Privacy policy   


1. Intention

To us, protecting the personal rights and privacy of every individual as well as protecting business and company secrets are the basis for trusting business relationships.


This policy describes how we process data, to whom we pass it on and what rights data subjects and companies have while processing their data. We also describe the measures we use to ensure the security of data and how data subjects and companies can contact us if they have any questions about the practical implementation of our protection of their personal and company data.


2. General

Our employees are obliged to comply with this policy and the guidelines and work instructions derived from it. Each employee is responsible for their implementation in their own area of responsibility.


Any data subject can contact our data protection officer (privacy@cardcompact.com) with suggestions, inquiries, requests for information or complaints in connection with data protection or data security issues. Inquiries and complaints are treated confidentially.

The managing partner is fully responsible for any data processing of Card Compact Ltd.


3. Data Protection

This guideline regulates the data protection-compliant processing of personal data of data subjects (any natural person about whom data is processed) and the responsibilities of Card Compact.


We maintain records of the processing activities of our company. At least one person in each department is responsible for collecting all necessary information about the procedures of that department and for documenting it in accordance with Art. 30 GDPR, in coordination with the data protection officer.


3.1 Data protection officer

We have appointed a company data protection officer in accordance with Art. 37 GDPR and appointed a representative as well.


Our data protection officer performs the tasks assigned to him by law and by this guideline, applying his specialist knowledge and professional qualifications without being subject to instructions. Our data protection officer has a sufficiently large time budget to fulfill his obligations.


He informs and advises management and employees about their data protection obligations. He is responsible for monitoring compliance with data protection regulations and with the controller's strategies for protecting personal data, including raising awareness among and training employees.


Our data protection officer is involved in all data protection issues at an early stage and is supported by both management and employees in the performance of his duties. Our data protection officer regularly reports to the managing partner about examinations, complaints and organizational deficiencies that may need to be remedied.

Every employee can contact our data protection officer directly with information, suggestions or complaints; confidentiality is maintained at all times.


3.2 Basic principles of processing

When processing personal data, we take the personal rights (fundamental rights and freedoms) of the data subject into account. We collect and process personal data only lawfully.


3.2.1 Legal bases for processing

In principle, the processing of personal data is not permitted. We collect, process and use personal data only on the basis of the following legally permissible conditions in accordance with Art. 6 GDPR:


Contractual performance

The processing of personal data is permitted if it is necessary for the performance of a contract between us and the data subject, or if the data subject initiates the business relationship by making a request.


Consent

Data processing can take place based on the consent of the data subject. The data subject is given extensive information about the processing before consent is given. For reasons of evidence, the declaration of consent is generally obtained in writing or electronically. Under certain circumstances, e.g. in the case of telephone advice, consent can also be given orally. Consent must be documented in any case.


Legal permission

The processing of personal data is also permitted if legal regulations require or allow us to process data. The type and scope of data processing must be necessary for the legally permissible data processing and based on these legal provisions.


Legitimate interest

The processing of personal data is also allowed if this is necessary to fulfill our legitimate interest. Legitimate interests are usually legal (e.g. enforcement of outstanding claims) or economic (e.g. avoidance of contractual disruptions) ones. Processing of personal data on the basis of a legitimate interest may not take place if there is an indication that the interests of the data subject that are worthy of protection outweigh the interest in the processing in individual cases. The legitimate interests are checked for each processing.


3.2.2 Purpose limitation & data minimization

The processing of personal data also only takes place for purposes that were determined before the data was collected. In principle, only those data may be processed that are necessary to achieve the business purpose and that are directly related to the processing purpose. Subsequent changes to the purposes are therefore only possible to a limited extent or require consent or justification. A change of a purpose must be documented in writing.


Before processing personal data, we check whether and to what extent this is necessary in order to achieve the intended purpose. If the purpose can be achieved with anonymized data and the effort is reasonable in relation to the intended purpose, anonymized data will be used. We do not store personal data for potential future purposes unless this is required or permitted by national law.


We delete personal data whose processing is no longer required once the purpose no longer applies and/or after the expiry of statutory or contractual retention periods. "Deletion" of personal data here means both the final, irrevocable and complete removal of the data (destruction) and the removal of its reference to the data subject (anonymization). In either case, after the deletion process a reference to a specific data subject can no longer be established.



3.2.2.1 Retention and deletion process

  1. Determination of the obligation whether to delete data in accordance with data protection laws (loss of purpose, exercise of rights of the data subject)
  2. Determination of the essential storage obligations (legal and contractual)
  3. Determination of the relevant retention periods (legal and contractual)
  4. Control and documentation of the deletion


Insofar as data whose original purpose of processing has ceased are subject to additional storage obligations within the meaning of Art. 17 sec. 3 lit. b and e GDPR and whose storage periods have not yet expired, these data must be withdrawn from any further processing at production level in acc. with § 35 sec. 1 BDSG (blocking).


Only once the original processing purposes and storage obligations have ceased and the corresponding retention periods have expired must the data be completely and finally deleted from all other systems processing them, or their deletion be commissioned from the processor (order processing).

As a matter of principle, personal data must be deleted immediately if they are no longer processed for the original purpose and also if the legal obligation to retain no longer applies or if retention periods have expired.


For reasons of practicability, however, it is not possible to comply exactly with storage obligations and their periods in every individual case and to carry out day-by-day archiving or deletion of individual personal data. For this reason, data is always archived and deleted collectively within reasonable periods of time.


Unless earlier deletion is indicated in individual cases, the following is considered a standard deletion period: data whose retention period expires in or with a certain calendar year will be deleted at the latest by the end of the first quarter of the following calendar year. The following deletion periods apply in the company:

  • Immediately
    Purpose: Cessation of the purpose of processing
    Legal basis: Art. 6 para. 1 p. 1 lit. a, b, f DSGVO
    Processing system: Websites, godaddy
    Personal data: Usage data (e.g. websites visited, interest in content, access times); meta / communication data (e.g. device information, unique identifier)

  • 6 months
    Purpose: All personal data for the application (CV, letter of application, certificates)
    Legal basis: 6 months (Art. 6 para. 1 p. 1 lit. c DSGVO) after rejection or 3 years (Art. 6 para. 1 p. 1 lit. c, f DSGVO) after resignation
    Processing system: GMail, Indeed, Uni Passau career portal, paper documents
    Personal data: Name, date of birth, address, contact data (e.g. e-mail, telephone numbers), content data (e.g. curriculum vitae, photo)

  • 3/10 years
    Purpose: Data required for the defence of civil and criminal claims (statute of limitations) and contained in personnel files
    Legal basis: 3 years (Art. 6 para. 1 p. 1 lit. f DSGVO) after closure of card account or termination of employment relationship
    Processing system: CardBro, Freshdesk, GMail, MS Office, Zoho CRM, GPS, Thames, Veriff, Co-Brand, Collection, paper documents
    Personal data: Name, date of birth, address, contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, history, photo), account data (IBAN), transaction number

  • 7/10 years
    Purpose: All data related to accounting (balance sheets, payrolls, invoices)
    Legal basis: 7 years (Art. 6 para. 1 p. 1 lit. f DSGVO) after creation of invoices and turnover
    Processing system: Sage, CardBro, paper documents
    Personal data: Name, address, account data (IBAN), transaction number

Deletion must ensure that the data or their personal references no longer exist and can no longer be completely and permanently restored. In this sense, a recovery is considered to be no longer possible if it is physically impossible or would only be possible with disproportionately high effort.


Database entries are deleted by removing and overwriting the respective entry. E-mails, Freshdesk tickets and Teams messages are deleted by moving the respective entry to the trash and then removing it from the trash by overwriting. Continuously maintained electronic documents such as Word or Excel lists used to record personal customer data are modified according to the respective deadlines. Paper documents and electronic data carriers are destroyed with a special shredder.


For the individual systems, this means the following (AUT = automated, MAN = manual). Each entry lists the system and data category, then the anonymization period, the triggering event ("after") and the anonymization process, then the deletion (archive) process and the deletion period.

  • Zoho CRM, Analysis Data. Anonymization: -; after creation date; -. Deletion: AUT Anonymization; immediately.
  • Zoho CRM, Customer Contact Core Data. Anonymization: 1 year; after account closure / end of business; MAN restricted Archive. Deletion: MAN Deletion; 3+1 years.
  • Google Drive, Accounting Documents. Anonymization: 2 years; after creation date; MAN restricted Archive by search filter 'creation date'. Deletion: AUT Deletion; 7+1 years.
  • Google Drive, Any Customer Data. Anonymization: -; after account closure / end of business; -. Deletion: MAN Deletion by search filter 'closed'; 3+1 years.
  • GMail, Any Customer Data. Anonymization: -; after settlement / abort; -. Deletion: AUT Deletion; 7+1 years.
  • Freshdesk, Any Customer Data. Anonymization: 1 year; after account closure / end of business; AUT restricted Archive. Deletion: AUT Deletion; 3+1 years.
  • Onepilot, Any Customer Data. Anonymization: 1 year; after account closure / end of business; AUT restricted Archive. Deletion: AUT Deletion; 3+1 years.
  • CardBro / Portal, Accounting Documents. Anonymization: 7+1 years; after creation date; AUT Anonymization. Deletion: MAN Deletion; 10+1 years.
  • CardBro / Portal, Any Customer Data. Anonymization: 3+1 years; after account closure / end of business; AUT Anonymization. Deletion: MAN Deletion; 10+1 years.
  • GPS, Accounting Documents. Anonymization: 2 years; after creation date; AUT restricted Archive. Deletion: AUT Deletion; 7+1 years.
  • GPS, Any Customer Data. Anonymization: 1 year; after account closure / end of business; AUT restricted Archive. Deletion: AUT Deletion; 3+1 years.
  • Thames, Any Customer Data. Anonymization: 1 year; after account closure / end of business; AUT restricted Archive. Deletion: AUT Deletion; 3+1 years.
  • Veriff, Any Customer Data. Anonymization: -; after registration; -. Deletion: AUT Deletion; 3 months.
  • Sage, Any Employee Data. Anonymization: immediately; after creation date; MAN restricted Archive. Deletion: AUT Deletion; 10+1 years.
  • BackUp / Logs, Any Data.
  • Websites (cookies) / godaddy, Any Customer Data. Anonymization: -; after creation date / session; -. Deletion: AUT Deletion; 1 year.


3.2.2.2 Advertising

The processing of personal data for advertising or market research purposes is only permitted if this is compatible with the purpose for which the data was originally collected or if there was explicit consent before processing.


3.2.2.3 Cookies / tracking

If personal data is collected, processed and used on websites or in apps, the consent of the data subject (opt-in) is required beforehand. The data subject is informed about the processing in our privacy policy and, if necessary, in cookie notices. These notices are integrated in such a way that they are easily recognizable, immediately accessible and always available to the data subject.


If usage profiles are created to evaluate the usage behavior of websites and apps (tracking), the data subjects will be informed in any case in our privacy policy. Personal tracking may only take place if the data subject has given consent. If the tracking takes place under a pseudonym, the data subject is given the option to object in our privacy policy (opt-out). Completely anonymous tracking is legally permissible based on our legitimate interest.


3.2.2.4 Employees

Personal data may only be processed for the employment relationship if this is necessary for the establishment, implementation and termination of the employment contract. When initiating an employment relationship, personal data of applicants may be processed. After rejection, we will delete the applicant's data, taking into account evidential periods, unless the applicant has consented to further storage for a later selection process.


3.2.3 Transparency

We will provide the data subject with comprehensive information about our processing of their data. In principle, we collect personal data from the data subject themselves. When the data is collected, the data subject must at least be able to recognize, or be informed of, the following:


  • The identity of the controller
  • The purpose of data processing
  • Third parties or categories of third parties to whom the data may be transmitted


If other organizations or authorities request information about the data subject, it will only be released without the data subject's consent if we are under a legal obligation or have a legitimate interest and the identity of the requester is beyond any doubt. If in doubt, the data protection officer must be contacted.


3.2.4 Accuracy

Personal data is stored correctly, completely and - if necessary - up to date. We have taken reasonable measures to ensure that incorrect, incomplete or outdated data is deleted, corrected, supplemented or updated.


3.2.5 Integrity and Confidentiality

Data secrecy applies to personal data. We treat it as confidential and protect it with appropriate organizational and technical measures against unauthorized access, unlawful processing or transfer, as well as accidental loss, modification or destruction.

The need-to-know principle applies: employees only have access to personal data if and insofar as this is necessary for their respective tasks. This enables the careful division and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.


3.3 Processor

If external service providers are commissioned for the first time with the processing of personal data or with individual processing steps (e.g. collection, deletion = disposal), or with activities (e.g. maintenance, repair) in which they gain knowledge of personal data (or are merely able to access it), they must be bound to our level of data protection by a data processing agreement. We select service providers carefully before placing an order.


The processor may only process personal data in accordance with our instructions and must ensure the required technical and organizational protective measures. We remain fully responsible for the correct execution of the data processing.


In the case of cross-border order data processing, the respective national requirements for the transfer of personal data abroad are met. In particular, the processing of personal data from the European Economic Area takes place in a third country only if the processor proves a level of data protection equivalent to this data protection policy. A suitable instrument is the agreement of the EU standard contractual clauses for order data processing in third countries with the processor and possible subprocessors.


As soon as contracts with clients or suppliers (service providers) are to be concluded or modified, it is necessary to check whether the processing of personal data requires an agreement under data protection law. The DPO reviews the DPA of the contractual partner and sends its research request to the process owner via email for evaluation or provides the Card Compact DPA to the partner. The DPO negotiates the data protection agreements with the contractual partner and approaches the managing partner for clearance.


Any planned change of a service provider that processes personal data on behalf of our clients will be notified to the client and requires its approval.


3.4 Rights of the data subject

The data subject can request information about which personal data is stored about them, from which origin and for what purpose. If personal data is transmitted to third parties, information about the identity of the recipients or the categories of recipients is also provided.

If personal data is not collected from the data subject themselves, we provide the data subject with the necessary information about the processing.

If personal data is incorrect or incomplete, the data subject can request their correction or addition.


The data subject can restrict the processing of their personal data, e.g. object to processing for advertising or market research purposes. The further processing of the data is blocked for these purposes. The same applies if the processing of the data is based on consent and this is revoked by an informal declaration with future effect, which is possible at any time. The withdrawal of consent has no negative effects.

The data subject is entitled to request the deletion of their data if the legal basis for the processing is missing or has disappeared. The same applies in the event that the purpose of the processing has expired due to the passage of time or for other reasons. Existing retention obligations and interests that are in conflict with deletion must be observed. 


The data subject has a fundamental right to object to the processing of their data, which will be taken into account if their interest worthy of protection outweighs our interest in processing due to a special personal situation. This does not apply if a legal regulation obliges us to carry out the processing.


3.4.1 Process description

All requests received are forwarded by e-mail to the DPO immediately and without confirmation of receipt. The DPO checks whether the request contains the data needed to identify the data subject unambiguously and compares it with the existing data records. The DPO sends the search request, or the measures to be carried out (e.g. deletion), by e-mail with the priority "high" to the process owner. The DPO sends an acknowledgment of receipt of the request for information to the data subject, which refers to the ongoing process and states the deadline within which the requested information will be made available.


If the data subject exercises its right to access information, the following information must be made available about the collection of personal data according to Art. 15 GDPR:

  • the processing systems;
  • the (categories) of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, especially for recipients in third countries;
  • the planned duration of storage;
  • information about the process status.


In addition, the data subject must be provided with the allocation of personal data for all processing purposes and processing systems.

If the data subject exercises their right to rectification, the DPO will inform the respective process owner of the data to be changed. 

If the data subject exercises their right to restrict or object to processing, or to data deletion, the DPO checks together with the relevant process owner whether the restriction / objection to the remaining processing purposes, or the deletion, is legally permissible and whether the data must be processed further due to legal obligations at project level. If the restriction / objection is permissible, the process owner initiates the extraction of the data whose purpose is no longer given due to the restriction / objection from the processing or storage locations to archiving systems and its simultaneous deletion in the processing or storage locations. If deletion of the data is also permissible, it will be executed immediately.


If the data subject exercises its right to data portability, the DPO will inform the process owner about the data to be transferred. 

After coordination / information on the measure to be taken, this is carried out by the relevant process owner.

If personal data of the data subject has been disclosed to third parties (customers, suppliers, clients, etc.), the process owner must also inform them about necessary measures. Processors in particular have to be instructed by the process owner, to provide information, not to process data further or to a limited extent or to delete data and to inform the client about implemented measures. The process owner monitors this process and informs the DPO about success.


After reconciliation and approval of the answer, the DPO will respond to the data subject via mail. 


3.5 Privacy incidents

Each of our employees immediately reports violations of this policy or of other regulations for the protection of personal data (privacy incidents). In the event of unlawful transmission of personal data to third parties, unlawful access by third parties to personal data, or loss of personal data, the notifications provided for by Card Compact must be made immediately so that legal and contractual reporting obligations are fulfilled.


In addition, our employees, in coordination with the data protection officer and the management, immediately take measures to minimize or eliminate adverse effects for the rights of the data subject. Based on this, measures to avoid future data protection incidents are derived and implemented in existing processes.


3.5.1 Process description

The following incidents are exemplarily relevant to data protection:


  • Loss of mobile devices in transit (suspected data breach)
  • Unauthorized access to mobile devices (data breach)
  • Unauthorized access to business premises (suspected data breach)
  • Unauthorized access to the online portal / Reversys / database (data breach)
  • Unauthorized disclosure of personal data to third parties such as incorrect email recipients, answering customer requests (data breach)


All notifications from or knowledge of privacy incidents received - regardless of the communication channel (email, telephone, letter, personal, ...), should be sent directly and immediately to the DPO via email to privacy@cardcompact.com with a short description of the incident.


The DPO directs its search request for measures to be carried out (e.g. notification to the supervisory authority or the data subject) via email with the priority "high" to the process owner. 


The process owner must immediately start the investigation. The documentation is preferably provided in the privacy incident report and is supplemented by all information relating to the incident (evidence / images).


The DPO checks whether and to what extent the data subject has to be informed about the incident due to the violation of the protection of their personal data. Information is given in accordance with Art. 34 sec. 1 GDPR only if there is a high risk to the personal rights and freedoms of the data subject.


The DPO coordinates the notification and its necessity with the managing partner.

The data subject is notified immediately after the incident and after the examination by the DPO with the following information:


  • What is the injury?
  • Which and how much data are affected?
  • What measures have been taken to mitigate or remedy the violation of the protection of personal data?
  • Which high risk for the rights of the person concerned has arisen or increased?
  • Name and contact details of the data protection officer


The DPO checks whether and to what extent the supervisory authority has to be informed about the incident due to the violation of the protection of personal data. Notification is given in accordance with Art. 33 sec. 1 GDPR only if there is a risk to the personal rights and freedoms of the data subject.


The DPO coordinates the notification and its necessity with the managing partner. The supervisory authority is notified within 72h after the incident and after the examination by the DPO.


The DPO checks whether and to what extent the data controller has to be informed about the incident due to the violation of the protection of personal data according to the DPA. The data controller is notified immediately after the incident and after the examination by the DPO.

In the event of a (high) risk to the rights of the data subject, the process owner, after checking with the DPO, will initiate suitable measures to minimize or remove the (high) risk to the personal rights and freedoms of the data subjects resulting from the violation of the protection of personal data.


Such measures are, according to Art. 34 sec. 3 lit. b) GDPR, technical and organizational security precautions, in particular those that make personal data inaccessible to all persons who have or have had unauthorized access (data protection violation / suspected data protection violation), such as blocking or deletion.


If personal data of the data subject has been disclosed to third parties (customers, suppliers, clients, etc.), the process owner must also inform them of the necessary measures. Order processors in particular have to be instructed by the process owner, to provide information, not to process data further or to a limited extent or to delete data and to inform the data controller about implemented measures. The process owner monitors this process and informs the DPO of its success.

Successfully implemented measures must be documented by the process owner and reported to the DPO.


3.6 Obligation to accountability & documentation 

Compliance with the requirements resulting from this policy is provable at any time according to Art. 5 sec. GDPR (accountability). This is done in particular through conclusive and comprehensible written documentation with regard to the measures taken and the associated considerations.

Compliance with data protection guidelines and applicable data protection laws is regularly checked by data protection audits and other controls. We use the knowledge gained from these audits to further develop effective data protection.


4. IT security

Information processing plays a key role in performing our tasks. All essential strategic and operational functions and tasks are significantly supported by information technology (IT). A failure of IT systems must be compensated for in the short term. Since our core competence lies in the development of innovative products, the protection of company data against unauthorized access and unauthorized changes is of existential importance.


The availability of our data and IT systems in all technology-dependent and commercial areas is secured in such a way that expected downtimes can be tolerated. Malfunctions and irregularities in data and IT systems are only acceptable to a limited extent and only in exceptional cases (integrity). The confidentiality requirements are of a level that conforms to the law. Maximum confidentiality requirements apply to data from the development department.


Our security measures are economically justifiable in relation to the value of the information and IT systems worth protecting.

Employees as well as the management are aware of their responsibility when dealing with IT and support the security strategy to the best of their ability. The basis for this is a separate IT Security Guideline.


The data protection laws and the interests of our employees, customers, suppliers and other business partners require that the confidentiality of their data be ensured. Data and IT applications are therefore subject to a high level of confidentiality.


4.1 Security measures

Buildings and premises are protected by adequate access controls. Access to IT systems is protected by appropriate access controls and access to the data is protected by a restrictive authorization concept.

Computer virus protection programs are used on all IT systems. A suitable firewall secures all internet access. All protection programs are configured and administered in such a way that they represent effective protection and manipulation is prevented. Furthermore, the IT users support these security measures through a security-conscious way of working and inform the correspondingly defined departments in the event of any abnormalities.


Data loss can never be completely precluded. Comprehensive data backup therefore ensures that IT operations can be resumed at short notice if parts of the operational database are lost or are obviously faulty. Data is consistently labeled and stored so that it can be found quickly. In order to limit or prevent major damage as a result of emergencies, we react quickly and consistently to security incidents. Emergency measures are compiled in a separate IT emergency concept. Our goal is to maintain critical business processes even in the event of a system failure and to restore the availability of the failed systems within a tolerable period of time.


If IT services are outsourced to external providers, we specify concrete security requirements in our service level agreements. The right to audit is always established. For extensive or complex outsourcing projects, we create a detailed security concept with specific measures.

Business hardware and software are used for operational tasks, specifically for the intended purposes, and are secured against loss and manipulation. Telephone systems, e-mail addresses, intranet and internet as well as internal social networks are primarily provided by us in the context of the operational tasks. They are work tools and company resources. They may be used within the framework of the applicable legal regulations and internal company guidelines. In the case of permitted use for private purposes, telecommunications secrecy and the applicable national telecommunications law will be observed, insofar as these apply.


5. Improvement of security

This management system of data protection is regularly checked for its topicality and effectiveness by https://www.datenschutz-planung.de/. In addition, the measures are also regularly checked to determine whether they are known by the employees, whether they can be implemented and integrated into the operational process and ultimately lead to certain success.


The desired level of data protection is ensured through continuous revision of the regulations and compliance with them. Deviations are analyzed with the aim of improving the security situation and keeping it up to date with the latest IT security technology.

The management supports the constant improvement of the security level. Employees are required to pass on any improvements or weaknesses to the data protection officer.


6. Secrecy

Our employees, customers, suppliers and other business partners are obliged to keep confidential company data worth protecting (commercial and business secrets). All information, data and documents of any form belonging to our organization, employees, customers, suppliers and other business partners must be treated as secret and used only for the agreed purposes. Such information is not made available to third parties in any form.


If authorities or courts request disclosure of such information, we inform the affected parties immediately, before the information is made available.

The duty of confidentiality continues to apply after the end of the business or employment relationship.

For further details see Obligation to confidentiality, Declaration of secrecy and Non Disclosure Agreement (NDA).


7. Obligation & training of employees

Each of our employees who processes personal or company data is obliged to treat personal data confidentially, to keep trade and business secrets secret and to comply with this guideline. Employees who are subject to special confidentiality obligations (e.g. telecommunications secrecy according to § 88 TKG) are additionally bound to these obligations in writing by their superiors.

The data protection officer ensures that employees complete training on the correct use of IT services and on compliance with data protection regulations. The employees concerned are released from their duties for the training sessions in coordination with the respective department leads.


For more details see Privacy Training Presentation.


- Version June 2023

Privacy policy   

1. Intention

To us, protecting the personal rights and privacy of every individual as well as protecting business and company secrets are the basis for trusting business relationships.


This policy describes how we process data, to whom we pass it on and what rights data subjects and companies have while processing their data. We also describe the measures we use to ensure the security of data and how data subjects and companies can contact us if they have any questions about the practical implementation of our protection of their personal and company data.


2. General

Our employees are obliged to comply with this policy and the guidelines and work instructions deriving from. Each employee is responsible for their implementation in their area of ​​responsibility.


Any data subject can contact our data protection officer (privacy@cardcompact.com) with suggestions, inquiries, requests for information or complaints in connection with data protection or data security issues. Inquiries and complaints are treated confidentially.


The managing partner is fully responsible for any data processing of Card Compact Ltd.


3. Data Protection

This guideline regulates the data protection-compliant processing of personal data of data subjects (any natural person about whom data is processed) and the responsibilities of Card Compact.

The company maintains records of processing activities of our company. At least one person of each department has the responsibility to collect all necessary information of the procedures of the respective department and to document this in accordance with the requirements of Art. 30 GDPR in coordination with the data protection officer.


3.1 Data protection officer

We have appointed a company data protection officer in accordance with Art. 37 GDPR and appointed a representative as well.


Our data protection officer performs the tasks assigned to him by law and from this guideline with the instruction-free application of his specialist knowledge and professional qualifications. Our data protection officer has a sufficiently large time budget to fulfill his obligations. He teaches and advises management and employees on their data protection obligations. He is responsible for monitoring the compliance with data protection regulations and the strategies of the person responsible for protecting personal data, including raising awareness and training employees.


Our data protection officer is involved in all data protection issues at an early stage and is supported by both management and employees in the performance of their duties. Our data protection officer regularly reports to the managing partner about examinations, complaints and organizational deficiencies that may need to be remedied.


Every employee can contact our data protection officer directly with information, suggestions or complaints, while  confidentiality absolutely is maintained.


3.2 Basic principles of processing

When processing personal data, we regard the personal rights (fundamental rights and freedoms) of the data subject taken into account. We legally collect and process personal data.


3.2.1  Permission facts

In principle, the processing of personal data is not permitted. We collect, process and use personal data only on the basis of the following legally permissible conditions according to. Art. 6 GDPR


Contractual performance

The processing of personal data is permitted if data processing is necessary for the performance of a contract between us and the data subject, or when the data subject is initiating the business relationship upon request.


Consent

Data processing can take place based on the consent of the data subject. Data subject will be given extensive information about the processing before consent is given. For reasons of evidence, the declaration of consent is generally obtained in writing or electronically. Under certain circumstances, e.g. in the case of telephone advice, consent can also be given orally. Consent must be documented in any case.


Legal permission

The processing of personal data is also permitted if legal regulations require or allow us to process data. The type and scope of data processing must be necessary for the legally permissible data processing and based on these legal provisions.


Legitimate interest

The processing of personal data is also allowed if this is necessary to fulfill our legitimate interest. Legitimate interests are usually legal (e.g. enforcement of outstanding claims) or economic (e.g. avoidance of contractual disruptions) ones. Processing of personal data on the basis of a legitimate interest may not take place if there is an indication that the interests of the data subject that are worthy of protection outweigh the interest in the processing in individual cases. The legitimate interests are checked for each processing.


3.2.2 Purpose limitation & data minimization

The processing of personal data also only takes place for purposes that were determined before the data was collected. In principle, only those data may be processed that are necessary to achieve the business purpose and that are directly related to the processing purpose. Subsequent changes to the purposes are therefore only possible to a limited extent or require consent or justification. A change of a purpose must be documented in writing.


Before processing personal data, we check whether and to what extent this is necessary in order to achieve the intended purpose. If it is possible to achieve the purpose and the effort is reasonable in relation to the intended purpose, anonymized data will be used. We do not store personal data for potential future purposes unless this is required or permitted by national law.


We delete personal data, whose processing is no longer required after the purpose no longer applies and / or after the expiry of statutory or contractual retention periods. "Deletion" of personal data here means both the final and thus irrevocable, complete removal of data (destruction) and their personal reference to data subject (anonymization). In any case, after the deletion process a reference to specific subjects can no longer be established.


 3.2.2.1 Retention and deletion process
  1. Determination of the obligation whether to delete data in accordance with data protection laws (loss of purpose, exercise of rights of the data subject)
  2. Determination of the essential storage obligations (legal and contractual)
  3. Determination of the relevant retention periods (legal and contractual)
  4. Control and documentation of the deletion


Insofar as data whose original purpose of processing has ceased are subject to additional storage obligations within the meaning of Art. 17 sec. 3 lit. b and e GDPR and whose storage periods have not yet expired, these data must be withdrawn from any further processing at production level in acc. with § 35 sec. 1 BDSG (blocking).


Only with the omission of the original processing purposes, storage obligations and the expiry of the corresponding retention periods data have to be completely and finally deleted from all other systems processing these data or their deletion to be assigned (order processing).


As a matter of principle, personal data must be deleted immediately if they are no longer processed for the original purpose and also if the legal obligation to retain no longer applies or if retention periods have expired.

For reasons of practicability, however, it is not possible to comply exactly with storage obligations and their periods in every individual case and to carry out day-by-day archiving or deletion of individual personal data. For this reason, data is always archived and deleted collectively within reasonable periods of time.


Unless earlier deletion is indicated in individual cases, the following is considered a standard deletion period: data whose retention period expires in or with a certain calendar year will be deleted at the latest by the end of the first quarter of the following calendar year. The following deletion periods apply in the company:

Time period immediately 6 months 3/10 years 7/10 years
Purpose Cessation of the purpose of processing All personal data for the application (CV, letter of application, certificates) Data required for the defence of civil and criminal claims (statute of limitations) and contained in personnel files All data related to accounting (balance sheets, payrolls, invoices )
Legal basis Art. 6 para. 1 p. 1 lit. a, b, f DSGVO 6 months (Art. 6 para. 1 p. 1 lit. c DSGVO) after rejection or 3 years (Art. 6 para. 1 p. 1 lit. c, f DSGVO) after resignation 3 years (Art. 6 para. 1 p. 1 lit. f DSGVO) after closure of card account or termination of employment relationship 7 years (Art. 6 para. 1 p. 1 lit. f DSGVO) after creation of invoices and turnover
Processing system Websites, godaddy GMail, Indeed, Uni Passau career portal, paper documents CardBro, Freshdesk, GMail, MS Office, Zoho CRM, GPS, Thames, Veriff, Co-Brand, Collection Paper Documents Sage, CardBro, paper documents
personal data Usage data (e.g. websites visited, interest in content, access times) Meta / communication data (e.g. device information, unique identifier) Name, date of birth, address, contact data (e.g. e-mail, telephone numbers), content data (e.g. curriculum vitae, photo). Name, date of birth, address, contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, history, photo), account data (IBAN), transaction number Name, address Account data (IBAN), transaction number



Deletion must ensure that the data or their personal references no longer exist and can no longer be completely and permanently restored. In this sense, a recovery is considered to be no longer possible if it is physically impossible or would only be possible with disproportionately high effort.


The deletion of database entries is done by removing and overwriting the respective entry. E-mails,  Freshdesk tickets and Teams messages are deleted by moving the respective entry into the trash and removing it from the trash by overwriting. Continuous electronic documents such as Word or Excel lists for recording personal customer data are modified according to the respective deadlines. For the destruction of documents and electronic data carriers a special shredder is used.



For the individual systems, this means the following.


Category Anonymization Deletion (Archieve)
Period after Process Process Period
Zoho CRM Analysis Data - Creation date - AUT Anonymization immediately
Customer Contact Core Data 1 year Account closure / end of business MAN restricted Archive MAN Deletion 3+1 years
Google Drive Accounting Documents 2 years Creation date MAN restricted Archive by search filter 'creation date' AUT Deletion 7+1 years
Any Customer Data - Account closure / end of business - MAN Deletion by search filter 'closed' 3+1 years
GMAIL Any Customer Data - Settlement / Abort - AUT Deletion 7+1 years
Freshdesk Any Customer Data 1 year Account closure / end of business AUT restricted Archive AUT Deletion 3+1 years
Onepilot Any Customer Data 1 year Account closure / end of business AUT restricted Archive AUT Deletion 3+1 years
CardBro / Portal Accounting Documents 7+1 years Creation date AUT Anonymization MAN Deletion 10+1 years
Any Customer Data 3+1 years Account closure / end of business AUT Anonymization MAN Deletion 10+1 years
GPS Accounting Documents 2 years Creation date AUT restricted Archive AUT Deletion 7+1 years
Any Customer Data 1 year Account closure / end of business AUT restricted Archive AUT Deletion 3+1 years
Thames Any Customer Data 1 year Account closure / end of business AUT restricted Archive AUT Deletion 3+1 years
Veriff Any Customer Data - Registration - AUT Deletion 3 months
Sage Any Employee Data Immediately Creation date MAN restricted Archive AUT Deletion 10+1 years
BackUp / Logs Any Data
Webseiten (Cookies) / godaddy Any Customer Data - Creation date / Session - AUT Deletion 1 year
3.2.2.2 Advertising

The processing of personal data for advertising or market research purposes is only permitted if this is compatible with the purpose for which the data was originally collected or if there was explicit consent before processing.


3.2.2.3 Cookies / tracking

If personal data is collected, processed and used on websites or in apps, the consent of the data subject (opt-in) is required beforehand. It gets informed about the processing in our privacy policy and, if necessary, cookie notices. These instructions are integrated in such a way that they are easily recognizable, immediately accessible and always available to the data subject.


If usage profiles are created to evaluate the usage behavior of websites and apps (tracking), the data subjects will be informed in any case in our privacy policy. Personal tracking may only take place if the data subject has given consent. If the tracking takes place under a pseudonym, the data subject is given the option to object in our privacy policy (opt-out). Completely anonymous tracking is legally permissible based on our legitimate interest.


3.2.2.4 Employees

Personal data may only be processed for the employment relationship if this is necessary for the establishment, implementation and termination of the employment contract. When initiating an employment relationship, personal data of applicants may be processed. After rejection, we will delete the applicant's data, taking into account evidential periods, unless the applicant has consented to further storage for a later selection process.


3.2.3 Transparency

We will provide the data subject with comprehensive information about our processing of their data. In principle, we collect the personal data from the data subject of himself. When the data is collected, the data subject must at least be able to recognize the following or be informed accordingly about:


  • The identity of the controller
  • The purpose of data processing
  • Third parties or categories of third parties to whom the data may be transmitted


If other organizations or authorities request information about the data subject, they will only be released without the data subject's consent if there is a legal obligation for or a legitimate interest of us and the identity of the requester is beyond any doubt. If in doubt, the data protection officer must be contacted.


3.2.4 Accuracy

Personal data is stored correctly, completely and - if necessary - up to date. We have taken reasonable measures to ensure that incorrect, incomplete or outdated data is deleted, corrected, supplemented or updated.


3.2.5 Integrity and Confidentiality

Data secrecy applies to personal data. We treat them personally confidential and protect them with appropriate organizational and technical measures against unauthorized access, unlawful processing or transfer, as well as accidental loss, modification or destruction.

The need-to-know principle applies: employees only have access to personal data if and insofar as this is necessary for their respective tasks. This enables the careful division and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.


3.3 Processor

If external service providers are to be commissioned for the first time with the processing of personal data or individual processing steps (e.g. collection, deletion = disposal) or with activities (e.g. maintenance, repair) in which they gaining knowledge (even they are just able to access) of personal data, then they have to be committed to our data protection level with an data processing agreement. Service providers are carefully selected by us before placing an order. 


The processor may only process personal data in accordance with our instructions and must ensure the required technical and organizational protective measures. We remain fully responsible for the correct execution of the data processing.


In the case of cross-border order data processing, the respective national requirements for the transfer of personal data abroad are met. In particular, the processing of personal data from the European Economic Area takes place in a third country only if the processor proves a level of data protection equivalent to this data protection policy. A suitable instrument is the agreement of the EU standard contractual clauses for order data processing in third countries with the processor and possible subprocessors.


As soon as contracts with clients or suppliers (service providers) are to be concluded or modified, it is necessary to check whether the processing of personal data requires an agreement under data protection law. The DPO reviews the DPA of the contractual partner and sends its research request to the process owner via email for evaluation or provides the Card Compact DPA to the partner. The DPO negotiates the data protection agreements with the contractual partner and approaches the managing partner for clearance.


Any planned change of a service provider that processes personal data on behalf of our clients will be notified to the client and requires its approval.


3.4 Rights of the data subject

The data subject can request information about which personal data of which origin are stored about him and for what purpose. If personal data is transmitted to third parties, information about the identity of the recipient or the categories of recipients is also provided.

If personal data is not collected from the data subject itself, we provide the data subject with the necessary information of processing.

If personal data is incorrect or incomplete, the data subject can request their correction or addition.


The data subject can restrict the processing of their personal data, e.g. object to processing for advertising or market research purposes. The further processing of the data is blocked for these purposes. The same applies if the processing of the data is based on consent and this is revoked by an informal declaration with future effect, which is possible at any time. The withdrawal of consent has no negative effects.

The data subject is entitled to request the deletion of their data if the legal basis for the processing is missing or has disappeared. The same applies in the event that the purpose of the processing has expired due to the passage of time or for other reasons. Existing retention obligations and interests that are in conflict with deletion must be observed. 


The data subject has a fundamental right to object to the processing of their data, which will be taken into account if their interest worthy of protection outweighs our interest in processing due to a special personal situation. This does not apply if a legal regulation obliges us to carry out the processing.


3.4.1 Process description

All requests received will be forwarded via mail to the DPO immediately and without confirmation of receipt. The DPO checks whether there is corresponding data for the unambiguous identification of the data subject and compares this with the existing data records. The DPO directs its search request or measures to be carried out (e.g. deletion) via email with the priority "high" to the process owner. The DPO sends an acknowledgment of receipt of the request of information to the data subject. In this, reference is made to the ongoing process and the deadline within the requested information is made available.


If the data subject exercises its right to access information, the following information must be made available about the collection of personal data according to Art. 15 GDPR:

  • the processing systems;
  • the (categories) of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, especially for recipients in third countries;
  • planned duration of storage
  •  and information about process status.


In addition, the data subject must be provided with the allocation of personal data for all processing purposes and processing systems.

If the data subject exercises their right to rectification, the DPO will inform the respective process owner of the data to be changed. 

If the data subject exercises its right to restrict / object processing or data deletion, the DPO checks together with the relevant process owner whether the restriction / objection to remaining processing purposes or deletion is legally permissible and whether the data does not have to be further processed due to legal obligations at project level. If the restriction / objection is permissible, the process owner initiates the extraction of the data, of which the purpose is no longer given due to the restriction / objection, from the processing or storage locations to archiving systems and the simultaneous deletion in the processing or storage locations. If the data deletion is also permissible, it will immediately executed. 


If the data subject exercises its right to data portability, the DPO will inform the process owner about the data to be transferred. 

After coordination / information on the measure to be taken, this is carried out by the relevant process owner.

If personal data of the data subject has been disclosed to third parties (customers, suppliers, clients, etc.), the process owner must also inform them about necessary measures. Processors in particular have to be instructed by the process owner, to provide information, not to process data further or to a limited extent or to delete data and to inform the client about implemented measures. The process owner monitors this process and informs the DPO about success.


After reconciliation and approval of the answer, the DPO will respond to the data subject via mail. 


3.5 Privacy incidents

Each of our employees immediately reports cases of violations of this policy or other regulations for the protection of personal data (privacy incidents). In the event of unlawful transmission of personal data to third parties, unlawful access by third parties to or in the event of loss of personal data, the reports provided by Card Compact must be carried out immediately so that legal and contractual reporting obligations are fulfilled.


In addition, our employees, in coordination with the data protection officer and the management, immediately take measures to minimize or eliminate adverse effects for the rights of the data subject. Based on this, measures to avoid future data protection incidents are derived and implemented in existing processes.


3.5.1 Process description

The following incidents are exemplarily relevant to data protection:


  • Loss of mobile devices in transit (suspected data breach)
  • Unauthorized access to mobile devices (data breach)
  • Unauthorized access to business premises (suspected data breach)
  • Unauthorized access to Onlineprotal / Reversys / database (data breach)
  • Unauthorized disclosure of personal data to third parties such as incorrect email recipients, answering customer requests (data breach)


All notifications from or knowledge of privacy incidents received - regardless of the communication channel (email, telephone, letter, personal, ...), should be sent directly and immediately to the DPO via email to privacy@cardcompact.com with a short description of the incident.


The DPO directs its search request for measures to be carried out (e.g. notification to the supervisory authority or the data subject) via email with the priority "high" to the process owner. 


The process owner must immediately start with the search procedure. The documentation is preferably provided with the Privacy incident report. It is supplemented by all information relating to this incident (evidence / images). 


The DPO checks whether and to what extent the data subject has to be informed about the incident due to the violation of the protection of their personal data. Information is given in accordance with Art. 34 sec. 1 GDPR only if there is a high risk to the personal rights and freedoms of the data subject.


The DPO coordinates the notification and its necessity with the managing partner.

The data subject is notified immediately after the incident and after the examination by the DPO with the following information:


  • What is the injury?
  • Which and how much data are affected?
  • What measures have been taken to mitigate or remedy the violation of the protection of personal data?
  • Which high risk for the rights of the person concerned has arisen or increased?
  • Name and contact details of the data protection officer


The DPO checks whether and to what extent the data subject has to be informed about the incident due to the violation of the protection of their personal data. Information is given in accordance with Art. 33 sec. 1 GDPR only if there is a risk to the personal rights and freedoms of the data subject.


The DPO coordinates the notification and its necessity with the managing partner. The supervisory authority is notified within 72h after the incident and after the examination by the DPO.


The DPO checks whether and to what extent the data controller has to be informed about the incident due to the violation of the protection of personal data according to the DPA. The data controller is notified immediately after the incident and after the examination by the DPO.

In the event of a (high) risk to the rights of the data subject, the process owner, will initiate suitable measures to minimize or remove the (high) risk to the personal rights and freedoms of the data subjects as a result of the violation of the protection of personal data, after checking with the DPO.


Such measures are according to Art. 34 sec. 3 lit. b) GDPR technical and organizational security precautions, in particular those that make personal data inaccessible to all persons who have or have had unauthorized access (data protection violation) (suspected data protection violation), such as blocking or deletion.


If personal data of the data subject has been disclosed to third parties (customers, suppliers, clients, etc.), the process owner must also inform them of the necessary measures. Order processors in particular have to be instructed by the process owner, to provide information, not to process data further or to a limited extent or to delete data and to inform the data controller about implemented measures. The process owner monitors this process and informs the DPO of its success.

Successfully implemented measures must be documented by process owner and notified to the DPO.


3.6 Obligation to accountability & documentation 

Compliance with the requirements resulting from this policy is provable at any time according to Art. 5 sec. GDPR (accountability). This is done in particular through conclusive and comprehensible written documentation with regard to the measures taken and the associated considerations.

Compliance with data protection guidelines and applicable data protection laws is regularly checked by data protection audits and other controls. We use the knowledge gained from these audits to further develop effective data protection.


4. IT security

Information processing plays a key role in performing tasks. All essential strategic and operational functions and tasks are significantly supported by information technology (IT). A failure of IT systems must be compensated in short term. Since our core competence is within the development of innovative products, the protection of company data against unauthorized access and against unauthorized changes is of existential importance.


The availability of our data and IT systems in all technology-dependent and commercial areas is secured in such a way that expected downtimes can be tolerated. Malfunctions and irregularities in data and IT systems are only acceptable to a limited extent and only in exceptional cases (integrity). The confidentiality requirements are of a level that conforms to the law. Maximum confidentiality requirements apply to data from the development department.


Our security measures are economically justifiable in relation to the value of the information and IT systems worth protecting.

Employees as well as the management are aware of their responsibility when dealing with IT and support the security strategy to the best of their ability. The basis for this is a separate IT Security Guideline.


The data protection laws and the interests of our employees, customers, suppliers and other business partners require that the confidentiality of their data be ensured. Data and IT applications are therefore subject to a high level of confidentiality.


4.1 Safety measures 

Buildings and premises are protected by adequate access controls. Access to IT systems is protected by appropriate access controls and access to the data is protected by a restrictive authorization concept.

Computer virus protection programs are used on all IT systems. A suitable firewall secures all internet access. All protection programs are configured and administered in such a way that they represent effective protection and manipulation is prevented. Furthermore, the IT users support these security measures through a security-conscious way of working and inform the correspondingly defined departments in the event of any abnormalities.


Data loss can never be completely precluded. Therefore comprehensive data backup ensures that IT operations can be resumed at short term if parts of the operational database are lost or are obviously faulty. Data is consistently labeled and stored so that it can be found quickly. In order to limit or prevent major damage as a result of emergencies, we have to react quickly and consistently in case of security incidents. Emergency measures are compiled in a separate IT emergency concept. Our goal is to maintain critical business processes even in the event of a system failure and to restore the availability of the failed systems within a tolerable period of time.


If IT services are outsourced to external places, we specify specific security requirements in our service level agreements. The right to control is always established. For extensive or complex outsourcing projects, we create a detailed security concept with specific measures.

Business hardware and software are used for operational tasks, specifically for the intended purposes, and are secured against loss and manipulation. Telephone systems, e-mail addresses, intranet and internet as well as internal social networks are primarily provided by us in the context of the operational tasks. They are work tools and company resources. They may be used within the framework of the applicable legal regulations and internal company guidelines. In the case of permitted use for private purposes, telecommunications secrecy and the applicable national telecommunications law will be observed, insofar as these apply.


5. Improvement of security

This data protection management system is regularly reviewed for currency and effectiveness by https://www.datenschutz-planung.de/. In addition, the measures are regularly checked to determine whether employees are aware of them, whether they can be implemented and integrated into operational processes, and whether they actually achieve their purpose.


The desired level of data protection is ensured through continuous revision of the regulations and monitoring of compliance with them. Deviations are analyzed with the aim of improving the security situation and keeping it in line with the state of the art in IT security.

Management supports the continuous improvement of the security level. Employees are required to report any suggested improvements or identified weaknesses to the data protection officer.


6. Secrecy

Our employees, customers, suppliers and other business partners are obliged to keep company data worth protecting (trade and business secrets) confidential. All information, data and documents of any form belonging to our organization, employees, customers, suppliers and other business partners must be treated as confidential and used only for the agreed purposes. Such information is not made available to third parties in any form.


If authorities or courts request disclosure of such information, we will immediately inform those affected before the information is made available.

The duty of confidentiality continues to apply beyond the end of the business or working relationship.

For further details see the Obligation to Confidentiality, the Declaration of Secrecy and the Non-Disclosure Agreement (NDA).


7. Obligation & training of employees

Each of our employees who processes personal or company data is obliged to treat personal data confidentially, to keep trade and business secrets secret and to comply with this guideline. Employees who are subject to special confidentiality obligations (e.g. telecommunications secrecy according to § 88 TKG) are additionally bound to these obligations by their superiors in writing.

The data protection officer monitors that employees complete the required training on the correct use of IT services and on compliance with data protection regulations. The employees concerned are released from their duties for training appointments in coordination with the respective department leads.


For more details see the Privacy Training Presentation.


- Version June 2023

