Privacy policy of BPM&O GmbH

The provisions of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”) apply throughout Europe. We would like to inform you about the processing of personal data carried out by our company in accordance with this regulation (see Articles 13 and 14 GDPR). If you have any questions or comments about this privacy policy, you can send them at any time to the e-mail address given in section 2 or 3.

Contents

A. Overview

  1. Scope of application
  2. Controller
  3. Data protection officer

 

B. Data processing in detail

  1. General information on data processing
  2. Accessing the website
  3. Contacting us by email or chat
  4. Newsletter
  5. Consulting
  6. Further training
  7. Digital collaboration, training and events
  8. E-learning platform
  9. Market studies, e-books and white papers
  10. Events
  11. Application
  12. Tracking

 

C. Right of data subjects

  1. Right to object
  2. Right of access
  3. Right to rectification
  4. Right to erasure (“right to be forgotten”)
  5. Right to restriction of processing
  6. Right to data portability
  7. Right to withdraw consent
  8. Right to lodge a complaint

D. Glossary

 

A. Overview

The following data protection information informs you about the type and scope of the processing of so-called “personal data” by BPM&O GmbH. Personal data is information that is or can be directly or indirectly assigned to your person.

1. Scope of application

In this section of the privacy policy, you will find information on the scope of application, the data controller, its data protection officer and data security.

All data required for the execution of a contract with BPM&O GmbH is processed for the purpose of contract execution. If external service providers are also involved in the execution of the contract, e.g. cooperation partners, logistics companies or payment service providers, your data will be passed on to them to the extent necessary in each case.

When you access a website operated by BPM&O GmbH, various information is exchanged between your end device and our server. This may also involve personal data. The information collected in this way is used, among other things, to optimize our website.

This privacy policy applies to the following offer:

  • our online offer for consulting services available at bpmo.de; our online offer for further training available at bpm-akademie.de;
  • our e-learning platform available at bpmo-elearning.com;
  • our internet portal and online store available at bpm-expo.de;
  • whenever reference is made to this privacy policy from one of our offers (e.g. websites, subdomains, mobile applications, web services or integrations in third-party sites), regardless of how you access or use it.

All of these offers are also referred to collectively as “services”.

2. Responsible persons

The data controller – i.e. the party that decides on the purpose and means of processing personal data – in connection with the Services:

BPM&O GmbH , Domstr. 37 , 50668 Cologne 

Phone.: +49 (0)221 99787520 

Fax: +49 (0)221 99261607 

E-Mail: info@bpmo.de 

3. Data protection officer

You can contact our external data protection officer as follows:

DS EXTERN GmbH, Dipl.-Kfm. Marc Althaus   

Frapanweg 22
22589 Hamburg  

Contact form: https://www.dsextern.de/anfragen 

 

B. The data processing in detail

In this section of the privacy policy, we inform you in detail about the processing of personal data in the context of our services. For the sake of clarity, we organize this information according to certain functionalities of our services. During normal use of the services, different functionalities and therefore also different processing operations may be carried out consecutively or simultaneously.

1. General information on data processing

Unless otherwise stated, the following applies to all processing described below:

a. No obligation to provide

There is neither a contractual nor a legal obligation to provide personal data. You are not obliged to provide data.

b. Consequences of non-provision

In the case of required data (data that is marked as mandatory when it is entered), failure to provide it will mean that the service in question cannot be provided. Otherwise, failure to provide the data may mean that our services cannot be provided in the same form and quality.

c. Consent

In various cases, you have the option of giving us your consent to further processing in connection with the processing described below (possibly for part of the data). In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of the consent and about the purposes that we pursue with this processing.

d. Transfer of personal data to third countries

If we transfer data to third countries, i.e. countries outside the European Union, the transfer takes place exclusively in compliance with the legally regulated admissibility requirements. The admissibility requirements are regulated by Art. 44-49 GDPR.

e. Hosting with external service providers

Our data processing is carried out to a large extent with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centers and also process personal data on our behalf in accordance with our instructions. These service providers either process data exclusively in the EU or we have guaranteed an appropriate level of data protection with the help of the EU standard data protection clauses.

f. Transmission to state authorities

We transfer personal data to state authorities (including law enforcement authorities) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 para. 1 c) GDPR) or if it is necessary for the assertion, exercise or defense of legal claims (legal basis Art. 6 para. 1 f) GDPR).

g. Storage period

We do not store your data for longer than we need it for the respective processing purposes. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary storage is still necessary. Reasons for this may include the following:

  • The fulfillment of retention obligations under commercial and tax law
  • The preservation of evidence for legal disputes within the framework of the statutory limitation periods

It is also possible for us to continue to store your data with us if you have expressly given your consent for this.

h. Categories of recipients

In addition to the categories of recipients explicitly listed below, personal data is also transmitted to the following categories of recipients: Cooperation partners, shipping service providers, telephone and fax providers.

i. Data categories

  • Personal master data: Title, form of address/gender, first name, surname, date of birth
  • Address data: street, house number, address supplements if applicable, zip code, city, country
  • Contact data: Telephone number(s), fax number(s), e-mail address(es)
  • Access data: Date and time of the visit to our service; the page from which the accessing system reached our site; pages accessed during use; session identification data (session ID); also the following information of the accessing computer system: internet protocol address used (IP address), browser type and version, device type, operating system and similar technical information
  • Account data: Login/user ID and password
  • Login data: Information about the service through which you have registered; times and technical information about registration, confirmation and deregistration; data provided by you during registration
  • Training data: Information on seminars attended (face-to-face, digital, e-learning), learning progress (certificate program, e-learning), certificates obtained
  • Order/order data: Products/services ordered, prices, payment and delivery information
  • Payment data: Account data
  • Application data: Curriculum vitae, references, certificates, work samples, certificates, pictures

 

2. Calling up the website

This section describes how we process your personal data when you access our services. In particular, we would like to point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functioning of information transmission on the Internet.

a. Information on processing

Data category
Access data
Purpose
Establishing a connection, displaying content of the service, detecting attacks on our website based on unusual activities, diagnosing errors
Legal basis
Art. 6 Para. 1 f) GDPR
Legitimate interest, if applicable
Proper functioning of the services, securing of data and business processes, preventing misuse, preventing of damage through interference with information systems
Storage period
7 days

b. Recipient of the personal data

Category of recipients External content providers* Website service provider Hosting service providers
Data concerned Access data
Legal basis Art. 6 Para. 1 f) GDPR Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable Proper functioning of the services, (accelerated) display of content, added value for the user

3. Contact by e-mail or chat

You can find out how we process your personal data when you contact us by e-mail or chat here:

a. Information on processing

Data category
Personnel master data, address and contact data
Content from e-mail or chat
Purpose
Processing of inquiries
Contract initiation / provision of services
Legal basis
Art. 6 Para. 1 f) GDPR
Art. 6 Para. 1 f) GDPR
Legitimate interest,
if applicable
Customer loyalty, improving our services
Customer loyalty, improving our services
Storage period
1 year, 10 years archiving of data
1 year, 10 years archiving of data

 

b. Recipient of personal data

Categories of recipients
E-mail service provider
Mail archiving service provider
Chat service provider
Affected data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
Legal basis
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Legitimate interest,
if applicable

 

4. Newsletter

In the following, we describe what happens to your personal data in context of a subscription to our newsletter:

a. Information on processing

Data category
Contact data
Personnel master data
Login data
Purpose
Verifying registration (double opt-in), sending newsletter
Personalizing the newsletter
Tracing registration/ confirmation/ cancellation of the newsletter
Legal basis
Art. 6 Para. 1 a) GDPR
Art. 6 Para. 1 f) GDPR
Art. 6 Para. 1 f) GDPR
Legitimate interest,
if applicable
Personalizing the newsletter, possible direct customer contact
Proof of registration/ confirmation/ cancellation of the newsletter
Storage period
Duration of newsletter subscription
Duration of newsletter subscription
Duration of newsletter subscription

 

b. Recipient of personal data

Categories of recipients
Newsletter service provider
Affected data
All under a. mentioned data
Legal basis
Data processing on behalf (Art. 28 GDPR)
Legitimate interest,
if applicable

 

5. Consulting

The following information describe how your personal data is processed when you contact us about consulting services:

a. Information on processing

Data category
Personnel master data, address and contact data, order data, content from e-mails
Purpose
Consulting in Process Management und process-oriented management
Legal basis
Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48
Legitimate interest,
if applicable
Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period
10 years archiving of data

 

b. Recipient of personnel data

Categories of recipients
E-mail service provider
Mail archiving service provider
Document management service provider
CRM service provider
Resources/ project management service provider
Accounting service provider
Survey tool provider
Cooperation partner
Affected data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
Legal basis
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

 

6. Advances Training

The following information describe how your personal data is processed when you contact us about advanced training of BPM&O Akademie:

a. Information on processing

Data category
Personnel master data, address and contact data, training data, order data, content from e-mails
Documents for admission to the certification examination
Purpose
Conducting seminars and training in Process Management und process-oriented management
Examining of admission requirements, registering for certification examination
Legal basis
Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48
Art. 6 Para. 1 b) GDPR
Legitimate interest,
if applicable
Acquiring new customers, fulfilling customer orders, increasing company’s turnover
fulfilling customer orders
Storage period
10 years archiving of data
10 years archiving of data

 

b. Recipient of personal data

Categories of recipients
E-mail service provider
Mail archiving service provider
Document management service provider
CRM service provider
Resources/ project management service provider
Accounting service provider
Platform service provider
Hosting service provider
Webinar/ online meeting tool provider
Cooperation partner
Affected data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
All under a. mentioned data
Legal basis
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

 

7. Digital collaboration, training and events

The following information describe how your personal data is processed when you contact us about services relating to BPMO.digital:

a. Information on processing

Data category Personnel master data, address and contact data, account data, login data, training, order data, content from e-mails
Purpose Providing information and consulting regarding the platform BPMO.digital, conducting workshops, training and events on the platform
Legal basis Art. 6 Para. 1 b), f) GDPR, Recital 47-48
Legitimate interest,
if applicable
Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period 10 years archiving of data

 

b. Recipient of personal data

Categories of recipients E-mail service provider Mail archiving service provider Document management service provider CRM service provider Resources/ project management service provider Accounting service provider Platform service provider Hosting service provider Webinar/ online meeting tool provider Cooperation partner
Affected data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data
Legal basis Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

 

8. E-Learning Platform

The following information describe how your personal data will be processed when you contact us about digital training services relating to the BPM&O E-Learning Platform:

a. Information on processing

Data category Personnel master data, address and contact data, account data, login data, training, order data, content from e-mails
Purpose Digital training in Process Management and process-oriented management
Legal basis Art. 6 Para. 1 b), f) GDPR, Recital 40 and 44 and respectively 47-48
Legitimate interest,
if applicable
Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period 1 year, 10 years archiving of data

 

b. Recipient of personal data

Categories of recipients E-mail service provider Mail archiving service provider Document management service provider CRM service provider Academy management service provider Accounting service provider Platform service provider Hosting service provider Cooperation partner
Affected data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data
Legal basis Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

 

9. Market studies and White Paper

The following information describe how your personal data is processed when you download our market studies and/or white papers:

a. Information on processing

Data category Personnel master data, address and contact data
Purpose Providing information and consulting regarding the market studies and white paper
Legal basis Art. 6 Para. 1 f) GDPR, Recital 47-48
Legitimate interest,
if applicable
Acquiring new customers, fulfilling customer orders, increasing company’s turnover
Storage period 1 year, 10 years archiving of data

 

b. Recipient of personal data

Categories of recipients E-mail service provider Mail archiving service provider Document management service provider CRM service provider Website service provider Hosting service provider Cooperation and sales partner
Affected data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data
Legal basis Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

10. Events

The following information describe how your personal data is processed when you contact us for an (online) event, e.g. BPM-Club Meetings, CPO Circle or CPOs@BPM&O:

a. Information on processing

Data category Personnel master data, address and contact data, account data, login ata (online events)
Purpose Organizing and conducting events and conferences on Process Management and process-oriented management
Legal basis Art. 6 Para. 1 f) GDPR, Recital 47-48
Legitimate interest,
if applicable
Acquiring new customers, building the reputation of the company
Storage period 1 year, 10 years archiving of data

 

b. Recipient of personal data

Categories of recipients E-mail service provider Mail archiving service provider Document management service provider CRM service provider Website service provider Hosting service provider Webinar/online meeting service provider Accounting service provider Ticketing management service provider Cooperation and sales partner
Affected data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data All under a. mentioned data
Legal basis Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

11. Application

In an ongoing application process, we process your personal data in the following way:

a. Information on processing

Data category Personnel master data Address and contact data Application documents
Purpose Identification, contact, age verification Identification, contact, communication to initiate a contract Applicant selection
Legal basis Art. 6 Para. 1 b) GDPR Art. 6 Para. 1 b) GDPR Art. 6 Para. 1 b) GDPR
Legitimate interest, if applicable
Storage period 6 months 6 months 6 months

 

b. Recipient of personal data

Categories of recipients E-mail service provider Mail archiving service provider Document management service provider
Affected data All under a. mentioned data All under a. mentioned data All under a. mentioned data
Legal basis Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR) Data processing on behalf (Art. 28 GDPR)
Legitimate interest, if applicable

12. Tracking

In the following, we describe how your personal data is processed using tracking technologies to analyze and optimize our services and for advertising purposes.

The description of the tracking also contains information on how you can prevent or object to data processing. Please note that this so-called “opt-out”, i.e. rejection to data processing, usually is saved via cookies. If you use our services via a new device or in a different browser, or if you have deleted the cookies set by your browser, you must declare your rejection again.

The tracking described in the following process personal data only in a pseudonymous form. A connection with a specific, identified natural person, i.e. merging of data with information about the person behind the pseudonym, does not take place.

Purpose of the tracking is to analyze and optimize our services and their usage as well as to measure the success of advertising campaigns and optimize the display of advertising.

a. Purpose of data processing

The analysis of user behavior by means of tracking helps us to review the effectiveness of our services, to optimize them and to adapt them to the needs of the users as well as to correct errors. In addition, it is used to statistically determine key values about the usage of our services (range, usage intensity, surfing behavior of users) – based on uniform standard procedures – and thus to obtain values that are comparable across the market.

Tracking to measure the success of advertising campaigns is used to optimize our ads for the future and to enable marketers and advertisers to optimize their ads accordingly. Tracking to optimize the display of advertising has the purpose of showing users advertising tailored to their interests, increasing the success of the advertising and thus also the advertising revenue.

b. Legal basis

Consent according to Art. 6 Para. 1 Letter a in conjunction with Art. 4 No. 11, 7 Para. 3 GDPR in conjunction with Recital 32, 40, 42, 43.

c. Tracking technology used in detail

Name of tracking service Google Analytics, Google Optimize, Google Ads Remarketing, Google Tag Manager, LinkedIn Insight, SnapEngage, Facebook Pixel, Gravatar
Functionality Web analysis
Option for prevention of data processing You can change your selected cookie settings via this link: opt-out link
Furthermore, you can deactivate Google services via this website or install a JavaScript blocker for your browser, such as the browser plugin NoScript (e.g., www.noscript.net or www.ghostery.com).
Transfer to third countries? Yes
Adequacy decision, if applicable (Art. 45 GDPR)
Appropriate guarantees, if applicable (Art. 46 GDPR) EU-US Privacy Shield
https://www.privacyshield.gov/list

C. Data subject rights

1. Right to object

If we process your personal data to conduct direct mail, you have the right to object to the processing of your personal data for the purpose of such advertising at any time with effect for the future.

You also have the right, for reasons that arise from your particular situation, to object to the processing of your personal data, which is carried out in accordance with Art. 6 Paragraph 1 Letter e) or f) GDPR at any time with effect for the future.

You can exercise your right to object free of charge. You can contact us using the contact details given under A.2.

2. Right of access to personal data

You have the right to find out whether we are processing your personal data, what kind of personal data this may be, and further information in accordance with Art. 15 GDPR.

3. Right of rectification

You have the right to request from us to rectify any incorrect personal data without delay (Art. 16 GDPR). Taking the purposes of the processing into account, you have the right to request the completion of incomplete personal data – including by means of a supplementary declaration.

4. Right to erasure (“right to be forgotten”)

You have the right to request from us to immediately delete your personal data if one of the reasons stated in Art. 17 Para. 1 GDPR applies and the processing is not required for one of the purposes regulated in Art. 17 Para. 3 GDPR.

5. Right to restriction of processing

You are entitled to request a restriction in the processing of your personal data if one of the conditions in Art. 18 Para. 1 a) to d) GDPR is fulfilled.

6. Right to data portability

You have the right to receive personal data that you have provided to us in a structured, common and machine-readable format. You also have the right to transmit this data to another person responsible without hindrance from us or to have us transmit it directly, provided that this is technically possible. This shall always apply if the basis for data processing is consent or a contract and the data is processed automatically. This does not apply to data that is only kept in paper form.

7. Right to rescission

If the processing is based on your consent, you have the right to withdraw your consent at any time. This does not affect the legality of the processing carried out based on the consent up to the rescission.

8. Right to appeal

You have the right to file a complaint with a supervisor authority..

D. Glossary

Data processor: A natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

Browser: Computer program for visiting websites (e.g. Chrome, Firefox, Safari)

Cookies: In connection with the World Wide Web, a cookie describes a small text file that is stored locally on the user’s computer when a website is visited. This file stores data about the behavior of the user. If the browser is accessed and the corresponding website is visited repeatedly, the cookie is applied and uses the stored data to give the web server information about the user’s surfing behavior.

In this context, cookies are about information that a website saves locally in a small text file on the user’s computer. This can involve settings on a page that the user has made, but also information that the website has collected completely independently from the user. These locally stored text files can later be read out again by the same web server from which they were created. Most browsers accept cookies automatically. You can manage cookies using the browser functions (mostly under “Options” or “Settings”). This means that the storage of cookies can be deactivated, made dependent on your consent in individual cases, or otherwise restricted. You can also delete cookies at any time.

Third countries: Country that is not bound by the legal requirements of the EU data protection directive (country outside the EEA)

Personal data: All information relating to an identified or identifiable natural person. A natural person is regarded as identifiable if the person can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

Pixel: Pixels are also called counting pixels, tracking pixels, web beacons or web bugs. They are small, invisible graphics in HTML e-mails or on websites. When a document is opened, this small image is loaded from a server on the Internet, and the download is registered there. In doing so, the operator of the server can see whether and when an e-mail was opened or a website was visited. This function is usually implemented by activating a small program (Javascript). In this way, certain types of information can be recognized and passed on to your computer system, such as the content of cookies, the time and date of the page view and a description of the page on which the tracking pixel is located.

Services: Our offers to which this privacy notice applies (see A.1. Scope).

Tracking: The collection of data and its evaluation with regard to the behavior of visitors to our services.

Tracking technologies: Tracking can take place both via the activity protocols (log files) stored on our web servers and by collecting data from your device using pixels, cookies and similar tracking technologies.

Processing: Any process or series of processes carried out with or without help of automated procedures in context to personal data such as the collection, recording, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, erasure or destruction.

The current version of our privacy policy is also available for you to download as a PDF document. (german)

Download Download Icon