Sphereon International BV a limited Dutch company, founded and registered in Amsterdam, The Netherlands, and currently residing at Bisonspoor 8007, 3605 LW Maarssen, The Netherlands, as well as all affiliated entities (hereinafter: “Sphereon”), process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter: “GDPR”).
Sphereon Wallet mobile app
Sphereon provides you with the Sphereon Wallet mobile App (“App”), which you can download and install onto your mobile device.
The protection of personal data is very important to Sphereon. Whether personal data is collected when using the App and for what purpose it is processed, is explained in the following data protection declaration. Processing in this sense means any form of use of the data, e.g. collection, recording, storage, transmission, presentation and deletion.
Personal data is only processed to the extent necessary for communication with the user. We observe the principle of data minimization and comply with all applicable legal provisions for the protection of personal data and data security. Specifically, the corresponding data will only be processed if there is a legal basis.
The legal basis for data processing is the EU General Data Protection Regulation, more precisely: Art. 6 Par. 1 (a), Art. 7, Art. 6 Par. 1 (b) and (f), and Art. 6 Par. 1 (c) of EU 2016/679 (hereinafter “GDPR”).
I. Name and contact details of the entity responsible
The person responsible within the meaning of Art. 4 GDPR for the processing of personal data is:
Sphereon International B.V.
3605 LT Maarssen
II. Type of data processed, purpose of processing, legal basis
1. User and Device Data
We will never have any knowledge of, or have access to, your personal data, unless you contact us using the Sphereon contact-form or the email address provided in the App.
When downloading the App, the necessary information required for this is transferred to the Apple AppStore or GooglePlay Store (the “app Stores”), i.e. in particular the user name, e-mail address and customer number of your account, the time of the download and the individual device code. The above data is required to enable downloading of the App from the app stores. We cannot prevent this, but we do not receive any personal data from this.
We have no influence on this data collection and are not responsible for it. For more information regarding the purpose and scope of data processing in the App stores, we refer to the relevant data protection declarations of the App stores.
After the App has been successfully installed onto your mobile device, it can be used without access to the internet. When you are using the App, we do not collect any personal data. There is no backend server.: the App functions stand-alone. The personal and credential information that you make available to the App for use (e.g. name, address, driver’s license, identity card, educational, or other credential information) is only stored locally and is encrypted on your mobile device. We do not check the data.
It is also your sole responsibility to save the stored content and to carry out data backups.
If you make this information available to other parties (“Issuers”, “Verifiers”, or “Third Party Providers”) for verification or sharing, the data protection declaration of that Issuer, Verifier or Third Party Provider applies with regard to the purpose and scope of the data processing. Sphereon has no access to the data or the data flow here either.
Personal data will only be collected, stored and processed in the event of contact being initiated by you, insofar as this is necessary to answer your request.
The legal basis for data processing is Art. 6 Par. 1 (a), (b) and (f) of the EU GDPR
No cookies are used with this App.
If you contact us via the contact-form provided in the App or via our e-mail address, we will use the contact details you have provided, such as name, e-mail address, and any additional information you have provided for the purpose of answering your request. At the metadata level, your IP address and the version of the App are transmitted.
Here, the processing of the contact data you provide is essential to be able to contact you and answer your request. If data has also been communicated, the processing serves to individualize your request and thus be able to respond in the best possible way.
The legal basis for data processing is Art. 6 Par. 1 (b) and (f) GDPR.
III. Duration of storage
Your data will only be stored for as long as is necessary to fulfill the purposes mentioned above.
As soon as this is no longer the case, e.g. after your request has been fully answered, the data will be deleted or blocked if and for as long as this is required by commercial or tax law retention requirements (Art. 6 Par. 1 (c) GDPR).
From the point in time at which statutory retention requirements no longer conflict, the data will be deleted unless you have expressly consented to further use (Art. 6 Par. 1 (a) GDPR).
IV. Disclosure of data to third parties, transmission to third countries
It is a foundational principle that the data you store or transmit will not be made available to third parties.
In individual cases, however, it may be necessary for the execution of the contract to pass on your personal data to companies that we have entrusted with the provision of individual services (e.g. cloud providers). If we disclose data to third parties as part of our processing, transmit it to them or otherwise grant them access to the data, this is only done based on legal permission, based on your consent, based on a legal obligation, or based on our legitimate interests.
If we commission third-party providers to process data based on a so-called “data processing agreement”, this is done based on Art. 28 GDPR.
For their part, the third parties are obliged to comply with the statutory provisions when handling and processing this data. The seat of a third party may be in a third country, i.e. in a country in which the GDPR does not have direct legal effect. In this case, data will only be transmitted if you have given your consent, an appropriate level of data protection prevails, for example based on individual agreements, the use of EU standard contractual clauses, the existence of an EU adequacy decision, or other legal permission.
Transmission to authorities and state institutions entitled to receive information is also possible, but only within the framework of the statutory information obligations and in the event of a binding court decision. In these cases, Sphereon B.V. can provide the information, e.g. to assert, exercise and defend legal claims, enforce existing contracts, in the context of allegations of fraud, security measures or generally applicable statutory provisions.
Personal data will not be passed on outside of the scope described here without the user’s express consent.
Under no circumstances will we sell or rent personal data to third parties.
V. Third-party services when operating the App
We would like to draw your attention to the following third-party providers, whose services we use to operate the App and to provide our services, and who may come into contact with the above-mentioned personal data:
a. Microsoft 365 , Microsoft Ireland Operations Limited, Attn: Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
b. Atlassian Ltd., Level 6, 341 George Street, Sydney, NSW 2000, Australia
We expressly point out that we have no influence on the scope of the have data that these companies collect. Regarding data protection, we must therefore rely on the information provided by the respective companies, to which we refer in the explanation below.
If required, please obtain further information from the company about the purpose and scope of the data collection and your rights in this regard and setting options for protecting your privacy. We have provided the links to the data protection declarations here.
In the following you will find information on possible data protection effects of the cooperation with the third-party providers as well as further links.
We use the service of Microsoft, a cloud provider, such as Offices 365, to ensure our accessibility via email.
You can find out more about Microsoft’s data protection regulations here: https://privacy.microsoft.com/nl-nl/
We use Atlassian services, such as Jira, to structure and optimize the processing of your technical inquiries. It may be necessary for isolated data on the problems described to be saved and stored in Atlassian’s cloud servers.
VI. Rights of data subjects
As a person affected by the processing of personal data, you are entitled to the rights listed below. These rights result from the provisions of the GDPR and are reproduced here in a partly simplified form.
Right to revoke the declaration of consent
According to Art. 7, Par. (3) GDPR, you have the right to revoke your consent to processing at any time. The lawfulness of the processing carried out based on the consent until the revocation is not affected. The right of withdrawal can be exercised by means of an informal declaration. A written declaration or alternatively an e-mail to the above contact address is sufficient.
Right to information
According to Art. 15 GDPR, you have the right to request confirmation from us as to whether personal data relating to you are being processed. If this is the case, you have a right to information about this personal data and the information specified in Article 15 (1) GDPR. This includes the purpose of the processing, the categories of the processed data, the recipients to whom data have been or will be disclosed, as far as possible the planned duration of storage or the criteria for the duration of storage.
Right to rectification
According to Art. 16 GDPR, you have the right to request us to rectify incorrect personal data concerning you without delay. Considering the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.
Right to erasure
According to Art. 17 GDPR, you have the right to demand that personal data relating to you be erased immediately. We are obliged to delete personal data immediately if one of the provisions of Art. 17 Par. (1) GDPR applies. These reasons include, for example, that the data is no longer necessary for the purposes for which it was collected or otherwise processed.
Right to restriction of processing
According to Art. 18 GDPR, you have the right to demand that we restrict processing if one of the conditions specified in Article 18 GDPR applies. This includes, for example, that you contest the accuracy of the personal data. Then we may only process the data to a limited extent for as long as it takes to check the accuracy of the personal data.
Right to data portability
According to Art. 20 GDPR, you have the right to receive the personal data that you have provided to us in a structured, common, and machine-readable format. You have the right to transmit this data to another person responsible, i.e. another body that processes data, without hindrance, provided that the original processing was based on consent or was necessary for the execution of a contract.
Right of objection
According to Art. 21 GDPR, you have the right to object at any time to the processing of your personal data if this data is processed based on Art. 6 Par. 1 (e) or (f) GDPR and there are reasons that arise from your personal situation. You can object at any time to the processing of data for the purpose of operating direct advertising. Personal data will then no longer be processed for this purpose. The right to object can be exercised by means of an informal declaration. A written declaration or alternatively an e-mail to the contact address in the App is sufficient.
Automated decision-making in individual cases, including profiling
According to Art. 22 GDPR, you have the right not to be subject to a decision based exclusively on automated processing – including profiling – which has legal effect on you or significantly affects you in a similar way. Art. 22 Par. (1) GDPR provides for exceptions to this, whereby Art. 22 Par. (4) GDPR again contains partial exceptions.
Right to lodge a complaint with a supervisory authority
According to Art. 77 GDPR, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority in the member state of your residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data infringes this regulation.
VII. Technical and organizational measures
We take technical and organizational measures to ensure that the security and protection requirements of the GDPR are met and that personal data is protected against loss, destruction, manipulation, or access by unauthorized persons.
VIII. Changes to the data protection declaration
We reserve the right to change this data protection declaration at any time. You are to inform yourself regularly about the content of our data protection declaration.
IX. Final provision
This text is subject to laws of The Netherlands and should be interpreted according to Dutch legal understanding. This English version is for information only. In the event of discrepancies between the Dutch and English versions, only the Dutch version applies.
Version: May 31th 2023