Privacy statement

for the App ATOSS Mobile Workforce Management (WFM)

Versioning: v. 02-2022
Thank you for your interest in our products. ATOSS solutions enable companies to optimize their processes by providing employees with access to important information and functions from the ATOSS Workforce Management software solution via smartphone and tablet - regardless of the time and place of deployment.
Data security and data protection are important concerns for us, which we take into account in all our business processes. The following data protection information is intended for the users of the app.

In this Privacy Statement the following definitions apply:

“App” means the coded symbol or icon, including the software contained therein, by which a user can access important information and functions from the ATOSS Workforce Management Software Solution. The app appears on the smartphone or tablet after downloading.

“ATOSS” means the ATOSS Group company referred to as the provider of the App.

“ATOSS Workforce Management Software Solution” refers to a standard software solution for efficient workforce management and demand-oriented staff deployment, which is sold and licensed to companies by ATOSS.

“User” means an identified or identifiable natural person who uses the App, for example as an employee of a company.

“Company” is the client or employer of the user and acquires the necessary licenses by concluding a license agreement with ATOSS in order to use the ATOSS Workforce Management Software Solution, or to have it used, for its internal business operations and for access via the app by the users.

Note on gender neutrality: The chosen wording applies without restriction to the other genders.

CONTACT ATOSS

ATOSS Software AG
Rosenheimer Straße 141 h
81671 Munich
Germany
info@atoss-csd.de

The data protection officer of ATOSS is:

Dr. Stefanie Hagemeier
c/o ATOSS Software AG 
Rosenheimer Str. 141 h
81671 Munich
Germany
datenschutz@atoss.com

DATA PROCESSING IN THE APP

CATEGORIES OF PERSONAL DATA

The app provides you, the user, with information on the personal data stored and processed in the ATOSS Workforce Management Software Solution in your company. Via the app you can access, edit and supplement this personal data. 

Personal data processed via the app is therefore only information that is stored in the ATOSS Workforce Management Software solution licensed by the company, either by the company itself or by the user. 
With regard to this personal data, the company alone acts as the data controller pursuant to Article 4 Number 7 GDPR. ATOSS processes this data only on behalf of the company in accordance with the Service Agreement and Data Processing Agreement (DPA) concluded with the company. 

Depending on the Service Agreement with the company, the App can be used to retrieve and process the following personal data, among others:

  • Employee master data (e.g. login data, password) and information on time-management
  • Information from staff resource planning
  • Information from application and task management
  • System related information etc.

Examples of the categories of this personal data can be found in the “Data Processing Agreement” (DPA).

With the exception of the offline bookings mentioned below and the data mentioned below, which the user authorises to access, no other personal data is processed on behalf of the company.

LOGGING

In the app, nothing is logged by default. In the course of an error analysis it may be necessary to activate logging in the app or on the server. App logging can only be activated with the consent of the user, as the user also has to actively upload the logged files from the app to the server. The logged data is usage data. The encrypted password does not appear in the log files.

Logging can be activated individually for each communication component. For the detection of errors, the entire communication path from the app to the installed Workforce Management Software Solution can be logged. The decision to activate logging is made by the company. In this case the company is the data controller in accordance with the applicable data protection laws.

AUTHORISATIONS OF THE APP AND PURPOSE

Only authorisations that are absolutely necessary for the function of the app are requested. If one of the authorisations is denied by the user, not all functions of the app may be fully available.

The app supports the operating systems iOS and Android and requires the following authorisations:

Camera

Purpose of access: Required to generate pictures for the workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Access to personal data possible? Yes

Control of access by users: When starting the “Camera” function for the first time after installation of the app, the user can agree or disagree whether the app is allowed to access the camera of his or her mobile device.

Picture gallery

Purpose of access: Required for saving pictures on the mobile device for workflow functions. Workflow applications can also include attachments provided by the camera or picture gallery. The attachments attached to a workflow are sent encrypted and will then be stored.

Access to personal data possible? Yes

Control of access by users: When starting the “Picture Gallery” function for the first time after installation of the app, the user can agree or disagree whether the app is allowed to access the camera of his or her mobile device.

Location Based Services (LBS, GPS, location data)

Purpose of access: To determine the approximate or exact location. This feature must be explicitly enabled by the company and requires the consent of the user, which the company is responsible for obtaining.

Access to personal data possible? Yes

Control of access by users: When starting the app for the first time (after installation or activation of the location data), the user can agree or disagree whether the app is allowed to access the location of the mobile device.

Push messages

Purpose of access: By means of the push templates, the company can, for example, send a generic push message to the user containing 'A new leave request is waiting for approval'. The push function must be set up explicitly by the company. This means that if this function is not set up by the company, no push message is sent.

Access to personal data possible? Yes

Control of access by users: Reception can be controlled depending on the operating system of the mobile device:

On iOS: The user is asked whether he or she allows push messages to be sent.
On Android: Consent to send push messages is enabled by default, but can be turned off in the settings.

DATA STORAGE ON THE MOBILE DEVICE

The user can store the following personal data in encrypted form on the mobile device:

  • Offline time bookings or offline cost center change bookings

If the mobile device has no connection to the app, any time bookings that have been made are stored offline on the mobile device with a notification message. When the mobile device is back online, these are transferred automatically to the server on which the ATOSS product is operated.
For offline bookings, the following personal data is stored on the mobile device:

Staff number: Only if specified

Time pair code: Only for a booking with time pair code

Online: Shows whether the booking is an online or offline booking

Location Based Services (LBS, GPS, location data): Only if the transfer of the location is configured in the software and if the user of the app consents to this

Cost centre: Only for cost centre bookings

Comment: Only if a comment is also entered

Project: Only if a project is also entered

Date and time of booking: Initialized only for offline bookings

Search history and favourites: Information on searches, e.g. visible cost centres, actions, departments, employees (depending on authorisation)

DATA TRANSFER TO THIRD PARTIES

If the transfer of information via push message to the mobile device is activated by the company, the push message service “Google Firebase Cloud Messaging” of the provider Google Ireland Limited is used. It is up to the company to decide which information is transferred to the push message service. In this case, data processing in third countries in compliance with the GDPR is ensured by the conclusion of EU standard contractual data-protection clauses (Decision 2021/914 - Module Three - Transfer of Processors to Processors) or other guarantees for processors as permitted under Art. 46 (2) lit. c GDPR. As a sine qua non for all provisioning programs on iOS mobile devices, push messages are transmitted over a direct, secure channel through an APN (Apple Push Notification) server.

DATA DELETION

Personal data for offline bookings (see previous section) is automatically deleted from the mobile device after reconnection to the server and successful transfer. As a User, you can delete the App from your device independently at any time. Any existing offline bookings will also be deleted as a result.
Please note that the App only enables you, as an employed person at your Company, to access an account already set up at your Company in order to be able to edit and add to your data regardless of location.
The complete deletion of your user account, which has already been set up by the Company, is therefore only possible in the ATOSS Workforce Management software solution in coordination with your Company as your employer, who has the sole responsibility for the user account management.

RIGHTS OF THE DATA SUBJECTS

With regard to the processing of personal data, data subjects, i.e. the users, have the following rights against your company as the data controller pursuant to Article 4 Number 7 GDPR:

Upon request, the company must inform a data subject in accordance with the statutory provisions whether and which personal data on the data subject, i.e. the user, are stored and, if applicable, for what purpose they are processed and/or used (Article 15 GDPR). If, despite the information stored, the information is not correct or if the data subject, i.e. the user, wishes for other reasons to have his or her personal data rectified (Article 16 GDPR) or erased (Article 17 GDPR) or to have the processing restricted (Article 18 GDPR) or to receive the personal data relating to him or her (Article 20 GDPR), the data subject must make this request to his or her company. At the same time, he or she can also object to the processing of personal data under the statutory provisions (Article 21 GDPR).

Finally, without prejudice to the aforementioned rights, the data subject, i.e. the user, may lodge a complaint with a competent supervisory authority if he or she considers that the processing of personal information relating to him or her infringes the regulations of the GDPR (Article 77 GDPR).

CHANGES TO THIS PRIVACY STATEMENT

We reserve the right to amend this Privacy Statement from time to time and to update it in the light of changes in the collection, processing or use of data. The current version of the Privacy Statement is available within the app.