Punkt has always made it a key priority to protect the privacy of its Users.

This document was drawn up in accordance with article 13 of Regulation (EU) 2016/679 (hereinafter “Regulation”), for users (hereinafter “Users” or “User”) of the products and services owned by Punkt Tronics AG VAT ID CHE-114.634.022 IVA, Reg. No. CH-501.3.011.937-5, with registered office in Via Losanna 4, 6900 Lugano, Switzerland, in its capacity as Controller of the personal data (hereinafter “Controller”).

This document will explain how your personal information is managed when you use the Pigeon Application created specially for the MP02 telephone, and, if necessary, to enable you to give your express, informed consent to your personal data being processed for other apps or functions that require access and interaction.

Specific information is provided in the various sections of the website www.punkt.ch pursuant to article 13 of Regulation (EU) 2016/679 which you will have to review before providing the data requested.

The information and data that you provide or that is otherwise acquired when using the various punkt.ch services will be processed in accordance with the principles of lawfulness, fairness, transparency, purpose limitation and storage limitation, data minimisation, accuracy, integrity and confidentiality.
 

1. The personal data that will be processed

The personal data is collected in order to distribute, maintain and update the Pigeon application.

Even though the entire focus of the MP02 telephone has always been to protect the privacy and personal domain of the User, Pigeon is an application specifically developed to permit the phone to interact with Signal, an instant messaging application where the contents of communications are end-to-end encrypted.

The end-to-end encryption of the data means that communications connected to the Signal account cannot be decoded by the platform managers and information that has to be shared for technical standpoint purposes is also used to the minimum extent possible, with said use informed by the principles of proportionality and necessity.

Communications are designed to be kept confidential throughout their entire life cycle in the MP02 – Pigeon – Signal circuit.

The MP02 phone encrypts data in the device, Pigeon maintains the security and integrity of the data during transmission and the Signal system provides end-to-end encryption. This system allows the user to exchange synchronous and asynchronous confidential communication safely while always maintaining their own privacy and the privacy of others.

Pigeon makes the MP02 phone compatible with the Signal secure communication system. By giving permission when you register, you give Pigeon permission to access your MP02 Contacts list, use and record audio, view SMS messages, access photos/media/files and make/manage phone calls. You may also deny permission. However, the permission is requested to enable certain features from Pigeon to Signal such as finding contacts, reading, receiving and sending messages, and making calls through secure end-to-end encryption communication on Pigeon.

The information and personal data processed to download and install the basic functions of Pigeon are as follows:

• browsing and usage data generated by the device when it interacts with the Punkt infrastructure that can be accessed through the Internet. This concerns information that is not collected to be associated with specific data subjects, but which, by its very nature, could allow users to be identified through processing and association with data held by third parties. IP addresses belong to this category, along with the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used when submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the data response from the server (successful, error, etc.) and other parameters relating to the operating system of the telephone and the User’s ICT environment. This data is generally only used to obtain anonymous statistical information on the use of the resources that can be accessed, to ensure that it works properly and to identify any anomalies and/or abuse. The data may also be used to ascertain responsibility in the event of computer offences.

The optional information and personal data that can be processed for Pigeon to work at an advanced level are as follows:

• Personal contact data such as name, surname and email address which are needed to receive notifications and respond to any faults in the application;

2. Processing purpose

The Controller would like to inform you that the data collected will be processed lawfully in accordance with article 6 of the Regulation, for the following purposes only:

1. To allow the application to be downloaded;
2. To respond to requests for assistance or information that the Controller receives by email, telephone or through the “Contact” page on the website;
3. The need to monitor how the services are provided, including on a computerised basis;
4. The Controller has implemented an automatic control system for the exclusive purpose of security and prevention of fraudulent behaviour which monitors and analyses user behaviour on the support resources of the application, linked to the processing of certain Personal Data, including the IP address.

3. Legal basis and mandatory or optional nature of the processing

The Controller shall process Personal Data relating to the User if one of the following conditions are met:

• The User has given consent for one or more specific purposes [article 6.1 letter a) GDPR] such as advanced ticketing functions, some of which require registration of the Account on the website;
• Processing is needed to provide the basic services requested [article 6.1, letter b) GDPR] such as downloading the application or to resolve technical issues relating to its installation;
• Processing is needed for compliance with a legal obligation to which the Controller is subject, such as communicating the data to authorities who have the right to request them in the event of computer fraud [article 6.1, letter c) GDPR].

In any case, the Controller can always be asked to clarify the legal basis behind any processing that is carried out on his or her data.

The User will always have the option to decide whether or not to provide his or her personal data, but it has to be given to ensure access to certain services such as downloading the application or assistance if any faults arise. Any refusal, even though legitimate, to provide the data required in whole or in part, may make it impossible for Punkt to provide the services requested on a standard basis.

4. Recipients of the personal data

Employees and business partners of the Controller may be aware of and use the Personal Data that will be provided. These employees and business partners shall be authorised in accordance with article 29 of the GDPR for the sole purpose of performing the activities strictly related to achieving the purposes declared in paragraph 2 above.

The Personal Data may also be disclosed to third parties engaged to carry out the lawful processing on behalf of the Controller in their capacity as Processors.

More specifically, the Personal Data of the Users may be disclosed to third parties for the following purposes, strictly necessary to provide the services requested:

• Archiving, hosting, management and maintenance of the back-end infrastructure related to the development and distribution of the application;

A simple request can be addressed to the Controller to obtain the list of any Data Processors engaged to process the data.

5. Data processing and storage place

The Data are processed at the workplaces of the Controller and in any other place where the parties involved in the processing are located.

The personal data may be transferred to the processors located in Switzerland exclusively for the purposes listed in paragraph 2, in full compliance with Chapter V of the GDPR which requires adequate guarantees with regard to transfers, with Switzerland currently offering an adequate level of protection. There is more information available at the offices of the Controller.

6. Processing mechanisms and security measures

The Personal Data is processed using computer and/or online instruments, with organisational mechanisms and methods that are strictly related to the purposes indicated and without any profiling being carried out.

The Processing is carried out in accordance with mechanisms and instruments that can guarantee the security and confidentiality of the data in accordance with the provisions of article 32 of Regulation (EU) 2016/679.

When the data is being processed, all technical, computer, organisational, logistical and procedural security measures will always be implemented to ensure an adequate level of protection of the data as required by law.

7. Storage period

The data will only be processed for the time necessary to fulfil the purposes for which they are requested.

The browsing and use data implicitly collected when the application is downloaded and installed, with the associated logs, will be stored for a maximum period of 60 days for the exclusive purpose of security and the prevention of fraudulent conduct.

The Personal Data may be stored for a longer period if required to fulfil legal obligations or by order of the authorities.

All the Personal Data will be deleted upon expiry of the storage period. At the end of said time period, the rights of access, erasure, rectification and the right to data portability may no longer be exercised.

8. Rights of the data subjects

The data subjects may exercise certain rights with reference to the Data processed by the Controller. More specifically, the right to:

• Withdraw consent at any time;
• Object to the processing of his or her Data;
• Access his or her Data (Article 15 GDPR);
• Confirm and request rectification (Article 16 GDPR);
• Obtain restriction of the processing (Article 18 GDPR);
• Obtain the erasure or removal of his or her Personal Data (article 17 GDPR);
• Receive his or her Data or have them transferred to another controller (Article 20 GDPR);
• Lodge a complaint with the personal data protection supervisory authorities and/or take legal action.

A request can be sent to the following email address to exercise these rights: info@punkt.ch Requests are made on a gratuitous basis and followed up by the Controller in the shortest time possible, and in any case within 30 days.

Most recent update: 8th of April 2021