Privacy Policy for Data Subjects

in accordance with Art. 13, 14 and 21
of the EU General Data Protection Regulation (GDPR)

General information

This Privacy Policy applies to the processing of personal data by komm.passion GmbH and its branches in the Federal Republic of Germany (Duesseldorf, Hamburg and Berlin).

In accordance with Art. 12 et seqq. GDPR, we, in our capacity as a company, herewith provide you with information about your rights that you, in your capacity as a data subject, can enforce through komm.passion GmbH.

Which data may be processed and how it may be used generally depends on the respective relationship with you. Details, explanations or addendums for the purpose of data processing are stated in our contractual documentation and documents, e.g. a declaration of consent to data protection and/or other information provided to you (e.g. when using our website


This Privacy Policy is updated to reflect new legislation. Please do not hesitate to contact us should you have questions about data protection.

Controller and contact 

komm.passion GmbH
Himmelgeister Strasse 103-105
40225 Duesseldorf
Tel.: +49(0)211-60046-0
Fax: +49(0)211-60046-200

Data protection officer

RPA Datenschutz + Compliance GmbH
Hauser Gasse 19 b
35578 Wetzlar

Legal bases and purposes for the processing of personal data

Both the storage and processing of your personal data may be based on various legal bases and/or the type of service to be provided by us as well as the type of relationship with you.

The following section explains these for the legal basis …

… Consent (Art. 6 (1) lit. a) GDPR)

If you have consented to the storage and processing of your personal data in a legally conforming manner – e.g. by subscribing to our Dossier Newsletter – this forms the corresponding legal basis on which we, komm.passion GmbH, process your data.
You have the right to withdraw your consent at any time and without stating any reasons with future effect. To do so, please use the contact details stated in the “Data protection officer” section. The texts for the respective consents also contain further information on the consequences of failure to give consent.

Please note: To prevent misuse by third parties and protect your rights, we reserve the right to check the identity of data subjects in the event of us receiving an objection.

… Contract or contractual preparation (Art. 6 (1) lit. b) GDPR)
komm.passion GmbH processes your personal data for preparing contracts with you and/or executing orders and for ensuring the performance of contractual measures and activities. This happens, for instance, when you are introduced to us as a new customer. Please be aware that we are unable to fulfil our contractual and/or pre-contractual obligations to you without processing your personal data.

The measures and activities required for fulfilling our contractual obligations to you are:

– Contract-related communication
– Proof of transactions, orders and other agreements
– Quality control, including documentation
– Ex gratia and legal recourse proceedings
– Measures for controlling business processes
– Fulfilment of general due diligence obligations
– Managing and controlling associated companies and/or service providers
– Corporate management statistics
– Cost reporting
– Controlling and reporting
– Internal and external communication
– Accounting
– Tax assessment of operating activities
– Risk management
– Assertion of legal claims
– Defence during legal disputes
– Assuring IT security and general security requirements, e.g. building and system security
– Ensuring and executing our domiciliary rights, e.g. access controls
– Ensuring the integrity, authenticity and availability of the data
– Prevention and investigation of criminal offences
– Control by supervisory bodies or control instances, e.g. audits

… Fulfilment of legal requirements (Art. 6 (1) lit c) GDPR) and/or public interests (Art. 6 (1) lit e) GDPR)

All businesses in the Federal Republic of Germany must comply with numerous legal requirements. These include legal requirements such as tax laws, social law provisions, etc., but also specifications issued by supervisory or other authorities. 

Processing purposes may include:

– Identity and age checks
– Fraud and money laundering prevention
– Prevention, combating and investigating terrorism financing
– Preventing, combating and investigating capital crimes
– Reconciliation with European and international sanctions lists
– Fulfilment of tax and foreign affairs law control and reporting duties
– Data archiving for the purpose of data protection and security
– Audit processes by tax and other authorities.

Should komm.passion GmbH collect and process personal data for the purpose of reconciling sanctions lists, this data will be used for this purpose only.

Please note that personal data may be disclosed within the scope of government or court measures for the purpose of obtaining evidence, prosecution or enforcement of civil claims.

… Legitimate interests of us or third parties (Art. 6 (1) lit f) GDPR)

In addition to providing services for you, the customer, we may process your data for maintaining legitimate interests of komm.passion GmbH or third parties. If your data affects our legitimate interests, we will always inform you in advance and obtain your consent for its use.

We process your data for our legitimate interests and purposes stated below:

– Use and transfer within the scope of our general business activities

– For our own marketing purposes and public image within the scope of PR measures and work

– For direct advertising of products and services provided by our company, unless you have objected to the use of your personal data for this purpose.

– For information from and data exchange with credit agencies, insofar as this exceeds our economic risk

– For the further development of services, products, systems and processes in our company

– For adding to data already held by us; this may happen, for instance, by using and/or researching publicly accessible data

– For statistical purposes and/or market analyses of services provided. Also for future consulting and assessment of customer satisfaction. We weigh up your and our respective legitimate interests in advance. If in doubt, we will exclusively use your data for these purposes with your separate consent that you can withdraw at any time.

– The enforcement of legal claims and defence during legal disputes that are not directly related with the contractual relationship.

– Prevention and investigation of crimes, unless this serves exclusively to fulfil legal requirements

– For ensuring IT security and operation as well as our website. Also for performing stress tests, developing new and adjusting our existing products and systems. This also applies to the migration of data to ensure system capability and integrity and therefore also, within the wider sense of the meaning, the processed data. The personal data provided is primarily used for tests where this cannot be performed using anonymous data with reasonable expense. Throughout this process, data security is ensured in accordance with Art. 32 GDPR.

– Building and system security (e.g. through access controls and video monitoring) if they exceed general due diligence obligations.

– Ensuring and executing domiciliary rights through corresponding measures to protect our customers and employees and to secure evidence in the event of criminal offences and their prevention.

– For the restricted storage of data if the data cannot be deleted, or its deletion would incur unreasonably high costs, due to the special type of storage.

Origin and processing of data that was not collected by us directly

We legitimately access personal data by other companies and third parties (e.g. address brokers, credit agencies) within the scope of our business activities and for the contractually agreed provision of our services. In addition to this measure, we process personal data contained in publicly accessible sources (e.g. websites, associations, commercial and club registers, resident registers, debtor registers, property deeds, telephone registers, press publications and other freely accessible media) and that we have legitimately collected, received and purchased.

The type of personal data may include:

– Personal details
such as name, date of birth, place of birth, nationality, job, industry, etc.

– Contact details
such as address, email, phone number, etc.

– Customer history data

– Financial position information
such as credit rating data for assessing our economic risk

– Payment / funds confirmation for bank and credit cards

– Data on the use of our online presence
such as time of access to our website, the Dossier Newsletter, pages and/or links clicked, etc.

Recipient of your personal data at komm.passion GmbH

Within, your personal data is received by the relevant employees and customer teams responsible for the fulfilment of our contractual obligations to you and our legal obligations or tasked with processing the data within the scope of our legitimate interests.

Transfer of your personal data to external instances

If we transfer your personal data to external instances, this serves exclusively to fulfil our contractual obligations to you. Such transfers are performed to the extent required for the provision of services and/or in accordance with your consent.

Your data may have to be transferred to third parties if:

– We are obliged by law to initiate information and reports about and/or the transfer of data

– The transfer of data is in the interest of the general public (e.g. protection of public health)

– External service providers process data by our order in their capacity as data processors or parties that assume our functions. These usually include IT service providers (e.g. IT support, website management, software development and maintenance, IT system maintenance, supervision and implementation)

– Service providers in the printing and media industry, such as print shops, call centres, letter shops and media engineers

– Software companies (provision of IT applications)

– Providers

– Security forms for the provision of physical protection and data security

– Advertising and marketing companies for supporting and implementing PR and advertising measures

– Trade fair service providers for the implementation of trade fair attendances and events

– Patent and trademark offices in Germany and the EU

– Market research institutes that perform polls among participants and/or market analyses by our order

– Also companies in the call centre services sector

Other recipients of your personal data

In order to fulfil our contractual relationship with you and provide our services, we transfer your personal data to the following third parties, depending on each individual case and situation:

– Companies associated with komm.passion GmbH. They use joint IT systems. In combination with the international type and alignment of our business activities, personal data may be shared and processed by now.
Please be aware that we are a member of Team Farner at a European level:

– Tax advisors, lawyers, notaries, insolvency managers, auditors

– Logistics partners such as freight forwarders, courier services and postal services

– Cooperation partners within the scope of projects, such as hotels, airlines, Deutsche Bahn, rental car companies, if we have been ordered by you to assume the booking for you

– Trade fair and event organisers if we have been ordered by you to assume the booking for you

We do not transfer your personal data to third parties for any other purposes.

If we engage service providers and partners within the scope of your order, your data is subject to the same security standards than at Komm.passion GmbH.

In all other cases, recipients of your data may only use your data for the purposes that are related to the order process.

Storage duration

Within the scope of our business relationship with you, we process and store your data for the duration of the relationship.

This also includes the initiation of a contract (pre-contractual relationship) and the processing of a contract.

In addition, we are subject to various storage and documentation obligations as stated in the German Commercial Code (Handelsgesetzbuch – HGB), the German Tax Code (Abgabenordnung – AO) and other regulations. The storage and documentation deadlines defined therein are up to ten years after the end of the business relationship and/or the pre-contractual legal relationship.

In addition and depending on each case, special legal requirements may require a longer storage period.

This is the case, for instance, for the safekeeping of evidence within the scope of the statutory statutes of limitation. In accordance with Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), the regular statutes of limitation are three years. However, statutes of limitation of up to 30 years may also be applicable.

If the data is no longer required for the fulfilment of the respective processing purpose, it is regularly deleted, unless its – time-limited – further processing is required due to our prevailing legitimate interests in accordance with Art. 6 (1) lit f) GDPR. Such prevailing legitimate interest also exists, for instance, if deletion is impossible or would incur unreasonable costs due to the special type of storage and processing for other purposes is impossible due to suitable technical and organisational measures.

Your rights as a data subject in detail (right to be informed, erasure, object and other data subject rights in accordance with Art. 15 to 22 GDPR)

… Art. 15 GDPR “Right to be informed”
You have the right to request confirmation if your personal data is being processed by us; if this is the case, you have the right to be informed about this personal data and the information detailed in Art. 15 GDPR.

… Art. 16 GDPR “Right to rectification”
You have the right to request the immediate rectification of incorrect personal data pertaining to you and, if applicable, request the completion of incomplete personal data.

… Art. 17 GDPR “Right to erasure”
You have the right to request the immediate erasure of personal data pertaining to you if one of the reasons stated in Art. 17 GDPR applies, e.g. if the data is no longer required for the intended purposes.

… Art. 18 GDPR “Right to restrict processing”

You have the right to request the restriction of processing if one of the conditions stated in Art. 18 GDPR prevails, e.g. if you have objected against the processing for the duration of our check.

… Art. 19 GDPR “Notification obligation regarding rectification or erasure of personal data or restriction of processing”
We inform all recipients who had their personal data disclosed to them about all rectifications or erasures of such data or restriction of processing in accordance with Art. 16, 17 (1) and 18 GDPR, unless this proves to be impossible or would incur unreasonable costs. You have the right to be informed about these recipients, if you so wish.

… Art. 20 GDPR “Right to data portability”

You have the right to receive your personal data that you provided to us in a structured, standard and machine-readable format and you have the right to transfer this data to another controller without restrictions. Other provisions apply with regard to this right. You can read more here:

… Art. 21 GDPR “Right to object”
You have the right to object to the processing of your personal data at any time for reasons resulting from your specific situation. We will then no longer process the personal data, unless we have proof of compelling reasons for the processing worthy of protection that outweigh your interests, rights and freedoms or the processing serves to enforce, execute or defend legal claims.

… Art. 22 GDPR “Automated decision making including profiling”
You have the right not to be subjected to a decision based exclusively on automated processing – including profiling – that has legal effect with regards to your person or impair you in any other manner.

Other provisions apply with regard to this right. You can read more here:

Right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR 

We would also like to make you aware at this point of your right to complain with a responsible supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR. You can assert this right with a supervisory authority in the member state where you maintain your place of residence or work or the location of the alleged violation.

The following supervisory authority is responsible for komm.passion GmbH

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
PO Box 20 04 44 
40102 Duesseldorf Germany
Tel.: +49(0)211-38424-0 
Fax: +49(0)211-38424-10

Duesseldorf, 19 January 2024