Privacy Notes
according to Art. 13, 14 GDPR

Responsible for the processing of your personal data in the context of this contact is

DataCo GmbH
Sandstrasse 33
80335 Munich, Germany

Phone: +49 89 452459 900
E-mail: info@dataguard.de
Website: www.dataguard.com

The designated data protection officer is the

DataCo GmbH
Sandstrasse 33
80335 Munich, Germany
for the attention of the Data Protection Officer

E-Mail:

If your request is specifically directed to DataCo GmbH as the data controller, please write to us at the following e-mail address: dpo@dataguard.de

If your request is directed to one of our customers for whom we are appointed as external data protection officer, please write to us at the following e-mail address: datenschutz@dataguard.de and kindly mention the company name of our customer in this e-mail.

(Art. 15 GDPR)

You may request from the data controller to confirm whether your personal data is processed by them.

If such processing is the case, you can request the following information from the data controller:

• The purpose for which the personal data is processed;
• The categories of personal data being processed;
• The recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed, especially in the case of recipients in third countries or international organizations;
• The planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
• The existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the data controller or a right to object to such processing;
• The existence of a right of appeal to a supervisory authority;
• All available information on the source of the data if the personal data is not collected from the data subject;
• The existence of automated decision-making including profiling under Art. 22 (1) and (4) GDPR and, in certain cases, meaningful information about the data processing system involved, and the scope and intended result of such processing on the data subject.

You have the right to request information on whether your personal data will be transmitted to a third country or an international organisation. In this context, you can then request for the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.

The data controller will provide you with a copy of the personal data that is the subject of the processing. Freedoms and rights of other persons shall not be affected. For any additional copies you request, the data controller may charge a reasonable fee based on administrative costs. If you make the request electronically, the information must be provided in a common electronic format unless you specify otherwise.

(Art. 16 GDPR)

You have the right to obtain from the controller the rectification without delay of inaccurate personal data concerning you and the right to obtain the completion of incomplete personal data.

(Art. 17 GDPR)

a) Obligation to erase

If you request from the data controller to delete your personal data with immediate effect, they are required to do so immediately given that one of the following applies:

• Personal data concerning you is no longer necessary for the purposes for which they were collected or processed.
• You revoke your consent, to which the processing is allowed pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR and there is no other legal basis for processing the data
• According to Art. 21 (1) GDPR you object to the processing of the data given that the processing of the data is justified by a legitimate interest, or you object pursuant to Art. 21 (2) GDPR.
• Your personal data has been processed unlawfully.
• The act of deleting your personal data will invoke a legal obligation under the Union law or the law of the Member States to which the data controller is subject.
• Your personal data was collected in relation to information business services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties

If the data controller has made your personal data public and has to delete the data pursuant to Art. 17 (1) GDPR, they shall take appropriate measures, including technical means, to inform data processors who process the personal data, that a request has been made to delete all links to such personal data or copies or replications of the personal data, taking into account available technology and implementation costs to execute the process.

c) Exceptions

The right to deletion does not exist if the processing is necessary

• to exercise the right to freedom of speech and information;
• to fulfill a legal obligation required by the law of the Union or of the Member States to which the representative is subject, or to perform a task of public interest or in the exercise of public authority delegated to the representative;
• for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
• for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
• to enforce, exercise or defend legal claims.

(Art. 18 GDPR)

You may request the restriction of the processing of your personal data under the following conditions:

• If you challenge the correctness of your personal data for a period of time that enables the data controller to verify the accuracy of your personal data;
• The processing is unlawful, and you refuse the erasure of the personal data and instead demand the restriction of the use of the personal data;
• The representative no longer needs the personal data for the purpose of processing, but you need it to assert, exercise or defend legal claims; or
• If you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the data controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data may with the exception of data storage only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest, interest to the Union, or a Member State.

If the processing has been restricted according to the beforementioned conditions, you will be informed by the data controller before the restriction is lifted.

(Art. 19 GDPR)

If you have the right of rectification, erasure or restriction of processing over the data controller, they are obliged to notify all recipients to whom your personal data have been disclosed of the correction or erasure of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You reserve the right to be informed about the recipients of your data by the data controller.

(Art. 20 GDPR)

You have the right to receive your personal data given to the data controller in a structured, standard and machine-readable format. In addition, you have the right to transfer this data to another person without hindrance by the data controller who was initially given the data, given that the processing is based on a consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and the processing is done by automated means.

In exercising this right, you also have the right to maintain that your personal data relating to you are transmitted directly from one person to another, insofar as this is technically feasible. Freedoms and rights of other persons shall not be affected.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the data controller.

(Art. 21 GDPR)

Subjective to your situation, you have, at any time, the right to object against the processing of your personal data pursuant to Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

The data controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data in regard to such advertising; this also applies to profiling insofar as it is associated with direct mail.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purpose.

You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

(Art. 7 (3) GDPR)

You have the right to withdraw your consent at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

(Art. 22 GDPR)

You have the right not to subject to a decision based solely on automated processing including profiling that will have legal effect or affect you in a similar manner. This does not apply if the decision

1. is required for the conclusion or execution of a contract between you and the data controller,
2. is permitted by the Union or Member State legislation to which the data controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
3. with your expressed consent.

However, these decisions must not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (a) and (c), the data controller shall take appropriate measures to uphold your rights and freedoms as well as your legitimate interests, including the right to obtain assistance from the data controller or their representative, to express your opinion on the matter, and to contest the decision.

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, if you believe that the processing of the personal data concerning you violates the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

In case of transfer of your personal data to a recipient in a third country or to an international organization, you have the possibility to obtain a copy of the appropriate safeguards pursuant to Article 46 or Article 47 or Article 49 (1) (2) GDPR from us by sending an informal email to dpo@dataguard.de.

As part of the DataGuard application process, DataGuard collects the following personal data from you:

• First name and surname
• Email address
• Phone / mobile number
• Availability
• Expected salary
• All personal data contained in the application (curriculum vitae, cover letter, certificates, etc.)

DataGuard collects personal data from applicants in the following manners:

• Direct application via the DataGuard careers page
• Application via email, addressed directly to a DataGuard employee
• Postal application
• LinkedIn Easy Apply
• Recruitment agencies
• Candidates approached by DataGuard on LinkedIn

Your personal data will be processed for the following purposes:

• Implementation of the application procedure and decision on the establishment of the employment relationship
• Where consent has been given, the interview will be transcribed by an AI notetaker.
• Communication (telephone, e-mail, video telephony)
• Implementation of pre-contractual measures (initiation of the employment relationship)
• Inclusion of applicant data in a talent pool
• Assertion, exercise or defence of legal claims arising from the application process

Processing of special categories of personal data that have been made public – Art. 9 (2) (e) GDPR
If special categories of personal data are processed that you have obviously made public, your data will be processed in accordance with Art. 9 (2) (e) GDPR.

Processing for the purpose of asserting, exercising or defending legal claims or in the event of acts of the courts – Art. 6 (1) (1) (f) GDPR, Art. 9 (1) (f) GDPR
If necessary, your data will be processed for the purpose of asserting, exercising or defending legal claims or in the event of actions of the courts pursuant to Art. 6 (1) (1) (f) GDPR, Art. 9 (1) (f) GDPR.

Processing on the basis of consent – Art. 6 (1) (1) (a) GDPR in conjunction with Art. 7 GDPR, Art. 88 (1) GDPR in conjunction with Art. 26 (2) BDSG (Federal Data Protection Act)
If you have given your consent to data processing, your data will be processed in accordance with Art. 6 (1) (1) (a) GDPR in conjunction with Art. 7 GDPR, Art. 88 (1) GDPR in conjunction with Art. 26 (2) BDSG.

Decision on the establishment of the employment relationship Art. 6 (1) (1) (b) GDPR, Art. 88 (1) GDPR in conjunction with § 26 (1) BDSG
We process your data in order to make a decision on the establishment of the employment relationship. In the case of employment in our company, your data will be processed for the purpose of carrying out and terminating the employment relationship. For this purpose, separate information about the processing of your personal data will be provided.

Processing on the basis of legitimate interest – Art. 6 (1) (1) (f) GDPR
Insofar as the processing is carried out to safeguard a legitimate interest of us or a third party and their interests or fundamental rights and freedoms do not outweigh the first-mentioned interest, Art. 6 (1) (1) (f) GDPR serves us as the legal basis for data processing. Our legitimate interest arises in particular from the following reasons:

• The proper execution and optimization of the application process
• Assertion, exercise or defence of legal claims

Processing of special categories of personal data – Art. 9 (2) (a) GDPR
If you have given your consent to the processing of special categories of personal data, such as health data, religious affiliation or nationality, your data will be processed in accordance with Art. 9 (2) (a) GDPR.

As part of the processing of your personal data, we may pass on the personal data concerning you to the following recipients:

• Internally, only authorized employees are granted access to an applicant's data via an authorization concept.
• Freelancers
• Processor

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

• DocuSign, Inc., San Francisco, USA
• SourceWhale Ltd, 86-90 Paul Street, London, EC2A 4NE, United Kingdom (Our recruiting management tool). In the United Kingdom, an adequate level of data protection is provided according to a decision of the European Commission.  

In order to make the third country transfer as data protection-friendly as possible, standard contractual clauses have been concluded with providers in third countries in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending an informal e-mail to dpo@dataguard.de.

The following service providers in the USA are subject to the Trans-Atlantic Data Privacy Framework (TDPF; Data protection agreement between the EU and the USA) to ensure an adequate level of data protection for data processing: 

• Ashby, San Francisco, USA
• Asana, Inc., San Francisco, USA

For the purpose of communication with applicants, we use the Microsoft 365 service, including Microsoft Teams from the service provider Microsoft Operations Ltd. in Dublin, Ireland.  For more information about Microsoft's data processing, see: https://privacy.microsoft.com/de-de/privacystatement 

In addition, your personal data will be transmitted to the following service providers:

• CodeTwo sp. z o.o. sp. k., Jelenia Gora at ul. Wolnosci 16, Poland

We will delete your personal data as soon as the purposes for their storage mentioned under IV. no longer apply, or you object to the use of your personal data (in the case of processing on the basis of legitimate interests) or you revoke your previously given consent. However, your personal data may also be stored beyond this, in particular in the following cases:

• if deletion conflicts with contractual, statutory (in particular from HGB (Commercial Code), StGB (Criminal Code) and AO (Tax code)) or statutory retention periods
• to assert, exercise or defend legal claims
• where required by European or national law to comply with a legal obligation to which we are subject.

Legal provisions result in the following storage periods for us in particular:

• After decision on non-filling: 180 days retention period for application documents (§ 15 (4) General Equal Treatment Act (AGG), § 224 Code of Civil Procedure (ZPO)).

If the applicant has consented, the applicant documents will be included in the talent pool and stored there for a maximum of 1 year from the date of consent. They will be deleted with the loss of purpose or the revocation of consent by the applicant. In the case of employment in our company, your personal data will be deleted when the purpose ceases to apply, at the latest after termination of the employment relationship, unless there are any statutory retention periods to the contrary.

1.1 Your personal data processed by us

Within the framework of the existing customer relationship as well as the contract initiation, we process the following personal data:

• First name
• Last name
• Salutation
• Title and academic degree
• Company Name
• Position within the company
• Business address
• Bank details
• Tax ID
• Customer number
• Your e-mail address
• Your mobile phone number
• Your landline number
• Your fax number
• Role assigned within the platform and the according authorisations
• All personal data that are provided to us during communication with clients
• Creditworthiness data
  
  

Data protection management platform: DataGuard operates a data protection management platform. Employees of clients are invited to access this platform by the relevant DataGuard employees. It could also be the case that we process data of persons who assert their data subject rights against the clients of DataGuard. For the platform, the privacy policy provided therein applies, in the respective valid version.

DataGuard collects data from interested parties and customers in the following manners:

• Requests via the contact form on the DataGuard website
• Requests sent via messages to DataGuard employees, e.g. via email, LinkedIn messages and other communication channels
• Requests at trade fairs or other events where data are passed on to DataGuard employees with the aim of establishing contact
• Individual research about potential interested parties in business directories, contact information on websites, and professional networks
• Individual booking of an appointment by an interested party
• Querying of the personal data after concluding a contract with DataGuard from the persons themselves, or receipt of personal data via an employee of the client company. This could also concern employees of service providers used by a client’s company.
• Entry of employees’ personal data by an administrative assistant of the client in the data protection platform.
• From Dealfront Group GmbH, Durlacher Allee 73, 76131 Karlsruhe, Germany
• Credit rating data is provided by Dun & Bradstreet, Deutschland GmbH (Robert-Bosch-Street 11, 64293 Darmstadt)
• If you are a participant of the Bits & Pretzels event of Startup Events GmbH, Rumfordstraße 15, 80469 Munich, Germany and allow us to scan your name badge during the event in order to contact you afterwards for advertising purposes, we will receive your contact data from Startup Events GmbH afterwards.
  Further information on the handling of your personal data by Startup Events GmbH can be found here: https://www.bitsandpretzels.com/legal/privacy-policy

1.2 Purpose of processing

Within the framework of the existing customer relationship as well as the contract initiation, your personal data will be processed for the following purposes:

• To process your request as an interested party. For this purpose, we use your contact details to be able to answer your request.
• To prepare and carry out pre-contractual measures – this includes, for example, the preparation and sending of an individual offer or individual agreement and transmission of contractual condictions with the aim of concluding the contract.
• To include your contact details in our customer and contactdatabase.
• Contact (e-mail, telephone)
• Establishment, execution and termination of the contractual relationship
• Customer management and customer service – esp. the processing of customer inquiries
• To inform you optimally about our products and services. This also includes sending (direct) advertising by e-mail or telephone .
• In order to optimally serve you as our customer. This includes, in particular, communication with you by e-mail, mobile phone, landline number or fax.
• To ensure smooth billing of the services provided. For this purpose, your personal data will be processed in order to be able to issue invoices. In addition, we forward your personal data to our external service provider Atradius N.V., David Ricardostraat 1, 1066 JS Amsterdam, P.O. Box 8982 , 1006 JD Amsterdam, The Netherlands, for the purpose of debt collection if invoices are not paid within the payment period.
• To comply with our legal obligations. This includes, for example, the transmission of your personal data to the tax office.
• For the performance of credit checks
• For the purpose of providing information about Dataguard branded services.
• For the purpose of carrying out marketing initiatives such as: newsletter dispatch, product updates, invitations to events and webinars
• To fulfil post-contractual measures.
• To assert, exercise or defend legal claims.
• To carry out product testing phases
• To query your satisfaction with our products and services

1.3 Legal basis of data processing

Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data is based on Art. 6 (1) (1) (a) GDPR in conjunction with. Art. 5, 7 GDPR.

Processing for the purpose of implementing the contract with you
Insofar as we process your personal data for the purpose of fulfilling a contract, Art. 6 (1) (1) (b) GDPR serves as our legal basis. This also applies to processing operations that are necessary for the implementation of pre- and post-contractual measures.

Processing for the fulfillment of a legal obligation
Insofar as the processing of your personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as our legal basis. Our legal obligation to process data results e.g. from tax law and/or commercial law retention obligations.

Processing on the basis of legitimate interest
Legal basis for the purpose of direct advertising may be Art. 6 (1) (1) (f) GDPR GDPR if our legitimate interests are present, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legitimate interests pursued by us in this regard - in addition to the purposes listed under 1.2 - include:

• To be able to inform you optimally about our products, offers and services by means of direct marketing;  
• In communicating with you, in particular to be able to answer your inquiries by e-mail, telephone and/or fax;
• In order to be able to carry out a due diligence with our potential business partner.
• We carry out credit checks on our potential business customers. Our legitimate interest lies in the avoidance of payment defaults.
• To receive customer feedback to improve the customer experience, improve our products and services

The legal basis for processing activities in connection with the assertion, exercise or defense of legal claims is also our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR.

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have consented or if this is permitted by law.

External recipients of your personal data are in particular:

• Freelancers
• Data processors
• Potential business partners in the context of a (future) due diligence review
• Authorities e.g. tax offices, courts, trade supervisory office, Data protection supervisory authority, BAFA (Federal Office of Economics and Export Control)
• Settlement partners   
• Collection agencies  
• Credit institutions   
• Parcel service providers   
• Postal service   
• lawyer, tax consultants
• Auditor
• Affiliated companies
  
  

In order to offer you more payment methods and to simplify payments for you, we use the payment processing service provider Adyen N.V. Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, The Netherlands.
Further information about the processing of your personal data by Adyen can be found here: https://www.adyen.com/policies-and-disclaimer/privacy-policy

Your personal data will be transmitted to the following service providers:

• PipeDrive OÜ - Tallinn, Estonia
• Salesforce.com Germany GmbH, Erika-Mann-Strasse 31-37, 80636 Munich, Germany
• decareto GmbH, Mittelweg 144, 20148 Hamburg, Germany
• Demoboost Sp. z o. o., Stawki 2, 00-193 Warsaw, Poland
• Simon-Kucher & Partners Strategy & Marketing Consultants GmbH, Luise-Ullrich-Straße 14, 80636 Munich, Germany
• Dun & Bradstreet, Deutschland GmbH, Robert-Bosch-Straße 11, 64293 Darmstadt, Germany
• GetAccept AB, Västra Varvsgatan 19, 211 77 Malmö, Sweden
• LinkedIn Ireland Unlimited Company, Dublin, Ireland
• Microsoft Operations Ltd. in Dublin, Ireland
• CodeTwo sp. z o.o. sp. k., Jelenia Gora at ul. Wolnosci 16, Poland

DataGuard uses the Office 365 service, including Microsoft Teams, for business communication with customers and prospects.

We also use functionalities of the Microsoft Bookings software from Microsoft. Through Microsoft Bookings, we can make it easier for users to make appointments on our site by displaying and booking free appointments with appropriate employees.

As a result, the following personal data is processed by Microsoft:

• Name
• Forename
• E-mail address
• IP address
• Device and browser information
• A user ID associated with Microsoft
• Refferer URL

For more information about Microsoft's data processing, see: https://privacy.microsoft.com/de-de/privacystatement

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

• Chargebee, Inc., California, USA
• Gitlab In., San Francisco, USA
• Atlassian PTY, Ltd, Sydney, Australia

In order to make the transfer to a third country as privacy-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending an informal e-mail to dpo@dataguard.de .

According to a decision of the European Commission, an adequate level of data protection is offered for the following service providers in third countries:

• Cognism Limited, Richmond, United Kingdom
• Our subsidiary DATACO INTERNATIONAL UK LIMITED, London, United Kingdom.

The following service providers in the USA have joined the Trans-Atlantic Data Privacy Framework (TDPF; data protection agreement between the EU and the USA), so that an appropriate level of data protection is guaranteed for data processing:

• HubSpot, Inc., Cambridge, USA
• Asana, Inc., San Francisco, USA
• PandaDoc, Inc., San Francisco, USA
• Outreach Corporation, Seattle, USA
• Fivetran Inc., Oakland, USA
• Figma, Inc., San Francisco, USA

We do not store your personal data longer than is necessary for the purpose for which it was collected. This means that data in our systems will be destroyed or deleted as soon as it is no longer needed. Reasonable measures are taken by us to ensure that your personal data is only processed under the following conditions:

• For the duration that the data is used to provide you with a service
• As required by applicable law, contract, or in light of our legal obligations
• Only as long as necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, using appropriate safeguards.

A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - retention is still necessary, in particular for the fulfillment of legal retention periods of up to ten years (including from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act). In the case of statutory retention obligations, deletion is only considered after the expiry of the respective retention obligation.

For a (planned) conclusion as well as the execution of the contract with you, you must provide those personal data which are necessary for the establishment and execution of the contractual relationship and the fulfillment of the associated contractual obligations or which we are legally obliged to collect (see in particular the standards listed under "III.3." listed standards). This obligation also arises from the law, e.g. § 14 UstG. Without this data, we will generally not be able to conclude and execute the contract with you.

1.1 Your personal data processed by us

DataGuard processes personal data from suppliers and service providers. This is necessary for business operations. The following data is processed in this context:

• First name
• Last name
• Business address
• Company name
• Bank details
• Your e-mail address,
• Your mobile phone number
• Your landline number
• IYour fax number
• Title and academic degree
• Position within the company
• All personal data that are provided to us during communication

DataGuard collects data from people in the following manners:

• Receipt of personal data directly from the data subject via establishment of contact by suppliers / service provider
• Receipt of personal data directly from the data subject via establishment of contact by DataGuard
• Research in business directories or on websites

1.2 Purpose of processing

We will process your data for the following purposes:

• Initiation, execution and termination of a contractual relationship
• Performance of orders
• Review and optimisation of processes for needs assessment 
• Consultation and data exchange with credit agencies to determine credit and default risks 
• Market and opinion research, provided that you have not objected to the use of these data for this purpose 
• Assertion, exercise or defence of legal claims 
• Measures for business management and further development of our products  

1.3 Legal basis of data processing

Processing of your personal data on the basis of consent
Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data is based on Art. 6 (1) (1) (a) GDPR in conjunction with. Art. 5, 7 GDPR.

Processing for the purpose of implementing the contract with you
Insofar as we process your personal data for the purpose of fulfilling a contract, Art. 6 (1) (1) (b) GDPR serves as our legal basis. This also applies to processing operations that are necessary for the implementation of pre- and post-contractual measures.

Processing for the fulfillment of a legal obligation
Insofar as the processing of your personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as our legal basis. Our legal obligation to process data results e.g. from tax law and/or commercial law retention obligations.

Processing on the basis of legitimate interest
The legal basis for direct marketing purposes may be Art. 6 (1) (1) (f) GDPR GDPR if our legitimate interests are present, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The legitimate interests pursued by us in this regard - in addition to the purposes listed under b - include:

• To be able to inform you optimally about our products, offers and services by means of direct marketing;    
• In communicating with you, in particular to be able to answer your inquiries by e-mail, telephone and/or fax;
• In order to be able to carry out a due diligence with our potential business partner.

The legal basis for processing activities in connection with the assertion, exercise or defense of legal claims is also our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR.

In the course of processing your personal data, we may disclose the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have consented or if this is permitted by law. External recipients of your personal data are in particular:

• Freelancers
• Data processors
• Potential business partners in the context of a (future) due diligence review
• Authorities e.g. tax offices, courts, trade supervisory office
• Settlement partners   
• Credit institutions   
• Parcel service providers     
• Postal service   
• Lawyer, tax consultants
• Auditor
• Affiliated companies
  
  

Your personal data will be transmitted to the following service providers:

• Yokoy Deutschland GmbH, Weihenstephaner Str.12 (Building M6), 81673 Munich, Germany
• CodeTwo sp. z o.o. sp. k., Jelenia Gora at ul. Wolnosci 16, Poland

In addition, your personal data may be transferred to the following service providers located in a country outside the EU/EEA:

• Our subsidiary DATACO INTERNATIONAL UK LIMITED, London, United Kingdom. An adequate level of data protection is provided there in accordance with a decision of the European Commission.
• DocuSign, Inc., San Francisco, USA

In order to make the third country transfer as data protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending an informal e-mail to dpo@dataguard.de.

For the transmission of emails and storage of contacts of suppliers and service providers we use the service Microsoft 365, incl. Microsoft Teams of the service provider Microsoft Operations Ltd. in Dublin, Ireland. For more information about Microsoft's data processing, see: https://privacy.microsoft.com/de-de/privacystatement

We do not store your personal data longer than is necessary for the purpose for which it was collected. This means that data in our systems will be destroyed or deleted as soon as it is no longer needed. Reasonable measures are taken by us to ensure that your personal data is only processed under the following conditions:

• As required by applicable law, contract, or in light of our legal obligations
• Only as long as necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, using appropriate safeguards.

A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - retention is still necessary, in particular for the fulfillment of legal retention periods of up to ten years (including from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act). In the case of statutory retention obligations, deletion is only considered after the expiry of the respective retention obligation.

For a (planned) conclusion as well as the execution of the contract with you, you must provide those personal data which are necessary for the establishment and execution of the contractual relationship and the fulfillment of the associated contractual obligations or which we are legally obliged to collect (see in particular the standards listed under "III.3." listed standards). Without this data, we will generally not be able to conclude and execute the contract with you.

1.1 Your personal data processed by us

We process personal data that we receive from you by participating in the event. In particular, we process:

• Livestream recordings
• Video
• Photos
• Forename
• Surname
• Company name
• Affiliation
• E-mail address
• Salutation
• Signature in case of consent given

1.2 Purpose of processing

We process your personal data for the following purposes:

• To carry out the event
• For internal reporting of the event
• For advertising purposes for our company on social networks

In addition, the film and video recordings will be published for marketing purposes after the event:

• On the website https://www.dataguard.de/
• In social or professional networks (YouTube, LinkedIn, Twitter, Kununu, Glassdoor)

It is not intended to process your personal data for any other purpose.

1.3 Legal basis of data processing

Processing based on legitimate interest

The legal basis for the transmission of your personal data (first and last name and company name) to our conference organizers in Berlin (RYDES GmbH, Brunnenstreet 19-21, 10119 Berlin, Germany) and Düsseldorf (ARQIS Rechtsanwälte Partnerschaftsgesellschaft, Breite Street 28, 40123 Düsseldorf, Germany) is our legitimate interest (Art. 6 (1) (1) (f) GDPR) in holding the event at the venue requested by the event participant.

The legal basis for the production of photo and film recordings during our events is our legitimate interest (Art. 6 (1) (1) (f) GDPR) in the subsequent internal and external publication of the photo and film recordings for marketing purposes on our company website https://www.dataguard.de/ and in social or professional networks (YouTube, LinkedIn, Twitter, Kununu, Glassdoor).

If you do not wish to be photographed or filmed, you will receive a coloured lanyard from us at the entrance area of the event, which signals to the photographer / cameraman that you do not want to be photographed or filmed. If you should nevertheless be seen in group shots, you will be made unrecognizable in these shots afterwards.

For the publication of the photo and film recordings, we obtain your consent at the entrance area of the venue, which you can of course give voluntarily.

Processing of your personal data on the basis of consent

The legal basis for the processing of your personal data both for the purpose of participation in the event and for the internal and external publication of film recordings is your consent and thus Art. 6 (1) (1) (a) GDPR in conjunction with Art. 5, 7 GDPR. You have the right to revoke your declaration of consent under data protection law at any time by e-mail to dpo@dataguard.de. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation (Art. 7 (3) GDPR).

If you are depicted on a photo or film recording together with other persons, the deletion or destruction of the photo or film recording is not mandatory if you revoke your consent. It is enough if you are made unrecognizable. Insofar as information about your ethnic origin, religion or health (e.g. skin colour, headgear or glasses) can be seen on a photo or film recording, the consent also expressly refers to this information.

Information on publication on the Internet

If personal data has been made publicly accessible and you revoke your consent, we as the responsible body are only obliged to inform other recipients. This does not affect the obligation of these recipients to delete personal data. You can take direct action against other controllers who process your personal data and request deletion. Information posted on the Internet may never be completely deleted, even if it has been deleted from the original page. In any case, the providers of the main search engines are informed of the request for deletion, so that the personal data can at least no longer appear in search queries without further ado. We would like to point out that photos and/or videos on the Internet can be accessed by anyone. Despite all technical precautions, it cannot be ruled out that such persons may continue to use the photos and/or videos or pass them on to other persons. The Company is not liable for third parties using the photos for other purposes, including in particular by downloading and/or copying photos.

If you would like to participate in our events in Berlin or Düsseldorf, we will transmit your first and last name and the name of your company to our conference organizers in Berlin / Düsseldorf so that registration can be accepted on site and you can be granted admission to the office premises. The transfer of your personal data will take place to the following conference organizers:

For events in Düsseldorf:
ARQIS Rechtsanwälte Partnerschaftsgesellschaft
Breite Street 28
40123 Düsseldorf
Germany

For events in Berlin:
NAVIT GmbH
Brunnenstreet 19-21
10119 Berlin
Germany

If we use a service provider (e.g. an event manager or streaming service provider) in the sense of order processing, we remain responsible for the protection of your data. All processors are obliged to treat your data confidentially and to process it only in the context of the provision of services.

Your personal data will be transmitted to the following service providers:

• CodeTwo sp. z o.o. sp. k., Jelenia Gora at ul. Wolnosci 16, Poland
• EventMobi GmbH, Warschauerplatz 11-13, 10245 Berlin, Germany
• Microsoft Ireland Operations Limited: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
• Descript, Inc., 385 Grove Street, San Francisco, CA 94102, USA.  
  The purpose of use is to create, edit, and publish audio/video content (including recording, transcription, editing, team collaboration, and hosting/streaming). 

The purpose is to register for the event and carry it out as a hybrid event (broadcast of the event, possibility to ask questions, feedback loops to improve the event). Furthermore, it is published on the Internet, on our website and on social or professional networks. Under certain circumstances, further use by third parties or complete deletion cannot be ruled out.

The following data is used:

• Name
• Video footage (if the camera has been turned on)
• E-mail address
• IP address
• Metadata of the end device

For more information about Microsoft's data processing, see: https://privacy.microsoft.com/de-de/privacystatement

In addition, your personal data may be transmitted to the following service providers in the context of the publication of film and video recordings for marketing purposes, provided that you have given your consent:

• LinkedIn Ireland Unlimited Company, Dublin, Irland
• Youtube: Google Ireland Limited, Dublin, Irland
• New Work SE (“Kununu”), Am Strandkai 1, 20457 Hamburg, Germany
• Glassdoor Inc., San Francisco, USA
• Twitter: Twitter Inc., San Francisco, USA  

In order to make the transfer to a third country as privacy-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested by sending an informal e-mail to dpo@dataguard.de.

We would like to point out that we have no influence on the data collection and its further use by the providers of the social networks. You can find more information about objection and removal options vis-à-vis the providers of the social networks here:

• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• Youtube: https://policies.google.com/privacy
• Twitter: https://twitter.com/de/privacy
• Kununu: https://privacy.xing.com/en
• Glassdoor: https://hrtechprivacy.com/de/brands/glassdoor#privacypolicy

If we use a service provider (e.g. a Event manager) in the sense of processing, we remain responsible for the protection of your data. All processors are obliged to treat your data confidentially and to process it only in the context of providing the service.

We may share your personal data (e.g. name, company name, email address) with our authorised distributors based on our legitimate interest in identifying and pursuing potential sales opportunities (Art. 6 (1) (f) GDPR).

These distributors act as independent controllers once they receive your data. We do not have control over how they subsequently process your data. Before any further processing or direct contact, the distributor is obliged to obtain your consent in accordance with data protection law. We recommend reviewing the distributor's privacy policy prior to giving consent.

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data in our systems is destroyed or deleted as soon as it is no longer needed. We take reasonable steps to ensure that your personal data is only processed under the following conditions:

• For the duration that the data is used to provide you with a service
• As required by applicable law, contract or in view of our legal obligations
• Only for as long as is necessary for the purpose for which the data was collected, or longer if required by contract, applicable law, applying appropriate safeguards.

If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their - temporary - storage is still necessary.