Data Protection Policy – MP02

Punkt. is committed to protecting and respecting the User’s Privacy Rights.
This document has been drawn up in compliance with art. 13 of EU Regulation 679/2016 (hereinafter "Regulation"), for users (hereinafter "Users" or "User") of products and services owned by Punkt Tronics AG, Vat Id CHE-114.634.022 VAT, Reg. No. CH-501.3.011.937-5, with headquarters in Via Losanna 4, 6900 Lugano, Switzerland, which acts as the Data Controller of personal data (hereinafter “Data Controller”).

The document details how your personal information is managed when you use the MP02 telephone or any associated applications developed by Punkt., as well as allowing you to give consent, in the event that it is required, to process your personal data by these applications or other features that require access and interaction.

We would like to remind you that, in the relevant sections of the Punkt. website where your personal data is collected, you will find specific information, pursuant to art. 13 of EU Regulation 2016/679, for your acknowledgment and acceptance, before submitting any data requested.

Any information and personal data provided by you or otherwise acquired in the context of various Punkt. services, will be processed in compliance with the key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.

The personal data being processed

The MP02 is a device which aims to protect privacy and personal information of the user and was designed accordingly, based on the principles of privacy by design and by default.

With the MP02 users can store, transmit and manage personal data; the functions of the device allow you to create a contact list with name, surname, and telephone numbers, messages, chats, electronic communications, log files, play and transfer multimedia content, access calendars and make notes with reminders.

Furthermore, the user can enable the GPS function which would allow location data to be transmitted in the event of an emergency call. Note: this service may not be supported by your network provider.

Punkt. recognises the importance and necessity for users to store data safely and communicate securely. To this end:

The physical storage medium is encrypted with a strong symmetric encryption algorithm and the decryption key is stored in the chipset of the device itself. Punkt. has no access to the data stored in the phone, which remains the exclusive property of the owner;
the Software on the device does not share data with third parties and its implementation follows best practices for the development of secure software and guidelines of recognized standards;
transmission channels between the device and the additional applications are also protected by secure protocols encrypted with a digital certificate;

However, for technical reasons relating to the configuration and maintenance of the product’s security, Punkt. may have to process location and usage data which is generated by the device when it interacts with Punkt.’s infrastructure reachable through the network. This is because the MP02 to gain connectivity must be associated with a unique address whose transmission is implicit in the use of communication protocols. The information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the telephone operating system and the user's IT environment. These data are usually used for the sole purpose of obtaining anonymous statistical information on the use of accessible resources and to check their correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical IT crimes against third parties.

In Punkt.’s case, the data processed are:

general billing data, to finalize the sale of the product;
general contact details, name, surname and email address, to manage any reports or requests for information;
navigation data (for example the IP) to optimize, service, monitor the IT infrastructure necessary to guarantee the security of the hardware and software of the product, to provide updates to the operating system and any downloads, updates and maintenance of applications which have been developed.

How we use personal information

The Data Controller advises that the data will be processed lawfully pursuant to art. 6 of the Regulation, and with your explicit consent where necessary, exclusively for the following purposes:

Allow the provision of the requested Services and the carrying out of communications relating to the performance of the established relationship;
requirements relating to the stipulation of contracts and assignments, their execution and subsequent amendments or variations and for any obligation envisaged for the fulfilment of the same;
allow the download and update of applications and the operating system;
respond to requests for assistance or information, which we will receive by email, telephone or through the "Contact Us" page of our website;
operational, organizational, managerial, fiscal, financial, insurance and accounting requirements relating to the contractual and / or pre-contractual relationship established;
monitoring needs, including IT, of the methods of provision of services;
to elaborate studies, research, market statistics;
for the sole purpose of security and prevention of fraudulent conduct.

Legal basis and compulsory or optional nature of consent for provision of data

The Owner processes Personal Data relating to the User if one of the following conditions exists:

The User has given consent for one or more specific purposes, like in the case of certain types of service requests that require the creation of an account on the website;
the processing is necessary for contract execution with the User and/or for the execution of pre-contractual measures, as in the case of billing data for the sale of the device or contact for after-sales assistance;
the processing is necessary to fulfil a legal obligation to which the Data Controller is subject, as in the case of communication to the Competent Authority in the case of computer crimes;
the processing is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, as in the case of promotional communications on products or services that are similar and improved with respect to those already purchased (the so-called "soft spam", provided that the interested party does not exercise his right to object, as indicated in this document).

You have the right to ask the Data Controller to clarify the concrete legal basis of all data in which one is involved.

The provision of personal data by the User is always optional, but it is essential to conclude a purchase agreement or to guarantee access to additional services such as the management of your customer service requests following updates to the Software or applications. Any refusal, albeit legitimate, to provide all or part of the requested data, may make it impossible for Punkt. to carry out the regular provision of the requested services.

Who is your Data is processed by?

Your Personal Data that will be processed by staff specifically trained by Punkt. pursuant to art. 29 GDPR. Your personal data may also be transmitted to third parties that have been appropriately selected and are certified as GDPR-compliant for the sole purposes stated in the previous art. 3.

These third parties have been appointed as data controllers and carry out their activities according to the instructions issued by Punkt. and under its control.
More specifically, the Personal Data of Users may be disclosed to third parties for the following purposes, strictly necessary for the provision of the requested services:

Storage, hosting, management and maintenance of the back-end infrastructure, related to the production and development of the MP02 telephone and applications;
additional security features and real-time monitoring of the integrity of the phone's hardware and software components;
accounting management.

The list of external managers is available upon written request to our email address: info@punkt.ch

Where your data is stored

The Data is processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For more information, contact the Data Controller at the following email address info@punkt.ch.

Extra-EU Data Transfer

Personal Data, collected exclusively for technical purposes related to the execution of specific activities aimed at the correct functioning of the telephone device and for related assistance services, could be transferred to non-EU countries, is stored in compliance with Chapter V of the GDPR.

The personal data that could be transferred are:

billing data, provided when the device is purchased;
contact details, name, surname and email address, provided in the context of user notification or requests to our customer service department for information or assistance;
navigation data (e.g., IP address) to optimize, maintain, monitor the IT infrastructure necessary to ensure the security of hardware and software of the product and to distribute software updates.

In order for the transfer to third countries to be carried out, Punkt. verifies the presence of adequate safeguards such as:

an adequacy decision;
standard Contractual Clauses approved by the European Commission;
or other documentation that appropriately justifies the existence of requirements of "substantial equivalence" of protection.

The lack of an adequate decision or a situation of presumed substantial equivalence generates risks for the interested party, who may not enjoy, the same protection of his personal data in the third country (e.g., due to the absence of supervisory authorities or due to the greater interference of the public authority that could request its transmission).
In these cases, if the transfer is absolutely necessary for technical purposes, as in the case of transfer of the IP address of the telephone device to servers located in the USA, for the technical purpose of updating the System Software, Punkt. will request the explicit consent of the interested party, pursuant to art. 49 paragraph 1, letter a) of the GDPR.
It is not possible, in fact, to waive the transfer of the IP address is not, as it is implicitly necessary for the operation of the internet transport protocols to uniquely identify the communication actors (in this case the device to be updated and the server that must distribute the update); however, the interested party is granted the possibility of not giving consent to the transfer, or to revoke it at any time, yet still being able to use the telephone device without updates.
Further information is available from the Data Controller.

Processing methods and security measures

The processing of Personal Data is carried out using IT and / or telematic tools, using organizational methods and with logic strictly related to the purposes indicated, without profiling characteristics.

The processing is carried out according to methods and with suitable tools to ensure the security and confidentiality of the data in accordance with the provisions of art. 32 of the 2016/679 European Regulation.
In carrying out the processing operations, all technical, IT, organizational, logistical, and procedural security measures will always be adopted so that the adequate level of data protection required by law is guaranteed.

How long is your data retained?

The Data Controller will process Personal Billing Data for the time necessary to fulfil the purposes related to the execution of a contract between the Data Controller and the User and, in any case, not longer than 10 years from the termination of the relationship with the User.
Device usage and navigation data, related to resources and support services for system software updates and application functionalities (download, update, maintenance) and related log data will be kept for 60 months.
Personal Data collected for the pursuit of a legitimate interest of the Data Controller, the Personal Data will be retained until such interest is satisfied.
Personal Data may be kept for a longer period if necessary to comply with a legal obligation or by order of an authority.
All Personal Data will be deleted upon expiry of the retention period. At the end of this term, the right of access, cancellation, rectification, and the right to data portability can no longer be exercised.

Your rights

Users can exercise certain rights at any time with reference to the specific processing of personal data by Punkt.:

You have the right to revoke your consent at any time;
you have the right to object to the processing of your personal data at any time;
you have the right to access your data. (Article 15 of the GDPR);
You have the right to request that your data be corrected or modified; (Article 16 GDPR);
request that the processing of your personal data be temporarily limited. (Article 18 of the GDPR);
You may request the cancellation of your personal data in the cases provided for by current legislation. (Article 17 GDPR);
You may request to receive your data, or have it transferred directly to a third party that you indicate. (Article 20 GDPR);
You may lodge a complaint to the supervisory authority for the protection of personal data and/or take legal action.

To exercise your rights as described above, you can contact us by writing to us at info@punkt.ch. Requests are made free of charge and processed by the Data Controller as soon as possible, in any case within 30 days.

Last updated: April 22, 2022