Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter referred to as “data”) we process, for what purposes, and to what extent within the scope of the Rescue Made Simple App.

The terms used are not gender-specific.

Status: April 26, 2026

Responsible Party

Gleea Educational Software GmbH
Hubert-Dammert-Str. 1
86836 Klosterlechfeld

Authorized representatives: Stefanie Graumann, Christian Brugger, Christoph Graumann, Andreas Voit.

Email address: [email protected].

Legal Notice: https://gleea.de/en/imprint.

Local legislation

Electronic Communications Law: For access to information stored on users’ devices (e.g. local storage, push tokens), the EU ePrivacy Directive 2002/58/EC and its national implementations apply. In Germany, this is implemented through the TDDDG (§ 25). In the United Kingdom, the equivalent rules are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). In all other EU/EEA member states, the relevant national transposition of the ePrivacy Directive applies. Access to device storage is only permitted with prior informed consent (opt-in) or where technically strictly necessary to provide the requested service.

Simple Summary

At any time, you have control over what personal data you want to share with us. You can generally use our apps without logging in and without entering any personal data.

For some features of the RESCUE MADE SIMPLE App (e.g., joining an institution, editing your own cases), you will need an account. You can edit your profile directly in the app and change your data at any time. The only thing we absolutely need is a valid email address. Of course, you are welcome to use services like Apple Private Relay to obscure your address.

The following data can be voluntarily provided in your profile:

• First name
• Last name
• Medical qualifications
• Training status
• Federal state
• Organization

We use this data for statistical purposes to create better case packages for your qualification level and region in the future.

While using the app, additional data is collected that we link to your profile. These are essentially your completed case examples and your results. This data is used so you can view and improve your performance history.

We also collect anonymized usage statistics to further improve our apps. This information is not linked to your profile, and we cannot trace the statistics back to any individual.

Registration with an Institution (Rescue Made Simple only)

You can enter a code in your profile to register with an institution (such as your rescue service school or employer). You will then have exclusive access to case examples within this institution in individual courses.

By entering a code, you agree that your profile data (see above) can be viewed by the institution’s administrators and lecturers. If you complete case examples within a course, your lecturer will have access to your results and how you approached the case examples. Progress from other institutions, purchased case packages, or demo cases is not affected.

App Permissions and Device Access

The app requires the following device permissions to provide its functions:

• Push Notifications: To inform you about new case packages, course updates, and relevant messages from your institution – only with your explicit consent (§ 25 para. 1 TDDDG).
• Internet Access: For synchronization of learning data and communication with the backend server (technically necessary, § 25 para. 2 TDDDG).
• Local Storage (app data): For caching case packages for offline use (technically necessary, § 25 para. 2 TDDDG).

All other device access (e.g., camera, location, microphone) is not used by this app.

Data Deletion upon Request

You can request the deletion of your account and all associated data at any time:

• In the app: Under Profile → Settings → Delete Account
• By email: To [email protected]

After receiving your request, your personal data will be deleted within 30 days, unless statutory retention obligations apply.

Detailed Privacy Policy

The following overview summarizes the types of processed data and the purposes of their processing and refers to the affected individuals.

Types of Processed Data

• Inventory data (e.g., names, addresses).
• Content data (e.g., entries in online forms).
• Contact data (e.g., email, telephone numbers).
• Learning and performance data (e.g., completed case examples, results, learning progress).
• Meta/communication data (e.g., device information, IP addresses).
• Usage data (e.g., visited websites, interest in content, access times).
• Contract data (e.g., contract subject, duration, customer category).
• Payment data (e.g., bank details, invoices, payment history).

Categories of Affected Persons

• Business and contractual partners.
• Interested parties.
• Communication partners.
• Customers.
• Users (e.g., app users, users of online services).
• Students/participants.

Purposes of Processing

• Registration process.
• Provision of our online offerings and user-friendliness.
• Office and organizational procedures.
• Direct marketing (e.g., via email or postal mail).
• Contact requests and communication.
• Learning progress tracking and individual learning experience.
• Security measures.
• Performance of contractual services and customer service.
• Administration and response to requests.

Storage Periods

We store personal data only for as long as it is necessary for the respective processing purposes. The specific retention periods are:

• Account data (email, profile details): For the duration of the active user account; upon account deletion, immediately, at the latest within 30 days.
• Learning and performance data: For the duration of the active user account; upon account deletion, immediately, at the latest within 30 days.
• Learning progress within an institution: Until withdrawal from the institution or until account deletion; institution administrators may arrange earlier deletion upon request.
• Anonymized usage statistics: Indefinite, as no personal identification is possible.
• Server log files / IP addresses: Maximum 7 days, then automatic deletion or anonymization.
• Newsletter consent records: Up to 3 years after unsubscription to defend against potential claims.
• Contract and invoice data: 10 years in accordance with statutory tax retention obligations (§ 147 AO).

Automated Decision-Making and Profiling

We conduct no automated profiling with legal effect pursuant to Art. 22 GDPR. The linking of learning progress with user profiles serves exclusively to display personal learning history for the user themselves and to provide qualification-appropriate content. No automated decision is made that has legal effect or similarly significantly impacts users.

Relevant Legal Bases

Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection provisions may apply in your or our country of residence. Should specific legal bases be applicable in individual cases, we will inform you of this in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions, particularly regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. State data protection laws of individual federal states may also apply.

Regulations for Digital Services (TDDDG): For access to users’ terminal equipment (e.g., storing information on the device or reading device information), the German Telecommunications and Digital Services Data Protection Act (TDDDG) applies. Access to terminal equipment is only permitted on the basis of informed consent (§ 25 para. 1 TDDDG) or – where technically strictly necessary – without consent (§ 25 para. 2 TDDDG). Details are described in the “App Permissions and Device Access” section.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements and considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities and extent of the threat to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Among the measures are, in particular, the securing of confidentiality, integrity, and availability of data through control of physical and electronic access to the data, as well as access to them, their input, transmission, secured availability, and their separation. Furthermore, we have procedures in place that ensure data subject rights, deletion of data, and responses to data threats. We also consider the protection of personal data in the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by default (Art. 25 GDPR).

SSL/TLS Encryption (https): To protect your data transmitted via our online offer, we use SSL/TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser. This also applies to any communication between our app and the backend server.

Transfer of Personal Data

In the context of our data processing, it may happen that data is transferred to other entities, companies, legally independent organizational units, or individuals, or that they are disclosed to them. Recipients of these data can include service providers entrusted with IT tasks or providers of services and content. In such cases, we comply with the legal requirements and conclude appropriate contracts or agreements, which serve to protect your data, with the recipients of your data.

Data transfer within the organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this disclosure is for administrative purposes, the transfer of data is based on our legitimate entrepreneurial and business interests or occurs if it is necessary for the performance of our contractual obligations or if there is consent from the data subjects or a legal permit.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs as part of the use of services from third parties or the disclosure or transfer of data to other individuals, entities, or companies, this only takes place in accordance with legal requirements.

Subject to express consent or contractual or legally required transfer, we process or allow the processing of data only in third countries with a recognized level of data protection, contractual obligation through so-called standard contractual clauses of the EU Commission, in the presence of certifications or binding internal data protection rules (Art. 44 to 49 GDPR, EU Commission Information Page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Deletion of Data

The data we process is deleted in accordance with the legal requirements, once consents that allow the processing are revoked or other permissions cease to apply (e.g., if the purpose of the processing of the data no longer applies or it is not necessary for the purpose anymore).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be limited to these purposes. This means the data is locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or to protect the rights of another natural or legal person.

Specific retention periods for individual data categories are listed in the “Storage Periods” section.

Business Services

We process data from our contractual and business partners, such as customers and interested parties (collectively referred to as “contractual partners”) within the scope of contractual and comparable legal relationships as well as the associated measures and within the scope of communication with the contractual partners (or pre-contractual), e.g., to answer inquiries.

We process this data to fulfill our contractual obligations, safeguard our rights, and for purposes associated with these activities and entrepreneurial organization. We only transmit the data of contractual partners to third parties within the framework of applicable law to the extent necessary for the aforementioned purposes or to fulfill legal obligations, or if it is done with the consent of data subjects (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Contract partners will be informed within the scope of this privacy policy about further forms of processing, e.g., for marketing purposes.

We inform the contract partners which data is necessary for the aforementioned purposes before or during data collection, e.g., in online forms, via specific markers (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as they must be retained for statutory archiving reasons (e.g., for tax purposes, generally 10 years). Data that has been disclosed to us in the context of an order by the contract partner will be deleted in accordance with the order specifications, generally after the end of the order.

As far as we use third-party services or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between users and providers.

Customer Account: Contract partners may create an account within our online offer (e.g., customer or user account, briefly referred to as “customer account”). If registration for a customer account is required, contract partners will be informed accordingly, as well as about the required information for registration. Customer accounts are not public and cannot be indexed by search engines. As part of registration and subsequent logins and uses of the customer account, we store the IP addresses of the customers along with the access times to prove registration and prevent misuse of the customer account.

If customers terminate their customer account, the data relating to the customer account will be deleted, subject to statutory retention requirements. It is the responsibility of customers to secure their data upon termination of the customer account.

Educational and Training Services: We process the data of participants in our educational and training offers (uniformly referred to as “trainees”) to provide them with our training services. The data processed in this context, the type, scope, purpose, and necessity of their processing are determined by the contractual and training relationships. Processing forms also include performance evaluation and the evaluation of our services and those of the lecturers.

In the course of our activities, we can also process special categories of data, particularly information relating to the health of trainees and data from which ethnic origin, political opinions, religious or philosophical beliefs are derived. Here we obtain express consent from the trainees when necessary and otherwise only process the special categories of data when it is required for the provision of the training services, for purposes of healthcare, social protection, or protection of the vital interests of the trainees.

Where necessary for our contract fulfillment, to protect vital interests, or by law, or where trainees give consent, we disclose or transfer the data of the trainees under observance of professional requirements to third parties or agents, such as authorities or in the field of IT, office, or similar services.

• Processed data types: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., contract subject, duration, customer category), learning and performance data (e.g., completed case examples, results, learning progress), usage data (e.g., access times, content interest), meta/communication data (e.g., device information, IP addresses).
• Affected persons: Interested parties, business and contract partners, customers, students/participants.
• Purposes of processing: Provision of contractual services and customer service, contact requests and communication, office and organizational procedures, administration and response to inquiries, security measures.
• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Provision of Online Offer and Web Hosting

To provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or managed by them) the online offer can be accessed. For these purposes, we use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The processed data in the context of providing these services includes all data relating to the users of our online offer necessary for communication and usage thereof. Regularly, this includes the IP address necessary to deliver the contents of online offers to browsers and any input made within our online offer or websites.

Collection of Access Data and Log Files: We or our web hosting provider collect data about each access to the server (so-called server log files). The server log files may include the address and name of the retrieved web pages and files, date and time of access, data volumes transmitted, message about successful retrieval, browser type and version, the operating system of the user, referrer URL (the previously visited page), IP addresses, and the requesting provider. Server log files are stored for a maximum of 7 days and then deleted or anonymized.

Server log files may be used for security purposes, e.g., to monitor for overloads on the servers (particularly in cases of abuse attacks, known as DDoS attacks), and to ensure server utilization and stability.

• Processed data types: Content data (e.g., entries in online forms), usage data (e.g., visited websites, content interest, access times), meta/communication data (e.g., device information, IP addresses).
• Affected persons: Users (e.g., app users, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness.
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

• Amazon Web Services (AWS): Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA; Website: https://aws.amazon.com; Privacy Policy: https://aws.amazon.com/privacy/; Standard contractual clauses (safeguarding data protection level when processing in third countries): https://d1.awsstatic.com/Processor_to_Processor_SCCs.pdf, https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf; https://aws.amazon.com/compliance/gdpr-center/ (GDPR Compliance Center).

Registration, Login, and User Account

Users can create a user account. During registration, the required mandatory details are communicated to the users and are processed for the purpose of providing the user account based on the fulfillment of contractual obligations. Processed data includes, in particular, login information (username, password, and an email address).

In the course of using our registration and login functions and the use of the user account, we store the IP address and the times of the user actions. The storage is based on our legitimate interests and those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users will be informed about actions that are relevant for their user account, such as technical changes, by email.

Registration with Pseudonyms: Users may use pseudonyms instead of real names as usernames.

User profiles are not public: The profiles of the users are not publicly visible. Learning progress and profile data are only accessible to the user themselves and – within an institution registration – to authorized lecturers and administrators of the respective institution.

Deletion of Data After Termination: If users have terminated their user account, their data concerning the user account will be deleted within 30 days, subject to any statutory retention obligation. It is the responsibility of users to back up their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the contract period.

• Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), meta/communication data (e.g., device information, IP addresses).
• Affected persons: Users (e.g., app users, users of online services).
• Purposes of processing: Provision of contractual services and customer service, security measures, administration, and response to inquiries.
• Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Single-Sign-On Authentication

“Single-Sign-On” or “Single-Sign-On Authentication” refers to procedures that allow users to log in using a user account with a single sign-on provider (e.g., Apple or Google) also when using our online offer. The prerequisite for single-sign-on authentication is that users are registered with the respective single-sign-on provider and enter the necessary access data into the corresponding online form, or are already logged in at the single-sign-on provider and confirm the single-sign-on login via button.

Authentication takes place directly with the respective single-sign-on provider. As part of such authentication, we receive a user ID with information indicating that the user under this user ID is logged in at the respective single-sign-on provider and a ID that is not further usable by us for other purposes (so-called “user handle”). Whether we receive additional data depends solely on the single-sign-on procedure used, on the selected data releases within the scope of the authentication, and additionally on what data users have released in the privacy or other settings of the user account with the single-sign-on provider. It can be different data depending on the single-sign-on provider and the user’s preferences; as a rule, these are the email address and username. The password entered during the single-sign-on process is neither visible to us nor is it stored by us.

Users are asked to note that their data stored with us can be automatically compared with their user account at the single-sign-on provider, but this is not always possible or actually happens. For example, if users change their email addresses, they must manually change them in their user account with us.

We can use single-sign-on registration, provided it has been agreed with users, in the context of or before contract performance, if users have been asked for their consent, and otherwise based on our legitimate interests and those of users in an efficient and secure authentication system.

If users decide not to use their user account with the single-sign-on provider for single-sign-on anymore, they must cancel the connection with their user account at the single-sign-on provider. If users want to delete their data, they must cancel their registration with us.

• Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers).
• Affected persons: Users (e.g., app users, users of online services).
• Purposes of processing: Provision of contractual services and customer service, registration process.
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

• Apple Single-Sign-On: Authentication service; Service provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Website: https://www.apple.com; Privacy Policy: https://www.apple.com/legal/privacy/en-ww/; Basis for third-country transfer: Standard contractual clauses of the EU Commission.
• Google Single-Sign-On: Authentication service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfer: Standard contractual clauses of the EU Commission.

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. If the specific content of the newsletter is described in the context of a subscription, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is usually sufficient to provide your email address. However, we might ask you to provide a name for personal address in the newsletter or further details, if required for the purposes of the newsletter.

Double-Opt-In Procedure: The registration for our newsletter takes place generally in a so-called double-opt-in procedure. This means you will receive an email after registration asking you to confirm your registration. This confirmation is necessary so that no one can register with external email addresses. Registrations for the newsletter are logged to provide proof that the registration process complies with legal requirements. This includes storing the registration and confirmation times as well as the IP address. Changes to your data stored by the shipping service provider are also logged.

Deletion and Restriction of Processing: We can store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to prove previous consent. The processing of this data is limited to the purpose of a possible defense against claims. Individually, a request for deletion is possible at any time, provided the previous existence of consent is simultaneously confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist for this purpose alone.

The logging of the registration process is based on our legitimate interests for purposes of proving its proper procedure. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure sending system.

Notes on Legal Bases: The dispatch of the newsletters takes place based on the receiver’s consent or, if consent is not required, based on our legitimate interests in direct marketing, provided and to the extent it is permitted by law, e.g., with existing customer advertising.

Contents: Information about us, our services, apps, promotions, and offers.

• Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), meta/communication data (e.g., device information, IP addresses).
• Affected persons: Communication partners.
• Purposes of processing: Direct marketing (e.g., via email or postal mail).
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Objection possibility (Opt-Out): You can cancel the receipt of our newsletter, i.e., revoke your consent or object to further receipt, at any time. A link to cancel the newsletter can be found either at the end of each newsletter or, you can use any of the contact options listed above, preferably email, for this purpose.

Changes and Updates to the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes to the data processing we perform make it necessary. We inform you as soon as changes require a contribution from you (e.g., consent) or if an individual notification becomes necessary.

Should we provide addresses and contact information for companies and organizations in this privacy policy, please note that the addresses may change, and we ask you to verify the information before contacting us.

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR, in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
• Right to withdraw consent: You have the right to revoke consents at any time.
• Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.
• Right to deletion and restriction of processing: You have the right to request that data concerning you be deleted immediately in accordance with legal requirements, or alternatively to request a restriction of data processing in accordance with legal requirements. You can submit a request for account deletion directly in the app under Profile → Settings → Delete Account or by email to [email protected].
• Right to data portability: You have the right to receive data concerning you, which you provided to us, in a structured, commonly used, and machine-readable format according to legal requirements or to request their transmission to another controller.
• Complaint to supervisory authority: You have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of data concerning you violates the GDPR.

Supervisory authority responsible for us:

Bavarian State Office for Data Protection Supervision
Postfach 1349
91504 Ansbach
Phone: 0981/180093-0
Email: [email protected]

Definitions

In this section, you will find an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and are essentially defined in Article 4 GDPR. The legal definitions are binding. The following explanations are primarily intended to assist understanding. The terms are arranged in alphabetical order.

• Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, particularly by means of association with an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
• Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, such as collection, evaluation, storage, transmission, or deletion.