WISeKey Privacy Notice
This WISeKey Privacy Notice relates to the services provided by WISeKey for the issuance of digital certificates and the provision of related security solutions, including mobile Application and other online services.
We take your privacy seriously and will only use your personal data to deliver the products and services requested.
Who are we?
WISeKey SA is a company incorporated in Geneva, Switzerland, and member of the WISEKEY International Group, the ultimate parent Company of which, WISeKey International Holding Ltd. is registered in Zug Switzerland.
The entity acts as Controller of personal data in relation to the provision of our products and services.
Other companies in the WISeKey Group can establish their own Privacy Notices, always in compliance with the applicable regulations.
Who are our Privacy Officers?
Our Data Protection Officer (DPO) is Pedro Fuentes. The DPO is registered at the Dutch Data Protection Agency (Autoriteit Persoonsgegevens), which act as “Lead Supervisory Authority” for WISeKey’s activities in the European Union.
Contact email: firstname.lastname@example.org
What data is collected?
We collect the data necessary for the provision of the services. The main service is the provision of digital identities, mainly in form of X509 Digital Certificates. WISeKey also provides other related security services around these digital identities.
Personal data that may be included in Digital Certificates can include:
- First Name
- Last Name
- Common Name
- E-mail address
- Title (e.g. Mr./Mrs. /Dr.)
- Job title (professional title)
- Pseudonym (if relevant)
- Company/Organization name (if relevant)
- Organizational Unit (if relevant)
- Government issued ID document number (e.g. passport, driving license). Only if explicitly requested by the customer.
Personal data that is not included in Personal Digital Certificates but that may be requested as part of the Certificate issuance process (e.g. for vetting the identity of an individual). This data can include:
- Telephone number (home/mobile)
- Identification document details (used for identity vetting)
- Company registration number and data
Personal data is also needed in order to create a user account on our account or certificate management systems in order to log in to the system. This Personal Data consists of:
- First Name
- Last Name
- Phone number(s)
- Password (chosen by user)
Certain Digital Certificates such as device certificates for the Internet of Things do not contain any personal data, but personal data may be requested as part of the application for such certificates. This includes the name, title, email address and telephone number of the relevant people involved with the certificate request and approval process.
Other security solutions, such as the WISeID mobile applications or other on-line services, capture Personal Data as part of the user registration process. This Personal Data includes:
- Email address
- PIN and/or One Time Password secret
- Mobile phone number
- Identification document details
- Details to be included in the Digital Certificate, which can be issued after registration process completed. See above for the data included in a digital certificate.
Note that we do not obtain or manipulate other data such as documents to be signed or encrypted with our security services, this data remains under exclusive control of the end user.
Why do we collect information? / Lawful Basis for processing
We rely on a variety of information to run our business. In some cases, this information may include data that relates to an identified or identifiable natural person, which is referred to as Personal Data.
The reason that we collect your Personal Data is that we need it in order to provide you with our products and services, which include the provision of digital certificates and signing services.
The lawful basis for us processing Personal Data in relation to these services is that processing is necessary for the performance of a contract or to take steps to enter into a contract.
Who is collecting it?
We collect data directly from you or indirectly from those organisations who have entered into a contract with us (for example to request certificates for their employees or customers). This indirect collection is considered a “Processor” role activity and requires appropriate compliance of current regulations.
How will it be used?
We use your personal data only for the provision of the products and services that we have contracted to provide.
WISeKey can also use your personal data to send marketing information, news or other information related to our products and services. We offer an explicit “opt-in” subscription mechanism, so these messages will only be sent to the persons that gave their previous authorization.
Where will it be processed?
Processing activities performed by WISeKey will happen in Switzerland, as main location, or in EU countries. Switzerland is considered by the EU as a country with adequate data protection regulations, and therefore not subject to additional data transfer controls.
Who will it be shared with?
We do not share your personal data with anyone save to deliver the agreed services (please refer to section “Who is collecting it?”).
How is your data protected?
We use a combination of technical, administrative, organizational and physical safeguards to protect your personal data. Access to your personal data is restricted to those who are necessary for the delivery of the services.
These safeguards are tested as part of our annual audits and accreditations. For further details please see details of the our accreditations.
The WISeKey CP/CPS (available at https://www.wisekey.com/repository) requires that audit logs are retained for at least seven years after the expiration of the digital certificate.
We comply with all relevant Data Protection/ Privacy legislation. These provide a number of rights with regard to your personal data.
You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.
You have the right to lodge a complaint with the appropriate Data Protection Authority if you believe that we have not complied with our legal obligations. For further information see here.
Please email email@example.com to make a request under these provisions. In order to help us deal with such request please provide details of the product/service that the request relates to, the relevant WISeKey office/contact person and any other details (such as customer number etc). Please note that we will perform steps to verify your identity before providing any information.
Automated Decision Making and Profiling
The GDPR defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’. We do not perform any profiling.
WISeKey does not use automated decisions in the processing of personal of data.
This Privacy Notice
As our organisation grows, this Privacy Notice is also expected to change over time. This Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our personal information practices. You should check our site frequently to see the current Privacy Notice that is in effect.
The Privacy Notice was last updated on 17th May 2018.
If you have questions regarding this Privacy Notice, please contact us via email at: firstname.lastname@example.org.