Data protection information
We take the protection of personal data very seriously. In the following, we provide information about which data we process, the purposes for which this is done and the rights of data subjects.
This privacy policy applies to:
– Members and contact persons of member companies
– Participants in events and further training (in person & online)
– Users of our website
– Subscribers to our newsletter
– People who use our services (e.g. career portal, mentoring)
1. Responsible person
Verband Deutscher Treasurer e.V. (VDT)
Pariser Straße 2
65552 Limburg
E-mail: service@vdtev.de
Phone: 06431 - 212 137 0
Website: www.vdtev.de
2. Categories of personal data
We process in particular:
– Member data: name, business contact details, company affiliation, role/function, assignment to membership types, invoice and contribution data.
– Event data: name, contact details, company, booked events, participation history, payment data, participation in online events.
– Newsletter data: name, e-mail address, interaction data (opening and closing times, click behaviour, if consent has been given).
– Photo/video recordings: photo and video recordings at events.
– Website/IT data: server log files, cookie information, consents, technical data of the browser.
– Career portal/mentoring: data entered in the course of use (profile information, enquiries, application data).
3. Purposes of processing and legal bases
3.1 Member administration (mandatory information on joining)
Purposes:
– Membership management
– Communication on association topics
– Realisation of statutory purposes (§2 of the Articles of Association)
– Contribution collection & Invoicing
Legal bases:
Art. 6 para. 1 lit. b GDPR (contractual membership)
Art. 6 para. 1 lit. c GDPR (legal obligations)
Art. 6 para. 1 lit. f GDPR (representation of interests, networking, professional exchange)
3.2 Events, further training & online events
We process data in order to:
– Process applications
– Enable participation
– Issue certificates/confirmations
– Create invoices
– Create participant lists (with only the most necessary information)
– Organise online events (MS Teams)
Legal basis:
Art. 6 para. 1 lit. b GDPR (contract/participation)
Art. 6 para. 1 lit. f GDPR (organisation & implementation, security)
Recipient:
– Hotels/Locations only if absolutely necessary
– IT service provider & MS Teams (Microsoft Ireland/USA, EU Data Boundary)
3.3 Photo and video recordings at events
We take photos and videos during events. The recordings are used for reporting on the event, for the public relations work of Verband Deutscher Treasurer e.V. (VDT) and to document the association's work, in particular on our website and on our social media channels (LinkedIn, Instagram).
By taking part, you agree that you may be recognisably depicted in group and situation shots. We will only publish individual portraits or specific close-ups with your express consent.
You can object to the recording or use of your images at any time for the future. Please speak to the event team on site or contact us afterwards: service@vdtev.de
Legal bases:
Art. 6 para. 1 lit. f GDPR (legitimate interest in public relations and documentation)
In certain cases: Art. 6 para. 1 lit. a GDPR (consent), in particular for clearly recognisable individual portraits.
Note:
At events, we visibly draw attention to photo/video recordings.
Data subjects can lodge an objection at any time.
3.4 Newsletter (CleverReach)
We use CleverReach GmbH & Co KG, Germany, as a processor.
Purposes:
– Dispatch of binding membership information
– Dispatch of newsletters & Event information
Data:
– Name, e-mail address
– Company, if applicable
– Interaction data (only after consent)
Legal bases:
– Member communication: Art. 6 para. 1 lit. f GDPR
– Newsletter on a voluntary basis: Art. 6 para. 1 lit. a GDPR
– Tracking (openings/clicks): only with consent
Recipient:
– CleverReach
3.5 Use of MS Teams (online events)
Data types:
– Name
– e-mail address
– technical data
– Meeting interactions
Legal basis:
Art. 6 para. 1 lit. b GDPR (realisation of the online event)
MS Teams processes data partly in the EU ("EU Data Boundary"); in some cases support access can take place from the EU, secured by EU standard contractual clauses.
3.6 Use of the website, cookies & tracking
We use:
– Essential cookies (Borlabs Cookie, WordPress/Session, Wordfence Security, WebAnalytics)
– Simple History, Limit Login Attempts Reloaded, Ultimate Member, Burst Statistics
– Statistics or marketing cookies only with consent (§ 25 TDDDG + Art. 6 para. 1 lit. a GDPR)
Google Maps will only be loaded after consent.
Social media links can transmit data; this only happens after clicking.
Server log files:
When our website is accessed, data is stored in log files that are anonymised directly when they are collected:
– Referrer (previously visited website)
– Requested web page or file
– Browser type and browser version
– Operating system used
– Device type used
– Time of access
– IP address in anonymised form (only used to determine the location of the access)
The data is stored for 8 weeks. It is neither passed on to third parties nor transferred to third countries outside the EU or the EEA.
WebAnalytics (server-side)
We use WebAnalytics to document the use of our website. The data is taken from existing log files. No new data is collected. No external service is used. This is not classic user tracking; no profiles are created. To protect personal data, WebAnalytics does not use cookies. The visitor's IP address is transmitted when a page request is sent, anonymised directly after transmission and processed without personal reference.
No personal data of website visitors is stored so that no conclusions can be drawn about individual visitors.
The storage location is exclusively in Germany, in IONOS data centres.
WordPress
– No log files at all.
– Debug logs are deactivated.
Wordfence Security
Keeps extensive logs:
– Live Traffic Log
– Firewall Log
– Login/Brute-Force Log
– Scan Result Log
Storage: 30 days.
Storage location: wp-content/wflogs/ and databases
This site uses the WORDFENCE security plugin to protect the website from hacker attacks etc. The provider is DEFIANT, 800 5th Ave Ste 4100, Seattle, WA 98104.
The provided GDPR-compliant data processing agreement has been concluded.
WORDFENCE currently uses three cookies. The following explains what each cookie does, who the cookie is set for and why the cookie helps to protect the site.
wfwaf-authcookie-(hash)
What it does: This cookie is used by the WORDFENCE firewall to perform a capability check on the current user before loading WordPress.
Who receives this cookie: This cookie is only set for users who can log into WordPress.
How this cookie helps: With this cookie, the WORDFENCE firewall recognises logged-in users and allows them increased access. WORDFENCE can also recognise users who are not logged in and restrict their access to secure areas. The cookie informs the firewall what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
wf_loginalerted_(hash)
What it does: This cookie is used to notify the WORDFENCE administrator when an administrator logs in from a new device or location.
Who receives this cookie: This cookie is only set for administrators.
How this cookie helps: This cookie helps website operators to know if an admin login has taken place from a new device or location.
wfCBLBypass
What it does: WORDFENCE allows a site visitor to bypass country blocking by accessing a hidden URL. This cookie can be used to track who is authorised to bypass the country block.
Who receives this cookie: When a hidden URL defined by the site administrator is accessed, this cookie is used to check whether the user can access the site from a country that is restricted by country blocking. This is set for anyone who knows the URL that allows bypassing the default country block. This cookie is not set for anyone who does not know the hidden URL to bypass country blocking.
How this cookie helps: This cookie gives website owners the ability to allow certain users from blocked countries even though their country has been blocked.
You can find more information on the handling of user data in DEFIANT's privacy policy: https://www.WORDFENCE.com/privacy-policy/
Simple History
It is a plugin that logs activities on the website, but explicitly does not set cookies, does not use local storage and anonymises IP addresses.
Saves:
– User name
– IP address
– Changes
Saves changes:
– Login/Logout
– Pages/posts changed
– Plugins installed/deactivated
– Forms submitted etc.
Storage: 60 days
Storage location: Database
Limit Login Attempts Reloaded
It is a plugin that acts as a security function to prevent passwords from being hacked by brute force attacks, for example, by counting and limiting the number of failed login attempts for an IP address or user name.
Saves:
– failed logins
– User name
– IP address
Storage: unlimited until deletion
Storage location: Database
Ultimate Member
Saves:
– Login attempts
– Registrations
– User actions
Storage: 60 days
Storage location: Database
Burst Statistics
It is a plugin that measures website visitor numbers and stores them locally on the internal server without collecting personal data.
Saves:
– anonymised page views
– Event data
Storage: 12 months (adjustable)
Storage location: Database
Borlabs Cookie
Saves:
– Cookie lifetime
– Cookie version
– Domain and path of the website
– The consents of the visitor
– A random user ID (UID) that is not personalised.
Storage: Standard 365 days.
Storage location: Database.
Legal basis:
Art. 6 para. 1 lit. f GDPR (security & operation)
Storage period: 7-365 days
3.7 Career portal / mentoring / library
Purpose:
Provision of specialised content and career opportunities
User administration
Legal bases:
Art. 6 para. 1 lit. b GDPR (use of the service)
Art. 6 para. 1 lit. f GDPR (professional development)
4. Recipients of personal data
We only pass on data if this is necessary or if the persons concerned have given their consent.
Possible recipients:
– IT and hosting service provider
– CleverReach (Newsletter)
– MS Teams / Microsoft
– Venues, hotels (if required)
– Tax consultants, banks
– Processors with whom data processing contracts exist
Third country transfers:
– Can occur with Microsoft or social media
– Basis: Standard contractual clauses or EU-US Data Privacy Framework
5. Storage period
– Member data: for the duration of membership + 10 years
– Event data: up to 3 years after the event
– Invoice data: 10 years (legal obligation)
– Newsletter data: until cancellation or deletion by us
– Server log files: 7-30 days
– Photo/video recordings: until cancellation or generally max. 3-5 years
6. Rights of the data subjects
Data subjects have the following rights:
– Information (Art. 15 GDPR)
– Rectification (Art. 16 GDPR)
– Erasure (Art. 17 GDPR)
– Restriction of processing (Art. 18 GDPR)
– Data portability (Art. 20 GDPR)
– Objection (Art. 21 GDPR), in particular against photo/video processing & direct communication
– Revocation of consents granted at any time with effect for the future
Right to lodge a complaint:
Hessian Commissioner for Data Protection and Freedom of Information (or the respective competent state authority)
Contact to exercise the rights:
service@vdtev.de
7. Security of processing
We use technical and organisational measures to protect personal data from loss, misuse and unauthorised access. These include access restrictions, encryption, backup strategies and internal IT guidelines.
8. Status of the data protection information
Status: December 2025
We will adapt these notes as soon as legal or technical changes occur.
