woom US Privacy Policy

Contents

  1. Subject matter and purpose
  2. Scope of application
  3. Roles and responsibilities
  4. Lawful data processing
  5. Legal basis for processing
  6. Rights of the data subject
  7. Documenting and checking processing activities
  8. Data flows across data processing activities
  9. Processing by service providers 
  10. Response to data protection breaches
  11. Data Security
  12. Reviews and updates
  13. Change history 

  1. Subject matter and purpose

The protection of personal data is a priority for onewoom GmbH, woom GmbH, woombikes LLC and its affiliated companies (hereinafter abbreviated to "woom" or the "company"). Employees, customers and business partners rely on us to process their data with due care. Breaches of data protection regulations can have serious consequences for woom, including damage to its reputation, claims for damages and sizable fines. 

woom GmbH and woombikes LLC may in certain cases process personal data of data subjects domiciled in the EU in joint responsibility or in the role of data processor or data controller. Such processing is reflected in intercompany agreements entered into between woom GmbH and woombikes LLC.

This privacy policy stipulates rules for the processing of such data to ensure compliance with data protection provisions, with respect to personal data of data subjects domiciled in the EU.

This policy does not contain any practical guidelines relating to IT and data security (such as encryption and secure deletion of data) – they are provided in a separate document. 

  2. Scope of application

This policy covers all instances of processing of personal data where

  • the data processing is automated (e.g. using computers),
  • the data is stored or is going to be stored in a filing system (e.g. on a hard drive or in physical files), or
  • the data relates to employees (e.g. notes from a job interview).

"Personal data" means any information concerning an identified or identifiable natural person. It does not matter whether or not the data could be classed as sensitive. 

Examples: Details without any names can still be classed as personal data if additional information could realistically be used to identify a natural person (e.g. the company could easily assign a list of system login times associated with a username to the employee in question). 

"Processing" means any handling of personal data, such as collection (e.g. through a survey), recording (e.g. by means of a form, software or camera), storage (e.g. in a database, Excel file or personnel file), alteration (e.g. by making updates), disclosure by transmission (e.g. to a public body or affiliated company), alignment, combination, restriction or erasure. 

The "data subject" is the natural person that personal data refers to (e.g. an employee, customer or supplier contact).

  3. Roles and responsibilities

Data protection manager woom GmbH

woom GmbH has appointed a data protection manager, who is assigned more specific tasks in this privacy policy and is the contact for all GDPR related issues. woombikes LLC has appointed a data protection contact in the US who is a point of contact for employees of woombikes LLC and for the data protection manager for questions of joint controlling. The contact details can be found in the "Contact details" appendix. 

The data protection manager coordinates with the data protection officer as required (where one has been appointed) or calls on external expertise. 

The data protection contact and/or the data protection manager is the first port of call for employees looking to raise matters relating to data protection. Employees can contact them directly to ask questions, report concerns or make suggestions concerning data protection.

The data protection manager should also be involved at the early stages of projects, so they can offer advice on data protection aspects as necessary along the way. When it comes to international projects, the data protection manager coordinates between the companies involved.

Data protection contact person woombikes LLC

woombikes LLC has appointed a data protection contact person, who acts as a first contact for all data privacy related issues for employees of woombikes LLC and for the data protection manager for questions of joint controlling. The contact details can be found in the "Contact details" appendix.

The data protection contact person coordinates with the data protection manager and receives support from the same in dealing with any privacy related issues. 

Data Security Manager

The company has also appointed a data security manager. This person is tasked with managing technical and organisational measures taken to keep data secure. The person must coordinate with the management team before taking any action. The data protection manager and the data protection officer support the data security manager in this role. Their contact details can be found in the "Contact details" appendix.

  4. Lawful data processing

All employees are required to observe the following rules when processing personal data. The relevant training will be provided and the data protection manager will be on hand with support and reminders. 

Observe the data protection principles when processing data.

Report any data protection breaches internally.

  4.1 Data protection principles

Lawfulness

Personal data may only be processed when there is a legal basis. Sensitive data (e.g. data concerning health) may only be processed when there is an exception to the regulation prohibiting the processing of sensitive data.

Transparency

Personal data must always be processed in a transparent manner in relation to the data subject.

Forms created for customers must contain an explanation of how the data being collected is going to be used. 

Purpose limitation 

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

If data is going to be used for purposes beyond the original purposes for which it was collected, the responsible processor will inform the data protection manager who must check that the new purposes are compatible with the original purposes and document their findings. 

Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the specific purpose for which it is being processed. It is not acceptable to process an unnecessarily large volume of data relating to one person or data relating to an unnecessarily large number of people. Data must not be used beyond the required scope. The following questions need to be answered for every field of data: Why exactly is this data required? How long is this data required for? 

Example: A person subscribing to a newsletter does not usually need to be asked to provide their name and the name of the company they work for on the subscription form. 

Accuracy

Personal data needs to be accurate and, where necessary, kept up to date. 

Example: The address stored for an employee needs to be up to date, so they can be contacted by letter. Details on an employee's work experience provided in their CV as part of the recruitment process do not need to be updated, as that information was only required to narrow down the candidates and identify the best person for the job during the recruitment process.

Examples: Regularly asking data subjects if their data is correct. Linking up to a system that can be relied upon to provide up-to-date data.

Storage limitation 

Personal data must be erased when it is no longer required for the specific purpose for which it was collected. Data can be anonymised rather than being erased. woom has its own guidelines for erasing data. Please note that pseudonymisation is not equivalent to anonymisation.

Example: Assessment centre results are no longer relevant after several years because they do not provide an accurate representation of an employee's current abilities. The options here are to delete the results or redact all details that would make it possible to identify the employee (name, address, employee number). 

Integrity and confidentiality 

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised access or accidental loss, using appropriate technical or organisational measures.

Pseudonymisation

Personal data should be pseudonymised before being processed where the purpose of processing permits it. According to Art. 4 (5) of the GDPR, "pseudonymisation" means that personal data is processed in such a manner that it can no longer be attributed to a specific data subject without the use of additional information. In other words, the information that makes it possible to identify a data subject (e.g. name, email address, postal address and telephone number) is removed from the data being processed. Technical and organisational measures are taken to ensure that the information that makes it possible to identify a data subject is kept secure. 

  4.2 Automated individual decision-making

If an individual decision is made about someone based solely on automated processing and produces legal effects concerning them or similarly affects them ("automated individual decision-making"), it has to be ensured that it is permissible under the data protection regulations. 

Example: An applicant is required to fill in an online form. A formula is used to generate a score based on their answers. That score will be the sole factor determining whether or not the applicant is invited to an interview. 

Example of such measures in relation to the example provided above: A process should be implemented that gives the applicant an opportunity to share what they think of the score and allows for an employee working in the Employee Experience department to review the automated decision.

  4.3 Data protection by design and by default

When the means for data processing are first being determined, it is essential to ensure that personal data is being protected in accordance with the legal data protection regulations (data protection by design). 

If a system allows default settings to be applied for data processing, they must be updated to ensure that only personal data which is necessary for the specific purpose of the processing is processed. That obligation applies to the amount of personal data collected, the extent of its processing and the period of its storage. Access to the data by third parties should be limited as far as possible. 

Example: The company plans to launch an internal social network based on a standard piece of software to improve communications between employees. The software settings allow the company to choose whether or not an employee's site is shown by default when they post something. The company is obliged to deactivate that setting because the site is not routinely necessary for the purpose of the processing.

When choosing external software, the company must ensure that software developers are contractually bound to comply with these requirements. The data security manager and data protection manager must be involved in the software selection process.

  5. Legal basis for processing

Personal data may only be processed when there is a legal basis. 

  5.1 Requirement for every instance of processing

Personal data may only be processed when there is a legal basis for the processing.

This is a list of some (but not all) possible legal bases: 

  • Performance of a contract: Processing is necessary for the performance of a contract with the data subject. The processing must be viewed as a logical step in performing the contract on the basis of an objective assessment. "Necessary" is not synonymous with "absolutely essential". 

Examples: Employees need to be asked to provide their bank details, so they can be paid their salary. But the analysis of a customer's buying behaviour to determine their preferences is not necessary for performing a contract with that customer. 

  • Legal obligation: Processing is necessary for compliance with a legal obligation to which the company is subject. The purposes of processing must be stipulated by the legally binding provisions. 
  • Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the company or a third party, and the interests of the data subject do not override such interests. Consideration of the data subject's expectations is a priority. The data subject also has the right to object.
  • Consent: The data subject has given their consent to the processing of their personal data for the specific purposes.

  5.2 Specific requirements for sensitive data

Strict requirements must be followed when processing sensitive personal data. As a general rule, processing sensitive personal data is prohibited unless one of the exceptions set out in Art. 9 (2) of the GDPR and Section 39 of the DSG applies.

"Sensitive personal data" refers to all personal data that reveals:

  • racial and ethnic origin
  • political opinions
  • religious or philosophical beliefs, or 
  • trade union membership 

or that consists of: 

  • genetic data 
  • biometric data which allows identification of a natural person
  • data concerning health, such as absences due to ill health, or 
  • data concerning a natural person's sex life or sexual orientation

The main exceptions to the prohibition on the processing of sensitive personal data are as follows:

  • The data subject has given explicit consent to the processing of their personal data.
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the company or the data subject in the field of employment and social security and social protection law.

Example: Processing details on data subjects' religion for the purpose of paying church tax.

  5.3 Consent to data processing

If personal data is processed on the basis of consent, the following conditions must be met: 

  • Consent must be unmistakably given by the data subject in the form of a statement or another clear affirmative action. It is not acceptable to rely on silence or the use of a website. 
  • Consent must be freely given. Consent is not considered to have been freely given if a contract is dependent on the consent (forced consent).
  • Consent should be specific and informed. At the very least, the responsible company, data and purposes of processing must be specified. If consent is given in the context of a written declaration which also concerns other matters (e.g. acceptance of general terms and conditions), the request for consent shall be presented in a manner which is clearly distinguishable from the other matters.
  • Explicit consent must be given to the processing of sensitive personal data. 
  • Data subjects giving their consent must be made aware of the option of withdrawing their consent and the fact that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Any data subject who gives their consent has the right to withdraw that consent with immediate effect at any time.

Please note that all other options must be exhausted first and consent is only requested when there are no other circumstances allowing for the processing of personal data. Consent must only be requested as the last resort – when there is no other reliable legal basis for processing personal data. 

  6. Rights of the data subject

Right to be informed 

Where personal data is collected, the data subject has to be provided with certain information at the time when the personal data is collected.

Examples: 

  • Job applicants must be informed about what will happen with their application documentation. 
  • Any website operated by the company must include a privacy notice. 
  • Employees must be informed about how the company handles their data as their employer. 

The following information must be provided: 

  • The name of the company and its contact details
  • The contact details for the data protection officer, if one has been appointed
  • The purposes and legal basis for processing
  • The legitimate interests pursued by the company if the legal basis for processing is the company's legitimate interests 
  • The recipients or categories of recipients of the data
  • The fact that the company intends to transfer the data to a third country and, where applicable, additional information on that
  • The period for which data will be stored or the criteria used to determine that period
  • The existence of the rights of the data subject
  • The existence of the right to withdraw consent, where applicable
  • The existence of the right to lodge a complaint with a supervisory authority
  • An explanation as to whether the provision of data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data
  • The existence of automated individual decision-making, including profiling, and additional information on that where applicable 

If it is not possible to provide all the necessary information at once due to space constraints, there is the option of using a layered approach.

Right to rectification 

Data subjects have the right to request the rectification of inaccurate personal data and to have incomplete personal data completed.

Right to erasure 

Unless otherwise required by law, data subjects have the right to request the erasure of their data if:

  • The data is no longer necessary in relation to the purpose for which it was collected 

Example: If a job applicant is rejected, their application documents will no longer be required six months after the recruitment decision was made or before.

  • The data subject withdraws their consent where there are no other legal grounds for the processing.

Example: A customer (an individual) previously gave their consent to their data being processed to register their potential interest for specific products. If they decide to withdraw their consent, their registered potential interest will need to be deleted.

  • The data subject objects to data processing for direct marketing purposes.
  • The data was collected unlawfully.
  • The data has to be erased for compliance with a legal obligation.
  • The data relates to an online offer and was collected on the basis of consent given by a child under the age of 16.

If the data is being processed by an external processor, steps must be taken to ensure that the data is erased by them too. All recipients of the personal data in question should be informed that the data has been erased – unless this would involve disproportionate effort.

Any such requests received must be transferred to the data protection manager or the data protection contacts.

Right to data portability

Data subjects have the right to request to receive their data in a structured, commonly used and machine-readable format. Where technically feasible, the data subject also has the right to have the data transmitted directly by the company to a third party. 

Right to object to processing for direct marketing purposes 

Where personal data is processed for direct marketing purposes (e.g. newsletter, sales letters and marketing calls), data subjects have the right to object at any time to processing of personal data concerning them. In this case, the company may no longer use the data for direct marketing. 

In the event of the data subject exerting their right to object to processing for direct marketing purposes, all data processing relating to direct marketing that is intended to be used to analyse the data subject's potential interests, preferences, financial status and other personal aspects must stop ("profiling").

Example: A customer (consumer) informs the company that they no longer wish to receive marketing communications by email. Their email address is removed from all relevant newsletter distribution lists and may also be added to a blocked list. If the data subject's buying behaviour had previously been analysed for the purpose of tailoring the email content sent to them (profiling), that analysis must also come to a stop with relation to the data subject. 

In cases where woombikes LLC acts as processor of woom GmbH or as joint controller, woom GmbH represents the single point of contact for compliance with the data subjects' rights. In such cases woombikes LLC shall inform woom GmbH immediately, but within three working days at the latest, and shall support woom GmbH where necessary.

  7. Documenting and checking processing activities

By law, woom is obliged to: 

  • Maintain "records of processing activities" for all processing activities under its responsibility and make the records available to the data protection supervisory authorities on request 
  • Implement appropriate technical and organisational measures, both at the time of the determination of the means for processing and at the time of the processing itself, which are designed to implement the requirements of the GDPR as per Art. 25 (1) of the GDPR ("data protection by design and by default")

  8. Data flows across data processing activities

Potential data flows across processing activities must always be considered for each data processing activity. Data flows across processing activities are only permitted if they are absolutely necessary for the purpose of the processing. To that end, the data protection manager must produce a data flow diagram at the very least for data processing that requires a data processing impact assessment. This documentation must clearly show which data is flowing from one application (e.g. time logging software) to another program (e.g. digital personnel file) and potentially to another piece of software after that (e.g. payroll software). 

  9. Processing by service providers

Where personal data is to be processed by a service provider on behalf of the company, the data protection manager should be informed and should ensure that the necessary data protection agreements are put in place with the service provider and that the relevant checks are performed.

Data is often processed by a service provider in the following cases: 

  • Operation or hosting of software or databases containing personal data by IT service providers 
  • Usage of cloud services (e.g. software as a service) in which personal data is stored 
  • Usage of website analysis systems (e.g. Google Analytics)
  • External scanning, archiving or destruction of documentation

It is absolutely essential that the company does in fact specify the purpose and means of processing. 

If external parties are providing services that do not directly involve processing data but unavoidably require personal data to be accessed, this should also be classed as processing by a service provider. 

Example: An IT service provider works remotely (troubleshooting and updates) on a software/database hosted by the company in its own data centre. When providing those services, the IT service provider could also access the personal data stored on the software. 

  9.1 Contracts with service providers

Before a service provider is engaged to process data, the IT department and data protection manager must perform checks on them and conclude a processing contract with them.

  9.2 Service provider checks

Before service providers can be engaged to process data, checks have to be performed to confirm that they comply with the provisions set out in the GDPR, especially those concerning data security. As a priority, the checks should confirm that the service provider has implemented appropriate technical and organisational measures to guarantee data security. 

  10. Response to data protection breaches

The company must document all data protection breaches. In some cases, such breaches must be reported to data protection supervisory authorities within 72 hours and affected data subjects may also need to be informed.

The main steps to be taken are outlined in the "Process for data protection breaches" appendix. 

  10.1 Existence of a data protection breach

A "data protection breach" is any breach which affects the confidentiality, availability or integrity of personal data in any way. 

Breach of confidentiality: This applies when personal data has been disclosed or accessed without authorisation or by accident. 

Examples:

  • Incorrect system settings allowed unauthorised parties within the company to view employee appraisals.
  • Payslips were sent out to the wrong recipients.
  • An unencrypted USB stick containing customer contact details was stolen.
  • An email containing employee data was accidentally sent to a large mailing list.

Breach of availability: This applies to unauthorised or accidental loss of access to personal data and the destruction or loss of personal data. A data protection breach has occurred even if personal data is only temporarily not available. 

Examples:

  • Digital personnel files cannot be accessed for an extended period.
  • A USB stick, laptop or smartphone with personal data stored on it is lost.
  • Computers have been the subject of a ransomware attack (malware that encrypts data and only decrypts it when a "ransom" has been paid).

Breach of integrity: This involves unauthorised or accidental changes being made to personal data. 

Example: Changes were accidentally made to the data record for the wrong employee or customer. 

  10.2 Internal notification obligation
    10.2.1 Internal contact to notify

All employees are required to report any data protection breaches or concrete suspicions of data breaches internally to the data security manager, the data protection manager or the data protection contact as soon as they become aware of them. Their contact details can be found in the "Contact details" appendix.

The relevant internal contact must be notified as soon as possible. This is even more urgent for the most serious data breaches, including those where the company is in a position to take measures to protect data subjects. 

    10.2.2 Content of internal notification

The notification should include the answers to the following questions. If the answers are not known, they should be provided as soon as possible: 

  • What has happened? (Description of the data protection breach in as much detail as possible)
  • Does the data protection breach relate to processing for the company itself or on behalf of another party? 
  • Whose personal data is affected? (E.g. employees, customer contacts)
  • Roughly how many people does the data affected concern? (E.g. up to ten, thousands) 
  • What type of personal data is affected? (E.g. entire email inbox, payroll, name/address/work contact details)
  • Roughly how many data records are affected? (E.g. 10–20, 100–200, 10,000)
  • Who is reporting the data protection breach and how can they be contacted as a matter of urgency if necessary?
  • When did they become aware of the data protection breach (date and time)?

Where possible, the following questions should ideally also be answered: 

  • Which employees can be contacted to provide further information about the data protection breach and how can they be contacted?
  • What are the likely consequences of the data protection breach?
  • What measures have already been taken to address the data protection breach? What other measures are being suggested? (E.g. remotely erasing data on a lost smartphone)
  • What measures have already been taken or are being suggested to mitigate the possible adverse effects?

  10.3 Next steps
    10.3.1 Investigation and security measures

If a suspected data protection breach has been reported, the data security manager will immediately start to investigate the situation as required and will inform the data protection manager who will inform the data protection officer. The same applies if the likely consequences of the data protection breach – and in turn the potential risk – are not yet clear. If the suspicions are confirmed, the data security manager must document the date and time when they are sufficiently confident that a data protection breach has indeed taken place. This moment in time is important, as it marks the start of the 72-hour period for reporting to data protection supervisory authorities where necessary. 

The data security manager will take immediate action to address the data protection breach or to mitigate the possible adverse effects of the data protection breach as required. 

Examples: Block access, change passwords, back up data

    10.3.2 Risk assessment

The data security manager will perform a risk assessment. They will work with the data protection manager and the data protection officer on this step. The risk assessment will be used to determine if the data protection breach poses 

  • no risk, 
  • a risk (yellow category)
  • a high risk (red category)

to the rights and freedoms of natural persons. 

    10.3.3 Requirement to notify data protection supervisory authorities

If a data protection breach is likely to result in a risk to the rights and freedoms of a natural person (in the yellow or red category), it must be reported to the data protection supervisory authorities, without undue delay and no later than 72 hours after having become aware of it.

If all the relevant details cannot be provided within the allocated window (e.g. due to ongoing internal digital forensic investigations into a hacker attack), the details must be provided to the data protection authorities as and when they become available. 

    10.3.4 Requirement to notify affected data subjects

If a data protection breach is likely to result in a high risk to the rights and freedoms of a natural person (in the red category), data subjects must be notified of the data protection breach. 

    10.3.5 Documentation of data protection breaches

The data protection manager must document any data protection breaches (in the green, yellow and red category).

That documentation must include the following details: 

  • All of the facts relating to the data protection breach
  • The consequences of the data protection breach
  • Any corrective action taken to mitigate the adverse effects of the data protection breach
  • Considerations and results of the risk assessment for the data protection breach

  11. Data security

The company is obliged to implement appropriate technical and organisational measures to ensure a level of protection for personal data appropriate to the risk. Such measures include, as appropriate:

  • The pseudonymisation and encryption of personal data
  • Measures that ensure the ongoing confidentiality, integrity, availability and resilience of systems and services
  • Measures that guarantee the availability of and access to personal data (data restored in the event of a physical or technical incident).
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational data security measures (e.g. penetration testing, external reviews).

  12. Reviews and updates

The data protection manager will review this policy with their expert eye at least every 24 months and suggest changes to the company management team where necessary. 

  13. Change history

Version | Date         | Author           | Note/change   | Approval
1.0     | January 2022 | Kristin Thomseth | First version |