Privacy Policy
BBS Certification GmbH
Last updated: 15 August 2025
BBS Certification GmbH (hereinafter referred to as "we", "us" or "the company") takes the protection of your personal data very seriously. Processing is carried out exclusively in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
- Controller
BBS Certification GmbH
Friedrich-Bergius-Straße 5
65203 Wiesbaden, Germany
- Represented by:
Dr. Mirac Aslantas
- Contact:
📞 +49 611 950 18140
📧 info@bbs-cert.de / datenschutz@bbs-cert.de
- What Data We Process
We only process personal data where necessary, for example:
- For our services:
Certification, auditing, inspections, training, workshops, consulting, engineering, testing, analysis, evaluation, verification, reporting, and project services.
- For contract fulfilment:
Handling enquiries, preparing quotations, invoicing.
- To comply with legal obligations:
Retention and documentation requirements.
- Legal Bases of Data Processing
| Processing Activity | Purpose of Processing | Legal Basis (GDPR) | Supplementary Legal Basis (BDSG) |
|---|---|---|---|
| Handling enquiries and preparing quotations | Responding to customer or prospective client enquiries, preparing offers | Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR | § 4 BDSG |
| Conducting certifications, audits, inspections | Performing contractual and accreditation-related services | Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR | § 4 BDSG, § 24 BDSG |
| Trainings and workshops | Managing participants, issuing certificates, optional recordings | Art. 6(1)(b) GDPR, Art. 6(1)(a) GDPR | § 4 BDSG, § 22 BDSG |
| Consulting, engineering, testing, analysis, evaluation, verification, reporting, project services | Processing customer data for technical, management, or conformity services | Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR | § 4 BDSG, § 24 BDSG |
| Delivering certificates and managing validity periods | Managing certificate lifecycle, renewals, and traceability | Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR | § 4 BDSG |
| Invoicing, accounting, financial reporting | Processing billing, payment, and tax-related data | Art. 6(1)(c) GDPR, Art. 6(1)(b) GDPR | § 4 BDSG |
| Retaining documents and fulfilling statutory obligations | Meeting accreditation, documentation, and retention requirements | Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR | § 24 BDSG |
| Managing LinkedIn, Twitter (X), Instagram accounts, newsletters, events | Public relations, marketing, and event management | Art. 6(1)(a) GDPR, Art. 6(1)(f) GDPR | § 4 BDSG |
| Log files, cookies, analytics, security monitoring | Website operation, analytics, IT security | Art. 6(1)(f) GDPR, Art. 6(1)(a) GDPR | § 4 BDSG |
| Internal and external audits (quality, accreditation, financial) | Verification of compliance and system performance | Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR | § 24 BDSG |
| HR management, payroll, performance evaluations | Administration of employment and personnel records | Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR | § 26 BDSG |
We process data only to the extent necessary for the stated purposes and in accordance with the principles of Art. 5 GDPR (lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, and integrity/confidentiality). In cases where processing relies on consent, the data subject may withdraw consent at any time with effect for the future. Data may also be retained and processed under § 24 BDSG to assert or defend legal claims or to meet accreditation and regulatory obligations.
- Retention Period
- Data will only be stored for as long as is necessary for the relevant purpose.
- Statutory retention periods (e.g., 6 or 10 years) are observed (BDSG § 257, § 147).
- Disclosure to Third Parties
Your data will only be disclosed if:
- You have given your consent (Art. 6 (1) (a) GDPR, BDSG § 28)
- It is necessary for contract fulfilment (Art. 6 (1) (b) GDPR)
- There is a legal obligation to do so (Art. 6 (1) (c) GDPR, BDSG § 32)
Your personal data may be shared with national and international accreditation bodies (such as DAkkS), educational institutions (such as Exemplar Global and PECB) and public institutions and organisations, for the purpose of fulfilling the requirements of the services provided and only to the extent necessary for that purpose.
- Transfer to Third Countries
Where the transfer of data to countries outside the EU/EEA is required, it will only take place with appropriate data protection safeguards in accordance with Art. 44 et seq. GDPR and BDSG § 32.
- Your Rights
You have the following rights:
- Access to your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent at any time (Art. 7 GDPR)
- Data Subject Request: the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by our company, for example with the supervisory authority responsible for us (Art. 77 GDPR)
Supervisory Authority:
The Hessian Commissioner for Data Protection and Freedom of Information
📍 Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
📧 poststelle@datenschutz.hessen.de
- Visiting Our Website
When visiting our website, server log files are automatically collected:
- Referrer URL
- Date and time
- Browser type/version
- IP address (shortened/anonymised)
- Operating system
- Data volume transferred
- HTTP status code
Cookies:
We use cookies to improve user-friendliness. Details can be found in our Cookie Policy.
- Sector-Specific Processing
As part of our accreditation, we process data for:
- Conducting audits and inspections in accordance with ISO standards
- Reporting to national/international accreditation bodies
- Managing certificates and their validity periods
Legal basis: Art. 6 (1) (b), (f) GDPR; BDSG § 26, § 28
- Use of Our Social Media Accounts
We operate company profiles on LinkedIn, Twitter (X) and Instagram.
When visiting these profiles, the platform operator collects personal data, e.g.:
- IP address
- Device information
- User behaviour (clicks, likes, comments)
- Profile data (if logged in)
Joint controllership (Art. 26 GDPR):
Where possible, agreements on joint controllership have been concluded with the platform operators.
Privacy policies of the platforms:
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
- Twitter (X): https://twitter.com/de/privacy
- Instagram: https://privacycenter.instagram.com/policy
Legal basis:
Legitimate interest (Art. 6 (1) (f) GDPR; BDSG § 28) in public relations and communication.
- Changes
We reserve the right to amend this Privacy Policy where necessary. The current version is available on our website.
