Data Privacy
Privacy Policy
With the following data protection information, we inform you about which categories of personal data (hereinafter referred to as "data") we process for which purposes and to what extent.
Keenfinity GmbH respects your privacy.
The protection of your privacy when processing personal data, as well as the security of all business data, is an important concern for us that we take into account in our business processes. We process personal data - provided that you submit a report of a violation of the compliance obligation ("Compliance Report") - confidentially and solely in accordance with legal regulations.
Responsible Party
As the data controller, Keenfinity GmbH is responsible for processing your data; exceptions are listed in this privacy notice.
Keenfinity GmbH
Fritz-Schäffer-Straße 9
81737 Munich
GERMANY
Phone: +49 89 6290-0
Processing of Personal Data
Personal data are all information relating to an identified or identifiable natural person, such as names, addresses, phone numbers, email addresses, contract, booking, and billing data that reflect the identity of a natural person. We process personal data only when there is a legal basis for this or when you have given your consent in this regard.
Processed Data Categories
The use of the Keenfinity Compliance Reporting Platform for a compliance report is voluntary. If you use the system, we will ask you to provide data that concerns the following data categories:
- Communication data (e.g. name, phone, email, address)
- Employee data of Keenfinity employees and
- possibly names of individuals as well as other personal data of the individuals you mention in your report.
The complete answering of the questions raised in the context of the compliance report helps us to process your report. If you provide us with incomplete data, we may not be able to process your report or may only be able to do so with delays.
Processing purposes and legal bases
The aim of the Keenfinity Compliance Reporting Platform is to provide you with a communication channel for your compliance report and to ensure that your report is processed by Keenfinity GmbH in accordance with the processes of the Compliance Management System as an implementation of legal and regulatory requirements.
In particular, we process your personal data for the following purposes:
- Compliance Reporting: Information and tracking of reports that pertain to a potential violation of compliance regulations. Through the Keenfinity Compliance Reporting Platform, you can report such violations to the appropriate department of Keenfinity, either by name or anonymously and securely.
Legal Basis: Legitimate interest of Keenfinity GmbH in prosecuting criminal offenses, asserting civil claims, conducting or terminating an employment relationship, uncovering criminal offenses in the employment context, and preventing violations of regulatory law (Art. 6 para. 1 f) GDPR in conjunction with § 24 para. 1 BDSG, Art. 88 GDPR in conjunction with § 26 para. 1 BDSG in conjunction with §§ 30, 130 OWiG).
- Compliance management: Central administration and allocation of cross-company compliance processes.
Legal basis: Legitimate interest of Keenfinity GmbH in obtaining a central overview of compliance reports as part of the governance function (Art. 6 para. 1 f) GDPR) as well as the assertion and defense of our rights.
Storage of login data / use of cookies
In order to maintain the connection between your computer and the Keenfinity Compliance Reporting Platform, a purely technically necessary cookie is stored on your computer, which only contains the session ID (so-called null cookie). The cookie is valid only until the end of your session and becomes invalid when you close the browser. No further external services or tracking are present.
Forwarding of data to Keenfinity employees, potential accused parties, and other responsible parties
In the context of processing a compliance report, it may be necessary to forward the report in whole or in part to the employees of Keenfinity GmbH or its subsidiaries responsible for processing the report. Your information will only be made accessible to those employees who need it to process your report and only to the extent permitted by legal requirements for whistleblower protection.
Furthermore, data may be transferred to other responsible parties (e.g. authorities) if we are required to do so by legal provisions or through enforceable administrative or judicial orders.
Service provider (general)
Keenfinity GmbH has commissioned Vispato GmbH, Hansaallee 299, 40549 Düsseldorf ("Service Provider"), to operate the compliance reporting system on behalf of Keenfinity GmbH and to store the data in a data center within the European Union.
Keenfinity GmbH has carefully selected the Service Provider and regularly monitors it, especially regarding its careful handling and securing of the data it stores. Access to the data is only possible for selected Keenfinity employees (see above under "Forwarding of data to Keenfinity employees, potential accused parties, and other responsible parties"). The Service Provider has no access to the data. This is ensured by a certified procedure through extensive technical and organizational measures.
The Service Provider has been obligated by Keenfinity GmbH to maintain confidentiality and to comply with legal requirements.
As part of our processing of personal data, it may be transmitted to further parties, companies, legally independent organizational units, or individuals, insofar as this is necessary for the fulfillment of processing purposes. Recipients of this data may include, for example, tax service providers or law firms. We have carefully selected these service providers and monitor them regularly, particularly with regard to the careful handling of the data they store and its protection. In these cases, we observe legal requirements and specifically conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Disclosure to recipients outside the EU or EEA
We may also disclose personal data to Keenfinity legal entities or authorities located outside the EU or EEA in so-called third countries. In this case, we ensure before the disclosure that there is either an adequate level of data protection with the recipient (e.g., due to an adequacy decision by the EU Commission for the respective country or the agreement of so-called EU standard data protection clauses with the recipient) or that you have given your consent to the disclosure.
You can obtain an overview of the recipients in third countries and a copy of the specific agreed arrangements to ensure an adequate level of data protection from us. Please use the information in the contact section for this purpose.
Duration of storage; retention periods
We generally store your data for as long as necessary to clarify the compliance incident to which your report relates. After the processing of the compliance report is completed, we delete your personal data, with the exception of data that needs to be retained and processed to assert and defend our rights. The deletion of personal data that we continue to store and process to assert and defend our rights is based on the expiration of the maximum limitation period specified for administrative offenses and criminal acts, as well as for asserting civil claims (§§ 31 Abs. 2, 33 Abs. 3 OWiG; §§ 78 Abs. 3, 78 c Abs. 3 StGB or §§ 195 ff. BGB).
Security
Our employees and the service providers we engage are obligated to confidentiality and to comply with the provisions of applicable data protection regulations. Detailed information is received by a select group of expressly authorized and specially trained employees of Keenfinity and is always treated confidentially. The employees of Keenfinity assess the situation and conduct further case-related fact-finding. Each of these individuals who has access to the data is bound to confidentiality.
We take all necessary technical and organizational measures to ensure an adequate level of protection and to safeguard your data managed by us, particularly against the risks of accidental or unlawful destruction, manipulation, loss, alteration, or unauthorized disclosure or access. Our security measures are regularly improved in accordance with technological developments. Communication between your computer and the Keenfinity Compliance Reporting Platform for compliance reporting occurs over an encrypted connection (TLS).
Information and Right to Information
You have the right to obtain information from us about the processing of your data. You can exercise your right to access regarding the personal information we process about you.
Correction and Deletion Rights
You can request the correction of inaccurate data and – to the extent that the legal requirements are met – the completion or deletion of your data from us. This does not apply to data that is required for billing and accounting purposes or is subject to legal retention obligations. To the extent that access to such data is not needed, its processing will, however, be restricted (see below).
Restriction of processing
You may request that we restrict the processing of your data, provided that the legal requirements are met.
Objection to data processing
In addition, you have the right to object to the processing of your data by us at any time, for reasons arising from your particular situation, as long as this processing is based on the legal grounds of "legitimate interest." We will then cease processing your data unless we can demonstrate – in accordance with legal requirements – imperative legitimate reasons for the continued processing that outweigh your rights, or the processing is necessary for the assertion, exercise, or defense of legal claims (Art. 21 GDPR).
Right of complaint to the supervisory authority
You have the right to lodge a complaint with a data protection authority. You can contact the data protection authority responsible for your residence or your federal state, or the data protection authority responsible for us. This is:
Data Protection Authority of Bavaria for the Private Sector State Commissioner for Data (BayLDA)
Promenade 18
91522 Ansbach
Postal address
P.O. Box 1349
91504 Ansbach
Germany
Email
Phone:
+49 (0) 981 180093-0
Monday to Friday: 08:00h – 12:00h
Fax:
+49 (0) 981 180093-800
Change of Privacy Policy
We reserve the right to change our security and privacy measures. In these cases, we will also adjust our privacy statement accordingly. Please therefore pay attention to the current version of our privacy policy.
Contact
If you would like to contact us, you can reach us at the address provided in the "Responsible Party" section.
To exercise your rights or report data protection incidents, please use the following email address: dataprotection.keenfinity@keenfinity-group.com.
For suggestions and complaints regarding the processing of your personal data, we recommend that you contact our Data Protection Officer:
Philipp Rothmann
IT-Security Coach GmbH
Olper Hütte 5b
57462 Olpe
Phone: +49 276183363100
Email: info@itsecuritycoach.com
Date: 01 July 2025