Privacy Policy for the United Kingdom
- 1. Controller and applicable law
1.1. In the United Kingdom, “my mobile company GmbH”, Kokkolastraße 5, 40822 Ratingen (Germany), is the data processing controller for the service “Mobidoo” according to Art. 4(7) GDPR.
1.2. The data are processed either directly by my mobile company GmbH or by companies the controller has commissioned as processors within the meaning of Art. 4(8) GDPR and as joint responsible controllers (so-called Joint Controllership) according to Art. 4(7) GDPR in conjunction with Art. 26 GDPR. The controller is always and solely legally responsible with respect to the users. A risk-based data protection impact analysis in accordance with Art. 32 and Art. 35 GDPR is performed prior to the processing of data as necessary. The controller, their cooperation partners, and processors have appropriate security concepts and procedures in place that will be followed if the protection of personal data is violated.
1.3. The controller ensures the security and confidentiality of data transmitted by users in accordance with the applicable data protection law. The controller is recipient and processor of such data.
1.4. The controller’s data protection policy guarantees the user the exercise of the legal rights to information, correction, deletion, restriction of processing, the right to object, and the right to data portability according to the applicable law of Art. 15 to 21 GDPR, as well as other data protection rights (according to Art. 12, 13, and 14 GDPR; for more information please refer to item 3 of this privacy policy).
1.5. The controller herewith informs the users according to the provisions of the General Data Protection Regulation (GDPR). The GDPR has direct effect in the UK
from 25 May 2018 until the UK leaves the EU. In addition, the Data Protection Bill, which was announced in the Queen’s Speech on 21 June 2017, will find supplementary application. This Bill updates data protection laws in the UK, supplementing the General Data Protection Regulation (EU) 2016/679 (GDPR), implementing the EU Law Enforcement Directive, as well as extending data protection laws to areas which are not covered by the GDPR, especially in Part. 2, Chapter 2 of the Bill. This Bill is intended to provide a comprehensive package to protect personal data. In addition, more specific data protection provisions may apply, in particular after leaving the European Union.
1.6. The controller requires the mobile phone numbers of the users of its services to operate its mobile services. It may store the mobile phone numbers due to a legitimate interest under Art. 6(1) GDPR and user consent under Art. 7(1) GDPR. The controller will use the mobile telephone numbers entrusted to it for activation, performance, and deactivation of numbers for mobile networks in such a way that exposes them to as little risk as possible. The controller will not link the mobile phone numbers to a person. The user is billed for the services via its mobile service provider, which settles the charges incurred with the controller. The controller and their processors do not perform credit assessments nor are such performed by way of joint controlling.
- 2. General information about data processing
2.1. Having received the contracting party’s electronic consent within the meaning of Art. 7(1) GDPR, the controller collects, processes, or uses personal data and traffic data exclusively for the fulfilment of contractual and legal obligations, in particular for the conclusion, performance, and termination of a contract and the handling of the billing process with the mobile service provider within the meaning of Art. 5 GDPR, if the billing process is not handled via an app store (such as Google Play) or a comparable facility as a processor or joint controller. The controller does not provide personal data within the meaning of Art. 4(1) to third parties without an express legal or contractual obligation and without the user having consented according to the statutory provisions. Mandatory statutory provisions may require the transfer of data to governmental and judicial authorities as well as supervisory authorities.
2.2. Data are only collected, used, and processed in electronic form based on user consent in accordance with Art. 7(1) GDPR.
2.3. User consent pursuant to Art. 7(1) GDPR is made voluntarily in accordance with Art. 7(2) GDPR and revocable at any time according to Art. 7(1) GDPR.
2.4. The personal data legally and legitimately collected and processed by the controller or processor or under a joint controllership within the meaning of Clause 1.2. of this privacy policy for the purpose of fulfilling contractual obligations with respect to the user particularly include mobile phone numbers when using SMS and MMS, names in case a contact exists (also via a call centre acting as processor) with the controller, in some cases email addresses, landline telephone numbers, IP addresses, and in exceptional cases postal addresses.
2.5. The controller’s General Terms and Conditions generally require the user to subscribe to the respective service of the controller so as to be able to use the controller’s services, unless services can be ordered for single use or another service model is offered. This requires the controller to collect personal data. This is done in particular by assigning a user ID, a password, and other information that allows a user to be identified, unless the only personal data collected are a telephone number and/or an email address. Such data will also be used to alert the controller to service malfunctions, service misuse, or other circumstances defined by the contractual terms in line with privacy requirements. Such data are also used for billing and terminating a service.
2.6. The controller collects information on what and how services are used to ensure proper use in accordance with the terms of the contract. Such data may also be used for billing purposes.
2.7. The controller automatically collects certain data that are stored in log files. Such data include IP address, browser type, operating system used, date/time stamp, and clickstream data. The controller uses such data – which do not contain any direct link to a user’s identity – to conduct trend analyses, manage services, track a user’s navigation within a service, and to collect information about a potentially available user community. Automatically collected data are not linked to a user’s personal data and are not used within the meaning of Art. 22 GDPR for automated decisions, such as profiling and/or scoring.
2.8. The controller’s services are aimed primarily at adults over the age of 18 years. Some services may also be used from the age of 16 though not aimed directly at minors. Art. 8 GDPR defines the effectiveness of a minor’s consent to a fixed limit of 16 years, which has been reduced to 13 years in the UK by Section 9 DPA. The services are information society services within the meaning of Art. 4(25) of EU Directive 2015/1535, as the services are regularly provided for a fee, are sold over a distance, are disseminated by electronic means, and are based on individual request. Although not aimed directly at minors, these services, such as dating apps or games, can also be used by minors. Data of people under the age of 16 years may be processed only if the offer is addressed to persons over the age of 16 years and the verifiable approval of a parent or guardian for such consent is available. This does not change the fact that the capacity to contract starts at the age of 18 years.
2.9. The controller uses automated data processing techniques (so-called big data analyses) – known as profiling – to improve products and services, to improve establishing contact, and to analyse user behaviour. These procedures are designed to make it impossible to refer back to a user and their identity. Personal data are anonymised and pseudonymised before they are used for such procedures. These procedures do not lead to automatic decisions within the meaning of Art. 22 GDPR.
2.10. The processing methods may change/develop further due to technical progress and/or organisational and/or legal changes. Against this background, we reserve the right to further develop this privacy policy as necessary. Pursuant to Art. 7(3) GDPR you may, at any time, revoke any consent given and request the deletion of your data pursuant to Art. 17 GDPR if you disagree with the developments occurring over time, unless mandatory statutory requirements require further storage. You can delete a registration at any time without giving reasons.
- 3. Instructions on your rights as a user
Users have the rights to information, correction, deletion, restriction, data portability, revocation, and objection based on Art. 15 to 21 GDPR in conjunction with the extended rights and their restrictions under Bill Section 13 ff DPA, unless Bill Section 15 and Schedules 2, 3, and 4 set out exemptions from the GDPR in accordance with Articles 23, 85, and 89 of the GDPR.
Users can complain to the data protection authority if they think that the processing of their data violates data protection law or otherwise violates their entitlement to data protection. In the UK this is the ICO – Information Commissioner’s Office (https://ico.org.uk), Office for Scotland: https://ico.org.uk/about-the-ico/who-we-are/scotland-office/ and for Wales: https://ico.org.uk/about-the-ico/other-languages/welsh.
3.1. User consent pursuant to Art. 7(1) GDPR is made voluntarily in accordance with Art. 7(2) GDPR. It can be voluntarily revoked at any time according to Art. 7(1) GDPR.
3.2. Confirmation and information
Pursuant to Art. 15 GDPR, users can demand confirmation that their personal data are being processed. If true, the data subject has a right to information on whether and to what extent the controller processes data of the data subject. The right to information requires an explicit request made by the user. The controller must provide the data subject with a copy of the data. The first copy is free of charge. Reasonable fees may be charged for additional copies based on administrative costs.
3.3. Correction and completion
Art. 16 GDPR entitles the user, upon request, to have incomplete or incorrect personal data (e.g. a changed mobile phone number) corrected or completed immediately.
3.4. Deletion
The user can demand that processed personal data be deleted in accordance with Art. 17(1) GDPR (the so-called “right to be forgotten”), provided that one of the reasons specified in Art. 17 (1) (a) to (f) GDPR applies. This applies without limitation if the data processing purpose no longer exists, if data are being processed unlawfully, if the data subject revokes their declaration of consent or, if legal reasons require it. Art. 17(2) GDPR specifies that the controller must meet this obligation in technical terms too. Art. 17(3) GDPR specifies that this does not apply if the data are required for asserting, exercising, or defending legal claims, if the data affect the right to freedom of expression and information, if a legal obligation to store the data exists, or if the data are required in the public interest.
3.5. Restriction of processing
Art. 18 GDPR entitles the user to have the processing of their data restricted on demand if
– the user denies the accuracy of the data (data processing is then restricted for the duration of an appropriate review of the facts),
– the processing of the data is unlawful; however, the user declines deletion of the data but instead demands a restriction of the processing of data only,
– the controller no longer needs the data for its intended purpose, but the data are needed by a user for the pursuit of rights or legal defence purposes,
– the user has filed an objection against the processing of the data within the meaning of Art. 21 GDPR.
3.6. Right to data portability
Art. 20 GDPR entitles the user to demand from the controller that they provide the user with the data they have entrusted to the controller for storage in a structured, common, and machine-readable format, provided these data were processed on the basis of a revocable user consent or for the performance of a contract, and the data are processed by automated means.
3.7. Disclosure requirement
The controller is legally obliged to notify all recipients (to whom personal data have been disclosed to) of any correction or deletion of personal data or of a processing restriction pursuant to Art. 16 to 18 GDPR, unless this proves impossible or would involve a disproportionate effort. The controller informs the user about these recipients at the user’s request.
3.8. Right to object
Without prejudice to the non-time-bound right to revoke consent granted to the controller pursuant to Art. 7(2) GDPR, Art. 21(1) GDPR entitles the user to object to the processing of their data pursuant to Art. 6 GDPR. The controller will then no longer process these data unless the controller can prove mandatory and protective reasons that outweigh the data subject’s interests, rights, and freedoms. This does not apply if the data are required for the assertion and exercise of rights or for legal defence. The data may no longer be processed in case of an effective objection.
3.9. Prohibition of sending advertisements
Art. 21(2) GDPR entitles the user to object to the direct advertising without giving reasons. This also applies to profiling if it is associated with direct advertising.
3.10. Right to complain
The controller kindly asks the user to contact This email address is being protected from spambots. You need JavaScript enabled to view it. if they believe the controller to have violated German or European law when processing data. Every user also has the right to contact a data protection authority within the European Union. The controller may, if in doubt, request additional information confirming the identity of the user. This also serves to protect the rights and privacy of users.
3.11. Excessive use of rights
The controller may demand appropriate processing fees or refuse to process an application if a request is obviously abusive or otherwise completely irrelevant or has been made repeatedly without any foundation.
- 4. Deletion concept
4.1. The master data of users and other personal data are always deleted when a user relationship that is a contractual relationship has been terminated, but at the latest when all statutory retention periods have expired. Such data will be blocked at the end of a contract.
4.2. Traffic data are deleted as soon as legally permissible, but no later than three months after a payment process was concluded. Traffic data are usually deleted within seven days if the user has not objected in writing.
4.3. Data are not deleted during an ongoing legal proceeding, administrative proceeding, criminal proceeding, or proceeding for a misdemeanour, but only after such proceedings have become final and absolute.
4.4. Personal data can be anonymised instead of being deleted. This will permanently and irrevocably remove any personal reference (such as the user’s mobile phone number), so that the deletion regulations under the data protection law no longer apply.
- 5. Cookies and anonymous identifiers
5.1. A cookie is a small text file that can be stored on the mobile telecommunications terminal for logging purposes. The services of Mobidoo may use basic cookies, online marketing cookies, performance cookies, and post-address-matching cookies, as well as anonymous identifiers under certain circumstances. The controller does not link the data stored in such files to a user’s personal data it is permitted to collect, process, and use. The controller uses temporary cookies, session cookies, permanent cookies, and/or anonymous identifiers for mobile applications according to the balance of its interests in safeguarding its legitimate interests under Art. 6(1)(1)(f) GDPR and the user’s fundamental rights. A session cookie expires when the user closes an application. A permanent cookie is stored on the user’s device for an extended period of time. The user can refuse to accept cookies or anonymous identifiers or delete permanent cookies by following the provider’s instructions for receiving telecommunication services on a specific device. An anonymous identifier is a random string. It functions as a cookie on platforms where the cookie technology is not available, such as mobile devices.
5.2 Cookies or anonymous identifiers can be used to analyse a user’s navigation on a web page. The user remains anonymous. Cookies or anonymous identifiers are only used to compile usage statistics for the purpose of improving a service or making it easier for users to use a service. Cookies cannot be read by third parties. Users can configure their browsers to prevent the use of cookies. Please follow the help settings of the respective browser to do so. However, certain parts of the service may only work if cookies or anonymous identifiers are enabled.
5.3. Art. 21 GDPR entitles the user to object to the setting of cookies or anonymous identifiers. However, users may then no longer be able to use the services in accordance with the contract.
- 6. Transmission of data to third countries
Art. 44 to 50 GDPR entitles a controller offering national and international services to transfer personal user data based on the consent given by the user to processors in other EU member states or other contracting states of the Agreement on the European Economic Area which have a comparable level of data protection due to the application of European data protection law. Data are only transmitted to other countries if those countries’ level of data protection is comparable to the level of protection provided by the European Union and the European Economic Community within the meaning of Art. 45 GDPR or if guarantees within the meaning of Art. 46 GDPR exist.
- 7. Advertising and distribution to third parties
7.1. The controller is entitled to inform the user about their services by electronic communication (in particular by email or SMS) if the user has consented to receive by electronic communication, from the controller, advertisements in the context of the existing customer relationship. This consent does not cover telephone advertising, which is not used by the controller.
7.2. The controller may send the user emails or SMSs containing information on subsidiaries and their products and services, provided the user has provided the appropriate consent within the meaning of Art. 7(1) GDPR. Users can revoke their consent to the described use of their email address or mobile phone number by the controller at any time in writing (e.g. by email) without incurring any costs, apart from the costs incurred for transmitting the revocation at applicable basic rates.
7.3. Each piece of information and each newsletter – if the controller offers such a service – sent by the controller shall give the user the option to object to receiving further information without observing any time limit and to submit such a revocation.
7.4. Personal user data are only shared with third parties with the express consent of the data subject. This shall not apply to transferring data to a controller’s service partners as processors or as part of a joint controllership, if and to the extent this is necessary for the execution of contractual relationships with the user.
7.5. The controller’s services may partly be financed by digital advertising. As a result, advertisements from the controller or third parties may be displayed while using the controller’s offers. The controller will send advertising messages from third parties to a user only if they have received a user’s corresponding declaration of consent.
- 8. Google Analytics and Google – AdWords
8.1. The controller may use the analytics service provided by Google Inc. (Google) called Google Analytics or have it used. It provides an analysis of how the user uses the application. The controller will use this information only to ensure the continuous development and improvement of its services.
8.2. Non-personal information on usage behaviour and error messages may be collected for analysis purposes. Such data are anonymised and do not contain any personal data. Data are anonymised by truncating IP addresses the terminals could be identified with. The use of a website or app (movements within an issue, use of features, etc.) is stored and analysed by Google Analytics.
8.3. The above-mentioned analysis generally occurs on servers within the EU or the European Economic Area before transferring the data to Google. Only in exceptional cases, for example in case of technical issues, may a user’s IP address be transferred to a Google server in the United States and then truncated there (see: http://www.google.de/intl/de/analytics/features/mobile-app-analytics.html).
8.4. Data transmitted through Google Analytics will not be merged with other Google data or personal data. These data are not evaluated with the purpose of creating personal usage profiles. The collected data will not be shared with third parties. Users can prevent the collection of data generated by IP addresses that are related to their use of the application as well as the processing of these data by Google by deactivating the usage analysis option in the application settings, provided an application provides such settings.
8.5. At any time, users can object to their data being used in the future for the above purposes by sending their objection to my mobile company GmbH, Kokkolastraße 5, 40822 Ratingen (Germany) or by emailing it to the company commissioned by it at This email address is being protected from spambots. You need JavaScript enabled to view it..
8.6. The controller may also use Google Analytics to evaluate AdWords usage data for statistical purposes. The controller may use anonymous identifiers that work much like cookies to run ads on devices that do not support cookie technology, such as mobile applications. The user can use application advertisement preferences to control the ads the controller runs on their mobile device in applications. Users should follow the instructions for their particular mobile device if they want to change their settings or want to opt out of interest-based ads.
- 9. Data usage in connection with social networks
Users may find references to so-called “social networks” in the context of the controller’s services. These particularly includes the social media portal “Facebook.com”, as well as “Instagram”, and “WhatsApp”. These also include “Twitter”, “Pinterest”", “Linkedin”, “InterNations”, “Tagged”, and many others. The controller reserves the right to constantly expand the use of data to other “social networks” and to adapt this privacy policy accordingly. Appropriate markings (such as the Facebook logo) indicate the corresponding social networks and/or their offers (e.g. “Facebook Connect” and/or social plugins from Facebook).
- 10. Use of social media plugins – Facebook
10.1. The controller may use social plugins (“plugins”) provided by the social network www.facebook.com. The following instructions are included as a precaution. The Facebook controller for Europe is Facebook Ireland Ltd., Hanover Reach, 5 – 7 Hannover Quay, Dublin 2, Ireland. This social network is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.
10.2. These plugins are recognisable through the Facebook logo (white “f” on a blue tile) or are labelled with the addition “Facebook Social Plugin”. The list and look of Facebook social plugins can be viewed at http://developers.facebook.com/plugins. Facebook. Inc. can change this plugin at any time without the controller being able to influence it.
10.3. For the purpose and scope of the data collection and further processing and use of data by Facebook, as well as your related rights and setting options to protect your privacy, please refer to the privacy policy of Facebook only (https://www.facebook.com/about/privacy/), as the controller cannot influence it.
10.4. A distinction must be made with regard to the transfer of data to Facebook between merely using the app and accessing websites via the browser (from within the app or a website). A direct connection to the Facebook servers will be established if you access a website containing such a plugin via an app or a website. The plugin content is then transmitted by Facebook directly to your browser and incorporated into the website. The controller of the service therefore has no influence on the type and extent of data collected by Facebook with the help of this plugin. The integration of the plugins will always provide Facebook with the information that the user has accessed a corresponding website.
10.5. Facebook can assign the visit to the user’s relevant Facebook account if a user is logged into Facebook. The browser used on the mobile device will directly transmit the corresponding information to Facebook and Facebook will store such information if a user interacts with the plugins, for example by pressing the “Like button” or by leaving a comment. Facebook might still be able to identify and store a user’s IP address even if not a member of Facebook.
10.6. The user must log out of Facebook before visiting websites via the application if a user is a Facebook member but does not want Facebook to automatically collect data about the user and link these to the member’s data stored on Facebook.
10.7. Data are not automatically transferred to Facebook when only using the application as opposed to using Facebook plugins on mobile Internet pages. Data will be transferred to Facebook only when using the above-mentioned plugins. The first data transmission also requires an explicit login to Facebook via the app first, as otherwise no data transmission takes place. However, data will always be transmitted to Facebook as soon as a user clicks on a corresponding Facebook button in an app once they have logged in.
- 11. Security measures
Art. 32 GDPR specifies that the controller shall take all necessary technical and organisational measures within the meaning of the applicable data protection law to ensure the data that are stored, managed, or used by the controller are protected against accidental or deliberate changes or unauthorised access. Art. 25 GDPR specifies that, using a risk-based approach, appropriate technical security measures be taken according to the current state of the art to provide data protection by technological design. The controller has the technical service providers use suitable tools and technical measures.
- 12. Change of privacy policy
The controller will notify users of the services it operates by electronic communication of any changes to the privacy policy four weeks prior to implementing any changes.
- 13. Establishing contact
Controller and service provider according to Art. 13 GDPR for the United Kingdom
my mobile company GmbH
Commercial register: HRB 89673 (County Court Düsseldorf)
Kokkolastraße 5
40822 Ratingen
VAT ID No.: DE256314110, Germany
Users can reach the controller’s Data Protection Officer for the European Union (Attorney Ralf Hansen, Düsseldorf) in case of queries, to leave comments, or submit suggestions as follows:
my mobile company GmbH
Kokkolastraße 5
40822 Ratingen