Privacy and ti&m places
When an organization (herein also called a “data controller” or “customer”) is considering relying on ti&m places for booking of a workplace, meeting room, parking space or equipment, privacy is something that needs to be addressed at every level. The questions we answer below should address the privacy concerns you may have when planning your Places implementation, or at any point during Places usage.
What personal data does ti&m places collect and for what purposes does ti&m places use this data?
ti&m processes the personal data in ti&m places to deliver the agreed-upon services defined in the Online Services Terms and ultimately for the purposes determined by the “customer” (“data controller”) obtaining the service. ti&m places, as a cloud-based service, processes various types of personal data as part of delivering the service. This personal data includes:
Content
We save information about bookings and check-ins. For each booking we save the Workplace-ID, the User-ID, the booking date and time, and the date and time of the check-in. The Workplace-ID refers to a workstation and therefore includes the full location, including the building address, the floor and the room.
User Data
Data that is shared within your company about you: name, surname, display name, e-mail address and roles/AAD groups used for Places.
Booking History
A detailed history of the booking calls you make, which allows Admins to go back and review booking records.
Support/Feedback data
Information related to troubleshooting tickets or feedback submission to ti&m.
Diagnostic and service data
Diagnostic data related to service usage. This personal data allows ti&m to deliver the service (troubleshoot, secure and update the product and monitor performance) as well as perform some internal business operations, such as:
Determine revenue
Develop metrics
Determine service usage
Conduct product and capacity planning
ti&m places at no time processes or stores any special categories of personal data as defined in the European GDPR (DSGVO). To the extent ti&m operates on personal data in connection with ti&m's legitimate business operations, ti&m will be an independent data controller for such use and will be responsible for complying with all applicable laws and related controller obligations. ti&m will not use personal data for mailings or similar marketing activities.
Legal Basis of Processing
Our customers are controllers for the data provided to ti&m, as set forth in the Online Services Terms, and they determine the legal bases of processing. ti&m, in turn, processes the data on the customers' instructions, as a processor.
To the extent ti&m processes personal data in connection with its own legitimate business operations, as described in the Online Services Terms, ti&m will be an independent controller for such processing, the legal basis of which is legitimate interests. "ti&m legitimate business operations" consist of the following, each as incident to delivery of ti&m places to the customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and reseller incentives); (3) internal reporting and modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect ti&m or ti&m Products; (5) improving the core functionality (accessibility, privacy or energy-efficiency); and (6) financial reporting and compliance with legal obligations.
What third parties have access to personal data?
ti&m will not disclose personal data except:
* the data the customer may derive by use of the API. Please refer to the relevant data privacy statement of the customer;
* as described in the Online Services Terms;
* as required by law.
If law enforcement contacts ti&m with a demand, ti&m will attempt to redirect the law enforcement agency to request that personal data directly from the customer. If compelled to disclose personal data to law enforcement, ti&m will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so.
Where does ti&m transfer and store personal data?
The customer can choose the location of personal data and can choose to move the data to a different location at any time.
How long does ti&m places retain personal data?
The customer can define how long ti&m places retains personal data.
Because this data is required to provide the service, this typically means that we retain personal data until the customer stops using ti&m places, or until the customer deletes personal data. If an administrator deletes the data, ti&m will ensure that all copies of the personal data are deleted within 30 days.
If a customer terminates service with ti&m, the corresponding personal data will be deleted between 90 and 180 days after service termination.
End user consent
The customer is responsible for informing its users of ti&m places (e.g. employees or partners) about the usage of ti&m places within the applicable legal framework and obtaining their consent.
Profiling
ti&m places does not perform any profiling of user data, and there is no automatic decision-making within ti&m places that would affect the end user.
Data Protection
Data is protected by Microsoft Cloud Services. ti&m regularly performs back-ups of the data stored on Microsoft Cloud Services and retains them in the Microsoft Cloud in the corresponding location. ti&m operations is ISO 27001 certified.
Contact Details of ti&m’s Data Protection Officer
If you have a privacy concern, complaint or question for ti&m’s Chief Privacy Officer and EU Data Protection Officer, please contact us by using our web form. Our Data Protection Officer is located at ti&m AG, Data Protection Office, Buckhauserstr. 24, 8048 Zurich, Switzerland, e-mail: dpoffice@ti8m.ch. People living in the European Union may contact our representative: ti&m GmbH, Data Protection Office, Schaumainkai 91, 60596 Frankfurt am Main, Germany, e-mail: dpoffice@ti8m.ch. You can find ti&m’s data privacy rules at https://www.ti8m.com/en/data-protection. You can also raise a concern or lodge a complaint with a data protection authority or other official of your jurisdiction.