Data privacy information for the CRM system in accordance with Art. 13 GDPR

Data Privacy Information for the CRM System

This notice explains how we process your personal data and informs you of your rights under data protection law.

Who is responsible for data processing, and whom can I contact with questions or concerns?

The controller responsible for your personal data is the respective DEKRA group company that decides, alone or jointly with others, on the purposes and means of processing your personal data. Generally, this is the DEKRA group company (or companies) that has performed, is performing, will perform, or should perform services for you or your employer.
The responsible group parent company is:
DEKRA SE
Handwerkstr. 15, 70565 Stuttgart, Germany
Entered in the commercial register of the District Court of Stuttgart under HRB 734316
You can contact our Group Data Protection Officer at: konzerndatenschutz@dekra.com

What sources and data do we use?

We process personal data that you provide to us (for example through forms, email, phone, chat, or during events and webinars), that arise during our interactions with you (for example meeting notes, documented communication, or participation in campaigns), or that we lawfully obtain from publicly available sources or professional networks.
Depending on your interaction with us, the following categories of personal data may be processed:

Identification and contact details

Salutation, name, email address, phone number, postal address, and other information required to contact you.

Professional or organizational details

If you act in a business capacity: employer, department, position or role, business contact information, industry, or professional interests.

Service- or request-related information

Details necessary to understand and handle your inquiry or the service you request. This may include appointment preferences, service preferences, the purpose of your inquiry, relevant product, object, or vehicle data, or other contextual information needed to provide our services.

Uploaded materials and documentation

Forms and portals may allow you to upload files. These files may contain unstructured content and, depending on what you choose to submit, may include personal data of third parties. We process such files only insofar as necessary to assess or respond to your request.

Communication and marketing data

Communication preferences, subscription status, consent records, history of interactions with DEKRA (for example inquiries, meetings, campaigns, or documented notes).

Technical or usage data related to online events or emails

  • for online events: technical identifiers required to establish and maintain the session (such as IP address or device/browser information), attendance data, and interaction data (such as chat, Q&A, or poll participation)
  • for email communication: metadata used to determine whether a message was delivered or interacted with (such as open or click signals generated by tracking pixels). Depending on your email client or settings, these signals may be blocked or anonymized.
We do not use technical identifiers for nonessential tracking unless you have provided consent where required.

For what purposes and on what legal bases do we process your data?

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable laws. In some contexts we may process personal data not listed here; where required by law, you will receive a separate privacy notice relevant to the specific context.

A. Inclusion in a Customer Relationship Management system (CRM)

We collect and store your details in our CRM to manage and document our relationship with you. This includes staying in contact, responding to inquiries, providing information you request, and preparing or performing services. Depending on the context, this may cover identification and contact details, professional or organizational information, service-related information, or communication history. We also maintain data quality in the CRM (for example updates, deduplication, and documentation of interactions).
Legal basis: Article 6(1)(f) GDPR (legitimate interests). Our legitimate interests are effective contact management, coordination of customer-related processes, and ensuring smooth service delivery. We have carried out the required balancing test and concluded that processing is proportionate and does not override your interests or fundamental rights.
Article 6(1)(b) GDPR (performance of a contract or steps taken at your request). This applies where processing your information is necessary to respond to a request, prepare an offer, or perform a contractual relationship with you or your organization.
Processor: Salesforce Germany GmbH under a data processing agreement.

B. Newsletter and direct email marketing

If you subscribe, we use your contact details and the services you are interested in to send you relevant information about our offers by email. We maintain your subscription status and consent records, and you can unsubscribe at any time using the link in each email or by updating your preferences.
Legal basis: Article 6(1)(a) GDPR (consent).
Processor: Salesforce Germany GmbH under a data processing agreement.

C. Analysis of newsletter interactions

To understand which content is relevant, improve deliverability, and avoid sending unwanted messages, we analyze basic interactions with our emails. Salesforce Marketing Cloud automatically embeds a tracking pixel in each email to determine whether a message was delivered, opened, or clicked. These interaction signals are associated with your CRM profile so that we can understand how our communications perform over time.
If you withdraw your consent to receive newsletters, we will stop sending further messages and stop processing interaction data for this purpose. Depending on your email client or settings, certain interactions (such as opens) may not be technically measurable.
Legal basis: Article 6(1)(a) GDPR (consent).
Processor: Salesforce Germany GmbH under a data processing agreement.

D. Customer satisfaction surveys

With your permission, we invite you to voluntary surveys to help us improve our products and services. We manage invitations, collect responses, and analyze results. Depending on the survey, we may link your responses to your CRM profile to understand your experience in context, and we will inform you of this in the invitation. You can withdraw your consent at any time, and we will stop sending further invitations or using your responses for this purpose.
Legal basis: Article 6(1)(a) GDPR (consent).
Processor: Salesforce Germany GmbH under a data processing agreement.

E. Webinars and online events

We register and host online events and handle reminders, access links, attendance management, related materials, optional surveys, and, where applicable, recordings. This involves your identification and contact details, registration and session information, technical identifiers (for example, device/browser or IP address used to join), and interaction data such as chat, Q&A, or poll responses. If a session is recorded, audio and/or video of participants may be captured in line with the event notice. You can opt out of nonessential follow-ups and, where required, we will seek specific permission for your appearance or voice in recordings.
Legal basis:
  • Article 6(1)(b) GDPR (participation/registration)
  • Article 6(1)(f) GDPR (event operations, security, and basic analytics)
  • Article 6(1)(a) GDPR (consent for nonessential marketing follow-ups and, where required, for your appearance/voice in recordings)
Processor: Livestorm SAS (webinar platform) and Salesforce Germany GmbH under data processing agreements.

Who will receive my data?

Within the DEKRA Group, entities that require your data to fulfil contractual or statutory obligations, or to pursue the purposes described in this Privacy Notice, will receive it. This includes computing centers operated by DEKRA SE in Stuttgart as well as locally and regionally operated computing centers where the respective DEKRA controllers process your data.
Our service providers and agents may also receive data for these purposes, provided they comply with confidentiality and data protection requirements. These providers typically operate in the areas of IT services, telecommunications, consulting, and sales and marketing.
With respect to disclosures outside the DEKRA Group, we share personal data only where required by law, where you have given consent, where it is necessary to initiate, perform, or end a contractual relationship, or where the DEKRA Group has a legitimate interest in doing so. Potential recipients include:
  • Public bodies and institutions (for example tax authorities or public prosecutors) where there is a legal or official obligation
  • Other DEKRA group companies for risk controlling where required by law or regulation
  • Service providers acting as processors under a data processing agreement
Our CRM processing is primarily carried out by our service provider Salesforce Germany GmbH, Erika-Mann-Str. 31, 80636 Munich. We have concluded a data processing agreement with Salesforce. In the course of processing, data may be transmitted to Salesforce servers in the United States. Salesforce has adopted Binding Corporate Rules (BCRs) to facilitate the transfer of personal data from the EU/EEA to Salesforce locations outside the EU/EEA. Further information on Salesforce’s BCRs and data protection practices is available at compliance.salesforce.com
For webinars and online events, we use Livestorm SAS as a processor. Livestorm processes identification and contact details, registration information, attendance data, and session-related technical identifiers (for example IP address or device information) on our behalf. Livestorm may use service providers or infrastructure located outside the EU; where this is the case, Livestorm applies appropriate safeguards such as EU Standard Contractual Clauses. Further information is available at livestorm.co/legal-center
Other recipients may include entities for whom you have granted consent or to whom we are permitted to transmit personal data based on a balancing of interests.

Is data transferred to a third country or an international organization?

Personal data may be transferred to recipients in countries outside the European Union (third countries) where this is necessary for CRM operations, communication services, or the provision of webinars and online events. Such transfers occur only where appropriate safeguards ensure a level of protection equivalent to that of the European Union.
In particular:
  • Salesforce may transfer data to servers in the United States and other third countries under its Binding Corporate Rules, which have been approved by European data protection authorities.
  • Livestorm may process data on servers or through subprocessors located outside the EU. These transfers are carried out under EU Standard Contractual Clauses or other lawful safeguards.
  • Other IT service providers supporting DEKRA operations may process personal data in third countries, but only where suitable safeguards (for example Binding Corporate Rules, Standard Contractual Clauses, or adequacy decisions) are in place.
Transfers to public authorities in third countries occur only where required by applicable law and subject to relevant data protection safeguards.

How long will my data be stored?

We process your personal data for as long as necessary to fulfill contractual and statutory obligations or for as long as we can justify a legitimate interest in processing. If you have granted consent, we process your data until you withdraw consent.
When processing is no longer justified, personal data is regularly deleted, unless continued processing is necessary for a limited period for one of the following purposes:
  • To fulfill commercial and tax law retention obligations, for example those arising from the German Commercial Code (HGB) or Tax Code (AO). Retention and documentation periods are generally 6 to 10 years.
  • To preserve evidence within statutory limitation periods. Under Sections 195 et seq. of the German Civil Code (BGB), these periods can be up to 30 years, although the regular limitation period is 3 years.

What data protection rights do I have?

Subject to the legal requirements, you have the right to:
  • Access the data we process (Article 15 GDPR),
  • Rectification of inaccurate data (Article 16 GDPR),
  • Erasure of data we store (Article 17 GDPR),
  • Restriction of processing (Article 18 GDPR),
  • Data portability (Article 20 GDPR),
  • Object to processing (Article 21 GDPR),
  • Withdraw consent at any time with effect for the future (Article 7(3) GDPR),
  • Lodge a complaint with a supervisory authority if you believe the processing of your personal data violates the GDPR (Article 77 GDPR).

Am I obliged to provide data?

In the course of our business relationship, you must provide the personal data necessary to begin, perform, and end the relationship and fulfill related contractual obligations, or data we are legally required to collect. Without this data, we may be unable to enter into, perform, or complete a contract with you or your employer.

To what extent are automated decision-making or profiling used?

We do not use fully automated decision-making within the meaning of Article 22 GDPR.
In some cases, we use automated analyses to better understand interests and to tailor communication, which constitutes profiling under Article 4(4) GDPR. This includes, for example, segmenting contacts based on interaction history, communication preferences, or service interests, and using these segments to provide more relevant information or to prioritize follow-up activities. These analyses do not produce legal effects for you and do not significantly affect you in a comparable manner.
If we introduce additional forms of automated decision-making in individual cases, we will inform you separately where required by law.

Information on your right to object in accordance with Article 21 GDPR

Case-specific right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) GDPR (processing in the public interest) and Article 6(1)(f) GDPR (processing based on a balancing of interests). This also applies to profiling based on these provisions within the meaning of Article 4(4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is required for the establishment, exercise, or defense of legal claims.

Right to object to processing for direct marketing

In individual cases, we process your personal data for direct marketing. You have the right to object at any time to the processing of your personal data for direct marketing. This also applies to profiling to the extent it is related to such direct marketing. If you object to processing for direct marketing, we will no longer process your personal data for this purpose.

Where to send an objection or withdrawal

You can send your objection or withdrawal of consent to the controller or to the Data Protection Officer. No specific form is required. To ensure a smooth and quick process, we request that you use the online form provided for this purpose. You can also click the link provided at the end of an informational email you receive. You will not incur any transmission costs other than those at base tariff rates.

Updates to this Privacy Notice

This Privacy Notice was last updated in March 2026. We reserve the right to amend this Privacy Notice in the future in accordance with applicable data protection laws and to adjust it to changing circumstances where necessary. We will inform you separately of significant changes to the content.
