Privacy policy of
HAVASS Academy & Coaching

  • 1 Meaning, aim, accessibility

(1) This Corporate Directive is the binding basis for legally compliant and sustainable protection of personal data in the company.

(2) The purpose of this Corporate Directive is to safeguard and protect the fundamental rights and freedoms of data subjects, in particular their right to the protection of personal data.

(3) This Corporate Directive must be readily available to all employees and officers at all times.

  • 2 Scope

(1) This Policy applies personally to all employees and officers of the Company.

(2) The requirements and prohibitions of this Corporate Directive apply to all handling of personal data, regardless of whether this is done electronically or in paper form. They also apply to all types of data subjects (customers, employees, suppliers, etc.).

  • 3 Definitions

(1) Personal data is any information relating to an identified or identifiable natural person (data subject). Customer data is just as much personal data as personnel data of employees. For example, the name of a contact person can be used to identify a natural person, as can his or her e-mail address. It is sufficient if the information in question is linked to the name of the data subject or if the reference to that person can be established from the context. A person can also be identifiable if the information must first be combined with additional knowledge, e.g., in the case of a license plate number. The origin of the information is irrelevant for the reference to a person. Photos, video or audio recordings can also constitute personal data.

(2) Special categories of personal data are information that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation.

(3) Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(4) Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

(5) Profiling means any kind of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

(6) Pseudonymization means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(7) Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

(8) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(9) Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party.

(10) Third party means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.

(11) Consent of the data subject shall mean any freely given, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

 

  • 4 Data protection organization

(1) Our company has appointed a data protection officer, who can be reached at the following contact details:

Attorney at law Sascha Weller
Institute for Data Protection Law
Ziegelbräustraße 7
85049 Ingolstadt
Tel.: +49 (0)841 – 885 167 15
Fax: +49 (0)841 – 885 167 22
E-mail: ra-weller@idr-datenschutz.de

(2) The Data Protection Officer shall monitor compliance with the GDPR as well as other legal requirements, including the requirements of this and other company policies on data protection. The Data Protection Officer advises and informs the company management regarding existing data protection obligations and is responsible for communicating with supervisory authorities. Selected processes are monitored by him on a random, risk-oriented basis and at appropriate intervals to ensure that they comply with data protection requirements.

(3) The Data Protection Officer shall perform his or her duties without being subject to instructions and on the basis of his or her specialist knowledge. He shall report directly to the management.

(4) The company and its employees shall support the data protection officer in the performance of his/her duties.

 

  • 5 Handling of personal data

(1) The processing of personal data is generally prohibited unless a legal norm explicitly permits it. Under the GDPR, personal data may in principle be processed:

–    In case of an existing contractual relationship with the data subject.

Example: The storage and use of required personal data in the context of a loan agreement.

–    In the course of pre-contractual measures at the request of the data subject as well as the execution of the contract with the data subject.

Example: Customer K requests information about product X and purchases it. The data required to send the information material and to process the legal transaction (delivery of the goods and payment of the purchase price) may be processed.

–    If and to the extent that the person concerned has consented.

Example: The data subject signs up to receive a newsletter.

–    If there is a legal obligation to which the company is subject.

Example: Statutory retention periods according to the German Commercial Code (HGB) and the German Fiscal Code (AO).

–    If legitimate interests of the company exist, unless the interests or fundamental rights of the data subject prevail, in particular if the data subject is a child. However, data processing invoking a legitimate interest should not be carried out without prior consultation with the data protection officer.

Example: The use of the postal address for sending advertising letters.

(2) Data subjects shall not be subject to a decision based solely on automated processing, including profiling, which produces a legal effect concerning them or similarly significantly affects them.

(3) Personal data shall be processed for a previously defined, clear and legitimate purpose. Retaining data without a purpose, i.e. storing data merely in case it might be needed later, is not permitted.

(4) If possible, personal data processing should be dispensed with. Pseudonymous or anonymous data processing is preferable.

(5) A change of the purpose on which data processing was originally based is, apart from cases in which the data subject has consented, only permissible if the purpose of the further processing is compatible with the original purpose. In particular, the reasonable expectations of the data subject vis-à-vis the company with regard to such further processing, the type of data used, the consequences for the data subject and the possibilities of encryption or pseudonymization must be taken into account.

(6) The data subject shall be comprehensively informed about the handling of his/her personal data when it is collected. The information shall include the purpose, the identity of the controller, the recipients of his or her personal data and any other information within the meaning of Art. 13 GDPR in order to ensure fair and transparent processing. The information shall be provided in a comprehensible and easily accessible form and in the simplest possible language.

(7) If personal data is not collected from the data subject, but is obtained from another company, for example, the data subject must be informed subsequently and comprehensively about the handling of his or her data in accordance with Art. 14 of the GDPR. This also applies to changes in the purpose of the data processing.

(8) Personal data must be factually correct and, if necessary, up to date. The scope of data processing should be necessary and relevant with regard to the defined purpose. The respective specialist department must ensure implementation by establishing appropriate processes. Likewise, data inventories must be regularly checked for accuracy, necessity and up-to-dateness.

 

  • 6 Special categories of personal data

Special categories of personal data may generally only be collected, processed or used with the consent of the data subject or, in exceptional cases, on the basis of explicit legal permission. Furthermore, additional technical and organizational measures (e.g., encryption during transport, minimal assignment of rights) must be taken to protect special categories of personal data.

 

  • 7 Data transmission

(1) The transfer of personal data to third parties is only permitted on the basis of legal permission or the consent of the data subject.

(2) If the recipient of personal data is located outside the European Union or the European Economic Area, special measures are required to protect the rights and interests of data subjects. A data transfer shall not take place if an adequate level of data protection neither exists at the recipient nor can be established, for example by means of special contractual clauses.

 

  • 8 External service providers

(1) If external service providers are to be given access to personal data, the data protection officer must be informed in advance.

(2) Service providers with potential access to personal data shall be carefully selected before the contract is awarded. The selection must be documented and should consider the following aspects in particular:

–    Professional suitability of the contractor for the concrete data handling

–    Technical-organizational security measures

–    Experience of the provider in the market

–    Other aspects that indicate reliability of the provider (data protection documentation, willingness to cooperate, response times, etc.)

(3) If a service provider is to collect, process or use personal data on behalf of a customer, a contract for commissioned processing must be concluded. Data protection and IT security aspects must be regulated in this contract.

(4) The service provider shall be reviewed regularly with regard to the technical and organizational measures contractually agreed with it. The result shall be documented.

 

  • 9 Data minimization, privacy by design/privacy by default

(1) Personal data shall be handled with the aim of collecting, processing or using as little data as possible about a data subject (“data minimization”). In particular, personal data shall be anonymized or pseudonymized to the extent the purpose of use allows. For example, in the context of a statistical analysis of data, it will not be necessary to know and use the full name of a data subject. Rather, this information can be replaced by a random value, which still allows the underlying records to be distinguished from one another.

(2) The same shall apply to the selection and design of data processing systems. Data protection shall be integrated into the specifications and architecture of data processing systems from the outset in order to facilitate compliance with the principles of privacy and data protection, such as in particular the principle of data minimization.

 

  • 10 Rights of data subjects

(1) Data subjects have the right to information about the personal data stored about them in the company.

(2) When processing such requests, the identity of the data subject must be established beyond doubt. If there is reasonable doubt about the identity, additional information may be requested from the requester.

(3) The information shall be provided in writing, unless the data subject has made the request for information electronically. The information shall be accompanied by a copy of the data subject’s data, which, in addition to the data held on the person, also includes the recipients of the data, the purpose of storage and all other legally required information pursuant to Art. 15 GDPR, in order to make the data subject aware of the processing and to allow him or her to assess its lawfulness. Upon special request of the data subject, the data will be provided in a structured, commonly used and machine-readable format. The responsible IT department shall determine the standard to be used for this purpose.

(4) Data subjects have a right to have their personal data corrected if it proves to be inaccurate. Likewise, they may request the completion of incomplete personal data.

(5) The data subject shall have the right to have his/her personal data deleted under the following conditions:

–    the data are no longer necessary for the purpose for which they were stored,

–    the data subject has revoked consent and there is no other legal basis for processing,

–    their processing is inadmissible,

–    the data subject objects to processing for advertising purposes or invokes a right to object on the basis of a specific personal situation that must be substantiated,

–    it concerns special categories of personal data whose accuracy cannot be proven, or

–    there is another legal obligation to delete the data.

If there is an obligation to erase and the personal data have previously been made public, other controllers shall be informed of the data subject’s erasure request regarding all copies of his/her data as well as all links to such data.

(6) The data subject may request the restriction of the processing of his/her data if

–    the accuracy of the personal data is disputed, for the period during which the competent department verifies its accuracy, or

–    the processing is unlawful, but the data subject opposes erasure of the data, or

–    the company no longer needs the personal data for the purposes of processing, but the data subject requires the data for the assertion, exercise or defense of legal claims, or

–    the data subject has objected to the processing on the grounds of a particular situation and the competent department is still examining the objection.

(7) The person concerned shall be informed within one month at the latest of all measures taken at his/her request.

(8) The data protection officer shall be available to advise on the protection of the rights of the data subjects.

 

  • 11 Requests for information from third parties about data subjects

If an entity requests information about data subjects, such as customers or employees of that entity, disclosure of information is permitted only if

– the party providing the information can demonstrate a legitimate interest in doing so, and

– a legal norm obliges the company to provide the information, and

– the identity of the inquirer or the inquiring body is established beyond doubt.

 

  • 12 Directory of processing activities

(1) The company shall keep a register of all data processing operations. Each department shall name a responsible person who documents all necessary information on the procedures of the respective department in accordance with the legal requirements of Art. 30 GDPR. The data protection officer may be consulted for advice regarding the information required by law.

(2) The company shall make the directory available to the supervisory authority upon request. The data protection officer shall be responsible for this in agreement with the company management.

 

  • 13 Advertising

(1) Addressing data subjects for advertising purposes by letter, telephone, fax or e-mail is generally only permissible if the data subject has previously consented to the use of his or her data for advertising purposes.

(2) Exceptions are only permitted if a statutory permission exists. Please consult the data protection officer in this regard.

 

  • 14 Training

Employees who have permanent or regular access to personal data, collect such data or develop systems for processing such data shall be trained in an appropriate manner on the requirements of data protection law. The data protection officer decides on the form and frequency of the corresponding training.

 

  • 15 Data secrecy

(1) Employees are prohibited from collecting, processing or using personal data without authorization. Before taking up their duties, they shall be obliged to handle personal data confidentially. Management shall obtain this commitment using the form provided for this purpose.

(2) Employees with special secrecy obligations (e.g., telecommunications secrecy pursuant to Section 3 TTDSG) shall be additionally obligated to do so in writing by the management.

 

  • 16 Complaints

(1) Every data subject has the right to complain about the processing of his or her data if he or she feels that his or her rights have been violated. Likewise, employees may report violations of this Corporate Policy at any time.

(2) The competent body for the above-mentioned complaints shall be the Data Protection Officer as an internal independent body not subject to directives.

 

  • 17 Internal investigations

(1) Measures to clarify the facts and to prevent or uncover criminal offenses or serious breaches of duty in the employment relationship shall be carried out in strict compliance with the relevant statutory data protection provisions. In particular, the associated collection and use of data must be necessary, appropriate and proportionate with regard to the interests of the data subject that are worthy of protection in order to achieve the purpose of the investigation.

(2) The person concerned shall be informed as soon as possible about the measures taken concerning him or her.

(3) In all forms of internal investigations, the data protection officer shall be involved in advance with regard to the selection and design of the measures.

 

  • 18 Availability, confidentiality and integrity of data

(1) Depending on the type, scope, circumstances and purposes of the processing as well as the probability of occurrence, a documented protection requirement assessment and analysis with regard to the risks for data subjects shall be carried out for each procedure.

(2) To safeguard the availability, confidentiality and integrity of data, a general security concept shall be drawn up depending on the protection needs assessment and risk analysis, which shall be binding for all processes. This shall take into account, in particular, the state of the art as well as means and measures for encryption and data backup. The security concept must be regularly reviewed, assessed and evaluated with regard to the effectiveness of the technical and organizational measures provided for therein.

(3) It must be prevented that data processing systems can be used by unauthorized persons. Doors to unoccupied rooms shall be locked. Effective measures to control access to devices must be in place and activated. System sessions shall always be locked when the user is absent.

(4) Passwords enable access to systems and the personal data stored therein. They represent a personal identifier of the user and are not transferable. Passwords must always be kept confidential. Passwords must have a minimum length of eight characters and consist of a mix of character types. Passwords must not appear in a dictionary or be formed from easily guessed terms, especially terms related to the company.

(5) Access to personal data shall be granted only to those persons who need to know the respective data in the course of their duties (“need-to-know principle”). Access authorizations must be precisely and completely defined and documented.

(6) Data transmissions through public networks shall be encrypted if possible. Encryption shall be mandatory if the need to protect personal data so requires.

(7) Personal data collected for different purposes shall be processed separately. The separation of data shall be ensured by appropriate technical and organizational measures.

(8) Maintenance work on systems or telecommunications equipment by external service providers shall be supervised. Furthermore, it must be ensured that service providers cannot access personal data without authorization. Remote maintenance access shall only be granted in individual cases and shall follow the principle of minimal assignment of rights. Remote maintenance activities must be recorded or logged if possible.

 

  • 19 Data protection impact assessment

(1) Each department shall be required to conduct data protection impact assessments for processes under its responsibility if a high risk to the rights and freedoms of data subjects is to be expected as a result of the data processing. The data protection impact assessment shall contain all legally required descriptions of Article 35 (7) of the GDPR.

(2) The Data Protection Officer shall advise the departments on carrying out the data protection impact assessment and on the question of when processing operations may involve a high risk for data subjects.

 

  • 20 Violations of the protection of data (“data breach”)

(1) If company data has been unlawfully disclosed to third parties, the management must be informed immediately. The management shall immediately involve the data protection officer in the clarification of the facts.

(2) The notification shall include all relevant information to clarify the facts, in particular the receiving agency, the data subjects and the type and scope of the data transmitted.

(3) The fulfillment of any duty to inform the supervisory authority shall be carried out exclusively by the data protection officer. Data subjects shall be informed by the management, with the data protection officer being consulted in an advisory capacity.

 

  • 21 Consequences of violations

A negligent or even willful violation of this policy may result in employment action, including termination with or without notice. Criminal sanctions and civil consequences such as compensation for damages are also possible.

 

  • 22 Accountability

Compliance with the requirements of this guideline must be verifiable at all times. In this context, particular attention must be paid to the traceability and transparency of the measures taken, for example by means of associated documentation.

 

  • 23 Updating of the guideline; verifiability

(1) In the context of the further development of data protection law and technological or organizational changes, this Policy shall be reviewed regularly to determine whether it needs to be adapted or supplemented.

(2) Amendments to this policy become effective without any particular formality. The employees and officers shall be informed immediately and in an appropriate manner of the amended specifications.

Munich, 07.21.2023

Mrs. Uguray Akcan