1. Purpose of the Privacy Policy

These guidelines define how personal data is protected, processed, and stored within the company. The aim is to ensure the confidentiality, integrity, and availability of all personal data and to comply with legal requirements (e.g., GDPR).

2. Principles of Data Processing

The company is committed to the following data protection principles:

  • Lawfulness, Fairness, and Transparency: Data is processed only on a valid legal basis, fairly, and in a manner that is transparent to the data subject.
  • Purpose Limitation: Data is collected only for clearly defined, legitimate purposes and is not used in ways incompatible with those purposes.
  • Data Minimisation: Only the data necessary for the relevant purpose is collected.
  • Accuracy: Personal data is kept up to date, and inaccurate data is corrected without delay.
  • Storage Limitation: Data is stored only as long as necessary for the respective purpose.
  • Integrity and Confidentiality: Appropriate technical and organisational measures protect data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

3. Roles and Responsibilities

  • Management holds overall responsibility for data protection.
  • A Data Protection Officer (if required) monitors compliance with these guidelines.
  • Employees must adhere to the guidelines and report any data protection incidents immediately.

4. Technical and Organisational Measures (TOMs)

The company implements appropriate measures, including:

  • Encryption of data in transit and at rest
  • Authentication and access controls (multi-factor authentication, role-based access control)
  • Regular backups and secure backup storage
  • Firewalls, anti-malware solutions, endpoint protection
  • Timely installation of security updates (patch management)
  • Separation of production and test environments
  • Logging and monitoring of security-relevant events

5. Access and Authorisation Management

  • Access is granted on a need-to-know basis and limited to the minimum rights required for the role (least privilege)
  • Regular review of access rights
  • Immediate removal or adjustment of access rights when employees leave the company or change roles
  • Documentation of all access grants, changes, and revocations

6. Handling of Personal Data

  • Processing takes place only according to clearly defined processes.
  • Data is shared with third parties only when legally permitted and contractually secured.
  • Transfers of data outside the EU/EEA occur only with appropriate legal safeguards (e.g., an adequacy decision or EU Standard Contractual Clauses).

7. Storage and Deletion

  • Retention periods are defined and documented.
  • Once the retention period expires, data is securely deleted or irreversibly anonymised (data that can still be re-identified remains personal data and is not considered anonymised).
  • Deletion activities are logged.

8. Data Protection Incidents

  • All employees must report incidents immediately to the Data Protection Officer or management.
  • The company maintains a process for documenting, assessing, and reporting incidents; every personal data breach is documented, including those that do not require notification.
  • Reportable incidents are notified to the supervisory authority within the legally required timeframe (under the GDPR, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, to the affected data subjects.

9. Employee Training & Awareness

  • Regular data protection training sessions
  • Clear instructions for handling personal data
  • Awareness training on phishing, social engineering, and password security

10. Data Processing by External Providers (Data Processing Agreements)

  • Data Processing Agreements (DPAs) are concluded with every external service provider that processes personal data on the company's behalf, before processing begins.
  • Service providers are regularly assessed for compliance with data protection standards.

11. Documentation & Accountability

  • Processing activities are documented in the Record of Processing Activities.
  • Data protection measures are regularly reviewed and updated.

12. Continuous Improvement

  • Annual review of the privacy policy
  • Adjustments according to new legal requirements or technical development