Privacy Policy for the website, newsletter, Perseus services, webinars, and applications

If you visit our website at perseus.de ("website"), we process your personal data as follows:
To do so, we use the services of third parties. These services also include the use of cookies (essential cookies, functional cookies, analysis and statistics, and marketing and other third-party cookies). Specific information on the individual cookies and individual setting options can be found under "Individual settings" in the consent management tool.

Here you can give your consent to processing and/or object to processing on the basis of legitimate interest. You can also adjust your preferences at a later point in time or withdraw your consent with effect for the future. Please note that without your consent, individual website features may not function properly.

Purpose

• Establishing the technical connection between the visitor's device and our website (conducting the session)
• Maintaining and improving the functionality of the website
• Maintaining and improving information security and data security (confidentiality, availability, and integrity) of the site (data storage in log files)

Categories of data processed

• IP address of the accessing system
• Type and version of browser used on the end device
• Internet service provider of the accessing system
• Date and time of access as well as whether access was successful or not
• Third-party websites from which the user's system reached our website
• Third-party websites that are accessed by the user's system via our website
   

Categories of recipients

• Website host - Winter Business Net GmbH, Feithstr. 68, 58095 Hagen

Third-country data transfer

• no

Storage duration and criteria

• Session: Data deleted at the end of the respective session
• Log files: Data deleted after 90 days or anonymized

Legal basis

• Art. 6 para. 1 b) and f) GDPR (performance of a contract and legitimate interest)

As a visitor to our website, you can use various options to contact us. Currently these include: Contact form, email, telephone, and live chat. Contact is primarily established via Freshworks applications. We use the following Freshworks systems: Freshsales as a customer relationship management system (CRM system), Freshdesk as a helpdesk system, and Freshchat as a chat system. .

Purpose

• Acceptance, checking, and processing of inquiries
• Customer relationship management

Categories of data processed

• Contact information via contact form, email, telephone, or social media: Name, email address, and optional telephone number
• Connection data: IP address as well as date and time of contact form registration; if necessary, transfer to third parties via cookies (this can be managed via the consent management tool), email address, social media username, if necessary telephone number
• Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

• Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA
• Email and telecommunications providers, social media channels
   

Third-country data transfer

• To the USA to Freshworks

We have concluded an agreement with Freshworks based on the EU standard data protection clauses, thus enabling data to be transferred with appropriate safeguards pursuant to Art. 46 GDPR.

Storage duration and criteria

• Data is automatically deleted as soon as the respective request has been dealt with

Legal basis

• Art. 6 para. 1 b) GDPR (performance of a contract)
• Art. 6 para. 1 f) GDPR (legitimate interest)

We process the personal data of visitors to our website in order to optimize our website and conduct reach analysis. You can find detailed information on this type of data processing in the consent management tool under "Analysis and statistics". The legal basis for processing is Art. 6 para. 1 f) GDPR (legitimate interest).

On our website, we give you the option of sharing content directly via social media and networks. For social media sharing, we use so-called Shariff social media buttons, so that the content is shared within selected social networks while maintaining appropriate data protection. In contrast to the usual social plugins, which process data when you visit the website, Shariff only establishes direct contact with the respective social network when you actively click on a social button to share a post.

You can find detailed information on this type of data processing in the consent management tool under "Marketing and other third-party cookies". The legal basis for processing is Art. 6 para. 1 a) GDPR (consent).

If you are a Perseus customer who uses Perseus services or an employee of a Perseus customer, we process your personal data as follows:

Insofar as Perseus processes personal data on behalf of customers ("order processing"), Perseus' customers and other recipients of Perseus services are entitled to adopt the description of services, inform their own data subjects and thus fulfill their own information obligations pursuant to Articles 13 and 14 GDPR.

In particular, Perseus may provide the following services or sub-services to its customers or authorized users as part of the order processing: endpoint detection and response, phishing tests, malware scanning, and incident management – first level support. In such cases, it is important to note that the legal basis provided for the processing is the same legal basis used by Perseus to process the data. The legal basis for the customer or their authorized users as the data controller as defined by data protection legislation, on whose behalf Perseus is processing the data, may differ from this.

This includes the following Perseus services:

Prevention through awareness (human firewall):

• Cyber security cockpit for admins
• Online training for data protection & cyber security
• Certificates (GDPR evidence)
• Employee activation
• Security overview
• IT security audit with checklist
• Phishing tests
• Cyber security toolbox
• Expert presentations
• Customer service
• Cyber ​​blog & newsletter
• Threat warning

Response and safeguarding (incident management)

• 24-hour emergency support ("incident management")

The following table shows the details of the data processing, its purposes and legal basis, and if applicable, the legitimate interests, potential recipients or categories of recipients of the personal data, and any third-country transfers, as well as the storage period.

Purpose

• To establish, maintain, and improve the compliance of customers and their authorized users with cyber security and data protection measures
• To ensure technical and organizational data protection (data security) and cyber security (information security) in order to protect the confidentiality, availability, and integrity of information and personal data
• To provide administrators (e.g., supervisors, managers, or IT employees) with an overview of the current security status and statistics on completed training courses or phishing tests. On this basis, we can measure and track the effectiveness of security measures and optimize these.
• To implement and monitor online training on the subjects of cyber security and data protection
• To issue personal certificates as proof of knowledge acquired on cyber security and data protection (certificate for evidence of GDPR)
• To enable the aggregated continuous monitoring of risk awareness and the statistical analysis of employee behavior
• To provide support to the employees of customers and their authorized users with regard to organizational and technical questions about cyber security and data protection ("customer service")
• To provide malware scans and darknet scans

Categories of data processed

• Surnames, first names, email addresses, personal status of Perseus registration,
• personal training status, test results, type of certificate issued,
• personal security status, personal results such as  "phishing detected", "training completed", "current browser", "security software installed"

Categories of recipients

• Administrators (e.g., supervisors, managers, or IT staff) of customers and their authorized users
• Organizational entities of customers or their authorized users which are required to provide evidence of GDPR, certificate holders (data subjects)
• Perseus customer service
• Data processor: Amazon Web Services Inc., The Rocket Science Group LLC

Third-country data transfer

USA (Amazon Web Services Inc., The Rocket Science Group LLC) based on the EU standard data protection clauses

Storage duration and criteria

• Insofar as customers and their authorized users are required to provide evidence of their compliance with cyber security and data protection, the evidence contains personal data, and the data is stored in Perseus' systems, the requirements specified by the customers and their authorized users will apply to the duration of storage
• In the case of order processing, the storage requirements specified by customers and their authorized users always apply
  Beyond this, data will be stored until the purpose for which it was stored has been fulfilled and, insofar as Perseus is required to comply with its own statutory retention obligations, until the expiry of these deadlines, after which it will be deleted

Legal basis

Compliance with a legal obligation pursuant to Art. 6 para. 1 c) GDPR

Legitimate interest of the data controller pursuant to Art. 6 para. 1 f) GDPR (Perseus has a legitimate interest in processing personal data for the performance of its contracts with customers and to provide services to its customers and their authorized users.)

Purpose

• To establish, maintain, and improve the compliance of customers and their authorized users with cyber security and data protection measures
• To ensure technical and organizational data protection (data security) and cyber security (information security) in order to protect the confidentiality, availability, and integrity of information and personal data
• To analyze and reconstruct security incidents
• To issue recommendations for action 
• To restore systems, applications, information, and data
• To document security incidents
• To preserve forensic evidence
• To ensure continuous improvement ("PDCA cycle")
• If necessary, to process insurance claims

Categories of data processed

• All personal connection and content data (master and transaction data) that is stored in the customer's compromised systems and processed by authorized users may potentially be accessed
• All personal data that is transferred to Perseus systems for analysis or forensic evidence preservation
• Contact details of the points of contact for customers and their authorized users, connection and content data of the correspondence

Categories of recipients

• Perseus incident management team
• Data processor: SEC Consult Deutschland Unternehmensberatung GmbH and TeamViewer Germany GmbH

Third-country data transfer
No

Storage duration and criteria

• Insofar as customers and their authorized users are required to provide evidence of their compliance with cyber security and data protection, the evidence contains personal data, and the data is stored in Perseus' systems, the requirements specified by the customers and their authorized users will apply to the duration of storage
• In the case of order processing, the storage requirements specified by customers and their authorized users always apply
• Beyond this, data will be stored until the purpose for which it was stored has been fulfilled and, insofar as Perseus is required to comply with its own statutory retention obligations, until the expiry of these deadlines, after which it will be deleted

Legal basis

• Compliance with a legal obligation pursuant to Art. 6 para. 1 c) GDPR
• Legitimate interest of the data controller pursuant to Art. 6 para. 1 f) GDPR (PERSEUS has a legitimate interest in processing personal data for the performance of its contracts with customers and to provide services to its customers and their authorized users.)

For the purpose of payment processing, we use the external payment services Stripe, Quaderno, and FastBill.

Purpose

• Payment processing (payments by credit card and SEPA direct debits)
• Automatic creation of invoices
• Semi-automatic creation of invoices

Categories of data processed

• Inventory data
• in particular account and payment card holder
• Bank details incl. account or credit card number
• Invoice amount
• Transaction number
• Contact details and contract information

Categories of recipients

• Stripe Payments Europe Ltd., (Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, "Stripe")
• Quaderno supplied by Recrea Systems, SLU (Fernando Guanarteme 111, 35010 Las Palmas, Spain, "Quaderno")
• FastBill GmbH (Wildunger Str. 6, 60487 Frankfurt a. M. "FastBill") (no end customers, but other contractual partners)
• Stripe, Quaderno, and Fastbill process your data on our behalf. In order to protect your data, we have concluded an order processing agreement with Stripe, Quaderno, and Fastbill.

Third-country data transfer
No

Storage duration and criteria

• after the statutory retention requirements have expired, 6 and 10 years respectively

Legal basis

• Art. 6 para. 1 b), c) and f) GDPR (performance of the contract, compliance with legal obligations, and legitimate interest)

If you are a newsletter subscriber who receives the Perseus newsletter, we process your personal data as follows:
The data you enter via the input mask provided for this purpose will be transmitted to us and processed when you register. It is mandatory to provide your email address when subscribing to the newsletter. The provision of any further data is voluntary and enables us to address you personally. At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

We use a double opt-in procedure to ensure that you only receive our newsletter if you really want to. To this end, we will send you a notification email. By clicking on the link contained in this email, you confirm that you actually want to receive our promotional emails or our newsletter.
Newsletter subscription

We use the Mailchimp system to send newsletters to the email addresses provided by subscribers.
Processing

Purpose

• To send our newsletter in a lawful manner

Categories of data processed

• Email address (required on contact form)
• The provision of any further data is voluntary and enables us to address you personally
• At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

Categories of recipients

• The Rocket Science Group LLC, 675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA 30308, USA as data processor

Third-country data transfer

• to the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

• After unsubscribing from the newsletter (you can unsubscribe at any time)

Legal basis

• Art. 6 para. 1 a) and b) GDPR (performance of the contract and consent)

We carry out statistical evaluations of our newsletter mailing process and the response to our newsletter. We use the "MailChimp" and "Mandrill" systems as well as tracking pixels. We evaluate user behavior in relation to newsletter subscriptions (e.g., when users open a message, which links they click on) and carry out statistical analysis of our newsletter campaigns.

Processing

• Statistical evaluation of the newsletter

Purpose

• To design effective, secure, and reader-friendly newsletters
• To secure the mailing process to the satisfaction of newsletter subscribers and thus to ensure customer acquisition

Categories of data processed

• Email address,
• where applicable name and company
• Technical information (time of retrieval, IP address, browser type, and operating system)
• This data is collected in pseudonymized form only and is not linked to your other personal data.

Categories of recipients

• The Rocket Science Group LLC (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA, "Rocket Science") as the data processor

Third-country data transfer

• to the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

• Evaluation data will be deleted after 12 months at the latest (after unsubscribing from the newsletter or deactivating the display of graphics in the email program)

Legal basis

• Art. 6 para. 1 f) GDPR (legitimate interest)

If you are a webinar participant, we process your personal data as follows:

You can participate in a webinar if you have registered for this in advance on our website. Webinars are implemented and followed up using the Freshworks and Zoom systems.

In the virtual seminar rooms, the personal data of lecturers and participants (collectively "participants") is processed. The lecturers and participants are therefore data subjects pursuant to the GDPR.  

When participants and lecturers log in and/or enter the virtual seminar rooms, they assign themselves a virtual name tag in order to identify themselves and to enable other webinar participants to address them. 

When a webinar is held, the lecturers and participants transmit video data, audio, screen content, and chat messages to everyone involved in the webinar, provided that the respective feature is enabled or actively used by the lecturer or the participant. Data is only stored and processed for the purpose of transmission and in order to document the participants; apart from this, webinars are generally not saved once the transmission has ended.

Participants have the option of chatting one-on-one in virtual private rooms or with all participants in the main room. Only the two participants involved in a one-on-one chat or the participants in the respective webinar have access to the content of the chat messages.

We occasionally take the opportunity to record webinars and subsequently make the recorded content available to the participants, as well as to document the webinar internally. If we are going to record a webinar, we will announce this in the webinar itself so that participants can decide whether they want to enable or actively use video data, audio, screen content, and chat messages and thus make them available for the recording.

We collect personal data from participants about their presence in the virtual seminar room, the length of their stay, and their use of features. This corresponds roughly to how we would observe participants in a real room.

Webinar participants via Freshworks and Zoom

Purpose

• To enable the technical implementation of webinars (transfer of names, camera images, audio, video content, and chat messages)
• To record webinars
• To issue participation certificates
• To follow up after webinars (e.g., by providing seminar documents and evaluating lecturers)
• To request feedback from participants and, where applicable, identify areas for improvement

Categories of data processed

• Contact information via contact form, email, telephone. Or via social media: name, email address, and optional telephone number
• Connection data: IP address as well as date and time of contact form registration; if necessary, transfer to third parties via cookies (this can be managed via the consent management tool), email address, social media user name, if necessary telephone number
• Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

• Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA ("Freshworks")
• Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113 ("Zoom")

Third-country data transfer

• to the USA (Freshworks and Zoom)

We have concluded agreements with Zoom and Freshworks based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

• After the end of the respective webinar, the chat content is automatically deleted.
• After we have aggregated and issued the attendance certificates, we delete the data from the virtual seminar room.

Legal basis

• Art. 6 para. 1 a), b) and f) GDPR (consent, contract performance, and legitimate interest)

Participants are regularly given the opportunity to evaluate lecturers at the end of the webinars. We use the Google Forms service for this. Organizationally, it is impossible for us to see individual participants' evaluations. We receive an aggregated evaluation of the lecturer.

Feedback via Google Forms

Purpose

• To request feedback from participants and, where applicable, identify areas for improvement

Categories of recipients

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Third-country data transfer

• To the USA (Google)
• We have concluded Agreements with Google based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

• Once evaluations are carried out

Legal basis

• Art. 6 para. 1 f) GDPR (legitimate interest)

Feedback via SurveyMonkey 
 

Purpose

• To request feedback from participants and, where applicable, identify areas for improvement

Categories of recipients

• SurveyMonkey Inc., One Curiosity Way, San Mateo, CA 94403

Third-country data transfer

• to the USA (SurveyMonkey)

We have concluded an Agreement with SurveyMonkey based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

• Once evaluations are carried out

Legal basis

• Art. 6 para. 1 f) GDPR (legitimate interest)

If you are an applicant, we process your personal data as follows:

We use the Personio recruiting system as a technical platform.

Applicant management

Purpose

• Participation in the application process for vacant positions
• Handling of the application process
• Implementation of pre-contractual measures
• Categories of data processed
• Name (first name and surname)
• Email address
• Telephone number
• Desired salary
• Availability
• Documents provided      (e.g., cover letter your resume and references)
• Information contained in the uploaded data (e.g. date of birth, address, etc.)

Categories of recipients

• authorized employees from HR
• Employees involved in the application process
• Employees of Personio GmbH (processor)

Third-country data transfer

• no

Storage duration and criteria

• Once purpose of processing has ended
• Storage period – 6 months from the end of the application process
• If the applicant is rejected, the data is deleted or anonymized. If the applicant is hired, the data is transferred to the applicant’s personnel file

Legal basis

• Art. 6 para. 1 b) GDPR (performance of contract).

If your personal data is processed, you are a data subject within the meaning of the GDPR. You have the following rights with respect to the data controller:
 

In accordance with Art. 15 GDPR, you have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you can request the following information from us: Purposes of the data processing; Categories of personal data being processed; Recipients and/or categories of recipients to whom your data has been or will be disclosed; planned storage period or, if specific information on this is not available, criteria for determining the storage period; Existence of your right to rectification or deletion of data, restriction of processing or objection to processing; Existence of your right to lodge a complaint with a supervisory authority; Source of your data, if not collected by us; Existence of automated decision-making including "profiling" and, where appropriate, meaningful information on its details; Transfer of personal data to a third country or to an international organization; appropriate safeguards in accordance with Art. 46 GDPR relating to the transfer.

In accordance with Art. 16 GDPR, you have the right to demand the immediate correction or completion of any personal data stored by us.

In accordance with Art. 18 GDPR, you have the right to demand the restriction of processing of your personal data if you contest the accuracy of the data, or if the processing is unlawful but you refuse to have the data erased. You can also demand the restriction of processing if we no longer require the data, but you require it to assert, exercise or defend legal claims, or if you have objected to the processing in accordance with Art. 21 GDPR.

In accordance with Art. 17 GDPR, you have your right to demand the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

In accordance with Art. 19 GDPR, if you have asserted your right to rectification, erasure or restriction of processing with respect to Perseus as the data controller, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to request that Perseus informs you about these recipients.

In accordance with Art. 20 GDPR, you have the right to receive the personal data that you provided to us in a structured, common and machine-readable format or to request its transfer to another data controller.

In accordance with Art. 21 GDPR, you have the right to object to the processing of your data at any time. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose; this also applies to "profiling" insofar as it relates to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.
 

In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent to the processing of your data at any time. Your withdrawal of consent does not affect the legality of the processing carried out on the basis of this consent up to the point of withdrawal.

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority responsible for your usual place of residence, place of work or the place of the alleged violation.

This Privacy Policy is valid as amended from time to time. You can visit our website at www.perseus.de/datenschutzerklaerung/ to access and print the current Privacy Policy at any time.

Last updated: May 2021