Data protection information under the GDPR
The following information provides you with a detailed overview of the data that we collect about you personally and what we do with these data when you attend one of our events. We will also provide you with information about your data protection rights and explain who you can contact if you have any questions about the protection of your data.
1. Who we are
The controller responsible for processing your data:
NRW.Global Business GmbH
Trade & Investment Agency
of the German State of North Rhine-Westphalia (NRW)
Völklinger Strasse 4
40219 Düsseldorf, Germany
Tel: +49 211 13000-0
CEO: Felix Neugart
If you have any questions about this data protection policy, the processing of your data, your rights or any other concerns relating to data protection, our Data Protection Officer will be happy to help you.
Contact details for the Data Protection Officer:
NRW.Global Business GmbH
Trade & Investment Agency
of the German State of North Rhine-Westphalia (NRW)
The Data Protection Officer
Völklinger Strasse 4
40219 Düsseldorf, Germany
datenschutz@nrwglobalbusiness.com
2. Definitions
Personal data: The following policy talks a lot about “personal data”, but what does this term actually mean? “Personal data” is legally defined as follows in Article 4(1) GDPR:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Processing: Article 4(2) GDPR defines “processing” as follows:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
3. What data are processed?
In this section, we explain what data we collect and process in connection with events and for which purposes. We also set out the legal bases on which we process these data.
I. Registration and attendance
Purposes: We process the data that you provide when you register in order to plan our event, to send you your entrance tickets, to host the event itself (including admission control) and as evidence of use of funds. We use the data marked with an asterisk (*) in the table below for invoicing purposes where a fee is charged for events.
Source of the data: As a general rule, we receive your data from you personally when you register for an event. It may also be the case that you register with our partner with whom we are jointly hosting the event and that we receive your data from this partner in order to plan and host the event. If one of our partners is a co-organiser, you will be informed of this when you register or when the event is announced, and this will be clearly indicated during the event.
Legal basis: The legal basis for processing your data for the above-mentioned purpose is performance of a contract (point (b) of Article 6(1) GDPR).
II. Film recordings and photographs
Purposes: Events are filmed and photographed as part of our marketing activities and those of our event partners and as souvenirs.
Legal basis: We make film recordings and take photographs and use these on the basis of our legitimate interest in portraying our company positively and reporting on it, and in illustrating documents such as presentations (point (f) of Article 6(1) GDPR). This applies to all recordings of gatherings and similar occasions in which the visitors shown took part, and to recordings of members of the public or public figures and of people who clearly indicate or communicate to us that they would like to be photographed (as a photographic memento).
III. Newsletter
Purposes: We process your data in order to provide you with information by e-mail (in a newsletter) about other events and news about NRW as a business location and investment projects. At some events, you can register for our newsletter using your business card, which you can give to us specifically for this purpose.
Legal basis: We process your data for the purpose described above on the basis of a balancing test in which all the relevant interests are considered (point (f) of Article 6(1) GDPR) as we have a legitimate interest in supporting and promoting North Rhine-Westphalia as an investment location.
Overview of the data used in situations I-III
Data | I. Registration and attendance | II. Film recordings and photographs | III. Newsletter |
Form of address | x | x | |
Title | x | x | |
First name | x | x | |
Surname | x | x | |
Company | x | x | |
Position | x | ||
E-mail address | x | x | |
Telephone | x | ||
Film recordings and photographs | x | ||
Person accompanying | x | ||
No food (in the case of events with catering) | x |
IV. Other purposes
In addition to the purposes described so far, the above-mentioned personal data are processed for the following purposes in order to safeguard our legitimate interests or the interests of third parties in the context of a balancing test in which all the relevant interests are considered (point (f) of Article 6(1) GDPR). The interests are stated below:
- Should our company experience a security incident involving your data, we are obliged to report the incident to our relevant data protection supervisory authority (Article 33 GDPR). Because it is in our legitimate interest to comply with this statutory reporting requirement as quickly as possible, it may be the case that data concerning you personally are processed in the context of investigating the security incident in question. The notifications of these security incidents to the data protection supervisory authorities do not contain any of your personal data.
- Because it is in our interest to guarantee the security of our systems, we regularly carry out security and efficacy tests, in the context of which your above-mentioned data may be processed.
- In the event of legal disputes, it is in our interest to keep evidence until all relevant statutes of limitation have expired, in accordance with Sections 195 et seq. BGB (German Civil Code). For this purpose, we retain the relevant personal data about you according to these statutes of limitation.
- Furthermore, it is in our interest to pursue suspicious cases and to hand over relevant information to the law enforcement agencies when there is a specific suspicion of an offence.
- In order to comply with our obligations under tax law, we engage tax consultants. We also engage auditors in order to comply with our obligation under commercial law to audit our annual financial statements under Section 316(1) HGB (German Commercial Code). It cannot be excluded that documents containing your data may be viewed in the course of these activities. As it is in our interest to fulfil our tax and legal obligations, we process your data in such cases for these specific purposes.
- It is in our interest to resolve legal disputes. If a legal dispute should arise, the data required for litigation will be processed.
- We conduct internal and external audits in order to obtain and maintain certifications and in the context of commercial relationships; your data may be processed in the course of these activities. In order to fulfil various regulations, to assess the effectiveness of our processes and to implement customer requirements and quality standards, we also conduct ongoing inspections.
- Anyone can make a mistake, and they can occur in any business process. In order to optimise these processes and reduce our error rate, we process the data available in our company so that we can identify sources of errors. We process these data in order to safeguard our legitimate interest in improving our processes.
- It is in the interest of the ministries to know if public or political figures, diplomats or other high-ranking representatives are attending events so that the ministries can prepare for events and attendees can be addressed in accordance with the correct protocol. We therefore provide corresponding information to the ministry.
4. When are the processed data deleted?
We process your data for as long as they are required in order to fulfil the stated purposes in each case. Where statutory retention periods apply, the data will not be deleted until after the expiry of these periods. In order to safeguard our legal positions and to retain evidence for this purpose, data may be retained until the expiry of the statutes of limitation under Sections 195 et seq. BGB; the retention periods set out therein can be up to 30 years. The standard statute of limitations is three years.
5. Which organisations receive your data?
The following table provides you with a complete overview of the situations in which data are shared with other organisations. In order to see which specific data this involves, please refer to the relevant sections of this policy.
In order to fulfil our duties, we use selected agents and service providers (processors under Article 28 GDPR); these agents and service providers may be given access to your data to the extent required in each case. Processors are subject to numerous contractual obligations and must in particular only process your personal data acting on our instructions and exclusively for the fulfilment of orders received from us.
Data recipients | Explanation |
Partners | Our partners receive your data in order to plan and host the event where they are co-organisers or supporting us with the event. |
IT service providers | In the context of operating our IT infrastructure and our website, the relevant service providers (processors) may gain access to your data. |
Courts, lawyers, authorities, opposing parties, advisers | Should legal disputes arise, your personal data may be shared with the parties involved. Lawyers are bound by a duty of confidentiality as persons entrusted with confidential information. |
Tax authorities | Your personal data are only disclosed to these bodies in order to fulfil our legal obligations. |
Tax consultants | In order to comply with our obligations under tax law, we engage tax consultants. It cannot be excluded that documents containing your personal data may be viewed while they are advising us. Tax consultants are bound by a duty of confidentiality as persons entrusted with confidential information. |
Law enforcement agencies | It is in our interest to pursue suspicious cases and to hand over all the required data to the law enforcement agencies when there is a specific suspicion of an offence. |
Auditors | In order to comply with our legal obligation to audit our annual financial statements under Section 316(1) HGB, we engage auditors. It cannot be excluded that documents containing your personal data may be viewed in the course of such an audit. Auditors are bound by a duty of confidentiality as persons entrusted with confidential information. |
Service providers for sending e-mails | We use service providers who send out newsletters as part of the processing they undertake on our behalf. They are given your e-mail address for the purposes of dispatch. |
Auditors | Your data may be processed in the course of audits. |
Service providers for the destruction of data carriers | We use service providers who destroy and dispose of paper files and data carriers as part of the processing they undertake on our behalf. |
Ministries | Ministries are informed of the public and political figures, diplomats and other high-ranking representatives attending our events so that the ministries can prepare for the events and attendees can be addressed in accordance with the correct protocol. |
Event agencies | We use event agencies to organise some events; these agencies may receive your data in order to plan and host the event. |
6. Your rights
You have the legal right to:
- Access the personal data stored about you (Article 15 GDPR)
- Rectification and completion of the data we have about you (Article 16 GDPR)
- Erasure (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Withdrawal of consent that has been given (Article 7 GDPR) with future effect. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Objection to the processing of your data to safeguard our legitimate interests or the legitimate interests of third parties (Article 21 GDPR) – You have the right, on the basis of reasons related to your particular situation, to object to processing of this kind at any time; this also applies to profiling based on these provisions within the meaning of Article 4(4) GDPR.
- Objection to direct marketing: you have the right to object to the processing of your data for direct marketing purposes at any time without giving a reason.
To exercise these rights, you can in particular contact us at:
NRW.Global Business GmbH
Trade & Investment Agency
of the German State of North Rhine-Westphalia (NRW)
The Data Protection Officer
Völklinger Strasse 4
40219 Düsseldorf, Germany
datenschutz@nrwglobalbusiness.com
You also have the legal right to lodge a complaint with a data protection supervisory authority.