Data Protection Policy of Convento GmbH, Neuss

for users of myconvento

As of May 25, 2018, Germany and the remaining EU member states are required to comply with and enforce the requirements of the EU General Data Protection Regulation (hereafter, GDPR). In Germany, the new Federal Data Protection Act (hereafter, “BDSG-new”), which builds on and implements the GDPR, will enter into force at the same time and, together with the GDPR, will replace the current Federal Data Protection Act (BDSG-old), which remains in effect through May 25, 2018.

As a data processor defined in Art. 4 GDPR, Convento GmbH (hereafter, “Convento”) processes personal data which its customers as controllers make available in myconvento for the performance of a contract to which the data subject is party. Personal data means any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Specifically, it refers to address and communication data and other distinctive particulars of journalists, bloggers, other “influencers” of the customer, and publishers.

Convento respects its customers’ right to and ownership of their data, ensuring full data protection and privacy for data subjects, and is committed to doing whatever it takes to measure up to our customers’ expectations.

Territorial scope

Customer data are processed exclusively within the territory of the Federal Republic of Germany. Since 2015, Convento has operated its customer systems at a specialized data processing center certified to ISO 27001 in D-40472 Düsseldorf at myloc managed IT AG (

Disclosure of personal information to third parties, subcontracts

Convento itself does not use the personal data provided by its customers, but makes them available only to the relevant customer on the server farm rented at the data center of myLoc managed IT AG (data processing center certified to ISO 27001), Am Gatherhof 44, D-40472 Düsseldorf. At the center, the data are integrated in the customer’s database and then made available exclusively to the customer.
If any part of a contract is subcontracted – always strictly with the prior written consent of the customer – Convento will ensure that its subcontractors comply to the same degree with the stringent data protection and data security standards. The rights of inspection and review of the customer vis-à-vis Convento also apply to any subcontractors.

While general supply services (e.g. telecommunication, maintenance, support, cleaning) are excluded from this provision, Convento generally has appropriate data protection and data security agreements in place with such partners.
Personal data will be collected and forwarded to governmental institutions and authorities strictly within the scope of current legislation. In such case, Convento agrees – to the extent permitted by law – to give the customer due notice in writing of the disclosure. Convento does not use any service providers that fall within the ambit of the U.S. Patriot Act and the U.S. Freedom Act.

Obligations of the customer

As “controller” within the meaning of Article 4 no. 7 of the GDPR, the customer is responsible for the lawfulness of work assigned to Convento and for safeguarding the rights of data subjects. The customer is required to place or confirm all orders and add-ons in writing. The same applies to – mutually agreed – amendments to contents, processes, the scope and any other components of the contract. Instructions issued verbally by the customer must immediately be confirmed in writing.

The customer will provide a responsible contact person competent to issue instructions and make or enforce prompt decisions on matters relating to the execution of the contract. This contact person will ensure that the myconvento users of the customer are familiar and comply with this policy.
The customer’s administrator specifies the users in myconvento. Each user is provided with personal login data (user ID and password) and urged not to use passwords that are easy to spy out and not to carry with them any written password reminders.
Any access to myconvento (“user account”) which is no longer required for a user must immediately be deleted by the customer. The customer will notify Convento without undue delay if errors are found in the execution of the contract or in the job results.

Obligations of Convento GmbH

Convento processes personal data strictly within the agreed limits and as instructed in writing by the customer. The data provided will not be used for any other purposes. No copies or duplicates will be made without the customer’s knowledge.
Convento does not generally maintain or process data for customers and is not, therefore, required to keep detailed data processing records that enable the customer to verify proper data processing. Convento will process data only where so specifically instructed in writing by the customer, in which case, and only then, Convento will keep basic data processing records. These will detail, in the context of a log report, which Convento employee viewed or processed which data of which customer and when. Convento will store this documentation for the long term.
Convento handles personal data in compliance with all applicable provisions of the Data Protection Act, the Telemedia Act (TMG) and the Telecommunications Act (TKG). On request, Convento will provide the customer with the information stipulated in Art. 30 (2) GDPR (records of processing activities carried out on behalf of a controller).

In accordance with Art. 32 GDPR, Convento uses appropriate technical and organizational measures (TOM) to protect personal data as best as possible against accidental or unlawful manipulation, loss, destruction or access by unauthorized persons. These measures are continuously improved in line with the state of the art.
All employees, suppliers and partners of Convento are obligated to maintain data confidentiality in accordance with the provisions of Section 53 BDSG-new and, in addition, bound to professional secrecy, if any (e.g. banking secrecy).
Convento will notify the customer promptly if the property of the customer at Convento is at risk as a result of third-party action (such as attachment or seizure, insolvency or composition proceedings, etc.).

Rights of the Customer

Convento will grant the customer or an auditor mandated by the customer unhindered access to its premises as needed for monitoring purposes in accordance with Section 64 (3) no. 12 BDSG-new. In particular, Convento will allow the customer to inspect the data stored for the customer or in connection with the contract as well as the processing operations used in order to verify compliance with the technical and organizational measures (TOM) implemented.

To this end, the auditor will be given access equivalent to the rights of the relevant customer. If in exceptional cases the customer permits data to be processed in private homes, Convento will ensure that the aforesaid inspections can also be performed in these homes. Convento affirms that it has obtained the consent of all occupants of these private homes to this arrangement.

Rights of data subjects

Any persons whose data are stored on Convento systems, irrespective of whether these were collected by the controller or by Convento, are entitled at no cost to obtain information on the data stored about them.

Data subject groups usually include journalists, bloggers, other “influencers” of the customer and/or other contacts in public relations, such as customers, prospects, employees as defined by Section 26 BDSG-new, subscribers, suppliers, sales representatives or shareholders.
The data subject has the right to rectification, erasure or blocking of their data stored in myconvento. Where Convento has processed data on behalf of the controller, Convento will promptly forward the data and the complaint to the controller. Alternatively, the customer may authorize Convento in writing to deal on its behalf with the complaint of the data subject.

Rights of Convento GmbH

If the customer issues Convento with instructions under a contract which may violate applicable data protection laws, Convento will notify the customer without delay and may delay acting on the instructions until the matter has been resolved.
Where compliance with data protection and/or data security measures is monitored by the customer, either itself or through another party, Convento is entitled to bill the customer for the work performed on a time basis for each hour or part thereof at the standard hourly rates applicable at Convento. Verifications via the user account are obviously free of charge.

Technical and organizational data protection measures (TOM)

Convento has implemented appropriate technical and organizational measures (TOM) in accordance with Section 64 BDSG-new. In addition, all obligations to be met under the applicable data protection laws and other legal requirements are monitored by a data protection officer (see below). Convento undertakes to comply with and document the measures specified in Section 64 BDSG-new during operation and to make the records available to the customer on request. The same applies to any measures agreed with the customer for the exchange, provision, processing, keeping, release and transfer of data.

As proof of the technical and organizational measures implemented, Convento will make available to the customer all pertinent records, logs and reports it keeps, including those from independent authorities. Convento reserves the right to implement measures reflecting the latest technical and organizational progress that meet at least the same data protection and data security requirements as those specified in the Appendix.
A specified chain of communication ensures prompt notification of the customer in case of control activities, measures and monitoring in accordance with Section 40 BDSG-new or in accordance with Art. 83 GDPR. Convento will also notify the customer promptly of any violation of regulations relating to the protection of the customer’s personal data (e.g. in accordance with Art. 33 GDPR) or of stipulations in the contract either by itself or by any employees, and of serious disruptions to operations. The same applies even at the mere suspicion of such incidents.
Convento will promptly notify the following cases, whatever their reason and even if only suspected:

  • serious disruption of operations
  • significant irregularities in the handling of the customer’s personal data
  • personal data breach in accordance with Art. 33 GDPR
  • unlawful transmission of personal data
  • where personal data may have come to the knowledge of third parties in an unlawful manner

In agreement with the customer, Convento will take appropriate action to protect the data and to minimize any adverse consequences for the data subjects. Where applicable, Convento will assist the customer as controller in ensuring compliance with any specific reporting obligations under Art. 33 or 34 GDPR.

Convento will regularly review all customer contracts in the context of contract monitoring tasks to verify their execution and completion. The arrangements and measures relating to contract execution are checked for compliance and amended where necessary.

Type of data, data carriers

The type of data will be specified in the contract. These may include:

  • Key personal data, communication data (e.g. telephone, email), contact history
  • Key contract data (contractual relationship, product or contract involvement)
  • Contract billing and payment data
  • Information (from third parties, e.g. information offices, or from public registers)

Convento will identify all data carriers provided by, or used for, the customer by name. Their receipt and return will be documented. External data carriers for data backup are also encrypted for security purposes in case of transport between locations.
The handling of disused data carriers is governed by the internal data protection concept applicable to all employees. These data carriers will always be passed to the IT department. Optical data carriers are shredded; damaged hard disks, USB sticks and other data storage devices are kept under lock and key until their destruction in compliance with data protection regulations.


In accordance with the statutory provisions, Convento will be liable to the customer for any damage caused by its employees or by any party commissioned by it with the execution of the contract as a result of willful or grossly negligent action in the performance of the contract. The burden of proof is on the customer. Where damage to property or financial loss is due to negligence, Convento and its vicarious agents will be liable only where breach of a fundamental obligation has occurred. In such case, liability is limited to the foreseeable, typically occurring damage upon contract conclusion. Only one claim may be brought for the action of a single Convento employee.

The customer is primarily liable for damages which a data subject has suffered as a result of unlawful data processing pursuant to the data protection regulations.

Under Art. 82 (2) sentence 2 GDPR, Convento is liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. If both the customer as controller and Convento as processor are involved in the same processing, both will be held liable for the entire damage in order to ensure effective compensation of the data subject in accordance with Art. 82 (4) GDPR.

End of job and contract

At the end of the contractual relationship, Convento will return all records of the customer and any files, data carriers and documents relating to the contract to the customer or, in agreement with the customer, dispose of them in accordance with the data protection regulations. Convento will subsequently confirm the deletion or destruction in accordance with the data protection regulations.
Convento will retain data provided for processing only as long as stipulated by law or by the customer. Records containing personal data that are no longer required will be destroyed in accordance with the data protection regulations only where so instructed in writing by the customer. Convento will keep all test and substandard material under lock and key until it is either deleted by Convento in accordance with the data protection regulations or passed to the customer. Convento will confirm the destruction of customer records and document the delivery of documents to the customer.
Convento may continue to store and use data for accounting and billing purposes beyond the end of the contract or after the deletion of personal data.

The customer may terminate the contract without notice at any time if Convento is found in serious breach of provisions under the Data Protection Act or the underlying contract, if it cannot or will not comply with a lawful instruction issued by the customer under the Data Protection Act and advises the customer thereof in writing, or contrary to the contract denies the customer access.

Automatic logging of user behavior

myconvento uses “cookies” to make its use more convenient for the customer. Cookies store information such as the login data of website users to save having to re-enter the data on every visit to the website. Most browsers are set to automatically accept cookies. In addition, myconvento records the general intensity of a customer’s use of myconvento. This information is used exclusively to improve customer support and to monitor and safeguard the capacity of the overall system.

Customer consent (myconvento user company)

By using myconvento, the user company agrees to Convento collecting and using data to the extent described above. The rapid development of the Internet makes it necessary to amend our data protection policy from time to time. As a customer, you will be notified by e-mail about any amendments to our data protection policy. The current version can be viewed at any time on our website at

Further Information

If you have any queries, requests or comments on the issue of data protection, please email us in the first instance at .

Data protection at Convento is also consistently monitored and supported by our external data protection officer:

Mr. Axel Krause, lawyer
Law firm Geerkens – Frommen – Krause
Drususallee 84
41460 Neuss
