Privacy Notice

This version is valid from: April 5th, 2024.

This privacy notice informs you about how TechGDPR collects, uses, and protects your personal data when you engage with our services or visit our website. We are committed to respecting your privacy and adhering to our obligations under the General Data Protection Regulation (GDPR).

1. Who we are

TechGDPR is a boutique data protection consulting firm specialised in helping businesses comply with data protection regulations and best practices by providing comprehensive solutions for Data Protection Officer (DPO), AI and ethics compliance, and data protection regulatory compliance. We offer a range of services, including data mapping, compliance gap analysis, AI risk assessment, security policies development, training, implementation support, privacy impact and transfer impact assessments amongst others. We prioritise the protection of your personal data and are committed to maintaining adequate standards of privacy and security.

In this privacy notice, we outline how we collect, use, and safeguard your personal data when you interact with our website, engage with our services, or communicate with us. We recognise the importance of transparency and trust in our relationship with you, and we are committed to ensuring that your personal data is handled responsibly and in accordance with applicable data protection laws and regulations.

The data controller responsible for your personal data is:

TechGDPR DPC GmbH [“we”, “us”, “our”]

Heinrich-Roller Str. 15
10405 Berlin
Germany

contact@techgdpr.com

2. How we use your personal data

This privacy notice applies to the following categories of people:

  • Website visitors
  • Client representatives
  • Data subjects and other stakeholders of our clients
  • Newsletter subscribers
  • Registrants of our trainings, webinars and events
  • Leads
  • Job candidates

We use your personal data for the following purposes:

For each processing activity, the entries below give the general description of purposes, the lawful basis, the categories of data and the retention period.

Communication, inquiries, outreach and surveys

Processing activity: Conducting outreach activities
General description of purposes: We conduct outreach activities to identify companies and individuals who may be interested in our services or training.
Lawful basis: Legitimate interest, Article 6(1)(f) of the GDPR.
Categories of data:
– company name
– first name
– last name
– email address
– phone number
Retention period: For up to 90 days in the absence of response, or up to 90 days after the last contact.

Processing activity: Responding to communication sent to us
General description of purposes: When you respond to our outreach efforts or contact us through our web forms, we use the information you provide to us to provide a response to you.
Lawful basis: Performance of a contract, Article 6(1)(b) of the GDPR. We process this information for the purpose of the performance of a contract, or in the preparatory stage of entering into a contract.
Categories of data:
– company name
– first name
– last name
– email address
– phone number
– your request message
Retention period: For 1 year after the last contact, or until you ask us to remove you from the system, whichever is earlier.

Processing activity: Conducting surveys and gathering insight
General description of purposes: We conduct surveys and distribute questionnaires among specific or broad groups of companies which help us better understand the market, the compliance situation of our client industries and their specific concerns. The data collected in these surveys may contain personal or pseudonymous elements which ensure de-duplication and prevent skewed results.
Lawful basis: Legitimate interest, Article 6(1)(f) of the GDPR. This processing is carried out in our legitimate interest to understand new market areas and the specific needs of our clients in relation to their industry.
Categories of data:
– email address
– first name
– last name
– company name
– your answers to the survey questions
Retention period: 6 months

Processing activity: Keeping you informed about the latest TechGDPR and privacy news
General description of purposes: Depending on whether you are subscribed to our newsletter, we process your personal data for the purpose of delivering the newsletters to your email address. We continue to process your personal data for this purpose until you ‘unsubscribe’ from receiving our newsletters, or contact us at privacy@techgdpr.com to request that we unsubscribe you.
Lawful basis: Consent, Article 6(1)(a) of the GDPR, Article 6(3) of the ePrivacy Directive 2009/136/EC. We rely on your consent to process your personal data to deliver newsletters and other updates to your email. You may unsubscribe at any time.
Categories of data:
– email address
– first name
– last name
Retention period: Deleted as soon as you unsubscribe from the mailing list.

Processing activity: Registering you to webinars and social events
General description of purposes: TechGDPR runs regular meetups (remote and in-person events), where we cover different GDPR-related topics and answer any related questions that people may have. Those meetups are advertised on Eventbrite, where interested individuals can register through the purchase of a (free) ticket. Registering individuals onto the events and the data collected as a result are processed for the purpose of limiting the number of participants that can join the event to ensure that allocated resources for webinars and events are sufficient in relation to the attendance.
Lawful basis: Performance of a contract, Article 6(1)(b) of the GDPR. We handle this information on the basis of the performance of a contract according to Art. 6(1)(b) GDPR initiated by the purchase of a free ticket.
Where we plan to offer refreshment, we may request information on any dietary requirements specific to you.
Categories of data:
– full name
– email address
– order number (auto-generated by Eventbrite)
– the amount paid
– quantity of tickets purchased
– timestamp of purchase
Retention period: 30 days after the event

General description of purposes: Following registration to the Privacy Meetups, we will send you a confirmation email including the link to the webinar for online events. This is done for the purpose of ensuring that registered attendees receive confirmation of their purchase order and, where applicable, the link to access the webinar.

General description of purposes: Webinars are run on Zoom. As a result, during the webinar, we process the participant’s information for the purpose of displaying their name, whether full name or pseudonymised, as well as the audio/video feed of participants based on their individual choice to turn on/off their camera and microphone. We do this in order to host and moderate the webinar.
Categories of data:
– participant’s username chosen for the session
– audio/video feed of participants based on their individual choice to turn on/off their camera and microphone
Retention period: Only for the duration of the webinar, as webinars are not recorded.

Delivering services

Processing activity: Providing TechGDPR services
General description of purposes: We use your information to understand your needs, deliver the services you have requested, and communicate with you regarding your project. TechGDPR may collect personal data provided by leads and clients for the purpose of facilitating a service you request.
Lawful basis: Performance of a contract, Article 6(1)(b) of the GDPR. In other cases, we may need to process your data to comply with legal or regulatory requirements and to fulfil our legal obligations.
Categories of data:
– first name
– last name
– company name
– work email address
– work phone number
– picture position
– role
– invoicing information such as bank details and VAT number
Retention period: 25 months after the end of our DPO or consulting contract

Processing activity: Communication with stakeholders such as data subjects and supervisory authorities as appointed DPO
General description of purposes: When we receive enquiries in relation to personal data processing of our DPO-as-a-service clients, we use contact details and identifiers to provide a response to you.
Lawful basis: Legal obligation, Article 6(1)(c) of the GDPR. We process your enquiries and communicate with you or supervisory authorities to comply with our tasks as appointed DPO for our clients under Article 38(4) of the GDPR and Article 39(1)(d) and (e) respectively.
Categories of data:
– email address
– name
– message
– information provided (such as identifiers)
Retention period: 3 years

Processing activity: Requesting and receiving feedback on our services
General description of purposes: We process the feedback you give to help us assess the quality of our service provision and guide our decision making (quality management).
Lawful basis: Legitimate interest, Article 6(1)(f) of the GDPR. We process feedback in our legitimate interest to continuously improve our services.
Categories of data:
– first name
– last name
– company name
– work email address
– feedback provided
Retention period: 2 years

Training

Processing activity: Registering participants and delivering the IAPP training
General description of purposes: When you sign up to IAPP certification training, we process your personal data for the purpose of registering you to the training program. We also process your personal data in order to invoice you or your organisation for the training. We share your information with the IAPP (Avenue des Arts 56, 1000 Brussels, Belgium) in order to make the training materials and exam voucher available to you.
Lawful basis: Performance of a contract, Article 6(1)(b) of the GDPR. We rely on the performance of a contract for this processing.
Categories of data:
– first and surname
– email address
– phone number
– course selection
– company name
– billing address
– country
– dietary restrictions
– prior data protection experience
– comments you leave in the comment box
Retention period: 3 years after the completion of the training. Financial transaction data, including the invoice containing the participant’s name, is kept for 10 years as a legal requirement (GDPR Art. 6.1c) of financial record keeping in Germany.

Website and server security

Processing activity: Securing our servers
General description of purposes: Your IP address and your page requests are stored in log files on our servers for the reason of preventing fraud, abuse, and security incidents, as well as monitoring the performance of our servers.
Lawful basis: Legitimate interest, Article 6(1)(f) of the GDPR. We carry out this processing and data retention in our legitimate interest to secure our software environment and infrastructure.
Categories of data:
– IP address
– browser details
– operating system
Retention period: 14 days

Recruiting

Processing activity: Scouting talent and reviewing job applications
General description of purposes: We collect personal data in the process of scouting for potential candidates through public professional social networking sites such as LinkedIn. This is done to find potential candidates that might have an interest in working with us based on their education, work experience and skill set.
Within this time, we either contact and inform any potential candidate whom we might be interested in interviewing, as required by Article 14(3)(a) of the GDPR and §33 of the BDSG, or immediately erase the information of potential candidates that we determine do not meet our criteria.
Upon contact, the candidate may object to the processing of data. Where this is the case, we immediately delete their data. Where a potential candidate is interested in proceeding with the interview process, we request additional information as part of the job application process. If a job application is rejected, personal data is deleted in line with our retention policy.
Lawful basis: Legitimate interest, Article 6(1)(f) of the GDPR. We handle this information on the basis of pursuing our legitimate interest to find potential candidates and reach out to them.
Categories of data:
– first and last name
– link to social networking profile
– work and academic history
– language proficiency
– location
Retention period: 1 month

General description of purposes: We also process the data of the applicants who actively apply to the vacancies we advertise via email and professional social networking sites such as LinkedIn. We do this for the purpose of selecting the most suitable applicants for the vacancy based on education, work experience and skill set.
Lawful basis: Performance of a contract, Article 6(1)(b) of the GDPR and §26(1) of the BDSG. The legal basis for this is the performance of a contract as laid out under the GDPR and §26(1) of the German Federal Data Protection Act, the BDSG.
Categories of data:
– applicant’s first and last name
– email address
– phone number
– home address
– date of birth
– profile picture
– academic/work experience
– any information contained in the CV and cover letter
– references
Retention period: If we end up hiring you, up to 2 years after the end of your employment, or 6 months from the date we make a decision to not proceed with the application.

General description of purposes: A candidate with strong skills but not quite the right fit for a specific role might be a good fit for a future opening. We may sometimes request permission from unsuccessful candidates to retain their application data for future use in case a job position becomes available. We do this to potentially reconsider unsuccessful candidates for future job openings.
Lawful basis: Consent, Article 6(1)(a) of the GDPR. We rely on the consent of candidates to retain their application data.
Categories of data:
– applicant’s first and last name
– email address
– phone number
– home address
– date of birth
– academic/work experience
– any information contained in the CV and cover letter
– references
Retention period: 12 months

Generally, TechGDPR is under obligation to comply with all applicable laws and regulations, including, but not limited to those of the European Union, Germany and the state of Berlin. For this reason we may have to collect, process and retain your details for an extended period of time as a legal obligation, Article 6(1)(c) of the GDPR. For instance, information required to track your choices and consent regarding the processing (or use) of your personal data or reception of marketing materials is stored to ensure compliance with Article 7(1) of the GDPR.

3. Statistical data

TechGDPR collects website usage data to analyse trends and improve this website and other services. We collect anonymous statistical data about the use of this website to optimise our online presence as well as for marketing and sales purposes. No cookies are being stored on your device, and only the first 2 bytes of your IP address are stored (e.g. 200.100.x.x).

The data is collected on servers operated by TechGDPR within the European Union. You may further opt-out of tracking by enabling the Do-Not-Track option in your browser. Visit http://donottrack.us/ to learn how.

From time to time, we also collect statistical information through surveys. However, we separate and, where possible, remove personal elements from these data sets at the earliest convenience and only do our analysis and reporting on anonymized data sets. We use the anonymized data sets to derive aggregate insights from anonymous reports.

4. Data recipients and international data transfer

We may share your personal data with third-party service providers who assist us in delivering our services or fulfilling legal obligations such as legal and tax consultants. We only share data with providers who have robust data protection practices in place. We ensure that a data processing agreement is in place with the service providers engaged for personal data processing.

We make use of the following services:

  • Slack
  • Google Workspace
  • LinkedIn
  • Eventbrite

If your personal details are visible on an incoming or outgoing invoice, they may also be transmitted to our tax advisor as well as to the financial authorities (German Finanzamt).

We are committed to ensuring that your privacy is protected across borders. When you interact with our services, your personal data may be transferred to, and processed in, countries outside of the EU. These transfers are conducted in compliance with the GDPR. We take measures to safeguard your data by implementing appropriate safeguards, such as:

  • Transferring your data only to countries benefiting from an adequacy decision approved by the European Commission or
  • Entering into standard contractual clauses approved by the European Commission with the recipient of data

5. Security measures

At TechGDPR, we prioritise the security and confidentiality of your personal data. We have implemented adequate security measures to safeguard the personal information of all categories of data subjects entrusted to us. Our systems utilise advanced encryption technologies to protect data both in transit and at rest. Access controls and authentication mechanisms are in place to ensure that only authorised personnel have access to your personal data. We are committed to maintaining the integrity and confidentiality of your personal data, employing industry best practices to provide a secure environment for the processing and storage of your data. Your trust is paramount to us, and we continually strive to uphold the highest standards of data protection.

Additionally, our employees play a crucial role in maintaining the security of your personal data, especially when utilising AI technologies. All staff members undergo training that emphasises the importance of data security and privacy. Strict access controls are enforced, limiting access to AI tools and systems only to those employees whose roles require such access. Furthermore, employees are required to adhere to strong password policies and multifactor authentication to prevent unauthorised access. Regular awareness sessions and updates on the latest security practices are conducted to ensure that our team remains vigilant against potential risks. Additionally, all AI-related activities are closely monitored, and any deviations from established security protocols are promptly addressed. We are dedicated to fostering a culture of responsibility and awareness among our employees, reinforcing their commitment to safeguarding your personal data throughout the AI-driven processes.

6. Links to other websites

This website may contain links to external websites. TechGDPR is not responsible for the privacy practices or the content of those websites. We therefore recommend that you familiarise yourself with privacy practices of these organisations by reading their privacy notices.

7. Use of this website by children

Our website and services are not intended for use by children under the age of 16. We do not knowingly collect or solicit personal data from individuals under 16 years of age. If you are under 16, please do not use our website or provide any personal data to us. If we learn that we have collected personal data from a child under 16, we will take prompt steps to delete that data. If you believe that we might have any information from or about a child under 16, please contact us at privacy@techgdpr.com so that we can address the issue promptly.

8. Data subject rights available to you

Under the GDPR, the following rights are available to you:

a. The right of access

You have the right to obtain information about what data we process about you, the purpose(s) of the processing, the recipients of the data and the duration of storage.

b. The right to rectification

You have the right to request the rectification of inaccurate data or incomplete data.

c. The right to erasure

You have the right to request deletion of your data where:

  • Data is no longer necessary
  • You have objected to the processing under our legitimate interests and no convincing evidence was provided that these interests override your freedoms and liberties
  • The processing takes place unlawfully

d. The right to restriction

You have the right to request that your data is restricted for further processing in the following cases:

  • You contest the accuracy of the data;
  • You believe the processing is unlawful;
  • You believe your data is no longer needed in relation to the purpose of its collection.

e. The right to portability

You have the right to receive the personal data we process about you in a structured, commonly used, machine-readable format, and to request the direct transmission of that data to another organisation of your choice.

f. The right to object

You have the right to object to processing carried out in our legitimate interest. Processing will be ceased until we have been able to demonstrate compelling legitimate grounds overriding your rights and freedoms.

g. The right to lodge a complaint with a supervisory authority

You have the right to contact a data protection authority of your choice and formulate a complaint. We kindly request that you contact us first to mutually find a solution in case of any concerns.

We encourage you to contact us at privacy@techgdpr.com if you have any privacy related concerns. If you are not satisfied with the way that we have handled your request, you have the right to lodge a complaint with our supervisory authority, or with the data protection authority of the European member state you live or work in.

The details of the supervisory authority responsible for Berlin, Germany, are:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61
10555 Berlin
Germany

Phone: 030/138 89-0

http://www.datenschutz-berlin.de

9. Changes to this privacy notice

This privacy notice may be modified at any time to keep up with changing regulations and changes within TechGDPR. The date of the last update is visible at the top of this page. Each visit or interaction with our services will be subject to the latest version of our privacy notice. We encourage you to regularly review our privacy notice to stay informed about our data protection practices.