Information According to Art. 13, 14 GDPR Concerning the Use of Karibu HM

I. General Provisions

1. Applicability of This Privacy Policy  

The Karibu HM App (hereinafter collectively referred to as the "Application") are operated and made available by the Heidelberg Materials, Digital Hub Ghana. By means of the Applications, companies of the Heidelberg Materials, Digital Hub Ghana (individually referred to as “the HC Company") can enable their business customers ("Customers") to create and track orders with the respective HM Company, receive instant updates about products, and view and manage documents, such as invoices. The functionality of the Karibu HM may vary and new features will be available from time to time. The access to the Applications is granted free to the Customers based on a separate contract. The Customer is free to designate the users of the Applications in accordance with the General Terms and Conditions of Use. Below, we provide information on how we process data of the users of the Applications.

2. Controller Pursuant to Data Protection Law

The controller responsible for processing your data within the scope of the use of the Applications is the HC Company from which you receive access to the Applications or from whose customer you receive access (in the following: “we”).

Provided that you grant your consent to participate in our Customer Panel as described in section II. 9 b) below, your data will be processed jointly by Heidelberg Materials, Digital Hub Ghana, the controller and its Group companies listed here (together “Joint Controllers Customer Panel”).

The joint responsibility for the Customer Panel arises from the fact, that the Joint Controllers Customer Panel exchange data or store the personal data of the users in a jointly accessible database and use the data and survey results for analysis of their digital and conventional products and improvement of their business, products and services.
Please also note that when you download the Karibu HM App directly from Google Play or the Apple App Store, your data are processed in a way for which we are not the controller under data protection law. Rather, the operators of the respective app stores are responsible for this processing. Further information is available under  https://policies.google.com/privacy  (for Google Play) and under  https://www.apple.com/legal/privacy/en-ww/  (for the Apple App Store).

3. General Information on Data Processing

We collect and process your personal data that we either receive from third parties or that you make available to us, e.g. via an input form in our application or otherwise, e.g. by e-mail. Moreover, we collect and process the data that accumulates when you use our application. The processing of your data takes place according to the provisions of the EU General Data Protection Regulation (GDPR). "Personal data" means any information relating to an identified or identifiable natural person. In the following, we explain in detail which data we collect and how and on what legal basis we do so. Moreover, we explain which rights you have and for how long your data is stored.

4. Rights of Data Subjects

As a data subject, you may approach us and – in the event you have granted your consent to participate in the Customer Panel – any of the Joint Controllers Customer Panel. You have the following rights:

• The right to receive information about the data processing as well as a copy of the processed data (right of access, Art. 15 GDPR);

• the right to demand that inaccurate data be rectified or incomplete data be completed (right to rectification, Art. 16 GDPR);

• the right to demand the erasure of personal data and, where the personal data have been made public, the notification of other controllers about the request for erasure (right to erasure, Art. 17 GDPR);

• the right to demand restriction of the data processing (right to restriction of processing, Art. 18 GDPR);

• if the conditions specified in Art. 20 GDPR are on hand, the right to receive the personal data of the data subject in a structured, commonly used and machine-readable format and to request the transmission of these data to another controller who is responsible for the processing (right to data portability, Art. 20 GDPR);

• the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which are based on point (f) of Article 6 (1) sentence 1, with effect for the future (right to object, Art. 21 GDPR); in this case, the controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;

• the right to withdraw previously granted consent at any time in order to stop the processing of data that takes place on the basis of your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (right of withdrawal, Art. 7 (3) GDPR);

• the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

5. Forwarding of Data to Third Parties, Order Processing, Transmission to Third Countries

We transmit your personal data to authorities/public bodies where this is required under overriding legal regulations.

The processing within the scope of a transmission to criminal prosecution authorities and other authorities as well as to third parties who have suffered harm or attorneys at law only takes place in exceptional cases, i.e. if there are clear indications of unlawful or abusive use of the Applications and the disclosure or transmission of your data is required for the investigation or legal prosecution of such use, i.e. if we are subject to a legal obligation to forward data to criminal prosecution authorities (point (c) of Art. 6 (1) sentence 1 GDPR) or pursuant to point (f) of Art. 6 (1) sentence 1 GDPR; in these cases, we have a legitimate interest in being able to enforce our General Terms and Conditions of Use and all associated rights and obligations and assert legal claims (e.g. compensation, cease and desist).

We also transmit your personal data to group-internal and external processors in the meaning of Art. 28 GDPR to the extent necessary for the processing. In the case of processors, we conclude contractual agreements with the service providers in order to ensure that the personal data are processed in accordance with the requirements of the GDPR.

The processing of your data in the context of a transmission to processors takes place for the purpose of ensuring efficient and secure operation of the Applications including their maintenance and in order to be able to provide technical support to you in case you encounter problems (point (f) of Art. 6 (1) sentence 1 GDPR). We have a legitimate interest in commissioning professional service providers in order to ensure efficient and secure operation of the Applications, to guarantee professional maintenance of these and to be able to provide support.

Furthermore, your personal data are transmitted to other controllers in compliance with and within the scope of the statutory provisions, e.g. to the respective Customer that you as a user specify during the registration process, so that the admissibility and scope of your access to the data of the respective Customer that you have specified can be checked and approved, or – in case you have granted your consent to participate in the Customer Panes – to the Joint Controllers Customer Panel.

The recipients of the data may also be located in countries outside the EU or outside the European Economic Area ("third countries"). In third countries, it might not be possible to guarantee the data protection level that exists in the EU/European Economic Area. Where data are transmitted to a third country, we make sure that this transmission only takes place in accordance with statutory provisions (Chapter V GDPR). Where this is the case, we comply with current jurisdiction and follow the applicable recommendations of the authorities in order to ensure that your data are protected at a level equivalent to the GDPR. In this connection, please also read 10   d) of this Privacy Policy.


 

6. Amendments to This Privacy Policy

We always keep this Privacy Policy up to date. For this reason, we reserve the right to modify it from time to time and to add amendments with respect to the processing of your data. We will inform you of any amendments. The current version of this Privacy Policy can always be accessed under  https://legal.hconnect.digital/policies/dpp/gh.  Where your consent is required for the processing, we will of course obtain such consent in advance.


 

II. Karibu HM App: Processing of Your Personal Data

7. General Information on the Processing of Your Data upon Download, Registration, Login and Use of the Karibu HM App

The Karibu HM App can be downloaded from Google Play and the Apple App Store.

During the download of the Karibu HM App and during the registration, login, and use of the Applications, we provide a secure environment.

Your user data is stored in a hashed format, i.e. a key is generated from them that enables the allocation of the user data but does not allow them to be read out or makes this difficult. Communication with our servers is encrypted according to the state of the art; thus, the data you enter for the registration and login are always sent to our servers in encrypted form.


 

8. Type of Personal Data Processed

For the download of the Karibu HM App and the registration, login and use of the app, we process the following personal data:

• Communication data (e.g., content of messages)

• Contact details (e.g., name, e-mail address, mobile phone number)

• Contract data

• Login credentials (e.g., password)

• Log files (e.g., last login)

• Authorisation management data (e.g. push notification authorisation)

• Usage data


 

In the context of the registration and use of the Karibu HM App, the data are collected directly from you or your device or entered by our sales team or our back-end customer systems within the scope of an existing contractual relationship.

For the download, registration, login and use of the Karibu HM App, additional personal data (e.g. certain usage data) may be collected, which you can determine in your individual settings on the mobile device.
 

9. Legal Bases; Type, Purpose, and Duration of the Processing of Your Data

a) Purposes

We process the data provided by you or by a third party when you download the Karibu HM App and when you register, log in and use the Applications

• for the purpose of enabling you to use the Applications;

• to set up a user account for you; when registering for a user account, we may contact you for security reasons by telephone on the telephone number you provided before we create your user account;

• to verify the authorisation upon login and when using the user account;

• to process your requests to reset the password and

• to process your call-off of delivery quotas

• to establish a secure environment for the use of the Applications and to protect your data, third-party data, and confidential information of us

• to contact you for the purpose of sending you technical or legal information, updates, security notifications or other messages (also by SMS), e.g., regarding the management of the user account or that are necessary in the context of the registration, the log-in or the technical usage options or functionalities of the Application;

• to contact you to ask about the user-friendliness and the functional scope of our applications and about your experience and wishes about our conventional products and your satisfaction concerning the scope of our services;to be able to show you content that is relevant to you.

b) Legal bases

We process your data for the aforementioned purposes partially on the basis of point (b) of Art. 6 (1) sentence 1 GDPR where the processing is necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The processing partially takes place on the basis of point (f) of Art. 6 (1) sentence 1 because, in fulfilment of our obligations under the user agreement with our customers, we have a legitimate interest in providing you as the user with all functions of the Applications and in protecting both the Applications and the information and data that can be retrieved via these. Moreover, we have a legitimate interest in processing your data where we want to assert claims against you, e.g. due to abusive behaviour within the scope of the registration for and use of the Karibu HM App.

The so-called usage data that accumulate in connection with your use can provide information on how you use the Application, e.g. when and for how long you were logged in or used the Applications, which pages or functions you used when and for how long, etc. In this connection, we process the number of users on the basis of point (c) of Art. 6 (1) sentence 1 GDPR, since for tax reasons, we need to be able to furnish evidence of the number of our users for billing purposes. We process all usage data beyond this scope on the basis of point (f) of Art. 6 (1) sentence 1 GDPR. We have a legitimate interest in keeping the Applications free from errors and protecting them from abuse. Moreover, we have a legitimate interest in further optimising the Applications in order to improve the user experience. For more information, please refer to our Cookie Policy.

The data processing takes place in our Application as well as in our upstream and downstream systems (e.g. SAP, CRM system).

The exact time when your consent was given is tracked. This tracking is based on point f) of Art. 6 (1) sentence 1 GDPR. Our legitimate interest for this tracking is to prove that we have got your consent before contacting you.

Notwithstanding the above data processing in relation to the Customer Panel, we also conduct surveys within our Applications with regard to a specific order or service. Such surveys are conducted on the basis of point (f) of Art. 6 (1) sentence 1 GDPR. Our legitimate interest is to find out about customer satisfaction with regard to a specific order or service, so that we can optimize and improve our user friendliness and services. Your personal data will only be processed for purposes other than those described above in case a legal regulation permits these or you have granted your consent to the changed purpose of the data processing. In the case of further processing for purposes other than those for which the data had originally been collected, we will inform you about these other purposes prior to the further processing and provide you with all other relevant information.
 

c) Duration of the processing of your data

We will erase the data at your request or as soon as they are no longer needed for the above-mentioned purposes unless we are under the obligation to store them longer due to retention and documentation obligations under tax and commercial law pursuant to point (c) of Art. 6 (1) sentence 1 GDPR or further processing is required due to ongoing legal disputes or you have consented to longer storage pursuant to point (a) of Art. 6 (1) sentence 1 GDPR.
 

10. Use of Cookies and Similar Technologies

In our browser-based Applications, we use various cookies, some of which are necessary and some of which you can select or deselect. For detailed information on cookies, please refer to our Cookie Policy.

Your selection is also stored in our Karibu HM App, but not in a cookie. Apart from this, the above information and the following information shall apply accordingly.

Statistics cookies and tracking are used for the purpose of analysing and evaluating your use of our Applications, enabling us to optimise our Applications on this basis. To the extent that we use third-party tools for this purpose, the information in section  I .  5  of this Privacy Policy shall apply.
 

Karibu Privacy Policy

Respect for your privacy is our core responsibility. Since we started Karibu, we’ve aspired to deliver our services with a set of strong privacy principles in mind. When we say “our,” “we,” or “us,” we’re talking about Heidelberg Materials, Digital Hub. This Privacy Policy (“Privacy Policy”) applies to our application (“Karibu”) unless specified otherwise.


Installation

When you install the application for the first time, the application may ask you to update google play services. Additional dependencies may also be downloaded if they are not already available. We do not collect any personal information during this process. However, data charges may apply.

Usage

Karibu HM application is a productive mobile app that is designed to inform all stakeholders and the general public about our products and services. Our sales outlets and depots with respective GPS information are also available. We have media contents for the consumption of our stakeholders. News and quarterly magazines are also published unto our mobile application as well as FAQs. Registered users can also have access to other critical data we want to share.
 

Terms of Use

1. Karibu may use push notification services to notify you about updates and important information. This message is sent to the push notification service provider for delivery to your device. You may however opt out or disable push notification services in Karibu.

2. Karibu may occasionally ask you to provide information on your experience from using the service, which will be used to measure and improve quality. You are at no time under any obligation to provide any of such data. Any and all information which is voluntarily submitted in feedback forms or any survey that you accept to take part in is used for the purpose of reviewing this feedback and improving the Karibu software.


Assignment, Change of Control, And Transfer All of our rights and obligations under our Privacy Policy are freely assignable by us to any of our affiliates, in connection with a merger, acquisition, restructuring, or sale of assets, or by operation of law or otherwise, and we may transfer your information to any of our affiliates, successor entities, or new owner.


 

Updates to our Policy

We may amend or update our Privacy Policy. We will provide you notice of amendments to this Privacy Policy, as appropriate, and update the “Last Modified” date at the top of this Privacy Policy. Your continued use of our Services confirms your acceptance of our Privacy Policy, as amended. If you do not agree to our Privacy Policy, as amended, you must stop using our Services. Please review our Privacy Policy from time to time.