Privacy Policy (Third-party users)
1. Scope of application, person responsible
This information applies to all processing of personal data by Paperless GmbH that takes place as part of the process of completing and signing forms and documents via the website submit.paperless.io ("completion interface") or customer-specific domains with the same range of functions (hereinafter "process"). The controller of the process within the meaning of data protection law (see Art. 4 No. 7 GDPR) is:
Paperless GmbH
Große Friedberger Straße 13-17
D-60313 Frankfurt am Main
Paperless GmbH ("Paperless", "we" or "us") is subject to the statutory data protection regulations, in particular the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR"), the German Federal Data Protection Act ("BDSG") and the German Telemedia Act ("TMG").
Below you will find, among other things, information about which personal data is processed as part of the process, for what purposes this is done in each case and what rights you are entitled to in this regard as the data subject.
2. Data protection officer
Paperless has appointed a data protection officer whom data subjects can consult on all matters relating to the processing of their personal data or the exercise of their rights under the GDPR, BDSG and other data protection regulations. The data protection officer can be reached at the following contact details:
Paperless GmbH
- The Data Protection Officer -
Große Friedberger Straße 13-17
D-60313 Frankfurt am Main
E-mail: datenschutz@paperless.io
3. Processing of your data
In this section, we would like to inform you in detail about the operations within the process in which your personal data is processed by Paperless; for this purpose, we provide you below with all the information required by Art. 13, 14 GDPR for each of these operations.
3.1 Calling up the fill-in interface
The following data is transmitted to us via your computer's web browser each time you call up the fill-in interface in your web browser, i.e. even if you have not yet registered to use certain functions of this website or actively transmit information to us in any other form:
- Your IP address
- Date and time of your request
- Time zone difference to Greenwich Mean Time
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes
- Your browser (incl. language setting and version)
- Operating system and its interface
(hereinafter collectively referred to as "usage data").
Paperless processes your usage data exclusively to enable you to call up the fill-in interface using your web browser. The legal basis for this processing is Art. 6 para. 1 sentence 1 letter f) GDPR. Your usage data will not be transmitted to other recipients. From the time of collection, we store your usage data for the duration of your web browser session. You are under no legal or contractual obligation to provide your usage data, but you cannot use the fill-in interface without processing this data.
Cookies are placed on your end device when you access the fill-in interface. These are small text files that are transferred from our web server to your computer via your web browser and stored there on the permanent memory (hard disk, fixed memory, etc.). Further information on the data processed in this way, the duration and purposes of their processing as well as those responsible and data recipients can be found under 4. Cookies.
3.2 Activities of the third-party user
a) Tracking of events
Customers of Paperless GmbH can invite third party users (you) to view, change and/or sign a form or document provided via the completion interface by e-mail, among other things. This e-mail contains, among other things, a hyperlink to the form or document in question. If you activate this hyperlink, the user interface of the Paperless platform will open in a window of your browser. Before you can view or edit the document there, you will be asked whether you agree to the tracking of your activities in connection with the review, modification and signature of this document. You are under no contractual or legal obligation to give this consent. If you confirm your consent, Paperless will collect the time, IP address used (unabbreviated) and your browser user agent for each of the following events (collectively "Event Data"):
- The third-party user opens a form or document provided on the completion interface;
- The third-party user has successfully completed all selection and input fields of a section in the completion interface or the form or document provided by the Paperless customer;
- The third-party user has successfully completed all selection and input fields in the completion interface or the form or document provided by the Paperless customer;
- The third-party user has signed the form or document provided.
The event data is processed exclusively for the purpose of preventing unauthorized and/or abusive usage behavior (e.g. use of robots) and to provide the Paperless customer with information that is relevant for proving the identity of the third-party user and can be used by the Paperless customer to provide evidence if necessary. The legal basis for this processing is Art. 6 para. 1 sentence 1 letter a) GDPR (i.e. your consent under data protection law). Paperless stores the event data for 10 years in each case.
b) Manual data entry
The fill-in interface of the Paperless platform accessible to third-party users (via the Paperless customer's invitation) includes various selection or input fields in which you can enter data. The same applies to electronic forms or documents that are provided there for you by a Paperless customer. Data entries that you must make in order to use certain functions (e.g. signing an electronic document) are marked accordingly; however, you are not legally obliged to make such entries.
All entries that you make in the selection or input fields of the Paperless platform ("Manual data entry") are processed by the Paperless customer
- for the conclusion, execution and processing of the legal transaction that comes about through your signature; the legal basis for this processing is Art. 6 para. 1 sentence 1 letter b) GDPR (necessity for contract fulfillment);
- to document and manage the declaration of knowledge that you submit to the Paperless customer by means of your signature; the legal basis for this processing is Art. 6 para. 1 sentence 1 letter f) GDPR (legitimate interests).
Paperless will store your Manual data entries at least until the date on which the relevant contract or declaration of intent has been completely fulfilled (e.g. by fulfilling all performance obligations). As a rule, however, Manual data entries are stored for longer; this happens if the data is subject to a statutory retention period (e.g. six or ten years for tax-relevant information) that has not yet expired at the time of completion. In this case, the relevant Manual data entries will be deleted once this statutory retention period has expired.
3.3 Network and information security
Paperless processes access data, event data, usage data and Manual Data Entry of the Third Party User to the extent necessary in each individual case to prevent disruptions or unlawful interference with the networks or information systems used by us which (i) would impair the availability, authenticity, completeness and/or confidentiality of the personal data processed hereby or the security of the services operated thereon (including their use for the commission of criminal offenses or administrative offenses).
We process this data on the basis of Art. 6 para. 1 sentence 1 letter f) GDPR, i.e. the legitimate interest of Paperless, its contractual partners and third-party users to ensure the security of the data, services and systems, to be able to offer or use the Paperless SaaS in accordance with the contract and to avert damage to the legal interests of Paperless, its contractual partners and third-party users.
For these purposes, we generally store the access data, event data and usage data of the third-party user for 8 weeks, in each case starting from their collection by or on behalf of Paperless; if during this time there is a reasonable suspicion that the third-party user is involved in an unlawful infringement, we will store your usage data until such time as this suspicion has been dispelled or, failing this, the legal action for this involvement has been concluded.
The event data and usage data of the third-party user may be disclosed to our IT security service providers to prevent disruptions and unlawful intrusions (a current list of these service providers can be found in the list of subcontractors of Paperless GmbH). In the event of reasonable suspicion of involvement of the third party user in an unlawful interference, his usage data and, if necessary in individual cases, other personal data available to Paperless will be disclosed to the competent authorities, courts and persons commissioned to exercise the rights of Paperless (e.g. lawyers) for the purpose of legal prosecution; if the third party user acts for a contractual partner of Paperless, we will also disclose his name and e-mail address and usage data to this contractual partner insofar as this is necessary to protect the contractual partner.
3.4 Compliance
Paperless is also entitled to process the personal data collected from the third-party user insofar as this is necessary to comply with our legal obligations under European or Member State law. In this respect, we will process this data - like any other company - for example to carry out notifications in accordance with Art. 33, 34 GDPR or to comply with direct orders from European and Member State authorities and courts. Our data protection officer will provide information and details of other such legal obligations on request.
Such processing is carried out on the basis of Art. 6 para. 1 sentence 1 letter f) GDPR, i.e. our legitimate interest in complying with our legal obligations. For this purpose, we store personal data of the third-party user until our respective legal obligation is fulfilled or completed. Insofar as we are legally obliged to provide information and/or transfer the personal data of the third-party user to authorities, courts or other bodies, we will also disclose this data to such bodies to the extent prescribed in each case.
4. Cookies
4.1 What are cookies?
A cookie is a small text file that is stored on your computer or mobile device when you visit a website. If you, as a third-party user, view, change or electronically sign an electronic form or document provided for you via the completion interface, cookies are placed on your end device.
4.2 How do we use cookies?
Paperless only uses so-called necessary first-party cookies, which are set, read and controlled exclusively by Paperless, not by external providers. The cookies allow Paperless to remember your user session and settings (such as language, etc.) for a certain period of time. This means that you do not need to re-enter them when navigating the fill-in interface during the same visit.
Cookies to ensure the operational readiness of the website
We need to set these cookies so that the fill-in interface works. We therefore do not obtain your prior consent for these cookies. These include:
- Authentication cookies
- Technical cookies, required for certain IT systems
Authentication cookies
These are stored by our authentication service when you use the completion interface.
Name: _session_id
Service: Paperless platform
Purpose: Authentication to use the fill-in interface
Type of cookie and retention period: First-party session cookie - is deleted after leaving the browser
Technical cookies
These are stored by our authentication service when you use the completion interface. By doing so, you also accept the corresponding data protection policy.
Name: CSRF-TOKEN
Service: Paperless platform
Purpose: Prevents cross-site attacks
Type of cookie and retention period: First-party session cookie - is deleted after leaving the browser
Beyond that, no other cookies are used on the fill-in interface.
5. Your rights
In the following, we would like to inform you about the rights to which you are entitled as a data subject in accordance with Art. 15-21 GDPR and Art. 77 para. 1 GDPR. To assert these rights, you can contact our data protection officer in particular by email at datenschutz@paperless.io.
5.1 Right to information
According to Art. 15 GDPR, you have the right to informally request confirmation from Paperless as to whether and which of your personal data is being processed.
The right to information extends to the following information:
- the categories of your personal data that are processed,
- the purposes for which your personal data is processed,
- Recipients to whom your personal data has been or will be disclosed,
- the existence of your rights to rectification or erasure of your personal data, to restriction of processing and your right to object to processing, and
- the existence of your right to lodge a complaint with a supervisory authority.
If applicable and as far as possible, you are also entitled to the following information:
- The planned duration for which your personal data will be stored or at least the criteria for determining this duration and
- all information available to Paperless about the origin of your personal data, unless it was collected from you.
Paperless is also obliged to provide you, upon request, with a copy of the entirety of your personal data processed by Paperless as controller; the data will be provided in the scope and format in which it is available to Paperless at the time of your request for information.
5.2 Right to rectification
According to Art. 16 GDPR, you have the right to demand that Paperless corrects or completes your personal data if it is incorrect or incomplete. For example, you can have data that is incorrect in terms of content (e.g. due to typing errors/errors in handwriting) corrected.
5.3 Right to erasure
According to Art. 17 GDPR, you have the right to request Paperless to delete your personal data, in particular if
- they are no longer necessary for the purposes for which they were lawfully processed,
- you have withdrawn your consent required for their processing,
- you have objected to the processing of your personal data and this processing is not required for overriding legitimate reasons,
- the processing of your personal data is unlawful, or
- the deletion of your personal data is necessary to fulfill a legal obligation of Paperless under Union or Member State law.
5.4 Right to restriction of processing
According to Art. 18 GDPR, you have the right to request Paperless to restrict the processing of your personal data insofar as
- you have disputed the accuracy of the content of your personal data,
- the processing of your personal data is unlawful and you object to its erasure,
- you no longer require your personal data from Paperless for the establishment, exercise or defense of legal claims, or
- after your objection to the processing of your personal data, it is not yet clear whether the interest asserted by Paperless can justify its further processing.
In cases where processing is restricted, we may only continue to process your data in exceptional cases specified by law. We will inform you in advance if such a restriction is lifted.
5.5 Right to data portability
In accordance with Art. 20 GDPR, you have the right to receive the personal data you have provided to Paperless in a structured, commonly used and machine-readable format.
The right to data portability does not extend to personal data that
- were provided or transmitted to Paperless by third parties,
- are passwords, payment data or biometric data,
- affect your technical settings in the services you use,
- represent the result of a derivation or other calculation of Paperless on your personal data.
The right to data portability also does not exist if
- the processing is legally justified and this justification is not your consent within the meaning of Art. 6 para. 1 lit. a) GDPR or the execution of the contract within the meaning of Art. 6 para. 1 lit. b) GDPR, or
- a transfer would impair the rights and freedoms of other persons.
Under certain circumstances, you also have the right to transfer your personal data concerned to another controller, including, where technically feasible, directly through Paperless.
5.6 Right of objection
Pursuant to Art. 21 (1) GDPR, you have the right to object to the processing of your personal data by Paperless, insofar as this processing is legally based on the fact that it is
- necessary for the performance of a task carried out in the public interest (cf. Art. 6 para. 1 lit. e) Alt. 1 GDPR),
- necessary in the exercise of official authority vested in Paperless (cf. Art. 6 para. 1 lit. e) Alt. 2 GDPR), or
- necessary to protect the legitimate, overriding interests of Paperless or a third party (cf. Art. 6 para. 1 lit. f) GDPR).
The objection can be lodged informally, but must be justified; in this respect, the reasons arising from your particular situation that speak against the permissibility of the processing must be explained.
In the event of a justified objection, Paperless will no longer process your personal data unless there are compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
5.7 Right to withdraw your consent
If you have consented to Paperless processing your personal data, you can revoke this consent at any time, either in its entirety or with regard to individual purposes of processing, in each case free of charge and with effect for the future. Please note that the processing that has taken place up to the time of your revocation does not cease retroactively due to your revocation.
5.8 Complaints to supervisory authorities
Finally, in accordance with Art. 77 para. 1 GDPR, you have the right to lodge a complaint with a supervisory authority against the processing of your personal data by Paperless if you believe that the processing of your personal data violates data protection regulations. In particular, you can lodge the complaint with the supervisory authority at your place of residence, workplace or the place of the alleged infringement. The supervisory authority responsible for Paperless is
The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box 3163, D-65021 Wiesbaden
Phone: +49 611 1408 - 0 / Fax: +49 611 1408 - 900 / 901
E-mail: poststelle@datenschutz-hessen.de
You also have the option of asserting other legal remedies to which you are entitled (e.g. with courts or authorities).
6. Explanations of terms
"Data subject": a natural person whose personal data is the subject of a specific processing operation;
"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
"Recipient": a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party;
"Restriction of processing": the marking of stored personal data with the aim of restricting its future processing (this can be done, for example, by temporarily transferring selected personal data to another processing system, by blocking it for users or by temporarily removing published data from a website, see GDPR recital 67);
"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
"Personal data" means any information relating to an identifiable natural person; an identifiable natural person is one who can be identified by the controller with reasonable effort, in particular by reference to and/or combination with other available information;
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Controller": any person or body that determines the purposes and main means (e.g. storage period, access authorizations) of the processing of personal data or at least has a significant influence on this (together with other controllers) and is therefore obliged to comply with the relevant data protection obligations.