Public privacy statement for everyone pursuant to § 4e of the German Data Protection Act (BDSG)
Protecting the security and privacy of your personal data is very important to innotec. You may be sure that we shall treat your data responsibly.
The German Data Protection Act (BDSG) stipulates in § 4g that the officer responsible for data protection shall make the following information pursuant to § 4e of the BDSG available to everyone in a suitable manner.
1. Name of the person or company responsible
- innotec Marketing GmbH
2. Owners, board members, CEOs or other managers legally appointed pursuant to the company’s statutes and persons commissioned with the management of data processing
- Heinrich Gassen (CEO), heinrich.gassen@innotec-marketing.de
- Lutz Küper (CEO), lutz.kueper@innotec-marketing.de
- Dominik Defilippi (IT Administration), dominik.defilippi@innotec-marketing.de
- Frank Bredul (Data Protection Officer), frank.bredul@innotec-marketing.de
3. Address of the organisation responsible
Kasinostr. 19-21
42103 Wuppertal
4. Purpose of collecting, processing and using the data
The subject matter of the company is the rendering of services in the areas of:
- Inside account management
- Business value selling
- Campaign selling
- Event invitation
- Profiling
- Deep profiling
- Address screening
innotec Marketing GmbH collects, processes and uses personal data for the purpose of pursuing the above-mentioned intentions in the business-to-business segment.
5. A description of the groups of persons concerned and the corresponding data or data categories
The groups of persons concerned follow from the purposes indicated under No. 4. The following data categories are involved; a fundamental distinction is made between external client data and the internal data that innotec Marketing GmbH requires for its own purposes.
a) External client data
The processing of external client data is exempt from the disclosure requirement, since the commissioning party alone is responsible for this data.
b) Internal data
- Client data/Accounts receivable data
- Supplier data/Accounts payable data
- Staff data
- Other person-related data
6. Recipients or categories of recipients that could be informed of the data
- Public offices, insofar as legal requirements make this necessary
- Internal departments, insofar as the data is required there for the proper execution of an assignment
- Service providers (§11 of the BDSG) commissioned so as to allow for a proper handling of the business transaction
- External departments to allow the purposes mentioned under No. 4 to be properly pursued
- Commissioning parties within the scope of the project guidelines
7. Standard periods for the erasure of the data
- The data shall be erased pursuant to the statutory or contractually agreed retention periods
- Insofar as data is not covered by such periods, it shall be erased once the purposes indicated under No. 4 have lapsed (end of project/commission)
8. Planned data transfer to third-party states
- No transfer of data to third-party states is currently planned.
9. Measures established pursuant to § 9 of the German Data Protection Act (BDSG) at the contractor (commissioned data processor)
Admission control
The following measures exist to control admission:
1) The business premises are accessible only to staff holding electronic admission authorisation cards. This applies to all access routes, each of which is equipped with a corresponding card reader. The cards of operational staff are programmed so that admission is not possible at night or at weekends.
2) Third-party companies are registered by security staff at the reception desk on the ground floor and are personally received and seen off there. The central reception area is staffed 24 hours a day. Security staff monitor and inspect the entire rental property. There is an alarm system.
3) Visitors are received in the presentation area, are issued a temporary visitor's pass and may enter areas where person-related data is processed and used only under supervision.
4) The servers are spatially separated and specifically locked (only management and the IT manager have access to the key).
Access control
The following measures exist to control access to the data:
1) Access to the data processing systems is possible only for staff working on the project, and their presence is logged continuously. All PC workplaces with access to the company network (LAN) can be used only with the personal access credentials of the member of staff.
2) An assignment of authorisation for the user base is ensured via Microsoft Active Directory. There are firewall systems (Microsoft ISA server) at all locations (link via secure VPN connection [IPsec]).
Authorisation control
The following measures exist to control authorisation to the data:
1) Personal identification at the PC workplace and in the data processing system by user name and password is mandatory; logon times are documented in the system.
2) Access to project databases is granted only after written approval by management, by means of a specific authorisation assignment at database level.
3) Reports and database excerpts can be produced only after prior written approval by management. Staff cannot extract data from the database.
4) Network access to project folders and similar resources is governed by rights management (NTFS) and group policies. Any modification requires written approval.
Transmission control
The following measures exist to control transmission of the data:
1) The retrieval and transmission programmes are documented, and the configuration of the PC workplaces permits no extraction of data sets via a USB interface, CD drive or similar.
2) The password protected despatch of database excerpts via email is exclusively implemented by the operations managers.
3) Project data may only be copied to mobile end equipment (notebooks) or mobile mass storage devices after written approval by management.
4) Write access to mobile mass storage devices (USB flash drive) is strictly reserved for management and operations managers.
5) Storage media and printed material that are no longer required are completely destroyed.
6) Plausibility, completeness and correctness verifications are carried out regularly.
Entry control
The following measures exist to control data entry:
1) The entry of data can be verifiably assigned and checked by IT/management; changes to data records are logged at the database level by the CRM software.
2) Data modifications in the project folders are recorded with Windows Auditing.
Availability control
The following measures exist to control availability of the data:
1) Daily data backup using Microsoft Data Protection Manager (shadow copy procedure).
2) Backup-to-disk and backup-to-tape procedures are used; an uninterrupted power supply is ensured with a UPS system.
3) There is an HD mirroring process using a RAID system; permanent data availability is ensured through the use of a SAN.
Intended use control
The following measures exist to control the intended use of the data:
A data protection officer continuously monitors adherence to the requirements and provisions and makes adjustments whenever circumstances require, always in line with the prevailing legal situation.
Separation control
The following measures exist to control the separation of the data:
The project data are stored in a logically separated manner.
Project-related databases only receive project-related data (access control to database and NTFS level).
Data protection
The following measures exist to verify the intended purpose:
The project data are backed up redundantly:
- Backup-to-tape
- Backup-to-disk
- Shadow copies and file restore points are used and created several times on a daily basis
- A complete backup is carried out weekly
- Backup as per M
- Microsoft Data Protection Manager
- External backup storage
- Hardware: DELL PowerEdge 2950, DELL PowerVault 124T
