Privacy Policy
This Privacy Policy applies to the data processing by BRL Risk Consulting GmbH &Co. KG in connection with the “Certinova” service, the use of the website www.Certinova.com and all subpages, as well as for all persons with whom we are in contact.
1. Name and Contact Details of the Controller and Data Protection Officer
BRL RiskConsulting GmbH & Co. KG
Caffamacherreihe 16
20355 Hamburg
Germany
+49 4035006-0
ras@BRL.de
The DataProtection Officer can be reached at the above address with the addition “Tothe Data Protection Officer” or at Datenschutzbeauftragter@BRL.de.
2 Collection and Storage of Personal Data, Type and Purpose of Use, and Duration of Data Processing
When visiting the website
When you access our website, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automatic deletion (access data):
- IP address of the requesting computer
- Date and time of access
- Name and URL of the accessed file
- Website from which the access is made (referrer URL)
- Browser used and the operating system of your computer as well as the name of your access provider
The data is processed solely to ensure and improve our services, in particular to:
- Ensure a smooth connection to the website
- Ensure a comfortable use of our website
- Evaluate and ensure system security and stability
The legal basis for data processing is Art. 6(1) sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above.
In connection with images from BRL events
During events we organize, we may take photos that may include images of attendees.
Purpose and use of the images:
We use these images to visually document and report on our events. This may include publication on our channels on professional networks (e.g., LinkedIn, Xing) and in our BRL or Certinova media.
The legal basis for data processing is Art. 6(1) lit. f GDPR. Our legitimate interest arises from the purposes listed above. Under Art. 21(1) GDPR, you have the right to object to the processing, i.e., the taking and publication of images of you.
In connection with Certinova contacts, applications, and marketing activities
When you contact us and provide personal data (any information relating to an identified or identifiable natural person), we process it — e.g., when you apply to us,hand a business card to a BRL employee or partner, send us an email containing personal data, or otherwise provide your data.
Certinova Contacts
We process, where provided:
- Salutation, title, first name, last name
- Company
- Email address
- Address
- Telephone number (landline and/or mobile)
- Additional information provided (e.g., profession, marital status, education — as may appear on a business card)
We process this data for:
- Maintaining you as a contact
- Responding to your inquiries
- Exchanging information with you
- Contacting you for marketing purposes (e.g., legal updates, specialist information, event invitations, news from our departments)
If you are in contact with us in connection with our legal representation:
- Providing you with appropriate legal advice and representation
- Invoicing
- Handling liability claims and asserting claims against you
The legal basis is Art. 6(1) sentence 1 lit. b GDPR when the contact is related to our legal services (contract performance or pre-contractual measures).
Where necessary and legally permissible, we also process your data to fulfill legal obligations (e.g., statutory retention periods) in accordance with Art. 6(1) lit. c GDPR.
Otherwise, the legal basis is Art. 6(1) sentence 1 lit. f GDPR (legitimate interests as listed above).
If processing involves special categories of personal data under Art. 9(1) GDPR, the legal basis is Art. 9(2) lit. f GDPR.
Contact and data processing based on consent:
If you have given us consent (e.g., for marketing contact by email or for processing event photos), we process your personal data based on Art. 6(1) lit. a and Art. 7 GDPR.
We record consents to meet legal documentation requirements. This includes the time of consent, any prior request, IP address used, your provided details (salutation,title, name, company, address, email, phone), and the relevant privacy notice text.
Right to withdraw consent:
You may withdraw your consent at any time with future effect under Art. 7(3) GDPR by sending an email with the subject “Withdrawal of Consent” to Datenschutz@BRL.de.
3. Duration of Data Processing
We store your data only as long as necessary for processing purposes — e.g., contract performance, responding to inquiries, or pursuing/defending legal claims —until the year following the expiry of all limitation periods, or as long as legally required or necessary to respect any marketing objection.
Website access data is generally stored for 3 days.
Application data (unsuccessful) is deleted 6 months after the process ends unless you consented to longer storage in our applicant database. If received from a recruitment agency, data may be stored for up to 24 months due to contractual claim periods.
If you have given consent, we store your data until withdrawal, but in any case delete it 5 years after our last contact.
Legal retention obligations (e.g., for legal, tax, or professional reasons) may require longer storage. For example:
- Legal case data: 6 years (§50 BRAO)
- Accounting/tax data: at lease 10 years (§147(4) AO)
4. Data Sharing
We do not transfer your personal data to third parties except in the following cases:
- You have given explicit consent (Art. 6(1) lit. a GDPR)
- It is legally permitted and necessary for contractual purposes (Art. 6(1) lit. b GDPR)
- Legal obligation (Art. 6(1) lit. c GDPR)
- For legal claims, where no overriding interest of yours exists (Art. 6(1) lit. f GDPR)
Possible recipients: tax authorities, accountants, auditors, advisors, logistics providers, fee collection bodies, payment service providers.
We also use carefully selected and monitored processors (Art. 28 GDPR), including:
- IT service providers
- Hosting providers
- Software providers (HR/applicant management, billing)
- Translation tools
Where consent is given, data may also be shared with BRL Consulting & Training GmbH, Hamburg, which will process it on the same legal basis. Withdrawal applies to both entities.
5. Your Rights
You have the right to request:
- Access (Art.15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise rights, contact us (e.g., Datenschutz@BRL.de).
6. Embedding YouTube Videos
We embed YouTube videos provided by Google Ireland Ltd. in “enhanced privacy mode” (two-click solution). Despite this mode, it is possible that YouTube/Google may obtain your IP address before you press play. To avoid this, log out of your YouTube account before visiting such pages.
Google may transfer data to the USA under the EU-US Data Privacy Framework (DPF). Details:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
7. Cookies, Google Analytics, and Google Ads
We use cookies for functionality, analysis, and marketing.
Google Analytics: with IP anonymization (“anonymizeIP”), legal basis Art. 6(1) lit. a or lit. f GDPR.
Google Ads Conversion Tracking: measures ad success, expires after 30 days, may involve US data transfer under DPF.
You can withdraw cookie consent at any time via our cookie settings or browser settings(may affect functionality). https://policies.google.com/privacy
SalesViewer®technology:
We use SalesViewer® for marketing/optimization purposes (Art. 6(1) lit. f GDPR). Data is pseudonymised and encrypted; no personal identification. You can opt out here:
https://www.salesviewer.com/opt-out
8. Updates to this Privacy Policy
Current as of August 2025. May be updated due to website/service changes or legal requirements.