Privacy Notice of BPM&O GmbH

The regulations of the EU General Data Protection Regulation (hereinafter “GDPR”) apply throughout Europe. We would like to inform you about the processing of personal data carried out by our company in accordance with this regulation (see Articles 13 and 14 GDPR). If you have any questions or comments about this privacy policy, please send them to the e-mail address listed in section A.2. at any time.

Content

A. Overview
1. Scope
2. Data controller
3. Data Protection Officer

B. Data processing in detail
1. General information on data processing
2. Visiting our website
3. Contact per e-mail or chat
4. Newsletter
5. Consulting
6. Advanced training
7. Digital collaboration, training and events
8. E-Learning Platform
9. Market studies and White Paper
10. Events
11. Application
12. Tracking

C. Data subject rights
1. Right to object
2. Right of access to personal data
3. Right of rectification
4. Right to erasure (“right to be forgotten”)
5. Right to restriction of processing
6. Right to data portability
7. Right to rescission
8. Right to appeal

D. Glossary


A. Overview

The following privacy notice informs you about the extent and manner of processing so-called personal data by BPM&O GmbH. Personal data is information that can be assigned directly or indirectly to your person.

1. Scope

In this section of the privacy notice, you will find information on the scope and data controller for data processing.

  • For the purpose of implementing a contract, all data required to fulfill the contract with BPM&O GmbH will be processed. If external service providers are also involved in the implementation of the contract, e.g. shipping/package delivery companies or payment service providers, data will be transferred to the extent required.
  • When visiting a website which is operated by BPM&O GmbH, various information is exchanged between your device and our server. This data can also contain personal data. The information collected is used, among other things, to optimize our website.

This privacy notice applies for:

  • our online consulting services available at www.bpmo.de;
  • our online advanced training program available at: www.bpmo-akademie.de;
  • our online services for digital collaboration, training and events available at bpmo-digital.de;
  • our e-learning platform available at: www.bpmo-elearning.com;
  • our internet portal as well as online shop available at www.bpm-expo.de;
  • whenever a reference is made to this privacy notice from one of our services (e.g. websites, subdomains, mobile applications, web services or integration in third-party sites), regardless of the manner of access or use.

All above mentioned offers are collectively referred to as “services”.

2. Data controller

The party responsible for data processing in connection with the services, i.e. the party that decides on the purposes and means of processing personal data, is:

BPM&O GmbH
Domstr. 37
50668 Cologne
Phone: +49 (0)221 99787520
Fax: +49 (0)221 99261607
E-mail: akademie@bpmo.de

3. Data Protection Officer

You can contact our data protection officer as follows:

DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
Frapanweg 22
22589 Hamburg
Contact form: https://www.dsextern.de/anfragen

B. Data processing in detail

In this section of the privacy notice, we will inform you in detail about the processing of personal data within the scope of our services. For the sake of clarity, we have subdivided this information by the functionalities of our services. During normal use of the services, different functionalities, and thus also different processing operations, can apply one after the other or at the same time.

1. General information on data processing

Unless stated otherwise, the following applies to all data processing described in the following:

a. No obligation to provide personal data

There is neither a contractual nor a legal obligation to provide personal data. You are not obliged to provide information.

b. Consequences of non-provision

In the case of required information (data marked as mandatory), failure to provide the data means that the service in question cannot be provided. Otherwise, failure to provide data may mean that our services cannot be provided in the same form and quality.

c. Consent

In various cases, you have the option of giving us your consent to further data processing (possibly for parts of the data) in connection with the processing described in the following. In this case, we will inform you separately about all modalities, the scope of the consent and the purposes that we pursue with the processing based on the respective consent.

d. Transfer of personal information to third countries

If we transfer data to third countries, i.e. countries outside the European Union, the transfer takes place exclusively in compliance with the legally regulated general principle for transfers. The regulations are described by Art. 44-49 GDPR.

e. Hosting with external service providers

Our data processing takes place to a large extent with the involvement of so-called hosting service providers, which provide us with storage space and processing capacities in their data centers and, according to our instructions, also process personal data on our behalf. These service providers process data either exclusively in the EU or with an adequate level of data protection guaranteed by means of the EU standard contractual clauses.

f. Transmission to state authorities

We transmit personal data to state authorities (including law enforcement authorities) if necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 Para. 1 c) GDPR) or if required to assert, exercise or defend legal claims (legal basis: Art. 6 Para. 1 f) GDPR).

g. Storage period

We do not store your data longer than needed for the respective processing purposes. If data is no longer required for the fulfillment of contractual or legal obligations, it is deleted, unless its limited retention is still necessary. Reasons for this can be, for example:

  • fulfillment of commercial and tax retention obligations
  • obtaining evidence for legal disputes within the framework of the statutory statute of limitations

It is also possible to continue storing your data if you have given your explicit consent for this.

h. Categories of recipients

In addition to the categories of recipient explicitly listed below, personal data is also transferred to the following categories of recipients: shipping service providers, phone and fax providers.

i. Data Categories

  • Personnel master data: title, salutation/gender, first name, last name, date/place of birth
  • Address data: street, house number, if necessary, additional address, zip code, city, country
  • Contact data: phone number(s), fax number(s), e-mail address(es)
  • Access data: date and time of your visit to our service; page from which the accessing system came to our page; pages accessed during use; session identification data (Session ID); in addition, the following information from the accessing computer system: internet protocol address (IP address) used, browser type and version, device type, operating system, and similar technical information
  • Account data: login/user ID and password
  • Login data: information about the service through which you logged in; times and technical information on registration, confirmation and deregistration; data you provided when registering
  • Training data: information about the advanced training (classroom, digital, e-learning) you completed, training progress (certification program, e-learning), certifications obtained
  • Order data: ordered products/services, prices, payment and delivery information
  • Payment data: bank account details
  • Application data: curriculum vitae, references, work samples, certificates, photos

2. Visiting our website

This section describes how we process your personal data when you access our services. In particular, we would like to point out that the transfer of access data to external content providers (see b.) is unavoidable due to the technical functionality of information transmission on the Internet.

a. Information on processing

Data category: Access data
Purpose: Establishing a connection, displaying content of the service, detecting attacks on our website based on unusual activities, diagnosing errors
Legal basis: Art. 6 Para. 1 f) GDPR
Legitimate interest, if applicable: Proper functioning of the services, securing of data and business processes, preventing misuse, preventing damage through interference with information systems
Storage period: 7 days

b. Recipient of personal data

Categories of recipients: External content providers | Website and hosting service provider
Affected data: Access data | Access data
Legal basis: Art. 6 Para. 1 f) GDPR | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: Proper functioning of the services, (accelerated) displaying of the content, adding value for the user (example: map) | Proper functioning of the services, (accelerated) displaying of the content, adding value for the user (example: map)

External content providers provide content (e.g. images, videos, embedded postings from social networks, advertising banners, fonts, update information) that is required to display the service.

3. Contact per e-mail or chat

How we process your personal data when you contact us by e-mail or chat is described here:

a. Information on processing

Data category: Personnel master data, address and contact data | Content from e-mail or chat
Purpose: Processing of inquiries | Contract initiation / provision of services
Legal basis: Art. 6 Para. 1 f) GDPR | Art. 6 Para. 1 f) GDPR
Legitimate interest, if applicable: Customer loyalty, improving our services | Customer loyalty, improving our services
Storage period: 1 year, 10 years archiving of data | 1 year, 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Chat service provider
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

4. Newsletter

In the following, we describe what happens to your personal data in context of a subscription to our newsletter:

a. Information on processing

Data category: Contact data | Personnel master data | Login data
Purpose: Verifying registration (double opt-in), sending newsletter | Personalizing the newsletter | Tracing registration/confirmation/cancellation of the newsletter
Legal basis: Art. 6 Para. 1 a) GDPR | Art. 6 Para. 1 f) GDPR | Art. 6 Para. 1 f) GDPR
Legitimate interest, if applicable: - | Personalizing the newsletter, possible direct customer contact | Proof of registration/confirmation/cancellation of the newsletter
Storage period: Duration of newsletter subscription | Duration of newsletter subscription | Duration of newsletter subscription

b. Recipient of personal data

Categories of recipients: Newsletter service provider
Affected data: All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

5. Consulting

The following information describes how your personal data is processed when you contact us about consulting services:

a. Information on processing

Data category: Personnel master data, address and contact data, order data, content from e-mails
Purpose: Consulting in Process Management and process-oriented management
Legal basis: Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48
Legitimate interest, if applicable: Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period: 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Resources/project management service provider | Accounting service provider | Survey tool provider | Cooperation partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

6. Advanced training

The following information describes how your personal data is processed when you contact us about advanced training of BPM&O Akademie:

a. Information on processing

Data category: Personnel master data, address and contact data, training data, order data, content from e-mails | Documents for admission to the certification examination
Purpose: Conducting seminars and training in Process Management and process-oriented management | Examining of admission requirements, registering for certification examination
Legal basis: Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48 | Art. 6 Para. 1 b) GDPR
Legitimate interest, if applicable: Acquiring new customers, fulfilling customer orders, increasing company’s turnover | Fulfilling customer orders
Storage period: 10 years archiving of data | 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Academy management service provider | Resources/project management service provider | Accounting service provider | Ticketing management service provider | Cooperation partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

7. Digital collaboration, training and events

The following information describes how your personal data is processed when you contact us about services relating to BPMO.digital:

a. Information on processing

Data category: Personnel master data, address and contact data, account data, login data, training, order data, content from e-mails
Purpose: Providing information and consulting regarding the platform BPMO.digital, conducting workshops, training and events on the platform
Legal basis: Art. 6 Para. 1 b), f) GDPR, Recital 47-48
Legitimate interest, if applicable: Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period: 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Resources/project management service provider | Accounting service provider | Platform service provider | Hosting service provider | Webinar/online meeting tool provider | Cooperation partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

8. E-Learning Platform

The following information describes how your personal data will be processed when you contact us about digital training services relating to the BPM&O E-Learning Platform:

a. Information on processing

Data category: Personnel master data, address and contact data, account data, login data, training, order data, content from e-mails
Purpose: Digital training in Process Management and process-oriented management
Legal basis: Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48
Legitimate interest, if applicable: Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period: 1 year, 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Academy management service provider | Accounting service provider | Platform service provider | Hosting service provider | Cooperation partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

9. Market studies and White Paper

The following information describes how your personal data is processed when you download our market studies and/or white papers at BPM Expo:

a. Information on processing

Data category: Personnel master data, address and contact data
Purpose: Providing information and consulting regarding the market studies and white paper
Legal basis: Art. 6 Para. 1 f) GDPR, Recital 47-48
Legitimate interest, if applicable: Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period: 1 year, 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Website service provider | Hosting service provider | Cooperation and sales partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

10. Events

The following information describes how your personal data is processed when you contact us for an (online) event, e.g. BPM-Club Meetings, CPO Circle or CPOs@BPM&O:

a. Information on processing

Data category: Personnel master data, address and contact data, account data, login data (online events)
Purpose: Organizing and conducting events and conferences on Process Management and process-oriented management
Legal basis: Art. 6 Para. 1 f) GDPR, Recital 47-48
Legitimate interest, if applicable: Acquiring new customers, building the reputation of the company
Storage period: 1 year, 10 years archiving of data

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider | CRM service provider | Website service provider | Hosting service provider | Webinar/online meeting service provider | Accounting service provider | Ticketing management service provider | Cooperation and sales partner
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

11. Application

In an ongoing application process, we process your personal data in the following way:

a. Information on processing

Data category: Personnel master data | Address and contact data | Application documents
Purpose: Identification, contact, age verification | Identification, contact, communication to initiate a contract | Applicant selection
Legal basis: Art. 6 Para. 1 b) GDPR | Art. 6 Para. 1 b) GDPR | Art. 6 Para. 1 b) GDPR
Legitimate interest, if applicable: -
Storage period: 6 months | 6 months | 6 months

b. Recipient of personal data

Categories of recipients: E-mail service provider | Mail archiving service provider | Document management service provider
Affected data: All under a. mentioned data | All under a. mentioned data | All under a. mentioned data
Legal basis: Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR) | Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable: -

12. Tracking

In the following, we describe how your personal data is processed using tracking technologies to analyze and optimize our services and for advertising purposes.

The description of the tracking also contains information on how you can prevent or object to data processing. Please note that this so-called “opt-out”, i.e. rejection of data processing, is usually saved via cookies. If you use our services via a new device or in a different browser, or if you have deleted the cookies set by your browser, you must declare your rejection again.

The tracking described in the following processes personal data only in a pseudonymous form. A connection with a specific, identified natural person, i.e. merging of data with information about the person behind the pseudonym, does not take place.

Purpose of the tracking is to analyze and optimize our services and their usage as well as to measure the success of advertising campaigns and optimize the display of advertising.

a. Purpose of data processing

The analysis of user behavior by means of tracking helps us to review the effectiveness of our services, to optimize them and to adapt them to the needs of the users as well as to correct errors. In addition, it is used to statistically determine key values about the usage of our services (range, usage intensity, surfing behavior of users) – based on uniform standard procedures – and thus to obtain values that are comparable across the market.

Tracking to measure the success of advertising campaigns is used to optimize our ads for the future and to enable marketers and advertisers to optimize their ads accordingly. Tracking to optimize the display of advertising has the purpose of showing users advertising tailored to their interests, increasing the success of the advertising and thus also the advertising revenue.

b. Legal basis

Consent according to Art. 6 Para. 1 Letter a in conjunction with Art. 4 No. 11, 7 Para. 3 GDPR in conjunction with Recital 32, 40, 42, 43.

c. Tracking technology used in detail

Name of tracking service: Google Analytics, Google Optimize, Google Ads Remarketing, Google Tag Manager, LinkedIn Insight, SnapEngage, Facebook Pixel, Gravatar
Functionality: Web analysis
Option for prevention of data processing: You can change your selected cookie settings via this link: opt-out link. Furthermore, you can deactivate Google services via this website or install a JavaScript blocker for your browser, such as the browser plugin NoScript (e.g., www.noscript.net or www.ghostery.com).
Transfer to third countries? Yes
Adequacy decision, if applicable (Art. 45 GDPR): -
Appropriate guarantees, if applicable (Art. 46 GDPR): EU-US Privacy Shield, https://www.privacyshield.gov/list

C. Data subject rights

1. Right to object

If we process your personal data to conduct direct mail, you have the right to object to the processing of your personal data for the purpose of such advertising at any time with effect for the future.

You also have the right, for reasons that arise from your particular situation, to object to the processing of your personal data, which is carried out in accordance with Art. 6 Paragraph 1 Letter e) or f) GDPR at any time with effect for the future.

You can exercise your right to object free of charge. You can contact us using the contact details given under A.2.

2. Right of access to personal data

You have the right to find out whether we are processing your personal data, what kind of personal data this may be, and further information in accordance with Art. 15 GDPR.

3. Right of rectification

You have the right to request from us to rectify any incorrect personal data without delay (Art. 16 GDPR). Taking the purposes of the processing into account, you have the right to request the completion of incomplete personal data – including by means of a supplementary declaration.

4. Right to erasure (“right to be forgotten”)

You have the right to request from us to immediately delete your personal data if one of the reasons stated in Art. 17 Para. 1 GDPR applies and the processing is not required for one of the purposes regulated in Art. 17 Para. 3 GDPR.

5. Right to restriction of processing

You are entitled to request a restriction in the processing of your personal data if one of the conditions in Art. 18 Para. 1 a) to d) GDPR is fulfilled.

6. Right to data portability

You have the right to receive personal data that you have provided to us in a structured, common and machine-readable format. You also have the right to transmit this data to another person responsible without hindrance from us or to have us transmit it directly, provided that this is technically possible. This shall always apply if the basis for data processing is consent or a contract and the data is processed automatically. This does not apply to data that is only kept in paper form.

7. Right to rescission

If the processing is based on your consent, you have the right to withdraw your consent at any time. This does not affect the legality of the processing carried out based on the consent up to the rescission.

8. Right to appeal

You have the right to file a complaint with a supervisory authority.

D. Glossary

Data processor: A natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

Browser: Computer program for visiting websites (e.g. Chrome, Firefox, Safari)

Cookies: In connection with the World Wide Web, a cookie describes a small text file that is stored locally on the user’s computer when a website is visited. This file stores data about the behavior of the user. If the browser is accessed and the corresponding website is visited repeatedly, the cookie is applied and uses the stored data to give the web server information about the user’s surfing behavior.

In this context, cookies are about information that a website saves locally in a small text file on the user’s computer. This can involve settings on a page that the user has made, but also information that the website has collected completely independently from the user. These locally stored text files can later be read out again by the same web server from which they were created. Most browsers accept cookies automatically. You can manage cookies using the browser functions (mostly under “Options” or “Settings”). This means that the storage of cookies can be deactivated, made dependent on your consent in individual cases, or otherwise restricted. You can also delete cookies at any time.

Third countries: Country that is not bound by the legal requirements of the EU data protection directive (country outside the EEA)

Personal data: All information relating to an identified or identifiable natural person. A natural person is regarded as identifiable if the person can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

Pixel: Pixels are also called counting pixels, tracking pixels, web beacons or web bugs. They are small, invisible graphics in HTML e-mails or on websites. When a document is opened, this small image is loaded from a server on the Internet, and the download is registered there. In doing so, the operator of the server can see whether and when an e-mail was opened or a website was visited. This function is usually implemented by activating a small program (Javascript). In this way, certain types of information can be recognized and passed on to your computer system, such as the content of cookies, the time and date of the page view and a description of the page on which the tracking pixel is located.

Services: Our offers to which this privacy notice applies (see A.1. Scope).

Tracking: The collection of data and its evaluation with regard to the behavior of visitors to our services.

Tracking technologies: Tracking can take place both via the activity protocols (log files) stored on our web servers and by collecting data from your device using pixels, cookies and similar tracking technologies.

Processing: Any process or series of processes carried out with or without the help of automated procedures in connection with personal data, such as the collection, recording, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, erasure or destruction.
