Data Protection OneTrust

The following information informs you about how we process personal data when you use OneTrust. This information serves to comply with the General Data Protection Regulation (GDPR). Personal data is every piece of information that can be related to an identified or identifiable natural person.

1. Who is accountable for the use of my data?

For the operation and maintenance of the OneTrust software platform, Bertelsmann SE & Co. KGaA is the accountable Controller (hereinafter Platform Controller).

Bertelsmann SE & Co. KGaA
Carl-Bertelsmann-Straße 270
33335 Gütersloh
Germany
E-Mail: datenschutz@bertelsmann.de

For entries made in OneTrust and data processed by use of the software, the company which initiated the respective action is the accountable Controller (hereinafter Content Controller).
Information about the identity of the Content Controller can be retrieved from your involvement / invitation email or can be collected from the Platform Controller.
The above indicated companies are separately accountable for their use of personal data in OneTrust.
You can contact the companies by the means indicated above, stating the subject of your query. Where you want to contact the responsible data protection officer directly, add “Attention Data Protection Officer” to the address.

2. What data are concerned?

OneTrust is a software platform used for professional purposes only and in particular for documentation of business activities from a data protection perspective. OneTrust therefore processes only data about you that concern your workplace involvement.
For the above stated purpose, Platform Controller processes your name (first and last name), your Email-address, and your company affiliation (that you work for a certain company). Given that OneTrust is a software application, it is accessed via a web browser. Platform Controller therefore also processes your IP address.
In addition to the data processed by Platform Controller, Content Controller processes your user role in OneTrust and the permissions affiliated with it within the tool. Moreover, data concerning you can be included within the documentation created by the Content Controller (e.g. if you are a contact person for a specific business process), and you can be assigned as Process, Business and/or Risk Owner. In each case, you will be notified by Content Controller about it.

3. Which cookies are used?

OneTrust uses non-persistent session cookies to provide consistent access to the tool. Cookies are small text files which are stored on your computer when you access OneTrust via your browser. Upon revisit, as well as during your stay on our website, the cookie enables the tool to remember you so that you don’t have to log in every time you access a new area in the tool. The cookies used by OneTrust are non-persistent, which means they are deleted as soon as you close your browser. You can also control how cookies are treated on your computer by adjusting the settings of your internet browser. Please note, however, that if you disable all cookies that way, you might not be able to use all of OneTrust’s features properly.

4. Which data are used for which purpose?

The data used (see above in section 2) are determined by the purpose for which they are processed. Purposes for processing personal data within OneTrust differ slightly due to the Joint Controllership between the Platform Controller and Content Controller.

The purposes for which the Platform Controller processes personal data are:

  • To create and ensure platform access
  • To ensure system performance
  • To provide support, training and trouble shooting

The purposes for which the data are processed by the Content Controller are in general solely determined by the Content Controller. They usually include, without limitation:

  • Operation and User management
  • To enable involvement in the documentation
  • To reflect business realities (Business, Process and/or Risk Ownership)
  • To provide notifications about changes and serve as a means of contact

You can find further information about each used feature as well as the underlying purposes in the following sections.

4.1 Technical provision by the Platform Controller

4.1.1 Description and extent of the processing

For the provision of OneTrust, including regular performance and security checks, server log files and IP addresses are stored as part of the information when the platform is accessed. These log files contain the information and possibly personal data as indicated in section 2 above. Log files are used for the purposes of technical provision only and they are not merged with any other data. They are available only to Platform Controller. Part of the technical provision is a regular reviewing procedure that is designed to detect fraud, hacking and other forms of disruptive behavior.

4.1.2 Purposes and legal basis for the use of personal data

The legal basis for the use of such access data is to be found in Art. 6 sec. 1 lit. f GDPR. Our interest is the undisturbed, resilient and performant operation as well as working access. Given the minor effect on the data subject due to the limited amount of data used and the minimal number of people having access to these data, our interest prevails.

4.1.3 Duration of storage

After you access our website, we store the server log files, including your IP address, for 90 days. Any analyses of these data are conducted only in case of a disruptive event involving these data and only by Platform Controller.

4.1.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above.

4.2 Contact form, Email or phone contact to Platform Controller

4.2.1 Description and extent of the processing

In the tool, you are offered different means to get in contact with the Platform Controller (hereinafter “we”). If you use one of them, the data affiliated with that means (e.g. the Email address you use in the contact form, or your phone number if you choose to call us) and of course your request will be recorded, so that you can be provided with a solution. The same applies to your query: if you use one of those means to address a question to us, we will store and use that request in a form that is linked to you as long as we need it to process it properly. Where this is necessary, some or all of the data collected under this clause can be transmitted to other entities, provided we need their support to answer your request. In that situation we ensure that the recipient has implemented a proper level of protection as well.

4.2.2 Purposes and legal basis for the use of personal data

The legal basis for using data in this regard is to be found in Art. 6 sec. 1 lit. f GDPR. Our shared interest is that you receive an adequate answer. Hence, for the time necessary for this endeavor, there is no overriding interest that prevails and excludes the data processing unless you object.

4.2.3 Duration of storage

After responding to your request and the end of any further communication, the information you provided for the purpose of the query will be erased, unless your query aimed at exercising one of your data subject rights. In that situation, we will keep records as long as necessary in order to demonstrate our compliance with your data subject request.

For data subject requests under Chapter III of the GDPR, records are kept for three years pursuant to sec. 195 German Civil Code.

4.2.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above. Where you object to the use of your data, we might not be able to respond to your request anymore.

4.3 Operation and Support by Platform Controller

4.3.1 Description and extent of the processing

Where problems occur during your use of OneTrust, Platform Controller offers support and assistance. Data that may be concerned for this purpose can be any data contained in the documentation itself, in addition to the data indicated above in section 2. Where this is necessary, some or all of the data collected under this clause can be transmitted to third parties, provided we need their support to answer your request. In that situation we ensure that the recipient has implemented a proper level of protection as well.

4.3.2 Purposes and legal basis for the use of personal data

The legal basis for using data in this regard is to be found in Art. 6 sec. 1 lit. f GDPR. Our shared interest is to provide you with adequate support. Hence, for the time necessary for this endeavor, there is no overriding interest that prevails and excludes the data processing unless you object.

4.3.3 Duration of storage

After responding to your request and the end of any further communication, the information you provided for the purpose of the query will be erased, unless your query aimed at exercising one of your data subject rights. In that situation, we will keep records as long as necessary in order to demonstrate our compliance with your data subject request.
For data subject requests under Chapter III of the GDPR, records are kept for three years pursuant to sec. 195 German Civil Code.

4.3.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above. Where you object to the use of your data, we might not be able to respond to your request anymore.

4.3 User management

4.3.1 Description and extent of the processing

OneTrust offers ways to collaboratively document processing activities. Therefore, users play an important role. The Platform Controller ensures the proper functioning of roles and permissions, while the Content Controller is responsible for ensuring that persons are assigned accordingly. The Content Controller is therefore the responsible Controller regarding user management, including creating and deactivating user accounts, re-assigning persons and granting permissions.
For this purpose, your user account data (Email, name, company affiliation and permissions of the user role) is processed by the Content Controller. If there are malfunctions with roles and permissions, Platform Controller may access these data as well in order to restore proper functioning, which may additionally include login data. These are exclusively available to Platform Controller.

4.3.2 Purposes and legal basis for the use of personal data

The legal basis for using data in this regard is to be found in Art. 6 sec. 1 lit. f GDPR. Our shared interest is to comply with data protection duties, especially documentation duties. Where this documentation requires collaboration or involvement, there is no overriding interest that prevails and excludes the data processing.

4.3.3 Duration of storage

The above enumerated data are processed (stored) for the time your account remains active. Accounts remain active for the time of your employment or for the time of your responsibility for data protection documentation, whichever expires first. In addition to this period, the data of deactivated users remain stored for three years pursuant to sec. 195 German Civil Code in order to ensure accountability and traceability.

4.3.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Content Controller responsible for your account. Where you object to the use of your data, you might not be able to participate in the documentation of your company anymore.

4.4 Use of the tool for documentation by Content Controller

4.4.1 Description and extent of the processing

The tool is used by subsidiaries of the Platform Controller as a basis to document business activities which are relevant in regard to data protection. To this end, Content Controller regularly processes names, Email-addresses, company affiliation, and responsibilities that might come with your job (such as Contact Person, Risk, Business or Process Owner).
The Content Controller is free in how it uses the tool. Hence, where required by law or by the documented business case, additional data might be contained in the documentation.

4.4.2 Purposes and legal basis for the use of personal data

The legal basis for using data in this regard is to be found in Art. 6 sec. 1 lit. f GDPR. Our shared interest is to comply with data protection duties, especially documentation duties. Where this documentation requires collaboration or involvement, there is no overriding interest that prevails and excludes the data processing.

4.4.3 Duration of storage

After responding to your request and the end of any further communication, the information you provided for the purpose of the query will be erased, unless your query aimed at exercising one of your data subject rights. In that situation, we will keep records as long as necessary in order to demonstrate our compliance with your data subject request.
For data subject requests under Chapter III of the GDPR, records are kept for three years pursuant to sec. 195 German Civil Code.

4.4.4 Right to object

You are entitled to object to the use of your personal data pursuant to Art. 21 GDPR on grounds that relate to your particular situation. If you want to exercise that right, contact the Data Protection Officer via the means of contact indicated in section 1 above. Where you object to the use of your data, we might not be able to respond to your request anymore.

5. Who gets my data?

Within the Controllers, only those departments which need your data in order to fulfil the purposes (see section 4 above) will have access to them. This applies accordingly to any involved Processors, especially the provider of the tool (OneTrust) and the hosting provider (MS Azure), who might process data on our behalf (e.g. hosting and operations, mail delivery, etc.). All our Processors are contractually bound to our instructions, which adhere to the high standard of data protection set out under the GDPR.
Outside the companies acting as Controllers for the above described purposes, your data are not shared with so-called third parties (e.g. advertisement consultants, lawyers, or other business providers), unless required by law, or where you have consented.

6. Are my data transferred outside of the EU (Third country transfer)?

Where any of the providers indicated in section 5 above are located outside the EU/EEA, this might lead to your data being processed in a country that does not maintain a level of data protection similar or equal to the one within the EU. Therefore such a level of data protection must be established by the data exporter (the respective Controller) by means of additional safeguards, which raise the level of data protection of the data importer. You can request a copy of the applied additional safeguards by using our contacts from Sec. 1 above.
For the provision of the tool, OneTrust is hosted on Microsoft Azure servers based in Frankfurt and Dublin. For remote support, however, there might be accesses from outside the EU/EEA. Both OneTrust and Microsoft are certified under the EU-US Privacy Shield in order to warrant an adequate level of data protection.

7. What are my rights?

You have all rights under Chapter III of the GDPR. They can be exercised towards every Controller handling your data. These rights are:

  • Right to access: You can request information about all data stored about you and how they are processed by the accountable Controller
  • Rectification: You can request rectification, where data concerning you are wrong or outdated
  • Erasure and to be forgotten: You can request that the Controller deletes your data. Where a deletion is conducted, the Controller shall inform any recipient about that to whom the data have been disclosed (Right to be forgotten)
  • Restriction: You can request a restriction of the data for the reasons set out by GDPR
  • Data Portability: Where the conditions of the law are met, you can request to receive a copy of your data in a structured, machine readable and commonly used format
  • Object: You can object to the processing of your data for reasons that relate to your particular situation, if the processing is based on Art. 6 sec. 1 lit. f – legitimate interests – GDPR

If you have given us your consent for the processing of your data, you can at any time withdraw this consent with effect for the future. Please address your withdrawal to the attention of our Data Protection Officer indicated in Sec. 1 above.
Additionally, you are entitled to lodge a complaint with the supervisory authority competent for the Controller you want to address or with the Authority competent for you, which will forward your request if not responsible itself.

8. From where are my data collected?

Where data are not provided by yourself, they will regularly be collected from colleagues of yours who are involved in the documentation. Collection as well as documentation for these purposes remain at the sole discretion of the Content Controller. We do not merge these data with any information we might possibly hold from other sources.

9. Final information / Version

OneTrust is subject to constant improvement and change. This may affect the information given herein about any processing of personal data. The information given reflects the “as-is” situation on 1 April 2019.