Privacy Policy for Geberit Apps and IoT Services

Changes from the previous version of this document are listed at the end of the document.

2 Controller and Data Protection Officer 

2.1 The operator of the App and the controller responsible for processing your personal data is Geberit Verwaltungs AG, Schachenstrasse 77, 8645 Rapperswil-Jona, Switzerland.

2.2 Our data protection officer can be reached by email at dataprotection@geberit.com or at the postal address above for the attention of “The data protection officer”.

3 Information on processing your data 

This section provides further information on which personal data we collect from you and how we process it:

3.1 Information collected when downloading

When downloading the App, certain essential information is passed on to your chosen app store (such as Google Play or the Apple App Store). This specifically includes your user name, email address, customer account number, time of download, payment details (if appropriate) and the individual ID number of your end device. As this data is processed exclusively through the respective app store, the way it is handled is beyond our control.
The first time you download the App, we also ask you to specify the country in which you intend to use it so that we can offer you services in the appropriate language. The legal basis for this is established in point (b) of Article 6(1) of the GDPR. Without this information, we would not be able to offer you access to the App in your own language.

3.2 Information collected automatically

We collect certain information automatically while the App is in use. This includes the internal device ID, the version and language of your operating system, the screen resolution, the Bluetooth MAC address, and the time of access.
We do not save this data, but it is sent to us automatically (1) to allow you to use the App and its associated functions, (2) to improve the functions and performance characteristics of the App, and (3) to prevent and eliminate misuse and malfunctions. The justification for processing this data is (1) that it is essential to the provision of the App (as stipulated in point (b) of Article 6(1) of the GDPR), and (2) that we have a legitimate interest in not only ensuring the operability and trouble-free operation of the App, but also offering a service in line with market requirements and customer needs. For further information about the balancing of interests in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.

3.3 Information collected while using the App

Within the App, you have the option of voluntarily submitting data relating to you. This data includes personal data and is used by us for the following purposes:

3.3.1 If you use the App to register yourself or your Geberit device, create a service request, order consumables, or submit our contact form, we will collect your personal data (including your title, first name, last name, email address, postal address and phone number). We use this data to provide you with our services and to maintain a contractual relationship with you. The legal basis for this is established in point (a) and point (b) of Article 6(1) of the GDPR.

3.3.2 When you connect the App to your Geberit device, we collect the serial number of your Geberit device. We use the serial number to check whether you use your Geberit device publicly or privately and whether you have already registered it with us. If this is the case, further operating options are automatically activated. The connection between the App and the Geberit device is voluntary and based on your consent. The legal basis for this is established in point (a) of Article 6(1) of the GDPR. You can disconnect the Geberit device from the app again at any time without affecting the lawfulness of processing based on consent before disconnection.

3.3.3 In addition, service technicians commissioned by Geberit can read out anonymized, technical data from your Geberit device via a special app in case of service (this concerns the Geberit ID as well as device, statistical and diagnostic data such as model, article number, serial number, manufacturing date, device settings, profile settings, meter readings from the device components, descaling history, error codes and error history). This can be done on site or via a remote service, during which the serial number of your Geberit device is read out. We require the technical data in order to provide you with our services and to improve our range of services through anonymised data analyses. The legal basis for this is established in points (b) and (f) of Article 6(1) of the GDPR. If you would like further information about the balancing of interests in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.

3.3.4 We – along with other companies associated with the Group – also use your data for advertising purposes, particularly by post or in the form of email newsletters, customer surveys or other forms of contact (such as text message or telephone) if you would like us to contact you in this way. The legal basis for this is established by your consent, provided that we have obtained this, or our legitimate interest in providing relevant advertisements on the basis of points (a) and (f) respectively of Article 6(1) of the GDPR. If you would like further information about the balancing of interests in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.
You can object to the use of your data for advertising purposes at any time. Details of your right to object can be found in Section 5.4 of this privacy policy. Where legislation in individual countries requires us to obtain your prior consent for the aforementioned advertising activities, we will of course do so. The legal basis for processing your data is established by your consent in these cases (point (a) of Article 6(1) of the GDPR). You have the right to withdraw your consent at any time. If you wish to do this, please contact us via the details specified above or follow the instructions in our promotional messages. The withdrawal of consent does not affect the lawfulness of any data processing that was carried out based on consent being obtained.

3.4 The App uses one or more of the following tools and technologies

3.4.1 Microsoft App Center Analytics
Our App uses technologies from the Microsoft Analytics App Center (Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA; “Microsoft”) with various functionalities (“Microsoft Analytics”). Microsoft Analytics makes it possible to analyse how our App service is used. It records entirely anonymised information about the use of our App and sends this to Microsoft, where it is then stored. Microsoft uses this information to evaluate how our App is used and provide us with further services associated with the use of apps. Microsoft is certified under the Privacy Shield framework and therefore guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). The legal basis for the use and evaluation of the data and the use of Microsoft is a legitimate interest in the analysis, optimisation and economic operation of our App within the scope of point (f) of Article 6(1) of the GDPR.
You can prevent your activity data from being shared with Microsoft by using the slider below to deactivate the “Send analytics data” setting.

4 Sharing your data with third parties 

Your personal data will never be shared with third parties without your express prior consent. The only exceptions to this apply in the following cases:

4.1 For prosecution reasons

Where required in order to investigate the unlawful use of our services or for the purposes of prosecution, personal data will be disclosed to the relevant law enforcement authorities and, where applicable, to any third-party claimants. However, such a course of action will only take place if there is concrete evidence of unlawful conduct or misuse. In such cases, your data may also be shared if doing so is required for the fulfilment of terms and conditions of use or other agreements. If requested, we are also legally obliged to disclose such data to certain public authorities, such as law enforcement bodies, authorities that penalise offences, and financial authorities.
In these cases, data is disclosed on the basis of our legitimate interest in combating misuse, aiding the prosecution of criminal offences, and aiding the establishment, assertion and enforcement of claims, in line with point (f) of Article 6(1) of the GDPR. If you require further information about the balancing of interests that must be carried out in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.

4.2 Associated companies within the Geberit Group

Personal data is disclosed to the respective local sales companies associated with the Group to ensure that we are able to provide optimal sales support to Geberit customers in each respective country. In these cases, data is disclosed on the basis of our legitimate interest in ensuring effective customer support in line with point (f) of Article 6(1) of the GDPR. If you require further information about the balancing of interests that must be carried out in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.

4.3 Contract data processors

We rely on contractually bound third-party companies and external service providers (referred to as “processors”) in order to provide our services. In such cases, personal data will be shared with these processors in order to allow them to continue providing their services. The processors have been carefully selected by us and are subject to regular audits. The processors are permitted to use the data only for the purposes specified by us. Furthermore, they are contractually obligated to handle your data exclusively in accordance with this privacy policy and in line with the applicable data protection laws.
More specifically, we use the services of the following processors in particular:

1. other Geberit companies for the purposes of centralised customer administration and order processing
2. other Geberit companies for the purposes of providing centralised IT services for the other companies in the Group
3. cloud computing providers who process the selected usage and device data from your Geberit end device within Europe
4. logistics service providers, for the purpose of sending you products, marketing materials or other items that you have ordered from us
5. payment service providers for the purpose of processing all payments from you to us or vice versa
6. service providers for installation work or after-sales services
7. service providers for the distribution of newsletters or the execution of customer surveys
8. IT service providers for hosting, operation and support for IoT Services

Data is disclosed to processors on the basis of Article 28(1) of the GDPR or, alternatively, on the basis of our legitimate interest in the economic and technical advantages associated with the use of specialised processors and on the basis of circumstances in which your rights and interests in the protection of your personal data are not overridden (see point (f) of Article 6(1) of the GDPR). If you require further information about the balancing of interests that must be carried out in accordance with point (f) of Article 6(1) of the GDPR, please contact us using the details provided above.
Personal data is not shared outside of the European Economic Community (with the exception of Switzerland).

5 Your rights 

As an affected party, you are entitled to the rights outlined below with regard to how we process your personal data. If you would like to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.

5.1 Right to access

You have the right to request that we provide access to the personal data concerning you that we have processed. You may exercise this right at any time within the scope outlined in Article 15 of the GDPR.

5.2 Right to rectification or erasure

Subject to the prerequisites specified in Articles 16 and 17 of the GDPR, you have the right to request from us the rectification of incorrect data or the erasure of personal data concerning you. The prerequisites provide for a right to erasure in particular where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. The ability to exercise this right is restricted in accordance with Article 17(3) of the GDPR, particularly in cases where we require your data in order to meet a legal obligation or to process legal claims.

5.3 Right to restriction of processing

You have the right to request from us restriction of processing under the terms specified in Article 18 of the GDPR.

5.4 Right to object

In accordance with Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation and at any time, to the processing of personal data concerning you on the basis of point (e) or (f) of Article 6(1) of the GDPR. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or unless the circumstances involve the establishment, exercise or defence of legal claims.

5.5 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format under the terms specified in Article 20 of the GDPR.

5.6 Right to lodge a complaint with the relevant data protection supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data relating to you infringes the applicable data protection legislation.

6 Erasure of your data 

If you would like to request the erasure of your data, simply email us at dataprotection@geberit.com. Generally speaking, we erase or anonymise your personal data as soon as it is no longer needed for the purposes for which we collected or used it in accordance with the sections above. If data needs to be retained for legal reasons, it will be blocked. This means that it will no longer be available for further processing. If you require further information regarding our erasure and retention periods, please contact us using the details provided above.

7 Changes of purpose 

Your personal data will only be processed for purposes other than those described if a legal provision requires this course of action or if you have given your consent to the changed purpose of the data processing. In cases of further processing for purposes other than those for which we originally collected the data, we will notify you of these other purposes prior to the data being processed further, and will provide you with all other information that relates to this.

8 Automated individual decision-making or profiling 

We do not use any automated processing systems for coming to specific decisions – including profiling.

9 Changes to this privacy policy 

The current version of this privacy policy is always available in the App under the “Information” menu item.

Version: January 2021
