GDPR and Data Protection

Is Inbassador GDPR (DSGVO/DSGMO)compliant?

Yes, we are. We have made an incredible amount of thought on the subject. As stated in the Privacy Policy, the Privacy by Design or Privacy by Default, Privacy Policy applies to every user.

So we ask u.a. in several places, whether the data may be processed and also indicate the purpose.

We also meet all the GDPR requirements:

  • Documented the lawful basis for processing personal data;
  • Ensured that data is only kept for as long as it meets that basis;
  • Ensured that data is accurate and up to date;
  • Sectioned off sensitive data so that only approved personnel can access it.

We even hired a GDPR consultant that will accompany any question you might have:

Markus Plank
[email protected]

Will my data be shared with others?

No, every customer has his own data storage. This allows us to ensure that data is not mixed. We generally use data in anonymous form for benchmarking. For this purpose, however, all personal data are rendered unrecognizable and the source encrypted. This is needed for internal optimization.

Can Inbassador team or anyone else access and use my data?

No, the data can’t be accessed by any of our team members or anyone else as we have defined that only a user can access the company data (In accordance with “Sectioning off sensitive data so that only approved personnel can access it.”).

Why does the General Data Protection Regulation exist (DSGVO/DSGMO)

The GDPR is the most comprehensive reorganization of data protection in Europe. As of May 25 2018, new laws will apply that strengthen the protection of personal data and, accordingly, protect the user / customer / subscriber from data leaks.

A certain commitment will of course remain. Nevertheless, certain measures must be taken to make it easier to cope with the legislative and information terrain.

Privacy Policy

The DS-BER contains important principles to improve the handling of data.

Principle of proportionality

Comes from the data protection basic right (Art. 8 fundamental right Charter or Art.8 EMRK) and designates a superior principle. By “proportionality in the narrower sense”, which refers to the balancing of interests or goods

Prohibition principle

The use of personal data is prohibited unless expressly permitted.

Principle of purpose limitation

Data may only be collected for specified, clear and legitimate purposes and not reused in a manner incompatible with those purposes.

Principle of materiality

Data may only be used to the extent that it meets the purposes for which it was collected and / or which are necessary for the purposes for which it was determined.

Principle of data deletion

Data may only be kept in personal form for as long as it is necessary for the purposes for which it was identified.

Principle of data minimization

Reduction of processing of personal data to the minimum.

Privacy by Design und Privacy by Default

Privacy by Design “Privacy through technology design” and takes up the idea that privacy can best be maintained if it is already technically integrated in the development of a data processing operation

Principle of good faith and legality

Privacy by default translates as “Privacy by privacy-friendly preferences” and means that the factory settings are designed to be privacy-friendly.


Principle of transparency

Information of the person concerned about the existence of processing and its circumstances

Principle of the right to speak

Rights to information, rectification and cancellation as well as opposition

Principle of factual accuracy and timeliness

Data may only be used in such a way that they are factually correct and, if necessary, kept up-to-date with regard to the intended purpose.

Principle of data security

There are important points to keep in terms of data security: access control, access control, access control, transfer control, input control, order control, availability control, separate processing

What does the DS-GVO regulate?

The DS-GVO regulates the entire handling of data by natural persons (affected persons). This applies not only to digital channels but also to offline channels e.g. Loyalty cards, point of sale, etc. or employee privacy. Even in these areas, very sensitive data is processed and companies are therefore even more committed to protecting their data.


  • As a company, you had the last two years to prepare for the DS-GVO. The following points had to be recorded and documented
  • Create a processing directory, i. Capture all activities in dealing with data
  • Creating a method directory, i. A catalog of measures to correctly collect, protect and use data without violating the DS-GVO.
  • Check all service providers and technology partners for their conformity
  • Examine old existing processes and add new processes.
  • Communication and awareness in the company
  • Analysis of data obsolescence and renewal of informed consent

Affected rights

Every person concerned also has certain rights with the DS-GVO. This should i.a. help to get more overview of submitted data. The following rights apply to an affected person:

  • Right to information
  • Right to change
  • Right to cancellation
  • Right to transport

Do I have to comply with the DS-GVO?

In our view, this is not a MUST but a WILL. We as Inbassador see this as absolutely necessary. Basically, the DS-GVO is “active”, where a service is provided. With that you have managed to keep the big international company to the DS-GVO. Example: If I use Facebook within the EU, Facebook must also comply with the DS-GVO.

What would happen if we did not comply with the DS-GVO?

The DS-GVO provides for high fines, companies should not comply with the law. Of course, proof must first be provided. This is exactly where something changes with the new regulation. In the future, companies have to prove that they act in conformity. Of course, this is only possible if the companies have sufficiently documented this.

Data Protection Officer

We as Inbassador are committed to the observance of data protection measures and will continue to do so to the best of our knowledge and belief.

The definition of the Data Protection Officer is cited as follows:

Based on this information, we would like to note the following cornerstone to the Data Protection Officer.

  1. […] The controller and the processor will definitely designate a data protection officer if […]
  2. a)the core activity of the controller or the processor is to carry out processing operations which, by reason of their nature, their scope and / or their purpose, require extensive periodic and systematic surveillance of data subjects, or
  3. b)the core activity of the controller or processor is the extensive processing of specific categories of data referred to in Article 9 or of personal data relating to criminal convictions and offenses referred to in Article 10.
  4. The data protection officer assumes this activity in the sense of a Inbassador holding activity. This covers all potential subsidiaries. This also applies to subsidiaries not resident in the EU.
  5. The person has received the appropriate training and certification from TÜV Austria (March and September 2017). Ongoing training is planned.
  6. The duties and duties of a corporate data protection officer are regulated in Art. 39 GDPR and include:
  7. Informing and advising the responsible persons, the processor and the employees
  8. Monitoring compliance with the GDPR and national special regulations
  9. Sensitization and training
  10. Advising and monitoring in the context of the privacy impact assessment
  11. Cooperation with the supervisory authority

Responsible or processor

The role of companies and their activities will be crucial in the future. For the persons concerned this is the clue to whom one can turn in the suspicion of an offense.

Following the two definitions.

‘Controller’ means the natural or legal person, public authority, body or body that alone or jointly with others decides on the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of the Member States, the person responsible or the specific criteria for its designation may be provided for under Union or national law ‘.

‘Processor’ means a natural or legal person, public authority, body or body that processes personal data on behalf of the controller;


The two parties should have upright contractual relationships with each other so that you as a person affected can turn to both if necessary.

Simply put, the owner is the owner of their data

You should now be able to better understand where your data is collected and where it is used. For some services, the person in charge of you will need an active consent, which you can subsequently withdraw.

Nonetheless, continue to pay attention to information provided to you through services.