Data Protection Policy – Mobile devices

Punkt. is committed to protecting and respecting the User’s Privacy Rights.
This document has been drawn up in compliance with the Federal Data Protection Act and art. 13 of EU Regulation 679/2016 (hereinafter "Regulation"), for users (hereinafter "Users" or "User") of products and services owned by Punkt Tronics AG, Vat Id CHE-114.634.022 VAT, Reg. No. CH-501.3.011.937-5, with headquarters in Via Losanna 4, 6900 Lugano, Switzerland, which acts as the Data Controller of personal data (hereinafter “Data Controller”).
The document details how your personal information is managed when you use Punkt. mobile devices (including but not limited to feature phones, smart phones, tablets, laptops, wearables) or any associated applications developed by Punkt. and/or its partners, as well as allowing you to give consent, in the event that it is required, to process your personal data by these applications or other features that require access and interaction.
We would like to remind you that, in the relevant sections of the Punkt. website where your personal data is collected, you will find specific information, pursuant to the Federal Data Protection Act and art. 13 of EU Regulation 2016/679, for your acknowledgment and acceptance, before submitting any data requested.
Any information and personal data provided by you or otherwise acquired in the context of various Punkt. services, included but not limited to the software and service developed by its partners, , namely AphyOS and Apostrophy Services, (altogether the “Software”), will be processed in compliance with the key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.

  1. The personal data being processed

Punkt.mobile devices aim to protect privacy and personal information of the user and were designed accordingly, based on the principles of privacy by design and by default.
With Punkt mobile devices users can store, transmit and manage personal data; mobile applications may be installed onto the devices to access information databases or web portals where different categories of personal data could also be available. The personal data in question may thus include names, e-mail addresses, telephone numbers, messages, chats, electronics communications, log files, multimedia contents, calendar and notes, traffic and location data, IP addresses and cookies, IMEI (International Mobiile Equipment Identity) numbers, as long as they can identify a natural person. It should also be noted that the personal data may be processed under any form, such as in an e-mail which contains personal data, and with any technology, including Internet protocols. Even in the simplest case, for example when the device is used only for phone communications and SMS, traffic and contact data of the phone users and their communications partners will be processed. In addition, smart phones and tablets utilize a number of techniques that make it possible to identify and track individuals with regard to their physical location and in relation to how they make use of their device and applications (location-based services available on mobile devices phones and tablets collect location information that allows third parties to identify the precise whereabouts of users; this functions may be enabled on feature phones for emergency calls, if the service is supported by the network provider). Moreover, personal data of third parties may be contained in messages and stored calls, e.g. in a voice mail system.

Punkt. recognises the importance and necessity for users to store data safely and communicate securely. To this end:

However, for technical reasons relating to the configuration and maintenance of the product’s security, Punkt. may have to process location and usage data which is generated by the device when it interacts with Punkt.’s infrastructure reachable through the network. This is because the Punkt mobile devices to gain connectivity must be associated with a unique address whose transmission is implicit in the use of communication protocols. The information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data may include IP addresses, IMEI numbers, serial numbers, Device Identifier URI (Uniform Resource Identifier) ​​addresses of the requested resources, Software version number, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the telephone operating system and the user's IT environment. These data are usually used for the sole purpose of obtaining anonymous statistical information on the use of accessible resources and to check their correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical IT crimes against third parties.
In Punkt.’s case, the data processed are is:

  1. How we use personal information

The Data Controller advises that the data will be processed lawfully pursuant to art. 6 of the Regulation, and with your explicit consent where necessary, exclusively for the following purposes:

  1. Legal basis and compulsory or optional nature of consent for provision of data

The Owner processes Personal Data relating to the User if one of the following conditions exists:

You have the right to ask the Data Controller to clarify the concrete legal basis of all data in which one is involved.

The provision of personal data by the User is always optional, but it is essential to conclude a purchase agreement or to guarantee access to additional services such as the management of your customer service requests following updates to the Software or applications. Any refusal, albeit legitimate, to provide all or part of the requested data, may make it impossible for Punkt. and its partners to carry out the regular provision of the requested services.

  1. Who is your Data is processed by?

Your Personal Data that will be processed by staff specifically trained by Punkt. pursuant to art. 29 GDPR. Your personal data may also be transmitted to third parties that have been appropriately selected and are certified as GDPR-compliant for the sole purposes stated in the previous art. 3.

These third parties have been appointed as data controllers and carry out their activities according to the instructions issued by Punkt. and under its control.
More specifically, the Personal Data of Users may be disclosed to third parties for the following purposes, strictly necessary for the provision of the requested services:

The list of external managers is available upon written request to our email address: info@punkt.ch

  1. Where your data is stored

The Data is processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For the most part (and to the greatest extent possible) data are processed in Switzerland. For more information, contact the Data Controller at the following email address info@punkt.ch.

  1. Extra-EU Data Transfer

Personal Data, collected exclusively for technical purposes related to the execution of specific activities aimed at the correct functioning of the Punkt mobile devices and for related assistance services, could be transferred to non-EU countries, is stored in compliance with Chapter V of the GDPR.
The personal data that could be transferred are:

In order for the transfer to third countries to be carried out, Punkt. verifies the presence of adequate safeguards such as:

The lack of an adequate decision or a situation of presumed substantial equivalence generates risks for the interested party, who may not enjoy, the same protection of his personal data in the third country (e.g., due to the absence of supervisory authorities or due to the greater interference of the public authority that could request its transmission). You should be mindful of these residual risks, even if their likelihood in a specific instance is low, as we actively implement additional safeguards, such as requiring service providers to commit to measures like data pseudonymization or challenging governmental access legally requested, in order to mitigate them further.

In these cases, if the transfer is absolutely necessary for technical purposes of updating the System Software, Punkt. will request the explicit consent of the interested party, pursuant to art. 49 paragraph 1, letter a) of the GDPR.
It is not possible, in fact, to waive the transfer of the IP address , as it is implicitly necessary for the operation of the internet transport protocols to uniquely identify the communication actors (in this case the device to be updated and the server that must distribute the update); however, the interested party is granted the possibility of not giving consent to the transfer, or to revoke it at any time, yet still being able to use the Punkt mobile device without updates.
Further information is available from the Data Controller.

  1. Processing methods and security measures

The processing of Personal Data is carried out using IT and / or telematic tools, using organizational methods and with logic strictly related to the purposes indicated, without profiling characteristics.
The processing is carried out according to methods and with suitable tools to ensure the security and confidentiality of the data in accordance with the provisions of art. 32 of the 2016/679 European Regulation.
In carrying out the processing operations, all technical, IT, organizational, logistical, and procedural security measures will always be adopted so that the adequate level of data protection required by law is guaranteed.

  1. How long is your data retained?

The Data Controller will process Personal Billing Data for the time necessary to fulfil the purposes related to the execution of a contract between the Data Controller and the User and, in any case, not longer than 10 years from the termination of the relationship with the User.
Device usage and navigation data, related to resources and support services for system software updates and application functionalities (download, update, maintenance) and related log data will be kept for 60 months.
Personal Data collected for the pursuit of a legitimate interest of the Data Controller, the Personal Data will be retained until such interest is satisfied.
Personal Data may be kept for a longer period if necessary to comply with a legal obligation or by order of an authority.
All Personal Data will be deleted upon expiry of the retention period. At the end of this term, the right of access, cancellation, rectification, and the right to data portability can no longer be exercised.

  1. Your rights

Users can exercise certain rights at any time with reference to the specific processing of personal data by Punkt.:

To exercise your rights as described above, you can contact us by writing to us at info@punkt.ch. Requests are made free of charge and processed by the Data Controller as soon as possible, in any case within 30 days.
Last updated: November 14th, 2023