The following policy specifies Atheneum’s standards of conduct for Processing Personal Data in line with Applicable Data Protection and Privacy Laws, regulations and binding instructions or guidance of the competent Supervisory Authority or case-law. Atheneum will consider and apply this policy to comply with its accountability under Applicable Data Protection and Privacy Laws, to respect the privacy of all Data Subjects whose Personal Data is concerned, and to establish a reasonable and robust level of data protection and security.
2. Scope of this Policy
2.1 Material Scope
This policy applies without exception for all operations, transactions, business processes, workflows, applications, tools, databases, electronic or physical files, communication, and documentation at Atheneum that have as their objective or subject matter, relate to or concern the Processing of Personal Data.
2.2 Territorial Scope
This policy applies to all Atheneum Group entities worldwide and regardless of whether the Processing of Personal Data is performed by physical means, electronically, locally, in mobile applications or in the cloud.
2.3 Personal Scope
This policy applies to all Atheneum representatives, personnel, and staff, regardless of their position or role, including all managing directors, Board members, Supervisory Board members, and Employees (the “Atheneum People”). All Atheneum People shall acknowledge, adhere to, consider, and always apply the privacy and data protection rules, principles and values stipulated in this policy, even if these are stricter than Applicable Data Protection and Privacy Laws in the respective jurisdiction.
In the event and to the extent that the Applicable Data Protection and Privacy Laws contain stricter rules, principles and values than the provisions of this policy, the Applicable Data Protection and Privacy Laws shall take precedence.
3. Terms and Definitions
| Term | Definition |
|---|---|
| Applicable Data Protection and Privacy Laws | means all laws, regulations and legally binding requirements of Supervisory Authorities applicable to the Processing of Personal Data by Atheneum, including, but not limited to, the GDPR and the CCPA. |
| Atheneum | refers to the Atheneum Partners GmbH as well as all of its directly or indirectly controlled companies. |
| Atheneum Group | means the Atheneum group of companies consisting of the Atheneum Partners GmbH and all of its directly or indirectly controlled companies. |
| Atheneum People | means all Atheneum representatives, personnel, and staff, regardless of their position or role, including all managing directors, Board members, Supervisory Board members, and Employees, as defined in Section 2.3. |
| Board | means the executive board of any entity that is part of the Atheneum Group. |
| Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. |
| CCPA | means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this policy. |
| DPIA | means a data protection impact assessment as described in Section 6.2 a). |
| Data Processing Agreement | means a binding agreement between Atheneum and a Processor that Processes Personal Data on Atheneum’s behalf that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of Atheneum as the Controller, as described in Section 14 b). |
| Data Subject | means an identified or identifiable natural person. |
| DPO | refers to the data protection officer. |
| EEA | means the European Economic Area. |
| EU | means the European Union, including all EU Member States (and, for the avoidance of doubt, not including the UK). |
| Employees | within the meaning of this policy are all persons working at Atheneum, including all dependently employed workers, part-time staff, interns and temporary workers, persons employed for occupational training purposes, applicants for employment and individuals whose employment has been terminated. |
| Employee Privacy Notice | means the privacy notice established at Atheneum that is applicable to the Processing of Personal Data of Atheneum Employees (except for applicants, for whom the (Global) Privacy Notice applies). |
| GDPR | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). |
| (Global) Privacy Notice | means the information for all Data Subjects (except those covered by the Employee Privacy Notice) regarding the Processing of their Personal Data by Atheneum and their Data Subject rights. |
| Group DPO | means the designated DPO for all legal entities in the Atheneum Group, as defined in Section 4.1 b). |
| Personal Data | means any information relating to an identified or identifiable natural person. |
| Privacy Chief | means the person appointed as a contact to outside legal counsels, consultants and advisors, as well as for the internal teams and departments at Atheneum to discuss data privacy, data protection and security related measures, safeguards, considerations, issues and concerns, and a hub to the DPO, as described in Section 4.2. |
| Processing | means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. |
| Processor | means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. |
| RoPA | means a record of Processing activities, as described in Section 9 a). |
| RoPA Audits | means the regular reviews and amendments of the RoPA, as described in Section 9 b). |
| SCCs | means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council according to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| Supervisory Authority | has the meaning defined in the GDPR but shall be interpreted to include any supervisory authority located outside the European Union which is competent for the Processing of Personal Data by Atheneum. |
| Supervisory Board | means the body that advises, monitors and controls the Board. |
| Third Country | refers to a country that is not a member of the EU or the EEA. |
| TIA | means a transfer impact assessment as described in Section 8. |
| TOMs | refers to appropriate technical and organizational measures, applied by Atheneum, or by vendors appointed by Atheneum to Process Personal Data on behalf of and upon instructions of Atheneum. |
| UK | means the United Kingdom. |
4. Data Privacy Roles and Responsibilities at Atheneum
Atheneum has defined the following roles and responsibilities to safeguard an appropriate level of data protection and security, and compliance with the privacy and data protection rules, principles and values stipulated in this policy. Atheneum has designated qualified people with expert knowledge of data protection law and practices to take on these roles and responsibilities.
4.1 Data Protection Officer
Atheneum has established the role of a data protection officer (“DPO“) who shall
(i) inform and advise Atheneum and the Atheneum People about the data principles and obligations under Applicable Data Protection and Privacy Laws, and the privacy and data protection rules, principles and values stipulated in this policy;
(ii) monitor compliance with Applicable Data Protection and Privacy Laws and this policy in relation to the protection of Personal Data;
(iii) provide advice as requested with regard to data protection impact assessments and monitor their performance (cf. Sec. 6.2);
(iv) serve as a contact for all questions and concerns of Data Subjects related to Atheneum’s Processing activities and, more generally, data privacy, data protection and data security questions.
- Atheneum has designated a DPO for all legal entities in the Atheneum Group (so-called “Group DPO”) to perform the tasks specified in this section (Sec. 4.1).
- The DPO can be contacted by sending an email to firstname.lastname@example.org or by sending a letter to Benjamin Kühn, HC Plus Gesellschaft für Datenschutz UG (haftungsbeschränkt), Geneststraße 5, 10829 Berlin, Germany. The DPO shall be bound by secrecy and confidentiality concerning the performance of his tasks.
- Atheneum will involve the DPO properly and in a timely manner in all issues relating to the protection of Personal Data.
- Atheneum will support the DPO in performing its tasks under Applicable Data Protection and Privacy Laws and this policy and will ensure that the DPO does not receive any instructions regarding the exercise of those tasks. The DPO shall not be dismissed or penalised by Atheneum for performing his or her tasks.
- If the DPO is appointed with performing additional tasks and duties at Atheneum, Atheneum will take care that any such tasks and duties do not result in a conflict of interest.
- The DPO shall report directly to the Chief Operations Officer.
4.2 Privacy Chief
Atheneum has appointed a Privacy Chief in the compliance department who will be the contact to outside legal counsels, consultants and advisors. The Privacy Chief shall serve as a contact for the internal teams and departments at Atheneum to discuss data privacy, data protection and security related measures, safeguards, considerations, issues and concerns, and a hub to the DPO. The Privacy Chief will organize and take care that the DPO will be involved in all issues relating to the protection of Personal Data.
5. Data Protection Principles
Atheneum will always and without exception
- Process Personal Data lawfully, fairly and in a transparent manner in relation to the data subject (principle of lawfulness, fairness and transparency);
- collect Personal Data for specified, explicit and legitimate purposes only and will not further Process the Personal Data in a manner that is incompatible with those purposes (principle of purpose limitation);
- Process Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed (principle of data minimization);
- Process Personal Data that is accurate and, where necessary, kept up to date. Atheneum will apply reasonable measures and procedures to erase or rectify Personal Data that are or become inaccurate in relation to the purposes for which they have been collected (principle of accuracy);
- keep Personal Data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed, unless a longer retention of Personal Data is required under applicable laws (principle of storage limitation);
- Process Personal Data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (principle of integrity and confidentiality).
6. Lawfulness Assessment; Data Protection Impact Assessment
6.1 Lawfulness of Data Processing
When establishing new data Processing activities within the material scope of this policy (Sec. 2.1), Atheneum will ensure the lawfulness of such Processing activities prior to their implementation and assess the appropriate legal bases for the Processing of Personal Data (such as the Data Subject’s prior consent, the Controller’s prevailing legitimate interest in Processing the Personal Data, the necessity to Process the Personal Data for the performance of a contract to which the Data Subject is party, or the necessity for compliance with legal obligations of Atheneum or for the establishment, exercise or defence of a claim or legal position).
6.2 Data Protection Impact Assessments (“DPIA”)
- Atheneum will carry out an assessment of the impact of an envisaged Processing of Personal Data in the meaning of the material scope of this policy (Sec. 2.1), where the Processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular when using new technologies. When carrying out its assessment, Atheneum will take into account the nature, scope, context and purposes of the Processing.
- Atheneum will involve the DPO in the DPIA process and seek advice on the data privacy, data protection and security requirements applicable to the Processing (Sec. 4.1).
7. Transparency of the Data Processing; Privacy Notices
Atheneum will provide all Data Subjects concerned, in due form and in a timely manner, with appropriate information on the Processing of their Personal Data to comply with the principle of transparency (Sec. 5 a)), unless the Data Subject already has the information. The information shall include
- the identity and the contact details of the Atheneum entity that is the Controller of the Data Subject’s Personal Data;
- the contact details of the Atheneum DPO;
- the purposes of the Processing for which the Personal Data are collected;
- the legal basis for the Processing (including, where the Processing is based on legitimate interests of the Atheneum entity, which these legitimate interests are);
- the categories of recipients of the Personal Data;
- the target Third Country and a reference to the appropriate or suitable safeguards for the transfer, if the Personal Data is transferred to a Third Country outside the EU/EEA;
- the retention period which applies to the Personal Data which are subject to the Processing;
- the Data Subject rights;
- where the Processing is based on the consent of the Data Subject, information on the existence of the right to withdraw consent at any time;
- the right to lodge a complaint with a Supervisory Authority;
- information on whether the Personal Data is subject to automated decision-making, including profiling.
8. International Data Transfers
Atheneum will observe the requirements of Chapter V of the GDPR for transfers of Personal Data outside the EU or the EEA, and any other international transfer requirements that may apply in other regions. Accordingly, Atheneum will verify for every such transfer whether an adequate level of data protection can still be ensured after the transfer.
Atheneum will take suitable measures to ensure that the data protection level in the Third Country is not inadequate compared to the protection under the GDPR, or under any other Applicable Data Protection and Privacy Laws that impose this requirement on international transfers of Personal Data. In particular, Atheneum will transfer Personal Data protected under the GDPR only where the Third Country, a territory or one or more specified sectors within that Third Country has been found to ensure an adequate level of protection by the European Commission in an Adequacy Decision (Art. 45 GDPR). If an Adequacy Decision does not exist, Atheneum will transfer Personal Data to a Third Country only if other appropriate safeguards, such as SCCs (Art. 46(2)(c) GDPR), apply. In this case, Atheneum will, in addition to entering into the SCCs, assess on a case-by-case basis whether the circumstances in the destination country affect the effectiveness of the SCCs (so-called transfer impact assessment, “TIA“).
9. Records of Processing Activities
- To comply with its accountability obligations under Applicable Data Protection and Privacy Laws, Atheneum has produced and will maintain a record of Processing activities (“RoPA“). The RoPA specifies whether Atheneum acts as a Controller, joint Controller or Processor with regard to the data Processing, and contains information about (i) the purposes of the Processing, (ii) the categories of Personal Data and of the categories of Data Subjects concerned, (iii) the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in Third Countries, (iv) where applicable, transfers of Personal Data to a Third Country, (v) where possible, the envisaged time limits for erasure of the different categories of data and (vi) a general description of the technical and organisational security measures applied.
- Atheneum will regularly review and amend the RoPA, as required, to consider changes in the existing Processing activities, the onboarding of new Processing activities, and the abandonment and replacement of previously existing Processing activities (“RoPA Audits“).
- The RoPA Audits will be under the supervision and responsibility of Atheneum’s DPO and Director – Compliance Operations.
10. Data Security
- Atheneum will implement appropriate technical and organizational measures (“TOMs“) to ensure a level of security appropriate to the risk of the Processing for the Personal Data concerned and to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
- When identifying appropriate and reasonable TOMs, Atheneum will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects concerned.
11. Response to Data Subject Rights
- Atheneum acknowledges the rights of Data Subjects in relation to the Processing of their Personal Data as established by Applicable Data Protection and Privacy Laws.
- Atheneum provides transparent information to Data Subjects concerned on the Processing activities relating to their Personal Data (see Sec. 7).
- Atheneum has established a workflow on how to respond to Data Subjects’ requests in a timely manner.
12. Data Breach Response
- In case of a Personal Data breach, Atheneum will take all reasonable steps and measures to stop and cure the breach and involve experts for this purpose as applicable.
- Atheneum will also comply with its legal obligations as a Controller under Applicable Data Protection and Privacy Laws to notify the competent Supervisory Authority, if required, and communicate the Personal Data breach to the Data Subjects concerned in a timely manner, if the breach is likely to result in a high risk to the rights and freedoms of the Data Subjects.
- Atheneum will duly document any Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken.
13. Data Retention and Deletion
- As a Controller, Atheneum is accountable under the GDPR for compliance with the principle of storage limitation (Art. 5(1)(e) GDPR). Accordingly, Atheneum will retain Personal Data only for as long as is necessary for each specific purpose of the Processing (e.g. for the performance of a contract to which the Data Subject is party), or for a longer period, if the Processing is
  - necessary for compliance with legal obligations of Atheneum, such as providing certain information to authorities or complying with mandatory retention periods imposed by accounting, tax or social security laws,
  - necessary for the establishment, exercise or defence of a claim or legal position,
  - based on the Data Subject’s informed, specific, unambiguous, and freely given consent, or
  - covered by Atheneum’s or a third party’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
- Atheneum will establish a process for reviewing the lawfulness of the retention of the Personal Data collected and stored for each Processing activity on a regular basis. Atheneum will also establish a process for the deletion or anonymization of the Personal Data that cannot be lawfully retained any longer. Atheneum will implement a Data Retention and Deletion Policy and Schedule for this purpose.
14. Use of Processors
- Where Atheneum uses Processors to Process Personal Data on its behalf, Atheneum will ensure that the Processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of Applicable Data Protection and Privacy Laws and ensure the protection of the rights of the Data Subjects.
- For any case of Processing on Atheneum’s behalf, Atheneum will conclude a binding agreement with the respective Processor that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of Atheneum as the Controller (a so-called “Data Processing Agreement”).
- Every Data Processing Agreement will include provisions stipulating the following Processor obligations and liabilities:
  - obligation to Process the Personal Data only on documented instructions from Atheneum, including with regard to transfers of Personal Data to a Third Country or an international organization, unless required to do so by Applicable Data Protection and Privacy Laws to which the Processor is subject, and to inform Atheneum of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
  - obligation to ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - obligation to take appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk of the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
  - obligation to refrain from engaging another Processor without prior specific or general written authorisation of Atheneum;
  - obligation to impose the same data protection obligations as set out in the Data Processing Agreement on any sub-processor, in particular regarding the implementation of appropriate technical and organizational measures in such a manner that the Processing by the sub-processor will meet the requirements of Applicable Data Protection and Privacy Laws;
  - full liability for the performance of the data protection obligations of any sub-processor;
  - obligation to assist Atheneum by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Atheneum’s obligation to respond to Data Subject rights requests under Applicable Data Protection and Privacy Laws, taking into account the nature of the Processing;
  - obligation to assist Atheneum in ensuring compliance with the obligation to implement appropriate technical and organizational measures, the obligation to conduct a DPIA, as well as the data breach response obligations;
  - obligation to delete or return all the Personal Data to Atheneum, at Atheneum’s choice, after the end of the provision of services relating to Processing, and to delete existing copies unless Applicable Data Protection and Privacy Laws require storage of the Personal Data;
  - obligation to make available to Atheneum all information necessary to demonstrate compliance with the obligations laid down in the Data Processing Agreement and to allow for and contribute to audits, including inspections, conducted by Atheneum or another auditor mandated by Atheneum;
  - obligation to immediately inform Atheneum if, in the Processor’s opinion, an instruction by Atheneum infringes Applicable Data Protection and Privacy Laws.
15. Consequences of Non-Compliance
- Strict compliance with the rules, principles and values of this policy is essential for Atheneum’s accountability under Applicable Data Protection and Privacy Law requirements as a Controller of Personal Data.
- Non-compliance with Atheneum’s obligations under Applicable Data Protection and Privacy Laws can lead to sanctions imposed by the competent Supervisory Authority, including substantial fines or imprisonment, and material and non-material damage claims of Data Subjects concerned, as well as inestimable damage to Atheneum’s reputation.
The DPO (Sec. 4.1) is the contact person for questions or concerns regarding Atheneum’s Personal Data Processing activities. We appreciate any comments that help improve our high data protection, privacy and security standards. We appreciate any and all notifications about possible infringements of Applicable Data Protection and Privacy Laws by any Processing activity of Atheneum.
Last updated: 13.07.2022