of the Privacy Statement is available within the App.