Data Protection Notice about the ePOD App

a) Introduction

In this Data Protection Notice, we would like to inform you about the processing of your personal data and your rights regarding this processing. 

b) Definitions

Definitions of terms used in this Data Protection Notice:

• General Data Protection Regulation: The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the protection of personal data. The information provided here serves to fulfill a legal requirement under the GDPR.
• Personal data: Personal data is all information relating to a data subject. A data subject is an identified or identifiable natural person. An identifiable natural person is a person who can be identified by name or other data. Personal data includes contact details, IP address, age and many other items of information.
• Processing: Under Article 4(2) of the GDPR, processing is any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Controller: Under Article 4(7) of the GDPR, a controller is a natural or legal person who or which determines the purposes and means of, and thus controls, the processing of personal data.

c) Controller

The controller for the purposes of data protection law is:
ASD Ltd (Kloeckner Metals UK)
Valley Farm Road, Stourton
Leeds
LS10 1SD 
E-Mail: enquiries@kloeckner.com

If you have any questions or requests regarding data processing, please contact our Data Protection Officer using the contact details in the next paragraph.

d) Data Protection Officer 

You can contact our Data Protection Officer using the following contact details at any time: 

• E-mail: dataprivacy@kloeckner.com

a) Data categories

We process the following categories of personal data:

1)  Registering in the ePOD app 

• This is done using a delivery run-specific code and a separate run-specific access code. These are randomly generated and are not personal data.
• However, by decoding the route number (last 10 digits), knowledgeable Klöckner employees can trace in the system which driver (name) drove what delivery run with which truck (license number). In the case of outside firms, the data is only traced back to the delivery firm and truck, which means that it is also possible to identify the driver (name) if the driver is always assigned to the same truck. 

2) Using the ePOD app

• Collection of Location Data also when app is in background
  To display the position of the vehicle and the selected route, the location is determined at least once a minute (provided that you have given your consent). Depending on the nature of the route, especially if there are many turns, the location may be determined more frequently for accuracy.
• Camera/access to images
  Certain features (such as recording delivery) require access to the camera and photo album. This must, however, be done with the active involvement of the user. There is no automated access by the ePOD app. Likewise, there is no continuous recording using the camera.
• Other data
  Event notifications: The dispatcher can be notified by the app with information about breaks/delays.
  Documentation: Photos can be taken and information added in a text box to record deliveries. The customer’s name and signature as well as the name and signature of the employee taking delivery are likewise recorded. 

b) Purposes of processing
The above data is used to provide digital documentation of delivery runs and full delivery of material to customers. The data is not used for any other purpose. The only exception to this is for software improvement and technical support for the app.

c) Legal basis of processing 
The processing takes place on the basis of Article 6(1)(b) of the GDPR (performance of contract) and – in the case of Klöckner Group employees – in conjunction with Section 26 (1) of the German Federal Data Protection Act (BDSG).
Software improvement and technical support take place on the basis of our legitimate interest under Article 6(1)(f) of the GDPR, where our legitimate interest is the provision of a functional, error-free app.

d) Mandatory/voluntary provision of data 
Use of the ePOD app as well as processing of the above data is necessary for delivery of the ordered goods to customers and therefore for contract performance.
If the data is not provided, this may in individual cases have consequences with regard to the employment contract and/or supplier contract. 

e) Retention period
The retention period is governed by legal requirements. Data on events (see 2(a)(2), third list item) is retained for a maximum of two months; location data is deleted after one week.
General retention requirements, such as for tax reasons, may call for longer retention periods in individual instances. 

i) Recipients of personal data
The data is not passed on to third parties. Technical support is provided by contract processors in development/maintenance of the app and in hosting the system environment. The processors are under obligation to comply with prevailing data protection law. The relevant Klöckner company remains the controller.

j) Transfer to third countries
Personal data is not transferred to countries outside the EU or EEA or to international organizations.

As a data subject, you can exercise your rights under the GDPR at any time by sending an informal message to our Data Protection Officer (see under heading 1. d) above for contact details). Your rights are as follows: 

• The right to be provided information about the data processing and a copy of the processed data (right of access, Article 15 of the GDPR);
• The right to obtain rectification of incorrect data or to have incomplete data completed (right to rectification, Article 16 of the GDPR);
• The right to obtain erasure of personal data and, where personal data has been made public, to have other controllers informed about the request for erasure (right to erasure, Article 17 of the GDPR);
• The right to obtain restriction of processing (right to restriction of processing, Article 18 of the GDPR);
• The right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format and to transmit that data to another controller (right to data portability, Article 20 of the GDPR);
• The right to object to data processing in order to prevent it (right to object, Article 21 of the GDPR);
• The right to withdraw consent that you have given in order to prevent data processing on the basis of your consent. Withdrawing consent has no bearing on the lawfulness of processing on the basis of the consent before the withdrawal (right of withdrawal, Article 7 of the GDPR);
• The right to lodge a complaint with a supervisory authority if you consider that the processing of personal data infringes the GDPR (right to lodge a complaint with a supervisory authority, Article 77 of the GDPR).