Privacy Statement for eIDAS-Signer
ecsec GmbH acts as a provider of the "eIDAS-Signer" service and takes the protection of your personal data seriously. In particular, personal information is collected, processed or used strictly in accordance with the legal regulations, especially those of the General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG) and the German Act for Telemedia Services (TMG).
Aim of the eIDAS-Signer service
The eIDAS-Signer service allows natural and legal persons (Users of the eIDAS-Signer service and other Signatories) to generate electronic signatures via a comfortable web application and/or corresponding web services.
Type of the used personal data and legal basis
User Account
When registering for the eIDAS-Signer service, a corresponding User Account is created, which contains personal data (e.g. first name, family name, email address). This information is necessary to establish a business relationship with the User who wants to generate electronic signatures using the eIDAS-Signer service.
The legal basis for the processing of the personal data of the User of the eIDAS-Signer service is Art. 6 (1) lit. a) and b) GDPR and, if there are corresponding invoices, Art. 6 (1) lit. c) GDPR. In line with Art. 7 (3) GDPR the User may revoke its consent to use the eIDAS-Signer by deleting its User Account at any time. This does not affect the processing of previously invoked signing requests and related invoices.
Documents to be signed and email addresses of Signatories
In order to generate electronic signatures for documents, the User needs to upload the corresponding documents, which are to be signed, to the eIDAS-Signer portal and specify the email addresses of the designated Signatories. While the documents to be signed may contain personal data, the content of the uploaded documents is within the sole responsibility of the User.
The legal basis for the processing of the email address of a designated Signatory within the eIDAS-Signer service is Art. 6 (1) lit. b) GDPR.
Identification data of the Signatories
Furthermore, the eIDAS-Signer service initiates, upon an explicit signing request of a Signatory, the electronic authentication and identification of the Signatory. This is performed using appropriate (internal or external) services, for example "eIDAS-Nodes" according to Article 2 (1) of Commission Implementing Regulation (EU) 2015/1501. This process typically provides the first name and the family name of the Signatory, which will be integrated into the created electronic signature within the eIDAS-Signer service.
Alternatively, the data gathered during authentication and identification may be collected by, or be forwarded to, an external Trust Service Provider according to Art. 3 (19) of Regulation (EU) No. 910/2014 in order to produce a qualified certificate for electronic signature according to Art. 3 (15) of Regulation (EU) No. 910/2014 and a qualified electronic signature according to Art. 3 (12) of Regulation (EU) No. 910/2014 on behalf of the Signatory.
The legal basis for the processing of the identification data of the Signatory within the eIDAS-Signer, and possibly the integrated Trust Service Providers, is Art. 6 (1) lit. a) GDPR.
Functionality of the eIDAS-Signer service
Overview
The eIDAS-Signer service is provided under https://Signer.eID.AS. The following functions are available:
- Creation and deletion of User Account
- Upload of documents to be signed
- Specification of designated Signatories
- Invocation of signature generation process
- Administration of configuration parameters for signature and account services
Creation and deletion of User Account
After clicking the "registration" button, a User Account will be created in the eIDAS-Signer service.
If the User Account is no longer required, it can be deleted by the User itself. For this purpose there is a "Delete account" button in the "Account" menu item.
Upload of documents
The User may start a signature generation procedure by uploading a PDF document, which is to be signed.
Specification of designated Signatories
In the next step the User may specify the set of designated Signatories. The User may create the electronic signature herself and/or specify a set of additional Signatories by providing corresponding email addresses.
Invocation of signature generation process
Next, the User may start the signature generation process, which may trigger the sending of corresponding emails to the additional Signatories.
Administration of configuration parameters for signature and administrative services
Last but not least, the eIDAS-Signer service allows the maintenance of technical configuration parameters for the signature generation service as well as further administrative services, related to billing for example.
Security
To protect the eIDAS-Signer service and personal data managed therein from accidental or intentional manipulation, loss, destruction or against access by unauthorized persons, ecsec GmbH and the integrated Trust Service Providers use state-of-the-art technical and organizational security measures. For example, all communication channels between the system of the User and the eIDAS-Signer service are protected with suitable versions of Transport Layer Security (TLS). Furthermore, the security measures used are continuously monitored and improved according to the technological development.
Protocol Data
To maintain the technical operation, the eIDAS-Signer service creates various technical log data. If personal data is captured in this context, the affected person has the rights described below.
Links to other Websites
The eIDAS-Signer service is available at https://Signer.eID.AS and may contain links to other websites. These websites are within the responsibility of the respective website operators. When embedding the external links no legal violations were found. The provider has no influence on the current and future design of the linked page. Without specific evidence of violations the permanent monitoring of the external links is not reasonable for the provider. Upon notification of legal violations, the affected external links will be deleted immediately.
Rights of the Concerned Person
The User can revoke the agreement concerning the processing of personal data by the eIDAS-Signer service, manifested by the acceptance of the present privacy statement and the creation of a User Account, at any time. The User has the right to obtain information about the type and scope of the stored personal data and the origin of the data and may request its data in a structured and machine-readable format. This information is available to the User through the regular management functions of the eIDAS-Signer service. For further questions the User may use the contact data under the section "Responsible Entity".
Responsible Entity
Responsible entity according to Art. 4 Nr. 7 GDPR for the eIDAS-Signer service is
ecsec GmbH
Sudetenstrasse 16
96247 Michelau, Germany
http://www.ecsec.de
represented by Tina Hühnlein and Dr. Detlef Hühnlein. Further information can be found in the Imprint of ecsec GmbH.
Data Protection Supervisory
The responsible Data Protection Inspectorate according to Art. 51 GDPR for the eIDAS-Signer service is the
Landesamt für Datenschutzaufsicht
Promenade 27
91522 Ansbach
Germany
http://www.lda.bayern.de/