PRIVACY POLICY CORPORATE WEBSITE, MySSI SYSTEM WEBBASED AND MOBILE APP USE

Version 04.2022

Preamble and scope of this Privacy Policy

SSI International GmbH provides you with a variety of products and services in connection with diving and swimming. These products and services are inter alia offered online within the MySSI System (“MySSI System”) which consists of a corporate website under www.divessi.com (“website”), a browser solution with a registered user area under my.diveSSI.com, including its subdomains and micro-sites, databases and webshops (“MySSI”) as well as the MySSI App for mobile use (“MySSI App”).

This privacy policy applies for the freely accessible use of the website and to the MySSI System including the MySSI and MySSI App’s registered user area.

The following sections 1 to 7 including its Appendix (“Privacy Notice”) explain in general how we collect and use your personal data when you use the website, MySSI and MySSI App. The addendum contained in section 8 (“Californian Provisions”) contain additional provisions in compliance with the California Consumer Privacy Act (“CCPA”) that only apply to Californian residents. The Californian Provisions supplement the General Provisions but in the event of any conflict between the General Provisions and the Californian Provisions, the Californian Provisions shall prevail but only with regard to Californian residents.

If necessary, we will update this Privacy Policy with regards to the development of the MySSI System and according to changes in the legal situation and legal precedents. We therefore review this declaration at regular intervals to ensure that you have read the most up-to-date version.

PRIVACY NOTICE
1. General Provisions

1.0 Controller

The website, MySSI and the MySSI App are operated by SSI International GmbH as a controller pursuant to Art. 4 (7) EU General Data Protection Regulation (“GDPR”). (“SSI”, “we”, “us”). You can reach us as follows:

Address: Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany

Email: info@diveSSI.com

Tel: + 49-9129-909938-0

You can reach our data protection officer as follows:

Address: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany

Email: privacy@diveSSI.com

Please note that we jointly determine the purposes and means of the processing concerning the execution of training, providing training content and issuing certifications, including the delivery of the certifications to the students as well as the administration of certificates and personal data of the students in MySSI and MySSI App with SSI Authorized Training Centers. You can get a copy of the document which describes the essence of this arrangement, by contacting SSI at privacy@diveSSI.com.

1.1. What is personal data?

The GDPR and the corresponding national data protection laws -protect the fundamental rights and freedoms of individuals and their rights to the protection of personal data. Accordingly, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier. Names, addresses, telephone numbers, e-mail addresses, user IDs, credit card numbers, social media account IDs, user names, IP addresses, GPS data etc. are therefore considered as personal data.

1.2. For what purposes do we collect personal data in general and are you obligated to provide your personal data?

We collect specific personal data of our users of MySSI and MySSI App (“user” or “you”) for proactive use of the website and app as explained below in detail.

Please note that you are not legally obligated to provide us with your respective personal data. However, otherwise we cannot offer you the services incorporated in the website, MySSI and the MySSI App.

1.3. Cookies used on retrieving the website

We refer to the ease of use of our website. These cookies include associated cookies, performance cookies (which are used for analysis and statistics), as well as cookies for marketing (such as personalization and advertising) that belong to you personally on our website and help us to offer our online and advertising services manage.

We and third-party providers sometimes use these cookies to process personal data. These third-party providers also include Google LLC, which is based in the USA and carries out data processing there. The European Court of Justice has not certified the USA as having an adequate level of data protection. In particular, there is a risk that your data will be subject to access by US authorities for control and monitoring purposes and that no effective legal remedies are available. By clicking on “Accept all cookies”, you agree that cookies, as shown here, in the data protection information and under cookie settings, may be used on the website by us and by third parties (including in the USA). However, you can also edit your cookie settings - individually for each purpose and each provider - and decide whether and which cookies you want to consent (except for cookies that are absolutely necessary and cannot be deselected). In particular, you can decide whether you want to give your consent to the data transfer to the USA or not. To do this, select the item “Edit cookie settings“. Please note that based on the settings you have made yourself, it is possible that not all functions of the page are available.

This Cookie-Table has been created and updated by CookieFirst consent management platform

Further information can be found in our data protection information and in the cookie settings. You can revoke your consent at any time with future effect by adjusting your preferences under “Cookie Settings“ on our website.

If you have any questions or comments on this subject, please contact us using the contact details provided in point 7.1.

2. Handling personal data of registered users for proactive use of the MySSI system – web based and mobile app use

2.0 Collecting your data, when you contact us

When contacting us by email or via the contact form, we collect personal data that you have provided to us in this regard (e.g., name, email address, etc.) in order to respond to your inquiries. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).

2.1. Collection of user data when participating in training programs

SSI provides the user with training programs – also called SSI digital learning products – as a browser solution in the MySSI System on the diveSSI.com Website or in the MySSI App for mobile devices.

SSI provides the members – SSI Dive Centers or Resorts (“SSI Authorized Training Centers”) and SSI Professionals or Instructors (“Instructors”) – with a data collection software in the MySSI System on the diveSSI.com Website for training and certification purposes and cooperates with external companies to manage and improve the digital workflows of SSI digital learning products.

SSI, SSI Authorized Training Centers, and/or Instructors can collect the following information from participants in SSI training programs:

Name, First Name,

Street, Post Box

Postcode, City

State, Country

Email Address

Telephone Numbers (optional)

Date of Birth

Salutation, Gender

Personal Photo

Language

SSI Master ID

Course Type, Course Progress

3. Transfer of your personal data to third parties

SSI transmits your personal data to external performance agents or service providers. When third parties are processing data on behalf of SSI, SSI will enter into data processing agreements with them to ensure that the user´s/student´s information is used in accordance with the SSI Privacy Policy.

SSI transfers data to the following recipients

SSI Service Centers (please find an overview of all SSI Service Centers here: https://my.divessi.com/ssi)

SSI Training Centers (please find an overview of all Authorized SSI Training Centers here: https://my.divessi.com/divecenter)

IT service providers and/or providers of data hosting services;

service providers of software solutions who also support us in providing our services (incl. providers of marketing tools, marketing agencies, communication service providers and call centers);

companies of the HEAD group;

Mares SpA (Salita Bonsen 4, 16035, Rapallo (GE), Italy)

LiveAboard.com BV (Keizersgracht 307-2, 1016 ED Amsterdam, the Netherlands)

third parties who are fulfilling our obligations in regard to services provided to you (e.g., parcel service providers for the shipment of your certificate, payment service providers and banks for payment processing);

other third parties (e.g., auditors, insurance companies, legal representatives etc.);

officials and other public bodies if required by law (e.g., tax authorities etc.).

4. Transfer of your personal data to third parties outside of the EU/EEA

We transmit your personal data companies and other contractual partners outside of the EU/EEA for the verification of your SSI training status and certifications, for the provision of our services, the operation of the MySSI and MySSI App, the handling of your order, the maintenance of our IT systems and software etc. However, such transmission does not change anything in our obligation to protect your personal data in accordance with this Privacy Notice. If your personal data is transmitted outside of the EU/EEA, we guarantee an adequate measure of security by forwarding them to countries that have an appropriate level of protection based on confirmation by the European Commission or by concluding a transfer agreement incorporating the European Commission’s Standard Contractual Clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=de (for controller to processor transfers) and https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=DE (for controller to controller transfers) between us and the legal person outside of the EU/EEA who receives the data. In other cases, the data transfer might be based Art. 49 (1) 1 GDPR. You may receive a copy of the suitable guarantees by sending an e-mail to privacy@divessi.com.

5. Data Security

MySSI operates in encrypted https-format. Additionally, we take appropriate technical and organisational security measures to protect your personal data from unintentional or unauthorized deletion or modification, and from loss, theft and unauthorized viewing, forwarding, reproduction, use, alteration or access. We and our employees are also bound to data secrecy and confidentiality. Likewise, performance agents and authorized agents who must have access to your personal data to fulfil their professional duties will be subject to the same obligations to observe data secrecy and confidentiality.

6. Data Retention period

SSI stores your data as long as your MySSI account is active and SSI will keep your data for the duration of the contractual relationship you have with us. Laws may require SSI to hold certain information for specific periods. In other cases, SSI may retain data for an appropriate period after any relationship with you ends to protect itself from legal claims, or to administer its business.

In case a registered user does not activate the MySSI account and does not get certified within 12 months after registration, the account and user data will be automatically deleted from the MySSI System.

7. Your rights

You have the following data subject rights in relation to your personal data processed by us:

you have the right to access your personal information and to receive a copy of the personal data processed by us, Art. 15 GDPRs;

If your personal data which we are processing is incorrect or no longer current, you have the right to rectification, Art. 16 GDPR;

you have the right to obtain erasure of your data (“right to be forgotten”), Art. 17 GDPR;

you have the right to receive your personal data in a structured, commonly used and machine-readable format and you have the right that we transmit your data to another controller Art. 20 GDPR;

you have the right to obtain from us the restriction of processing where the prerequisites are met, Art. 18 GDPR;

you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects, Art. 22 GDPR;

Your right to object, Art. 21 GDPR:

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If we process your data for legitimate purposes, you also have the right to object this processing at any time if grounds for this arise from your specific situation.

So that we can process your inquiry regarding your rights specified above and ensure that personal data is not given to unauthorized third parties, please address the inquiry with clear identification of your person and with a short description regarding the scope of the exercise of your data subject rights listed above.

Your right to lodge a complaint

You also have the right to lodge a complaint with the competent data protection authority, in particular the data protection authority in the Member State of your habitual residence or place of work, if you are of the opinion that the processing of the personal data about you violates the applicable data protection laws.

Your right to withdraw your consent

If you have given us your consent for a certain processing activity you can withdraw it at any time (Art. 7 (3) GDPR). The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

7.1. Contact details of Controller and Data Protection Officer

If you have any questions about the processing of your personal data, please feel free to contact us or our data protection officer via email: privacy@diveSSI.com or letter: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany.

8. Californian Provisions

8.1. Categories of personal information we collect, where we collect it from, why we collect it, and who we share it with

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“personal information”).

We use the personal information we collect for our operational purposes or other purposes set out in this privacy notice. Those purposes may include:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Undertaking internal research for technological development and demonstration.

(6) Undertaking activities to verify, improve, upgrade, enhance, or maintain the quality or safety of our products or services.

To help you understand our privacy practices, the following table shows, for the past twelve (12) months: which categories of personal information we have collected, the categories of sources from which we collected personal information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we have shared personal information:

Category of Personal Information

Sources

Purposes

Third parties shared with

Identifiers such as name, email, address, PTR number, and PPR number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Third parties that help us market or advertise our products and services

Categories of personal information described in Cal. Civ. Code § 1798.80(e) such as name, email, address, credit card number or other payment information, and telephone number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Characteristics of protected classifications under California or federal law such as age and gender.

Consumer

To provide product offerings or services at events we sponsor.

To provide you with newsletters or other mailings.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Commercial information such as, e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

Internet or other electronic network activity information such as e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement

8.2. Disclosure of personal information

In the past twelve (12) months, we have disclosed the following categories of personal information of California consumers for a business purpose:

Identifiers

Categories of personal information described in Cal. Civ. Code § 1798.80(e)

Characteristics of protected classifications under California or federal law

8.3. Do Not Track

Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. Instead, we collect, use, and share information as described in this privacy notice regardless of a “do not track” choice.

8.4. Your rights under California law

You have the right to ask us to send you the following information:

The personal information we have collected, used, or disclosed about you.

The categories of personal information we have collected about you.

The categories of sources from which we collected the personal information.

Our business or commercial purpose for collecting personal information.

The categories of third parties with whom we share personal information.

The specific pieces of person information we have collected about you.

You have the right to ask us to delete the personal information about you that we have collected or that we maintain.

We do not, and will not, sell your personal information. Therefore, we don`t provide a mechanism to opt-out of sales of personal information.

8.5. Non-discrimination

Your privacy rights are important. If you exercise your privacy rights under California law, we will not do anything of the following inresponse:

APPENDIX

Link to the list of SSI Service Centers – https://my.divessi.com/ssi

Link to the list of Authorized SSI Training Centers – https://www.divessi.com/dealer-locator

Link to the document describing the essence of the applicable joint controller agreement – https://my.divessi.com/ssi_dc_joint_controller_agreement