Data Protection Policy for myconvento user of Convento GmbH, Neuss, for myconvento

as of May 25, 2018

As of May 25, 2018, Germany and the remaining EU member states are required to comply with and enforce the requirements of the EU General Data Protection Regulation (hereafter, GDPR). In Germany, the new Federal Data Protection Act (hereafter, “BDSG-new”), which builds on and implements the GDPR, will enter into force at the same time and, together with the GDPR, will replace the current Federal Data Protection Act (BDSG-old), which remains in effect through May 25, 2018.

As a data processor defined in Art. 4 GDPR, Convento GmbH (hereafter, “Convento”) processes personal data which its customers as controllers make available in myconvento for the performance of a contract to which the data subject is party. Personal data means any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Specifically, it refers to address and communication data and other distinctive particulars of journalists, bloggers, other "influencers" of the customer, and publishers.

Convento respects its customers' right to and ownership of their data, ensuring full data protection and privacy for data subjects, and is committed to do whatever it takes to measure up to our customers’ expectations.

Territorial scope
Customer data are processed exclusively within the territory of the Federal Republic of Germany. Since 2015, Convento has operated its customer systems at a specialized data processing center certified to ISO 27001 in D-40472 Düsseldorf at myloc managed IT AG (www.myloc.de).

Disclosure of personal information to third parties, subcontracts
Convento itself does not use the personal data provided by its customers, but makes them available only to the relevant customer on the server farm rented at the data center of myLoc managed IT AG (data processing center certified to ISO 27001), Am Gatherhof 44, D-40472 Düsseldorf. At the center, the data are integrated in the customer’s database and then made available exclusively to the customer. If any part of a contract is subcontracted - always strictly with the prior written consent of the customer- Convento will ensure that its subcontractors comply to the same degree with the stringent data protection and data security standards. The rights of inspection and review of the customer vis-à-vis Convento also apply to any subcontractors.

While general supply services (e.g. telecommunication, maintenance, support, cleaning) are excluded from this provision, Convento generally has appropriate data protection and data security agreements in place with such partners.

Personal data will be collected and forwarded to governmental institutions and authorities strictly within the scope of current legislation. In such case, Convento agrees - to the extent permitted by law - to give the customer due notice in writing of the disclosure. Convento does not use any service providers that fall within the ambit of the U.S. Patriot Act and the U.S. Freedom Act.

Obligations of the customer
As “controller” within the meaning of Article 4 no. 7 of the GDPR, the customer is responsible for the lawfulness of work assigned to Convento and for safeguarding the rights of data subjects. The customer is required to place or confirm all orders and add-ons in writing. The same applies to- mutually agreed - amendments to contents, processes, the scope and any other components of the contract. Instructions issued verbally by the customer must immediately be confirmed in writing.

The customer will provide a responsible contact person competent to issue instructions and make or enforce prompt decisions on matters relating to the execution of the contract. This contact person will ensure that the myconvento users of the customer are familiar and comply with this policy.

The customer's administrator specifies the users in myconvento. Each user is provided with personal login data (user ID and password) and urged not to use passwords that are easy to spy out and not to carry with them any written password reminders.

Any access to myconvento ("user account") which is no longer required for a user must immediately be deleted by the customer. The customer will notify Convento without undue delay if errors are found in the execution of the contract or in the job results.

Obligations of Convento GmbH
Convento processes personal data strictly within the agreed limits and as instructed in writing by the customer. The data provided will not be used for any other purposes. No copies or duplicates will be made without the customer’s knowledge.

Convento does not generally maintain or process data for customers and is not, therefore, required to keep detailed data processing records that enable the customer to verify proper data processing. Convento will process data only where so specifically instructed in writing by the customer, in which case, and only then, Convento will keep basic data processing records. These will detail in the context of a log report which Convento employee viewed or processed which data of which customer and when. Convento will store this documentation for the long term.

Convento handles personal data in compliance with all applicable provisions of the Data Protection Act, the Telemedia Act (TMG) and the Telecommunications Act (TKG). On request, Convento will provide the customer with the information stipulated in Art. 30 (2) GDPR (records of processing activities carried out on behalf of a controller).

In accordance with Art. 32 GDPR Convento uses appropriate technical and organizational measures (TOM) to protect personal data as best as possible against accidental or unlawful manipulation, loss, destruction or access by unauthorized persons. These measures are continuously improved in line with the state of the art.

All employees, suppliers and partners of Convento are obligated to maintain data confidentiality in accordance with the provisions of Section 53 BDSG-new and, in addition, bound to professional secrecy, if any (e.g. banking secrecy).

Convento will notify the customer promptly if the property of the customer at Convento is at risk as a result of third-party action (such as attachment or seizure, insolvency or composition proceedings, etc.).

Rights of the Customer
Convento will grant the customer or an auditor mandated by the customer unhindered access to its premises as needed for monitoring purposes in accordance with Section 64 (3) no. 12 BDSG-NEW. In particular, Convento will allow the customer to inspect the data stored for the customer or in connection with the contract as well as the processing operations used in order to verify compliance with the technical and organizational measures (TOM) implemented.

To this end, the auditor will be given access equivalent to the rights of the relevant customer. If in exceptional cases the customer permits data to be processed in private homes, Convento will ensure that the aforesaid inspections can also be performed in these homes. Convento affirms that it has obtained the consent of all occupants of these private homes to this arrangement.

Rights of data subjects
Any persons whose data are stored on Convento systems, irrespective of whether these were collected by the controller or by Convento, are entitled at no cost to obtain information on the data stored about them.

Data subject groups usually include journalists, bloggers, other “influencers” of the customer and/or other contacts in public relations, such as customers, prospects, employees as defined by Section 26 BDSG-new, subscribers, suppliers, sales representatives or shareholders.

The data subject has the right to rectification, erasure or blocking of their data stored in myconvento. Where Convento has processed data on behalf of the controller, Convento will promptly forward the data and the complaint to the controller. Alternatively, the customer may authorize Convento in writing to deal on its behalf with the complaint of the data subject.

Rights of Convento GmbH
If the customer issues Convento with instructions under a contract which may violate applicable data protection laws, Convento will notify the customer without delay and may delay acting on the instructions until the matter has been resolved.

Where compliance with data protection and/or data security measures is monitored by the customer, either itself or through another party, Convento is entitled to bill the customer for the work performed on time basis for each hour or part thereof at the standard hourly rates applicable at Convento. Verifications via the user account are obviously free of charge.

Technical and organizational data protection measures (TOM)
Convento has implemented appropriate technical and organizational measures (TOM) in accordance with Section 64 BDSG-new. In addition, all obligations to be met under the applicable data protection laws and other legal requirements are monitored by a data protection officer (see below). Convento undertakes to comply with and document the measures specified in Section 64 BDSG-new during operation and to make the records available to the customer on request. The same applies to any measures agreed with the customer for the exchange, provision, processing, keeping, release and transfer of data.

As proof of the technical and organizational measures implemented, Convento will make available to the customer all pertinent records, logs and reports it keeps, including those from independent authorities. Convento reserves the right to implement measures reflecting the latest technical and organizational progress that meet at least the same data protection and data security requirements as those specified in the Appendix.

A specified chain of communication ensures prompt notification of the customer in case of control activities, measures and monitoring in accordance with Sections 4o BDSG-new or in accordance with Art. 83 GDPR. Convento will also notify the Customer promptly of any violation of regulations relating to the protection of the customer’s personal data (e.g. in accordance with Art. 33 GDPR) or of stipulations in the contract either by itself or by any employees, and of serious disruptions to operations. The same applies even at the mere suspicion of such incidents.

Convento will promptly notify the following cases, whatever their reason and even if only suspected:

  • serious disruption of operations
  • significant irregularities in the handling of the customer’s personal data
  • personal data breach in acc. with Art.33 GDPR
  • unlawful transmission of personal data
  • where personal data may have come to the knowledge of third parties in an unlawful matter

In agreement with the customer, Convento will take appropriate action to protect the data and to minimize any adverse consequences for the data subjects. Where applicable, Convento will assist the customer as controller in ensuring compliance with any specific reporting obligations under Art. 33 or 34 GDPR.

Convento will regularly review all customer contracts in the context of contract monitoring tasks to verify their execution and completion. The arrangements and measures relating to contract execution are checked for compliance and amended where necessary.

Type of data, data carriers

The type of data will be specified in the contract. These may include:

  • Key personal data, communication data (e.g. telephone, email), contact history
  • Key contract data (contractual relationship, product or contract involvement)
  • Contract billing and payment data
  • Information (from third parties, e.g. information offices, or from public registers)

Convento will identify all data carriers provided by, or used for, the customer by name. Their receipt and return will be documented. External data carriers for data backup are also encrypted for security purposes in case of transport between locations.

The handling of disused data carriers is governed by the internal data protection concept applicable to all employees. These data carriers will always be passed to the IT department. Optical data carriers are shredded, damaged hard disks and USB sticks and other data storage devices are kept under lock and key until their destruction in compliance with data protection regulations.

Liability
In accordance with the statutory provisions, Convento will be liable to the customer for any damage caused by its employees or by any party commissioned by it with the execution of the contract as a result of willful or grossly negligent action in the performance of the contract. The burden of proof is on the customer. Where damage to property or financial loss is due to negligence, Convento and its vicarious agents will be liable only where breach of a fundamental obligation has occurred. In such case, liability is limited to the foreseeable, typically occurring damage upon contract conclusion. Only one claim may be brought for the action of a single Convento employee.

The customer is primarily liable for damages which a data subject has suffered as a result of unlawful data processing pursuant to the data protection regulations.

Under Art. 82 (2) sentence 2 GDPR, Convento is liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. If both the customer as controller and Convento as processor are involved in the same processing, both will be held liable for the entire damage in order to ensure effective compensation of the data subject in accordance with Art. 82 (4) DSGVO.

End of job and contract
At the end of the contractual relationship, Convento will return all records of the customer and any files, data carriers and documents relating to the contract to the customer or, in agreement with the customer, dispose of them in accordance with the data protection regulations. Convento will subsequently confirm the deletion or destruction in accordance with the data protection regulations.

Convento will retain data provided for processing only as long as stipulated by law or by the customer. Records containing personal data that are no longer required will be destroyed in accordance with the data protection regulations only where so instructed in writing by the customer. Convento will keep all test and substandard material under lock and key until it is either deleted by Convento in accordance with the data protection regulations or passed to the customer. Convento will confirm the destruction of customer records and document the delivery of documents to the customer.

Convento may continue to store and use data for accounting and billing purposes beyond the end of the contract or after the deletion of personal data.

The customer may terminate the contract without notice at any time if Convento is found in serious breach of provisions under the Data Protection Act or the underlying contract, if it cannot or will not comply with a lawful instruction issued by the customer under the Data Protection Act and advises the customer thereof in writing, or contrary to the contract denies the customer access.

Automatic logging of user behavior
myconvento uses "cookies" to make its use more convenient for the customer. Cookies store information such as the login data of website users to save having to re-enter the data on every visit to the website. Most browsers are set to automatically accept cookies. In addition, myconvento records the general intensity of a customer’s use of myconvento. This information is used exclusively to improve customer support and to monitor and safeguard the capacity of the overall system.

Customer consent (myconvento user company)
By using myconvento, the user company agrees to Convento collecting and using data to the extent described above. The rapid development of the Internet makes it necessary to amend our data protection policy from time to time. As a customer, you will be notified by e-mail about any amendments to our data protection policy. The current version can be viewed at any time on our website at www.myconvento.com.

If you have any queries, requests or comments on the issue of data protection, please email us in the first instance at datenschutz@convento.de. Data protection at Convento is also consistently monitored and supported by our external data protection officer:

Mr. Axel Krause, lawyer
Law firm Geerkens - Frommen - Krause
Drususallee 84
41460 Neuss
Germany
Email: a.krause@advokat-online.de