PRIVACY POLICY CORPORATE WEBSITE, MySSI SYSTEM WEBBASED AND MOBILE APP USE

Version 04.2022

Preamble and scope of this Privacy Policy

SSI International GmbH provides you with a variety of products and services in connection with diving and swimming. These products and services are inter alia offered online within the MySSI System (“MySSI System”) which consists of a corporate website under www.divessi.com (“website”), a browser solution with a registered user area under my.diveSSI.com, including its subdomains and micro-sites, databases and webshops (“MySSI”) as well as the MySSI App for mobile use (“MySSI App”).

This privacy policy applies for the freely accessible use of the website and to the MySSI System including the MySSI and MySSI App’s registered user area.

The following sections 1 to 7 including its Appendix (“Privacy Notice”) explain in general how we collect and use your personal data when you use the website, MySSI and MySSI App. The addendum contained in section 8 (“Californian Provisions”) contain additional provisions in compliance with the California Consumer Privacy Act (“CCPA”) that only apply to Californian residents. The Californian Provisions supplement the General Provisions but in the event of any conflict between the General Provisions and the Californian Provisions, the Californian Provisions shall prevail but only with regard to Californian residents.

If necessary, we will update this Privacy Policy with regards to the development of the MySSI System and according to changes in the legal situation and legal precedents. We therefore review this declaration at regular intervals to ensure that you have read the most up-to-date version.

PRIVACY NOTICE
1. General Provisions

1.0 Controller

The website, MySSI and the MySSI App are operated by SSI International GmbH as a controller pursuant to Art. 4 (7) EU General Data Protection Regulation (“GDPR”). (“SSI”, “we”, “us”). You can reach us as follows:

Address: Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany

Email: info@diveSSI.com

Tel: + 49-9129-909938-0

You can reach our data protection officer as follows:

Address: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany

Email: privacy@diveSSI.com

Please note that we jointly determine the purposes and means of the processing concerning the execution of training, providing training content and issuing certifications, including the delivery of the certifications to the students as well as the administration of certificates and personal data of the students in MySSI and MySSI App with SSI Authorized Training Centers. You can get a copy of the document which describes the essence of this arrangement, by contacting SSI at privacy@diveSSI.com.

1.1. What is personal data?

The GDPR and the corresponding national data protection laws -protect the fundamental rights and freedoms of individuals and their rights to the protection of personal data. Accordingly, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier. Names, addresses, telephone numbers, e-mail addresses, user IDs, credit card numbers, social media account IDs, user names, IP addresses, GPS data etc. are therefore considered as personal data.

1.2. For what purposes do we collect personal data in general and are you obligated to provide your personal data?

We collect specific personal data of our users of MySSI and MySSI App (“user” or “you”) for proactive use of the website and app as explained below in detail.

Please note that you are not legally obligated to provide us with your respective personal data. However, otherwise we cannot offer you the services incorporated in the website, MySSI and the MySSI App.

1.3. Cookies used on retrieving the website

We refer to the ease of use of our website. These cookies include associated cookies, performance cookies (which are used for analysis and statistics), as well as cookies for marketing (such as personalization and advertising) that belong to you personally on our website and help us to offer our online and advertising services manage.

We and third-party providers sometimes use these cookies to process personal data. These third-party providers also include Google LLC, which is based in the USA and carries out data processing there. The European Court of Justice has not certified the USA as having an adequate level of data protection. In particular, there is a risk that your data will be subject to access by US authorities for control and monitoring purposes and that no effective legal remedies are available. By clicking on “Accept all cookies”, you agree that cookies, as shown here, in the data protection information and under cookie settings, may be used on the website by us and by third parties (including in the USA). However, you can also edit your cookie settings - individually for each purpose and each provider - and decide whether and which cookies you want to consent (except for cookies that are absolutely necessary and cannot be deselected). In particular, you can decide whether you want to give your consent to the data transfer to the USA or not. To do this, select the item “Edit cookie settings“. Please note that based on the settings you have made yourself, it is possible that not all functions of the page are available.

This Cookie-Table has been created and updated by CookieFirst consent management platform

Further information can be found in our data protection information and in the cookie settings. You can revoke your consent at any time with future effect by adjusting your preferences under “Cookie Settings“ on our website.

If you have any questions or comments on this subject, please contact us using the contact details provided in point 7.1.

2. Handling personal data of registered users for proactive use of the MySSI system – web based and mobile app use

2.0 Collecting your data, when you contact us

When contacting us by email or via the contact form, we collect personal data that you have provided to us in this regard (e.g., name, email address, etc.) in order to respond to your inquiries. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

2.1. Collection of user data when participating in training programs

SSI provides the members – SSI Dive Centers or Resorts (“SSI Authorized Training Centers”) and SSI Professionals or Instructors (“Instructors”) – with a data collection software in the MySSI System on the diveSSI.com Website for training and certification purposes and cooperates with external companies to manage and improve the digital workflows of SSI digital learning products.

SSI provides the user with training programs – also called SSI digital learning products – as a browser solution in the MySSI System on the diveSSI.com Website or in the MySSI App for mobile devices.

SSI, SSI Authorized Training Centers, and/or Instructors can collect the following information from participants in SSI training programs:

Name, First Name,

Street, Post Box

Postcode, City

State, Country

Email Address

Telephone Numbers (optional)

Date of Birth

Salutation, Gender

Personal Photo

Language

SSI Master ID

Course Type, Course Progress

Certification Data (Number, Date, Instructor, Number of Dives at Certification Time, Year of Commencement of Diving)

SSI Authorized Training Center Affiliation

Current Geodata when Using different MySSI App Functions

Health Data

Insurance Data of Diving Specific Policies (when applicable)

SSI Membership Number (for Professionals)

Quality Assurance Data (for Professionals)

2.2. Use of user data when participating in training programs

MySSI LogIn

Your collected personal information, as described above, is automatically stored when you register yourself online in MySSI or in the MySSI App or when a SSI Authorized Training Center or an Instructor has registered you. A user profile with a personalized login (personal email address and password) is also automatically created. The personal account will be activated in order to enable yourself to check the status of your training progress and certification status at any time and to confirm the progress or certification at the respective SSI Authorized Training Center(s) you are affiliated to.

For the purpose of identifying you and to verify that you have all the necessary certificates in place to be eligible to dive we might share with other SSI Authorized Training Centers and potentially their affiliated instructors your personal data as described above, if you have given explicit consent and you have activated this option in your Privacy Settings in the MySSI account as explained in detail under point 2.4. The legal basis for sharing your data with other SSI Authorized Training Centers is your consent (Art. 6(1)(a) GDPR).

Once your data has been collected in MySSI, you will receive an automatically generated email from SSI with your username and password in order to activate your MySSI account. The activation of your account is mandatory for any SSI certification and assurances your access to the teaching content as well as your personal profile information (e.g., learning progress, accomplished certifications, educational level etc.).

The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the Digital Learning Platform

As part of the training and for the purpose of certification, the learning progress, completed performance requirements, examination results, etc. are recorded and stored. This data is accessible by the SSI Authorized Training Center that you have chosen and any affiliated instructors of the SSI Authorized Training Center, SSI, and the external service providers required to provide the service. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

As part of the SSI quality management, the participants/users will populate questionnaires about the training program by email. Additional information/documents like course progress, certification data, etc. and necessary correspondence for quality assurance as well as further educational opportunities. The described processing is based on our legitimate interest to promote further services offered by us to you (Art. 6 (1) (f) GDPR).

Within the Digital Learning System, users can voluntarily provide additional personal information on the individual pages of the training programs, take personal notes and ask questions about specific content, and share them with their SSI Authorized Training Center or instructor upon request. The processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

The MySSI System also allows the user to upload certain documents necessary for training and certification, which can also be viewed by other authorized persons, such as SSI, SSI Authorized Training Centers or instructors. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the Digital Certification and Document Functions

The MySSI System also allows the user to upload certain documents required for training and certification, such as proofs of First Aid, CPR, Oxygen Administration in Diving Emergencies and a Medical Statement signed by a practitioner, which may also be viewed by other authorized parties such as SSI, SSI Authorized Training Centers or Instructors, based on the personal settings in the Privacy function.

The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR) except for the processing of your medical statement. With regards to the latter the legal basis of the processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

Use of the Digital DiveLog Function with GPS Data Transmission

When using the DiveLog (digital logbook) function with the location/location-sharing-function activated by the user on the user’s smartphone and/or tablet and for the purpose of identifying available dive spots and logging of dives for you, we process when using the DiveLog:

Your GPS or location data, as far as you have activated the location transmission function on the smartphone and/or tablet,

Legal basis for described processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

By activating the Share Functions of the personal profile as a dive buddy, geo gata of the diving spot, maximum depth and time and the name and last name of the diver who shared the data and logged dive data can be shared with the dive buddy via QR Code Scan between the personal mobile devices.

The described processing is necessary for the performance of a contract (Article 6 (1) (b) GDPR).

2.3. Use of user data when using MySSI services

Use of the Equipment Function

You can upload the following information to MySSI and MySSI App:

a) personal equipment and relating data like brand, model, description, serial number, purchase date, dealer/store, etc.,

b) certain equipment related documents such as proofs for service and maintenance, warranty certificates, copies of purchase invoices, etc.,

We process the data specified in points a) – b) for the purpose of being able to offer you the services in the “Equipment” function. Legal basis for this processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

Use of the SSI Authorized Training Center Locator and Event Calendar Functions with GPS Data Transmission

GPS information received about a user’s location (when activated by the user) will be used in order to provide the user with the requested information, e.g. the Dive Center Locator. The Event Calendar will request GPS data to locate the nearest SSI Authorized Training Center or event. The GPS data will only be used for theses specific purposes and is stored as long as necessary on that account. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

Tailored marketing communication from SSI or third parties and product improvement

SSI collects your postcode, city, state, country, date of birth, course type, course progress, SSI authorized training center affiliation, current geodata and the data mentioned above in section 2.3 to identify your interests to provide you with customized advertising materials via newsletters, or in the app, or in your personal dashboard and special offers based on your interests. The legal basis of the processing activity is your consent if provided (Art. 6 (1) (a) GDPR). Additionally, SSI collects the data mentioned in this paragraph to be able to improve MySSI System and SSI products and services. The legal basis for this processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

Subject to your consent SSI shares your postcode, city, state, country, date of birth, course type, course progress, SSI authorized training center affiliation, current geodata and the data mentioned above in section 2.3 a) and b) with Mares and other companies of the Head group (please see section 3 below) to enable them to send you personalised advertising via newsletters, or in the app, or in your personal dashboard related to training, products and services. This includes, for example, advertisements for dive insurance, diver memberships, local training programmes and events conducted by SSI’s authorised training centers, etc. Legal basis for this processing activity is consent (Art. 6 (1) (a) GDPR).

In addition, if you use MySSI equipment you can deposit planned equipment purchases and specific equipment preferences in the app, which can be passed to manufacturers of the corresponding equipment as summarized data, or the individual interests indicated in the dive log and dive sites sections may be used to provide personalized diving travel offers. Legal basis for this processing activity is consent (Art. 6 (1) (a) GDPR).

2.4. Personal Privacy Settings – Disclosure to other App users and processing of anonymised data

Registered users of MySSI and MySSI App can select the confidentiality level of most of their information in their profile settings by defining visibility settings like “Everyone” (visible for everybody), “Buddies” (visible for accepted buddies) or “Private” (only visible to the user). The default pre-setting of the MySSI System for new users is always „Private“, so that the new user must actively allow higher visibility levels. When the profile is set to “Private” only anonymized data is processed about the respective use, in order to determine trends, usage patterns, frequency of use and regional activities.

2.5. Disclosure to other SSI Authorized Training Centers

Subject to your consent, and for the purposes described below we will make available your personal data namely Name, First Name, Street, Postbox, Postcode, City, State, Country, Email Address, Telephone Numbers (optional), Date of Birth, Personal Photo, Language, Gender, SSI Master ID, Course Type, Course Progress, Certification Data, (Number, Date, Instructor, Number of Dives at Certification Time, Year of Commencement of Diving), Dive Center Assignment and other personal information provided by you voluntarily via the MySSI and MySSI App, e.g. Insurance Data Of Diving Specific Policies (if applicable) to other SSI Service Centers (please find an overview of all SSI Service Centers here: https://my.divessi.com/ssi) around the world and also Authorized SSI Training Centers, if you choose to affiliate or do business with them (please find an overview of all Authorized SSI Training Centers here: https://my.divessi.com/divecenter).

Subject to your consent we provide access to your data as described above to other Authorized SSI Training Centers worldwide which you are affiliated to or do business with in order to identify you verify or confirm the status of training and certification and to offer you appropriate trainings or services based on your personal status or training progress regarding his/her diving activities and/or certifications.

Please note that not all recipients (SSI Authorized Training Centers) have established an adequate level of data protection. Sharing your data is subject to your freely given consent. Also please note that SSI Authorized Training Centers can only access your data on your request and when providing your name and birthday for identification. Legal basis for the described processing is your consent (Art. 6 (1) (a) GDPR).

2.6. No processing of personal data from individuals who are under the age of 18

SSI does not process personal data from individuals under the age of 18 who participate in SSI training programs.

The conduct of SSI companies on this subject is in accordance with the “Children’s Online Privacy Protection Act” (COPPA) introduced in 2000. This law on the protection of children’s privacy on the internet is respected and applied by SSI. Further information about COPPA can be found at: http://www.coppa.org

3. Transfer of your personal data to third parties

SSI transmits your personal data to external performance agents or service providers. When third parties are processing data on behalf of SSI, SSI will enter into data processing agreements with them to ensure that the user´s/student´s information is used in accordance with the SSI Privacy Policy.

SSI transfers data to the following recipients

SSI Service Centers (please find an overview of all SSI Service Centers here: https://my.divessi.com/ssi)

SSI Training Centers (please find an overview of all Authorized SSI Training Centers here: https://my.divessi.com/divecenter)

IT service providers and/or providers of data hosting services;

service providers of software solutions who also support us in providing our services (incl. providers of marketing tools, marketing agencies, communication service providers and call centers);

companies of the HEAD group;

Mares SpA (Salita Bonsen 4, 16035, Rapallo (GE), Italy)

LiveAboard.com BV (Keizersgracht 307-2, 1016 ED Amsterdam, the Netherlands)

third parties who are fulfilling our obligations in regard to services provided to you (e.g., parcel service providers for the shipment of your certificate, payment service providers and banks for payment processing);

other third parties (e.g., auditors, insurance companies, legal representatives etc.);

officials and other public bodies if required by law (e.g., tax authorities etc.).

4. Transfer of your personal data to third parties outside of the EU/EEA

We transmit your personal data companies and other contractual partners outside of the EU/EEA for the verification of your SSI training status and certifications, for the provision of our services, the operation of the MySSI and MySSI App, the handling of your order, the maintenance of our IT systems and software etc. However, such transmission does not change anything in our obligation to protect your personal data in accordance with this Privacy Notice. If your personal data is transmitted outside of the EU/EEA, we guarantee an adequate measure of security by forwarding them to countries that have an appropriate level of protection based on confirmation by the European Commission or by concluding a transfer agreement incorporating the European Commission’s Standard Contractual Clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=de (for controller to processor transfers) and https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=DE (for controller to controller transfers) between us and the legal person outside of the EU/EEA who receives the data. In other cases, the data transfer might be based Art. 49 (1) 1 GDPR. You may receive a copy of the suitable guarantees by sending an e-mail to privacy@divessi.com.

5. Data Security

MySSI operates in encrypted https-format. Additionally, we take appropriate technical and organisational security measures to protect your personal data from unintentional or unauthorized deletion or modification, and from loss, theft and unauthorized viewing, forwarding, reproduction, use, alteration or access. We and our employees are also bound to data secrecy and confidentiality. Likewise, performance agents and authorized agents who must have access to your personal data to fulfil their professional duties will be subject to the same obligations to observe data secrecy and confidentiality.

6. Data Retention period

SSI stores your data as long as your MySSI account is active and SSI will keep your data for the duration of the contractual relationship you have with us. Laws may require SSI to hold certain information for specific periods. In other cases, SSI may retain data for an appropriate period after any relationship with you ends to protect itself from legal claims, or to administer its business.

In case a registered user does not activate the MySSI account and does not get certified within 12 months after registration, the account and user data will be automatically deleted from the MySSI System.

7. Your rights

You have the following data subject rights in relation to your personal data processed by us:

you have the right to access your personal information and to receive a copy of the personal data processed by us, Art. 15 GDPRs;

If your personal data which we are processing is incorrect or no longer current, you have the right to rectification, Art. 16 GDPR;

you have the right to obtain erasure of your data (“right to be forgotten”), Art. 17 GDPR;

you have the right to receive your personal data in a structured, commonly used and machine-readable format and you have the right that we transmit your data to another controller Art. 20 GDPR;

you have the right to obtain from us the restriction of processing where the prerequisites are met, Art. 18 GDPR;

you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects, Art. 22 GDPR;

Your right to object, Art. 21 GDPR:

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If we process your data for legitimate purposes, you also have the right to object this processing at any time if grounds for this arise from your specific situation.

So that we can process your inquiry regarding your rights specified above and ensure that personal data is not given to unauthorized third parties, please address the inquiry with clear identification of your person and with a short description regarding the scope of the exercise of your data subject rights listed above.

Your right to lodge a complaint

You also have the right to lodge a complaint with the competent data protection authority, in particular the data protection authority in the Member State of your habitual residence or place of work, if you are of the opinion that the processing of the personal data about you violates the applicable data protection laws.

Your right to withdraw your consent

If you have given us your consent for a certain processing activity you can withdraw it at any time (Art. 7 (3) GDPR). The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

7.1. Contact details of Controller and Data Protection Officer

If you have any questions about the processing of your personal data, please feel free to contact us or our data protection officer via email: privacy@diveSSI.com or letter: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany.

8. Californian Provisions

8.1. Categories of personal information we collect, where we collect it from, why we collect it, and who we share it with

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“personal information”).

We use the personal information we collect for our operational purposes or other purposes set out in this privacy notice. Those purposes may include:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Undertaking internal research for technological development and demonstration.

(6) Undertaking activities to verify, improve, upgrade, enhance, or maintain the quality or safety of our products or services.

To help you understand our privacy practices, the following table shows, for the past twelve (12) months: which categories of personal information we have collected, the categories of sources from which we collected personal information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we have shared personal information:

Category of Personal Information

Sources

Purposes

Third parties shared with

Identifiers such as name, email, address, PTR number, and PPR number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Third parties that help us market or advertise our products and services

Categories of personal information described in Cal. Civ. Code § 1798.80(e) such as name, email, address, credit card number or other payment information, and telephone number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Characteristics of protected classifications under California or federal law such as age and gender.

Consumer

To provide product offerings or services at events we sponsor.

To provide you with newsletters or other mailings.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Commercial information such as, e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

Internet or other electronic network activity information such as e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement

8.2. Disclosure of personal information

In the past twelve (12) months, we have disclosed the following categories of personal information of California consumers for a business purpose:

Identifiers

Categories of personal information described in Cal. Civ. Code § 1798.80(e)

Characteristics of protected classifications under California or federal law

8.3. Do Not Track

Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. Instead, we collect, use, and share information as described in this privacy notice regardless of a “do not track” choice.

8.4. Your rights under California law

You have the right to ask us to send you the following information:

The personal information we have collected, used, or disclosed about you.

The categories of personal information we have collected about you.

The categories of sources from which we collected the personal information.

Our business or commercial purpose for collecting personal information.

The categories of third parties with whom we share personal information.

The specific pieces of person information we have collected about you.

You have the right to ask us to delete the personal information about you that we have collected or that we maintain.

We do not, and will not, sell your personal information. Therefore, we don`t provide a mechanism to opt-out of sales of personal information.

8.5. Non-discrimination

Your privacy rights are important. If you exercise your privacy rights under California law, we will not do anything of the following inresponse:

APPENDIX

Link to the list of SSI Service Centers – https://my.divessi.com/ssi

Link to the list of Authorized SSI Training Centers – https://www.divessi.com/dealer-locator

Link to the document describing the essence of the applicable joint controller agreement – https://my.divessi.com/ssi_dc_joint_controller_agreement