Data Protection Policy of Convento GmbH, Neuss

for users of myconvento

As of May 25, 2018, Germany and the remaining EU member states are required to comply with and enforce the requirements of the EU General Data Protection Regulation (hereafter, GDPR). In Germany, the new Federal Data Protection Act (hereafter, “BDSG-new”), which builds on and implements the GDPR, will enter into force at the same time and, together with the GDPR, will replace the current Federal Data Protection Act (BDSG-old), which remains in effect through May 25, 2018.

As a data processor defined in Art. 4 GDPR, Convento GmbH (hereafter, “Convento”) processes personal data which its customers as controllers make available in myconvento for the performance of a contract to which the data subject is party. Personal data means any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Specifically, it refers to address and communication data and other distinctive particulars of journalists, bloggers, other “influencers” of the customer, and publishers.

Convento respects its customers’ right to and ownership of their data, ensuring full data protection and privacy for data subjects, and is committed to do whatever it takes to measure up to our customers’ expectations.

Territorial scope

Customer data are processed exclusively within the territory of the Federal Republic of Germany. Since 2015, Convento has operated its customer systems at a specialized data processing center certified to ISO 27001 in D-40472 Düsseldorf at myloc managed IT AG (

Disclosure of personal information to third parties, subcontracts

Convento itself does not use the personal data provided by its customers, but makes them available only to the relevant customer on the server farm rented at the data center of myLoc managed IT AG (data processing center certified to ISO 27001), Am Gatherhof 44, D-40472 Düsseldorf. At the center, the data are integrated in the customer’s database and then made available exclusively to the customer.
If any part of a contract is subcontracted – always strictly with the prior written consent of the customer – Convento will ensure that its subcontractors comply to the same degree with the stringent data protection and data security standards. The rights of inspection and review of the customer vis-à-vis Convento also apply to any subcontractors.

While general supply services (e.g. telecommunication, maintenance, support, cleaning) are excluded from this provision, Convento generally has appropriate data protection and data security agreements in place with such partners.
Personal data will be collected and forwarded to governmental institutions and authorities strictly within the scope of current legislation. In such case, Convento agrees – to the extent permitted by law – to give the customer due notice in writing of the disclosure. Convento does not use any service providers that fall within the ambit of the U.S. Patriot Act and the U.S. Freedom Act.

Obligations of the customer

As “controller” within the meaning of Article 4 no. 7 of the GDPR, the customer is responsible for the lawfulness of work assigned to Convento and for safeguarding the rights of data subjects. The customer is required to place or confirm all orders and add-ons in writing. The same applies to mutually agreed amendments to contents, processes, the scope and any other components of the contract. Instructions issued verbally by the customer must immediately be confirmed in writing.

The customer will provide a responsible contact person competent to issue instructions and make or enforce prompt decisions on matters relating to the execution of the contract. This contact person will ensure that the myconvento users of the customer are familiar and comply with this policy.
The customer’s administrator specifies the users in myconvento. Each user is provided with personal login data (user ID and password) and urged not to use passwords that are easy to spy out and not to carry with them any written password reminders.
Any access to myconvento (“user account”) which is no longer required for a user must immediately be deleted by the customer. The customer will notify Convento without undue delay if errors are found in the execution of the contract or in the job results.

Obligations of Convento GmbH

Convento processes personal data strictly within the agreed limits and as instructed in writing by the customer. The data provided will not be used for any other purposes. No copies or duplicates will be made without the customer’s knowledge.
Convento does not generally maintain or process data for customers and is not, therefore, required to keep detailed data processing records that enable the customer to verify proper data processing. Convento will process data only where so specifically instructed in writing by the customer, in which case, and only then, Convento will keep basic data processing records. These will detail in the context of a log report which Convento employee viewed or processed which data of which customer and when. Convento will store this documentation for the long term.
Convento handles personal data in compliance with all applicable provisions of the Data Protection Act, the Telemedia Act (TMG) and the Telecommunications Act (TKG). On request, Convento will provide the customer with the information stipulated in Art. 30 (2) GDPR (records of processing activities carried out on behalf of a controller).

In accordance with Art. 32 GDPR, Convento uses appropriate technical and organizational measures (TOM) to protect personal data as best as possible against accidental or unlawful manipulation, loss, destruction or access by unauthorized persons. These measures are continuously improved in line with the state of the art.
All employees, suppliers and partners of Convento are obligated to maintain data confidentiality in accordance with the provisions of Section 53 BDSG-new and, in addition, bound to professional secrecy, if any (e.g. banking secrecy).
Convento will notify the customer promptly if the property of the customer at Convento is at risk as a result of third-party action (such as attachment or seizure, insolvency or composition proceedings, etc.).

Rights of the Customer

Convento will grant the customer or an auditor mandated by the customer unhindered access to its premises as needed for monitoring purposes in accordance with Section 64 (3) no. 12 BDSG-new. In particular, Convento will allow the customer to inspect the data stored for the customer or in connection with the contract as well as the processing operations used in order to verify compliance with the technical and organizational measures (TOM) implemented.

To this end, the auditor will be given access equivalent to the rights of the relevant customer. If in exceptional cases the customer permits data to be processed in private homes, Convento will ensure that the aforesaid inspections can also be performed in these homes. Convento affirms that it has obtained the consent of all occupants of these private homes to this arrangement.

Rights of data subjects

Any persons whose data are stored on Convento systems, irrespective of whether these were collected by the controller or by Convento, are entitled at no cost to obtain information on the data stored about them.

Data subject groups usually include journalists, bloggers, other “influencers” of the customer and/or other contacts in public relations, such as customers, prospects, employees as defined by Section 26 BDSG-new, subscribers, suppliers, sales representatives or shareholders.
The data subject has the right to rectification, erasure or blocking of their data stored in myconvento. Where Convento has processed data on behalf of the controller, Convento will promptly forward the data and the complaint to the controller. Alternatively, the customer may authorize Convento in writing to deal on its behalf with the complaint of the data subject.

Rights of Convento GmbH

If the customer issues Convento with instructions under a contract which may violate applicable data protection laws, Convento will notify the customer without delay and may delay acting on the instructions until the matter has been resolved.
Where compliance with data protection and/or data security measures is monitored by the customer, either itself or through another party, Convento is entitled to bill the customer for the work performed on a time basis for each hour or part thereof at the standard hourly rates applicable at Convento. Verifications via the user account are obviously free of charge.

Technical and organizational data protection measures (TOM)

Convento has implemented appropriate technical and organizational measures (TOM) in accordance with Section 64 BDSG-new. In addition, all obligations to be met under the applicable data protection laws and other legal requirements are monitored by a data protection officer (see below). Convento undertakes to comply with and document the measures specified in Section 64 BDSG-new during operation and to make the records available to the customer on request. The same applies to any measures agreed with the customer for the exchange, provision, processing, keeping, release and transfer of data.

As proof of the technical and organizational measures implemented, Convento will make available to the customer all pertinent records, logs and reports it keeps, including those from independent authorities. Convento reserves the right to implement measures reflecting the latest technical and organizational progress that meet at least the same data protection and data security requirements as those specified in the Appendix.
A specified chain of communication ensures prompt notification of the customer in case of control activities, measures and monitoring in accordance with Section 40 BDSG-new or in accordance with Art. 83 GDPR. Convento will also notify the customer promptly of any violation of regulations relating to the protection of the customer’s personal data (e.g. in accordance with Art. 33 GDPR) or of stipulations in the contract either by itself or by any employees, and of serious disruptions to operations. The same applies even at the mere suspicion of such incidents.
Convento will promptly notify the following cases, whatever their reason and even if only suspected:

  • serious disruption of operations
  • significant irregularities in the handling of the customer’s personal data
  • personal data breach in accordance with Art. 33 GDPR
  • unlawful transmission of personal data
  • where personal data may have come to the knowledge of third parties in an unlawful manner

In agreement with the customer, Convento will take appropriate action to protect the data and to minimize any adverse consequences for the data subjects. Where applicable, Convento will assist the customer as controller in ensuring compliance with any specific reporting obligations under Art. 33 or 34 GDPR.

Convento will regularly review all customer contracts in the context of contract monitoring tasks to verify their execution and completion. The arrangements and measures relating to contract execution are checked for compliance and amended where necessary.

Type of data, data carriers

The type of data will be specified in the contract. These may include:

  • Key personal data, communication data (e.g. telephone, email), contact history
  • Key contract data (contractual relationship, product or contract involvement)
  • Contract billing and payment data
  • Information (from third parties, e.g. information offices, or from public registers)

Convento will identify all data carriers provided by, or used for, the customer by name. Their receipt and return will be documented. External data carriers for data backup are also encrypted for security purposes in case of transport between locations.
The handling of disused data carriers is governed by the internal data protection concept applicable to all employees. These data carriers will always be passed to the IT department. Optical data carriers are shredded; damaged hard disks, USB sticks and other data storage devices are kept under lock and key until their destruction in compliance with data protection regulations.


In accordance with the statutory provisions, Convento will be liable to the customer for any damage caused by its employees or by any party commissioned by it with the execution of the contract as a result of willful or grossly negligent action in the performance of the contract. The burden of proof is on the customer. Where damage to property or financial loss is due to negligence, Convento and its vicarious agents will be liable only where breach of a fundamental obligation has occurred. In such case, liability is limited to the foreseeable, typically occurring damage upon contract conclusion. Only one claim may be brought for the action of a single Convento employee.

The customer is primarily liable for damages which a data subject has suffered as a result of unlawful data processing pursuant to the data protection regulations.

Under Art. 82 (2) sentence 2 GDPR, Convento is liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. If both the customer as controller and Convento as processor are involved in the same processing, both will be held liable for the entire damage in order to ensure effective compensation of the data subject in accordance with Art. 82 (4) GDPR.

End of job and contract

At the end of the contractual relationship, Convento will return all records of the customer and any files, data carriers and documents relating to the contract to the customer or, in agreement with the customer, dispose of them in accordance with the data protection regulations. Convento will subsequently confirm the deletion or destruction in accordance with the data protection regulations.
Convento will retain data provided for processing only as long as stipulated by law or by the customer. Records containing personal data that are no longer required will be destroyed in accordance with the data protection regulations only where so instructed in writing by the customer. Convento will keep all test and substandard material under lock and key until it is either deleted by Convento in accordance with the data protection regulations or passed to the customer. Convento will confirm the destruction of customer records and document the delivery of documents to the customer.
Convento may continue to store and use data for accounting and billing purposes beyond the end of the contract or after the deletion of personal data.

The customer may terminate the contract without notice at any time if Convento is found in serious breach of provisions under the Data Protection Act or the underlying contract, if it cannot or will not comply with a lawful instruction issued by the customer under the Data Protection Act and advises the customer thereof in writing, or contrary to the contract denies the customer access.

Automatic logging of user behavior

myconvento uses “cookies” to make its use more convenient for the customer. Cookies store information such as the login data of website users to save having to re-enter the data on every visit to the website. Most browsers are set to automatically accept cookies. In addition, myconvento records the general intensity of a customer’s use of myconvento. This information is used exclusively to improve customer support and to monitor and safeguard the capacity of the overall system.

Customer consent (myconvento user company)

By using myconvento, the user company agrees to Convento collecting and using data to the extent described above. The rapid development of the Internet makes it necessary to amend our data protection policy from time to time. As a customer, you will be notified by e-mail about any amendments to our data protection policy. The current version can be viewed at any time on our website at

Further Information

If you have any queries, requests or comments on the issue of data protection, please email us in the first instance at .

Data protection at Convento is also consistently monitored and supported by our external data protection officer:

Mr. Axel Krause, lawyer
Law firm Geerkens – Frommen – Krause
Drususallee 84
41460 Neuss
