Privacy policy

dm passport photo app

We, dm-drogerie markt GmbH + Co KG, at dm-Platz 1, 76227 Karlsruhe, phone 0721 5592-0, e-mail: ServiceCenter@dm.de (hereinafter referred to as "dm"), as the controller within the meaning of the General Data Protection Regulation (hereinafter referred to as "GDPR"), take the protection of your personal data very seriously and comply with the statutory provisions on data protection.
This privacy policy covers which data is collected in our application dm Passbild App (hereinafter "App") and for what purpose, and how it is stored and protected.

1. Operating and calling up the app
As part of the provision of the app and to ensure error-free operation, the following information is collected when the app is installed and accessed or used:

  • X-country code, e.g. de (used to preselect the correct country in onboarding)
  • Accept-Language / Region, e.g. de-DE,de;q=0.9,en-EN,en;q=0.8 (is used to display the correct language file in the app)
  • X client ID, e.g. 184 (is recorded in order to recognise which software client was used to create the order in the event of an error)
  • X client platform, e.g. Android;34 (14) (is recorded in order to display platform-specific information (iOS or Android) or to exclude incompatible software versions)
  • X client device, e.g. SMA536B, CPU of the device (recorded in order to exclude certain devices)
  • X client version, e.g. 3.1.58-dm (is recorded in order to be able to display update options if necessary)
  • Current IP address of the access
  • Date and time of the visit.

This access data is temporarily stored on our servers and deleted within 7 days at the latest.
The above data processing is necessary for the provision and operation of the app. The legal basis for this data processing is Art. 6 para. 1 b) GDPR.
Insofar as special events are recorded, such as transmission errors, this is done with a view to error-free, technical operation of the app. The legal basis for this data processing is Art. 6 para. 1 f) GDPR, based on our overriding legitimate interest in ensuring and improving the technical functionality of the app.

2. Data processing in the context of image recordings and orders as well as access authorisations
The dm passport photo app can essentially be divided into the following functions:

  • Taking a portrait photo
  • Verification of biometric features for biometric passport photos.

When you use these functions, your image data is recorded and processed. A QR code is generated from this, which you can use to print out and purchase the desired passport photos in the desired dm store.
To validate the biometric features, the biometric data of the portrait photograph is compared with the legal requirements. In this context, we use a software solution from Cognitec Systems GmbH. The biometric data is compared in accordance with ISO 19794-5 and ISO 39794-5 standards.
Validated images for which no QR code (order completion) is created are deleted when the software is closed, at the latest after 24 hours. Photos taken for which the customer generates a QR code are stored on our server for the duration of their validity. For biometric and non-biometric images, this is 90 days. Biometric photos of children are stored for a period of 60 days. This is displayed as "valid until" information in the app. You can delete the photos directly in the app at any time before the storage period is reached or ask customer service to delete the image for you.
The above data processing is based on a contractual basis and the legal basis of Art. 6 para. 1 b) GDPR.
To make it easier for you to use our ordering software, we also request access to location information (release of location authorisation). This is used to present a suitable preselection for location-dependent offers, such as the selection of a shop in your neighbourhood.
In addition, access to the camera function of your device is required for image recording. Explicit consent is requested in advance. Otherwise, you can control access to your device's camera at any time by deactivating the release of the function in the device settings.
The legal basis for this data processing is Art. 6 para. 1 a) GDPR, in that you will be asked separately for your consent in accordance with the specifications of your operating system operator. You can revoke this consent at any time with effect for the future in accordance with the above-mentioned options.

3. Making contact
You have the option of contacting our customer service team in several ways: by e-mail, by telephone or by post. When you contact us, we use the personal data that you voluntarily provide to us in this context. This is done solely for the purpose of contacting you and to be able to process your enquiry properly.
The legal basis for the associated data processing is Art. 6 para. 1 b) GDPR for contract-related enquiries, otherwise Art. 6 para. 1 f) GDPR, based on our overriding legitimate interest in processing incoming enquiries efficiently and documenting the result of the processing in the event of queries.
Based on the retention period under commercial law, the data will generally be deleted no later than 6 years after the final processing of an enquiry. The legal basis for data processing in the context of this retention is the fulfilment of a legal obligation pursuant to Art. 6 para. 1 c) GDPR.

4. Categories of recipients
We do not transfer your data to third parties unless we are legally obliged to do so (e.g. at the request of law enforcement authorities) or we need it to carry out business processes or use it as part of an order processing agreement. In all cases, we strictly observe the legal requirements.
Order processing agreements exist, for example, with web hosting providers, communications agencies, external call centres or IT service providers, also with a view to checking the legal requirements for biometric passport photos.
If there are legal obligations to disclose data (e.g. if requested by law enforcement authorities), we transmit the requested information on the legal basis of Art. 6 para. 1 c) GDPR. If there is no corresponding obligation, after weighing up the interests (e.g. to avert threats to state or public security, to prosecute criminal offences or in connection with civil law claims), data processing for changed purposes and the associated provision of information, e.g. to authorities or courts, may take place on the legal basis of Section 24 (1) BDSG.

5. Third country data processing
To ensure the high availability of our customer service, we are occasionally supported by service providers outside the scope of the GDPR (outside the EEA) as part of order processing. Such countries may have data protection regulations that are different and less protective than those of the EU. This may mean, for example, that your data may be processed by authorities for control and monitoring purposes, possibly without the possibility of legal recourse. We implement appropriate safeguards, including the conclusion of EU standard data protection clauses, in the event that personal data is processed outside the EU and there is no adequacy decision by the European Commission. The contractual text of the EU standard data protection clauses and the adequacy decisions can be found on the European Commission's website.
Otherwise, personal data in the context of the app, in particular the image data, is processed exclusively on servers within the EU or in Germany.

6. Telemedia data protection and terminal equipment
We offer our telemedia anonymously or under a pseudonym, insofar as this is technically possible and reasonable. Where consent to the storage of or access to information in a user's terminal equipment is required under the German Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), we will indicate this at the relevant points. Otherwise, information is only accessed or stored in the user's terminal equipment if this is absolutely necessary to provide a telemedia service expressly requested by the user. We base this access or storage on the legal basis of Section 25 (2) No. 2 TDDDG.

7. Safety measures
dm uses extensive technical and operational security precautions to protect your personal data managed by us against misuse, accidental or intentional manipulation or against access by unauthorised persons. Our security procedures are continuously improved in line with technological developments. Sensitive data, such as biometric data, is transmitted exclusively via encrypted connections (HTTPS / SSL) and stored on security servers.

8. Data subject rights and data protection officer
In the following, we would like to inform you about the rights to which you are entitled under the GDPR when we process your data. You will also find the contact options for asserting your rights and for enquiries to our data protection officer.
You have the right to information about the processing of personal data concerning you, a right to data portability and, if applicable, rights to erasure, rectification, restriction of processing and/or objection to processing as well as a right to lodge a complaint with a supervisory authority.

Special information on the right to object pursuant to Art. 21 GDPR: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on our overriding legitimate interest with the legal basis of Art. 6 para. 1 f) GDPR. This also applies to profiling based on this legal basis (Art. 4 No. 4 GDPR).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. If you object to the processing of your data for advertising purposes based on Art. 6 para. 1 f) GDPR, we will immediately cease processing without further examination. This also applies to any profiling that takes place in this context.

If you have any questions about data protection or your personal data at dm, please contact our data protection officer:
by e-mail: datenschutz@dm.de
 
or by post:
dm-drogerie markt GmbH + Co KG
Data Protection Team
Am dm-Platz 1
76227 Karlsruhe

Status October 2024