Duty to inform in regards to data collection pursuant to Art. 13 General Data Protection Regulation (GDPR)

Responsibility

The following party is responsible for all data processing described here:

DataCo GmbH
Dachauer Str. 65
80335 Munich

info@dataguard.de

The data protection officer can be reached by writing to the same address or to dsb@dataguard.de.

Legal basis

Processing of applicants’ data:

• 88 GDPR in conjunction with § 26 BDSG-neu (Federal Data Protection Act)
• 6(1)(a) GDPR
• 6(1)(b) GDPR

Processing of data of interested parties:

• 6(1)(a) GDPR
• 6(1)(b) GDPR
• 6(1)(f) GDPR

Processing of client data:

• 6(1)(b) GDPR
• 6(1)(f) GDPR

Processing of supplier/service provider data

• 6(1)(b) GDPR
• 6(1)(f) GDPR

• If your personal data are processed, you have the right to receive information from the controller about your personal data which is stored (Art. 15 GDPR).
• If inaccurate personal data are processed, you have the right to rectification (Art. 16 GDPR).
• If the legal requirements allow, you can request the erasure or restriction of processing, and object to the processing (Art. 17, 18, and 21 GDPR).
• If you have consented to the data processing or if there is a data processing contract in place, and the data processing is performed with the aid of automated processes, you may have a right to data portability (Art. 20 GDPR).
• If you have consented, by means of a corresponding declaration, to the processing by the controller, you can withdraw this consent at any time with future effect. The lawfulness of the data processing carried out on the basis of the consent until the withdrawal will not be affected.
• The data subject also has the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

As part of the DataGuard application process, DataGuard collects the following personal data via the upload function provided on the careers page:

• First name and surname
• Salutation
• Email address
• Phone number
• Availability
• Expected salary
• All personal data contained in the application (curriculum vitae, cover letter, certificates, etc.)

DataGuard collects data from interested parties in the following manners:

• Direct application via the DataGuard careers page
• Application via email, addressed directly to a DataGuard employee
• Postal application
• LinkedIn Easy Apply

These personal data will be processed for the following purposes:

• Implementation of the application process and decision on the justification of an employment contract 
• Communication (telephone, email, videotelephony) 
• Implementation of pre-contractual measures (initiation of employment) 
• Recording of applicants’ data in an applicant pool 
• Assertion, exercise, or defence of legal claims resulting from the application process 

Internally, only authorised employees will only receive access to an applicant’s data, via an authorisation process.

The following service providers are involved, as data processors, in our processing of personal data during the application process:

Personio GmbH – Munich, Germany: DataGuard uses the Personio HR system as a central applicant life cycle management tool for the implementation of the application process. It serves as a central storage point for applicants’ data. Personio is integrated into our careers page. The above-mentioned personal data and other data uploaded by you will be stored and processed by Personio on our authority. Data will only be processed in German datacentres. A Data Processing Agreement has been concluded with the service provider. In the event that the application is cancelled by you or DataGuard, your personal data will be erased within 10 weeks. On the basis of consent, an applicant can be included in a pool of applicants, and the applicant data which are transmitted will continue to be stored for this purpose. Consent will be obtained again each year via email. Should the applicant be hired, the personal data will continue to be processed in Personio as part of the employment relationship.

eTermin GmbH – Wallisellen, Switzerland: DataGuard uses the online appointment booking system eTermin to guarantee easier scheduling of appointments between an applicant and DataGuard employees involved in the application process. A Data Processing Agreement has been concluded with the service provider. For the transfer of personal data to Switzerland, a third country, an adequacy decision by the European Union applies. Your personal data which are processed by eTermin GmbH will be erased within three weeks after the respective appointment has taken place.

Microsoft Inc. – Redmond, USA: DataGuard uses the Office 365 service, incl. Microsoft Teams, to carry out interviews via video telephony, and Outlook for communication via email. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded with the service provider as part of the Online Services Terms. Your personal data, which will be forwarded to the processor for the performance of the planning and the actual video call, will be erased within 3 weeks.

LinkedIn Inc. – Sunnyvale, USA: DataGuard uses the Easy Apply service. Applications can be sent directly to DataGuard via this service. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded with the service provider. The applications received via LinkedIn Easy Apply will be further processed in Personio upon receipt. We have no influence on how long LinkedIn itself stores the data you provide.

DataGuard collects and processes data of interested parties via various channels. Data of interested parties are all personal data of people interested in a DataGuard service. The following data are processed in order to establish contact:

• First name and surname
• Salutation
• Email address
• Position within the company
• Phone number

DataGuard collects data from interested parties in the following manners:

• Requests via the contact form on the DataGuard website
• Requests sent via messages to DataGuard employees, e.g. via email, LinkedIn messages, XING messages, and other communication channels
• Requests at trade fairs or other events where data are passed on to DataGuard employees with the aim of establishing contact
• Individual research about potential interested parties in business directories, contact information on websites, and professional networks
• Individual booking of an appointment by an interested party

We will process your personal data for the following purposes:

• To provide information about the services of the DataGuard brand 
• Quote generation 
• Processing of queries from interested parties 
• Preparation and implementation of pre-contractual measures, in particular the forwarding and agreement of contract terms with the aim of entering into a contract 
• Establishment and implementation of a contractual relationship 
• Inclusion in our contact database 
• Establishing contact (email and telephone)

Data collection takes place in the first step on the basis of the legitimate interest. A balancing of interests hereby always takes place. In doing so, we balance the rights and freedoms of the data subject against the interests of DataGuard. Consent will be obtained verbally in further communication, and stored in our CRM tool.

The following service providers are involved, as data processors, in our processing of personal data as part of the process for dealing with interested parties:

PipeDrive OÜ – Tallinn, Estonia: DataGuard uses PipeDrive to manage the process for dealing with interested parties. This enables the easier processing of queries and allocation of internal tasks. A Data Processing Agreement has been concluded with the processor. Personal data of interested parties who have objected to processing by DataGuard or withdrawn their consent will be erased immediately, unless the data subject wishes to be included in a blacklist, in order not to be contacted again. In this case, we will store the subject’s surname, first name, and email address for this purpose. Should there be no interaction between the interested party and DataGuard within 12 months, the personal data will be erased.

HubSpot Inc. – Cambridge, USA, with subsidiary in Ireland: DataGuard uses HubSpot as a central marketing tool in which all data of interested parties from all channels are collected, where they are then qualified. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded. Personal data of interested parties who have objected to processing by DataGuard or withdrawn their consent will be erased immediately, unless the data subject wishes to be included in a blacklist, in order not to be contacted again. In this case, we will store the subject’s surname, first name, and email address for this purpose. Should there be no interaction between the interested party and DataGuard within 12 months, the personal data will be erased.

DemoDesk GmbH – Munich, Germany: DataGuard uses the DemoDesk service to carry out presentations about the services on offer. The data will be erased within 2 weeks. A Data Processing Agreement has been concluded with the service provider.

At DataGuard, personal data are processed primarily in the data protection management platform provided to the clients. This platform was developed in-house by DataGuard. The following personal data of employees who are employed by DataGuard clients will be processed:

• First name and surname
• Title and academic degree
• Gender
• Email address
• Position within the company
• Phone number
• Role assigned within the platform and the according authorisations
• All personal data that are provided to us during communication with clients

DataGuard collects data from people in the following manners:

• Querying of the personal data after concluding a contract with DataGuard from the persons themselves, or receipt of personal data via an employee of the client company. This could also concern employees of service providers used by a client’s company.
• Entry of employees’ personal data by an administrative assistant of the client in the data protection platform

We will process your data for the following purposes:

• Client management and client support – in particular the processing of client queries 
• Direct marketing in the form of telephone calls and emails  
• Issuing of invoices 
• Performance of post-contractual measures 
• Assertion, exercise, or defence of legal claims 
• Establishment, implementation, and termination of a contractual relationship

Data processing takes place on the basis of the contractual relationship and on the basis of the legitimate interest. A balancing of interests hereby always takes place. In doing so, we balance the rights and freedoms of the data subject against the interests of DataGuard, in the form of contract performance for our clients.

Data protection management platform: DataGuard operates a data protection management platform. Employees of clients are invited to access this platform by the relevant DataGuard employees. It could also be the case that we process data of persons who assert their data subject rights against the clients of DataGuard. For the platform, the privacy policy provided therein applies, in the respective valid version.

The following service providers are involved, as data processors, in our processing of client data:

Deutsche Telekom AG – Bonn, Germany: DataGuard uses dedicated servers of the Open Telekom Cloud (OTC) to host the data protection platform. This service is operated by Deutsche Telekom AG. The Open Telekom Cloud has a Trusted Cloud seal from the German Federal Ministry for Economic Affairs and Energy, and numerous certifications, such as ISO 27001:2013, to verify the high security level of the OTC. DataGuard has entered into a Data Processing Agreement with Deutsche Telekom.

Iversity GmbH – Berlin, Germany: In order to perform training for employees of DataGuard clients, we use a training platform operated by service provider Iversity. This service is used to process names and email addresses. This is necessary to be able to issue the according certificates of participation. DataGuard has entered into a Data Processing Agreement with the service provider.

LogMeIn Ireland Limited – Dublin, Ireland: DataGuard uses the telephone conference function of GoToMeeting to perform audits with clients. No client data are passed on to LogMeIn. Clients dial into the conferences themselves via their own telephony systems. No recording takes place. DataGuard has entered into a Data Processing Agreement with LogMeIn.

SevDesk GmbH – Offenburg, Germany: DataGuard uses the SevDesk tool to issue invoices and reminders. We have entered into a Data Processing Agreement with the service provider.

neXenio GmbH – Berlin, Germany: DataGuard uses the Bdrive data exchange service to transfer files. This is a highly secure data and file exchange service developed by the Bundesdruckerei (Federal Printing Office). We have entered into a Data Processing Agreement with the service provider.

Datev GmbH – Nuremberg, Germany: In order to comply with the GoBD (German regulations for the keeping of books and records electronically), we use the services of DATEV. We have entered into a Data Processing Agreement with the service provider.

DemoDesk GmbH – Munich, Germany: DataGuard uses the DemoDesk service to carry out welcome meetings as part of the clients’ on-boarding processes. The data transferred to DemoDesk will be erased within 2 weeks. A Data Processing Agreement has been concluded with the service provider.

GSG Inkasso GmbH – Munich, Germany: When outstanding accounts are being settled, we will also pass on personal data to our collection service provider, GSG, where necessary. DataGuard will initially send two reminders and attempt to reach the point of contact named by the client, in order to find a solution to settle open accounts. If this proves unsuccessful, GSG will be authorised by power of attorney to collect outstanding amounts on behalf of DataGuard.

Microsoft Inc. – Redmond, USA: DataGuard uses the Office 365 service, incl. Microsoft Teams, to carry out audit phone calls via video telephony, and Outlook for communication of appointments via email. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded with the service provider as part of the Online Services Terms. Your personal data, which will be forwarded to the processor for the performance of the planning and the actual video call, will be erased as soon as the purpose of the storage no longer applies.

When processing data of clients and their service providers, we will generally always erase or block your personal data when the purpose of the storage no longer applies. Storage may also take place if required by legal standards to which we are subject, for example in relation to statutory retention and documentation obligations. In such cases, we will erase or block your personal data after the according standards cease to apply. 

DataGuard processes personal data of suppliers and service providers. This is necessary for our business operations. The following data are processed by suppliers:

• First name and surname
• Title
• Gender
• Email address
• Phone number

DataGuard collects data from people in the following manners:

• Receipt of personal data directly from the data subject via establishment of contact by suppliers
• Receipt of personal data directly from the data subject via establishment of contact by DataGuard
• Research in business directories or on websites
• Receipt of personal data from third parties

We will process your data for the following purposes:

• Performance of orders
• Review and optimisation of processes for needs assessment 
• Consultation and data exchange with credit agencies to determine credit and default risks 
• Market and opinion research, provided that you have not objected to the use of these data for this purpose 
• Assertion, exercise or defence of legal claims 
• Measures for business management and further development of our products  

Data processing takes place to initiate or perform a contractual relationship, and on the basis of the legitimate interests of DataGuard.

The following service providers are involved, as data processors, in our processing of supplier/service provider data:

Microsoft Inc. – Redmond, USA: For the forwarding of emails and storage of contact details of suppliers and service providers, DataGuard uses services such as Outlook to store these contact details. These data are used exclusively for communication with service provider/suppliers. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded with the service provider as part of the Online Services Terms.

Datev GmbH – Nuremberg, Germany: In order to comply with the GoBD (German regulations for the keeping of books and records electronically), DataGuard uses the services of DATEV. We have entered into a Data Processing Agreement with the service provider.

Candis GmbH – Berlin, Germany: DataGuard uses the Candis service for document input. This enables easier bookkeeping. We have entered into a Data Processing Agreement with the service provider.