Data protection notices for clients, employees, Website visitors and other stakeholders
With the following information, we would like to give you an overview of how FTI-Andersch Assurance GmbH Wirtschaftsprüfungsgesellschaft ("FTI-Andersch Assurance") processes your personal data and of your rights under data protection law. Which individual data is processed and how it is used depends substantially on your relationship with us, whether you are a client, an applicant, employee, website visitor or otherwise affected data subject (such as a freelancer employed by us for a certain project or parties interested in our services). For this reason, not all parts of this information will apply to you.
Note
For reasons of better readability, we use the masculine form (generic masculine) for gender-specific designations and personal nouns. We always mean all genders in the sense of equal treatment. The abbreviated language form has editorial reasons and does not contain any value judgements.
Who is responsible for data processing and whom can I contact?
The controller is:
FTI-Andersch Assurance GmbH
Wirtschaftsprüfungsgesellschaft
Marienturm
Taunusanlage 9-10
60329 Frankfurt am Main
Germany
You can reach our data protection officer at:
Attorney at Law
Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
50672 Cologne
Germany
privacy@fti-assurance.de
What data and sources do we use?
We process personal data that we receive from our clients in the course of our business relationship and from applicants and employees (including interns and working students) for hiring decisions or carrying out the employment relationship, from visitors to our website or other data subjects. In addition, we process – insofar as necessary for the provision of our service – personal data that we have obtained legally from publicly accessible sources (e.g. commercial and company registers, land registers, press, Internet) or which have been made available to us by third parties (e.g. by a credit agency).
Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality) and identification data (e.g. information on passports or ID cards). In addition, this may also include engagement information (e.g. from our engagement letter), data from fulfilling our contractual obligations (e.g. from our payment transactions), documentation data (e.g. consultation report) as well as other data comparable with the categories mentioned.
Why and on which legal basis do we process your data?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
(1) Within the scope of employment (Art. 6 para. 1 lit. b GDPR)
We process personal data of our employees (including interns and working students) for the purpose of hiring, carrying out and terminating the respective employment relationship.
(2) Based on consent (Art. 6 para. 1 lit. a GDPR)
If you have given us your consent to process personal data for certain purposes (e.g. contacting), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.
(3) To fulfill (pre)contractual obligations (Art. 6 para. 1 lit. b GDPR)
The processing of personal data of our clients and freelancers employed by us on a project basis is carried out for the provision of our services in the context of the performance of our contracts with our clients or for the implementation of pre-contractual measures, which are carried out upon request. Further details on the data processing purposes can be found in the relevant contractual documents and terms and conditions.
(4) Based on legal obligations (Art. 6 para. 1 lit. c GDPR)
In addition, we are subject to various legal obligations (e.g. in the German Commercial Code (HGB), German Limited Liability Companies Act (GmbHG), German Money Laundering Act (GwG), tax laws, Public Accountant Act (WPO)). Processing purposes include, among others, the identification obligation for the prevention of money laundering and the fulfillment of reporting obligations under tax law.
(5) Based on legitimate interests (Art. 6 para. 1 lit. f GDPR)
If required in order to safeguard legitimate interests on our part, we will process your data beyond the purposes stated above, especially for:
- Measures for business management and further development of services and products,
- Advertising (also by way of direct approach) and market research insofar as you have not objected to the use of your data,
- Assertion of legal claims and defense in legal disputes.
Who gets my data?
At FTI-Andersch Assurance, access to your data is granted to those persons who need it to fulfill our contractual and legal obligations. Service providers engaged by us outside our company (esp. freelancers and IT service providers) and vicarious agents may also receive data for these purposes and are contractually obligated to maintain confidentiality and comply with data protection regulations in this regard. If the requirements for this are met, we also conclude data processing agreements. Other data recipients may be those entities for which you have given us your consent to transfer data or to which we are authorized to transfer personal data based on our legitimate interest.
Will data be transferred to a third country?
A data transfer to entities in countries outside the European Union (so-called "third countries") does not, in principle, take place unless
- it is required by law (e.g. due to reporting obligations under tax law, regulations to combat money laundering, terrorist financing and other criminal acts),
- you have given us your consent to do so, or
- it is necessary for ensuring the IT operation and the CRM system at FTI-Andersch Assurance to transfer your personal data to an IT service provider in the USA or another third country in compliance with the European data protection level.
How long will my data be stored?
We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which in any case is intended to last for several months and in many cases for years.
If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted, unless their (temporary) further processing is necessary for the following purposes:
- Fulfillment of retention obligations under commercial and tax law, which may arise especially from the German Commercial Code, the German Money Laundering Act, the German Securities Trading Act and the German Fiscal Code. The periods specified there for the retention of corresponding documentation are generally two to ten years.
- Preservation of evidence within the limits of the statutory limitation provisions. According to Sec. 195 et seqq. of the German Civil Code, these limitation periods can be up to 30 years, with the regular limitation period being three years.
What data protection rights do I have?
Each data subject has the
- Right to withdraw consent according to Art. 7 para. 3 GDPR,
- Right of access according to Art. 15 GDPR,
- Right to rectification according to Art. 16 GDPR,
- Right to erasure according to Art. 17 GDPR,
- Right to restriction of processing according to Art. 18 GDPR,
- Right to object according to Art. 21 GDPR,
- Right to data portability according to Art. 20 GDPR.
Regarding the right of access and the right to erasure, the restrictions pursuant to Sec. 34 and 35 BDSG apply. In addition, there is a right of appeal to a competent data protection supervisory authority pursuant to Art. 77 GDPR in conjunction with Sec. 19 BDSG. The data protection supervisory authority responsible for FTI-Andersch Assurance is the Hessian Commissioner for Data Protection and Freedom of Information. He can be reached at the following contact details:
The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box (Postfach) 3163
65021 Wiesbaden
Germany
Phone: +49 611 1408 - 0
You can revoke your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
How is the right to object under Art. 21 GDPR designed?
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of a balance of interests (Art. 6 para. 1 lit. f GDPR); this also applies to profiling based on this provision within the meaning of Art. 4 no. 4 GDPR. In the case of so-called "profiling", we process your data partly automatically with the aim of evaluating certain personal aspects, for example in order to be able to provide you with targeted information and advice about our products and services. This enables us to provide needs-based communication, advertising and market research.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
In individual cases, we process your personal data in order to conduct direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling, insofar as it is connected with such direct advertising.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made informally with the subject "objection", stating your name and (e-mail) address and should be addressed to our data protection officer (see above).
Is there an obligation for me to provide data?
In the context of your business relationship with FTI-Andersch Assurance, you must provide all personal data that is necessary for the establishment, performance and termination of a business relationship and for the fulfillment of the associated contractual obligations, or which we are legally obligated to collect. Without this data, we will generally not be able to enter into, perform or terminate a contract with you.
If we are obliged to do so under the money laundering regulations, you must identify yourself using your identification document prior to the establishment of the business relationship and we will collect and record your name, place of birth, date of birth, nationality, address and identification data (cf. sec. 11 para. 1, 4, 5 of the German Money Laundering Act). In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the German Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship requested by you.
To what extent does automated decision-making or profiling take place?
For the establishment and performance of business relationships, FTI-Andersch Assurance does not use fully automated decision-making pursuant to Art. 22 GDPR.
We process your data partly automatically with the aim of evaluating certain personal aspects (so-called profiling), for example, in order to be able to inform and advise you specifically about our products and services. This enables us to provide needs-based communication, advertising and market research.
What data is collected, processed or used for what purposes on the FTI-Andersch Assurance Website?
(1) Cookies
The Internet pages of FTI-Andersch Assurance use cookies. They are used to recognize the users of our Internet pages (website visitors) and to make our offer user-friendly, effective and secure. Cookies are text files that are stored on the end device via the Internet browser.
The use of technically required cookies is based on the legitimate interest of FTI-Andersch Assurance pursuant to Art. 6 para. 1 lit. f GDPR or Sec. 25 para. 2 nr. 2 of the German Telecommunication Digital Services Data Protection Act (TDDDG).
The use of technically not required cookies is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Sec. 25 para. 1 TDDDG.
Website visitors can prevent the setting of cookies by our Internet pages at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. It may then not be possible to use all the functions of our Internet pages to their full extent.
Furthermore, cookies that have already been set can be deleted via the Internet browser or other software programs. In addition, you can revoke your consent to the setting of cookies on our websites at any time via the cookie preferences settings at the bottom of our website (by clicking on “Cookies preferences”). For the rest, please refer to our cookies preferences under “Cookies” at the bottom of our websites.
Cookie consent with Usercentrics
This website uses the cookie consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in accordance with data protection law. The provider is:
Usercentrics GmbH
Sendlinger Str. 7
80331 Munich
Germany
Website: usercentrics.com
(hereinafter "Usercentrics")
When you enter our website, the following personal data is transferred to Usercentrics:
- Your consent(s) or the revocation of your consent(s)
- Information about your browser
- Information about your end device
- Time of your visit to the website
Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consent you have given or its revocation to you. The data collected in this way is stored until you request us to delete it, until you delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. The consent data (consent and revocation) are stored for three years. Mandatory legal storage obligations remain unaffected.
Usercentrics is used to obtain legally required consents for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
Data processing by Usercentrics takes place within the EU/EEA. For a data transfer outside the EU/EEA, written consent by FTI-Andersch Assurance is required.
Conclusion of a data processing agreement
A so-called data processing agreement (hereinafter: DPA) has been concluded with Usercentrics, in which Usercentrics is obliged to protect the data of our website visitors. Through the DPA, Usercentrics undertakes to implement technical and organizational measures to protect the data.
Standard contractual clauses
For the provision of those services, Usercentrics uses Google Cloud EMEA Ltd. for hosting as a sub-processor with whom Usercentrics has agreed standard contractual clauses. The servers are located in the EU.
(2) Logging
The websites of FTI-Andersch Assurance collect a series of general data and information with each access. This general data and information is stored in the server's log files. The following can be recorded:
- the browser types and versions used,
- the operating system used by the accessing system,
- the website from which an accessing system arrives at our website (so-called Referrer),
- the sub-websites that are accessed via an accessing system on our website,
- the date and time of an access to the website,
- an Internet Protocol (IP) address,
- the Internet service provider of the accessing system and
- other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, FTI-Andersch Assurance does not draw any conclusions about the data subject. Rather, this information is needed to
- display the contents of our websites correctly,
- optimize the content of our websites and the advertising for them,
- ensure the long-term functionality of our information technology systems and the technology of our website, and
- provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.
Therefore, FTI-Andersch Assurance analyzes anonymously collected data and information on the one hand for statistical purposes and on the other hand for the purpose of increasing the data protection and data security of our company, with the aim of ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.
(3) Login data
To contact you as offered on our websites or similar, we ask for your name and e-mail address via a form-like input mask. By entering your data, you give us your consent to store the data as well as to use it for the respective purpose above. Consent given can be revoked at any time.
(4) Contact form, contacting per e-mail and contact management
You can contact us using a form provided on our website or by e-mail. The data you provide (in particular your e-mail address, your first and last name and the text of your request and, if applicable, other information you have provided in the contact form or by e-mail) will be stored by us when you contact us in order to process your request and respond to your concern.
The data processing is justified under Art. 6 para. 1 lit. f GDPR. We have an interest in contacting you through the website to address your concern. Insofar as your request is aimed at the fulfillment of a contractual or pre-contractual measure with you as a natural person, Art. 6 para. 1 lit. b GDPR is the legal basis for data processing.
We will delete the data generated during your concern/contact as soon as it is no longer required for processing your concern. Insofar as legal storage obligations exist, the data will be stored for the duration of the legally prescribed storage obligation. The use of the contact form is completely voluntary for you.
Contact form by Parlant
FTI-Andersch Assurance uses the web form services of Parlant GmbH to enable contacting FTI-Andersch Assurance via contact forms.
Parlant GmbH
Großgörschener Str. 15
06686 Lützen
Germany
(hereinafter: “Parlant”)
Data processing by Parlant
Parlant stores the information you provide via the contact forms so that FTI-Andersch Assurance can contact you afterwards and process your request. In addition, Parlant analyzes the information provided in the contact forms and connection data for the purpose of sorting unwanted contact form entries.
Therefore, Parlant processes the following categories of personal data:
- Names
- Telephone numbers
- E-mails
- Behavioral data
- Communication data
- All personal data that you additionally and voluntarily enter in the free text field of the contact form
Group of persons affected by the data processing:
- Visitors
- Interested parties
- Customers
- Clients
- Applicants
Legal basis
Data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR, as we have an interest in responding to your request. Insofar as your request is aimed at the fulfillment of a contractual or pre-contractual measure, we base the processing on Art. 6 para. 1 lit. b GDPR.
Storage period
Parlant deletes the personal data stored in the context of your request/your contact via the contact form as soon as it is no longer required for processing your request/your contact, at the latest after three months, provided that this deletion does not conflict with any further statutory retention period.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Parlant, in which Parlant is obliged to protect the data. The transfer of your personal data by Parlant to third parties such as service providers occurs only in limited circumstances. The service providers to whom data is transferred are contractually obligated to comply with the level of data protection and to ensure an adequate level of security.
In addition, Parlant processes your personal data exclusively in the EU/EEA.
You can find more information here.
Contact management with GEDYS
If you provide us with your business card, e.g. through an employee of FTI-Andersch Assurance, we will transfer your contact information from this business card into our database so that we can stay in contact.
To manage and maintain this contact information we use the CRM solution of GEDYS IntraWare GmbH.
GEDYS IntraWare GmbH
Eigilstraße 2
36043 Fulda
Germany
(hereinafter: “GEDYS”)
Data processing by GEDYS
GEDYS stores the contact information. In addition, the contacts entered into the GEDYS CRM solution can be linked to Microsoft Outlook, so that they are listed under the Outlook contacts of the managing directors of FTI-Andersch Assurance.
The following categories of personal data are processed:
- Name, first name
- Form of address
- Firm
- Position/function
- Address
- E-mail address
- Phone number
- Cell phone number
- URL
The following persons are affected by the data processing:
- Clients
- Customers
- Interested parties
- Contracting parties
Legal basis
The data processing is based on your consent according to Art. 6 para. 1 lit. a GDPR. The handing over of your business card to a contact person of FTI-Andersch Assurance constitutes such consent to the data processing.
Storage period
Your personal data will be stored until you request us to delete it. FTI-Andersch Assurance can also arrange an earlier deletion. This applies as long as no legal retention periods prevent such deletion.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with GEDYS, in which GEDYS is obliged to protect the data. If personal data is transferred to other service providers, they are contractually obligated to comply with the level of data protection and to ensure an adequate level of security.
Standard Contractual Clauses
For the provision of services, it may be necessary for GEDYS to transfer data to other countries, including countries outside the EU or EEA, and to process data there. The data may be transferred to subcontractors for this purpose. In such a case GEDYS uses standard contractual clauses.
You can find more information here.
(5) Sanity AS
The content management system hosting service of Sanity AS is used to provide information.
Sanity AS
Trondheimsveien 2
0560 Oslo (Norway)
(hereinafter: “Sanity”)
Data processing by Sanity
FTI-Andersch Assurance uses the service of Sanity to manage the content to be displayed on the websites of FTI-Andersch Assurance. For this purpose, FTI-Andersch Assurance uploads texts, photos and videos to the Sanity service. Sanity thus also processes personal data. Sanity processes the following personal data, among others:
- Name
- Photo recording
- Video recording
Group of persons affected by the data processing:
- Employees
- Customers/clients
This data is always stored on servers within the EU operated by Sanity's contracted processor, Google Cloud Platform. However, it is possible that this data may be temporarily stored or cached in a country where Google or its agents maintain facilities.
Sanity, as a data controller within the meaning of the GDPR, processes data when accessing Sanity services.
For the purposes of security, troubleshooting, and overall statistics, the following data is processed without being associated with any specific individual:
- IP address
- Date and time of access
- Browser type and version
- Operating system
- URL of the previously visited website
- Amount of data
- Performance data such as latency and caching
For logged-in users of Sanity services (e.g., employees of FTI-Andersch Assurance), authentication information is transmitted via cookies, among other things, so that the Sanity system can authenticate and authorize the request and make decisions based on the logged-in user.
Data that a user enters via the customer account, e.g. in the free text field, is also processed.
The data that Sanity, as data controller, processes may also be processed outside the EU, primarily in the United States.
For such transfers to third countries, adequate safeguards are in place, including data processing contracts that are compatible with the standard contractual clauses.
Legal basis
The data processing, for which FTI-Andersch Assurance is responsible under data protection law, is based on our legitimate interest in managing the FTI-Andersch Assurance websites (Art. 6 para. 1 lit. f GDPR).
Storage period
Data is stored for as long as necessary for the purposes for which it is collected and processed.
Access logs are deleted or anonymized within 90 days of their collection. If a user account is deleted, the data will be deleted within 90 days, unless legal retention periods prevent deletion. In certain cases, the data may remain in the systems of the subcontracted processor Google Cloud Platform for up to 180 days.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Sanity, in which Sanity is obliged to protect the data.
You can find more information here.
(6) Vercel Inc.
FTI-Andersch Assurance uses services of the provider
Vercel Inc
440 N Barranca Ave #4133
Covina
91723 California (USA)
(hereinafter: “Vercel”)
Vercel offers a cloud platform for on-demand delivery and related hosting and sharing services.
Data processing by Vercel
Vercel operates and hosts the FTI-Andersch Assurance websites. To provide its services, Vercel processes the information that FTI-Andersch Assurance provides to Vercel. Vercel processes the following personal data, among others:
- Name
- Photo recording
- Video recording
- IP addresses
- System configuration information
Group of persons affected by the data processing:
- Employees
- Customers/clients
Vercel's data processing takes place primarily in the USA. The data may also be processed in all other jurisdictions where Vercel operates.
Legal basis
Data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR, as we have an interest in providing the FTI-Andersch Assurance websites.
Storage period
Prior to the termination of the agreement with Vercel, Vercel will process the stored data for the purpose of providing the services until FTI-Andersch Assurance decides to delete these data through the Vercel services. Deletion will not occur if legal retention obligations prevent it.
Standard contractual clauses
In case of transfer of personal data by Vercel to third countries, the standard contractual clauses apply.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Vercel, which is based on the standard contractual clauses. In this agreement, Vercel is obligated to protect personal data and, in the case of subcontracted processing, to enter into data protection regulations corresponding to the data processing agreement.
Where Vercel transfers personal data to sub-processors in third countries, Vercel uses standard contractual clauses if no ordinary adequacy decision applies to the transfer of personal data to a third country and a transfer requires such a decision under applicable data protection legislation.
You can find more information on the data protection provisions here.
(7) Microsoft 365
FTI-Andersch Assurance uses Office applications and cloud services from Microsoft 365, among others Microsoft Exchange (e-mail, address book, calendar, tasks), SharePoint (file storage and editing, application platform), Microsoft Teams (file sharing, chat, telephony, video conferencing solution) and Microsoft Forms (survey creation and execution).
The operating company of Microsoft 365 is:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
Ireland
(hereinafter: "Microsoft")
Data processing by Microsoft
The purpose of the processing by Microsoft is to provide a workplace that enables collaboration and communication within and outside of FTI-Andersch Assurance. Collaboration here is understood to mean, for example, joint work on files, e-mail communication, meetings, live broadcasts and innovative tools.
The processing of personal data refers to employees of FTI-Andersch Assurance and all persons such as customers and contractors (current, former, future) who communicate with FTI-Andersch Assurance via Microsoft 365 applications.
Microsoft processes among others the following categories of personal data:
- Professional contact, work, and organizational data (e.g. first name, last name, e-mail, company, social media identifiers, if applicable photo)
- Private telephone numbers and private data that users enter into the system
- Authentication data (e.g. user name, password or PIN code, security question)
- Unique identification numbers and signatures (e.g. IP addresses, signature)
- Position data and location data (e.g. location at start/end of call)
- Administrative events (e.g. joining a team, creating a channel, sending an e-mail, etc.)
- Photos, videos and audio
- Contents (e.g. contents of the files and communications you enter, upload, receive, create, and control)
- Metadata (for example, about calls and meetings (e.g. network status, date/time/duration, end devices used, audio quality data))
- Internet activities (e.g. browsing history, search history)
- Device identification (e.g. SIM card number)
Data processing especially with the use and application of Microsoft Forms
FTI-Andersch Assurance regularly uses Microsoft Forms as part of Microsoft Office 365 for the purpose of conducting internal anonymous and non-anonymous online surveys (employee surveys). Surveys can be addressed in different ways (via hyperlink, QR code, embedding in web page or e-mailing). Participation in surveys is voluntary and possible without user registration with Microsoft.
An employee survey is considered anonymous if FTI-Andersch Assurance cannot draw any conclusions about the responding employee (e.g. Team Call surveys). On the basis of the survey results, anonymous evaluations are made by the processor, which have no reference to the respondent.
In the case of a non-anonymous employee survey, FTI-Andersch Assurance can draw conclusions about the responding employee and identify him or her (e.g. query participation/content of jour fixe, query participation in events and related information such as overnight stays, meal requests, allergies, etc.). In this case, the recipients of the personal data are the creator of the employee surveys and other persons at FTI-Andersch Assurance, if required for the purpose of the employee survey.
If personal data is specifically collected and further processed via surveys, FTI-Andersch Assurance will inform the employees separately in advance and - if necessary - ask for their consent. You can find more information about privacy for Microsoft Forms here.
In particular the following personal data is processed by Microsoft Forms:
- Name and contact details
- Login information
- Demographic data
- Device and usage data
- Position data
- Contents specified in the employee survey
- If applicable, health data
In the case of anonymous employee surveys, FTI-Andersch Assurance may view the following data:
- Content specified in the employee survey
In the case of non-anonymous employee surveys, FTI-Andersch Assurance may view the following data depending on the purpose of the query/survey:
- Name, first name
- Content specified in the employee survey
- Health data (e.g. allergies, food preferences)
Data processing specifically when deploying and using Microsoft Teams
Through the Microsoft Teams video conferencing solution, FTI-Andersch Assurance can offer participation via video/audio in online events. FTI-Andersch Assurance uses Microsoft Teams to conduct online events, enable collaborative work on files and internal company communication. In doing so, FTI-Andersch Assurance uses the Team Meetings mode with Microsoft Teams. In general, there is no recording of the event.
In exceptional cases, recording may take place under the following conditions:
- Prior explicit announcement of the planned recording to the participants twice (firstly when inviting and secondly before the start of the event to be recorded)
- Participants will be provided with this general data protection information
Participants are provided with the following supplemental privacy information:
- Concrete purpose of the recording
- Person responsible for recording (function, role)
- Authorized users of the recording or addressees to whom the recording is to be made available
- Location and duration of the recording
In particular the following personal data is processed by Microsoft Teams:
- Communication data (e.g. e-mail address, if this is specified on a personal basis)
- Log files, log data
- Metadata (e.g. IP address, time of participation, etc.)
Microsoft implements and maintains technical and organizational measures to protect your personal data from destruction, loss, or unauthorized access or other forms of unauthorized or unlawful processing of personal data.
Cookies
Microsoft uses cookies and similar technologies to store and maintain preferences and settings.
Legal basis
The data processing is carried out for the fulfillment of (pre)contractual obligations according to Art. 6 para. 1 lit. b GDPR for external parties and internal employees and, in the case of image and sound recordings, on the basis of consent in accordance with Art. 6 para. 1 lit. a GDPR. Processing within the scope of log files and metadata is carried out on the basis of legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (legitimate interest to detect misuse and ensure IT security and continuous improvement of services).
You can revoke your consent at any time, among others by sending an e-mail to privacy@fti-assurance.de. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.
Storage period
The personal data will be processed and stored as long as FTI-Andersch Assurance uses Microsoft 365 applications.
Metadata from calls and meetings are stored by Microsoft for a maximum of 120 days (depending on the date). The data will then be deleted automatically. Adjustment of the deadlines for live events (120 days) and Teams meetings/calls (90 days) is not available.
If FTI-Andersch Assurance deletes the personal data itself, it will also be deleted by Microsoft after 180 days at the latest, provided that this deletion does not conflict with any further statutory retention period.
If no active deletion of the personal data takes place on the part of FTI-Andersch Assurance, the personal data will be deleted no later than 180 days after the expiration of the termination of a Microsoft 365 subscription.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Microsoft, in which Microsoft is obliged to process the data of our employees etc. in accordance with the data protection laws. The standard contractual clauses are included in this data processing agreement.
Standard contractual clauses
It cannot be excluded that in individual cases personal data may also be transferred to other countries outside the EU (e.g. to the USA) and processed there. The data may also be transferred to subcontracted processors for this purpose. In such a case Microsoft uses standard contractual clauses.
You can find more information here.
(8) Realtimeboard Inc. dba Miro
FTI-Andersch Assurance uses an online whiteboard tool for the purpose of collaboration and common exchange on specific topics, i.a. in workshops with (potential) clients.
The provider of the online whiteboard tool is
Realtimeboard Inc. dba Miro
201 Spear Street
Suite 1100
San Francisco, CA 94105
United States
(hereinafter: "Miro")
Data processing by Miro
Data is processed when accessing the Miro website, registering and using the tool:
- Service metadata of authorized users
- Log data (i.a. IP address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences)
- Device data (i.a. device type, operating system used, device settings, application ID, unique device identifiers, crash data; whether some or all of the data is collected often depends on the device type and its settings)
- Location data
- Name of registered user
- E-mail address of registered user
- All personal data entered into the online whiteboard
Miro uses cookies and similar technologies on its own website and services. You can find more information about these technologies and how you can opt out of them in the Miro Cookies Policy.
Legal basis
Data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the common exchange, e.g. during a workshop, as well as in the preparation and provision of the results afterwards.
Storage period
Miro stores the personal data for as long as the tool is used. The personal data will be stored for 180 days after termination or expiry of the agreement with Miro.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Miro, in which Miro is obliged to protect the data. The standard contractual clauses are included in this data processing agreement.
Data processing in third countries
Miro customer content is hosted in Europe, including computing infrastructure, production data and backup data. This data residency in the EU also applies to the sub-processors Amazon Web Services, Inc. (Hosting) and Zendesk, Inc. (Support).
However, it cannot be excluded that personal data may also be transferred to other countries outside the EU (e.g. to the USA) and processed there. The data may also be transferred to sub-processors for this purpose. In such a case, Miro takes steps to ensure that suitable guarantees are in place to guarantee the protection of personal data, e.g. by entering into standard contractual clauses.
You can find more information here.
(9) Box
FTI-Andersch Assurance uses a collaboration tool for the purpose of exchanging data with external parties (including service providers).
The provider of the collaboration tool is
Box, Inc.
900 Jefferson Ave
Redwood City, CA 94063
USA
(hereinafter: "Box")
Data processing by Box
Data is processed when registering and using the Box tool:
- Name
- User name
- E-mail address
- Any contact information or other information you provide
Box also processes data that is automatically collected relating to the use of the tool and the devices with which the tool is accessed:
- Usage data (i.a. size and name of files or folders uploaded, downloaded, shared or accessed while using the tool, content accessed and any actions taken in connection with accessing and using the information and content in the tool)
- Log information (i.a. IP address, access time, browser type and language, Internet service provider)
- Device data (i.a. hardware model, operating system and version, unique device identifiers)
Box uses cookies and similar technologies on its own website and services. You can find more information about these technologies and how you can refuse them in the Box Cookies Policy.
Legal basis
Data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the effective exchange of data within engagements.
Storage period
Box stores the data for as long as the Box account is active or as necessary to provide the tool.
Conclusion of an agreement for data processing
A so-called data processing agreement has been concluded with Box, in which Box is obliged to protect the data.
Data processing in third countries
The data is hosted in Germany. However, it cannot be excluded that personal data may also be transferred to other countries outside the EU and processed there. The data may also be transferred to sub-processors for this purpose. In such a case, Box takes steps to ensure that suitable guarantees are in place to guarantee the protection of personal data.
Box is certified under the EU-US Data Privacy Framework.
You can find more information here.
(10) FTI-Andersch AG
FTI-Andersch Assurance obtains, among other things, administrative services from its external partner
FTI-Andersch AG
Taunusanlage 9-10
60329 Frankfurt am Main
Germany
(hereinafter: "FTI-Andersch")
This includes, e.g. services relating to personnel support and development as well as IT.
Data processing by FTI-Andersch
FTI-Andersch processes all data of FTI-Andersch Assurance, for example personal data that FTI-Andersch Assurance processes from its customers and employees via the systems provided by FTI-Andersch or that is the subject of the administrative services commissioned by FTI-Andersch Assurance. This may include the following data in particular:
- Person master data (e.g. name, address, date of birth, title)
- Contact data (e.g. telephone, e-mail, address)
- Electronic communication data (IP address, details of the end device used, operating system and browser)
- Contract data (contract details, services, customer number)
- Other employee/applicant data (e.g. application documents, salary data, certificate of good conduct, photos, performance evaluation, absences, social security data, wage tax data)
- Support correspondence
- Offer data
- Call history
- Financial data
- Transaction data
- Information data (from third parties, e.g. credit agencies or public registers)
- User name and password
- Other: All personal data stored by FTI-Andersch Assurance at its own discretion in the systems provided by FTI-Andersch
Legal basis
Data processing is carried out on the basis of the data processing agreement concluded between FTI-Andersch and FTI-Andersch Assurance (Art. 6 para. 1 lit. b GDPR).
Storage period
FTI-Andersch stores the data for as long as necessary for the provision of the services.
Conclusion of an agreement for data processing
We have concluded a so-called data processing agreement with FTI-Andersch, in which we oblige FTI-Andersch to protect the data.
Data processing in third countries
The processing of data generally takes place in the EU/EEA. Processing in a third country cannot be excluded, but requires the consent of FTI-Andersch Assurance and may only take place if the special requirements of Art. 44 et seq. of the GDPR are met (e.g. adequacy decision, standard contractual clauses, if necessary in combination with other measures, approved code of conduct).
You can find more information here.