Privacy Notes according to Art. 13, 14 GDPR

DataGuard | 23.03.23

Data protection is paramount to all DataGuard activities. A transparent process is very important to us when it comes to the way we process personal data. With the following privacy notes, we would like to inform you about how we handle your personal data in detail. For better legibility, we try not to use specific genders. Therefore, please note that the words they/them are intended to mean all genders.

A description of our data processing is available on our website.

General information

– applicable for all of the following descriptions of data processing

1.Identity and contact details of the data controller

The following party is responsible for all data processing described here:

DataCo GmbH
Dachauer Str. 65
80335 Munich
Tel.: +49 (0)89 7400 45840
E-Mail: info@dataguard.de
Website: www.dataguard.com

2.Contact details of the data protection officer

You can reach our data protection officer as follows:

DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
for the attention of the Data Protection Officer

E-Mail: datenschutz@dataguard.de

Rights of the data subject

When your personal data is processed, you are subsequently a data subject in the sense of the GDPR and have the following rights:

1.Right to obtain information

(Art. 15 GDPR)

If your personal data is processed, you have the right to obtain information from the controller about the data stored about you (Art. 15 GDPR).

2.Right to rectification

(Art. 16 GDPR)

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed (Art. 16 GDPR).

3.Right to erasure

(Art. 17 and 18 GDPR)

If the legal requirements are met, you can request the immediate deletion of your personal data or restriction of processing (Art. 17 and 18 GDPR).

4.Right to information

(Art. 19 GDPR)

If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients (right to information, Art. 19 GDPR).

5.Right to data portability

(Art. 20 GDPR)

If you have consented to data processing or if there is a contract for data processing and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR). In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other persons must not be adversely affected by this.

6.Right to object

(Art. 21 (1) GDPR)

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, which is based on Art. 6 para. 1 sentence 1 lit. e or f GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR).

7.Right to object to the processing of personal data for the purpose of advertising

(Art. 21 (2) GDPR)

If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is related to such direct marketing (Art. 21 (2) GDPR). If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

8.Right to revoke your declaration of consent

(Art. 7 (3) GDPR)

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation (Art. 7 (3) GDPR).

9.Automated individual decision-making, including profiling

(Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. In this case, if the legal requirements are met, you have the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision (Art. 22 GDPR).

10.Right to lodge a complaint

(Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you infringes the GDPR (Art. 77 GDPR). The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR. If you wish, you can also contact the supervisory authority responsible for us, who you can contact as follows:

The Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach
Postal address: Postfach 1349, 91504 Ansbach
Phone: 0981/ 180093-0
Fax: 0981/ 180093-800
E-Mail: poststelle@lda.bayern.de
Web: www.lda.bayern.de

for applicants

1.Processing of your personal data

As part of the DataGuard application process, DataGuard collects the following personal data from you:

  • First name and surname
  • Email address
  • Phone / mobile number
  • Availability
  • Expected salary
  • All personal data contained in the application (curriculum vitae, cover letter, certificates, etc.)

DataGuard collects data from interested parties in the following manners:

  • Direct application via the DataGuard careers page
  • Application via email, addressed directly to a DataGuard employee
  • Postal application
  • LinkedIn Easy Apply
  • Recruitment agencies
  • Candidates approached by DataGuard on LinkedIn

2.Purposes of processing and their legal basis

Your personal data will be processed for the following purposes:

  • Implementation of the application procedure and decision on the establishment of the employment relationship
  • Communication (telephone, e-mail, video telephony)
  • Implementation of pre-contractual measures (initiation of the employment relationship)
  • Inclusion of applicant data in a talent pool
  • Assertion, exercise or defence of legal claims arising from the application process

Processing of special categories of personal data that have been made public – Art. 9 (2) (e) GDPR
If special categories of personal data are processed that you have obviously made public, your data will be processed in accordance with Art. 9 (2) (e) GDPR.

Processing for the purpose of asserting, exercising or defending legal claims or in the event of acts of the courts – Art. 6 (1) (1) (f) GDPR, Art. 9 (1) (f) GDPR
If necessary, your data will be processed for the purpose of asserting, exercising or defending legal claims or in the event of actions of the courts pursuant to Art. 6 (1) (1) (f) GDPR, Art. 9 (1) (f) GDPR.

Processing on the basis of consent – Art. 6 (1) (1) (a) GDPR in conjunction with Art. 7 GDPR, Art. 88 (1) GDPR in conjunction with Art. 26 (2) BDSG (Federal Data Protection Act)
If you have given your consent to data processing, your data will be processed in accordance with Art. 6 (1) (1) (a) GDPR in conjunction with Art. 7 GDPR, Art. 88 (1) GDPR in conjunction with Art. 26 (2) BDSG.

Decision on the establishment of the employment relationship – Art. 6 (1) (1) (b) GDPR, Art. 88 (1) GDPR in conjunction with § 26 (1) BDSG
We process your data in order to make a decision on the establishment of the employment relationship. In the case of employment in our company, your data will be processed for the purpose of carrying out and terminating the employment relationship. For this purpose, separate information about the processing of your personal data will be provided.

Processing on the basis of legitimate interest – Art. 6 (1) (1) (f) GDPR
Insofar as the processing is carried out to safeguard a legitimate interest of us or a third party and their interests or fundamental rights and freedoms do not outweigh the first-mentioned interest, Art. 6 (1) (1) (f) GDPR serves us as the legal basis for data processing. Our legitimate interest arises in particular from the following reasons:

  • The proper execution and optimization of the application process
  • Assertion, exercise or defence of legal claims

Processing of special categories of personal data – Art. 9 (2) (a) GDPR
If you have given your consent to the processing of special categories of personal data, such as health data, religious affiliation or nationality, your data will be processed in accordance with Art. 9 (2) (a) GDPR.

3.Recipients or categories of recipients of personal data and third country transfer

As part of the processing of your personal data, we may pass on the personal data concerning you to the following recipients:

  • Internally, only authorized employees are granted access to an applicant's data via an authorization concept.
  • Freelancers
  • Processor

Otherwise, data will only be passed on to recipients outside the company if this is permitted or required by law, the transfer is necessary to fulfil legal obligations or if we have your consent.

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

  • LinkedIn Inc., Sunnyvale, USA:
    DataGuard uses the Easy Apply service. Applications can be sent directly to DataGuard via this service. A Data Processing Agreement with Standard Contractual Clauses (in accordance with European Union specifications) has been concluded with the service provider. The applications received via LinkedIn Easy Apply will be further processed in Personio (Personio GmbH – Munich, Germany) upon receipt. We have no influence on how long LinkedIn itself stores the data you provide.
  • Asana, Inc., San Francisco, USA:
    In the course of using our project management software Asana, we may process personal data from you in Asana.
  • DocuSign, Inc., San Francisco, USA
    (for signing contracts)
  • SourceWhale Ltd, 86-90 Paul Street, London, EC2A 4NE, United Kingdom (Our recruiting management tool). In the United Kingdom, an adequate level of data protection is provided according to a decision of the European Commission.

In order to make the third country transfer as data protection-friendly as possible, there is a data processing agreement with all providers in unsafe third countries with standard contractual clauses in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending us an informal e-mail. Adjustments to the judgment of the ECJ of 16.07.2020 (Schrems II, Az. C-311/18) including additional safety precautions are currently being sought by us.

Hazard statements in the context of transfers to third countries

When using some service providers, personal data may be stored on servers in third countries outside the EU, such as e.g. the United States. For the USA, there is no adequacy decision pursuant to Art. 45 (3) GDPR. We would like to point out that a transfer of data without an adequacy decision entails certain risks, about which we may inform you below:

U.S. intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information about you, with the help of which the data transmitted here can be traced back to you.

Providers of electronic communications services headquartered in the United States are subject to surveillance by U.S. intelligence services pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, providers of electronic communications services headquartered in the United States have the obligation to provide personal data to the U.S. authorities pursuant to 50 U.S. Code § 1881a, without you having any legal remedies. Even encryption of the data in the data centres of the electronic communications service provider cannot provide adequate protection, since a provider of electronic communications services has a direct obligation to provide access to or surrender the imported data in its possession, custody or control. This obligation may also explicitly extend to cryptographic keys, without which the data cannot be read.

In addition, U.S. security authorities are also entitled to access data of European companies with parent companies in the U.S. through the Cloud Act (Clarifying Lawful Overseas Use of Data - Act, regulation 18 U.S.C. § 2713).

For the following service providers within the EU, the Cloud Act may pose risks to your rights and freedoms:

  • Microsoft Operations Ltd. – Dublin, Ireland and
    Microsoft Corporation – Redmond, Washington (USA) when using Microsoft 365:
    DataGuard uses the Office 365 service, including Microsoft Teams, to conduct job interviews via video telephony and Outlook for communication by e-mail.

4.Duration of storage of personal data

We will delete your personal data as soon as the purposes for their storage mentioned under IV. no longer apply, or you object to the use of your personal data (in the case of processing on the basis of legitimate interests) or you revoke your previously given consent. However, your personal data may also be stored beyond this, in particular in the following cases:

  • if deletion conflicts with contractual, statutory (in particular from HGB (Commercial Code), StGB (Criminal Code) and AO (Tax code)) or statutory retention periods
  • to assert, exercise or defend legal claims
  • where required by European or national law to comply with a legal obligation to which we are subject.

Legal provisions result in the following storage periods for us in particular:

  • After decision on non-filling: 180 days retention period for application documents (§ 15 (4) General Equal Treatment Act (AGG), § 224 Code of Civil Procedure (ZPO)).

If the applicant has consented, the applicant documents will be included in the talent pool and stored there for a maximum of 1 year from the date of consent. They will be deleted with the loss of purpose or the revocation of consent by the applicant. In the case of employment in our company, your personal data will be deleted when the purpose ceases to apply, at the latest after termination of the employment relationship, unless there are any statutory retention periods to the contrary.

for customers and interested parties

1.Processing of your personal data

1.1Your personal data processed by us

Within the framework of the existing customer relationship as well as the contract initiation, we process the following personal data:

  • First name
  • Last name
  • Salutation
  • Title and academic degree
  • Company Name
  • Position within the company
  • Business address
  • Bank details
  • Tax ID
  • Customer number
  • Your e-mail address
  • Your mobile phone number
  • Your landline number
  • Your fax number
  • Role assigned within the platform and the according authorisations
  • All personal data that are provided to us during communication with clients
  • Creditworthiness data

Data protection management platform: DataGuard operates a data protection management platform. Employees of clients are invited to access this platform by the relevant DataGuard employees. It could also be the case that we process data of persons who assert their data subject rights against the clients of DataGuard. For the platform, the privacy policy provided therein applies, in the respective valid version.

DataGuard collects data from interested parties and customers in the following manners:

  • Requests via the contact form on the DataGuard website
  • Requests sent via messages to DataGuard employees, e.g. via email, LinkedIn messages and other communication channels
  • Requests at trade fairs or other events where data are passed on to DataGuard employees with the aim of establishing contact
  • Individual research about potential interested parties in business directories, contact information on websites, and professional networks
  • Individual booking of an appointment by an interested party
  • Querying of the personal data after concluding a contract with DataGuard from the persons themselves, or receipt of personal data via an employee of the client company. This could also concern employees of service providers used by a client’s company.
  • Entry of employees’ personal data by an administrative assistant of the client in the data protection platform.
  • Credit rating data is provided by Dun & Bradstreet, Deutschland GmbH (Robert-Bosch-Street 11, 64293 Darmstadt)

1.2Purpose of processing:

Within the framework of the existing customer relationship as well as the contract initiation, your personal data will be processed for the following purposes:

  • To process your request as an interested party. For this purpose, we use your contact details to be able to answer your request.
  • To prepare and carry out pre-contractual measures – this includes, for example, the preparation and sending of an individual offer or individual agreement and transmission of contractual conditions with the aim of concluding the contract.
  • To include your contact details in our customer and contact database.
  • Contact (e-mail, telephone)
  • Direct marketing in the form of telephone calls and e-mails   
  • Establishment, execution and termination of the contractual relationship
  • Customer management and customer service – esp. the processing of customer inquiries
  • To inform you optimally about our products and services. This also includes sending (direct) advertising by e-mail or telephone.
  • In order to optimally serve you as our customer. This includes, in particular, communication with you by e-mail, mobile phone, landline number or fax.
  • To ensure smooth billing of the services provided. For this purpose, your personal data will be processed in order to be able to issue invoices. In addition, we will forward your personal data to our external service provider Atradius N.V., David Ricardostraat 1, 1066 JS Amsterdam, P.O. Box 8982, 1006 JD Amsterdam, The Netherlands, in the event that invoices are not paid within the payment period.
  • To comply with our legal obligations. This includes, for example, the transmission of your personal data to the tax office.
  • For the purpose of providing information about DataGuard branded services.
  • For the purpose of carrying out marketing initiatives such as: newsletter dispatch, product updates, invitations to events and webinars
  • To fulfil post-contractual measures.
  • To assert, exercise or defend legal claims.
  • For the purpose of carrying out credit checks

1.3 Legal basis of data processing

The processing of data in the context of [purposes of 2.] is carried out on the basis of Art. 6 (1) (1) (a-f) GDPR.

Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data is based on Art. 6 (1) (1) (a) GDPR in conjunction with Art. 5, 7 GDPR.

Processing for the purpose of implementing the contract with you
Insofar as we process your personal data for the purpose of fulfilling a contract, Art. 6 (1) (1) (b) GDPR serves as our legal basis. This also applies to processing operations that are necessary for the implementation of pre- and post-contractual measures.

Processing for the fulfillment of a legal obligation
Insofar as the processing of your personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as our legal basis. Our legal obligation to process data results e.g. from tax law and/or commercial law retention obligations.

Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 (1) (1) (f) GDPR if our legitimate interests are present, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legitimate interests pursued by us in this regard - in addition to the purposes listed under b - include:

  • To be able to inform you optimally about our products, offers and services by means of direct marketing;  
  • In communicating with you, in particular to be able to answer your inquiries by e-mail, telephone and/or fax;
  • In order to be able to carry out a due diligence with our potential business partner.
  • We carry out credit checks on our potential business customers. Our legitimate interest lies in the avoidance of payment defaults.

The legal basis for processing activities in connection with the assertion, exercise or defense of legal claims is also our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR.

2.Recipients or categories of recipients of personal data and third country transfer

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have consented or if this is permitted by law.

External recipients of your personal data are in particular:

  • Freelancers
  • Data processors
  • Potential business partners in the context of a (future) due diligence review
  • Authorities e.g. tax offices, courts, trade supervisory office, Data protection supervisory authority, BAFA (Federal Office of Economics and Export Control)
  • Settlement partners   
  • Collection agencies  
  • Credit institutions   
  • Parcel service providers   
  • Postal service   
  • Lawyer, tax consultants
  • Auditor
  • Affiliated companies

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

  • Chargebee, Inc. – California, USA (Invoicing and accounts receivables tool)
  • HubSpot, Inc. – Cambridge, USA
    DataGuard uses HubSpot as a central marketing tool in which all data of interested parties from all channels are collected, where they are then qualified.
  • Asana, Inc. – San Francisco, USA (our project management software)
  • Salesforce, Inc. – San Francisco, USA (our CRM-System)
  • PandaDoc, Inc. – San Francisco, USA (contract creation, Document management service)
  • LinkedIn Inc. – Sunnyvale, USA (Using the LinkedIn extension for outbound activities)
  • Outreach Corporation – Seattle, USA (Supports outbound activities)
  • Cognism Limited – Richmond, United Kingdom (Supports outbound activities)
    In the United Kingdom, an adequate level of data protection is provided according to a decision of the European Commission.
  • We also transfer personal data to the United Kingdom to our subsidiary DATACO INTERNATIONAL UK LIMITED, Suite 1, 7th Floor, 50 Broadway, London, United Kingdom, SW1H OBL. There, an adequate level of data protection is provided in accordance with a decision of the European Commission.
  • Fivetran Inc., Oakland, USA (processing of interested-party data)

In order to make the third country transfer as data protection-friendly as possible, there is a data processing agreement with all providers in unsafe third countries with standard contractual clauses in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending us an informal e-mail. Adjustments to the judgment of the ECJ of 16.07.2020 (Schrems II, Az. C-311/18) including additional safety precautions are currently being sought by us.

Hazard statements in the context of transfers to third countries

When using some service providers, personal data may be stored on servers in third countries outside the EU, such as e.g. the United States. For the USA, there is no adequacy decision pursuant to Art. 45 (3) GDPR. We would like to point out that a transfer of data without an adequacy decision entails certain risks, about which we may inform you below:

U.S. intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information about you, with the help of which the data transmitted here can be traced back to you.

Providers of electronic communications services headquartered in the United States are subject to surveillance by U.S. intelligence services pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, providers of electronic communications services headquartered in the United States have the obligation to provide personal data to the U.S. authorities pursuant to 50 U.S. Code § 1881a, without you having any legal remedies. Even encryption of the data in the data centres of the electronic communications service provider cannot provide adequate protection, since a provider of electronic communications services has a direct obligation to provide access to or surrender the imported data in its possession, custody or control. This obligation may also explicitly extend to cryptographic keys, without which the data cannot be read.

In addition, U.S. security authorities are also entitled to access data of European companies with parent companies in the U.S. through the Cloud Act (Clarifying Lawful Overseas Use of Data - Act, regulation 18 U.S.C. § 2713).

For the following service providers within the EU, the Cloud Act may pose risks to your rights and freedoms:

  • Pipedrive OÜ – Tallinn, Estonia (contract and deal management) and Pipedrive, Inc, 490 1st Ave South, Suite 800 St. Petersburg, FL 33701, USA
  • Microsoft Operations Ltd. in Dublin, Ireland and Microsoft Corporation - Redmond, Washington (USA) when using Microsoft 365:

DataGuard uses the Office 365 service, incl. Microsoft Teams, to carry out audit phone calls via video telephony, and Outlook for communication of appointments via email. 

We also use functionalities of the Microsoft Bookings software of Microsoft. Through Microsoft Bookings, we are able to provide users on our site with a simplified way to make appointments by displaying and booking available appointments with appropriate staff.

The following personal data is processed by Microsoft: 

  • Name
  • First name
  • E-mail address
  • IP address
  • Device and browser information
  • A user ID assigned by Microsoft
  • Referrer URL

3.Duration of storage of personal data

We do not store your personal data longer than is necessary for the purpose for which it was collected. This means that data in our systems will be destroyed or deleted as soon as it is no longer needed. Reasonable measures are taken by us to ensure that your personal data is only processed under the following conditions:

  • For the duration that the data is used to provide you with a service
  • As required by applicable law, contract, or in light of our legal obligations
  • Only as long as necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, using appropriate safeguards.

A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - retention is still necessary, in particular for the fulfillment of legal retention periods of up to ten years (including from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act). In the case of statutory retention obligations, deletion is only considered after the expiry of the respective retention obligation.

4.Obligation to provide data

For a (planned) conclusion as well as the execution of the contract with you, you must provide those personal data which are necessary for the establishment and execution of the contractual relationship and the fulfillment of the associated contractual obligations or which we are legally obliged to collect (see in particular the standards listed under "III.3."). This obligation also arises from the law, e.g. § 14 UStG. Without this data, we will generally not be able to conclude and execute the contract with you.

for service providers and suppliers

1.Processing of your personal data

1.1Your personal data processed by us

DataGuard processes personal data from suppliers and service providers. This is necessary for business operations. The following data is processed in this context:

  • First name
  • Last name
  • Business address
  • Company name
  • Bank details
  • Your e-mail address
  • Your mobile phone number
  • Your landline number
  • Your fax number
  • Title and academic degree
  • Position within the company
  • All personal data that are provided to us during communication

DataGuard collects data from people in the following manners:

  • Receipt of personal data directly from the data subject via establishment of contact by suppliers / service provider
  • Receipt of personal data directly from the data subject via establishment of contact by DataGuard
  • Research in business directories or on websites

1.2Purpose of processing

We will process your data for the following purposes:

  • Initiation, execution and termination of a contractual relationship
  • Performance of orders
  • Review and optimisation of processes for needs assessment 
  • Consultation and data exchange with credit agencies to determine credit and default risks 
  • Market and opinion research, provided that you have not objected to the use of these data for this purpose 
  • Assertion, exercise or defence of legal claims 
  • Measures for business management and further development of our products  

1.3Legal basis of data processing:

The processing of data in the context of [purposes of 2.] is carried out on the basis of Art. 6 (1) (1) (a-f) GDPR.

Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data is based on Art. 6 (1) (1) (a) GDPR in conjunction with Art. 5, 7 GDPR.

Processing for the purpose of implementing the contract with you
Insofar as we process your personal data for the purpose of fulfilling a contract, Art. 6 (1) (1) (b) GDPR serves as our legal basis. This also applies to processing operations that are necessary for the implementation of pre- and post-contractual measures.

Processing for the fulfillment of a legal obligation
Insofar as the processing of your personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as our legal basis. Our legal obligation to process data results e.g. from tax law and/or commercial law retention obligations.

Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 (1) (1) (f) GDPR if our legitimate interests are present, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legitimate interests pursued by us in this regard - in addition to the purposes listed under b - include:

  • To be able to inform you optimally about our products, offers and services by means of direct marketing;    
  • In communicating with you, in particular to be able to answer your inquiries by e-mail, telephone and/or fax;
  • In order to be able to carry out a due diligence with our potential business partner.

The legal basis for processing activities in connection with the assertion, exercise or defense of legal claims is also our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR.

2.Recipients or categories of recipients of personal data and third country transfer

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have consented or if this is permitted by law. External recipients of your personal data are in particular:

  • Freelancers
  • Data processors
  • Potential business partners in the context of a (future) due diligence review
  • Authorities e.g. tax offices, courts, trade supervisory office
  • Settlement partners   
  • Credit institutions   
  • Parcel service providers     
  • Postal service   
  • Lawyer, tax consultants
  • Auditor
  • Affiliated companies

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

  • We also transfer personal data to the United Kingdom to our subsidiary DATACO INTERNATIONAL UK LIMITED, Suite 1, 7th Floor, 50 Broadway, London, United Kingdom, SW1H OBL. There, an adequate level of data protection is provided in accordance with a decision of the European Commission.
  • DocuSign, Inc., San Francisco, USA (for signing contracts)

In order to make the third country transfer as data protection-friendly as possible, there is a data processing agreement with all providers in unsafe third countries with standard contractual clauses in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending us an informal e-mail. Adjustments to the judgment of the ECJ of 16.07.2020 (Schrems II, Az. C-311/18) including additional safety precautions are currently being sought by us.

Hazard statements in the context of transfers to third countries

When using some service providers, personal data may be stored on servers in third countries outside the EU, such as the United States. For the USA, there is no adequacy decision pursuant to Art. 45 (3) GDPR. We would like to point out that a transfer of data without an adequacy decision entails certain risks, about which we may inform you below:

U.S. intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information about you, with the help of which the data transmitted here can be traced back to you.

Providers of electronic communications services headquartered in the United States are subject to surveillance by U.S. intelligence services pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, providers of electronic communications services headquartered in the United States have the obligation to provide personal data to the U.S. authorities pursuant to 50 U.S. Code § 1881a, without you having any legal remedies. Even encryption of the data in the data centres of the electronic communications service provider cannot provide adequate protection, since a provider of electronic communications services has a direct obligation to provide access to or surrender the imported data in its possession, custody or control. This obligation may also explicitly extend to cryptographic keys, without which the data cannot be read.

In addition, U.S. security authorities are also entitled to access data of European companies with parent companies in the U.S. through the Cloud Act (Clarifying Lawful Overseas Use of Data - Act, regulation 18 U.S.C. § 2713).

For the following service providers within the EU, the Cloud Act may pose risks to your rights and freedoms:

  • Microsoft Operations Ltd. in Dublin, Ireland and Microsoft Corporation - Redmond, Washington (USA) when using Microsoft 365:

DataGuard uses services such as Outlook to forward e-mails and to store the contact details of suppliers and service providers.

3.Duration of storage of personal data

We do not store your personal data longer than is necessary for the purpose for which it was collected. This means that data in our systems will be destroyed or deleted as soon as it is no longer needed. Reasonable measures are taken by us to ensure that your personal data is only processed under the following conditions:

  • As required by applicable law, contract, or in light of our legal obligations
  • Only as long as necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, using appropriate safeguards.

A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - retention is still necessary, in particular for the fulfillment of legal retention periods of up to ten years (including from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act). In the case of statutory retention obligations, deletion is only considered after the expiry of the respective retention obligation.

4.Obligation to provide data

For a (planned) conclusion as well as the execution of the contract with you, you must provide those personal data which are necessary for the establishment and execution of the contractual relationship and the fulfillment of the associated contractual obligations or which we are legally obliged to collect (see in particular the standards listed under "III.3."). Without this data, we will generally not be able to conclude and execute the contract with you.

for event participants

1.Processing of your personal data

1.1Your personal data processed by us

We process personal data that we receive from you by participating in the event. In particular, we process:

  • Livestream recordings
  • Video
  • Photos
  • Forename
  • Surname
  • Affiliation
  • E-mail address
  • Salutation
  • Signature in case of consent given

1.2Purpose of processing

We process your personal data for the following purposes:

  • To carry out the event
  • For internal reporting of the event
  • For advertising purposes for our company on social networks

In addition, the film and video recordings will be published for marketing purposes after the event:

  • On the website https://www.dataguard.de/
  • In social or professional networks (YouTube, LinkedIn, Twitter, Kununu, Glassdoor)

It is not intended to process your personal data for any other purpose.

1.3Legal basis of data processing:


Processing based on legitimate interest

The legal basis for the transmission of your personal data (first and last name and company name) to our conference organizers in Berlin (RYDES GmbH, Brunnenstreet 19-21, 10119 Berlin, Germany) and Düsseldorf (ARQIS Rechtsanwälte Partnerschaftsgesellschaft, Breite Street 28, 40123 Düsseldorf, Germany) is our legitimate interest (Art. 6 (1) (1) (f) GDPR) in holding the event at the venue requested by the event participant.

The legal basis for the production of photo and film recordings during our events is our legitimate interest (Art. 6 (1) (1) (f) GDPR) in the subsequent internal and external publication of the photo and film recordings for marketing purposes on our company website https://www.dataguard.de/ and in social or professional networks (YouTube, LinkedIn, Twitter, Kununu, Glassdoor).

If you do not wish to be photographed or filmed, you will receive a coloured lanyard from us at the entrance area of the event, which signals to the photographer / cameraman that you do not want to be photographed or filmed. If you should nevertheless be seen in group shots, you will be made unrecognizable in these shots afterwards.

For the publication of the photo and film recordings, we obtain your consent at the entrance area of the venue, which you can of course give voluntarily.

Processing of your personal data on the basis of consent

The legal basis for the processing of your personal data both for the purpose of participation in the event and for the internal and external publication of film recordings is your consent and thus Art. 6 (1) (1) (a) GDPR in conjunction with Art. 5, 7 GDPR. You have the right to revoke your declaration of consent under data protection law at any time by e-mail to datenschutz@dataguard.de. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation (Art. 7 (3) GDPR).

If you are depicted on a photo or film recording together with other persons, the deletion or destruction of the photo or film recording is not mandatory if you revoke your consent. It is enough if you are made unrecognizable. Insofar as information about your ethnic origin, religion or health (e.g. skin colour, headgear or glasses) can be seen on a photo or film recording, the consent also expressly refers to this information.

Information on publication on the Internet

If personal data has been made publicly accessible and you revoke your consent, we as the responsible body are only obliged to inform other recipients. This does not affect the obligation of these recipients to delete personal data. You can take direct action against other controllers who process your personal data and request deletion. Information posted on the Internet may never be completely deleted, even if it has been deleted from the original page. In any case, the providers of the main search engines are informed of the request for deletion, so that the personal data can at least no longer appear in search queries without further ado. I am aware that photos and/or videos on the Internet can be accessed by anyone. Despite all technical precautions, it cannot be ruled out that such persons may continue to use the photos and/or videos or pass them on to other persons. The Company is not liable for third parties using the photos for other purposes, including in particular by downloading and/or copying photos.

2.Recipients or categories of recipients of personal data and third country transfer

If you would like to participate in our events in Berlin or Düsseldorf, we will transmit your first and last name and the name of your company to our conference organizers in Berlin / Düsseldorf so that the registration can be accepted on site and you can be granted admission to the office premises. The transfer of your personal data takes place to the following conference organizers:

For events in Düsseldorf:
ARQIS Rechtsanwälte Partnerschaftsgesellschaft
Breite Street 28
40123 Düsseldorf
Germany

For events in Berlin:
RYDES GmbH
Brunnenstreet 19-21
10119 Berlin
Germany

If we use a service provider (e.g. an event manager) for order processing, we remain responsible for the protection of your data. All processors are obliged to treat your data confidentially and to process it only in the context of the provision of services.

To carry out our event we use the platform: Microsoft Ireland Operations Limited: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Your data will be transferred to Microsoft servers in the United States. The order processing contract with Microsoft includes so-called EU standard data protection clauses (Art. 46 (2) (c) GDPR). These are to be classified as an appropriate guarantee for the protection of the transfer and processing of personal data outside the EU. A copy of the standard data protection clauses can be requested by sending us an informal e-mail.

For more information about Microsoft's data processing, see: https://privacy.microsoft.com/de-de/privacystatement

The following data is used:

  • Name
  • Video footage (if the camera is turned on)
  • E-mail address
  • IP address
  • Metadata of the end device

The purpose is the registration for the event and its execution as a hybrid event (transmission of the event, possibility to ask questions, feedback loops to improve the event). Furthermore, a publication takes place on the Internet on our website and on social or professional networks. Under certain circumstances, further use by third parties or complete deletion cannot be ruled out.

  • LinkedIn:
    Linkedin Inc., Sunnyvale, USA
    On our site we provide information and offer users the possibility of communication.
    The corporate identity is used for applications, information/PR, marketing and active sourcing.
    We do not have any information on the processing of your personal data by the companies jointly responsible for the corporate identity. Further information can be found in the privacy policy of LinkedIn: https://www.linkedin.com/legal/privacy-policy
    If you carry out an action on our corporate identity (e.g. comments, posts, likes, etc.), it may be that you thereby collect personal data (e.g. real name or photo of your user profile).
    You can object to the processing of your personal data, which we collect in the context of your use of our corporate identity, at any time and assert your data subject rights as stated in these privacy notes. Please send us an informal e-mail to datenschutz@dataguard.de.
    Further information on objection and removal options can be found here:
    LinkedIn: https://www.linkedin.com/legal/privacy-policy

     

  • YouTube:
    YouTube, LLC, San Bruno, USA
    On our company page we provide information and offer YouTube users the possibility of communication. If you carry out an action on our YouTube website (e.g. comments, posts, likes, etc.), it may be that you thereby collect personal data (e.g. real name or photo of your user profile). However, since we usually or to a large extent have no influence on the processing of your personal data by YouTube, which is jointly responsible for the DataCo GmbH corporate identity, we cannot provide any binding information on the purpose and scope of the processing of your data.
    Our corporate presence in social networks is used for communication and information exchange with (potential) customers. In particular, we use the corporate identity to provide information about products and services.
    You can object to the processing of your personal data, which we collect in the context of your use of our YouTube corporate identity, at any time and assert your data subject rights as stated in these privacy notes. You can find further information on the processing of your personal data by YouTube and the corresponding objection options here: https://policies.google.com/privacy?gl=DE&hl=de

     

  • Twitter:
    Twitter Inc., San Francisco, USA
    On our company page we provide information and offer Twitter users the possibility of communication. If you carry out an action on our Twitter website (e.g. comments, posts, likes, etc.), it may be that you thereby collect personal data (e.g. real name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by Twitter, the companies jointly responsible for the company's appearance, we cannot provide any binding information on the purpose and scope of the processing of your data.
    Our corporate presence in social networks is used for communication and information exchange with (potential) customers.
    The publications about the company's appearance may contain the following content:
    • Information about products
    • Information about services
    • Sweepstakes
    • Advertising
    • Customer
    Every user is free to publish personal data through activities.
    The data generated by the company's identity is not stored in our own systems.
    You can object to the processing of your personal data, which we collect in the context of your use of our Twitter corporate identity, at any time and assert your data subject rights as stated in these privacy notes. Please send us an informal e-mail to datenschutz@dataguard.de.
    You can find further information on the processing of your personal data by Twitter and the corresponding objection options here: https://twitter.com/de/privacy

Hazard statements in the context of transfers to third countries

When using some service providers, personal data may be stored on servers in third countries outside the EU, such as the United States. For the USA, there is no adequacy decision pursuant to Art. 45 (3) GDPR. We would like to point out that a transfer of data without an adequacy decision entails certain risks, about which we may inform you below:

U.S. intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information about you, with the help of which the data transmitted here can be traced back to you.

Providers of electronic communications services headquartered in the United States are subject to surveillance by U.S. intelligence services pursuant to 50 U.S. Code § 1881a ("FISA 702"). Accordingly, providers of electronic communications services headquartered in the United States have the obligation to provide personal data to the U.S. authorities pursuant to 50 U.S. Code § 1881a, without you having any legal remedies. Even encryption of the data in the data centres of the electronic communications service provider cannot provide adequate protection, since a provider of electronic communications services has a direct obligation to provide access to or surrender the imported data in its possession, custody or control. This obligation may also explicitly extend to cryptographic keys, without which the data cannot be read.

In addition, the Cloud Act (Clarifying Lawful Overseas Use of Data – Act, Regulation 18 U.S.C. § 2713) also allows US security authorities to access data of European companies with parent companies in the USA.

In order to make the third country transfer as data protection-friendly as possible, there is an order processing contract with all providers in unsafe third countries with standard contractual clauses in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending us an informal e-mail. Adjustments to the judgment of the ECJ of 16.07.2020 (Schrems II, Az. C-311/18) including additional safety precautions are currently being sought by us.

3.Duration of storage of personal data

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data in our systems is destroyed or deleted as soon as it is no longer needed. We take reasonable steps to ensure that your personal data is only processed under the following conditions:

  • For the duration that the data is used to provide you with a service
  • As required by applicable law, contract or in view of our legal obligations
  • Only for as long as is necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, applying appropriate safeguards.

If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their - temporary - storage is still necessary.
