Privacy Notice email encryption service Secure Reader

1. Data Controller & Data Protection Officer

Controller in terms of data protection law is:

PHOENIX International Holdings GmbH
Pfingstweidstraße 10-12
68199 Mannheim, Germany
Telephone: +49 621 8505-0

For all concerns regarding data protection, our Data Protection Officer is at your disposal:

– Data Protection Officer –
PHOENIX International Holdings GmbH
Pfingstweidstraße 10-12
68199 Mannheim, Germany
Telephone: +49 621 8505-0
E-mail: dataprotection(at)

2. Purpose of the processing and Legal Basis

The purpose of the Secure Reader is to provide business partners with a secure channel for electronic communication with PHOENIX. This is achieved by ensuring access only for the authorized users to read (decrypt) encrypted emails addressed to them and process the collected data for the purpose to access the data in the secured environment.

We process your data in the context of business relationships and general business communication on the basis of the following legal bases:

  • to fulfil a contract or to carry out pre-contractual measures in accordance with Article 6 Para. 1 lit. b GDPR;
  • to fulfil a legal obligation pursuant to Article 6 Para. 1 lit. c GDPR (Art. 5 Para. 1 lit f GDPR), 25 and 32 GDPR); and
  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to offer a secure email communication to protect relevant confidential business information.

3. Data being processed

A. Emails and email content.

B. Registration and authentication data:

  • User email address (this is the email address that the secure message is sent to)
  • Name as provided by the registrant.
  • IP Address.

4. How is data being processed?

The data entered in a login form is compared against the data stored with the purpose of validating the user (user authentication). Data is also used internally for authorization to ensure a logged in individual has access only to the emails addressed to him/her.

5. Third Country Transfer

We engage ProofPoint Inc, 892 Ross Drive, Sunnyvale, CA 94089, USA as data processor resided outside the European Economic Area providing the encryption service. The data transfers are especially based on standard data protection clauses/standard contractual clauses in line with the templates adopted by the European Commission (Article 46 Para. 2 lit. c, Para. 5 S. 2 GDPR).

6. Data deletion and storage duration

Encrypted emails are deleted after 14 days of receipt automatically.

Registration and authentication data is stored until we are notified by the data subject to manually delete the data.

7. Your rights as a data subject

You may exercise your rights listed hereafter at any time, towards the body that is designated under Section 1.

  • Right to information

    Within the framework of Article 15 GDPR, you are entitled to request information free of charge and at any time regarding the data that is processed by us, the processing purposes, the categories of recipients, the planned storage period or, in the case of third-country transfers, the appropriate guarantees. You are also entitled to receive a copy of your data.
  • Right to rectification, deletion, restriction of processing

    If your data processed by us is incorrect, incomplete or their processing is inadmissible, you may ask us to correct your data, to supplement it, restrict processing or to delete the data to the extent permitted by law, according to Article 16, 17 and 18 GDPR.

    The right to deletion does not exist, among other reasons, if the processing of personal data is required for (i) the exercise of the right to freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (for example statutory storage obligations) or (iii) enforcement, exercise or defense of legal claims.
  • Right to data portability

    If you provide us with your data based on your consent or contractual relationship with us, upon request we will provide you with that data in a structured, current and machine-readable format or, if technically possible, submit the data to a third party that you have appointed.
  • Right of objection

    If we process your data on the basis of a legitimate interest, you can object to this processing for reasons that arise from your particular situation, according to Article 21 GDPR. The right of objection only exists within the limits provided for in Article 21 GDPR. In addition, our interests may preclude termination of processing, so we may, despite your opposition, still be entitled to process your personal data.
  • Right of appeal

    If you have any questions, suggestions or criticism, please feel free to contact our Data Protection Officer.

    You are also entitled, under the provisions of Article 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged breach, if you believe that the processing of data concerning you violates the GDPR. The right of appeal is without prejudice to any other administrative or judicial remedy.

    The competent supervisory authority for us is:

    The State Commissioner for Data Protection and Freedom of Information
    PO box 10 29 32, 70025 Stuttgart, Germany
    Tel.: +49 (0) 711/615541-0
    Fax: +49 (0) 711/615541-15
    E-mail: poststelle(at)

    However, we recommend that you always lodge a complaint with our Data Protection Officer first.

Last update: November 2023