Data Protection

Data Protection at PASS

The matter of data protection and data security is of vital importance for PASS and therefore given top priority. Data protection for PASS extends beyond legal requirements and is an essential image factor as well as an important aspect regarding quality and competitiveness.

The extent of protection covers the handling of personal data from individuals as well as other confidential or sensitive data. As a data processor, PASS is bound to professional secrecy regarding any data stored at PASS. The rights to disclose and to refuse disclosure apply to the same extent as for PASS' customers.

All PASS employees undergo rigorous routine checks as early as their recruitment. They are bound to data secrecy, telecommunications secrecy and to keeping business secrets – also those of external clients / business partners (e.g. banking confidentiality).

The priority of data protection is reflected by a continuous investment in extensive and effective data protection and security systems. The risk of unauthorized access is therefore technically reduced to a minimum and is far lower than at clients where, in personnel terms, there is a lack of interest in the subject.

Data protection measures

At PASS, a comprehensive data protection concept is in force that includes the necessary precautionary measures to ensure the security of all premises and data storage as well as uninterrupted operation from a constructional, personnel, organizational and also technical perspective. All processing procedures for data processing orders are developed and monitored in finely tuned processes, starting from the submission of data to the dispatch of files. The protection requirements are secured by the clear separation of functions in operation.

Data protection policy

Our highest priority is data protection; this applies to our internet services as well as our conventional services. At PASS, we have established protective measures applicable to the complete handling of confidential or security-sensitive data that comply with, and when possible and justified go beyond, the applicable legislation for the protection of personal data and data security. The protection of personal data throughout customer projects is of great importance to us and we would like you, as our customer, to feel secure.

For this reason we would like to inform you about the data protection measures we implement for our Internet offers:

Collection and processing of personal data

Whenever you visit our public websites, our web servers are generally configured to temporarily store the connection data of the inquiring computer for security purposes – including the website you are visiting, the date and time of your stay, the identification data of the browser used and the type of operating system as well as the website you visited us from. Additional personal data such as your name, address, telephone number or e-mail address are not recorded unless these data are submitted voluntarily by you, for example in the process of creating an account, filling in a survey or requesting information.

Handling of e-mail addresses

If you send us an e-mail, we will only use your e-mail address for correspondence with you.

Information option 

Upon written request, our data protection officer would be happy to provide you with information as to whether and if so, which personal data we store in relation to you. Should your personal data be incorrect, you may have this rectified immediately. Any such information or modification is free of charge.

Moreover, you are entitled to revoke your consent to the use of data in the future, in whole or in part. Should you desire this, we will delete or block your relevant data. In order to assert such rights, please contact the PASS data protection officer (for contact information, see below).

Security

PASS implements technical and organizational security measures in order to protect the data we manage for you from manipulation, loss, damage and access from unauthorized individuals. Your data will be stored in a safe operating environment with no public access. Our security precautions are improved continuously on par with technological development.

Audit certificate

External companies review PASS' adherence to standards such as ISO/IEC 27001, PCI DSS, IDW PS 330, IDW RS FAIT 1, and IDW PS 951 in relevant business areas on a regular basis. The corresponding certificates and further evidence can be reviewed upon request.

Cookies

When you visit one of our websites, it is possible that we put information on your computer in the form of “cookies” which are used to automatically recognize your computer on your next visit. Cookies allow us, for example, to adapt a website to your interests or save your password so that you do not need to enter it again every time. If you do not want us to recognize your computer, configure your internet browser to delete cookies from your computer hard drive, block all cookies or set a policy to manually confirm any cookies to be set. Cookies may be used for this purpose that allow for the recognition of an internet browser. However, user profiles will not be consolidated with data from the bearer of the pseudonym unless consent is expressly given by the visitor. In particular, IP addresses will be made unrecognizable immediately after receipt so correlating user profiles and IP addresses is not possible. Visitors to this website can object to future data collection and storage at any time.

Web analysis services by Google Inc.

This website uses Google Analytics and Google Search Console, both web analysis services by Google Inc. (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; referred to as "Google" in the following passages). These services make use of so-called “cookies”. Cookies are text files stored on your computer that make it possible to analyze user behavior. The information generated by the cookie about your use of this website will, as a rule, be transferred to a Google server in the USA and stored there. If IP anonymization is enabled on this website, your IP address will first be shortened by Google within member states of the European Union or other contractual states with agreements on the European Economic Area. Only in exceptional cases are full IP addresses transferred to a Google server in the USA and shortened there. Google, on behalf of this website’s operator, will use this information to analyze your usage of this website in order to compile reports on the activities there and provide the website operator with further services related to website and internet usage. The IP addresses collected from your web browser during web analysis will not be consolidated by Google. You can prevent the saving of cookies through the appropriate settings in your web browser software. In addition, you can prevent the generation and use of website-related data by Google using cookies (incl. your IP address) by downloading and installing the freely available browser plugin.

We would like to point out that this website uses Google Analytics with the extension code “gat_anonymizeIp();” to ensure the anonymous collection of IP addresses (so-called IP masking).

Link tracking in e-mails

We carry out link tracking for statistical purposes only. It is not possible to identify individual users.

You can unsubscribe from our newsletter at any time either by using the convenient link at the bottom of every transmission, via e-mail to pass.unternehmenskommunikation@pass-consulting.com or via mail to PASS IT-Consulting Dipl.-Inf. G. Rienecker GmbH & Co KG, Schwalbenrainweg 24, 63741 Aschaffenburg, Germany.

Embedded YouTube content

Any content taken from the video platform YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA) is embedded using iFrames. According to a decision by the European Court of Justice from October 2014, this type of usage does not constitute a public presentation within the meaning of Article 3(1) of Directive 2001/29/EC, as the content embedded by PASS is not directed at a new audience and no uncommon or otherwise special techniques are used to embed the content.

All videos are embedded using the extended data protection mode by YouTube. Calling up a website which includes YouTube content embedded in this way can result in the browser establishing a connection with YouTube and the DoubleClick network by Google. Clicking and therefore loading an embedded video can cause further connections to be established and data to be collected on part of YouTube.

The data privacy statement of Google can be accessed under the URL www.google.de/intl/en/policies/privacy

Embedded Facebook content

Our sites may embed functionality created by the social network Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA). Any functionality from Facebook embedded on our sites is indicated by the Facebook logo. When you visit our sites, only direct interaction with the provided functionality will result in a connection being established between your browser and the servers of Facebook. In this way, Facebook will receive the information that you, with your IP address, have visited our site. When clicking the Facebook symbol while being logged in with your Facebook account, you are able to link content from our pages to your Facebook profile. This in turn allows Facebook to relate your stay on our site with your Facebook user account. Please be advised that we, as the provider of this website, do not have any knowledge or further information regarding the content of the data transmitted in such a case, nor do we have any insight into how the data is used by Facebook. You can find further information in the privacy policy of Facebook under the URL www.facebook.com/policy.php

Should you have no desire that your visit on our websites be associated with your Facebook account, then please do not interact with any Facebook-related functionality (e.g. clicking the Facebook symbol on our website).

Social media buttons

Social media buttons allow for sharing content from pages on social networks by just a few clicks. Buttons for the following networks are integrated into the websites of PASS:

The social media buttons of Facebook, Twitter, Xing and LinkedIn are embedded as static links. For you as a visitor of this website, this means clicking a social media button will redirect your browser to the respective website of the social network. In order to allow for an easier sharing of the page you are visiting, PASS will encode the URL and the title of the page within the link and transmit it as a referrer to the social network. Further data, for instance about previously visited sites, will not be actively provided by PASS. 

The websites called when clicking a social media button may initiate further data processing beyond the sphere of influence of PASS and may establish further connections with your browser.

Contact

If you have any questions concerning the handling of your personal data please contact our Data Protection Officer. He and his team are available to provide information to you and to receive your comments, suggestions and complaints.

Data Protection Officer for the PASS Consulting Group

Christian Mayer
Phone: +49 (0) 6021 - 3881 - 0
Fax: +49 (0) 6021 - 3881 - 400
datenschutzbeauftragter@pass-consulting.com

The PASS public procedures directory according to § 4e of the German Data Protection Act (BDSG)

Information on the responsible organization (§ 4e sentence 1 Nr. 1-3 BDSG):

1. Name of the responsible organization

PASS IT-Consulting Dipl. Inf. G. Rienecker GmbH & Co. KG

2.1. Managing director

Dipl.-Inf. Gerhard Rienecker

2.2 Head of data processing

Artur Lepold

3. Address of the responsible organization 

Schwalbenrainweg 24, 63741 Aschaffenburg, Germany

4. Purpose of data collection, processing or use

The business area Research includes 

  • internal software and product development
  • innovation screening
  • knowledge development and management
  • prototyping and constructive quality assurance for customer projects
  • strategic decision-making support

Result types are software and product development based on the latest technologies, innovation reports, studies, strategic analysis and decision-making support for strategic questions. Project management is – in addition to software development and IT-Consulting – a PASS core competence. Our set of methods – pLine (Project Management Line), cLine (Construction Line) and qLine (Quality Assurance Line) – as well as our technologies such as the Solution Factory and automated migration (Migration Factory) guarantee project success.

In the business area Software, we develop solutions and products for the following sectors:

  • banking
  • government
  • travel

We offer these solutions under the following usage models:

  • source code
  • license
  • hosting
  • ASP
  • on demand

You can also have your IT solutions operated by PASS on a scalable basis. We offer our service technology (OMS and AEP), application management and system management as on-site services or in complete outsourcing.

In addition to mandates to collect, process and use data, personal data concerning customers, suppliers and personnel management are also collected, processed and used. This includes other purposes such as support for business partners and prospective customers.

5. Description of affected persons, data or data categories

The affected person groups result from the purpose (nr. 5). It concerns the following data categories in which a general distinction between order data and internal data for PASS’ own purposes is necessary. 

Order data:

The entire order data processing is exempt from the obligation to provide information, as the client is solely responsible for this data.

Data for PASS’ own purposes:

  • customer/debtor data: e.g. contact person, address, contract, payment and control data of customers and other debtors, e.g. clients
  • vendor/creditor data: e.g. contract, settlement and control data of suppliers and service providers (data processing service, licenses, consulting services, training institutes, maintenance, workmen, cleaning)
  • personnel data: e.g. planning, contract and settlement data of applicants, employees, pensioners and other eligible persons
  • other personal data: data from other business partners (e.g. system partners, chambers, associations, banks and public authorities) data on potential customers, visitor administration, video surveillance etc.

6. Recipients or categories of recipients to whom data can be communicated 

  • public bodies, in so far that legal provisions demand this
  • internal bodies, in so far that this data is necessary for the orderly execution of the task
  • service providers (§ 11 BDSG), used for the orderly settlement of business transactions
  • external bodies for the orderly fulfillment of purposes mentioned under nr.5

7. Standard periods for data deletion

Data is deleted after the expiry of legal or contractual retention periods.

Provided that data is not affected by this, it is deleted when the purposes mentioned in nr.5 no longer apply, unless the person concerned has agreed to data storage in writing.

8. Planned data transfer to third parties

At present there are no plans to transfer personal information to third parties or countries.

In exceptional cases where a data transfer to a third party may be necessary, this will occur in accordance with the legal permissibility regulations according to §§ 4b and 4c BDSG (German Data Protection Act), which PASS follows and considers itself liable to in accordance with applicable law.

9. EU-U.S. Privacy Shield

For data which is hosted on servers in Germany, we would only disclose personal information in response to lawful requests by public authorities to meet national security or law enforcement requirements in accordance with German law. For data which is hosted on servers in the United States of America, we comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding its data processing facilities and are subject to the investigatory and enforcement powers of the Federal Trade Commission. Only in certain situations may we be required to disclose personal data from U.S. facilities in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. PASS has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the International Centre for Dispute Resolution®, which is the international division of the American Arbitration Association® (ICDR/AAA). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://info.adr.org/safeharbor for more information and to file a complaint. Under certain conditions, if you are not satisfied with the above recourse mechanism, you may be able to invoke binding arbitration.

10. Further information

The general description supplies further information on the precautions and measures taken by PASS for data protection and data security according to § 11 BDSG.

 

September 2016