  • Data protection for the STEAG Insights App

    We attach great importance to protecting personal data. Therefore, STEAG GmbH processes your data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the other applicable statutory provisions on the protection of personal data and data security.

    The following information applies to our app (hereinafter referred to as “app”). The paragraphs below provide you with an overview of what personal data we collect from you through the app, and for what purposes and in what way we use such data. In addition, we provide you with information about the rights you have in relation to your personal data.

    1. Controller under data protection law

    STEAG GmbH
    Rüttenscheider Str. 1-3
    45128 Essen

    info@steag.com
    www.steag.com

    2. Contact details of our Data Protection Officer

    STEAG GmbH
    Group Data Protection Officer
    Rüttenscheider Straße 1-3
    45128 Essen

    datenschutz@steag.com 

    3. Purposes and legal basis of processing

    3.1 Purposes

    The app allows you to access content published in the app and view the content available there on your device.

    For STEAG employees, there is an area in the app that can only be viewed after successful login to the app. Internal company information is communicated there.

    3.2 Legal basis

    The legal basis is our legitimate interest in publishing our own information about our company and, in relation to the internal area, to enable our employees to access further company information (Art. 6 para. 1 sentence 1 lit. f) GDPR).

    4. Functionalities

    4.1 Logging in and using the app

    When you log in to the app, we use your login credentials (username and password) to allow you to access the app. If you do not enter these credentials, you will not be able to log in and will not be able to access the internal area of the app. You will then only be able to view the publicly accessible area of the app.

    A hash value is generated for each of your user name and password. These hash values are transmitted to the service provider. To authenticate the user, the system compares the hash values with the values stored in its database. Thus, your access credentials are not processed as plain text.

    In addition, we automatically process the following personal data gathered from you:

    • Device ID
    • Session ID
    • User ID
    • IP address
    • Information about the operating system you are using
    • App version number
    • Device model
    • Access time
    • Auth token
    • Local user settings

    These data allow

    • you to make use of the app and its functions,
    • us to improve the functions and performance features of the app, and 
    • prevent and eliminate misuse and malfunctions.

    4.2 Comments and likes

    For app users who are not logged in: You have the opportunity to comment and like selected articles.

    You can write comments without having to enter personal data. By providing your name in comments, you agree that we may store your personal data and by publishing your comment disclose it to other users of the app (Art. 6 para. 1 sentence 1 lit. a) GDPR).

    In the internal area of the app, comments are only possible using the user’s real name. The first and last name of the user are stored on the server together with the content of the comment.

    4.3 Information about new posts in the app

    If you consent (the app will automatically ask for your consent), the app will send you push messages to inform you about new posts in the app. You can also give or withdraw your consent at any time later in the settings of your device.

    To send out the push messages, we process the following personal data gathered from you:

    • Device ID
    • Push token

    The legal basis for the processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

    4.4 Google Analytics

    If you have given your consent, this website uses Google Analytics, a web analytics service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

    Scope of processing

    Google Analytics uses cookies that enable an analysis of your use of our websites. The information gathered by means of the cookies about your use of this website is usually transmitted to a Google server in the USA and stored there.

    We use the function ‘anonymizeIP’ (so-called “IP masking”): Due to the activation of IP anonymization on this website, your IP address will be truncated by Google within EU member states and in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser as part of Google Analytics will not be aggregated with other data of Google.

    During your visit to the website, the following data is collected, among other things:

    • achievement of “website goals” (conversions, e.g., newsletter sign-ups, downloads, purchases)
    • your user behavior (for example, clicks, length of stay, bounce rates)
    • your approximate location (city, country)
    • your IP address (in truncated form)
    • technical information about your browser and the end devices you use (e.g., language setting, screen resolution)
    • your Internet provider
    • the referrer URL (via which website/advertising medium you came to this website)

    Purposes of processing

    On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our app and the success of our marketing campaigns.

    Recipient

    The recipient of the data is

    Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
    as a data processor. For this purpose, we have concluded a data processing agreement with Google. Google LLC, based in California, USA, and, if applicable, US authorities may access the data stored by Google.

    Storage period

    The data is automatically deleted after 14 months. The deletion of data whose retention period has expired takes place automatically once a month.

    Legal basis and withdrawal of consent

    Your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR is a prerequisite for such processing of data. You can withdraw your consent at any time with effect for the future; to do so, you can withdraw your consent to tracking in the app settings (right-hand menu) in the "Anonymized user data" section.

    You can find more information on the terms of use of Google Analytics and on Google's data protection policy

    at https://marketingplatform.google.com/about/analytics/terms/de/ and
    at policies.google.com

    5. Recipients of your data / transfer to third countries

    We use IT and support service providers to provide the App. These service providers are carefully selected by us and act as processors on our behalf.

    The provider of the app service is L.N. Schaffrath DigitalMedien GmbH, Marktweg 42-50, 47608 Geldern, Germany. This company uses other service providers.

    The sub-service provider for data center services is Amazon Web Services EMEA Sàrl, 38 Avenue John F. Kennedy, L-1855 Luxembourg. The servers are located in Frankfurt am Main.

    The processing of data will be carried out generally within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA). Transfer of personal data to a third country or access to such data from a third country will only take place if the special requirements of Art. 44 ff. GDPR are satisfied (e.g., by agreement of Standard Contractual Clauses or if the recipient acts on a legal basis adopted by the European Commission pursuant to Art. 45 (1) GDPR (so-called “adequacy decision”)).

    6. Duration of storage 

    The hash values collected during login (see 4.1) are deleted at the latest when you leave the company.
    Other data collected in accordance with 4.1 above (except for the device ID) will be retained for support purposes for up to 72 hours after the end of the session. The device ID is deleted when the user deactivates the push notification in his/her settings or uninstalls the app. In the case of uninstalling the app, the deletion takes place only at the time when a new push notification is sent out, at the latest after 31 days. We delete your comments under articles only if an article is deleted for editorial reasons or if the app is discontinued. 
    Data stored in the app on your device, such as articles downloaded from the server, favorite articles, and local app settings, will be deleted when you remove the app from your device.

    7. Your rights

    You have a right of access, i.e. you may request that we disclose to you all your personal information that we have collected and hold for a certain period of time (Art. 15 GDPR). Furthermore, you may also request rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) and have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).

    If we process your personal data on the basis of your consent, you may withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to your withdrawal of consent but prevents future processing.

    Notices of withdrawal of consent and other requests can be addressed to our Group Data Protection Officer.

    We take your inquiries and concerns very seriously and always endeavor to comply with them.

    Furthermore, you have the right to lodge a complaint with a data protection authority pursuant to Article 77 GDPR in conjunction with Section 19 BDSG. In North Rhine-Westphalia, the competent data protection supervisory authority is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
    (North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information) Kavalleriestr. 2 - 4, 40213 Düsseldorf, Germany.

    Last updated: February 2021