Privacy statement

for the App ATOSS TIME CONTROL (MOBILE)

Version: 02-2023
ATOSS solutions enable companies to optimize their processes by providing employees access to important information and functions from the ATOSS Workforce Management software solution via smartphone and tablet - regardless of the time and place of deployment.

Data security and data protection are an important concern for ATOSS, which ATOSS takes into account in all its business processes. The following data protection information is intended for the Users of the App.

In this Privacy Statement the following definitions apply:

“App” means the coded symbol or icon, including the software contained therein, by which a user can access important information and functions from the ATOSS Workforce Management Software Solution. The app appears on the smartphone or tablet after downloading.

“ATOSS” means the ATOSS Group company referred to as the provider of the App.

“ATOSS Workforce Management Software Solution” refers to a standard software solution for efficient workforce management and demand-oriented staff deployment, which is sold and licensed to companies by ATOSS.

“User” means an identified or identifiable natural person who uses the App, for example as an employee of a company.

“Company” is the client or employer of the User and acquires the necessary licenses by concluding a license agreement with ATOSS in order to use the ATOSS Workforce Management Software Solution, or to have it used, for its internal business operations and for access via the App by the Users.

Note on gender neutrality: The chosen wording applies without restriction to the other genders.

CONTACT ATOSS

ATOSS CSD Software GmbH
Rodinger Straße 19
93413 Cham
Germany
info@atoss-csd.de

Data protection officer of ATOSS is

Klaus Roßmannn
Rodinger Straße 19
93413 Cham
Germany
datenschutz@atoss.com

DATA PROCESSING IN THE APP

CATEGORIES OF PERSONAL DATA

The App provides the User with information on the personal data stored and processed in the ATOSS Workforce Management Software Solution in his Company. Via the App the User can access, edit and supplement this personal data.

Personal data processed via the App is therefore only information that is stored in the ATOSS Workforce Management Software Solution licensed by the Company, either by the Company itself or by the User. 

With regard to this personal data, the Company alone acts as the data controller pursuant to Article 4 Number 7 GDPR. ATOSS processes this data only on behalf of the Company in accordance with the service agreement and Data Processing Agreement (DPA) concluded with the Company. 

Depending on the service agreement with the Company, the App can be used to retrieve and process the following personal data, among others:

  • Employee master data (e.g. login data, password) and information on time-management
  • Information from staff resource planning
  • Information from application and task management
  • System related information (e.g. device version, operating system version, app version)

Details of the categories of this personal data can be found, by way of example, in the “Data Processing Agreement” (DPA). The legal basis of the processing is Article 6 para 1 lit b GDPR.

With the exception of the offline bookings mentioned below and the data mentioned below, which the User authorises access to, no other personal data is processed in the App on behalf of the Company.

LOGGING

Purpose of the processing:
In the App, nothing is logged by default. In the course of an error analysis it may be necessary to activate logging in the App or on the server. The activation of the App logging can only be done with the consent of the User, as the User also has to actively upload the logged files from the App to the server. The logged data is usage data. The encrypted password does not appear in the log files.

Logging can be activated individually for each communication component. For the detection of errors, the entire communication path from the App to the installed ATOSS Workforce Management Software Solution can be logged. The decision to activate logging is made by the company. In this case the company is the data controller in accordance with the applicable data protection laws.

Is access to personal data possible?
Yes

Control of access by Users:
The User can agree or disagree to the data processing in the App. The data will be processed only after active consent.

Legal basis:
The legal basis of the processing is Article 6 para 1 lit a GDPR. If the User does not want the App to access his logging and process or use this data, he can disagree or withdraw his consent at any time with effect for the future.

AUTHORISATIONS OF THE APP AND PURPOSE

Only authorisations that are absolutely necessary for the function of the App are requested. If one of the authorisations is denied by the User, not all functions of the app may be fully available.

The App supports the operating systems iOS and Android and requires the following authorisations:

Camera
Purpose of the processing:
Required to generate pictures for the workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Is access to personal data possible?
Yes

Control of access by Users:
When starting the “camera” function for the first time after installation of the app, the user can agree or disagree whether the App is allowed to access the camera of his mobile device.

Legal basis:
The data is processed on the basis of consent as defined in Article 6 para 1 lit a GDPR. If the User does not want the App to access his camera and process or use data relating to it, the User can disagree or withdraw the consent at any time with effect for the future by disabling access to the camera function for the App.

Picture gallery/Photos
Purpose of the processing: 
Required for saving pictures on the mobile device for workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Is access to personal data possible?
Yes

Control of access by Users:
When starting the “picture gallery / photos” function for the first time after installation of the App, the User can agree or disagree whether the App is allowed to access the camera of his mobile device.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to access the picture gallery / photos on the mobile device and to process or use this data, the User can disagree or withdraw the consent at any time with effect for the future by disabling access to the photos for the App.

Location based services (LBS, GPS, LOCATION DATA)
Purpose of the processing: 
To determine the approximate or exact location. This feature must be explicitly enabled by the Company and requires the consent of the User, which the company is responsible for obtaining.

Is access to personal data possible?
Yes

Control of access by Users:
When starting the app for the first time (after installation or activation of the location data), the user can agree or disagree whether the app is allowed to access the location of the mobile device.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to access the picture gallery / photos on the mobile device and to process or use this data, the User can disagree or withdraw the consent at any time with effect for the future by disabling access to the photos for the App.

Push Messages
Purpose of processing: 
By means of the push templates, the company can, for example, send a generic push message to the User containing 'A new leave request is waiting for approval'. This push function must be set up explicitly by the Company for the App. This means that if this function is not set up by the Company, such push message is not sent.

Is access to personal data possible?
Yes

Control of access by Users:
Reception can be controlled depending on the operating system of the mobile device:

  • With iOS: Request from the User whether he or she allows the sending of push messages.
  • On Android: Consent to send push messages is enabled by default, but can be turned off in the settings.

Legal basis:
The data is processed on the basis of consent according to Article 6 para 1 lit a GDPR. If the User does not want the App to send push messages to the mobile device, the User can disagree or withdraw the consent at any time with effect for the future by turning off the permission of messages for the App.

FEEDBACK BUTTON

Purpose of processing:
ATOSS strives to always design its products in a user-friendly manner and to continuously improve customer satisfaction. By providing the feedback button, the User has the possibility at any time to indicate his user satisfaction on the "Profile" page via the "Provide feedback" button in the app. If the User taps on the "Not Really" button when indicating his user satisfaction, the app opens a dialogue. In addition, the feedback dialogue appears automatically at regular intervals if the user has not yet given any feedback. In the dialogue, the user can use the stars by clicking them to indicate a tendency to be satisfied with the product. In the text field of the dialogue, the User can enter his suggestions as well as constructive feedback or further suggestions for improvements. The feedback already contains information about the device version, operating system version, customer ID, employee name, employee e-mail address as well as the app version and ATC version. This is data that is stored in the user profile of the app. This information is retrieved directly from the App. However, the data mentioned before enable ATOSS to correctly map the feedback to the User and to understand it on the basis of the functional information and the relevant operating environment. By checking the "Give feedback anonymously" checkbox, any feedback that is sent will be anonymized. By default, this checkbox is set. Clicking the Send button sends the feedback.

Is access to personal data possible?
Yes

Control of access by Users:
Yes, the feedback button can be hidden by permission.

Legal basis:
The data is collected on the basis of consent within the meaning of Article 6 para 1 lit a GDPR. When clicking the respective feedback button, ATOSS uses the user feedback exclusively for the purpose of processing the feedback as well as for possible follow-up questions. The submission of user feedback is voluntary and can be revoked by the end user at any time with effect for the future.

DATA STORAGE ON THE MOBILE DEVICE

The user can store the following personal data in encrypted form on the mobile device:

  • Offline clocking

If the mobile device has no connection to the app, any clockings that have been made are stored offline on the mobile device with a notification message. When the mobile device is back online, these are transferred automatically to the server on which the ATOSS product is operated.

For offline clockings, the following personal data is stored on the mobile device:

Employee number: Only if specified

Time account: Mandatory

Online: Shows whether the booking is an online or offline booking

Location Based Services (LBS, GPS, location data): Only if the transfer of the location is configured in ATOSS Workforce Management Software Solution and if the User of the app consents to this

Cost centre: Only for cost centre clockings

Comment: Only if a comment is also entered

Project: Only if a project is also entered

Project status: Only if a project status is also entered

Date and time of the clocking: Initialized only for offline clockings

Recently used and favourites: Information on recently used clockings and favourites.

ATOSS TIME CONTROL (MOBILE) NOTIFICATION SERVICE

If the transfer of information via push message to the mobile end device is activated by the company, the push message function "Google Firebase Cloud Messaging" from the service provider Google Ireland Ltd. is used. In this regard, the ATOSS Time Control (Mobile) Notification Service is used by means of an individual token/key (Firebase token), which is generated by integrating Google Firebase Cloud Messaging. This Firebase token acts as a signal/trigger to the ATOSS Time Control (Mobile) app in order to query the latest status of push messages directly via the database connected to the ATOSS Time Control.
The transfer of the respective push message content takes place exclusively via a secure connection (https) with additional use of a symmetrical encryption procedure between the app on the User's end device and the application server. 
An ATOSS implementation has succeeded in ensuring that no personal data is processed during the required authentication and use of Google Firebase Cloud Messaging.

DATA DELETION

Personal data for offline bookings (see previous section) is automatically deleted from the mobile device after reconnection to the server and successful transfer. The User can delete the App from the device independently at any time. Any existing offline bookings will also be deleted as a result.

Please note that the App only enables the User as an employed person at his Company to access an account already set up at his Company in order to be able to edit and add to his data regardless of location.

The complete deletion of the User's account that is already set up by the Company is therefore only possible in the ATOSS Workforce Management Software Solution in coordination with the Company as employer, who has the sole responsibility for the User's account management.

DISCLOSURE TO THIRD PARTIES

In general, personal data will not be passed on to third parties. Exceptions to this are companies engaged by ATOSS, which are responsible for the technical processing of the feedback or App functions, and the affiliated companies as defined in Section 15 of the German Stock Corporation Act (AktG). 

In accordance with the purpose of use of the App, data is automatically forwarded to the ATOSS Workforce Management Software Solution during active Internet connection.

RIGHTS OF THE DATA SUBJECTS

With regard to the processing of personal data, data subjects, i.e. the users, have the following rights against your company as the data controller pursuant to Article 4 Number 7 GDPR:

Upon request, the company must inform a data subject in accordance with the statutory provisions whether and which personal data on the data subject, i.e. the user, are stored and, if applicable, for what purpose they are processed and/or used (Article 15 GDPR). If, despite the information stored, the information is not correct or if the data subject, i.e. the user, wishes for other reasons to have his or her personal data rectified (Article 16 GDPR) or erased (Article 17 GDPR) or to have the processing restricted (Article 18 GDPR) or to receive the personal data relating to him or her (Article 20 GDPR), the data subject must make this request to his or her company. At the same time, he or she can also object to the processing of personal data under the statutory provisions (Article 21 GDPR).

Finally, without prejudice to the aforementioned rights, the data subject, i.e. the user, may lodge a complaint with a competent supervisory authority if he or she considers that the processing of personal information relating to him or her infringes the regulations of the GDPR (Article 77 GDPR).

CHANGES TO THIS PRIVACY STATEMENT

We reserve the right to amend this Privacy Statement from time to time and to update it in the light of changes in the collection, processing or use of data. The current version of the Privacy Statement is available within the app.