Data Protection Policy of Convento GmbH, Neuss

for users of myconvento

As of May 25, 2018, Germany and the remaining EU member states are required to comply with and enforce the requirements of the EU General Data Protection Regulation (hereafter, GDPR). In Germany, the new Federal Data Protection Act (hereafter, “BDSG-new”), which builds on and implements the GDPR, will enter into force at the same time and, together with the GDPR, will replace the current Federal Data Protection Act (BDSG-old), which remains in effect through May 25, 2018.

As a data processor defined in Art. 4 GDPR, Convento GmbH (hereafter, “Convento”) processes personal data which its customers as controllers make available in myconvento for the performance of a contract to which the data subject is party. Personal data means any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Specifically, it refers to address and communication data and other distinctive particulars of journalists, bloggers, other “influencers” of the customer, and publishers.

Convento respects its customers’ right to and ownership of their data, ensuring full data protection and privacy for data subjects, and is committed to doing whatever it takes to measure up to its customers’ expectations.

Territorial scope

Customer data are processed exclusively within the territory of the Federal Republic of Germany. Since 2015, Convento has operated its customer systems at a specialized data processing center certified to ISO 27001 in D-40472 Düsseldorf at myloc managed IT AG (

Disclosure of personal information to third parties, subcontracts

Convento itself does not use the personal data provided by its customers, but makes them available only to the relevant customer on the server farm rented at the data center of myLoc managed IT AG (data processing center certified to ISO 27001), Am Gatherhof 44, D-40472 Düsseldorf. At the center, the data are integrated in the customer’s database and then made available exclusively to the customer.
If any part of a contract is subcontracted – always strictly with the prior written consent of the customer – Convento will ensure that its subcontractors comply to the same degree with the stringent data protection and data security standards. The rights of inspection and review of the customer vis-à-vis Convento also apply to any subcontractors.

While general supply services (e.g. telecommunication, maintenance, support, cleaning) are excluded from this provision, Convento generally has appropriate data protection and data security agreements in place with such partners.
Personal data will be collected and forwarded to governmental institutions and authorities strictly within the scope of current legislation. In such case, Convento agrees – to the extent permitted by law – to give the customer due notice in writing of the disclosure. Convento does not use any service providers that fall within the ambit of the U.S. Patriot Act and the U.S. Freedom Act.

Obligations of the customer

As “controller” within the meaning of Article 4 no. 7 of the GDPR, the customer is responsible for the lawfulness of work assigned to Convento and for safeguarding the rights of data subjects. The customer is required to place or confirm all orders and add-ons in writing. The same applies to – mutually agreed – amendments to contents, processes, the scope and any other components of the contract. Instructions issued verbally by the customer must immediately be confirmed in writing.

The customer will provide a responsible contact person competent to issue instructions and make or enforce prompt decisions on matters relating to the execution of the contract. This contact person will ensure that the myconvento users of the customer are familiar and comply with this policy.
The customer’s administrator specifies the users in myconvento. Each user is provided with personal login data (user ID and password) and urged not to use passwords that are easy to spy out and not to carry with them any written password reminders.
Any access to myconvento (“user account”) which is no longer required for a user must immediately be deleted by the customer. The customer will notify Convento without undue delay if errors are found in the execution of the contract or in the job results.

Obligations of Convento GmbH

Convento processes personal data strictly within the agreed limits and as instructed in writing by the customer. The data provided will not be used for any other purposes. No copies or duplicates will be made without the customer’s knowledge.
Convento does not generally maintain or process data for customers and is not, therefore, required to keep detailed data processing records that enable the customer to verify proper data processing. Convento will process data only where so specifically instructed in writing by the customer, in which case, and only then, Convento will keep basic data processing records. These will detail in the context of a log report which Convento employee viewed or processed which data of which customer and when. Convento will store this documentation for the long term.
Convento handles personal data in compliance with all applicable provisions of the Data Protection Act, the Telemedia Act (TMG) and the Telecommunications Act (TKG). On request, Convento will provide the customer with the information stipulated in Art. 30 (2) GDPR (records of processing activities carried out on behalf of a controller).

In accordance with Art. 32 GDPR, Convento uses appropriate technical and organizational measures (TOM) to protect personal data as best as possible against accidental or unlawful manipulation, loss, destruction or access by unauthorized persons. These measures are continuously improved in line with the state of the art.
All employees, suppliers and partners of Convento are obligated to maintain data confidentiality in accordance with the provisions of Section 53 BDSG-new and, in addition, bound to professional secrecy, if any (e.g. banking secrecy).
Convento will notify the customer promptly if the property of the customer at Convento is at risk as a result of third-party action (such as attachment or seizure, insolvency or composition proceedings, etc.).

Rights of the Customer

Convento will grant the customer or an auditor mandated by the customer unhindered access to its premises as needed for monitoring purposes in accordance with Section 64 (3) no. 12 BDSG-new. In particular, Convento will allow the customer to inspect the data stored for the customer or in connection with the contract as well as the processing operations used in order to verify compliance with the technical and organizational measures (TOM) implemented.

To this end, the auditor will be given access equivalent to the rights of the relevant customer. If in exceptional cases the customer permits data to be processed in private homes, Convento will ensure that the aforesaid inspections can also be performed in these homes. Convento affirms that it has obtained the consent of all occupants of these private homes to this arrangement.

Rights of data subjects

Any persons whose data are stored on Convento systems, irrespective of whether these were collected by the controller or by Convento, are entitled at no cost to obtain information on the data stored about them.

Data subject groups usually include journalists, bloggers, other “influencers” of the customer and/or other contacts in public relations, such as customers, prospects, employees as defined by Section 26 BDSG-new, subscribers, suppliers, sales representatives or shareholders.
The data subject has the right to rectification, erasure or blocking of their data stored in myconvento. Where Convento has processed data on behalf of the controller, Convento will promptly forward the data and the complaint to the controller. Alternatively, the customer may authorize Convento in writing to deal on its behalf with the complaint of the data subject.

Rights of Convento GmbH

If the customer issues Convento with instructions under a contract which may violate applicable data protection laws, Convento will notify the customer without delay and may delay acting on the instructions until the matter has been resolved.
Where compliance with data protection and/or data security measures is monitored by the customer, either itself or through another party, Convento is entitled to bill the customer for the work performed on a time basis for each hour or part thereof at the standard hourly rates applicable at Convento. Verifications via the user account are obviously free of charge.

Technical and organizational data protection measures (TOM)

Convento has implemented appropriate technical and organizational measures (TOM) in accordance with Section 64 BDSG-new. In addition, all obligations to be met under the applicable data protection laws and other legal requirements are monitored by a data protection officer (see below). Convento undertakes to comply with and document the measures specified in Section 64 BDSG-new during operation and to make the records available to the customer on request. The same applies to any measures agreed with the customer for the exchange, provision, processing, keeping, release and transfer of data.

As proof of the technical and organizational measures implemented, Convento will make available to the customer all pertinent records, logs and reports it keeps, including those from independent authorities. Convento reserves the right to implement measures reflecting the latest technical and organizational progress that meet at least the same data protection and data security requirements as those specified in the Appendix.
A specified chain of communication ensures prompt notification of the customer in case of control activities, measures and monitoring in accordance with Section 40 BDSG-new or in accordance with Art. 83 GDPR. Convento will also notify the customer promptly of any violation of regulations relating to the protection of the customer’s personal data (e.g. in accordance with Art. 33 GDPR) or of stipulations in the contract either by itself or by any employees, and of serious disruptions to operations. The same applies even at the mere suspicion of such incidents.
Convento will promptly notify the customer of the following cases, whatever their reason and even if only suspected:

  • serious disruption of operations
  • significant irregularities in the handling of the customer’s personal data
  • personal data breach in accordance with Art. 33 GDPR
  • unlawful transmission of personal data
  • where personal data may have come to the knowledge of third parties in an unlawful manner

In agreement with the customer, Convento will take appropriate action to protect the data and to minimize any adverse consequences for the data subjects. Where applicable, Convento will assist the customer as controller in ensuring compliance with any specific reporting obligations under Art. 33 or 34 GDPR.

Convento will regularly review all customer contracts in the context of contract monitoring tasks to verify their execution and completion. The arrangements and measures relating to contract execution are checked for compliance and amended where necessary.

Type of data, data carriers

The type of data will be specified in the contract. These may include:

  • Key personal data, communication data (e.g. telephone, email), contact history
  • Key contract data (contractual relationship, product or contract involvement)
  • Contract billing and payment data
  • Information (from third parties, e.g. information offices, or from public registers)

Convento will identify all data carriers provided by, or used for, the customer by name. Their receipt and return will be documented. External data carriers for data backup are also encrypted for security purposes in case of transport between locations.
The handling of disused data carriers is governed by the internal data protection concept applicable to all employees. These data carriers will always be passed to the IT department. Optical data carriers are shredded; damaged hard disks, USB sticks and other data storage devices are kept under lock and key until their destruction in compliance with data protection regulations.


In accordance with the statutory provisions, Convento will be liable to the customer for any damage caused by its employees or by any party commissioned by it with the execution of the contract as a result of willful or grossly negligent action in the performance of the contract. The burden of proof is on the customer. Where damage to property or financial loss is due to negligence, Convento and its vicarious agents will be liable only where breach of a fundamental obligation has occurred. In such case, liability is limited to the foreseeable, typically occurring damage upon contract conclusion. Only one claim may be brought for the action of a single Convento employee.

The customer is primarily liable for damages which a data subject has suffered as a result of unlawful data processing pursuant to the data protection regulations.

Under Art. 82 (2) sentence 2 GDPR, Convento is liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. If both the customer as controller and Convento as processor are involved in the same processing, both will be held liable for the entire damage in order to ensure effective compensation of the data subject in accordance with Art. 82 (4) GDPR.

End of job and contract

At the end of the contractual relationship, Convento will return all records of the customer and any files, data carriers and documents relating to the contract to the customer or, in agreement with the customer, dispose of them in accordance with the data protection regulations. Convento will subsequently confirm the deletion or destruction in accordance with the data protection regulations.
Convento will retain data provided for processing only as long as stipulated by law or by the customer. Records containing personal data that are no longer required will be destroyed in accordance with the data protection regulations only where so instructed in writing by the customer. Convento will keep all test and substandard material under lock and key until it is either deleted by Convento in accordance with the data protection regulations or passed to the customer. Convento will confirm the destruction of customer records and document the delivery of documents to the customer.
Convento may continue to store and use data for accounting and billing purposes beyond the end of the contract or after the deletion of personal data.

The customer may terminate the contract without notice at any time if Convento is found in serious breach of provisions under the Data Protection Act or the underlying contract, if it cannot or will not comply with a lawful instruction issued by the customer under the Data Protection Act and advises the customer thereof in writing, or contrary to the contract denies the customer access.

Automatic logging of user behavior

myconvento uses “cookies” to make its use more convenient for the customer. Cookies store information such as the login data of website users to save having to re-enter the data on every visit to the website. Most browsers are set to automatically accept cookies. In addition, myconvento records the general intensity of a customer’s use of myconvento. This information is used exclusively to improve customer support and to monitor and safeguard the capacity of the overall system.

Customer consent (myconvento user company)

By using myconvento, the user company agrees to Convento collecting and using data to the extent described above. The rapid development of the Internet makes it necessary to amend our data protection policy from time to time. As a customer, you will be notified by e-mail about any amendments to our data protection policy. The current version can be viewed at any time on our website at

Further Information

If you have any queries, requests or comments on the issue of data protection, please email us in the first instance at .

Data protection at Convento is also consistently monitored and supported by our external data protection officer:

Mr. Axel Krause, lawyer
Law firm Geerkens – Frommen – Krause
Drususallee 84
41460 Neuss
