Data Privacy and Data Security Concept of Trebbau direct media GmbH

Trebbau direct media GmbH
Schönhauser Str. 21
50968 Cologne

– hereinafter referred to as Trebbau –

Managing directors: Simone Heger and Jörg Hennig. Adviser: Karl-Peter-Trebbau

 Our data protection officer can be reached at:

 Helsper & Helsper – Attorneys
Mr. Rudolf Helsper
Am Kielshof 18
51105 Cologne

Tel.: +49 221 9834240 – email:


Trebbau operates as lettershop as well as data-processing company within the framework of order processing. On the basis of this field of operation, Trebbau is subject to the 2016/79 EU Regulation on the protection of individuals with regard to the processing of personal data (GDPR). In addition, Trebbau undertakes to comply with the specific requirements regarding quality and performance standards (QuLS) of the German Dialogue Marketing Association (DDV), and thus has subjected itself to further obligations beyond the law in order to ensure a particularly high level of data protection for its customers, business partners and suppliers, but also for its employees.  In the context of the processing of personal data, particular focus is placed on the relationship between the address owners, list owners, list brokers, advertisers and other order processors.

Furthermore, Trebbau recognise their commitment to the recipients of advertisement, and therefore offer clients their full support in the fulfilment of their data protection obligations. 

1. Technical and organisational measures (TOMs)


 Physical access control

It is an organisational rule that persons external to the company are never left alone in the building or allowed to move around freely. Employees are regularly trained accordingly.

Entrances to the building are kept closed and may only be opened from the outside with a security key or with a time card given to employees during usual business hours. People external to the organisation register at the main reception or with the goods receiving department in the case of deliveries. Visitors are personally collected from reception by an employee, recorded in a visitors’ book and receive a visitor pass. Visitors are only allowed into sensitive areas accompanied by employees who have provided a declaration of commitment to safeguarding confidentiality. Outside of working hours, the rooms are monitored by an alarm system in accordance with the VDE standard. System reports are monitored by a security service and tracked according to a documented intervention plan. Windows on the ground floor are partially barred or protected with metal shutters.

System access control

Unauthorised persons are not granted access to data processing systems. Access via external interfaces to our IT systems is protected by a firewall. Publicly accessible systems, such as bastion hosts with e-mail or internet access, are secured by being separate from the internal network (DMZ). All PC systems are password-protected. Passwords must meet high requirements and are compulsorily regularly changed. Old passwords cannot be used again. After ten failed login attempts, the corresponding user access is automatically locked. External access, for example for employees in the home office, takes place exclusively via VPN tunnels to our systems and via two-factor authentication.

Data access control

Access to the network directories in which personal data are saved is restricted to the respective persons who are tasked with the contracts for which these data should be used. These persons must be identified by the system. In particular, production systems only have access to the one established network directory. Data are only saved in these directories for as long as they are required for the direct production process. Program use is likewise logged, such as accessing data from data blocks via selections. It is only possible to boot the server by entering a password. Data carriers are locked away.

Separation rule

By separating the contracts from one another, both in separate contract folders and in separate network directories, it is guaranteed that the address data are processed separately for different purposes.

Pseudonymization and encryption
As a direct marketing service provider, most of our data processing operations cannot be pseudonymized. However, where it is possible, reasonable and proportionate, data is kept encrypted.


Data transmission control

If the transfer of personal data should be necessary, the data are transferred via our data transfer server (DataStore). Prior registration is required to use the DataStore. A unique password is also required for individual access which is only provided by the authorised user via another medium. Personal data are only sent within the legally defined scope. The data transfer is encrypted. The transfer routes are password-protected.

Documents with personal information are collected in locked containers from a specialist, certified company for data and document disposal and are subsequently destroyed by this company in compliance with data protection law. The destruction is logged. This also applies to paper waste in the letter shop (personalised advertising letters and catalogues). In addition to disposing of documents, the service provider also destroys data tapes. CDs and DVDs are shredded.

Input control

The IT system used has an automatic log of user activities. For contracts, it is also documented in writing where on our servers the address data have been saved. Amendments to address data (removing duplicates, qualifying addresses) are documented by saving different production steps.


Availability control / recoverability

Our IT systems are protected from data loss by RAID systems. USV systems, anti-virus software and firewalls, as well as data back-ups, guarantee that in the event of the IT systems not working, no data will be lost. In the event of fire or other damaging events, data back-ups are stored outside of the server room safe from fire. In order to minimise the extent of fire damage, our company is equipped with a fire alarm system. System reports are monitored by a security service and tracked according to a documented intervention plan.


Contract control

Instructions from the client are documented in writing. Contracts are managed and documented via our software. There is an organisational rule that contracts are checked according to the 4 eyes principle. Follow-up inspections take place.

Trebbau has signed the declaration of commitment of the Deutscher Dialogmarketing Verband e.V. [German Dialogue Marketing Association] (DDV) vis-à-vis address owners and has provided it to the association for publication.

If other service providers or subcontractors are commissioned by Trebbau and the commissioning requires the handling of personal data, the commissioned company shall submit a signed data protection declaration of commitment in accordance with the DDV standard. If the granting of such contractual relationships requires the consent of a third party, Trebbau shall obtain such consent via the client.


All employees are obligated by their employment contract to maintain confidentiality and to report breaches of personal data protection. The ‘Data protection’ leaflet is handed out to them. In particular, the training focuses on the principles of data protection (particularly the requirements for contract data processing), using the Robinson list, the obligation to confidentiality of operational and business secrets, the careful handling of data carriers and files, telecommunications confidentiality and the DDV Quality and Performance standard (QuLS + SVE).

Guidelines for implementing data protection are recorded centrally, approved by the management and accessible to employees in the Trebbau data protection manual.

Data protection officer

An external data protection officer has been appointed by the company.

Monitoring the data protection measures taken

Meetings of the Trebbau data protection team take place every six months. During these meetings, the current processing and the measures taken to protect the data are monitored and checked for potential improvements.

The Quality and Performance Standard seal (QuLS) of the DDV / Lettershop, data processing and list broking

Every year, Trebbau provides the DDV with a Selbstverpflichtungserklärung [Declaration of Commitment] (SVE). The measures which the company has taken to comply with the provisions of the law are verified in more than 70 points and subpoints in this declaration. Moreover, in this SVE Trebbau declares the measures taken to demonstrate the obligations of the DDV Quality and Performance seal arising from the laws.
Compliance with the obligation provided in the SVE is monitored by independent assessments. As a sign of the special quality of the services provided by Trebbau, the DDV awarded us the DDV Quality and Performance seal (QuLS) 2022/2023.

2. Conduct towards the owner of the addresses

Trebbau has signed the Declaration of Commitment of the German Dialogue Marketing Association (DDV), and entrusted it to the association for publication.

3. Sub-contracting

If other service providers or sub-contractors of Trebbau are commissioned, and the commission requires the handling of personal data, it will be imperative to have the subcontracted company sign a letter of commitment with regard to the data protection regulations in compliance with the standards for the German Dialogue Marketing Association (DDV). If the granting of such contractual relationship requires the consent of a third party, Trebbau will obtain the respective consent through the client.

Status: January 2022