Privacy Policy for appointment booking and online consultation
The protection of your personal data is of great importance to us, this also and especially applies to online counselling. To meet this demand, we have selected an online counselling platform that offers high security standards. In this privacy policy, we wish to inform you about the extent, type and purpose for which your data is collected and processed, as well as about the use of cookies.
The counselling service complements the AWO's Migration Counselling for Adults (MBE) nationwide and is funded by the German Federal Ministry of the Interior and Home Affairs (BMI).
1. Validity
The following privacy policy applies to the use of the website URL awo.flexperto.com (hereinafter platform or online counselling). The platform is operated by Flexperto GmbH (Neue Grünstraße 27, 10179 Berlin) and enables digital communication between those seeking advice and AWO MBE employees (hereinafter "advisor").
2. Responsible bodies
The responsible bodies for data processing are the respective AWO MBE providers with whom those seeking advice have booked an appointment.
3. General, summarized notes
In the context of our online counselling, we use services of Flexperto GmbH (Neue Grünstraße 27, 10179 Berlin) for collaboration, file storage and communication with those seeking advice. This also involves data processing. For example, if you are involved in a video conference via Flexperto, content data such as text, audio, video and image data, but also usage data (e.g. metadata) and functional data (e.g. access data) are processed. The processing is carried out for the fulfillment of a counselling contract or for the initiation of such a contract with you according to Art. 6(1)(b) GDPR. Even if your data is processed by Flexperto in the EU, access from the USA, which is theoretically possible, cannot be completely excluded. In this case, Flexperto has concluded standard contractual clauses with its subcontractors as well as extensive additional measures, such as end-to-end encryption of the video content in particular. To ensure that Flexperto GmbH and its subcontractors handle your personal data conscientiously, we have concluded an agreement in accordance with Art. 28 GDPR. For more information about transfers to a third country, see Section 3.3 below, and for transfers to third countries for other purposes, see Section 6 of this privacy policy. You are entitled to the rights guaranteed under the GDPR in accordance with Art. 15 et seq.
4. Processing your data
4.1 Automated data collection
When accessing the platform, your internet browser automatically transmits data about each access to our platform (server log files) for technical reasons. The following data will be processed:
- IP address for 30 days
- Browser type / version for 30 days
- Operating system used for 30 days
- Date and time of access
- URL of the previously visited website
- Amount of data sent
The retrieval of this data is initially required so that you can access the portal. In individual cases, we also reserve the right to store data for a further 60 days in order to clear up illegal or abusive behaviour.
4.2 Data entered by yourself
To use the platform, you do not need to register with a password. Providing your first and last name and email is sufficient.
Instant call
For an instant call, you can directly communicate digitally with an adviser, providing your first and last name, without giving your email.
Appointment and contact form
To make an appointment, please use our contact form. In addition, you can use the contact form to send a message to your adviser. When this happens, we process the following information from you: First name, last name, email address and the content of the text field. To make an appointment for a phone call, we also ask for your phone number. To make an appointment for an on-site appointment, we also ask for your address. The email address is used to send you notifications of important events such as appointment confirmations.
Data processed during video counselling
Data to make online counselling possible via audio and video chat (streaming data) is always transmitted encrypted according to the state of the art. Exchanged written communication, exchanged files and all contents of the central main screen ("whiteboard"), which is used for visualization and counselling, are transmitted and stored in encrypted form. Please note that personal data such as your name, address or other information may also be stored in this process if you voluntarily choose to share it using the above functions.
Digital signature
The online counselling also offers the possibility to sign forms via digital signature. Within the scope of this "digital signature" service, data is collected with regard to writing behaviour. In detail, these are direction of writing, writing pauses, writing speed and timestamp. Furthermore, any additional personal data, such as name and address, provided when filling out a digitally signed form will be collected and stored in encrypted form.
4.3 Usage analysis
When visiting the website, we create meta-statistics in anonymous form to improve the platform. These comprise, in particular, features concerning information on the beginning and end as well as the scope of the use of the platform. Personal data you enter will not be used. It is not possible to draw any conclusions about your person. The analysis data is transferred to the technical service provider acc. to Section 6.2 of this privacy policy to improve the website.
The online counselling service also uses several Google services (reCAPTCHA, Google Maps, Fonts). For further explanations, please refer to the section "Cookie information".
5. Legal
5.1 Disclosure of data; service providers
In principle, your personal data will only be passed on without your express prior consent in the cases listed below:
If it serves to clarify an illegal platform use or is necessary for legal prosecution, personal data is forwarded to law enforcement authorities and, if necessary, to third parties, for example technological service providers for the evaluation of the data or service providers for legal analysis of the specific case. However, this only happens if concrete indications of illegal or abusive behaviour exist. Disclosure may also occur when it serves to enforce terms of use or other agreements.
5.2 Order processing and hosting locations
The main service provider Flexperto has entered into subcontracting relationships with sub-service providers in accordance with Section 9 of the Order Processing Agreement:
(1) velia.net Internet Services GmbH
Function/activity: Dedicated server hosting for online counselling
Seat [city, country]: Hanau, Germany
Place of data processing of personal data: Germany
Contractual measures/guarantees: Job processing
Certificates: The service provider's colocation space is ISO 27001 certified.
(2) iS2 Intelligent Solution Services AG
Function/activity: E-signature
Seat. Am Bäckeranger 2, 85417 Marzling
Place of data processing of personal data: Germany
Contractual measures/guarantees: Contract
Certificates: iS2 has been certified by VdS in the field of information security with the VdS 10000 seal. The VdS 10000 guidelines are based on the recognized standards ISO 27001 and BSI Basic Protection.
Protection: Strong encryption of data with AES-256 and RSA-2048
(3) Vonage B.V.
Function/activity: PaaS for video audio screensharing streaming architecture (data centre in Frankfurt, Germany (powered by AWS))
Seat: Amsterdam, Netherlands
Place of data processing of personal data: Germany
Contractual measures/guarantees: Job processing
Certificates: The data centre is ISO 27001, 27017 and 27018 certified.
Data that will be processed: RTC media in flight: Video, audio and screen sharing data
Protection: An end-to-end encryption of the data, so that neither Flexperto, nor the service provider Vonage can access the data.
Usage statistics and metadata: The IP address of the session participants is processed separately. The IP address is anonymized within 7 days after the session has been successfully established. The IP address is stored in isolation from all other personal data.
(4) Cronofy Ltd.
Function/Activity: PaaS for synchronization of calendar data (data centre in Frankfurt, Germany (operated by AWS))
Seat: Nottingham, United Kingdom
Place of data processing of personal data: Germany
Contractual measures/guarantees: Job processing
Certificates: The data centre is ISO 27001, 27017 and 27018 certified. The service provider is ISO 27001 certified.
Calendar authentication data: Data required for authentication with the respective calendar system.
Calendar dates: Details of the appointment saved in the calendar. Here, the processing is limited to date, duration and availability.
(5) Telekom Germany GmbH
Function/activity: Provision and operation of IT infrastructure (Open Telekom Cloud)
Seat [city, country]: Bonn, Germany
Place of data processing of personal data: Germany, Netherlands, Hungary, Slovakia
Contractual measures/guarantees: Job processing
Certificates: The service provider is ISO 27001, ISO 27017, ISO 27018 and BSI C5 certified.
5.3 Transfer to third countries
Flexperto GmbH and its subcontractors may be located not only within but also outside the European Economic Area ("EEA"). Currently, only your IP address is transferred to service providers outside the EEA when you use the online counselling to provide digital communication and for usage analysis purposes. Your IP address is completely and irreversibly anonymized after a maximum of 30 days. In the event that personal data is transferred outside the EEA, this will take place exclusively in compliance with the legally regulated conditions of permissibility. In this context, the transfer of your data outside the EEA will be kept to a minimum.
6. Cookies
We use cookies to ensure easy and practical use of the platform. When you visit one of the platform pages, the servers send a cookie to your computer. Cookies are small text files that are usually stored on your computer for the duration of the current session, i.e. until you exit your browser, but in some cases even beyond. By themselves, cookies do not identify you personally. They only recognize your web browser. Unless you identify yourself to us - by filling out an online form - you remain anonymous to us. However, you can delete cookies at any time.
We use cookies in the context of online counselling as follows:
- Identification through session cookies
The moment you use our platform, we automatically set a cookie to recognize your browser (session cookie). Most browsers accept cookies, but it is possible to set the browser to reject all cookies. In this case, the platform will not work properly. However, you can delete cookies at any time.
- Persistent or permanent cookies
These remain stored even after you close your browser or turn off your computer. We use persistent cookies to identify browsers that have already visited our platform. When you provide us with certain personal information, you will be assigned a unique ID. This unique ID is linked to a persistent cookie that we place in your web browser. We pay special attention to the security and confidentiality of information stored in persistent cookies. For example, account numbers or passwords are not stored in persistent cookies. If you disable the receipt of cookies through your web browser, you will not be able to take full advantage of our services.
7. Cookie banner
To request your consent for cookies to be set, we use a cookie banner from our processor Flexperto. Flexperto uses the open source application "KLARO". KLARO does not receive any personal data from you.
A cookie is set on your device to save the selection you have made, so that you do not have to make your selection each time. If you want to withdraw consent you have given, click on the link "Edit cookie settings" in the footer, then the settings window will open where you can use the slider to adjust the settings. In the event that you delete your cookies in the browser, you also delete the cookie about the choice you made, so you will be asked by us again to give your consent.
8. Your rights as a data subject
Under applicable laws, you have various rights regarding your personal information. If you wish to exercise these rights, please address your request by email to your respective advisor, clearly identifying yourself.
Below you will find an overview of your rights:
8.1 Right to confirmation and information
You have the right to obtain confirmation from us at any time as to whether personal data relating to you is being processed. If this is the case, you have the right to obtain from us, free of charge, information about the personal data stored about you, together with a copy of this data.
8.2 Right to rectification
You have the right to request that we correct any inaccurate personal data concerning you without undue delay. Taking into account the purposes, you have the right to request the completion of incomplete personal data - including by means of a supplementary statement.
8.3 Right to erasure ("right to be forgotten")
You have the right to request that we erase personal data relating to you without undue delay, and we are obliged to erase personal data without undue delay if required by law.
8.4 Right to restiction of processing
You have the right to demand that we restrict processing if one of the conditions set out in Article 18 GDPR applies.
8.5 Right to data portability
You have the right to have the personal data concerning you that has been collected or processed provided to you or to third parties. The provision takes place in a structured, common and machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
8.6 Right of objection
You have the right to object to the processing of personal data relating to you at any time for reasons arising from your particular situation, insofar as we base the data processing on our legitimate interest (Art. 6(1)(1)(f) GDPR). We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
8.7 Automated decisions including profiling
We do not use automated processing to make a decision nor profiling.
8.8 Right to withdraw consent under data protection law
You have the right to withdraw your consent to the processing of personal data at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
8.9 Right to complain to a supervisory authoriy
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you to be unlawful.
The authority responsible for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
Visitor Entrance: Puttkamerstr. 16 – 18 (5th Floor)
Phone: 030 13889-0
Fax: 030 2155050
Email:
9. Legal basis and storage period
We process your data for the purposes described in this privacy policy on the basis of the following legal principles:
9.1 With your consent
We request your consent to process your data for specific purposes and you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until withdrawal. You can withdraw your consent via the link in the footer "Edit cookie settings".
9.2 Due to legal obligation
We process your data if we are legally obliged to do so, Art. 6(1)(1)(b) GDPR.
9.3 For legitimate interests
- We process your data insofar as we or third parties have a legitimate interest in doing so.
- Storage of necessary, personal data for the fulfilment of the counselling contract, which comes into being through the use of and consent to our services
- Storage of your consent within the cookie banner
- Setting session cookies and persistent cookies
9.4 Storage duration
Unless specifically stated or provided for by law, we store personal data only for as long as necessary to fulfil the purposes pursued.
Thus, as part of your consent, we store the data provided with electronic signature in the system for 7 days. Subsequently, the signed documents and other data are stored for the duration of the legal retention periods. We delete the metadata stored for technical reasons no later than 30 days after the data is created.