Privacy policy / concept

Responsible party:
Trebbau direct media GmbH
Schönhauser Str. 21
50968 Cologne

– hereinafter referred to as Trebbau –

Managing Director: Jörg Hennig – Adviser: Karl-Peter Trebbau

You can reach our data protection officer at:

Dirk Niedernhöfer

dn Datenschutz UG (limited liability)
Laurenz-Kiesgen-Str. 1
51105 Köln
Tel.: +49 (0) 221 572 738 20
Mobile: +49 (0) 177 888 65 77
Mail: dirk.niedernhoefer@dndatenschutz.de
Web: https://dndatenschutz.de/

Preamble
Trebbau regularly operates both as a lettershop and as a data processing company within the framework of order processing. Due to these fields of activity, Trebbau is subject to EU Regulation 2016/79 on the protection of individuals with regard to the processing of personal data (GDPR). In addition, Trebbau has undertaken to comply with the special requirements of the Quality and Performance Standards (QuLS) of the Deutscher Dialogmarketing Verband e.V. (DDV) and is thus subject to these obligations, which go beyond the law, in order to ensure a particularly high level of data protection for its customers, business partners and suppliers, but also for its employees. In the context of the processing of personal data, particular focus is placed on the relationship between the address owners, list owners, list brokers, advertisers and other order processors.

Furthermore, Trebbau also feels obliged to the recipients of advertising and advises its customers comprehensively on the fulfilment of their data protection obligations.

Technical-organizational measures (TOMs)

CONFIDENTIALITY

Entry control

Organizationally, it is regulated that strangers are never allowed to stay alone in the building or move around freely. Employees are trained accordingly on a regular basis.

The entrances to the building are always locked and can only be opened from the outside with security keys or during normal business hours using time recording cards issued to employees. External visitors must report to the central reception desk or, in the case of deliveries, to the goods receiving department. Visitors must be picked up at reception by a member of staff, recorded in a visitor’s book and given a visitor’s pass. Visitors are only permitted in sensitive areas when accompanied by employees who have signed a confidentiality undertaking.
Outside working hours, the premises are monitored by an alarm system in accordance with the VDE standard. Messages from the system are monitored by a security service and followed up according to a documented intervention plan. Windows on the ground floor are barred or protected by metal blinds.


Access control

Access to data processing systems is not permitted to unauthorised individuals. Access to our IT systems via external interfaces is protected by a firewall. Publicly available services, such as bastion hosts with e-mail or Internet access, are secured via appropriate separations from the internal network (DMZ). All PC systems are password-protected. Passwords must meet high standards and are regularly and compulsorily renewed. Old passwords cannot be reused. After ten incorrect login attempts, the corresponding user access is automatically blocked. External access, for example for employees working from home, is only possible via VPN tunnels to our systems and via two-factor authentication.

Data access control

Access to network directories in which personal data is stored is restricted to the respective persons involved in the orders for which such data is to be used. The system requires these persons to identify themselves accordingly. Production systems in particular can exclusively access one network directory that has been established specifically for the system. Data is only stored in these directories for as long as it is required for the immediate production process. Program usage is logged, as is the retrieval of data from inventories via selections. The server can only be booted by entering a password. All storage media are locked when stored.

Separation rules

Orders are kept apart from each other in separate order folders and separate network directories. This ensures that data collected for different reasons is processed separately.

Pseudonymization and encryption

As a service provider for direct marketing, most of our data processing operations are not possible in pseudonymized form. However, where it is possible, sensible and proportionate, data is stored in encrypted form.

INTEGRITY

Data transmission control

If the transfer of personal data is necessary, the data is exchanged via our data exchange server (DataStore). Prior registration is required to use the DataStore. A unique password is also required for individual access, which is only disclosed to the authorized user via a different medium. Personal data is only sent within the legally prescribed framework. Data exchange is encrypted. The transmission paths are password-protected.

Documents containing personal data are collected in locked containers of a specialized and certified company for data and file destruction and then destroyed by this company in accordance with data protection regulations. The destruction is logged. This also applies to waste paper in the lettershop (personalized advertising letters and catalogs). In addition to document disposal, the contracted service provider also destroys data tapes. CDs and DVDs are shredded.

Input control

The IT system used automatically logs user activities. In addition, it is documented in writing that address data has been stored on our servers and where and by whom. Changes to address data (removing duplicates, qualifying addresses) are documented by saving different production stages.

AVAILABILITY AND CAPACITY

Availability control / recoverability

Our IT systems are protected against data loss by RAID systems. UPS systems, virus protection and firewalls as well as daily data backups guarantee that no data is lost in the event of a loss of IT system functionality. As a safeguard against fire or other events damaging the IT system, the data backups are also stored outside the server room in a fireproof location. In order to minimize the extent of possible fire damage, our company is equipped with a fire alarm system. Reports from the system are monitored by a security service and followed up according to a documented intervention plan.

REGULAR INSPECTION PROCEDURE

Order control

Instructions from the client are documented in writing. Orders are managed and documented using our own software. Organizationally, it is regulated that orders are checked according to the dual control principle. Follow-up checks are carried out.

Trebbau has signed the German Dialog Marketing Association’s (DDV) declaration of commitment to address owners and submitted it to the association for publication.

If other service providers or subcontractors are commissioned by Trebbau and the commissioning requires the handling of personal data, the commissioned company shall submit a signed data protection declaration in accordance with the DDV standard. If the granting of such contractual relationships requires the consent of a third party, Trebbau will obtain this consent via the client.

Training and obligations of employees

All employees are bound by their employment contract to maintain confidentiality and to report any breaches of personal data protection. They are made aware of their obligations to maintain data confidentiality in annual training sessions and attest to this with their signature. They are given the “Data protection” information sheet. They are instructed on the principles of data protection (in particular the requirements for order processing), the use of the Robinson list, the obligation to maintain confidentiality regarding company and business secrets, the careful handling of data carriers and files, telecommunications secrecy and the quality and performance standards of the DDV (QuLS + SVE).

Guidelines for implementing data protection are recorded centrally, approved by the management and accessible to employees in the Trebbau data protection manual.

Data protection supervisor

An external data protection officer has been appointed by the company.

Control of data protection measures taken

Meetings of the Trebbau data protection team take place every six months. The ongoing processing and the measures taken to protect the data are monitored and checked for potential for improvement.

Seal of Quality and Performance Standards (QuLS) of the German Dialogue Marketing Association (DDV) / Lettershop, Data Processing and List Broking

Trebbau submits an annual declaration of commitment (SVE) to the DDV. In more than 70 points and sub-points, it sets out the measures taken by the company with regard to the provisions of the law. In the SVE, Trebbau also explains the measures taken in order to comply with the obligations of the DDV seal of quality and performance.

Compliance with the commitment made in the SVE is monitored by independent experts. As a sign of the special quality of the services provided by Trebbau, the DDV Quality and Performance Seal (QuLS) 2024/2025.

Last updated: November 2024
