Compliance.One Privacy Policy
As of October 30, 2022
1. SUBJECT MATTER AND SCOPE OF APPLICATION
We take the protection of your personal data very seriously. With this Privacy Policy, we inform you which personal data we collect and how and for what purposes it is processed. We always treat your personal data in accordance with the statutory data protection regulations and this Privacy Policy.
2. CONTROLLER AND DATA PROTECTION OFFICER
The controller is Compliance.One GmbH, Ledererstr. 19, 80331 Munich, Germany (hereinafter 'Compliance.One').
Our data protection officer is Christian Schmoll. If you have any questions about data protection, you can contact our data protection officer at privacy@compliance.one at any time.
3. ACADEMY
If you set up an account for the use of our Application/SaaS Platform (hereinafter “Platform”) or have us set up an account for you or register as an invited user, we as the controller will collect and process your data to enable you to use the Platform.
In this context, we process your data to make the Platform available or to provide the services we offer. Where applicable, this includes the processing of the surname and first name of the users of the Platform, address(es), contact data (e.g. e-mail address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data collected in the course of providing our services and/or required for the provision of our services.
Your data will be processed for as long as you use your account. If you close/delete your account, the data processed via your account will be deleted (subject to any retention obligations, see below under "Retention and Deletion").
The legal basis for this storage and processing is the fulfillment of the contract or the implementation of pre-contractual measures in accordance with Art. 6 (1) lit. b) GDPR.
4. VISITING OUR WEBSITE
Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer. The following data is logged:
• IP address of the calling computer
• Operating system of the calling computer
• Browser version of the calling computer
• Name of the retrieved file/website
• Date and time of retrieval
• Transferred amount of data
• Referring URL
This data is processed in order to be able to present the website, to ensure the security, availability and integrity of the website (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the website, to be able to identify and correct errors and for statistical purposes.
This data is regularly deleted after 7 days at the latest.
Our website is hosted by a service provider in the EU on the basis of a data processing agreement pursuant to Art. 28 GDPR.
The legal basis for this data processing is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the above purposes.
5. PROSPECTS, CUSTOMERS AND SERVICE PROVIDERS (CRM)
If you contact us, e.g. by e-mail, via a contact form or via live chat, the information you provide will be stored for the purpose of processing the request.
We need the information requested in a contact form or live chat to process your request, to address you correctly and to send you a reply.
The legal basis for this data processing is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the communication with prospects, visitors, and customers. If the purpose of the contact is to conclude a contract, the legal basis for processing is Art. 6 (1) lit. b) GDPR.
We process the data of our customers, service providers and suppliers as part of the provision of our contractual services. In this context, inventory data (for example, surname and first name of the contact person(s), address), contact data (for example, e-mail address, telephone number), contract data (for example, subject matter of the contract, term), payment data and data collected in the context of the provision of services and/or required for the provision of services are processed, if applicable.
Inquiries and customer relations are regularly stored and processed in our CRM system. The data processed in this context (surname, first name, title, postal address, date of birth if applicable, your specific interest with regard to our products and services and your interactions with us) may also be used by us for direct marketing purposes, in particular for postal advertising, in compliance with the legal requirements.
The legal basis for this storage and processing is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the marketing of our products and services and the maintenance of our prospect, customer and service provider relationships.
6. NEWSLETTER
6.1 Registration
On our website, you can register to receive a newsletter by e-mail. During registration, the data from the input mask, the IP address of the calling computer and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this Privacy Policy.
In order to verify that a registration for the sending of a newsletter is made by the actual owner of an e-mail address, we use the so-called "double opt-in" procedure. In this process, after registration of an e-mail address, a confirmation e-mail is sent to the registered e-mail address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation e-mail is activated. The IP address of the calling computer and the date and time of activation of the confirmation link are also transmitted to us.
The registration for the newsletter can be terminated at any time by using the unsubscribe link contained in each newsletter or by contacting us at the above contact details.
The legal basis for the processing of data after registration for the newsletter is your consent pursuant to Art. 6 (1) lit. a) GDPR.
6.2 Email Newsletter for Existing Customers
If you register as a user of our app and provide your e-mail address, this may subsequently be used by us to send you an e-mail newsletter if you have not objected to such use. In such a case, the email newsletter will only be used to send direct advertising for our own similar goods or services. You can object to the use of your e-mail address at any time, without incurring any costs other than the transmission costs according to the basic rates, by using the unsubscribe link contained in every newsletter or by contacting us at the above-mentioned contact details. The legal basis for sending the newsletter as a result of the sale of goods or services is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR.
6.3 Newsletter Analytics/Tracking
A statistical analysis of usage data may be carried out for our newsletters. For this purpose, we may record both the openings of the e-mail and the internal clicks. This information serves the purpose of measuring and optimizing the success of our newsletter campaigns by making the newsletter content more relevant to our target group.
The legal basis for this analysis is your consent pursuant to Art. 6 (1) lit. a) GDPR.
6.4 Newsletter Service Provider
We use an external service provider as a data processor for sending and analyzing our newsletter on the basis of a data processing agreement pursuant to Art. 28 GDPR.
7. JOB APPLICATIONS
We collect and process personal data of applicants for the purpose of handling the application process. If an applicant submits his or her application documents to us electronically, they are processed electronically.
If we conclude an employment contract with an applicant, the data transmitted will be processed in order to carry out the employment relationship in compliance with the statutory provisions. If no employment contract is concluded with the applicant, the application documents will be deleted immediately after completion of the application procedure, provided that deletion does not conflict with any overriding legitimate interest, such as the defence of claims or a preservation of evidence function according to the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz - AGG).
The legal basis for this storage and processing is the performance of the contract or the implementation of pre-contractual measures pursuant to Art. 6 (1) lit. b) GDPR, in Germany § 26 BDSG.
8. VIDEO CONFERENCES AND WEBINARS
If you participate in a video conference, webinar, online meeting, etc. organized by us (hereinafter "video conferences"), we process your personal data in the course of your participation.
When you participate in a video conference, various categories of data are processed. The scope of the data also depends on the data you provide before or during participation in a video conference.
If you participate in a video conference organized by us, you usually have to provide at least a name when registering. However, you can also use a pseudonym. Your IP address will also be processed to enable your participation and login information and device/hardware information will be stored. Your email address and profile picture will also be processed, if provided. If you dial in by phone, your phone number and IP address, if any, will be processed.
To enable participation in the video conference, data from your terminal's microphone and any terminal video camera and, if you share your screen, information from this "screenshare" is processed. You can switch off or mute the camera or microphone yourself at any time. You always decide yourself whether and which parts of your screen are shared.
Audio and video recordings of the video conference can be made. In this case, MP4 files of all video, audio and presentation recordings are processed. There will always be an indication of the recording if one is made and, if necessary, the explicit consent of the participants to the recording will always be obtained.
You may have the opportunity to use the chat, question or survey functions in a video conference. In this respect, the text entries you make are processed in order to display them in the video conference and, if necessary, to record them.
Insofar as personal data of our employees is processed, § 26 BDSG (German Federal Data Protection Act) is the legal basis for data processing, insofar as German law is applicable to the processing of employee data.
If German law is not applicable to the processing of employee data or if, in connection with participation in video conferences, the processing of personal data is not necessary for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component of participation in a video conference, our overriding legitimate interest pursuant to Art. 6 (1) lit. f) GDPR is the legal basis for the data processing. In these cases, our overriding legitimate interest is in the effective implementation of video conferences.
Furthermore, the legal basis for data processing when conducting video conferences is Art. 6 (1) lit. b) GDPR, insofar as the meetings are conducted in the context of contractual relationships or with a view to initiating a contractual relationship (for example, in the case of video conferences with our clients in the context of the implementation of a project or participation in a webinar).
Furthermore, the legal basis for data processing in the context of your participation in a video conference organized by us is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. Our legitimate interest in these cases is the effective implementation of video conferences.
We use one or more service providers as data processors for the implementation of video conferences on the basis of a data processing agreement pursuant to Art. 28 GDPR.
This may involve the transfer of personal data to a third country without an adequate level of data protection. In this case, we ensure that appropriate safeguards are provided for the transfer in accordance with Art. 46 GDPR. We will provide you with proof of the appropriate safeguards (Standard Contractual Clauses) at any time upon request.
9. MERGERS AND ACQUISITIONS (M&A)
If we are involved in a restructuring, acquisition, asset sale, merger, financing, transfer of services to another provider, due diligence, insolvency or receivership, your personal data may be transferred to third parties to the extent legally permitted in connection with and as part of the relevant legal process, subject to the basic principles of data protection law.
10. AGE RESTRICTION
This website is not intended or designed for use by children under the age of 16. We do not knowingly collect personally identifiable information from or about anyone under the age of 16.
11. RECIPIENTS OF DATA
Within our company, your data is received by those internal departments or organisational units that need it to fulfil their tasks, to fulfil contracts with you if necessary, for data processing with your consent or to safeguard our overriding legitimate interests.
Data will only be passed on to third parties within the framework of legal requirements. We will only pass on your data to third parties if, for example, this is necessary for contractual purposes on the basis of Art. 6 (1) lit. b) GDPR or to safeguard our overriding legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in the effective conduct of our business operations.
Insofar as we use service providers within the framework of the provision of the website and/or Platform or other services, we take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of your personal data.
12. YOUR RIGHTS
You have the rights explained below with regard to the personal data processed by us concerning you:
12.1 Right of Access
You can request information in accordance with Art. 15 GDPR about your personal data that we process.
12.2 Right to Rectification
If the information concerning you is not (or no longer) accurate, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.
12.3 Right to Erasure
You may request the erasure of your personal data in accordance with Art. 17 GDPR.
12.4 Right to Restriction of Processing
In accordance with Art. 18 GDPR you have the right to request restriction of processing of your personal data.
12.5 Right to Object to Processing
You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data which is carried out on the basis of Art. 6 (1) lit. e) or lit. f) GDPR in accordance with Art. 21 (1) GDPR. In this case, we will not further process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert and exercise or defend against legal claims (Art. 21 (1) GDPR).
In addition, according to Art. 21 (2) GDPR, you have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing; this also applies to any profiling, insofar as it is related to such direct marketing.
12.6 Right to Withdraw Consent
Insofar as you have given your consent for processing, you have a right to withdraw your consent pursuant to Art. 7 (3) GDPR.
12.7 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format ("data portability") as well as the right to have this data transferred to another controller if the conditions of Art. 20 (1) lit. (a) and (b) GDPR are met.
12.8 Exercise of Rights
You can exercise your rights by contacting the data controller or the data protection officer using the contact details above.
12.9 Right to Complain to the Data Protection Authorities
If you believe that our processing of your personal data violates data protection law, you also have the right to complain to a data protection supervisory authority of your choice pursuant to Article 77 of the GDPR.
13. COMPULSORY DATA AND PROFILING
The provision of personal data is neither required by law nor by contract, and you are not obliged to provide personal data, although the provision of personal information is required for the conclusion of a contract to the extent that certain details are required in order to conclude (and perform) a contract.
We do not perform automated decision making, including profiling.
14. RETENTION AND DELETION
We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing or as stipulated by the storage periods provided by law.
If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.
15. INFORMATION SECURITY
We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.
Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.
A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.
16. AMENDMENT OF THIS PRIVACY POLICY
We reserve the right to amend this Privacy Policy from time to time so that it always complies with current legal requirements and/or in order to implement changes to our services in the Privacy Policy, e.g. when introducing new services. When visiting the website or using our services, the current privacy policy always applies.