INDIVIDUAL PROCESSING OPERATIONS
1. Setting up and operating a website
a) Nature and extent of data processing
RSU (or its web space provider) collects data on every instance in which the website is accessed (referred to as server log files). The data collected include: domain, IP address, name of website retrieved, file, date and time of retrieval, amount of data transmitted, information on success of retrieval, type and version of browser, user’s operating system, referrer URL (site previously visited) and requesting provider.
RSU only uses the log data for statistical evaluation in support of the operation, protection and optimisation of the website. However, RSU reserves the right to check the log files at a later time if there are specific indications of illegal use.
b) Legal basis
This processing of data is based on Article 6(1)(f) of the GDPR. It is necessary for operating a website and thus for pursuing a legitimate interest of our company.
You may object to this processing at any time for reasons arising from your special situation. If you do, RSU will stop processing these personal data unless it has compelling and legitimate reasons which take priority over the interests, rights or liberties affected or it is necessary to process these data for asserting, exercising or protecting legal claims.
c) Storage period
Recording the data required for operating the website and saving the data in log files is indispensable for operating an Internet page. Your personal data will be erased as soon as they are no longer needed for the aforementioned purpose. If personal data are saved in log files, they are erased after three days. Data may be stored more extensively in individual cases if this is required by law.
2. Enabling people to contact RSU
a) Nature and extent of data processing
If you contact RSU via contact form or by e-mail, the information you provide is stored for the processing of your inquiry and in case further questions arise.
b) Legal basis
This processing of personal data is generally based on Article 6(1)(f) of the GDPR. Our legitimate interest referred to in this provision is to answer inquiries from people interested in RSU. We may even have a legal obligation to do so, in which case the relevant legal basis is Article 6(1)(c) of the GDPR.
c) Storage period
Once the personal data gathered in this context are no longer needed, they will be erased or their processing will be restricted if they must be stored by law. You may object to the future processing of your personal data at any time when contacting RSU.
3. Job applications
a) Nature and extent of data processing
We process the personal data you provide to us as part of your job application in order to manage the recruitment process and assess your suitability for the advertised position or other vacancies within our company.
This includes, in particular, the following categories of data:
• Your contact details and the source of your application
• Details from your CV, certificates, and your qualification
• Communications exchanged with us
• Notes and evaluations recorded during the application process (if applicable)
We may also consider publicly available information from professional networks (e.g., LinkedIn, XING) if you have published relevant details there or have actively contacted us via such platforms.
Use of Social Media Platforms
In addition to our online application portal (operated by comvaHRo GmbH, 85630 Grasbrunn, as a processor pursuant to Art. 28 GDPR), we also post job advertisements on various social media platforms. Please note the following platform-specific information:
• XING (New Work SE, Am Strandkai 1, 20457 Hamburg):
XING provides a link to our online application portal. Applications can be submitted via this portal. Additionally, XING offers the option to apply directly through the platform. In such cases, profile data and CV information may be transmitted to our application portal or, in the case of an early rejection, processed solely within XING. Applying via XING is voluntary and may be used as an alternative to our application portal. For more information on XING’s data protection practices, visit: https://privacy.xing.com/de/datenschutzerklaerung
• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland):
LinkedIn provides a link to our online application portal. Applications can be submitted via this portal. Additionally, LinkedIn offers the option to apply directly through the platform. In such cases, profile data and CV information may be transmitted to our application portal or, in the case of an early rejection, processed solely within LinkedIn. Applying via LinkedIn is voluntary and may be used as an alternative to our application portal. For more information on LinkedIn’s data protection practices, visit: https://www.linkedin.com/legal/privacy-policy?
• Stepstone (The Stepstone Group Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf):
Stepstone provides a link to our online application portal. Applications can be submitted via this portal. Additionally, Stepstone offers the option to apply directly through the platform. In such cases, profile data and CV information may be transmitted to our application portal or, in the case of an early rejection, processed solely within Stepstone. Applying via Stepstone is voluntary and may be used as an alternative to our application portal. For more information on Stepstone’s data protection practices, visit: https://www.thestepstonegroup.com/deutsch/richtlinien/datenschutzrichtlinie/
• kununu (New Work SE):
This platform is used solely for presenting our employer profile. Applications cannot be submitted via kununu, and no applicant data is processed.
• Meta (Facebook, Instagram) & Google:
These platforms are used to display job advertisements as part of targeted recruitment campaigns. RSU does not process personal data directly via these platforms. Data processing in this context is carried out solely by the respective platform providers.
b) Legal basis
The legal basis for processing your personal data is Art. 6 (1) (b) GDPR in conjunction with Art. 88 GDPR and § 26 of the German Federal Data Protection Act (BDSG), to initiate an employment relationship.
If we consult publicly available data from professional networks, we do so based on our legitimate interest in efficient recruitment pursuant to Art. 6 (1) (f) GDPR.
If it becomes necessary to retain applicant data after the recruitment process has concluded – for example, for legal defense purposes – the data will be processed on the basis of our legitimate interests pursuant to Art. 6 (1) (f) GDPR.
c) Storage period
If your application is unsuccessful, we will retain your data for up to six months after completion of the application process.
If you have consented to be added to our applicant pool, your data will be deleted no later than two years after your consent.
If an employment relationship is established, your data will be transferred to your personnel file and processed in accordance with applicable legal retention requirements.
4. Direct marketing (such as newsletters and customer surveys)
4.1. Newsletter subscription and event registration
a) Nature and extent of data processing
On our website you can subscribe to receive newsletters by e-mail and register for events. In this context, the data you provided via the input mask and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this Privacy Policy.
In order to verify that a registration for the sending of a newsletter is made by the actual owner of an e-mail address, we use the so-called “double opt-in” procedure. After registration, you will receive an email in which you are asked to confirm your subscription. This confirmation is necessary to avoid anyone using others’ email addresses for the registration. Hence, the registration process is only completed once the confirmation link in the confirmation e-mail has been activated. In this context, date and time of activation of the confirmation link are transmitted to us.
You can unsubscribe from the newsletter at any time by using the unsubscribe link contained in each newsletter or by contacting us using the contact details provided above.
If you also provide us with your telephone number as part of your event registration or participation, your consent also extends to being contacted by telephone for marketing and sales purposes. You can also object to this processing at any time.
b) Legal basis
The processing of personal data is based on Art. 6 (1) lit. a) GDPR following the consent given by you.
c) Storage period
Please note that if you withdraw your consent, we will retain the data relating to the consent until the expiry of the statutory limitation period (three calendar years after the last e-mail newsletter was sent in accordance with Section 195 of the German Civil Code (BGB)) in order to be able to defend ourselves legally if necessary. In this context, the duty of accountability takes precedence over the duty of erasure for this period (Art. 17 (3) lit. e) GDPR). The legal basis for the retention of consent data is Art. 6 (1) lit. c) in conjunction with Art. 5 (1) lit. a), (2), Art. 7 (1) GDPR and Art. 6 (1) lit. f) GDPR.
4.2. E-mail newsletters and customer surveys in the context of an existing customer relationship
a) Nature and extent of data processing
If you are a customer of RSU and provide us with your e-mail address, we may subsequently use it to send you an e-mail newsletter or other marketing messages (such as customer surveys) if you have not objected to such use. In such a case, the e-mail address will only be used to send direct advertising for our own similar goods or services (such as surveys pertaining to RSU services that you have been using). You can object to the use of your e-mail address at any time, without incurring any costs other than the transmission costs according to the basic rates, e.g. by using the unsubscribe link contained in every newsletter or by contacting us at the above-mentioned contact details.
b) Legal basis
The legal basis for sending the newsletter or conducting customer surveys as a result of the sale of goods or services is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR.
c) Storage period
Please note that if your data has already been used for the sending of email advertising during an existing customer relationship, we will retain the data in the event of an objection to further advertising use until the expiry of the statutory limitation period (based on Section 7 (3) of the German Unfair Competition Act (UWG) in accordance with § 195 BGB, three calendar years after the last advertising email was sent) in order to be able to defend ourselves legally if necessary. The duty of accountability takes precedence over the duty of erasure for this period (Art. 17 para. 3 lit. e) GDPR). The legal basis for the retention of consent data is Art. 6 (1) lit. c) in conjunction with Art. 5 (1) lit. a), (2), Art. 7 (1) GDPR and Art. 6 (1) lit. f) GDPR.
4.3. Newsletter Analytics/Tracking
A statistical analysis of usage data may be carried out for our newsletters. For this purpose, we may record both the openings of the e-mail and the internal clicks. This information serves the purpose of measuring and optimizing the success of our newsletter campaigns by making the newsletter content more relevant to our target group.
The legal basis for this analysis is your consent pursuant to Art. 6 (1) lit. a) GDPR.
4.4. Newsletter Service Provider
The newsletter is sent via the service provider “Brevo”. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. The data collected is stored on Brevo’s servers in the EU. Brevo uses this information to send the newsletter on behalf of RSU.
You can find more information about Brevo’s privacy policy here: https://www.brevo.com/de/legal/privacypolicy/
5. Establishment, exercise or defence of legal claims
a) Nature and extent of data processing
In the context of the establishment, exercise or defence of legal claims, we process your personal data to refute unfounded claims and enforce claims and rights.
b) Legal basis
The legal basis for processing your personal data to establish, exercise or defend legal claims is our legitimate interest as referred to in Article 6(1)(f) of the GDPR.
c) Storage period
Your personal data will be erased as soon as they are no longer needed for the purposes for which they have been collected.
6. Whistleblowing system
a) Nature and extent of data processing
For confidential communication with whistleblowers according to the German Whistleblower Protection Act (HinSchG), RSU uses a digital whistleblower system of the service provider ‘Compliance.One’. This provider also assumes the function of the internal reporting office as ombudsperson.
The whistleblower system enables the submission of anonymous reports for which no personal data of the whistleblower is collected or otherwise processed. However, depending on the content of the submitted report and any accompanying documents, it cannot be ruled out that personal data of the whistleblower or of other persons named in the report will be processed.
b) Legal basis
Art. 6 (1)(c) of the GDPR in conjunction with Section 10 of the German Whistleblower Protection Act (HinSchG) forms the legal basis.
Further information can be found in the privacy policy for the whistleblower system at https://platform.compliance.one/case/legal/150/7a78fa9a77b2/
7. Electronic Signatures (DocuSign)
a. Nature and extent of data processing
RSU uses DocuSign software for the digital signature of contracts. The provider of this service is DocuSign International (EMEA) Limited, Hanover Quay, Grand Canal Dock, Dublin, Ireland. As part of the service, you will receive an email with a link that enables you to submit a legally valid and binding digital signature on the DocuSign platform.
In connection with the digital signature, the personal data listed in the documents to be signed will be processed. This includes, in particular, the name, e-mail address, device and transaction data.
You can find more information on data protection at DocuSign here.
b. Legal basis
The legal basis for the processing is our legitimate interest as referred to in Article 6(1)(f) of the GDPR. We have a legitimate interest in digitizing our processes and in offering a digital method to conclude contracts. The use of your e-mail address serves to send the relevant information and to facilitate the process of obtaining the necessary signatures and documents.
All personal data remains in data centers in the EU. No personal data leaves the EU; only transaction data required for billing and worldwide access to DocuSign services is transferred to the US. To this end, the transfer takes place on the basis of the certified DocuSign Binding Corporate Rules (BCRs) and the EU Standard Contractual Clauses (SCCs).
c. Storage period
Your personal data will be deleted as soon as it is no longer required for the respective purpose and the legally regulated retention periods have expired.
8. Social Media
a. Nature and extent of data processing
• Social Media Buttons (LinkedIn, XING, Stepstone, kununu, Facebook):
When you click on one of the social media buttons on our website, you will be redirected to our company page on the respective platform. In this process, the provider of the social media network receives the information that your browser has accessed the corresponding page of our website – even if you do not have a profile on the respective network or are not logged in. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider. If you are logged in to the respective social media network at the time or log in after being redirected, the transmitted information may be associated with your user account.
For details on the purpose and scope of data collection and processing by the respective social media providers, including their legal notices, contact information, and your privacy rights and settings, please refer to the data protection policies provided by each platform.
• Social Media Pages: We maintain publicly accessible profiles on various social media platforms (e.g., LinkedIn, XING, Stepstone, kununu, Instagram, Facebook).
When you visit one of our social media pages and are logged into your account on the respective platform, the platform provider may analyze your usage behavior and associate the collected information with your account. This information may also be enriched using other data already stored by the provider. Even if you are not logged in – or do not have an account with the platform at all – personal data such as your IP address or cookie-based information may still be collected by the respective provider. The operators of social media networks may use such data to create user profiles. These profiles can then be used to serve you interest-based advertisements both on and off the social media platforms.
When you visit one of our social media pages, we and the respective platform provider are considered joint controllers under data protection law (Art. 26 GDPR) with regard to the collection and processing of your personal data.
For detailed information on how your personal data is processed on these platforms, please refer to the privacy policies of the respective providers.
You may exercise your rights as a data subject under Chapter III of the GDPR (e.g., the right to access, rectification, erasure, restriction of processing, and data portability) both against us and against the respective platform provider.
Please note, however, that our ability to influence how your data is processed and how data subject rights are implemented on these platforms is limited to the functionalities made available to us by the providers.
b. Legal basis
The legal basis for processing personal data in connection with the use of our social media buttons and pages is Art. 6 (1) (f) GDPR. Our legitimate interest lies in increasing our visibility, presenting our company, and enabling targeted communication with interested parties and job applicants.
Where a joint controllership pursuant to Art. 26 GDPR exists with a social media platform provider, the processing of personal data is also based on the respective joint controllership agreement concluded with the provider.
c. Storage period
The retention period for personal data is determined by the policies of the respective social media provider.
We have no control over how long user data is stored on these platforms. For more information, please refer to the privacy policies of the respective services.
9. Participation in Video Conferences and Trainings via Microsoft Teams
a. Nature and extent of data processing
In the context of conducting video conferences and online trainings (“online meetings”), RSU processes the personal data of participants.
We use “Microsoft Teams” to conduct online meetings, a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
The following categories of personal data may be processed:
• User Information: e.g., display name, email address (if applicable), profile picture (optional), preferred language
• Meeting Metadata: e.g., date, time, meeting ID, phone numbers, location
• Text, Audio, and Video Data: Participants may use the chat function during online meetings; any messages entered are processed and displayed to all participants. Audio and video data from a participant’s device (e.g., microphone, webcam) may be processed to enable communication. Participants can deactivate their microphone or camera at any time via the Microsoft Teams app.
You may join the meeting using either the Microsoft Teams app or a web browser. Recordings, including any transcriptions, are made only after prior notice (e.g., via pop-up notification) and with the consent of the participants. Consent is considered granted when you actively enable your microphone and/or camera (“Unmute” / “Turn Camera On”). You may deactivate your microphone or camera at any time and are free to leave the meeting at any time.
Microsoft acts as a data processor based on a data processing agreement in accordance with Article 28 GDPR. The data processing performed with Teams is based on the Microsoft EU Data Boundary, meaning that the data of European customers is generally stored and processed on servers within the EU/EEA. In cases where data is transferred to a third country, an adequate level of data protection is ensured pursuant to the European Commission’s adequacy decision under Article 45 GDPR, as Microsoft is certified under the EU-U.S. Data Privacy Framework (DPF). In addition, the EU Standard Contractual Clauses have been concluded in accordance with Article 46 GDPR.
For more information, see: https://www.microsoft.com/en-us/trust-center/privacy/european-data-boundary-eudb
b. Legal basis
The processing of personal data in connection with the use of Microsoft Teams is based on the following legal provisions:
• Article 6(1)(b) GDPR: insofar as the online meeting is conducted as part of the contract performance.
• Article 6(1)(f) GDPR: for the purposes of legitimate interests, namely enabling efficient collaboration and communication regardless of the participants’ locations, whether internally or externally.
• Section 26(1) BDSG (German Data Protection Act), in conjunction with Article 6(1)(b) GDPR: where the data processing is necessary for the fulfillment of the employment relationship.
• Article 6(1)(a) GDPR: where meetings are recorded or transcribed, processing is based on the consent of the participants. You may deactivate your camera or microphone at any time or leave the meeting. From that point onward, no further audio or video data will be recorded.
c. Storage period
As a general principle, your personal data is processed only for as long as necessary to fulfill the purposes outlined above. Once the data is no longer required for these purposes, it will be deleted, unless its continued processing is necessary to comply with legal retention obligations or is based on your consent.
d. Withdrawal of Consent
You may withdraw your consent, either fully or partially, at any time by contacting RSU via email at datenschutzbeauftragter@rsu.one. The withdrawal will take effect upon receipt and does not affect the lawfulness of any processing carried out prior to that point.
Example: “I hereby withdraw my consent to the processing of my audio/video data in the Microsoft Teams recording of the meeting held on [date] at [time].”
10. Retrieval-Augmented Generation AI to assist in processing methodological inquiries
a. Nature and extent of data processing
An internal RAG AI supports RSU employees in responding to methodological inquiries (tickets) from our customers. Before use, the free text in the tickets is automatically anonymized on a local RSU server to remove personal information (such as names). The RAG AI then processes only the anonymized text and generates appropriate response suggestions.
b. Legal basis
The legal basis for the processing of personal data in the context of anonymizing ticket content is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient and consistent processing of customer inquiries using an AI-supported RAG.
c. Storage period
Personal data is only processed within the scope of anonymization and is immediately deleted. This data is not stored beyond the anonymization step.