Privacy Notice
This version is valid from: May 23rd, 2023
When does this Privacy Notice apply?
This Privacy Notice describes how we, as a controller, collect, use and share your personal data. It applies to personal data that you voluntarily provide to TechGDPR or that is automatically collected by TechGDPR.
Who we are
The company operating techgdpr.com, its associated websites and social media accounts is TechGDPR DPC GmbH, Heinrich-Roller Str. 15, 10405 Berlin, Germany (“TechGDPR”, “we”, “us”, “our”). If you have any data protection related questions about how we handle your personal data, or if you wish to exercise your data subject rights, please contact us by post or at privacy@staging.dataofficer.eu.
What data we collect and for what purpose
TechGDPR collects data voluntarily provided to TechGDPR by clients, website visitors and candidates applying for open job positions. TechGDPR processes Personal Data as described below:
1. Statistical data
TechGDPR collects anonymous statistical data about the use of its website to optimise its online presence and for marketing and sales purposes. No cookies are stored on your device, and only the first 2 bytes of your IP address are stored (e.g. 200.100.x.x). The data is collected on servers operated by TechGDPR in the European Union. This data is not governed by the GDPR as it is anonymous. You may further opt out of tracking by enabling the Do-Not-Track option in your browser. Visit http://donottrack.us/ to learn how.
2. Information provided by you through web forms, through voice conversations such as phone, videoconferencing and during in-person meetings.
Through web forms on our contact page and on in-page ‘call to action’ forms, we collect your company name, first name, last name, email address and phone number. We process this information for the purpose of the performance of a contract, or in the preparatory stage of entering into a contract as laid out in Art 6(1)(b) of the GDPR. As you actively request us to contact you for more information about our products and services, we will need to record this data to be able to effectively communicate with you for this purpose. This information is submitted to a server operated by TechGDPR, from which it will be deleted 25 months after the last contact we had with you, unless you become a client and we need to retain your information for other reasons. This information is not shared outside of our organization, and is stored on servers within the European Union.
3. Engage our services
TechGDPR may collect personal information provided by the clients for the purposes of the performance of a contract, Art 6(1)(b) GDPR. The information we may collect is first name, last name, company name, email address, phone number, picture, position and role and invoicing information such as bank details and VAT number. We also process the feedback you give to help us assess the quality of our service provision and guide our decision making (quality management). We carry out this processing in our legitimate interests as per Art 6(1)(f) GDPR.
We store this information for two years after the end of our DPO and consulting contract.
4. Keeping you informed about privacy and GDPR in technology.
When filling out a webform or through other methods and communication you also have the choice to sign up for our marketing communication by selecting the appropriate, optional tick box for this purpose. We only add you to our mailing list once you have passed the double opt-in. The processing of your name and email for this particular purpose is based on your consent (Art 6(1)(a) GDPR), which you can revoke at any time. We will continue to process your personal data for this purpose until you revoke this consent by either clicking the ‘unsubscribe’ button or contacting us by post or at privacy@staging.dataofficer.eu to revoke your consent or request that we unsubscribe you. However, should another legal basis exist for us to process your data (as outlined above under 2. or 3.; for example, should we require your email address in the scope of contract negotiation), we will continue to process your personal data for those purposes.
5. Server administration
Your IP address and your page requests are stored in log files on our servers for a maximum of 14 days for the purpose of preventing fraud, abuse, and security incidents, as well as monitoring the performance of our servers. After 14 days, these log files will be automatically deleted. We carry out this processing and data retention in our legitimate interest as laid out in Art 6(1)(f) of the GDPR.
6. Internal communication required to deliver services
Internally, we use Google Workspace for our email service, calendar and internal document management. We also use it to communicate and provide our services to our clients, in which case we collect the client’s name, title and email address.
We use Slack to communicate as a team and generally to improve our response time to client needs. Signed clients can also choose to communicate with us through Slack. The data collected in the scope of this communication is legitimised under performance of a contract as laid out under Art 6(1)(b) of the GDPR. You can learn more about Slack’s ISO 27001 and ISO 27018 certifications, security policies and procedures on their security page.
Data processed on Slack and GSuite is deleted within 25 months after the end of our engagement with you.
More information about data transfers out of the EEA or to non-adequate countries can be found below in the section Security and International Data Transfers.
7. Collection of statistical information through surveys
From time to time, we carry out surveys and questionnaires among specific or broad groups of companies which help us better understand the market, the compliance situation of our target industries and their specific concerns. The data collected in these surveys may contain personal or pseudonymous elements which ensure de-duplication and prevent skewed results. This processing is carried out under legitimate interest, as laid out in Art 6(1)(f) of the GDPR. However, we separate and where possible remove personal elements from these data sets at the earliest convenience and only do our analysis and reporting on anonymized data sets. We never use such results to target you for sales or marketing reasons and do not share these details outside of our organization. We only use the anonymized data sets to derive aggregate insights from anonymous reports. If you elect to leave your contact details in such surveys we will only use them for the specifically-indicated purpose. Any personal data purposefully given is considered consent as in Art 6(1)(a) of the GDPR and can be revoked at any time by contacting us.
8. Application for a job or internship
During our recruitment process, we collect personal data of active or potential candidates for our vacancies. The recruitment process might take two different forms:
Talent Scouting
We collect personal data in our process of scouting for potential candidates through public professional social networking sites such as LinkedIn. We will either carry out this process ourselves or engage with third-party headhunters to seek out potential candidates. This process serves the purpose of finding potential candidates that might have an interest in working with us based on their education, work experience and skill set. We collect the following information: first and last name, link to social networking profile, work and academic history, language proficiency, and location. We handle this information on the basis of pursuing our legitimate interest to find potential candidates and reach out to them, as laid out in Art.6(1)(f) GDPR and §4(1)(f) of the BDSG. We store this information for up to one month. Within this time, we either contact and inform any potential candidate whom we might be interested in interviewing, as required by Article 14(3)(a) GDPR and §33 of the BDSG, or immediately erase the information of potential candidates that we determine do not meet our criteria.
Upon contact, the candidate can object to the processing of data whereby we delete their data on the spot. As all records, including your communication, are deleted, please consider the possibility that you might accidentally be contacted again in the future.
Should a potential candidate be interested in proceeding with our interview and/or assessment process, this then triggers the Active Applicant process described below.
Active applicants
We collect the data of the applicants who actively apply to the vacancies we advertise via email and professional social networking sites such as LinkedIn. This process serves the purpose of selecting the applicants that are most suitable for the vacancy based on education, work experience and skill set. The application is submitted by emailing us. Occasionally, and depending on the recruitment stage, we request and collect additional information. The information collected includes: first and last name, email address, phone number, home address, date of birth, profile picture, work and academic related information contained in CV and cover letters, and when applicable, references and academic records or transcripts. The legal basis for this is the performance of a contract as laid out in Art.6(1)(b) GDPR and §26(1) of the German Federal Data Protection Act, the BDSG. Should we decide to reject your application, or you revoke your interest to continue the process, we store your personal data for 6 months from the date of rejection, based on our legitimate interest to defend ourselves against legal claims, as per Art. 6(1)(f) of the GDPR and §4(1)(f) of the BDSG.
9. Registering you to one of our webinars or events
TechGDPR runs regular Privacy Meetups (remote and in-person events), where we cover different GDPR-related topics and answer any questions that people may have in those regards. Those meetups are advertised on Eventbrite, where interested individuals can register through the purchase of a (free) ticket. By doing this, TechGDPR collects participants’ full name, email address, order number (auto-generated by Eventbrite), the amount paid, quantity of tickets purchased and timestamp of purchase. Registering individuals onto the events and the data collected as a result are processed for the purpose of limiting the number of participants that can join the event, and we handle this information on the basis of the performance of a contract according to Art.6(1)(b) GDPR initiated by the purchase of a ticket. The data is only retained up to 30 days after the event.
10. Sending emails to confirm registration to our webinars or events
Following registration to the Privacy Meetups, TechGDPR will send you a confirmation email including the link to the webinar for online events. We use Gmail for any email communication with participants. This is done for the purpose of ensuring that registered attendees receive confirmation of their purchase order and when applicable, the link to access the webinar, and is done on the basis of the performance of a contract according to Art.6(1)(b) GDPR, initiated by the purchase of a ticket. To do this, TechGDPR processes the participants’ email addresses. This data is retained for 30 days following the event, and is thereafter erased through deletion of the invite email.
11. Data processed during the webinars or events
Privacy Meetup webinars are run on Zoom. As a result, during the webinar we process the participant’s username chosen for the session, for the purpose of displaying their name, whether full name or pseudonymised. TechGDPR may also process the audio/video feed of participants based on their individual choice to turn on/off their camera and microphone. However, note that webinars are not recorded. Therefore, the personal data of participants is only processed for the duration of the webinar. We process this personal data on the basis of the performance of a contract according to Art.6(1)(b) GDPR initiated by the purchase of a (free) ticket.
Ensuring compliance
TechGDPR is under obligation to comply with all applicable laws and regulations, including, but not limited to those of the European Union, Germany and the state of Berlin. For this reason we may have to collect, process and retain your details for an extended period of time as a legal obligation (Art 6(1)(c) GDPR).
Information required to track your choices and consent regarding the processing (or use) of your Personal Data or reception of marketing materials is stored to ensure compliance with the GDPR.
Security and international data transfers
We use third party software across several countries; personal data may therefore be transferred to a country outside the EU/EEA. To protect your personal data, we enter into data protection agreements and maintain both technical and organisational safeguards around the processing of your data.
The Standard Contractual Clauses we rely on can be provided on request by reaching out to privacy@staging.dataofficer.eu.
Why am I required to provide Personal Data?
As a general principle, providing personal information and granting consent for our use of this information is done entirely on a voluntary basis. Choosing not to consent or provide personal data is generally not detrimental. However, there are circumstances in which TechGDPR cannot take action without specific data. This is the case, for instance, when data is required to process your order, fulfil a contact request, or provide you with access to a service or newsletter.
Who your data is made accessible to
TechGDPR hosts the majority of its services and systems itself on servers within the EU. We use a transactional email provider and a mailing list service, both located in the EU to deal with our mailing needs.
In the case your personal details are visible on an incoming or outgoing invoice, they may also be transmitted to our tax advisor as well as to the financial authorities (German Finanzamt).
Your rights as a data subject
At any time, you can request from TechGDPR to receive information about which personal data TechGDPR processes about you. You can also request the correction or deletion of such personal data. Please note, however, that TechGDPR can delete your personal data only if there is no statutory obligation or prevailing obligation on TechGDPR to retain it.
If TechGDPR uses your personal data based on consent or the performance of a contract, you may also request a copy of the personal data that you have provided to TechGDPR. To do so, please contact us at privacy@staging.dataofficer.eu and specify the information or processing activities to which your request relates.
Furthermore, you can request that we restrict your personal data from any further processing if:
- You are contesting the accuracy of the data we hold about you, for as long as we need to verify this claim.
- If you believe the processing of the data is unlawful, but you oppose the erasure of the data and request restriction of processing instead.
- If we no longer need your data for the original purpose, but you need them for the establishment, exercise or defense of legal claims.
- If you have objected to the use of your data, while we evaluate if our legitimate grounds for processing your data override yours, as required by Art 21 of the GDPR.
Please direct any such request to privacy@staging.dataofficer.eu.
Your right to lodge a complaint
We encourage you to contact us at privacy@staging.dataofficer.eu if you have any privacy related concern. Should you disapprove of the response we have provided you, you have the right to lodge a complaint with our supervisory authority, or with the data protection authority of the European member state you live or work in. The details of the supervisory authority responsible for Berlin, Germany, are:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
Phone: 030/138 89-0
http://www.datenschutz-berlin.de
Use of this website by children
This website is not intended for anyone under the age of 16 years. If you are younger than 16, you may not register with or use this website.
Links to other websites
This website may contain links to external websites (i.e. non-TechGDPR companies and organisations). TechGDPR is not responsible for the privacy practices or the content of those websites. We therefore recommend that you familiarize yourself with the privacy practices of these organizations by reading their privacy notices.
Changes to this Privacy Policy
We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date and version at the top of this page. Each visit or interaction with our Services will be subject to the new privacy policy. We encourage you to regularly review our privacy policy to stay informed about our data protection policy. Unless we implement profound changes that we proactively notify you about, you acknowledge that it is your responsibility to review our privacy policy to be aware of modifications.
Privacy notice for consulting engagements
For our consulting engagements, we process your data according to our privacy notice for consulting engagements.