
Privacy Policy
Information on data protection & data processing in accordance with the EU General Data Protection Regulation (GDPR)
Note that the German version of this text is the legally binding version. The English translation is provided for information purposes only.
This data protection notice describes the processing of personal data by the Bundesverband für strukturierte Wertpapiere e.V. (hereinafter “BSW”) with general information (Part I) for visitors to the website (Part II), for (sponsoring) members, interested parties, and business partners (Part III), and for applicants for an open position and in the context of unsolicited job applications (Part IV). We also explain the choices you have regarding the processing of your personal data (“data subject rights”) and how you can contact us.
This data protection notice describes the processing of personal data by the Bundesverband für strukturierte Wertpapiere e.V. (hereinafter “BSW”) with general information (Part I) for visitors to the website (Part II), for (sponsoring) members, interested parties, and business partners (Part III), and for applicants for an open position and in the context of unsolicited job applications (Part IV). We also explain the choices you have regarding the processing of your personal data (“data subject rights”) and how you can contact us.
Contents
Part I. General information
I.1. Controller / contact detailsI.2. Data subject rights
I.3. Period of data storage
I.4. Transfer of data to a third country
I.5. Data collection not directly from the data subject
I.6. Obligation to provide data
I.7. Changes or additions to the information on data processing
Part II. Information for visitors to our website and social media accounts
II.1. Visiting our website (service and IT security)II.2. Contact requests and service
II.3. Web analytics service (use of cookies and tracking technology)
II.4. Integration of social plug-ins on our website
II.5. BSW events
II.5.1. Booking events and additional services
II.5.2. Photographs and filming at events
II.6. Information for visitors to our social media accounts
II.6.1. BSW LinkedIn Account
II.6.2. BSW YouTube Account
Part I. General information
I.1. Controller / contact details
The controller within the meaning of Article 4(7) of the GDPR is:
Bundesverband für strukturierte Wertpapiere e.V.
Frankfurt Office
Feldbergstraße 38
60323 Frankfurt am Main
Phone: +49 69 244 33 03 60
Email: info@derbsw.de
Frankfurt Office
Feldbergstraße 38
60323 Frankfurt am Main
Phone: +49 69 244 33 03 60
Email: info@derbsw.de
Board members authorised to represent the company:
Markus Bärenfänger (DZ Bank AG)
Peter Bösenberg (Société Générale)
Stephan Frerker (DekaBank)
Anton Hötzl (Vontobel)
Christian Vollmuth (Bundesverband für strukturierte Wertpapiere)
Markus Bärenfänger (DZ Bank AG)
Peter Bösenberg (Société Générale)
Stephan Frerker (DekaBank)
Anton Hötzl (Vontobel)
Christian Vollmuth (Bundesverband für strukturierte Wertpapiere)
Court of registration: Frankfurt am Main
Association registration number: VR 13943
Association registration number: VR 13943
Berlin Office
Pariser Platz 3
10117 Berlin
Phone: +49 30 4000 4750
Email: info@derbsw.de
Pariser Platz 3
10117 Berlin
Phone: +49 30 4000 4750
Email: info@derbsw.de
If you have any questions about the processing of your personal data by us or about data protection in general or you wish to assert your rights as a data subject (e.g., requests for information, objections to marketing, withdrawal of consent), please contact us directly at the above address or at the email address info@derbsw.de. If you require secure transmission, please contact us by post.
I.2. Data subject rights
As a data subject, you are entitled to the following rights in principle insofar as contractual and statutory obligations do not conflict with this:
- Right of access (Article 15 of the GDPR) with restrictions in accordance with §§ 34, 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter “BDSG”);
- Right to rectification of inaccurate data (Article 16 of the GDPR);
- Right to erasure (Article 17 of the GDPR) with restrictions in accordance with §§ 34, 35 of the BDSG;
- Right to restriction of processing of personal data (Article 18 of the GDPR);
- Right to data portability (Article 20 of the GDPR);
- Right to an effective judicial remedy against a supervisory authority (Article 77 of the GDPR);
- Individual right to object (Article 21(1) of the GDPR) for reasons arising from your particular situation and relating to data processing pursuant to Article 6(1) sentence 1 point (e) of the GDPR and Article 6(1) sentence 1 point (f) of the GDPR; and
- Right to object to the processing of data for marketing purposes (Article 21(3) of the GDPR); you can object to the use of your data for marketing purposes at any time with future effect by contacting us (see I.1).
If the data processing is based on your consent, your consent can be withdrawn at any time with future effect. The legality of the processing carried out up to the time of withdrawal remains unaffected by this.
The easiest way to exercise your rights as a data subject is to contact the address provided in the legal notice. You also have the right to lodge a complaint with the competent data protection supervisory authority.
I.3. Period of data storage
Unless otherwise described in this notice, the BSW processes and stores your personal data for as long as necessary for the fulfilment of contractual and legal obligations and on the basis of the balancing of interests, taking into account the respective data category. If the data is no longer required for this purpose, it is regularly erased, unless their (temporary) further processing, such as in a separate archive with restricted access authorisations, is necessary for the following purposes:
- Preservation of evidence for a period of three years in accordance with § 195 of the German Civil Code (Bürgerliches Gesetzbuch , hereinafter BGB) for the purposes of providing such evidence and any necessary clarification of judicial or extrajudicial claims (e.g., contractual claims, correspondence in the context of processing data subject rights);
- Compliance with retention periods under commercial tax law, such as the German Commercial Code (Handelsgesetzbuch, hereinafter HGB), the German Fiscal Code (Abgabenordnung), and the German Money Laundering Act (Geldwäschegesetz) with the retention and documentation periods specified therein for a period of two to eight years (e.g., for business letters, contracts, orders, invoices, membership fees); and
- Preservation of evidence for a period of 30 years in accordance with § 197 of the BGB (e.g., in the context of legally established claims, claims arising against enforceable settlements or enforceable deeds).
I.4. Transfer of data to a third country
Data is only transferred to countries outside the EU or EEA (third countries) if this is necessary for the performance of your orders, it is required by law (e.g., reporting obligations in accordance with tax law), if you have given us your consent, or as part of commissioned data processing. If service providers are used in a third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions through appropriate measures (e.g., agreement of the EU standard contractual clauses and, if applicable, transfer impact assessment).
I.5. Data collection not directly from the data subject
Occasionally, the BSW also collects address and contact data (e.g., first name, surname, address, telephone number, email address) not directly from the data subject, such as for professional or marketing contact on the basis of the balance of interests pursuant to Article 6(1) sentence 1 point (f) of the GDPR, such as from public directories (e.g., commercial registers, telephone/industry directories), from generally accessible sources (e.g., the Internet) or from address service providers. You can object to this use in terms of content or marketing with future effect using the above-mentioned contact details (see I.1.).
I.6. Obligation to provide data
As part of a business relationship (e.g., (sponsoring) memberships, registration for events, other contracts), you must provide the personal data that is required for the establishment and performance of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or perform the order or will no longer to be able to perform an existing contract and may have to terminate it.
I.7. Changes or additions to the information on data processing
The BSW reserves the right to amend or supplement this information on data processing at any time in compliance with the legal requirements. This may be the case, for example, to comply with new legal provisions or take account of new services. We therefore recommend that you visit the website at regular intervals to find out about our current data processing activities.
Part II. Information for visitors to our website and social media accounts
In this section you will find information on the processing of personal data when using the BSW website or visiting our social media accounts.
II.1. Visiting our website (service and IT security)
When you visit our websites, we store certain information about the browser and operating system you use, the date and time of your visit, the access status (e.g., whether you were able to access a website or received an error message), the use of website functions, the search terms you may have entered, the frequency with which you access individual websites, the names of files accessed, the amount of data transferred, the website from which you accessed our websites and the website you visit from our websites when you click on links on our websites or enter a domain directly in the input field of the same tab (or window) of your browser in which you opened our websites. We also store your IP address and the name of your Internet service provider for a period of seven days for security purposes, in particular to prevent and detect attacks on our websites or attempts at fraud.
We process the aforementioned personal data on the basis of our legitimate interests in providing you with information about our services on our websites and ensuring IT security when you visit our websites, on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
II.2. Contact requests and service
If you have any questions about the BSW, our projects or campaigns, you can contact us by email, via our contact form, or by telephone. We will process your personal data depending on the subject of the enquiry. We may also use personal data that has been stored in our systems as part of other data processing (e.g., data relating to previous enquiries).
Depending on the request, the data is processed for the purpose of initiating, performing or, if applicable, processing the contract with you on the basis of Article 6(1) sentence 1 point (b) of the GDPR, to fulfil our legal obligations towards you on the basis of Article 6(1) sentence 1 point (c) of the GDPR and/or due to our/your legitimate interests in answering your requests on the basis of Article 6(1) sentence 1 point (f) of the GDPR. The data will be erased once your request/enquiry has been processed and there are no other retention obligations (e.g., in accordance with the BGB or the HGB).
II.3. Web analytics service (use of cookies and tracking technology)
Our website uses Simple Analytics, an Internet analysis service provided by Simple Analytics B.V., Jacob van Lennepstraat 78 H, 1053 HM, Amsterdam, Netherlands. With the help of this service, certain usage data of website visitors (e.g., date and time of access, user agent of the browser) is collected in anonymised form, evaluated, and processed in automatic reports. The software only tracks these metrics: Page views, referrers, top pages, screen sizes, browsers, and countries.
The legal basis is our legitimate interests pursuant to Article 6(1) sentence 1 point (f) of the GDPR in the continuous optimisation of our online services as well as to identify and resolve technical problems such as error messages when pages are viewed or search engine problems. Simple Analytics operates via a simple script code without the use of cookies or the IP address, which means that Simple Analytics does not use cookies on your end device at any time.
The information processed via Simple Analytics is not personally identifiable at any time and therefore does not allow conclusions to be drawn about your person.
If you do not wish the information described to be processed in future, you can prevent this by disabling the execution of JavaScript in your browser. Alternatively, you can also prevent the execution of JavaScript code by installing a JavaScript blocker (e.g., https://noscript.net/ or https://www.ghostery.com). However, if you do so, it is very likely that you will not be able to use all the functions of the website to their full extent. Further information on data processing and data protection at Simple Analytics can be found at https://docs.simpleanalytics.com/what-we-collect?ref=simpleanalytics.com.
II.4. Integration of social plug-ins on our website
When we use social plug-ins of social networks on our websites, we integrate them as described here. If you visit our websites, the social plug-ins are deactivated (i.e., no data is transferred to the operators of these networks). If you wish to use one of these networks, click on the respective social plug-in to establish a direct connection with the server of the respective network. If you have a user account with the network and are logged in there when you activate the social plug-in, the network can associate your visit to our website with your user account. If you wish to avoid this, please log out of the network before activating the social plug-in. A social network cannot associate your visit to other BSW websites until you have also activated a social plug-in available there. If you activate a social plug-in, the network transmits the content it makes available directly to your browser, which integrates it into our websites. In this situation, data transfers may also take place that are initiated and controlled by the respective social network. Your connection to a social network, the data transfers that take place between the network and your system, and your interactions on this platform are governed exclusively by the data protection provisions of the respective network. The social plug-in remains active until you deactivate it or erase your cookies.
If you click on a link or activate a social plug-in, personal data may be transferred to providers in countries outside the EU, EEA, and/or countries which, from the perspective of the EU do not guarantee an “adequate level of protection” for the processing of personal data in accordance with EU standards. Please bear this in mind before clicking on a link or activating a social plug-in and thereby triggering a transfer of your data.
II.5. BSW events
In connection with participation in BSW events, we process your personal data in compliance with the applicable data protection regulations. Data processing is carried out for the purpose of organising the event and is intended to enable communication about the event and association topics.
II.5.1. Booking events and additional services
We process the personal data of participants and presenters for the purposes of planning, organising and holding online and offline events (e.g., the BSW Forum and the BSW Business Journalism Awards). As a rule, we process the names, addresses, companies, roles, contact details, and email addresses of participants in the case of events held offline or online. The processing is generally carried out on the basis of Article 6(1) sentence 1 point (b) of the GDPR (an event contract), Article 6(1) sentence 1 point (f) of the GDPR (legitimate interests) or, if we request your consent during registration (which can be withdrawn at any time with future effect), on the basis of Article 6(1) sentence 1 point (a) of the GDPR.
In the event of withdrawal of consent on the basis of Article 6(1) sentence 1 point (a) of the GDPR, the BSW is entitled to use up marketing or information material that has already been printed for a reasonable amount of time. Insofar as processing is permitted due to another legal basis, the withdrawal has no influence on the legality of the data processing on this other legal basis (e.g., Article 6(1) sentence 1 point (f) of the GDPR).
If additional services (e.g., hotel accommodation, meals, etc.) are requested in addition to participation in the event, we process this data on the basis of Article 6(1) sentence 1 point (b) of the GDPR (performance of the event). If we plan events together with partners or additional services are requested, your personal data may be transferred to these partners, venue operators (entrance control), hotels, or restaurants.
Based on the legitimate interests of the BSW, we may process participation and contact data for the purpose of querying satisfaction with the event or sending further project-specific information on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
II.5.2. Photographs and filming at events
Photographs and film recordings may be made at BSW events. In addition to content pursuant to Article 6(1) sentence 1 point (a) of the GDPR, the balancing of interests pursuant to Article 6(1) sentence 1 point (f) of the GDPR also forms a legal basis for the making and use of photographs and film recordings at BSW events. The BSW processes the photographs and film recordings for the purposes of reporting on its activities, depending on the individual case, and are published on social media, the Internet/websites, press releases, newsletters, and print brochures, provided that the interests of the data subjects do not obviously conflict with this. The BSW has a legitimate interest in informing the public about the objectives it pursues in line with its statutes.
If there are special reasons why you object to the taking of photos or making of film recordings where you may be recognisable, please contact the event management or the photo/camera team on site.
If there are special reasons why you object to the taking of photos or making of film recordings where you may be recognisable, please contact the event management or the photo/camera team on site.
II.6. Information for visitors to our social media accounts
The BSW is represented on the following social media platforms with its own accounts/pages. We use these sites to inform you about our projects and activities and exchange information with you on relevant issues.
II.6.1. BSW LinkedIn Account
Processing of data in the event of enquiries via the company page
If you send us an enquiry by commenting directly on our company page, below one of our posts, or by private message, we will process your data (e.g., your account name) in order to be able to reply to you and process your request. If we need personal data from you to process your request, we may ask you to send it to us by email. To protect your data, we ask you not to enter personal data directly in a public comment. Should this nevertheless occur, we will hide the corresponding comment as quickly as possible. We process your data on the basis of our legitimate interests in processing enquiries by clients or interested parties on the basis of Article 6(1) sentence 1 point (f) of the GDPR. In the case of enquiries relating to a tenancy agreement, we will erase your data at the latest upon expiration of the limitation periods. We erase general enquiries without reference to a tenancy agreement six months after processing.
If you send us an enquiry by commenting directly on our company page, below one of our posts, or by private message, we will process your data (e.g., your account name) in order to be able to reply to you and process your request. If we need personal data from you to process your request, we may ask you to send it to us by email. To protect your data, we ask you not to enter personal data directly in a public comment. Should this nevertheless occur, we will hide the corresponding comment as quickly as possible. We process your data on the basis of our legitimate interests in processing enquiries by clients or interested parties on the basis of Article 6(1) sentence 1 point (f) of the GDPR. In the case of enquiries relating to a tenancy agreement, we will erase your data at the latest upon expiration of the limitation periods. We erase general enquiries without reference to a tenancy agreement six months after processing.
Analyses and reports - Insights
As the operator of the company page, we have access to “Insights”. Insights are an integral part of a company page on LinkedIn and contain anonymised statistical data from users who have interacted with our company page and/or our content. This data is collected with the help of cookies that are set up by LinkedIn, each containing a unique user ID. In particular, LinkedIn processes data that you have provided to LinkedIn as a member, such as your role in the company, country, industry, length of service, company size, and your employment status. LinkedIn also processes information about how you have interacted with a company page as a member of the network (e.g., whether you are follower of a page). We do not have access to this information collected by LinkedIn. As the operator of the company page, LinkedIn only provides us with anonymised statistical analyses and reports on the information collected.
Pursuant to Article 26 of the GDPR, as the operator of the company page, we are jointly responsible with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, for the collection of the information presented and its consolidation into anonymised Page Insights provided to us by LinkedIn, so we have concluded a joint responsibility agreement with LinkedIn. You can access this at https://www.linkedin.com/legal/l/page-joint-controller-addendum.
By collecting the data and combining it into anonymised statistics, we want to better understand our company page visitors and gain insights into what content on our company page is of interest to our audience. In doing so, we want to tailor our content and our information services to the needs of our visitors in the best possible way and optimise it accordingly on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
As the provider of the social network, and the fact that we as the operator of the company page have no access to the data collected about you as part of Insights, LinkedIn alone has direct access to the necessary information and can also immediately take any necessary measures or provide information. In this respect, we ask you to assert your rights directly against LinkedIn. Should you nevertheless require our support, we would be happy to assist you.
As the operator of the company page, we have access to “Insights”. Insights are an integral part of a company page on LinkedIn and contain anonymised statistical data from users who have interacted with our company page and/or our content. This data is collected with the help of cookies that are set up by LinkedIn, each containing a unique user ID. In particular, LinkedIn processes data that you have provided to LinkedIn as a member, such as your role in the company, country, industry, length of service, company size, and your employment status. LinkedIn also processes information about how you have interacted with a company page as a member of the network (e.g., whether you are follower of a page). We do not have access to this information collected by LinkedIn. As the operator of the company page, LinkedIn only provides us with anonymised statistical analyses and reports on the information collected.
Pursuant to Article 26 of the GDPR, as the operator of the company page, we are jointly responsible with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, for the collection of the information presented and its consolidation into anonymised Page Insights provided to us by LinkedIn, so we have concluded a joint responsibility agreement with LinkedIn. You can access this at https://www.linkedin.com/legal/l/page-joint-controller-addendum.
By collecting the data and combining it into anonymised statistics, we want to better understand our company page visitors and gain insights into what content on our company page is of interest to our audience. In doing so, we want to tailor our content and our information services to the needs of our visitors in the best possible way and optimise it accordingly on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
As the provider of the social network, and the fact that we as the operator of the company page have no access to the data collected about you as part of Insights, LinkedIn alone has direct access to the necessary information and can also immediately take any necessary measures or provide information. In this respect, we ask you to assert your rights directly against LinkedIn. Should you nevertheless require our support, we would be happy to assist you.
Note on the identification of visitors by LinkedIn
If you are currently logged in to LinkedIn as a user, a cookie with your identifier is stored on your device. This enables LinkedIn to track whether you are logged in as a LinkedIn user. This also applies to all other LinkedIn pages. If you want to avoid this, you should log out of LinkedIn and deactivate the “Keep me logged in” function, erase the cookies on your device, and close and restart your browser. In this way, LinkedIn information that can be used to directly identify you will be erased. This allows you to use our company page without revealing your LinkedIn identifier. If you access interactive functions on the pages (like, comment, share, message, etc.), a LinkedIn login screen will appear. After logging in, you will again be recognisable to LinkedIn as a specific user.
If you are currently logged in to LinkedIn as a user, a cookie with your identifier is stored on your device. This enables LinkedIn to track whether you are logged in as a LinkedIn user. This also applies to all other LinkedIn pages. If you want to avoid this, you should log out of LinkedIn and deactivate the “Keep me logged in” function, erase the cookies on your device, and close and restart your browser. In this way, LinkedIn information that can be used to directly identify you will be erased. This allows you to use our company page without revealing your LinkedIn identifier. If you access interactive functions on the pages (like, comment, share, message, etc.), a LinkedIn login screen will appear. After logging in, you will again be recognisable to LinkedIn as a specific user.
II.6.2. BSW YouTube Account
Processing of data in the case of service requests
If you send us a request by commenting directly on our channel, below one of our videos, we will process your data (e.g., your account name) in order to be able to reply to you and process your request. If we need personal data from you to process your requests, we may ask you to send it to us by email. To protect your data, we ask you not to enter personal data directly in a public comment. Should this nevertheless occur, we will hide the corresponding comment as quickly as possible. We process your data on the basis of our legitimate interests in processing enquiries by clients or interested parties on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
If you send us a request by commenting directly on our channel, below one of our videos, we will process your data (e.g., your account name) in order to be able to reply to you and process your request. If we need personal data from you to process your requests, we may ask you to send it to us by email. To protect your data, we ask you not to enter personal data directly in a public comment. Should this nevertheless occur, we will hide the corresponding comment as quickly as possible. We process your data on the basis of our legitimate interests in processing enquiries by clients or interested parties on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
Data processing by the platform provider
When you visit our page, the provider of the social media platform collects, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as users of the account, with statistical information about the interaction with us. The social media platform is responsible for this data processing.
We do not know how the social media platform uses the data from your visit to our account and interaction with our posts for its own purposes, how long this data is stored, and whether this data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the site as an unregistered user or user who is not logged in. When you access a post or our account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, the provider of the social media platform can use a cookie on your device to track that you have visited a website and how you have used it. This enables the provider of the social media platform to record your visits to these websites and assign them to your profile. This data can be used to tailor content or advertising to you. If you want to avoid this, you should log out, delete the cookies on your device, and restart your browser.
You can find more information on how the provider of the social media platform processes your data at https://policies.google.com/privacy?hl=en&gl=en
As the provider of the information service, we collect and process only the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can answer only via email, we will store your information in accordance with the general principles of our data processing, which we describe in this data protection notice.
When you visit our page, the provider of the social media platform collects, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as users of the account, with statistical information about the interaction with us. The social media platform is responsible for this data processing.
We do not know how the social media platform uses the data from your visit to our account and interaction with our posts for its own purposes, how long this data is stored, and whether this data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the site as an unregistered user or user who is not logged in. When you access a post or our account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, the provider of the social media platform can use a cookie on your device to track that you have visited a website and how you have used it. This enables the provider of the social media platform to record your visits to these websites and assign them to your profile. This data can be used to tailor content or advertising to you. If you want to avoid this, you should log out, delete the cookies on your device, and restart your browser.
You can find more information on how the provider of the social media platform processes your data at https://policies.google.com/privacy?hl=en&gl=en
As the provider of the information service, we collect and process only the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can answer only via email, we will store your information in accordance with the general principles of our data processing, which we describe in this data protection notice.
Part III. Information for (sponsoring) members, interested parties, and business partners
In the following section, the BSW provides you with an overview of the processing of your personal data as a (sponsoring) member, interested party, or business partner.
III.1. Categories of personal data
Which categories of personal data are processed by the BSW depends largely on the reason for and context in which contact or a contractual relationship with you arises or exists.
A distinction needs to be made, for example, between (sponsoring) members, interested parties, and business or project partners. As part of a membership, the ordering of information material or any other contract, the BSW generally processes the following categories of data depending on the specific relationship. Forms used to collect personal data indicate which data is mandatory and which data can be provided voluntarily.
A distinction needs to be made, for example, between (sponsoring) members, interested parties, and business or project partners. As part of a membership, the ordering of information material or any other contract, the BSW generally processes the following categories of data depending on the specific relationship. Forms used to collect personal data indicate which data is mandatory and which data can be provided voluntarily.
- Surname, first name, address, contact details (telephone, email), industry/profession, other data such as interests, if applicable;
- Company name, where applicable also consisting of surname, first name, address, contact details (telephone, email), industry, contact person in the company with surname, first name, role, contact details (telephone, email);
- Payment transactions and order data (e.g., bank details/credit card details, payment orders);
- Order history and sales with business partners;
- Data in the context of legal disputes (e.g., on the parties involved, authorised representatives, courts); and
- History of activities of (sponsoring) members and interested parties.
If there is direct contact with you during your (sponsoring) membership, representation of interests, or a business relationship, further data, such as information about the contact channel, date, occasion, and results, copies of correspondence are processed.
III.2. Purposes of data processing and legal basis
The BSW processes your aforementioned personal data and categories of personal data to fulfil the respective contract (e.g., (sponsoring) membership, orders of information material, invitations, workshops/conferences, other business relationships) or to carry out pre-contractual activities (e.g., contact requests with respect to contractual measures) with you in accordance with Article 6(1) sentence 1 point (b) of the GDPR. Your contact details are also used for these purposes (e.g., in the context of specific information and queries).
The BSW is also subject to various legal requirements (e.g., money laundering laws, tax laws) and in this respect also processes your data on the basis of legal requirements pursuant to Article 6(1) sentence 1 point (c) of the GDPR or in the public interest pursuant to Article 6(1) sentence 1 point (e) of the GDPR. The purposes of processing include:
The BSW is also subject to various legal requirements (e.g., money laundering laws, tax laws) and in this respect also processes your data on the basis of legal requirements pursuant to Article 6(1) sentence 1 point (c) of the GDPR or in the public interest pursuant to Article 6(1) sentence 1 point (e) of the GDPR. The purposes of processing include:
- The prevention of fraud and money laundering;
- The fulfilment of tax control and reporting obligations and audit requirements;
- The fulfilment of official and court directives and orders; and
- The assessment and management of risks at the BSW.
The BSW processes your data, if necessary, to protect the legitimate interests of the BSW or third parties within the scope of the balancing of interests pursuant to Article 6(1) sentence 1 point (f) of the GDPR. For example:
- Ordering free information material and general enquiries;
- Participation and exchange of contact data/information between the BSW and participants in workshops, conferences, committees, the BSW Academic Advisory Board, etc., as well as sending further project-specific information;
- Measures for association management and further development of tasks in line with the association’s statutes;
- Assertion of legal claims and defence in legal disputes;
- Ensuring the IT security and IT operations of the BSW;
- Prevention of criminal offences;
- Measures for building and system security (e.g., access controls);
- Use of the guest WLAN; and
- Data exchange with credit agencies to determine the creditworthiness and default risks of business partners in the commercial sector.
The BSW processes your data in the context of the balancing of interests in accordance with Article 6(1) sentence 1 point (f) of the GDPR to protect the legitimate interests of the BSW (e.g., member acquisition), for example, on the basis of (sponsoring) membership, existing contracts or requests for needs-based information geared to your interests within statutory purposes of the BSW (self-promotion) in accordance with the following measures:
- Postal marketing unless you have objected to this processing; you can object to this marketing use at any time with future effect using the contact details in I.1. above;
- Telephone marketing if you have given your presumed consent for this, provided you have not objected to this processing; you can object to this marketing at any time with future effect using the contact details in I.1. above.
If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent in accordance with Article 6(1) sentence 1 point (a) of the GDPR. You can withdraw your consent at any time with future effect by using the contact details in I.1. above.
III.3. Online meetings of internal BSW bodies
We process personal data in connection with the conducting of online meetings of internal BSW bodies (e.g., the committees).
The BSW uses the scheduling tool of the German National Research and Education Network (Verein zur Förderung eines Deutschen Forschungsnetzes e. V., hereinafter “DFN”) to make appointments for online meetings. The link with which participants gain access to a scheduling or booking process is generated as a URL with a random combination of numbers and characters to protect against unauthorised access. The following data is stored for seven days when the DFN scheduler website is accessed: IP address, date, time, URL, amount of data transferred, status code, accessing web browser (if transmitted by a client), and referrer. The data is stored for the purpose of information security and error analysis in accordance with Article 6(1) sentence 1 point (f) of the GDPR. Participation in a scheduling or booking process is possible with or without a user account. When participating, the data entered by the participants is process by the DFN. The query is designed by the BSW while the entries are made by the participants. As a rule, the BSW specifies the surname, first name, and email address for queries. The DFN processes this data for participation in scheduling or booking processes in accordance with Article 6(1) sentence 1 point (b) of the GDPR. Further information on the processing of your data by the DFN can be found at https://terminplaner6.dfn.de/en/datenschutz.
Online meetings are held using Microsoft Teams (hereinafter “Teams”). If you access the Teams website, the provider is responsible for data processing. However, it is only necessary to access the website to use Teams in order to download the software for using the service. You can also use Teams via the Teams app or directly via your browser. Various types of personal data are processed when you use Teams. The scope of data processing also depends on the information you provide before or during participation in an online meeting and your settings. The following personal data is processed:
The BSW uses the scheduling tool of the German National Research and Education Network (Verein zur Förderung eines Deutschen Forschungsnetzes e. V., hereinafter “DFN”) to make appointments for online meetings. The link with which participants gain access to a scheduling or booking process is generated as a URL with a random combination of numbers and characters to protect against unauthorised access. The following data is stored for seven days when the DFN scheduler website is accessed: IP address, date, time, URL, amount of data transferred, status code, accessing web browser (if transmitted by a client), and referrer. The data is stored for the purpose of information security and error analysis in accordance with Article 6(1) sentence 1 point (f) of the GDPR. Participation in a scheduling or booking process is possible with or without a user account. When participating, the data entered by the participants is process by the DFN. The query is designed by the BSW while the entries are made by the participants. As a rule, the BSW specifies the surname, first name, and email address for queries. The DFN processes this data for participation in scheduling or booking processes in accordance with Article 6(1) sentence 1 point (b) of the GDPR. Further information on the processing of your data by the DFN can be found at https://terminplaner6.dfn.de/en/datenschutz.
Online meetings are held using Microsoft Teams (hereinafter “Teams”). If you access the Teams website, the provider is responsible for data processing. However, it is only necessary to access the website to use Teams in order to download the software for using the service. You can also use Teams via the Teams app or directly via your browser. Various types of personal data are processed when you use Teams. The scope of data processing also depends on the information you provide before or during participation in an online meeting and your settings. The following personal data is processed:
- User details: Surname, first name, email address if applicable, profile picture (optional), preferred language;
- Meeting metadata: Topic, description (optional), participant IP address, device/hardware information;
- For recordings (optional): MP4 files of all video, audio and presentation recordings, text files of the online meeting chat;
- When dialling in with the telephone: Information on the incoming and outgoing telephone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved; and
- Text, audio, and video data: You may have the option of using the chat, question, or survey functions in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting and, if necessary, to record them. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting.
You can switch off the camera or mute the microphone yourself at any time via the Teams applications. The default settings we have set are that no text, audio, or video data from you is processed without you initiating this processing yourself.
According to the default settings we have set, only the personal text, audio, and video data of the moderators or presenters are processed in an online meeting and, if necessary, recorded and made available for retrieval on the Internet. Only in exceptional cases and with prior notification from us will the personal text, audio, and video data of participants also be collected and, if necessary, stored if they themselves participate in the online meeting by triggering the corresponding functions via chat or video. The legal basis in this respect is your consent pursuant to Article 6(1) sentence 1 point (a) of the GDPR, which you implicitly declare by activating the corresponding functions in Teams.
Personal data processed in connection with participation in online meetings will not be passed on to third parties unless it is designated to be passed on. The provider of Teams necessarily receives knowledge of the above-mentioned data insofar as this is provided for in the order processing contract with Teams.
Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, based in the United States. According to Microsoft, the data is processed in Microsoft data centres in Germany due to our location in Germany. The licence holder has concluded an order processing contract with the provider of Teams that meets the requirements of Article 28 of the GDPR. Furthermore, EU standard contractual clauses have been concluded. Microsoft Corporation is listed in the EU-U.S. Data Privacy Framework. Further information on how Microsoft protects your data and how Microsoft deals with requests from authorities can be found at: https://docs.microsoft.com/en-us/microsoft-365/enterprise/eu-data-storage-locations?view=o365-germany.
The personal data concerning you will be stored until the purpose of the data processing no longer applies (usually after the end of the meeting/event) or after the expiry of legal or administrative retention obligations.
According to the default settings we have set, only the personal text, audio, and video data of the moderators or presenters are processed in an online meeting and, if necessary, recorded and made available for retrieval on the Internet. Only in exceptional cases and with prior notification from us will the personal text, audio, and video data of participants also be collected and, if necessary, stored if they themselves participate in the online meeting by triggering the corresponding functions via chat or video. The legal basis in this respect is your consent pursuant to Article 6(1) sentence 1 point (a) of the GDPR, which you implicitly declare by activating the corresponding functions in Teams.
Personal data processed in connection with participation in online meetings will not be passed on to third parties unless it is designated to be passed on. The provider of Teams necessarily receives knowledge of the above-mentioned data insofar as this is provided for in the order processing contract with Teams.
Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, based in the United States. According to Microsoft, the data is processed in Microsoft data centres in Germany due to our location in Germany. The licence holder has concluded an order processing contract with the provider of Teams that meets the requirements of Article 28 of the GDPR. Furthermore, EU standard contractual clauses have been concluded. Microsoft Corporation is listed in the EU-U.S. Data Privacy Framework. Further information on how Microsoft protects your data and how Microsoft deals with requests from authorities can be found at: https://docs.microsoft.com/en-us/microsoft-365/enterprise/eu-data-storage-locations?view=o365-germany.
The personal data concerning you will be stored until the purpose of the data processing no longer applies (usually after the end of the meeting/event) or after the expiry of legal or administrative retention obligations.
III.4. Recipients and categories of recipients of the data
Within the BSW, only those business areas that need your data to fulfil our contractual and legal obligations will have access to it. Service providers used by the BSW may also receive data for these purposes if they are commissioned as a processor in accordance with Article 28 of the GDPR.
Potential recipients of personal data therefore include:
Potential recipients of personal data therefore include:
- Cooperation partners with whom joint events or campaigns are organised;
- Public bodies and institutions (e.g., tax authorities, the German Federal Central Tax Office) if a legal or administrative obligation exists;
- Participants in BSW committees, workshops, conferences, working groups, etc.;
- Other credit and financial services institutions;
- Processors, such as for member acquisition, for the support/maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, data screening in accordance with legal requirements, printing and sending personalised letters, sending emails, data erasure, and payment transactions;
- Credit agencies as part of credit checks on companies;
- Auditing service providers; and
- Other data recipients on the basis of your consent.
Part IV. Information for applicants for an open position at the BSW and in the context of unsolicited job applications
With the following information, the BSW provides you with an overview of the processing of your personal data as an applicant for an open position at the BSW or in the context of an unsolicited job application to the BSW.
IV.1. Categories of personal data, purposes, and legal bases
We process your personal job application data for the purposes of receiving, communicating (e.g., in the event of queries) and assessing your application. This includes, for example, your name, date and place of birth, your (business and private) contact details (mobile phone number and email), your address, and hobbies, as well as information about illnesses, vacation days, health insurance and pension details, nationality, residence permit, work permit, and tax status (including religion affiliation).
We treat all the information you send as job application data, in addition to information about your education and professional qualifications, your CV, references, grades and assessments, remuneration expectations, driving license, test results, your photo, any information about your state of health, bank and credit card details, existing salary garnishments, data on any criminal offences or proceedings, certificates of good conduct or other private information, if applicable.
We process your personal data that you provide to us within the context of your job application. This concerns both your job application documents and the information you provide in person during the application process (e.g., in telephone interviews, recruitment tests, in-person interviews, job speed dating events, or during a visit to a trade fair). For a comprehensive assessment of your application, we always require your CV as well as certificates or relevant supporting documents. Further information, including a photo, is voluntary.
Furthermore, in accordance with European Regulations 2580/2001 and 881/2002, we are legally obliged to check applicant data against the European Union’s terror lists prior to recruitment in order to ensure that no money or other financial assets are made available to persons on the list.
The processing is carried out for the purpose of conducting the application process and the recruitment process on the basis of Article 6(1) sentence 1 point (b) of the GDPR, § 26(1) sentence 1 of the BDSG, Article 6(1) sentence 1 point (c) of the GDPR and, if applicable, on the basis of your consent.
We treat all the information you send as job application data, in addition to information about your education and professional qualifications, your CV, references, grades and assessments, remuneration expectations, driving license, test results, your photo, any information about your state of health, bank and credit card details, existing salary garnishments, data on any criminal offences or proceedings, certificates of good conduct or other private information, if applicable.
We process your personal data that you provide to us within the context of your job application. This concerns both your job application documents and the information you provide in person during the application process (e.g., in telephone interviews, recruitment tests, in-person interviews, job speed dating events, or during a visit to a trade fair). For a comprehensive assessment of your application, we always require your CV as well as certificates or relevant supporting documents. Further information, including a photo, is voluntary.
Furthermore, in accordance with European Regulations 2580/2001 and 881/2002, we are legally obliged to check applicant data against the European Union’s terror lists prior to recruitment in order to ensure that no money or other financial assets are made available to persons on the list.
The processing is carried out for the purpose of conducting the application process and the recruitment process on the basis of Article 6(1) sentence 1 point (b) of the GDPR, § 26(1) sentence 1 of the BDSG, Article 6(1) sentence 1 point (c) of the GDPR and, if applicable, on the basis of your consent.
Acquisition in social networks
In order to find qualified candidates, we actively search in career-oriented social networks and approach potential candidates via their Xing or LinkedIn account, for example. In doing so, we access publicly available personal data in social networks that meet certain filter criteria. We note candidates who are of interest to us (e.g., via the Xing talent manager), store their data, and inform the data subjects about this. Data subjects are given the opportunity to comment on such data at any time. We process your data for the purpose of contacting candidates and due to our legitimate interests in recruiting suitable employees on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
In order to find qualified candidates, we actively search in career-oriented social networks and approach potential candidates via their Xing or LinkedIn account, for example. In doing so, we access publicly available personal data in social networks that meet certain filter criteria. We note candidates who are of interest to us (e.g., via the Xing talent manager), store their data, and inform the data subjects about this. Data subjects are given the opportunity to comment on such data at any time. We process your data for the purpose of contacting candidates and due to our legitimate interests in recruiting suitable employees on the basis of Article 6(1) sentence 1 point (f) of the GDPR.
Collecting further information about the applicant and checking references
If you provide references with contact details, we may ask for your consent to contact them to verify the information provided (e.g., your former employer). This is to gain an even more detailed impression of the applicant’s previous activities. The collection and verification of background information is performed by us on the basis of consent of the applicants within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG. If we use publicly accessible sources (such as profiles on social networks), we process your personal data to perform the application process on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
If you provide references with contact details, we may ask for your consent to contact them to verify the information provided (e.g., your former employer). This is to gain an even more detailed impression of the applicant’s previous activities. The collection and verification of background information is performed by us on the basis of consent of the applicants within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG. If we use publicly accessible sources (such as profiles on social networks), we process your personal data to perform the application process on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
Applicant travel expenses
If you travel to us for a job interview and we have agreed to reimburse your travel expenses, we will process your personal data, such as contact details (address, email, etc.), identification data (name), and financial data (bank details). Your data is processed for the purpose of reimbursing travel expenses and for performing the application process on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
If you travel to us for a job interview and we have agreed to reimburse your travel expenses, we will process your personal data, such as contact details (address, email, etc.), identification data (name), and financial data (bank details). Your data is processed for the purpose of reimbursing travel expenses and for performing the application process on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
Talent pool
If we are unable to offer applicants the desired position or in the context of unsolicited applications, we may add the candidates to our talent pool with their consent in order to be able to offer them another suitable position at a later date. For this purpose, we process the application data of the candidates. The processing of your applicant data is based on your consent within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG.
If we are unable to offer applicants the desired position or in the context of unsolicited applications, we may add the candidates to our talent pool with their consent in order to be able to offer them another suitable position at a later date. For this purpose, we process the application data of the candidates. The processing of your applicant data is based on your consent within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG.
Drawing up the employment contract
As soon as an offer of employment has been made to you, we process your personal data in order to draw up your employment contract. For this purpose, all contract-relevant information (such as name, address, title, start/end of contract, place of work, salary, bank details, health insurance, etc.) is processed and forwarded internally to the responsible HR management staff. Your data is processed for the purposes of drawing up the employment contract on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
As part of your recruitment, we also process special categories of personal data (such as your religious denomination for church tax purposes) and personal data relating to criminal convictions and offenses (such as your certificate of good conduct). We process this data for the establishment and performance of your employment contract on the basis of Article 9(2) point (b) of the GDPR, § 26(3) sentence 1 of the BDSG, Article 10 sentence 1 of the GDPR, and § 26(1) sentence 1 of the BDSG.
As soon as an offer of employment has been made to you, we process your personal data in order to draw up your employment contract. For this purpose, all contract-relevant information (such as name, address, title, start/end of contract, place of work, salary, bank details, health insurance, etc.) is processed and forwarded internally to the responsible HR management staff. Your data is processed for the purposes of drawing up the employment contract on the basis of Article 6(1) sentence 1 point (b) of the GDPR and § 26(1) sentence 1 of the BDSG.
As part of your recruitment, we also process special categories of personal data (such as your religious denomination for church tax purposes) and personal data relating to criminal convictions and offenses (such as your certificate of good conduct). We process this data for the establishment and performance of your employment contract on the basis of Article 9(2) point (b) of the GDPR, § 26(3) sentence 1 of the BDSG, Article 10 sentence 1 of the GDPR, and § 26(1) sentence 1 of the BDSG.
IV.2. Recipients and categories of recipients of the data
Your job application data will be reviewed by the HR department after receipt of your application. Suitable job applications are then forwarded internally to the managers responsible for the respective open position, and the next steps in the process are determined. At the BSW, only those individuals who need access to your data for the proper performance of our application process have access to it.
If you have consented to being included in our talent pool, your job application data will be forwarded to other managers who are responsible for recruitment. This transfer is based on your consent within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG.
Beyond this, we will only transfer your personal data if and insofar as we are legally obliged to do so. This transfer takes place on the basis of Article 6(1) sentence 1 point (c) of the GDPR (e.g., to police authorities in the context of criminal investigations).
If you have consented to being included in our talent pool, your job application data will be forwarded to other managers who are responsible for recruitment. This transfer is based on your consent within the meaning of Article 6(1) sentence 1 point (a) of the GDPR and § 26(2) sentence 1 of the BDSG.
Beyond this, we will only transfer your personal data if and insofar as we are legally obliged to do so. This transfer takes place on the basis of Article 6(1) sentence 1 point (c) of the GDPR (e.g., to police authorities in the context of criminal investigations).
IV.3. Duration of data storage in the application process
The log files of our visitors to the jobs/careers website are erased immediately unless there is suspicion of misuse of our service or a cyberattack that would justify longer storage until the situation has been clarified.
Once the selection process has been completed, your data will be erased within six months of a rejection. If the selection process takes longer than six months, applicants will be asked by email for their consent for further processing.
In the event that you have consented to being included in the talent pool, your data will be stored until you withdraw your consent, but after two years at the latest. If you are recruited, your data will be transferred to our internal personnel system.
We will retain your consent to the processing of data for a period of five years from the time consent is obtained and the last time it is used in order to comply with legal documentation obligations. After the end of use or after withdrawal of the declaration, consents are blocked for further processing until erasure.
Once the selection process has been completed, your data will be erased within six months of a rejection. If the selection process takes longer than six months, applicants will be asked by email for their consent for further processing.
In the event that you have consented to being included in the talent pool, your data will be stored until you withdraw your consent, but after two years at the latest. If you are recruited, your data will be transferred to our internal personnel system.
We will retain your consent to the processing of data for a period of five years from the time consent is obtained and the last time it is used in order to comply with legal documentation obligations. After the end of use or after withdrawal of the declaration, consents are blocked for further processing until erasure.
As at: March 2025