PRIVACY POLICY CORPORATE WEBSITE, MySSI SYSTEM WEBBASED AND MOBILE APP USE

Version 04.2022

Preamble and scope of this Privacy Policy

SSI International GmbH provides you with a variety of products and services in connection with diving and swimming. These products and services are inter alia offered online within the MySSI System (“MySSI System”) which consists of a corporate website under www.divessi.com (“website”), a browser solution with a registered user area under my.diveSSI.com, including its subdomains and micro-sites, databases and webshops (“MySSI”) as well as the MySSI App for mobile use (“MySSI App”).

This privacy policy applies for the freely accessible use of the website and to the MySSI System including the MySSI and MySSI App’s registered user area.

The following sections 1 to 7 including its Appendix (“Privacy Notice”) explain in general how we collect and use your personal data when you use the website, MySSI and MySSI App. The addendum contained in section 8 (“Californian Provisions”) contain additional provisions in compliance with the California Consumer Privacy Act (“CCPA”) that only apply to Californian residents. The Californian Provisions supplement the General Provisions but in the event of any conflict between the General Provisions and the Californian Provisions, the Californian Provisions shall prevail but only with regard to Californian residents.

If necessary, we will update this Privacy Policy with regards to the development of the MySSI System and according to changes in the legal situation and legal precedents. We therefore review this declaration at regular intervals to ensure that you have read the most up-to-date version.

PRIVACY NOTICE

1. General Provisions

1.0 Controller

The website, MySSI and the MySSI App are operated by SSI International GmbH as a controller pursuant to Art. 4 (7) EU General Data Protection Regulation (“GDPR”). (“SSI”, “we”, “us”). You can reach us as follows:

You can reach our data protection officer as follows:

Please note that we jointly determine the purposes and means of the processing concerning the execution of training, providing training content and issuing certifications, including the delivery of the certifications to the students as well as the administration of certificates and personal data of the students in MySSI and MySSI App with SSI Authorized Training Centers. You can get a copy of the document which describes the essence of this arrangement, by contacting SSI at privacy@diveSSI.com.

1.1. What is personal data?

The GDPR and the corresponding national data protection laws -protect the fundamental rights and freedoms of individuals and their rights to the protection of personal data. Accordingly, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier. Names, addresses, telephone numbers, e-mail addresses, user IDs, credit card numbers, social media account IDs, user names, IP addresses, GPS data etc. are therefore considered as personal data.

1.2. For what purposes do we collect personal data in general and are you obligated to provide your personal data?

We collect specific personal data of our users of MySSI and MySSI App (“user” or “you”) for proactive use of the website and app as explained below in detail.

Please note that you are not legally obligated to provide us with your respective personal data. However, otherwise we cannot offer you the services incorporated in the website, MySSI and the MySSI App.

1.3. Cookies used on retrieving the website

We refer to the ease of use of our website. These cookies include associated cookies, performance cookies (which are used for analysis and statistics), as well as cookies for marketing (such as personalization and advertising) that belong to you personally on our website and help us to offer our online and advertising services manage.

We and third-party providers sometimes use these cookies to process personal data. These third-party providers also include Google LLC, which is based in the USA and carries out data processing there. The European Court of Justice has not certified the USA as having an adequate level of data protection. In particular, there is a risk that your data will be subject to access by US authorities for control and monitoring purposes and that no effective legal remedies are available. By clicking on “Accept all cookies”, you agree that cookies, as shown here, in the data protection information and under cookie settings, may be used on the website by us and by third parties (including in the USA). However, you can also edit your cookie settings - individually for each purpose and each provider - and decide whether and which cookies you want to consent (except for cookies that are absolutely necessary and cannot be deselected). In particular, you can decide whether you want to give your consent to the data transfer to the USA or not. To do this, select the item “Edit cookie settings“. Please note that based on the settings you have made yourself, it is possible that not all functions of the page are available.

Further information can be found in our data protection information and in the cookie settings. You can revoke your consent at any time with future effect by adjusting your preferences under “Cookie Settings“ on our website.

If you have any questions or comments on this subject, please contact us using the contact details provided in point 7.1.

2. Handling personal data of registered users for proactive use of the MySSI system – web based and mobile app use

2.0 Collecting your data, when you contact us

When contacting us by email or via the contact form, we collect personal data that you have provided to us in this regard (e.g., name, email address, etc.) in order to respond to your inquiries. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

2.1. Collection of user data when participating in training programs

SSI provides the members – SSI Training Centers or Resorts (“SSI Authorized Training Centers”) and SSI Professionals or Instructors (“Instructors”) – with a data collection software in the MySSI System on the diveSSI.com Website for training and certification purposes and cooperates with external companies to manage and improve the digital workflows of SSI digital learning products.

SSI provides the user with training programs – also called SSI digital learning products – as a browser solution in the MySSI System on the diveSSI.com Website or in the MySSI App for mobile devices.

SSI, SSI Authorized Training Centers, and/or Instructors can collect the following information from participants in SSI training programs:

2.2. Use of user data when participating in training programs

MySSI LogIn

Your collected personal information, as described above, is automatically stored when you register yourself online in MySSI or in the MySSI App or when a SSI Authorized Training Center or an Instructor has registered you. A user profile with a personalized login (personal email address and password) is also automatically created. The personal account will be activated in order to enable yourself to check the status of your training progress and certification status at any time and to confirm the progress or certification at the respective SSI Authorized Training Center(s) you are affiliated to.

For the purpose of identifying you and to verify that you have all the necessary certificates in place to be eligible to dive we might share with other SSI Authorized Training Centers and potentially their affiliated instructors your personal data as described above, if you have given explicit consent and you have activated this option in your Privacy Settings in the MySSI account as explained in detail under point 2.4. The legal basis for sharing your data with other SSI Authorized Training Centers is your consent (Art. 6(1)(a) GDPR).

Once your data has been collected in MySSI, you will receive an automatically generated email from SSI with your username and password in order to activate your MySSI account. The activation of your account is mandatory for any SSI certification and assurances your access to the teaching content as well as your personal profile information (e.g., learning progress, accomplished certifications, educational level etc.).

The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the Digital Learning Platform

As part of the training and for the purpose of certification, the learning progress, completed performance requirements, examination results, etc. are recorded and stored. This data is accessible by the SSI Authorized Training Center that you have chosen and any affiliated instructors of the SSI Authorized Training Center, SSI, and the external service providers required to provide the service. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

As part of the SSI quality management, the participants/users will populate questionnaires about the training program by email. Additional information/documents like course progress, certification data, etc. and necessary correspondence for quality assurance as well as further educational opportunities. The described processing is based on our legitimate interest to promote further services offered by us to you (Art. 6 (1) (f) GDPR).

Within the Digital Learning System, users can voluntarily provide additional personal information on the individual pages of the training programs, take personal notes and ask questions about specific content, and share them with their SSI Authorized Training Center or instructor upon request. The processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

The MySSI System also allows the user to upload certain documents necessary for training and certification, which can also be viewed by other authorized persons, such as SSI, SSI Authorized Training Centers or instructors. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the Digital Certification and Document Functions

The MySSI System also allows the user to upload certain documents required for training and certification, such as proofs of First Aid, CPR, Oxygen Administration in Diving Emergencies and a 3 page Medical Statement signed by a practitioner, which may also be viewed by other authorized parties such as SSI, SSI Authorized Training Centers or Instructors, based on the personal settings in the Privacy function.

The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR) except for the processing of your medical statement. With regards to the latter the legal basis of the processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

Use of the Digital DiveLog Function with GPS Data Transmission

When using the DiveLog (digital logbook) function with the location/location-sharing-function activated by the user on the user’s smartphone and/or tablet and for the purpose of identifying available dive spots and logging of dives for you, we process when using the DiveLog:

Legal basis for described processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

By activating the Share Functions of the personal profile as a dive buddy, geo gata of the diving spot, maximum depth and time and the name and last name of the diver who shared the data and logged dive data can be shared with the dive buddy via QR Code Scan between the personal mobile devices.

The described processing is necessary for the performance of a contract (Article 6 (1) (b) GDPR).

2.3. Use of user data when using MySSI services

Use of the Equipment Function

You can upload the following information to MySSI and MySSI App:

a) personal equipment and relating data like brand, model, description, serial number, purchase date, dealer/store, etc.,

b) certain equipment related documents such as proofs for service and maintenance, warranty certificates, copies of purchase invoices, etc.,

We process the data specified in points a) – b) for the purpose of being able to offer you the services in the “Equipment” function. Legal basis for this processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the SSI Authorized Training Center Locator and Event Calendar Functions with GPS Data Transmission

GPS information received about a user’s location (when activated by the user) will be used in order to provide the user with the requested information, e.g. the Training Center Locator. The Event Calendar will request GPS data to locate the nearest SSI Authorized Training Center or event. The GPS data will only be used for theses specific purposes and is stored as long as necessary on that account. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Tailored marketing communication from SSI or third parties and product improvement

SSI collects your postcode, city, state, country, date of birth, course type, course progress, SSI authorized training center affiliation, current geodata and the data mentioned above in section 2.3 to identify your interests to provide you with customized advertising materials via newsletters, or in the app, or in your personal dashboard and special offers based on your interests. The legal basis of the processing activity is your consent if provided (Art. 6 (1) (a) GDPR). Additionally, SSI collects the data mentioned in this paragraph to be able to improve MySSI System and SSI products and services. The legal basis for this processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

Subject to your consent SSI shares your postcode, city, state, country, date of birth, course type, course progress, SSI authorized training center affiliation, current geodata and the data mentioned above in section 2.3 a) and b) with Mares and other companies of the Head group (please see section 3 below) to enable them to send you personalised advertising via newsletters, or in the app, or in your personal dashboard related to training, products and services. This includes, for example, advertisements for dive insurance, diver memberships, local training programmes and events conducted by SSI’s authorised training centers, etc. Legal basis for this processing activity is consent (Art. 6 (1) (a) GDPR).

In addition, if you use MySSI equipment you can deposit planned equipment purchases and specific equipment preferences in the app, which can be passed to manufacturers of the corresponding equipment as summarized data, or the individual interests indicated in the dive log and dive sites sections may be used to provide personalized diving travel offers. Legal basis for this processing activity is consent (Art. 6 (1) (a) GDPR).

2.4. Personal Privacy Settings – Disclosure to other App users and processing of anonymised data

Registered users of MySSI and MySSI App can select the confidentiality level of most of their information in their profile settings by defining visibility settings like “Everyone” (visible for everybody), “Buddies” (visible for accepted buddies) or “Private” (only visible to the user). The default pre-setting of the MySSI System for new users is always „Private“, so that the new user must actively allow higher visibility levels. When the profile is set to “Private” only anonymized data is processed about the respective use, in order to determine trends, usage patterns, frequency of use and regional activities.

2.5. Disclosure to other SSI Authorized Training Centers

Subject to your consent, and for the purposes described below we will make available your personal data namely Name, First Name, Street, Postbox, Postcode, City, State, Country, Email Address, Telephone Numbers (optional), Date of Birth, Personal Photo, Language, Gender, SSI Master ID, Course Type, Course Progress, Certification Data, (Number, Date, Instructor, Number of Dives at Certification Time, Year of Commencement of Diving), Training Center Assignment and other personal information provided by you voluntarily via the MySSI and MySSI App, e.g. Insurance Data Of Diving Specific Policies (if applicable) to other SSI Service Centers (please find an overview of all SSI Service Centers here: https://my.divessi.com/ssi) around the world and also Authorized SSI Training Centers, if you choose to affiliate or do business with them (please find an overview of all Authorized SSI Training Centers here: https://my.divessi.com/divecenter).

Subject to your consent we provide access to your data as described above to other Authorized SSI Training Centers worldwide which you are affiliated to or do business with in order to identify you verify or confirm the status of training and certification and to offer you appropriate trainings or services based on your personal status or training progress regarding his/her diving activities and/or certifications.

Please note that not all recipients (SSI Authorized Training Centers) have established an adequate level of data protection. Sharing your data is subject to your freely given consent. Also please note that SSI Authorized Training Centers can only access your data on your request and when providing your name and birthday for identification. Legal basis for the described processing is your consent (Art. 6 (1) (a) GDPR).

2.6. No processing of personal data from individuals who are under the age of 18

SSI does not process personal data from individuals under the age of 18 who participate in SSI training programs.

The conduct of SSI companies on this subject is in accordance with the “Children’s Online Privacy Protection Act” (COPPA) introduced in 2000. This law on the protection of children’s privacy on the internet is respected and applied by SSI. Further information about COPPA can be found at: http://www.coppa.org

3. Transfer of your personal data to third parties

SSI transmits your personal data to external performance agents or service providers. When third parties are processing data on behalf of SSI, SSI will enter into data processing agreements with them to ensure that the user´s/student´s information is used in accordance with the SSI Privacy Policy.

SSI transfers data to the following recipients

4. Transfer of your personal data to third parties outside of the EU/EEA

We transmit your personal data companies and other contractual partners outside of the EU/EEA for the verification of your SSI training status and certifications, for the provision of our services, the operation of the MySSI and MySSI App, the handling of your order, the maintenance of our IT systems and software etc. However, such transmission does not change anything in our obligation to protect your personal data in accordance with this Privacy Notice. If your personal data is transmitted outside of the EU/EEA, we guarantee an adequate measure of security by forwarding them to countries that have an appropriate level of protection based on confirmation by the European Commission or by concluding a transfer agreement incorporating the European Commission’s Standard Contractual Clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=de (for controller to processor transfers) and https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=DE (for controller to controller transfers) between us and the legal person outside of the EU/EEA who receives the data. In other cases, the data transfer might be based Art. 49 (1) 1 GDPR. You may receive a copy of the suitable guarantees by sending an e-mail to privacy@divessi.com.

5. Data Security

MySSI operates in encrypted https-format. Additionally, we take appropriate technical and organisational security measures to protect your personal data from unintentional or unauthorized deletion or modification, and from loss, theft and unauthorized viewing, forwarding, reproduction, use, alteration or access. We and our employees are also bound to data secrecy and confidentiality. Likewise, performance agents and authorized agents who must have access to your personal data to fulfil their professional duties will be subject to the same obligations to observe data secrecy and confidentiality.

6. Data Retention period

SSI stores your data as long as your MySSI account is active and SSI will keep your data for the duration of the contractual relationship you have with us. Laws may require SSI to hold certain information for specific periods. In other cases, SSI may retain data for an appropriate period after any relationship with you ends to protect itself from legal claims, or to administer its business.

In case a registered user does not activate the MySSI account and does not get certified within 12 months after registration, the account and user data will be automatically deleted from the MySSI System.

7. Your rights

You have the following data subject rights in relation to your personal data processed by us:

Your right to object, Art. 21 GDPR:

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If we process your data for legitimate purposes, you also have the right to object this processing at any time if grounds for this arise from your specific situation.

So that we can process your inquiry regarding your rights specified above and ensure that personal data is not given to unauthorized third parties, please address the inquiry with clear identification of your person and with a short description regarding the scope of the exercise of your data subject rights listed above.

Your right to lodge a complaint

You also have the right to lodge a complaint with the competent data protection authority, in particular the data protection authority in the Member State of your habitual residence or place of work, if you are of the opinion that the processing of the personal data about you violates the applicable data protection laws.

Your right to withdraw your consent

If you have given us your consent for a certain processing activity you can withdraw it at any time (Art. 7 (3) GDPR). The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

7.1. Contact details of Controller and Data Protection Officer

If you have any questions about the processing of your personal data, please feel free to contact us or our data protection officer via email: privacy@diveSSI.com or letter: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany.

8. Californian Provisions

8.1. Categories of personal information we collect, where we collect it from, why we collect it, and who we share it with

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“personal information”).

We use the personal information we collect for our operational purposes or other purposes set out in this privacy notice. Those purposes may include:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Undertaking internal research for technological development and demonstration.

(6) Undertaking activities to verify, improve, upgrade, enhance, or maintain the quality or safety of our products or services.

To help you understand our privacy practices, the following table shows, for the past twelve (12) months: which categories of personal information we have collected, the categories of sources from which we collected personal information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we have shared personal information:

8.2. Disclosure of personal information

In the past twelve (12) months, we have disclosed the following categories of personal information of California consumers for a business purpose:

8.3. Do Not Track

Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. Instead, we collect, use, and share information as described in this privacy notice regardless of a “do not track” choice.

8.4. Your rights under California law

You have the right to ask us to send you the following information:

You have the right to ask us to delete the personal information about you that we have collected or that we maintain.

We do not, and will not, sell your personal information. Therefore, we don`t provide a mechanism to opt-out of sales of personal information.

8.5. Non-discrimination

Your privacy rights are important. If you exercise your privacy rights under California law, we will not do anything of the following inresponse:

8.6. How California residents can submit requests

If you are a California resident and you want to submit a request to us regarding your California rights, you can contact us here privacy@divessi.com. If you have a pre-existing account with us, you must submit your request through that account, but you do not have to create an account with us to submit a request.

If you submit a request to delete personal information, you must separately confirm the request. After receiving your request, we will send you a separate communication with instructions on how to confirm your request to delete.

We can only respond to your request if it is verifiable. This means we are obligated to take reasonable steps to verify your identity.

If necessary to verify your identity, we may ask you to provide additional information that will help us do so. We may also require a signed declaration under penalty of perjury, depending on the nature of the request. We will only use that additional information in the verification process, and not for any other purpose. If we cannot verify your request, we will not disclose any personal information.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

8.7. Authorized agents

If you wish to submit a request to know or delete through an authorized agent, we require the following before we can process the request:

Consumers may submit the information listed above to privacy@divessi.com. Authorized agents may also submit the notarized copy of written permission to privacy@divessi.com.

If your authorized agent has a valid power of attorney under California Probate Code sections 4000 to 4465, we may request proof of the power of attorney instead of the foregoing.

We may deny a request from an agent that does not submit proof you authorized them to act on your behalf.

8.8. Changes to this privacy notice

From time to time, we may update this privacy notice. When we do, we will post it on our website and include the effective date of the update. If there are material changes to this privacy notice, we will post a prominent notice on our website and provide other notice as required by law.

APPENDIX

Link to the list of SSI Service Centers – https://my.divessi.com/ssi

Link to the list of Authorized SSI Training Centers – https://www.divessi.com/dealer-locator

Link to the document describing the essence of the applicable joint controller agreement – https://my.divessi.com/ssi_dc_joint_controller_agreement