Data Protection

Terms and Conditions for Data Protection and Third-Party Data Storage Rights

1. Introduction and Scope

These Terms and Conditions for Data Protection and Third-Party Data Storage Rights (hereinafter "Data Protection T&Cs") outline how [Your Company Name] ("we," "us," or "our") collects, processes, stores, and protects personal data in the course of providing our consulting services. They also detail the rights of data subjects and our obligations regarding third-party data storage.

We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG neu), as well as any other applicable data protection laws in Germany.

By engaging with our services, you ("Client" or "you") agree to the terms outlined in these Data Protection T&Cs.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Data Subject: The identified or identifiable natural person to whom personal data relates.

Third Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 GDPR. In Germany, these are the various state data protection authorities.

3. Principles of Data Processing

We adhere to the following principles when processing personal data:

Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.

Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation: Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy: Data is accurate and, where necessary, kept up to date. Every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality (security): Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Accountability: We are responsible for, and able to demonstrate compliance with, the above principles.

4. Types of Personal Data Collected

In the course of our consulting services, we may collect and process various types of personal data, which may include, but are not limited to:

Client identification data: Names, addresses, contact details (email, phone number), job titles, company details.

Communication data: Correspondence, meeting notes, emails, and other communication related to the consultation.

Financial data: Billing information, payment details (only as necessary for invoicing and payment processing).

Project-related data: Any personal data that you, as the Client, provide to us for the purpose of the consultation project. This might include data about your employees, customers, or other stakeholders, depending on the nature of the consultation.

Website usage data: IP addresses, browser type, operating system, referring URLs, access times (collected through cookies and analytics tools, subject to your consent where required).

5. Legal Basis for Processing Personal Data

We process personal data based on one or more of the following legal bases as defined in the GDPR:

Performance of a contract (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This applies to data processed for delivering our consulting services to you.

Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This may include, for example, processing for internal administrative purposes, security, or improving our services.

Compliance with a legal obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax laws, commercial laws).

Consent (Art. 6(1)(a) GDPR): The data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes. Where consent is the legal basis, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Protection of vital interests (Art. 6(1)(d) GDPR): Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Public interest (Art. 6(1)(e) GDPR): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Purposes of Processing Personal Data

We process personal data for the following purposes:

To provide and manage our consulting services as per our agreement with you.

To communicate with you regarding our services, inquiries, and support.

To fulfil our contractual obligations.

To comply with legal and regulatory requirements.

For billing and payment processing.

To improve our services and internal processes.

To respond to data subject requests and inquiries.

For marketing purposes, where explicit consent has been obtained (e.g., newsletters, promotional offers).

7. Third-Party Data Storage and Processing (Processors)

As a consultation company, we may engage third-party service providers (Processors) to assist us in delivering our services, which may involve the storage or processing of personal data. These third parties act on our behalf and under our instructions.

Selection of Processors: We carefully select our Processors based on their ability to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and BDSG neu and ensure the protection of the rights of the data subject.

Data Processing Agreements (DPAs): We enter into written Data Processing Agreements (DPAs) with all our Processors, as required by Art. 28 GDPR. These DPAs stipulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Controller.

Processor Obligations: Our DPAs ensure that Processors are bound by the same data protection obligations as we are, including:

Processing personal data only on our documented instructions.

Ensuring that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Assisting us in responding to requests from data subjects.

Notifying us without undue delay upon becoming aware of a personal data breach.

Assisting us in conducting Data Protection Impact Assessments (DPIAs) and consulting with supervisory authorities where necessary.

At the end of the service, deleting or returning all personal data to us and deleting existing copies, unless required by Union or Member State law to store the personal data.

Categories of Third-Party Service Providers (Examples):

Cloud storage providers (for document storage, project management)

IT service providers (for infrastructure, software maintenance)

Communication platforms (for video conferencing, email)

Accounting and billing software providers

CRM systems

8. International Data Transfers

In some cases, our Processors or sub-processors may be located outside the European Union (EU) or European Economic Area (EEA). In such instances, we ensure that personal data transfers comply with Chapter V of the GDPR by implementing appropriate safeguards, such as:

Standard Contractual Clauses (SCCs): Implementing the European Commission's approved Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries.

Adequacy Decisions: Transferring data to countries deemed by the European Commission to provide an adequate level of data protection.

Binding Corporate Rules (BCRs): For intra-group transfers, if applicable.

We conduct Transfer Impact Assessments (TIAs) where necessary to assess the risks associated with data transfers to third countries and implement supplementary measures to ensure a level of protection essentially equivalent to that guaranteed within the EU/EEA.

9. Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, including, where appropriate:

Pseudonymisation and encryption of personal data.

The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Access controls, firewalls, and other network security measures.

Employee training on data protection and security.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

11. Your Rights as a Data Subject

Under the GDPR and BDSG neu, data subjects have the following rights regarding their personal data:

Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and further information.

Right to rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you.

Right to erasure ('right to be forgotten') (Art. 17 GDPR): You have the right to obtain the erasure of personal data concerning you without undue delay where certain grounds apply.

Right to restriction of processing (Art. 18 GDPR): You have the right to obtain from us restriction of processing where certain conditions apply.

Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and is carried out by automated means.

Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests or the performance of a task carried out in the public interest, including profiling. You also have an absolute right to object to processing for direct marketing purposes.

Right to withdraw consent (Art. 7(3) GDPR): Where the processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

To exercise any of these rights, please contact us using the details provided in Section 13.

12. Changes to these Data Protection T&Cs

We reserve the right to update or modify these Data Protection T&Cs at any time. Any changes will be posted on our website www.ve-comedus.de and will become effective immediately upon posting. We encourage you to review these Data Protection T&Cs periodically for any updates.

13. Contact Information

If you have any questions about these Data Protection T&Cs, our data processing practices, or if you wish to exercise your data subject rights, please contact us:

VE-comedus UG. Contact: Lord C.G. Rouse of South Clifton. Warendorfer Strasse 20, 17192, Waren Müritz, Mecklenburg Vorpommern, Germany. Email Address: info@ve-comedus.de 

Tel: +49 (0) 160 8124 689

According to § 5 TMG

VE-comedus UG

Warendorfer Strasse 20

D-17192 Waren (Müritz)

Email: info@ve-comedus.de

Phone: +49 39959 364 463

Website: https://www.ve-comedus.de

Founder and CEO: Charles George Rouse (Lord of South Clifton)

Responsible for editorial content: Charles George Rouse   

Registered court: Local court Neubrandenburg

Reg. No. HRB21961

Reg. Office Neubrandenburg

VAT No: DE364157432
