Data Protection Policy of Convento GmbH, Neuss

for users of myconvento

As of May 25, 2018, Germany and the remaining EU member states are required to comply with and enforce the requirements of the EU General Data Protection Regulation (hereafter, GDPR). In Germany, the new Federal Data Protection Act (hereafter, “BDSG-new”), which builds on and implements the GDPR, will enter into force at the same time and, together with the GDPR, will replace the current Federal Data Protection Act (BDSG-old), which remains in effect through May 25, 2018.

As a data processor defined in Art. 4 GDPR, Convento GmbH (hereafter, “Convento”) processes personal data which its customers as controllers make available in myconvento for the performance of a contract to which the data subject is party. Personal data means any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Specifically, it refers to address and communication data and other distinctive particulars of journalists, bloggers, other “influencers” of the customer, and publishers.

Convento respects its customers’ right to and ownership of their data, ensuring full data protection and privacy for data subjects, and is committed to doing whatever it takes to measure up to its customers’ expectations.

Territorial scope

Customer data are processed exclusively within the territory of the Federal Republic of Germany. Since 2015, Convento has operated its customer systems at a specialized data processing center certified to ISO 27001 in D-40472 Düsseldorf at myLoc managed IT AG (

Disclosure of personal information to third parties, subcontracts

Convento itself does not use the personal data provided by its customers, but makes them available only to the relevant customer on the server farm rented at the data center of myLoc managed IT AG (data processing center certified to ISO 27001), Am Gatherhof 44, D-40472 Düsseldorf. At the center, the data are integrated in the customer’s database and then made available exclusively to the customer.
If any part of a contract is subcontracted (always strictly with the prior written consent of the customer), Convento will ensure that its subcontractors comply to the same degree with the stringent data protection and data security standards. The rights of inspection and review of the customer vis-à-vis Convento also apply to any subcontractors.

While general supply services (e.g. telecommunication, maintenance, support, cleaning) are excluded from this provision, Convento generally has appropriate data protection and data security agreements in place with such partners.
Personal data will be collected and forwarded to governmental institutions and authorities strictly within the scope of current legislation. In such case, Convento agrees, to the extent permitted by law, to give the customer due notice in writing of the disclosure. Convento does not use any service providers that fall within the ambit of the U.S. Patriot Act and the U.S. Freedom Act.

Obligations of the customer

As “controller” within the meaning of Article 4 no. 7 of the GDPR, the customer is responsible for the lawfulness of work assigned to Convento and for safeguarding the rights of data subjects. The customer is required to place or confirm all orders and add-ons in writing. The same applies to mutually agreed amendments to contents, processes, the scope and any other components of the contract. Instructions issued verbally by the customer must immediately be confirmed in writing.

The customer will provide a responsible contact person competent to issue instructions and make or enforce prompt decisions on matters relating to the execution of the contract. This contact person will ensure that the myconvento users of the customer are familiar and comply with this policy.
The customer’s administrator specifies the users in myconvento. Each user is provided with personal login data (user ID and password) and urged not to use passwords that are easy to spy out and not to carry with them any written password reminders.
Any access to myconvento (“user account”) which is no longer required for a user must immediately be deleted by the customer. The customer will notify Convento without undue delay if errors are found in the execution of the contract or in the job results.

Obligations of Convento GmbH

Convento processes personal data strictly within the agreed limits and as instructed in writing by the customer. The data provided will not be used for any other purposes. No copies or duplicates will be made without the customer’s knowledge.
Convento does not generally maintain or process data for customers and is not, therefore, required to keep detailed data processing records that enable the customer to verify proper data processing. Convento will process data only where so specifically instructed in writing by the customer, in which case, and only then, Convento will keep basic data processing records. These will detail in the context of a log report which Convento employee viewed or processed which data of which customer and when. Convento will store this documentation for the long term.
Convento handles personal data in compliance with all applicable provisions of the Data Protection Act, the Telemedia Act (TMG) and the Telecommunications Act (TKG). On request, Convento will provide the customer with the information stipulated in Art. 30 (2) GDPR (records of processing activities carried out on behalf of a controller).

In accordance with Art. 32 GDPR, Convento uses appropriate technical and organizational measures (TOM) to protect personal data as best as possible against accidental or unlawful manipulation, loss, destruction or access by unauthorized persons. These measures are continuously improved in line with the state of the art.
All employees, suppliers and partners of Convento are obligated to maintain data confidentiality in accordance with the provisions of Section 53 BDSG-new and, in addition, bound to professional secrecy, if any (e.g. banking secrecy).
Convento will notify the customer promptly if the property of the customer at Convento is at risk as a result of third-party action (such as attachment or seizure, insolvency or composition proceedings, etc.).

Rights of the Customer

Convento will grant the customer or an auditor mandated by the customer unhindered access to its premises as needed for monitoring purposes in accordance with Section 64 (3) no. 12 BDSG-new. In particular, Convento will allow the customer to inspect the data stored for the customer or in connection with the contract as well as the processing operations used in order to verify compliance with the technical and organizational measures (TOM) implemented.

To this end, the auditor will be given access equivalent to the rights of the relevant customer. If in exceptional cases the customer permits data to be processed in private homes, Convento will ensure that the aforesaid inspections can also be performed in these homes. Convento affirms that it has obtained the consent of all occupants of these private homes to this arrangement.

Rights of data subjects

Any persons whose data are stored on Convento systems, irrespective of whether these were collected by the controller or by Convento, are entitled at no cost to obtain information on the data stored about them.

Data subject groups usually include journalists, bloggers, other “influencers” of the customer and/or other contacts in public relations, such as customers, prospects, employees as defined by Section 26 BDSG-new, subscribers, suppliers, sales representatives or shareholders.
The data subject has the right to rectification, erasure or blocking of their data stored in myconvento. Where Convento has processed data on behalf of the controller, Convento will promptly forward the data and the complaint to the controller. Alternatively, the customer may authorize Convento in writing to deal on its behalf with the complaint of the data subject.

Rights of Convento GmbH

If the customer issues Convento with instructions under a contract which may violate applicable data protection laws, Convento will notify the customer without delay and may delay acting on the instructions until the matter has been resolved.
Where compliance with data protection and/or data security measures is monitored by the customer, either itself or through another party, Convento is entitled to bill the customer for the work performed on a time basis for each hour or part thereof at the standard hourly rates applicable at Convento. Verifications via the user account are obviously free of charge.

Technical and organizational data protection measures (TOM)

Convento has implemented appropriate technical and organizational measures (TOM) in accordance with Section 64 BDSG-new. In addition, all obligations to be met under the applicable data protection laws and other legal requirements are monitored by a data protection officer (see below). Convento undertakes to comply with and document the measures specified in Section 64 BDSG-new during operation and to make the records available to the customer on request. The same applies to any measures agreed with the customer for the exchange, provision, processing, keeping, release and transfer of data.

As proof of the technical and organizational measures implemented, Convento will make available to the customer all pertinent records, logs and reports it keeps, including those from independent authorities. Convento reserves the right to implement measures reflecting the latest technical and organizational progress that meet at least the same data protection and data security requirements as those specified in the Appendix.
A specified chain of communication ensures prompt notification of the customer in case of control activities, measures and monitoring in accordance with Section 40 BDSG-new or in accordance with Art. 83 GDPR. Convento will also notify the customer promptly of any violation of regulations relating to the protection of the customer’s personal data (e.g. in accordance with Art. 33 GDPR) or of stipulations in the contract either by itself or by any employees, and of serious disruptions to operations. The same applies even at the mere suspicion of such incidents.
Convento will promptly notify the customer of the following cases, whatever their reason and even if only suspected:

  • serious disruption of operations
  • significant irregularities in the handling of the customer’s personal data
  • personal data breach in accordance with Art. 33 GDPR
  • unlawful transmission of personal data
  • where personal data may have come to the knowledge of third parties in an unlawful manner

In agreement with the customer, Convento will take appropriate action to protect the data and to minimize any adverse consequences for the data subjects. Where applicable, Convento will assist the customer as controller in ensuring compliance with any specific reporting obligations under Art. 33 or 34 GDPR.

Convento will regularly review all customer contracts in the context of contract monitoring tasks to verify their execution and completion. The arrangements and measures relating to contract execution are checked for compliance and amended where necessary.

Type of data, data carriers

The type of data will be specified in the contract. These may include:

  • Key personal data, communication data (e.g. telephone, email), contact history
  • Key contract data (contractual relationship, product or contract involvement)
  • Contract billing and payment data
  • Information (from third parties, e.g. information offices, or from public registers)

Convento will identify all data carriers provided by, or used for, the customer by name. Their receipt and return will be documented. External data carriers for data backup are also encrypted for security purposes in case of transport between locations.
The handling of disused data carriers is governed by the internal data protection concept applicable to all employees. These data carriers will always be passed to the IT department. Optical data carriers are shredded; damaged hard disks, USB sticks and other data storage devices are kept under lock and key until their destruction in compliance with data protection regulations.


In accordance with the statutory provisions, Convento will be liable to the customer for any damage caused by its employees or by any party commissioned by it with the execution of the contract as a result of willful or grossly negligent action in the performance of the contract. The burden of proof is on the customer. Where damage to property or financial loss is due to negligence, Convento and its vicarious agents will be liable only where breach of a fundamental obligation has occurred. In such case, liability is limited to the foreseeable, typically occurring damage upon contract conclusion. Only one claim may be brought for the action of a single Convento employee.

The customer is primarily liable for damages which a data subject has suffered as a result of unlawful data processing pursuant to the data protection regulations.

Under Art. 82 (2) sentence 2 GDPR, Convento is liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. If both the customer as controller and Convento as processor are involved in the same processing, both will be held liable for the entire damage in order to ensure effective compensation of the data subject in accordance with Art. 82 (4) GDPR.

End of job and contract

At the end of the contractual relationship, Convento will return all records of the customer and any files, data carriers and documents relating to the contract to the customer or, in agreement with the customer, dispose of them in accordance with the data protection regulations. Convento will subsequently confirm the deletion or destruction in accordance with the data protection regulations.
Convento will retain data provided for processing only as long as stipulated by law or by the customer. Records containing personal data that are no longer required will be destroyed in accordance with the data protection regulations only where so instructed in writing by the customer. Convento will keep all test and substandard material under lock and key until it is either deleted by Convento in accordance with the data protection regulations or passed to the customer. Convento will confirm the destruction of customer records and document the delivery of documents to the customer.
Convento may continue to store and use data for accounting and billing purposes beyond the end of the contract or after the deletion of personal data.

The customer may terminate the contract without notice at any time if Convento is found in serious breach of provisions under the Data Protection Act or the underlying contract, if it cannot or will not comply with a lawful instruction issued by the customer under the Data Protection Act and advises the customer thereof in writing, or contrary to the contract denies the customer access.

Automatic logging of user behavior

myconvento uses “cookies” to make its use more convenient for the customer. Cookies store information such as the login data of website users to save having to re-enter the data on every visit to the website. Most browsers are set to automatically accept cookies. In addition, myconvento records the general intensity of a customer’s use of myconvento. This information is used exclusively to improve customer support and to monitor and safeguard the capacity of the overall system.

Customer consent (myconvento user company)

By using myconvento, the user company agrees to Convento collecting and using data to the extent described above. The rapid development of the Internet makes it necessary to amend our data protection policy from time to time. As a customer, you will be notified by e-mail about any amendments to our data protection policy. The current version can be viewed at any time on our website at

Further Information

If you have any queries, requests or comments on the issue of data protection, please email us in the first instance at .

Data protection at Convento is also consistently monitored and supported by our external data protection officer:

Mr. Axel Krause, lawyer
Law firm Geerkens – Frommen – Krause
Drususallee 84
41460 Neuss
