Legal Information
PortiQ Privacy Policy
The protection of personal data is an important concern for SecCommerce Informationssysteme GmbH (hereinafter “SecCommerce”) and its sub-contractors. We therefore process personal data in accordance with the applicable legal provisions on the protection of personal data and on data security.
Due to the close cooperation between SecCommerce and the Bundesdruckerei Group, individual processing operations may be carried out under the data protection responsibility of another actor. Insofar as SecCommerce is not the data protection controller with regard to individual processing operations, this is indicated at the beginning of the respective processing in each case. This privacy information concerns processing operations under the data protection responsibility of SecCommerce.
Contents
- Controller and Data Protection Officer
- Description of the Processing Activity
- Data Subjects, Origin, and Categories of Personal Data
- Purposes and Legal Basis of the Processing
- Use of Cookies
- Recipients of Personal Data
- Necessity of Provision
- Duration of Storage
- Security
- Transfer and Disclosure
- Storage Periods
- Rights of Data Subjects
- Right to Object
Controller and Data Protection Officer
SecCommerce Informationssysteme GmbH
Otto-Wels-Straße 49
22297 Hamburg – Germany
E-mail: info@seccommerce.com
You can reach SecCommerce’s Data Protection Officer by post with the addition “To the Data Protection Officer” and by e-mail at: datenschutz@seccommerce.com.
In providing the PortiQ signature portal, SecCommerce generally acts as a processor bound by instructions pursuant to Art. 4 No. 8 GDPR for the commissioning actors. We provide the following information in fulfillment of our obligations under Art. 13, 14 GDPR, insofar as we act as a controller pursuant to Art. 4 No. 7 GDPR due to a differing constellation in an individual case.
Description of the Processing Activity
SecCommerce intends to enable natural persons to electronically sign documents – among other means, via the remote signature service sign-me of D-Trust GmbH (hereinafter “D-Trust”). As a sub-contractor of SecCommerce, D-Trust provides users with certificates in accordance with the respective applicable terms of use.
Data Subjects, Origin, and Categories of Personal Data
Data Subjects
- Applying users (employees, customers, or business partners).
- Persons whose personal data are contained in the documents to be signed.
Origin of the Data
Data of the data subjects are:
- collected during self-registration via a web form,
- obtained from identification service providers as a verified data set,
- obtained from customers who communicate with PortiQ via API,
- obtained for customers’ contact persons from contracts and forms,
- obtained from service and support requests of companies that provide support for their own end customers, as well as from direct support requests of the data subjects.
Categories of Data
The following personal data are processed within the scope of D-Trust’s sign-me remote signature system and the provision of certificates for applying remotely triggered signatures (hereinafter “signature creation service”) (the respective scope may vary depending on the individual case):
- ID document data: surname, first name, valid from/to, place of birth, nationality, birth name, date of birth, registered address, ID document number (for reconciling the application, ID document, and proof of identification).
- Further information: title, contact e-mail, e-mail in the certificate, mobile number, billing address, organization, product-specific ID.
- Proofs: VideoIdent proof (recording of the person, identity card/passport/ID document).
- Certificates, IP addresses, access times.
- Where applicable, documentation on transfers pursuant to § 8(2) VDG [German Trust Services Act].
- Where applicable, data to be signed in the self-service area.
Purposes and Legal Basis of the Processing
Personal data are processed for the purpose of contract performance (Art. 6(1) lit. b GDPR), namely the establishment of the applicant’s identity, the application review and processing, ensuring the certificate life cycle including revocation and operation of the directory service (status information service), and in individual cases for troubleshooting, in particular in the case of support requests.
The publication of certificates in the directory service takes place exclusively on the basis of your express consent (Art. 6(1) sentence 1 lit. a GDPR) in the application process. You may object to the publication at any time with effect for the future by sending an e-mail to datenschutz@d-trust.net.
In the case of requests pursuant to § 8(2) VDG, transfers to competent authorities are carried out insofar as those authorities demand the transfer in accordance with the provisions applicable thereto, because the transfer is necessary for the prosecution of criminal offenses or administrative offenses, for averting threats to public safety or order, or for fulfilling the statutory tasks of the constitutional protection authorities of the Federal Government and the federal states, the Federal Intelligence Service, the Military Counterintelligence Service, or the financial authorities, or insofar as courts order the transfer within the scope of pending proceedings. In these cases, the legal basis is § 8(2) VDG in conjunction with Art. 6(1) sentence 1 lit. c GDPR.
Use of Cookies
When individual pages are accessed, so-called temporary cookies are used for the technical provision of the service. These session cookies do not contain any personal data and expire at the end of the session. Techniques such as Java applets or ActiveX controls, which make it possible to trace the access behavior of users, are not used.
Recipients of Personal Data
In order to be able to provide our support services, we pass on the personal data required for this service to the customer service of Bundesdruckerei GmbH, insofar as this is necessary to resolve the support case. Likewise, we will pass on personal data, namely the telephone number, to our sub-contractor responsible for sending SMS, insofar as the support case relates to SMS dispatch in the signature portal. The respective customer service processes the personal data on our behalf and according to our instructions in order to respond to your support requests. Parts of the commercial contract processing are provided by Bundesdruckerei GmbH, and personal data are processed in the course of this.
Pursuant to § 8(2) VDG, D-Trust passes on your personal data to the competent authorities where applicable. In the case of your consent, D-Trust transfers your certificate to the directory service, which publishes your certificate so that it is publicly accessible.
Necessity of Providing Personal Data
We require the data marked as mandatory fields in order to be able to ensure the identity of the certificate holders. If the data are not provided or are provided incorrectly, the requested certificate cannot be issued. Without proof, the data cannot be included in the certificate.
The data subject’s mobile number is mandatory, as the mobile phone is used as a second factor within the scope of authentication for triggering the signature. Without this security mechanism, which is based on the provision of the mobile number, the service cannot be provided.
Duration of Storage
As soon as the personal data are no longer necessary for the purpose or purposes for which they were collected, they are deleted by us and our sub-contractors, unless statutory retention obligations prevent deletion. The traceability of the identification on the basis of which a certificate is issued is a quality feature of the certificate. The retention periods prescribed by law or in certifications are implemented depending on the product.
For qualified signature certificates, the requirements of § 16(4) VDG on permanent retention apply to certificates and certificate verification data including contact data. This corresponds to the entire duration of D-Trust’s operation. Should D-Trust cease its business, the data will be handed over to the Federal Network Agency (Bundesnetzagentur) or another qualified trust service provider, as required by law.
All other certificate verification data and certificates are deleted eight years after the expiry of the validity of the last certificate issued on the data. Documents that users upload to the signature portal for signing are deleted after a duration configurable by the controller following the completion of the respective workflow containing the document. If D-Trust is obliged to transfer data, where applicable, on the basis of § 8(2) VDG in conjunction with Art. 6(1) sentence 1 lit. c GDPR, it retains this documentation for 12 months pursuant to § 8(3) VDG.
Security
We take all necessary technical and organizational security measures to protect your personal data against loss and misuse. Your data are thus stored in a secure operating environment that is not accessible to the public.
Transfer and Disclosure of Personal Data
Personal data are transferred to our sub-contractors where this is necessary to fulfill the purposes mentioned above. Within the Bundesdruckerei Group, personal data that we have transferred to D-Trust are, where applicable, transferred to other group companies for the purposes mentioned above, where this is necessary.
Personal data are also transferred to courts, supervisory authorities, or law firms, insofar as this is legally permissible and necessary in order to comply with applicable law or to assert, exercise, or defend legal claims. Insofar as cooperation with service providers takes place, such as service providers for IT maintenance services, they act only on our instructions and are contractually bound to comply with the applicable data protection requirements. SecCommerce remains responsible for the data processing.
Storage Periods
Insofar as no express storage period is specified during the collection of personal data (e.g., within the scope of a declaration of consent) or within the descriptions of this privacy information, personal data are deleted as soon as they are no longer necessary for achieving the purposes, unless statutory retention obligations (e.g., commercial and tax law retention obligations) prevent deletion. The following general periods apply to retention and archiving under German law:
- 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet, as well as the working instructions and other organizational documents required for their understanding, accounting vouchers and invoices (§ 147(3) in conjunction with (1) Nos. 1, 4, and 4a AO [German Fiscal Code], § 14b(1) UStG [German VAT Act], § 257(1) Nos. 1 and 4, (4) HGB [German Commercial Code]).
- 6 years – other business documents: received commercial or business letters, reproductions of dispatched commercial or business letters, and other documents insofar as they are relevant for taxation (§ 147(3) in conjunction with (1) Nos. 2, 3, 5 AO, § 257(1) Nos. 2 and 3, (4) HGB).
- 3 years – data necessary to take into account potential warranty and damage claims or similar contractual claims and rights are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB [German Civil Code]).
Rights of Data Subjects
Under the GDPR, you have the following rights as a data subject:
- Right of access (Art. 15 GDPR): information about the purposes, the categories of data processed, the specific recipients or categories of recipients, the storage period or the criteria for determining it, as well as, where applicable, the origin of the data.
- Right to rectification (Art. 16 GDPR) of inaccurate data or completion of incomplete data.
- Right to erasure (Art. 17 GDPR), insofar as no ground for exclusion exists.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) in a structured, commonly used, and machine-readable format.
- Right to withdraw consent (Art. 7(3) GDPR) with effect for the future.
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) – as a rule, the supervisory authority of your usual place of residence or workplace, or alternatively the supervisory authority of our company’s registered office.
Right to Object (Art. 21 GDPR)
Under Art. 21 GDPR, you have the right to object to the processing of your personal data if we process your personal data solely on the basis of our legitimate interests and there are grounds arising from your particular situation. Should your objection be directed against direct marketing, you have a general right to object without giving any specific reasons. You can declare your objection by e-mail to datenschutz@seccommerce.com.
Version: 04.06.2026