Data & Privacy - On Spaces App


Data & Privacy Document - On Spaces App

Document Purpose


This document

· Describes the GDPR-related roles of participants in a Thing-it project, and the software solution configured in this project,

· Provides information on how Thing-it addresses GDPR-related requirements and obligations, and

· Provides additional information which is relevant for other GDPR participants and their communication to clients and users.

This document does not contain legal advice, nor does Thing-it provide any. It does, however, contain the information the customer needs to obtain a legal opinion and to define its position towards its own customers regarding GDPR responsibilities.



GDPR Roles


Thing-It Technologies Customer as a Controller


ON AG owns and/or manages a facility or parts of a facility (a building). ON AG intends to provide services for the purposes specified below to users of that facility via a software solution consisting of a mobile app and a browser portal.


From that perspective, ON AG acts as a Controller of user (personal) data in the sense of GDPR.

Thing-It as Processor


Thing-it provides the Cloud Platform which enables ON AG to configure and operate such solutions for purposes as listed below.


In that regard, Thing-it acts as a processor of user (personal) data on behalf of ON AG in the sense of GDPR.


Thing-It Technologies Sub-processors


Thing-it production infrastructure is currently hosted entirely on the Amazon Web Services Cloud Platform. In particular, all personal information is processed and stored on AWS data centres.

Hence, AWS is a sub-processor for Thing-it from a GDPR standpoint.

AWS is certified by the following procedures and standards: ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5).

The AWS Standard Contractual Clauses can be obtained from Thing-it separately.



Purpose of Data Processing in Thing-it


Use Cases


1. Smart Booking


e-shelter security supports a variety of booking scenarios, ranging from workstations and meeting rooms to parking spaces.


ON AG has chosen the smart booking use case to allow office employees to book desks, meeting rooms, and parking spaces. Check-in for booked desks is possible via blue-up beacons. The client has defined a role structure/category that grants users access to bookable resources accordingly.


The booking rules are customizable: the time windows for booking resources can be configured according to the client's requirements.



2. Indoor Navigation


The purpose of the Bluetooth beacon is to find the user's location and perform an automatic check-in for the desks.


With the Bluetooth beacon data, the users can locate themselves and their office employees (if allowed) in a virtually designed environment (in the Thing-it application) and, if desired, even share their location with other users.

Moreover, the user can navigate to various points of interest (spaces/spots/places) by using this use case in the application.



3. Dashboards


Dashboards allow the analysis of a variety of occupancy KPIs for all bookable resources. Thanks to slicing and dicing capabilities for demand analysis, the dashboards offer detailed occupancy and demand analysis per building, department, bookable resource, etc.


All occupancy data, secured via the role and rights system, is also available to 3rd-party apps via the Thing-it API. Access to the dashboards is restricted via role and rights assignments. In this way, occupancy or energy consumption data can be made available to individual tenants exclusively for specific areas.



4. Manual Ticketing Request


The Thing-it platform enables the flexible configuration of business processes via the Business Process Model and Notation (BPMN) 2.0 standard. All configured users can start these processes via the Thing-it application.

5. Groupware Integration


Thing-it transparently integrates with key authentication services and identity providers such as SAML (used by ON AG).


This means that security requirements such as multi-factor authentication can be specified and configured independently of Thing-it, using the company's own credentials.


Groupware and Booking Systems Integration


Thing-it manages booking information, which companies usually also maintain in a corresponding groupware or booking system. For transparent synchronization, Thing-it supports bidirectional integration with Google Calendar (Q3/21) and Google exchange calendars for resources.

Users and Customers


One of the main capabilities of Thing-it is to allow interaction between users in many different roles, in the many different contexts and for the purposes listed above. To achieve that, the Customer, ON AG (i.e., the GDPR Controller), can


· Add users who are members or employees of the Customer, or who act on the Customer's behest, to Thing-it,

· Configure software solutions (Meshes) in Thing-it (e.g., a building or a city quarter),

· Assign entitlements to perform the above use cases in those solutions to arbitrary users of arbitrary customers, e.g., to invite guests to the building.

Accordingly, the responsibility of ON AG (as GDPR Controller) is limited to its own users and to whatever arbitrary users do in its solution. ON AG has to obtain consent from its users according to the described context.

If, for example, ON AG has created a solution for a building (and owns that solution from an IP perspective), using that solution establishes all GDPR responsibilities between ON AG and the respective user, even if that user belongs to another customer, e.g., a tenant in the building or a service provider to the building. Those other customers may themselves have configured solutions for their own or other users.

Stored and processed Data


The following table contains details about the data processing to fulfil the above purpose:

Use Cases

*Required for Consent Form **Described in more detail below

Platform Administrator in the table above is an Administrator (i.e., a member of the DevOps organization) of Thing-it who has data access for administration purposes.

User Data Deletion

Deletion on User Request


A user may request the immediate deletion of his/her data from ON AG. ON AG passes the request on to e-shelter security, which invalidates the user in the Thing-it Portal.

Technically, invalidation of a user is implemented as anonymization of the user data, i.e., replacement of the user's


· First name,

· Last name,

· Gender,

· Alias and

· E-mail/account

by random data, as well as deletion of the user's

· Photo- if provided,

· Phone number- if provided,

· Other personal data - if provided,

· Chat contributions

· As well as deletion of all user location data if any.

Business process data explicitly or implicitly created by the user, such as

· Contributions to wiki pages,

· Filed incidents or

· Orders of services and products

are not deleted. However, references to the user (e.g., as author or initiator) are redirected to a single technical user object that is not related to the user. This preserves data integrity while completely anonymizing the user.
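The deletion steps above, implemented as an added illustration (this is not Thing-it's code; the in-memory data model, the field names and the id of the technical user object are assumptions):

```python
import secrets

# Assumption: the single technical user object to which business-process
# references are redirected carries this placeholder id (not from the page).
TECHNICAL_USER = "technical-user"

RANDOMIZED = ("first_name", "last_name", "gender", "alias")  # replaced by random data
DELETED = ("photo", "phone", "other_personal_data")          # removed if provided
REDIRECTED = ("wiki", "incidents", "orders")                 # kept, author redirected


def sample_store():
    """Constructed in-memory data model for the demo (not Thing-it's schema)."""
    return {
        "users": {"u1": {"first_name": "Ada", "last_name": "Lovelace", "gender": "f",
                         "alias": "ada", "email": "ada@example.com",
                         "photo": b"jpeg-bytes", "phone": "+49 0000"},
                  "u2": {"first_name": "Bob", "last_name": "Berg", "gender": "m",
                         "alias": "bob", "email": "bob@example.com"}},
        "locations": [("u1", "dev-1", (3.0, 4.5)), ("u2", "dev-2", (1.0, 1.0))],
        "chats": [("u1", "room 4 is free"), ("u2", "thanks")],
        "wiki": [("u1", "Parking rules")],
        "incidents": [("u1", "Projector broken")],
        "orders": [("u2", "Coffee")],
    }


def invalidate_user(store, user_id):
    """Anonymize one user in place and return the store."""
    user = store["users"][user_id]
    for f in RANDOMIZED:                 # identity fields -> unguessable random data
        user[f] = secrets.token_hex(8)
    # .invalid is reserved (RFC 2606), so the random account can never route anywhere
    user["email"] = secrets.token_hex(8) + "@anonymized.invalid"
    for f in DELETED:                    # optional personal data deleted outright
        user.pop(f, None)
    # chat contributions and all location data (user <-> device <-> position) are deleted
    store["chats"] = [row for row in store["chats"] if row[0] != user_id]
    store["locations"] = [row for row in store["locations"] if row[0] != user_id]
    # business-process data is kept; author references move to the technical user
    for kind in REDIRECTED:
        store[kind] = [(TECHNICAL_USER if row[0] == user_id else row[0],) + row[1:]
                       for row in store[kind]]
    return store
```

Other users' records are untouched, so a second invalidation of a different user can run against the same store.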

Deletion on Termination of the Processor Relationship


In case ON AG terminates the agreement with Thing-it (and hence no longer intends to use and operate the corresponding software solutions), all data of ON AG users/employees in the Thing-it portal (Meshes) is purged. Users belonging to other customers according to the schema described above are not purged; however, their data regarding participation in all of the Customer's solutions (Meshes) is purged.

Prior to the purge, ON AG can obtain a complete copy of the Customer data (including the data of ON AG's users/employees) on media.

User Consent


Solution-specific Consent


According to the use cases the configuration of a solution (Mesh) supports, ON AG, in its role as Controller, needs to obtain the user's consent for the data processing, should the user intend to use the corresponding functionality.

The content of the consent is ON AG's sole responsibility; however, the content of this document might (and should) be used to assemble it.

Thing-it allows consent forms to be specified and requests a grant from the user whenever a new version of the consent form is created for a solution or the current consent form is amended. The grant is requested on the user's next attempt to access the solution for which the consent has been created or amended.

Every consent granted by a user is recorded with the time of the grant.

General Service-specific Consents


The consent form may also refer to services of the solution which the user can explicitly activate or deactivate later, and explain that activating such a service implies consent to the corresponding stipulations in the consent form, should the user activate that functionality.

These services and the corresponding consents are described below.

Immediately after installation and opening the App, the Login Page is displayed. As Thing-it uses Bluetooth, the phone's Operating System will almost immediately request consent from the user, as shown below:


After the initial login access consent, three more Operating System services are requested via the corresponding Operating System dialogs. Thing-it also provides additional information on each specific page during installation of the App, and during configuration after login, regarding Location Services.


Thing-it uses the phone's Motion Data functionality to optimize battery usage. In iOS the same function is referred to as 'Fitness and Motion Data'.


In the next step, the user is given the option to activate Push Notifications. The option is activated or deactivated according to the user's preference.


Only after the dialogs shown above does the Thing-it application issue a configurable solution-specific consent dialog, which displays the consent request to the user. The order of the dialog boxes differs between Operating Systems.

After confirming the solution-specific consent dialog, the user can use the App. While using the App, there are two more places where additional consent is required to activate functionality (and can be revoked at any time afterwards), namely the 'Find me' functionality.


In the 'Settings' section, the following options are available, as seen in the screenshot. By selecting the 'Visibility Preference', the user confirms sharing of their location.


After activation of the services, a dialog box appears confirming that the service has been activated.


By enabling or disabling these services, i.e., the indoor location services (to find other people and things) and the geofence services (to activate the App when approaching a building), the phone's operating system obtains the consent to use the user's location.



Profiling via Sensor Data


Although sensor data are not personal data of a user, they do contain data on the following:


· Use of room controls or

· General occupancy of a room or space

Together with room assignment data, specifically for offices with a small number of employees or fixed desk assignments, such data can be used to create long-term profiles of user behaviour.

To avoid this kind of profiling, Thing-it allows you to configure sensor data processing so that:


· Data from sensors in rooms of a certain category (e.g., Office) and capacity (e.g., less than or equal to 4) are not recorded at all, or

· Are only collected temporarily/transiently and immediately accumulated into more coarse-grained aggregates.
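Both configuration options, drop and aggregate, as an added example of how such a per-category/capacity policy can be enforced on a stream of sensor readings (this is not Thing-it's configuration syntax; the policy rules, room catalogue and readings are constructed):

```python
from collections import defaultdict

# Constructed policy (assumed format): rooms of the given category whose capacity
# is at most max_capacity are either not recorded at all or only aggregated.
POLICY = [
    {"category": "Office", "max_capacity": 4, "action": "drop"},
    {"category": "MeetingRoom", "max_capacity": 6, "action": "aggregate"},
]

ROOMS = {  # constructed room catalogue: room id -> (category, capacity, floor)
    "R101": ("Office", 2, "F1"),
    "R102": ("Office", 12, "F1"),
    "R201": ("MeetingRoom", 4, "F2"),
}

READINGS = [  # constructed occupancy sensor stream: (timestamp, room id, occupied)
    ("2024-01-08T09:05", "R101", True),
    ("2024-01-08T09:10", "R102", True),
    ("2024-01-08T09:15", "R201", True),
    ("2024-01-08T09:40", "R201", False),
    ("2024-01-08T10:05", "R201", True),
]


def action_for(room_id):
    """First matching policy rule wins; unmatched rooms are recorded normally."""
    category, capacity, _floor = ROOMS[room_id]
    for rule in POLICY:
        if rule["category"] == category and capacity <= rule["max_capacity"]:
            return rule["action"]
    return "record"


def process(readings):
    """Return (raw_rows, aggregates).

    Raw per-room rows are kept only where the policy allows it. 'aggregate' rooms
    contribute solely to an hourly per-floor count of occupied samples, so no
    per-room time series ever exists for small rooms; 'drop' rooms leave no trace."""
    raw, agg = [], defaultdict(int)
    for ts, room_id, occupied in readings:
        action = action_for(room_id)
        if action == "drop":
            continue
        if action == "aggregate":
            if occupied:
                agg[(ROOMS[room_id][2], ts[:13])] += 1   # key: (floor, "YYYY-MM-DDTHH")
            continue
        raw.append((ts, room_id, occupied))
    return raw, dict(agg)
```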

Indoor Location Data


Users of the Thing-it App can opt in/out to share their indoor location with other users to be found in offices or other facilities.


When the user opts in, a Thing-it-specific Device ID for the user’s mobile devices and henceforth location data for these devices are stored by Thing-it with that user and the locations are exposed to other users.


Once the user opts out, the connection between the location data, the devices and the user is purged instantaneously, and the user can no longer be located by other users.


Use of Geolocation Data


As of Release 2.24.0 of the Thing-it Mobile App, Thing-it no longer obtains or stores any of the user's geolocation data. However, we ask the user to agree to the use of geolocation data via the phone's operating system for the sole purpose of starting the App (in the background) once approaching a building's geofence, e.g. to support Access Control scenarios. With this mechanism, no geolocation data are passed to Thing-it except the (implicit) fact that the user is in the geofence.


iOS might show User’s presence in the geofence as follows:


In the above screenshots, the user had access to the buildings at the respective locations. The fact that the smartphone's Operating System records these data does not imply that Thing-it does; we do not.

Use of Motion Data


Thing-it requests access to the phone’s motion data for the sole purpose of optimizing the App’s activities regarding Beacon Ranging for Access Control, Point of Interest (POI) and Indoor Location processing (if activated) to ultimately optimize the App’s battery consumption. Thing-it is not processing motion data for any other purpose and is never recording those data persistently.