Processing directory
Documentation of the processing activity

Information about the person responsible

Responsible body (according to Art. 4 No. 7 GDPR):
Joint controller: Katharina Richter, kontakt@original-unverpackt.de
Legal representative (management): Katharina Richter, kontakt@original-unverpackt.de
Basic information on processing

Description of the processing activity:
· E-mail processing
· General customer management
· Processing of order processes
· Handling of shipping processes

Responsible contact person: Katharina Richter, kontakt@original-unverpackt.de
General data protection requirements (GDPR)

Intended purpose:
· Processing activity "E-mail processing"
· Processing activity "General customer management"
· Processing activity "Address management"; pursued purpose: "Processing and forwarding of address data for shipping processing"

Lawfulness of processing, Art. 6 GDPR:
Consent (Art. 6 para. 1 lit. a, Art. 7 GDPR)
Collection of data

Circle of affected groups of people:
The group of people affected is limited to our customer base.

Type of data or data categories stored:
· Billing data
· Address data
· IT usage data / log data / log files
· IP address
· Contact details
· Name / first name / salutation / title
· Payment data

Origin of the data:
The data is provided by or collected from our customers exclusively during the ordering process.
Recipients or categories of recipients to whom the data may be communicated

Internal recipients:
· Accounting
· Customer service
· IT department

External recipients and third parties:
· Tax office
· Shipping service providers
Order processing (company as client)

Processors:
· DHL Paket GmbH
· Trusted Shops GmbH
· Google Analytics

Written data protection compliant contract: Yes
Suitability of the processor: The processor is suitable
Location of processing: Germany
Data transfer to third countries / international organizations

Data transfer to third countries:
There is no transfer of data to third countries outside the EU.

Adequate level of data protection through:
· Adequacy decision of the EU Commission pursuant to Art. 45 para. 3 GDPR
· Guarantees pursuant to Art. 46 GDPR: Binding Corporate Data Protection Rules (BCR)
· EU standard contractual clauses
Standard deadlines for the deletion of data

Storage period:
All order data is retained for 10 years for accounting and legal reasons. After this time, it is deleted according to our deletion concept.
Assessment of the appropriateness of technical and organizational measures (TOM)

1. General description of the technical and organizational measures (Art. 30 para. 1 lit. g, Art. 32 para. 1 GDPR)

a) Access control (rooms and buildings)
Objective description: To prevent unauthorized persons from physically accessing data processing systems with which personal data is processed or used, or in which personal data is stored.
· Our office building is secured by a manual locking system.
· Keys are issued via coded key safes.

b) Access control (systems)
Objective description: Measures that are suitable to prevent data processing systems from being used by unauthorized persons. The information relates to our database system and server access.
· User rights and user access must be requested and approved by the system administrator.
· If employees leave the company, access is blocked and access rights are revoked.
· Access rights are logged.
· Work equipment is encrypted according to the latest technical standards and is all password protected.

c) Access control (data)
Objective description: It must be ensured that those authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing and use, and after storage. The measures relate to our customers' data.
· Existence of an authorization concept
· The number of administrators is reduced to the "bare minimum"
· Management of rights by our system administrator
· Compliance with internal password policies, including password length and password changes

d) Pseudonymization (Art. 32 para. 1 lit. a; Art. 25 para. 1 GDPR)
2. Integrity (Art. 32 para. 1 lit. b GDPR)

a) Control of data transfer
Objective description: It must be ensured that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or storage on data carriers, and that it can be checked and determined to which locations personal data is intended to be transmitted by data transmission facilities.
· E-mail encryption
· Compliance with internal password policies, including password length and password changes
· Strict checking and separation of read and write rights for our employees and service providers

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

a) Availability control of data
Objective description: It must be ensured that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.
· Selection of the contractor with special care
· Written instructions to the contractor
· Conclusion of a data processing contract with all service providers
· Regular checks and consultation with all service providers