Privacy Information
I. Data Controller
The controller responsible for processing your personal data is:
VP Compliance GmbH
Heidestr. 22
13467 Berlin
info@vpdata.de
Websites: www.vpdata.de, www.vpcompliance.de, www.vpaml.de, www.vpsec.de
(hereinafter also referred to as “we” or “us”)
You can contact us at any time for any questions on the subject of data protection or in connection with our services or the use of our website. We can be reached at the above postal address as well as at the e-mail address provided.
II. General Information on collected data, legal bases and purposes of storage
1. Use of the website
When you use our website purely for information purposes – i.e. if you do not otherwise contact us – we process only the personal data that your browser transmits to our server and that is technically necessary for displaying our website and ensuring its stability and security. The legal basis for this is Article 6(1)(f) of the GDPR. Our interest lies in enabling you to connect to our website smoothly and use it conveniently, in providing a secure, stable and fast website, and in carrying out the administrative tasks necessary in this context.
2. Data processing when contacting us
You can use the contact form on this website or contact us by email, post or telephone to get in touch with us. We process the personal data collected when you contact us via our contact form and/or by email, post or telephone solely for the purpose of communicating with you. The legal basis is Article 6(1)(b) of the GDPR. The data collected by us when you use the contact form will be deleted once your enquiry has been fully processed, unless we require it to fulfil contractual or legal obligations (for further details, see Section V.).
3. Data processing in the context of initiating and executing a contractual relationship
We process personal data of our (future) customers within the scope of our contractual relationship and its initiation. If our (future) customers are companies, we process personal data of their legal representatives and their employees. We also process personal data of third parties who play a role in the respective matter (e.g. partners, external data protection officers, other parties involved). Typically, this is the following personal data:
- Master data (e.g. name, address, contact information such as email, telephone number and internet address);
- Customer-related data (e.g. contracts, communications);
- Consulting data (e.g. contents of enquiries and documents);
- Activity data (e.g. consultation documentation, performance records, invoices);
- Other data that you voluntarily provide to us within the scope of the contractual relationship.
This data is processed
- to initiate and execute the contractual relationship;
- to comply with legal obligations;
- for acquisition;
- in order to provide you with appropriate advice;
- in order to communicate with you;
- to make operational processes efficient;
- for accounting and invoicing;
- to archive files, delete data and document the contractual relationship.
Data processing is carried out in accordance with Article 6(1)(b) of the GDPR.
If you are not or do not wish to become a customer yourself (e.g. because it is not you but the company you work for that has commissioned or wishes to commission us, or if you are, for example, an external data protection officer or other party involved), we process your personal data in accordance with Art. 6(1)(f) GDPR. Our legitimate interests consist of providing appropriate advice for the purposes mentioned, or, for example, establishing contact.
If we are legally obliged to process data, we base this on Art. 6 (1) (c) GDPR in conjunction with the respective legal provision, in particular for the fulfilment of professional, commercial and tax law obligations for documentation and storage.
Under certain circumstances, we may need to process your personal data for the purpose of asserting or defending against claims; the legal basis for this is our legitimate interest pursuant to Article 6(1)(f) GDPR in the efficient defence of legal claims and enforcement of rights.
The provision of your personal data is required if you, or the company you work for, wish to engage our services. If you do not provide your personal data, it will not be possible to establish and fulfil the contractual relationship. Where we are subject to a legal obligation to process certain data, the provision of such data is also essential for the engagement.
4. Social media
LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). We operate our LinkedIn company page in joint responsibility with LinkedIn on the basis of an agreement on the joint processing of personal data. You can view this agreement here: https://legal.linkedin.com/pages-joint-controller-addendum. There you will also find information about the processed page insights data and how to contact us in case of data protection inquiries. LinkedIn’s privacy policy is available here: https://www.linkedin.com/legal/privacy-policy.
The legal basis for this data processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in contacting you, maintaining contact with you and informing you about our services. If you contact us via LinkedIn, the enquiry also serves to take steps prior to entering into a contract. The legal basis in this case is Article 6(1)(b) of the GDPR.
As a general rule, we only store personal data that we process through our social media channels for as long as is necessary to handle the relevant interaction or enquiry.
5. Applications
You can apply to us by email or post. The purpose of data collection is to carry out the application process with a view to possibly establishing an employment relationship. We collect the data you provide in order to process your application. As confidentiality cannot be guaranteed when sending applications by unencrypted email, you can also apply by post. The legal basis for processing is Art. 6 (1) (b) GDPR. If the application does not result in an employment relationship, this data will be deleted six months after the application process has been completed.
6. Newsletter / community lists
We offer the option to subscribe to newsletters and register for our communities. To do this, we need your email address so that we can send you information. In addition, our service provider offers the ability to track whether emails have been successfully delivered and opened. This enables us to identify and rectify any errors that may occur during the sending of emails. The legal basis for processing is your consent, Article 6(1)(a) of the GDPR.
7. Webinars and community meetings
We use Microsoft Teams to host our webinars and community meetings. When using Microsoft Teams, various types of data are processed. The extent of data processing also depends on the information you provide before and during your participation in a meeting. The following personal data is regularly processed: names, email addresses, profile photos, and other information from your Microsoft Teams profile. We also process the start and end times of a meeting. When using the chat, question or poll functions, the text you enter is processed in order to display it in the Teams meeting and, where applicable, to log it. Users can read the chat history retrospectively and without having participated in a meeting, provided the meeting was initiated by a team and the user is a member of that team. The chat history of meetings can therefore generally be viewed retrospectively.
On request, we can issue you with a certificate of attendance for accredited webinars. To do this, we will process your name. Requests are logged on the server for quality assurance and security purposes.
This processing is carried out on the basis of Article 6(1)(b) of the GDPR for the purpose of fulfilling a contract. We process data that is not necessary for the fulfilment of a contract on the basis of Article 6(1)(f) of the GDPR, namely our legitimate interest in the smooth and professional preparation, conduct and follow-up of webinars and meetings.
III. Recipients of data
We will only pass on your data if we are legally permitted to do so. We may pass on your data as follows, unless already mentioned separately above:
- Hosting service provider for our website: Strato GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin
- Office products: Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
- Service provider for the management of email distribution lists and the sending of our newsletters: Klick-Tipp Limited, 15 Cambridge Court, 210 Shepherd’s Bush Road, London W6 7NJ, United Kingdom
- Freelancers
The transfer is based on our legitimate interest in organising our business operations in an entrepreneurial manner and in deciding freely on the personnel and IT service providers used in the interests of efficient and appropriate consulting and organised business operations; the legal basis is Art. 6(1)(f) GDPR.
All recipients to whom we transfer your personal data may only process this data in accordance with our instructions. We carefully select and commission service providers, who are bound by our instructions. Furthermore, we are contractually entitled to monitor compliance with the relevant contractual and legal regulations by the service providers.
We also reserve the right to disclose information about you where we are legally obliged to do so, if we are required to do so by lawfully acting public authorities or law enforcement agencies. The legal basis for this is Article 6(1)(c) of the GDPR.
If we transfer your data to a country that is not a member of the EU or the EEA and for which no adequacy decision has been made by the European Commission, we will take all necessary measures to ensure that the data is processed securely. This includes, for example, concluding standard data protection clauses of the European Commission.
IV. Storage period
We store your personal data for as long as is necessary to achieve the respective purpose stated in this privacy policy, in particular to fulfil our legal and contractual obligations. Once the purpose has been achieved, this data will be deleted, unless the law permits us to continue storing it for specific purposes, including the defence of legal claims. We delete personal data once and to the extent that storage is no longer necessary and there are no legitimate interests or legal obligations on our part, such as statutory retention obligations (Section 147 AO, Section 257 HGB, Section 14b UStG), that prevent deletion. Deletion therefore generally takes place 6 to 10 years after the end of the contractual relationship.
V. Your rights
In accordance with the statutory provisions, you have the following rights with regard to the processing of your personal data:
- Right of access
- Right to rectification and erasure
- Right to restriction of processing
- Right to object to the processing
- Right to data portability
You also have the right to complain to a supervisory authority about our data processing. The supervisory authority responsible for us is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
VI. Right of revocation and objection
You have the right to revoke any consent given to us at any time. The processing based on this consent will then no longer be continued in the future. The legality of the processing based on the consent until revocation is not affected by the revocation.
If data processing by us is based on legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation.
You can object to the processing of your data for direct marketing purposes at any time, even without stating reasons.
To exercise your right of withdrawal or objection, please send an informal notification to the contact details provided in Section I.