Data Privacy Policy

Data protection notices for clients, employees, website visitors and other stakeholders

With the following information, we would like to give you an overview of how FTI-Andersch AG (“FTI-Andersch”) processes your personal data and of your rights under data protection law. Which individual data is processed and how it is used depends substantially on your relationship with us: whether you are a client, an applicant, an employee, a website visitor or another affected data subject (such as a freelancer employed by us for a certain project or a party interested in our services). For this reason, not all parts of this information will apply to you.

Note

For reasons of better readability, we use the masculine form (generic masculine) for gender-specific designations and personal nouns. We always mean all genders in the sense of equal treatment. The abbreviated language form has editorial reasons and does not contain any value judgements.

Who is responsible for data processing and whom can I contact?

The controller is

FTI-Andersch AG
Taunusanlage 9-10
60329 Frankfurt am Main
Germany

You can reach our data protection officer at:

Attorney at Law
Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
50672 Cologne
Germany

datenschutz@fti-andersch.com

What data and sources do we use?

We process personal data that we receive from our clients in the course of our business relationship and from applicants and employees (including interns and working students) for hiring decisions or carrying out the employment relationship, from visitors to our website or other data subjects. In addition, we process – insofar as necessary for the provision of our service – personal data that we have obtained legally from publicly accessible sources (e.g. commercial and company registers, land registers, press, Internet) or which have been made available to us by third parties (e.g. by a credit agency).

Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality) and identification data (e.g. information on passports or ID cards). In addition, this may also include order information (e.g. from our order letter), data from fulfilling our contractual obligations (e.g. from our payment transactions), documentation data (e.g. consultation report) as well as other data comparable with the categories mentioned.

Why and on which legal basis do we process your data?

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

(1) Within the scope of employment (Art. 6 para. 1 lit. b GDPR)

We process personal data of our employees (including interns and working students) for the purpose of hiring, carrying out and terminating the respective employment relationship.

(2) Based on consent (Art. 6 para. 1 lit. a GDPR)

If you have given us your consent to process personal data for certain purposes (e.g. contacting, newsletter mailing, registration for our annual restructuring meeting), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e. before 25/05/2018. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.

(3) To fulfill (pre)contractual obligations (Art. 6 para. 1 lit. b GDPR)

The processing of personal data of our clients and freelancers employed by us on a project basis is carried out for the provision of our services in the context of the performance of our contracts with our clients or for the implementation of pre-contractual measures, which are carried out upon request. Further details on the data processing purposes can be found in the relevant contractual documents and terms and conditions.

(4) Based on legal obligations (Art. 6 para. 1 lit. c GDPR)

In addition, as a stock corporation we are subject to various legal obligations (e.g. under the German Commercial Code (HGB), Stock Corporation Act (AktG), Securities Trading Act (WpHG), the German Money Laundering Act (GwG) and tax laws). Processing purposes include, among others, the identification obligation for the prevention of money laundering, the obligation to create and retain manual files and the fulfillment of reporting obligations under tax law.

(5) Based on a balancing of interests (Art. 6 para. 1 lit. f GDPR)

If required in order to safeguard legitimate interests on our part, we will process your data beyond the purposes stated above, especially for

  • Measures for business management and further development of services and products
  • Advertising (also by way of direct approach) and market research insofar as you have not objected to the use of your data,
  • Assertion of legal claims and defense in legal disputes.

Who gets my data?

At FTI-Andersch, access to your data is granted to those persons who need it to fulfill our contractual and legal obligations. Service providers outside our company (esp. freelancers and IT service providers) and vicarious agents used by us may also receive data for these purposes; they are contractually obligated to maintain confidentiality and comply with data protection regulations in this regard. If the conditions for this exist, we also conclude data processing agreements. Other data recipients may be those entities for which you have given us your consent to transfer data or to which we are authorized to transfer personal data based on a balancing of interests.

Will data be transferred to a third country?

A data transfer to entities in countries outside the European Union (in so-called "third countries") does not take place in principle, unless,

  • it is required by law (e.g. due to reporting obligations under tax law, regulations to combat money laundering, terrorist financing and other criminal acts),
  • you have given us your consent to do so, or
  • a transfer of your personal data to an IT service provider in the USA or another third country, in compliance with the European data protection level, may be necessary to ensure IT operations and the CRM system at FTI-Andersch, or
  • it is personnel data of the employees of FTI-Andersch which, due to the employment relationship (e.g. for the purpose of human resources and general business administration, administration of performance evaluation, sick leave and absence management, disciplinary and complaint management), is transferred to FTI Consulting Inc. and affiliated companies in the USA.

How long will my data be stored?

We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which in any case is intended to last for several months and in many cases for years.

If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted, unless their (temporary) further processing is necessary for the following purposes:

  • Fulfillment of retention obligations under commercial and tax law, which may arise especially from the German Commercial Code, the German Stock Corporation Act, the German Money Laundering Act, the German Securities Trading Act and the German Fiscal Code. The periods specified there for the retention of corresponding documentation are generally two to ten years.
  • Preservation of evidence within the limits of the statutory limitation provisions. According to Sec. 195 et seqq. of the German Civil Code, these limitation periods can be up to 30 years, with the regular limitation period being three years.

What data protection rights do I have?

Each data subject has the

  • Right to withdraw consent according to Art. 7 para. 3 GDPR,
  • Right of access according to Art. 15 GDPR,
  • Right to rectification according to Art. 16 GDPR,
  • Right to erasure according to Art. 17 GDPR,
  • Right to restriction of processing according to Art. 18 GDPR,
  • Right to object according to Art. 21 GDPR,
  • Right to data portability according to Art. 20 GDPR.

Regarding the right of access and the right to erasure, the restrictions pursuant to Sec. 34 and 35 BDSG apply. In addition, there is a right of appeal to a competent data protection supervisory authority pursuant to Art. 77 GDPR in conjunction with Sec. 19 BDSG. The data protection supervisory authority responsible for FTI-Andersch AG is the Hessian Commissioner for Data Protection and Freedom of Information. He can be reached at the following contact details:

The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box (Postfach) 3163
65021 Wiesbaden
Germany

Telephone: +49 611 1408 – 0

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to FTI-Andersch before the applicability of the GDPR, i.e. before 25/05/2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

How is the right to object under Art. 21 GDPR designed?

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of a balance of interests (Art. 6 para. 1 lit. f GDPR); this also applies to profiling based on this provision within the meaning of Art. 4 no. 4 GDPR. In the case of so-called "profiling", we process your data in part automatically with the aim of evaluating certain personal aspects, for example in order to be able to provide you with targeted information and advice about our products and services. This enables us to provide needs-based communication, advertising and market research.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

In individual cases, we process your personal data in order to conduct direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling, insofar as it is connected with such direct advertising.

If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made informally with the subject "objection", stating your name, address and date of birth, and should be addressed to our data protection officer (see above).

Is there an obligation for me to provide data?

In the context of your business relationship with FTI-Andersch, you must provide all personal data that is necessary for the establishment, performance and termination of a business relationship and for the fulfillment of the associated contractual obligations, or which we are legally obligated to collect. Without this data, we will generally not be able to enter into, perform or terminate a contract with you.

In particular, under money laundering regulations, we are obliged to identify you by means of your identification document prior to the establishment of the business relationship and to collect and record your name, place of birth, date of birth, nationality, address and identification data (cf. Sec. 11 para. 1, 4 of the Money Laundering Act). In order for us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship requested by you.

To what extent does automated decision-making or profiling take place?

For the establishment and performance of business relationships, FTI-Andersch does not use fully automated decision-making pursuant to Art. 22 GDPR.

We process your data partly automatically with the aim of evaluating certain personal aspects (so-called profiling), for example, in order to be able to inform and advise you specifically about our products and services. This enables us to provide needs-based communication, advertising and market research.

What data is collected, processed or used for what purpose on the FTI-Andersch website?

(1) Cookies

The Internet pages of FTI-Andersch use cookies. They are used to recognize the users of our Internet pages (website visitors) and to make our offer user-friendly, effective and secure. Cookies are text files that are stored on the end device via the Internet browser.

The use of technically required cookies is based on the legitimate interest of FTI-Andersch pursuant to Art. 6 para. 1 lit. f GDPR or Sec. 25 para. 2 nr. 2 of the German Telecommunication-Telemedia Data Protection Act (TTDSG).

The use of technically not required cookies is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Sec. 25 para. 1 TTDSG.

Website visitors can prevent the setting of cookies by our Internet pages at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. It may then not be possible to use all the functions of our Internet pages to their full extent.

Furthermore, cookies that have already been set can be deleted via the Internet browser or other software programs. In addition, you can revoke your consent to the setting of cookies on our websites at any time via the cookie preferences settings at the bottom of our website (by clicking on “Cookies preferences”). For the rest, please refer to our cookies preferences under “Cookies” at the bottom of our websites.

Cookie consent with Usercentrics

This website uses the cookie consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your terminal device or to the use of certain technologies and to document this in accordance with data protection law. Provider is

Usercentrics GmbH
Sendlinger Str. 7
80331 Munich
Germany
Website: usercentrics.com
(hereinafter “Usercentrics”).

When you enter our website, the following personal data is transferred to Usercentrics:

  • Your consent(s) or revocation of your consent(s)
  • Information about your browser
  • Information about your terminal device
  • Time of your visit to the website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consent you have given or its revocation to you. The data collected in this way is stored until you request us to delete it, until you delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. The consent data (consent and revocation) are stored for three years. Mandatory legal storage obligations remain unaffected.

Usercentrics is used to obtain legally required consents for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

Data processing by Usercentrics takes place within the EU/EEA. For a data transfer outside the EU/EEA, written consent by FTI-Andersch is required.

Conclusion of a data processing agreement

We have concluded a so-called data processing agreement (hereinafter: DPA) with Usercentrics in which we oblige Usercentrics to protect the data of our website visitors. Through the DPA, Usercentrics undertakes to implement technical and organizational measures to protect the data.

Standard contractual clauses

For the provision of those services, Usercentrics uses Google Cloud EMEA Ltd. for hosting as a sub-processor with whom Usercentrics has agreed standard contractual clauses. The servers are located in the EU.

(2) Logging

The websites of FTI-Andersch collect a series of general data and information each time they are called up. This general data and information is stored in the server's log files. The following can be recorded:

  • the browser types and versions used,
  • the operating system used by the accessing system,
  • the website from which an accessing system arrives at our website (so-called Referrer),
  • the sub-websites that are accessed via an accessing system on our website,
  • the date and time of an access to the website,
  • an Internet Protocol (IP) address,
  • the Internet service provider of the accessing system and
  • other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, FTI-Andersch does not draw any conclusions about the data subject. Rather, this information is needed to

  • display the contents of our websites correctly,
  • optimize the content of our websites and the advertising for them,
  • ensure the long-term functionality of our information technology systems and the technology of our website, and
  • provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.

Therefore, FTI-Andersch analyzes anonymously collected data and information on the one hand for statistical purposes and on the other hand for the purpose of increasing the data protection and data security of our company, with the aim of ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

(3) Login data

To contact you as offered on our websites, send newsletters to you, register you for our annual restructuring meeting or similar, we ask for your name, address and e-mail address via a form-like input mask. By entering your data, you give us your consent to store the data as well as to use it for the respective purpose above. Consent given can be revoked at any time.

(4) Contact form, contacting per e-mail and contact management

You can contact us using a form provided on our website or by e-mail. The data you provide (in particular your e-mail address, your first and last name and the text of your request and, if applicable, other information you have provided in the contact form or by e-mail) will be stored by us when you contact us in order to process your request and respond to your concern.

The data processing is justified under Art. 6 para. 1 lit. f GDPR. We have an interest in contacting you through the website to address your concern. Insofar as your request is aimed at the fulfillment of a contractual or pre-contractual measure with you as a natural person, Art. 6 para. 1 lit. b GDPR is the legal basis for data processing.

We will delete the data generated during your concern/contact as soon as it is no longer required for processing your concern. Insofar as legal storage obligations exist, the data will be stored for the duration of the legally prescribed storage obligation. The use of the contact form is completely voluntary for you.

Contact form by Parlant

FTI-Andersch uses the web form services of Parlant GmbH to enable contacting FTI-Andersch via contact forms.

Parlant GmbH
Großgörschener Str. 15
06686 Lützen
Germany
(hereinafter: “Parlant”)

Data processing by Parlant

Parlant stores the information you provide via the contact forms so that FTI-Andersch can contact you afterwards and process your request. In addition, Parlant analyzes the information provided in the contact forms and connection data for the purpose of sorting out unwanted contact form entries.

Therefore, Parlant processes the following categories of personal data:

  • Names
  • Telephone numbers
  • E-mails
  • Behavioral data
  • Communication data
  • All personal data that you additionally and voluntarily enter in the free text field of the contact form

Group of persons affected by the data processing:

  • Visitors
  • Interested parties
  • Customers
  • Clients
  • Applicants

Legal basis

Data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR, as we have an interest in responding to your request. Insofar as your request is aimed at the fulfillment of a contractual or pre-contractual measure, we base the processing on Art. 6 para. 1 lit. b GDPR.

Storage period

Parlant deletes the personal data stored in the context of your request/your contact via the contact form as soon as it is no longer required for processing your request/your contract, at the latest after three months, provided that this deletion does not conflict with any further statutory retention period.

Conclusion of an agreement for data processing

We have concluded a so-called data processing agreement with Parlant in which we oblige Parlant to protect the data. The transfer of your personal data by Parlant to third parties such as service providers occurs only in limited circumstances. The service providers to whom data is transferred are contractually obligated to comply with the level of data protection and to ensure an adequate level of security.

In addition, Parlant processes your personal data exclusively in the EU/EEA.

You can find more information here.

Contact management with GEDYS

If you provide us with your business card, e.g. through an employee of FTI-Andersch, we will transfer your contact information from this business card into our database so that we can stay in contact.

To manage and maintain this contact information we use the CRM solution of GEDYS IntraWare GmbH.

GEDYS IntraWare GmbH
Eigilstraße 2
36043 Fulda
Germany
(hereinafter: “GEDYS”)

Data processing by GEDYS

GEDYS stores the contact information. In addition, the contacts entered into the GEDYS CRM solution can be linked to Microsoft Outlook, so that they are listed under the Outlook contacts of the board members of FTI-Andersch.

The following categories of personal data are processed:

  • Name, first name
  • Form of address
  • Firm
  • Position/function
  • Address
  • E-mail address
  • Phone number
  • Cell phone number
  • URL

The following persons are affected by the data processing:

  • Clients
  • Customers
  • Interested parties
  • Contracting parties

Legal basis

The data processing is based on your consent according to Art. 6 para. 1 lit. a GDPR. The handing over of your business card to a contact person of FTI-Andersch constitutes such consent to the data processing.

Storage period

Your personal data will be stored until you request us to delete it. FTI-Andersch can also arrange an earlier deletion. This applies as long as no legal retention periods prevent such deletion.

Conclusion of a contract for data processing

We have concluded a so-called data processing agreement with GEDYS, in which we oblige GEDYS to protect the data. If personal data is transferred to other service providers, they are contractually obligated to comply with the level of data protection and to ensure an adequate level of security.

Standard Contractual Clauses

For the provision of services, it may be necessary for GEDYS to transfer data to other countries, including countries outside the EU or EEA, and to process data there. The data may be transferred to subcontractors for this purpose. In such a case GEDYS uses standard contractual clauses.

You can find more information here.

(5) Newsletter data

If you would like to receive a newsletter offered by FTI-Andersch, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected, or is collected only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.

The processing of the data entered in the newsletter registration form is based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

The data you provide to us for the purpose of receiving the newsletter will be kept by us until you unsubscribe from the newsletter. It will also be stored by the newsletter service provider and deleted from the newsletter distribution list after unsubscribing from the newsletter. Data stored by us for other purposes remain unaffected by this.

After you have unsubscribed from the newsletter distribution list, your e-mail address will be stored by us or the newsletter service provider and, if applicable, it will be stored in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

(6) CleverReach

FTI-Andersch uses CleverReach to send newsletters and other marketing communications by e-mail, e.g. event invitations.

CleverReach GmbH & Co. KG
//CRASH Building
Schafjückenweg 2
26180 Rastede
Germany
(hereinafter: “CleverReach”).

CleverReach is a service that allows, among other things, the sending of newsletters and event invitations, which can be organized and analyzed. The data entered by you for the purpose of receiving the newsletter or other marketing messages from FTI-Andersch (e.g. e-mail addresses) are stored on CleverReach’s servers in Europe. If you do not want to receive newsletters or invitations, e.g. to events, you must unsubscribe from the newsletter or from receiving messages. For this purpose, a corresponding link is provided in every e-mail of an advertising nature.

Data analysis by CleverReach

With the help of CleverReach we can analyze our newsletter and event campaigns. In the reports, data on recipients' opening and clicking is presented anonymously. Technical information is also collected (e.g. time of retrieval, IP address, browser type and operating system). This information cannot be assigned to the respective recipient. It is used solely for statistical analysis of our campaigns to enable us to better tailor future e-mails to the interests of recipients.

CleverReach's privacy policy can be found here.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter or the receipt of marketing messages in general. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide to us for the purpose of receiving the newsletter or other marketing messages will be stored by us or CleverReach until you unsubscribe from the messages. After unsubscribing from messages, they are deleted from both our servers and CleverReach's servers. Data that has been stored by us for other purposes remains unaffected by this.

After you have unsubscribed from the distribution list, your e-mail address will be stored by us or CleverReach in a blacklist, if necessary, in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending marketing messages (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

Conclusion of a contract for data processing

We have concluded a so-called data processing agreement with CleverReach in which we oblige CleverReach to protect our customers' data and not to pass it on to third parties.

(7) Code Piraten GmbH (guestoo)

FTI-Andersch uses the service of the Code Piraten GmbH for the purpose of guest and participant management at events.

Code Piraten GmbH
Am Rumbach 44
45149 Essen
Germany
(hereinafter: “Code Piraten”)

Data processing by Code Piraten

FTI-Andersch sends out the invitations for events by e-mail. Participants can use the registration form linked in the invitation e-mail to provide information about their attendance. Code Piraten GmbH provides the software “guestoo” for organizing the registration form. The information collected via the registration form is transmitted by guestoo to the responsible employees at FTI-Andersch for further organization of the corresponding event.

Code Piraten processes the following categories of personal data on behalf of FTI-Andersch:

  • Name, first name
  • Address
  • E-mail address
  • Telephone number
  • Cell phone number
  • Firm
  • Position

The following categories of natural persons are affected by the data processing:

  • Clients
  • (Former) employees
  • Newsletter subscribers
  • Website visitors
  • Business contacts

Legal basis

The data processing is based on the contract for participation in the corresponding event (Art. 6 para. 1 lit. b GDPR), which you enter into at the time of sending the registration form.

Storage period

FTI-Andersch deletes the data four weeks after the end of the corresponding event.

In the guestoo software, backups are deleted on a rolling basis, so that the data is also physically deleted after 3 months at the latest.

Conclusion of a contract for data processing

We have concluded a so-called data processing agreement with Code Piraten, in which we oblige Code Piraten to protect the data.

You can find more information about the privacy policy here.

(8) Recruitee

In order to optimize applicant management and for purposes of personnel restructuring and talent acquisition, FTI-Andersch uses the Recruitee recruiting software.

Recruitee B.V.
Keizergracht 313
1016 EE Amsterdam
Netherlands
(hereinafter: “Recruitee”).

Data processing by Recruitee

The processing of personal data relates to applicants, potential applicants, candidates and potential candidates for jobs and for project work at FTI-Andersch. In addition, the personal data of visitors to the FTI-Andersch careers website and of all persons who visit the referral website are processed.

Recruitee processes the following categories of personal data of candidates on behalf of FTI-Andersch:

  • Contact details, including names
  • CVs
  • E-mail correspondence
  • Address
  • Professional career
  • Letter of motivation and other application documents
  • Candidate information collected via integrations between services and via third party services on behalf of FTI-Andersch.
  • Notes on candidates
  • Candidate reviews
  • Other personal data processed in the context of the services in relation to candidates

On behalf of FTI-Andersch, Recruitee processes the following personal data in relation to visitors to the careers website:

  • Traffic source
  • HTTP requests and responses
  • Cookies
  • Date and time of use
  • Other personal data related to visitors and processed within the scope of the services.

Recruitee may process the above mentioned personal data only to the extent that it falls within the scope of the service used by FTI-Andersch and will store them on Recruitee's servers in Europe except where personal data has been anonymized and used to improve the services.

Recruitee takes and maintains appropriate technical and organizational measures to protect your personal data from destruction, loss or unauthorized access or other forms of unauthorized or unlawful processing of personal data.

Storage period

Application documents

The use and storage of application documents and the personal data contained therein are exclusively for the purpose of the application and in the event of an unsuccessful conclusion of the application process, the documents provided will be deleted after the expiry of eight months from receipt of the application, unless mandatory legal provisions and/or official or judicial requirements prevent deletion, or longer storage has been expressly agreed to (e.g. storage in the talent program).

In special cases, FTI-Andersch may ask for consent to store data for a longer period of time, e.g. for inclusion in the talent program or in the freelancer list.
In this case, you will receive a request for consent to the storage, or to an extension of the storage, of your data and, if necessary, to receive company news. You will receive a link to provide consent and have 30 days to respond to the link. If you decline the request or do not respond, your status will be reset to what it was before you sent the request.

Conclusion of a contract for data processing

We have concluded a so-called data processing agreement with Recruitee in which we oblige Recruitee to protect our customers' data and not to pass it on to third parties.

Standard Contractual Clauses

Recruitee does not transfer personal data to third countries unless Recruitee has received prior written consent from FTI-Andersch, which is only given if candidates and other visitors to the careers website consent to such transfer. Recruitee uses standard contractual clauses in the event that no proper adequacy decision or other appropriate mechanism for the transfer of personal data to a third country applies and a transfer requires such a decision or mechanism under applicable data protection legislation.

In addition, Recruitee subcontracts Google Cloud Platform, Ziggeo, Amazon Web Services, Recruitee, Textkernel and Mailgun.

You can find more information here.

(9) YouTube

FTI-Andersch has integrated YouTube components on its website.

The operating company of YouTube is

YouTube, LLC
901 Cherry Ave., San Bruno
94066 California (USA)

YouTube, LLC is a subsidiary of the

Google Inc.
1600 Amphitheatre Pkwy, Mountain View
94043-1351 California (USA)

YouTube is an Internet video portal that allows video publishers to post video clips free of charge and enables other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all kinds of videos, which is why complete film and TV shows, but also music videos, trailers or videos made by users themselves can be accessed via the Internet portal.

Each time one of the websites operated by FTI-Andersch is called up, on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the data subject is automatically caused by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube.

Within the scope of this technical procedure, YouTube and Google receive information about which specific subpage of our website is visited by the data subject by setting cookies. When a subpage containing a YouTube video is called up, YouTube recognizes which specific subpage of our website the data subject is visiting. This information is collected by YouTube and Google.

Data processing

YouTube and Google store personal data such as the IP address and the behavior of the data subject on our websites.
YouTube and Google use the collected data to personalize their own services. These include among others the provision of recommendations and personalized content.

Legal basis

Data processing by YouTube

We use the extended privacy mode of YouTube.
YouTube always receives information via the YouTube component that the data subject has visited websites if the data subject has consented to the setting of YouTube cookies after calling up our websites. The data processing by YouTube is thus based on your consent (Art. 6 para. 1 lit. a GDPR). You can change or revoke this consent at any time by setting the cookies preferences according to the link at the bottom of our web pages (by clicking on "Cookies preferences").

Data processing by Google

Google receives information via the YouTube component that the data subject has visited our websites as soon as the data subject calls up our websites. This takes place regardless of whether the data subject clicks on a YouTube video or not. Such transmission of this information to Google cannot be prevented. This connection to the Google network can trigger further data processing operations without our influence.

The privacy policy published by YouTube is available under this link.

More information about YouTube can be found here.

(10) LinkedIn

FTI-Andersch has integrated components of the LinkedIn Corporation on its websites.

LinkedIn is an Internet-based social network that allows users to connect with existing business contacts and make new business contacts.

With each individual call up of our websites that are equipped with a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a corresponding representation of the component from LinkedIn. As part of this technical process, LinkedIn receives information about which specific subpage of our website is visited by the data subject.

If the data subject is logged in to LinkedIn at the same time, LinkedIn recognizes which specific subpage the data subject is visiting each time the data subject calls up our websites and for the entire duration of the respective stay on our websites. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the person concerned. If the data subject activates a LinkedIn button integrated on our website, LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores this personal data.

LinkedIn always receives information via the LinkedIn component that the data subject has visited our website if the data subject is logged into LinkedIn at the same time as calling up our website; this takes place regardless of whether the data subject clicks on the LinkedIn component or not.

If the data subject does not want this information to be transmitted to LinkedIn, he or she can prevent the transmission by logging out of his or her LinkedIn account before accessing our website.

LinkedIn offers the ability to unsubscribe from e-mail messages, SMS messages, and targeted ads, as well as ad settings here. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame, which may set cookies. Such cookies can be rejected here.

The operating company of LinkedIn is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA.

For privacy matters outside the U.S., LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible.

LinkedIn's applicable privacy policy is available here. LinkedIn's cookie policy is available here.

Further information on LinkedIn plug-ins can be found here.

LinkedIn Insights and Conversion Tracking

The websites of FTI-Andersch use the LinkedIn Insight Tag of the LinkedIn network.

Provider is the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

The LinkedIn Insight Tag creates a LinkedIn "browser cookie" that collects the following data:

  • IP address
  • Timestamp
  • Page activities
  • Demographic data from LinkedIn, if the user is an active LinkedIn member

Using this technology, FTI-Andersch can generate reports on the performance of our advertisements as well as website interaction information. For this purpose, the LinkedIn Insight tag is integrated on the websites of FTI-Andersch, whereby a connection to the LinkedIn server is established if you visit this website and are logged into your LinkedIn account at the same time.

FTI-Andersch processes your data to evaluate campaigns and collect information about website visitors who may have reached FTI-Andersch through campaigns on LinkedIn.

We process your data because you have consented to this (Art. 6 para. 1 lit. a GDPR). FTI-Andersch stores your data for as long as we need it for the respective purpose (campaign evaluation) or, respectively, for as long as you have not objected to the storage of your data or revoked your consent. The collected data is encrypted.

(11) Xing

FTI-Andersch has integrated components of Xing on its websites.

Xing is an Internet-based social network that allows users to connect with existing business contacts and make new business contacts. Individual users can create a personal profile of themselves on Xing. Companies can create company profiles or publish job offers on Xing.

With each individual call up of our websites on which a Xing component (Xing plug-in) has been integrated, the Internet browser on the information technology system of the data subject is automatically caused by the respective Xing component to download a representation of the corresponding Xing component from Xing. Further information on the Xing plug-ins can be found here. As part of this technical process, Xing receives information about which specific subpage of our website is visited by the data subject.

If the data subject is logged in to Xing at the same time, Xing recognizes which specific subpage of our website the data subject is visiting each time the data subject calls up our website and for the entire duration of the respective stay on our website. This information is collected by the Xing component and assigned by Xing to the respective Xing account of the person concerned. If the data subject activates one of the Xing buttons integrated on our website, for example the "Share" button, Xing assigns this information to the personal Xing user account of the data subject and stores this personal data.

Xing always receives information via the Xing component that the data subject has visited our website if the data subject is logged into Xing at the same time as calling up our website; this takes place regardless of whether the data subject clicks on the Xing component or not. If the data subject does not want this information to be transmitted to Xing, he or she can prevent the transmission by logging out of his or her Xing account before accessing our website.

The operating company of Xing is XING SE, Dammtorstraße 30, 20354 Hamburg, Germany.

The privacy policy published by Xing, which can be found here, provides information about the collection, processing and use of personal data by Xing. Furthermore, Xing has published Privacy notices for the Xing Share button here.

(12) Instagram

FTI-Andersch operates a fan page on the social network Instagram (hereinafter: “Instagram fan page”) for the purpose of online marketing. Posts are published on the Instagram fan page. These include posts that contain photos and videos (hereinafter: “image recordings”) on which i.a. employees and other persons (hereinafter: “persons”) can be seen, e.g. at events organized by FTI-Andersch.

In addition, the Instagram fan page enables contact with FTI-Andersch through direct messages, the Like function and other reaction and interaction possibilities in connection with FTI-Andersch posts and comments. The operating company for Instagram is

Meta Platforms Ireland Limited
4 Grand Canal Square
Dublin 2
Ireland
(hereinafter: “Instagram”)

Data processing

1. Data processing by Instagram

Insofar as personal data is processed in connection with the Instagram fan page and Instagram determines the purposes and means of the processing, Instagram is sole controller of the processing within the meaning of the GDPR.

Instagram processes i.a. content created by FTI-Andersch. In this context, Instagram processes personal data of persons to the extent that FTI-Andersch provides them. If FTI-Andersch publishes an image recording of you and labels it with your name, Instagram processes in particular the following categories of your personal data:

  • First and last name
  • Image recording

Further data processing by Instagram takes place if you have your own Instagram account or visit Instagram pages. E.g., Instagram collects and receives information from and about the app you use, the browser and devices (i.a. IP address).

2. Data processing by FTI-Andersch

If personal data is transferred to FTI-Andersch via the Instagram fan page of FTI-Andersch and FTI-Andersch determines the purposes and means of the processing, FTI-Andersch is the sole controller of the processing within the meaning of the GDPR.

Depending on the type of post and image recording, processing by FTI-Andersch is based on Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in particular in the presentation and promotion of the event organized by FTI-Andersch.

In addition, the data processing in the context of publishing the image recording taken of you, including your first and last name if applicable, is based on the consent (Art. 6 para. 1 lit. a GDPR) that you give to FTI-Andersch for publishing. You can revoke this consent at any time by sending an e-mail to datenschutz@fti-andersch.com.

Insofar as your personal data is processed in the context of responding to a direct message you send to FTI-Andersch, the permissibility of this processing is based on Art. 6 para. 1 lit. f GDPR, as we have an interest in responding to your request. If the contact is aimed to conclude a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

3. Instagram-Insights

Instagram provides FTI-Andersch, as the administrator of the Instagram fan page, with so-called “Instagram Insights” (hereinafter: “Insights”). These are key figures that provide information on how FTI-Andersch’s posts are received by the target group. Instagram also uses cookies to provide these Insights.

You can find more information about the Insights here.

Instagram and FTI-Andersch are jointly responsible for data processing in connection with the Insights within the meaning of Art. 26 GDPR.

The permissibility of this processing by FTI-Andersch is based on Art. 6 para. 1 lit. f GDPR, as we have an interest in measuring the range and effectiveness of our posts and thus of our online marketing measures.

Storage period

The data will be stored for as long as FTI-Andersch as data exporter provides them to Instagram. In some cases, the data will be stored by Instagram for a longer period of time.

Standard data protection clauses and adequacy decisions

For the provision of the services, Instagram transfers the collected data, including image recordings and names of persons that FTI-Andersch shares on its Instagram fan page, worldwide both internally between branches and data centres and externally with i.a. other partners, providers and service providers.

In the case of transfers of data to other countries outside the EU, Instagram enters into standard contractual clauses or relies on adequacy decisions, where applicable. Regarding the transfer of data to the US, Instagram has confirmed its participation in the EU-US Data Privacy Framework.

For more information, see Instagram's privacy policy.

(13) Typeform SL (Videoask)

FTI-Andersch uses the service "Videoask" of the provider for recording and playing videos.

Typeform SL
Carrer Bac de Roda, 163, local,
08018 - Barcelona (Spain)
(hereinafter: Typeform)

Typeform is a service for providing interactive videos to website visitors.

Data processing by Typeform

For the provision of its services, Typeform processes personal data in the sense of data collection, storage, organization, hosting and deletion.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can change or revoke this consent at any time via the cookie preferences settings according to the link at the bottom of our websites (by clicking on "Cookies Preferences").

Storage period

The data will be stored as long as FTI-Andersch as data exporter needs the services of Typeform.

Conclusion of an agreement for data processing

We have a so-called data processing agreement with Typeform, in which we obligate Typeform to protect the data of our website visitors.

Standard contractual clauses

For the provision of the services, it may be necessary for Typeform to transfer the data to other countries, also outside the EU, and to process it there. The data may be transferred to subcontracted processors for this purpose. In such a case, Typeform uses standard contractual clauses.

You can find more information here.

(14) Bonza Interactive Group LLC (Verse)

FTI-Andersch uses the service "Verse" of the provider for recording and playing videos.

Bonza Interactive Group LLC
43-01 22nd Street,
Studio 501
Long Island City
10065 New York (USA)
(hereinafter: “Bonza”)

Bonza is a service that allows website visitors to be provided with interactive videos.

Data processing by Bonza

Bonza undertakes to never disclose personal data to third parties for their sales and marketing purposes. Personal data will only be disclosed to third parties for own business purposes or to fulfill contractual or legal obligations. Bonza may share personal data with businesses with which Bonza partners to offer among others products and advertising. Bonza may allow authorized partners, advertising companies and ad networks to use tracking technologies such as cookies to collect information about persons who view or interact with their advertisements.

If you consent to the data processing by Bonza, tracking technologies from Twitter will also be placed on the FTI-Andersch website. These technologies store information about your visit to the website, pass it to Twitter and help to identify users if you use Twitter services.

You can find more information about Twitter’s use of tracking technologies here. Twitter’s privacy policy can be found here.

Legal basis

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can change or revoke this consent at any time via the cookie preferences settings according to the link at the bottom of our websites (by clicking on "Cookies Preferences").

Standard contractual clauses

Bonza also transfers personal data outside of Germany, for example to the USA. To make data transfers secure, Bonza enters into standard contractual clauses or implements other security measures as necessary.

Storage period

Data is stored for as long as necessary for the business purposes for which it was collected and processed.

You can find more information on the privacy policy here and at this link.

(15) Sanity AS

FTI-Andersch uses the content management system hosting service of Sanity AS

Sanity AS
Trondheimsveien 2
0560 Oslo (Norway)

Data processing by Sanity

FTI-Andersch uses the service of Sanity to manage the content to be displayed on the websites of FTI-Andersch. For this purpose, FTI-Andersch uploads texts, photos and videos to the Sanity service. On behalf of FTI-Andersch, Sanity thus also processes personal data. Sanity processes the following personal data, among others:

  • Name
  • Photo recording
  • Video recording

Group of persons affected by the data processing:

  • Employees
  • Customers/clients

This data is always stored on servers within the EU operated by Sanity's contracted processor, Google Cloud Platform. However, it is possible that this data may be temporarily stored or cached in a country where Google or its agents maintain facilities.

Sanity, as a data controller within the meaning of the GDPR, processes data when accessing Sanity services.

For the purposes of security, troubleshooting, and overall statistics, the following data is processed without being associated with any specific individual:

  • IP address
  • Date and time of access
  • Browser type and version
  • Operating system
  • URL of the previously visited website
  • Amount of data
  • Performance data such as latency and caching

For logged-in users of Sanity services (e.g., employees of FTI-Andersch), authentication information is transmitted via cookies, among other things, so that the Sanity system can authenticate and authorize the request and make decisions based on the logged-in user.

Data that a user enters via the customer account, e.g. in the free text field, is also processed.

The data that Sanity, as data controller, processes may also be processed outside the EU, primarily in the United States.

For such transfers to third countries, adequate safeguards are in place, including data processing contracts that are compatible with the standard data protection clauses.

Legal basis

The data processing, for which FTI-Andersch is responsible under data protection law, is based on our legitimate interest in managing the FTI-Andersch websites (Art. 6 para. 1 lit. f GDPR).

Storage period

Data is stored for as long as necessary for the purposes for which it is collected and processed.

Access logs are deleted or anonymized within 90 days of their collection. If a user account is deleted, the data will be deleted within 90 days, unless legal retention periods prevent deletion. In certain cases, the data may remain in the systems of the subcontracted processor Google Cloud Platform for up to 180 days.

You can find more information here.

(16) Vercel, Inc.

FTI-Andersch uses services of the provider Vercel, Inc.

Vercel Inc
440 N Barranca Ave #4133
Covina
91723 California (USA)
(hereinafter: “Vercel”)

Vercel offers a cloud platform for on-demand delivery and related hosting and sharing services.

Data processing by Vercel

On behalf of FTI-Andersch, Vercel operates and hosts the FTI-Andersch websites. In doing so, Vercel processes, among other things, information of FTI-Andersch customers. To provide its services, Vercel processes the information that FTI-Andersch provides to Vercel. Vercel processes the following personal data, among others:

  • Name
  • Photo recording
  • Video recording
  • IP addresses
  • System configuration information

Group of persons affected by the data processing:

  • Employees
  • Customers/clients

Vercel's data processing takes place primarily in the USA. The data may also be processed in all other jurisdictions where Vercel operates.

Legal basis

Data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR, as we have an interest in providing the FTI-Andersch websites.

Storage period

Prior to the termination of the agreement between FTI-Andersch and Vercel, Vercel will process the stored data for the purpose of providing the services until FTI-Andersch decides to delete these data through the Vercel services. Deletion by Vercel will not occur if legal retention obligations prevent it.

Standard contractual clauses

In case of transfer of personal data by Vercel to third countries, the standard data protection clauses apply.

Conclusion of an agreement for data processing

We have concluded a so-called data processing agreement with Vercel, which is based on the standard contractual clauses. In this agreement, Vercel is obligated to protect personal data and, in the case of subcontracted processing, to enter into data protection regulations corresponding to our data processing agreement.

Where Vercel transfers personal data to sub-processors in third countries, Vercel uses standard contractual clauses if no ordinary adequacy decision applies to the transfer of personal data to a third country and a transfer requires such a decision under applicable data protection legislation.

You can find more information on the data protection provisions here.

(17) Microsoft 365

FTI-Andersch uses Office applications and cloud services from Microsoft 365, among others Microsoft Exchange (e-mail, address book, calendar, tasks), SharePoint (file storage and editing, application platform), Microsoft Teams (file sharing, chat, telephony, video conferencing solution) and Microsoft Forms (survey creation and execution).

The operating company of Microsoft 365 is the
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
Ireland (hereinafter: "Microsoft")

Data processing by Microsoft

The purpose of the processing by Microsoft is to provide a workplace that enables collaboration and communication within and outside of FTI-Andersch. Collaboration here is understood to mean, for example, joint work on files, e-mail communication, meetings, live broadcasts and innovative tools.

The processing of personal data refers to employees of FTI-Andersch and all persons such as customers and contractors (current, former, future) who communicate with FTI-Andersch via Microsoft 365 applications.

Microsoft processes on behalf of FTI-Andersch among others the following categories of personal data:

  • Professional contact, work, and organizational data (e.g. first name, last name, e-mail, company, social media identifiers, if applicable photo)
  • Private telephone numbers and private data that users enter into the system
  • Authentication data (e.g. user name, password or PIN code, security question)
  • Unique identification numbers and signatures (e.g. IP addresses, signature)
  • Position data and location data (e.g. location at start/end of call)
  • Administrative events (e.g. joining a team, creating a channel, sending an e-mail, etc.)
  • Photos, videos and audio
  • Contents (e.g. contents of the files and communications you enter, upload, receive, create, and control)
  • Metadata (for example, about calls and meetings (e.g. network status, date/time/duration, terminals used, audio quality data))
  • Internet activities (e.g. browsing history, search history)
  • Device identification (e.g. SIM card number)

Data processing especially with the use and application of Microsoft Forms

FTI-Andersch regularly uses Microsoft Forms as part of Microsoft Office 365 for the purpose of conducting internal anonymous and non-anonymous online surveys (employee surveys). Surveys can be addressed in different ways (via hyperlink, QR code, embedding in web page or e-mailing). Participation in surveys is voluntary and possible without user registration with Microsoft.

An employee survey is considered anonymous if FTI-Andersch cannot draw any conclusions about the responding employee (e.g. Team Call surveys, query feedback Academies). On the basis of the survey results, anonymous evaluations are made by the processor, which have no reference to the respondent.

In the case of a non-anonymous employee survey, FTI-Andersch can draw conclusions about the responding employee and identify him or her (e.g. query participation/content of management jour fixe, query participation in FTI events and related information such as overnight stays, meal requests, allergies, etc.). In this case, the recipients of the personal data are the creator of the employee surveys and other persons at FTI-Andersch (e.g. HR), if required for the purpose of the employee survey.

If personal data is specifically collected and further processed via surveys, FTI-Andersch will inform the employees separately in advance and - if necessary - ask for their consent. You can find more information about privacy for Microsoft Forms here.

In particular the following personal data is processed by Microsoft Forms:

  • Name and contact details
  • Login information
  • Demographic data
  • Device and usage data
  • Position data
  • Contents specified in the employee survey
  • Health data, if applicable

In the case of anonymous employee surveys, FTI-Andersch may view the following data:

  • Content specified in the employee survey

In the case of non-anonymous employee surveys, FTI-Andersch may view the following data depending on the purpose of the query/survey:

  • Name, first name
  • Content specified in the employee survey
  • Health data (e.g. allergies, food preferences)

Data processing specifically when deploying and using Microsoft Teams

Through the Microsoft Teams video conferencing solution, FTI-Andersch can offer participation via video/audio in online events. FTI-Andersch uses Microsoft Teams to conduct online events, enable collaborative work on files and internal company communication. In doing so, FTI-Andersch uses the Team Meetings mode with Microsoft Teams. In general, there is no recording of the event.
In exceptional cases, recording may take place under the following conditions:

  • Prior explicit announcement of the planned recording to the participants twice (firstly when inviting and secondly before the start of the event to be recorded)
  • Participants will be provided with the link to this general data protection information

Participants are provided with the following supplemental privacy information:

  • Concrete purpose of the recording
  • Person responsible for recording (function, role)
  • Authorized users of the recording or addressees to whom the recording is to be made available
  • Location and duration of the recording

In particular the following personal data is processed by Microsoft Teams:

  • Communication data (e.g. e-mail address, if this is specified on a personal basis).
  • Log files, log data
  • Metadata (e.g. IP address, time of participation, etc.)

Microsoft implements and maintains technical and organizational measures to protect your personal data from destruction, loss, or unauthorized access or other forms of unauthorized or unlawful processing of personal data.

Cookies

Microsoft uses cookies and similar technologies to store and maintain preferences and settings.

Legal basis

The data processing is carried out for the fulfillment of (pre)contractual obligations according to Art. 6 para. 1 lit. b GDPR for external parties and internal employees and, in the case of image and sound recordings, on the basis of consent in accordance with Art. 6 para. 1 lit. a GDPR. Processing within the scope of log files and metadata is carried out on the basis of legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (legitimate interest to detect misuse and ensure IT security and continuous improvement of services).

You can revoke your consent at any time, among others by sending an e-mail to datenschutz@fti-andersch.com. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.

Disclosure of data within the scope of the processing activity to recipients or categories of recipients

In some cases, data is passed on to FTI Consulting, Inc. Sharing takes place through the forwarding of e-mails that contain personal information, as well as through communication held with FTI Consulting, Inc. via Microsoft Teams (video conference, phone call, chat).

Storage period

The personal data will be processed and stored as long as FTI-Andersch uses Microsoft 365 applications.

Metadata from calls and meetings are stored by Microsoft for a maximum of 120 days (depending on the date). The data is then deleted automatically. The deadlines for live events (120 days) and Teams meetings/calls (90 days) cannot be adjusted.

If FTI-Andersch deletes the personal data itself, it will also be deleted by Microsoft after 180 days at the latest, provided that this deletion does not conflict with any further statutory retention period.

If no active deletion of the personal data takes place on the part of FTI-Andersch, the personal data will be deleted no later than 180 days after the expiration of the termination of a Microsoft 365 subscription.

Conclusion of an agreement for data processing

We have concluded a so-called data processing agreement with Microsoft in which we oblige Microsoft to process the data of our employees etc. in accordance with the data protection laws. The standard contractual clauses are included in this data processing contract.

Standard contractual clauses

It cannot be excluded that in individual cases personal data may also be transferred to other countries outside the EU (e.g. to the USA) and processed there. The data may also be transferred to subcontracted processors for this purpose. In such a case Microsoft uses standard contractual clauses.
You can find more information here.

(18) Realtimeboard Inc. dba Miro

FTI-Andersch uses an online whiteboard tool for the purpose of collaboration and common exchange on specific topics, i.a. in workshops with (potential) clients.

The provider of the online whiteboard tool is

Realtimeboard Inc. dba Miro
201 Spear Street
Suite 1100
San Francisco, CA 94105
United States
(hereinafter: "Miro")

Data processing by Miro

Data is processed when accessing the Miro website, registering and using the tool:

  • Service metadata of authorized users
  • Log data (i.a. IP address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences).
  • Device data (i.a. device type, operating system used, device settings, application ID, unique device identifiers, crash data; whether some or all of the data is collected often depends on the device type and its settings)
  • Location data
  • Name of registered user
  • E-mail address of registered user
  • All personal data entered into the online whiteboard

Miro uses cookies and similar technologies on its own website and services. You can find more information about these technologies and how you can opt out of them in the Miro Cookies Policy.

Legal basis

Data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the common exchange, e.g. during a workshop, as well as in the preparation and provision of the results afterwards.

Storage period

Miro stores the personal data for as long as the tool is used. The personal data will be stored for 180 days after termination or expiry of the agreement between Miro and FTI-Andersch.

Conclusion of an agreement for data processing

We have concluded a so-called data processing agreement with Miro, in which we oblige Miro to protect the data. The standard contractual clauses are included in this data processing agreement.

Data processing in third countries

Miro customer content is hosted in Europe, including computing infrastructure, production data and backup data. This data residency in the EU also applies to the sub-processors Amazon Web Services, Inc. (Hosting) and Zendesk, Inc. (Support).

However, it cannot be excluded that personal data may also be transferred to other countries outside the EU (e.g. to the USA) and processed there. The data may also be transferred to sub-processors for this purpose. In such a case, Miro takes steps to ensure that suitable guarantees are in place to guarantee the protection of personal data, e.g. by entering into standard contractual clauses.

You can find more information here.