Privacy Notice

We take the protection of personal data very seriously. Below, we set out what data we process, the purposes for which this is done, and the rights of data subjects.

This privacy notice applies to:
– Members and contact persons at member organisations
– Participants in events and training courses (face-to-face and online)
– Users of our website
— Subscribers to our newsletter
– People who use our services (e.g. careers portal, mentoring)

1. Data controller

German association of Corporate Treasurer (VDT)
2 Pariser Straße
65552 Limburg
Email: service@vdtev.de
Telephone: 06431 – 212 137 0
Website: www.vdtev.de

2. Categories of personal data

In particular, we process:
– Member details: name, business contact details,
Length of service, role/position, assignment to
Membership types, billing and subscription details.

– Event details: name, contact details, company, booked

Events, attendance history, payment details, participation in online-
Events.

– Newsletter data: name, email address, interaction data (open and

Click behaviour (subject to consent).

– Photography and videography: Taking photographs and filming at events.


– Website/IT data: server log files, cookie information, consents,

Browser specifications.
– Career portal/mentoring: Data entered whilst using the service
(profile information, enquiries, application details).

3. Purposes of processing and legal bases

3.1 Membership administration (mandatory information upon joining)

Purposes:
– Membership administration
– Communication on association-related matters
– Pursuit of the objectives set out in the Articles of Association (Article 2 of the Articles of Association)
– Collection of contributions & invoicing

Legal basis:
Article 6(1)(b) of the GDPR (Contractual membership)
Article 6(1)(c) of the GDPR (legal obligations)
Article 6(1)(f) of the GDPR (representation of interests, networking, professional exchange)

3.2 Events, training courses & online events

We process data in order to:
– Processing registrations
— to enable participation
– to issue certificates/confirmations
– To issue invoices
– To draw up lists of participants (including only the most essential details)
– Hosting online events (MS Teams)

Legal basis:
Article 6(1)(b) of the GDPR (contract/participation)
Article 6(1)(f) of the GDPR (Organisation and implementation, security)

Recipient:
– Hotels/venues only where absolutely necessary
– IT service provider & MS Teams (Microsoft Ireland/USA, EU data boundary)

3.3 Photography and video recording at events

We produce photos and videos for:
Photographs and videos are taken during events. These are used for reporting on the event, for the German association of Corporate Treasurer (VDT)’s public relations work, and to document the association’s activities, in particular on our website and on our social media channels (LinkedIn, Instagram).

By taking part, you agree that you may be recognisably depicted in group and situational photographs. We will only publish individual portraits or specific close-ups with your express consent.

You may object at any time to the taking or use of your photographs in future. Please speak to the event team on site or contact the following address afterwards: service@vdtev.de

Legal basis:
Article 6(1)(f) of the GDPR (legitimate interest in public relations and documentation)

In certain cases: Article 6(1)(a) of the GDPR (consent), in particular where individual portraits are clearly identifiable.

Note:
At events, we clearly indicate where photography and video recording are permitted.
Data subjects may object at any time.

3.4 Newsletter (CleverReach)

We use CleverReach GmbH & Co. KG, Germany, as our data processor.

Purposes:
– Distribution of official membership information
– Sending out newsletters and event information

Data:
– Name, email address
– companies, where applicable
– Interaction data (only with consent)

Legal basis:
– Communication with members: Article 6(1)(f) of the GDPR
– Newsletter on a voluntary basis: Article 6(1)(a) of the GDPR
– Tracking (opens/clicks): only with consent

Recipient:
– CleverReach

3.5 Using MS Teams (online events)

Data types:
– Name
– Email address
— Technical specifications
— Meeting interactions

Legal basis:
Article 6(1)(b) of the GDPR (organisation of the online event)
MS Teams processes some data within the EU (‘EU Data Boundary’); in some cases, support access may be provided from within the EU – secured by EU Standard Contractual Clauses.

3.6 Use of the website, cookies & tracking

We use:
– Essential cookies (Borlabs cookie, WordPress/session, Wordfence Security,

Web Analytics)
– Simply History, Limit Login Attempts Reloaded, Ultimate Member, Burst
Statistics
– Statistics or marketing cookies only with consent (Section 25 TDDDG + Article 6
(Article 6(1)(a) of the GDPR)

Google Maps will only be loaded once consent has been given.
Social media links may transmit data; this only happens once you click on them.

Server log files:

– When you visit our website, data is stored in log files and anonymised immediately upon collection.
– Referrer (previously visited website)
– Requested web page or file
– Browser type and version – Operating system used
– Type of device used
– Time of access
– IP address in anonymised form (used only to determine the location of the
(access used)

The data is stored for 8 weeks. It is neither disclosed to third parties nor transferred to third countries outside the EU or the EEA.
Web Analytics (server-side)

We use WebAnalytics to track usage of your website. The data is extracted from existing log files. No new data is collected. No external service is used. This is not traditional user tracking; no profiles are created. To protect personal data, WebAnalytics does not use cookies. The visitor’s IP address is transmitted when a page is accessed; it is anonymised immediately after transmission and processed without any personal reference.

No personal data relating to website visitors is stored, so that no conclusions can be drawn about individual visitors.

Data is stored exclusively in Germany, in IONOS data centres.

 

WordPress
– No log files whatsoever.

– Debug logs are disabled.

 

Wordfence Security
Keeps detailed logs:

– Live Traffic Log
– Firewall log
– Login/Brute-force log
– Scan Result Log

Shelf life: 30 days.
Storage location: wp-content/wflogs/ and databases

This site uses the WORDFENCE security plugin to protect the website against hacker attacks and the like. The provider is DEFIANT, 800 5th Ave Ste 4100, Seattle, WA 98104.
The GDPR-compliant data processing agreement provided has been concluded.

WORDFENCE currently uses three cookies; the following explains what each cookie does, who set it and why it helps to protect the site.

wfwaf-authcookie- (Hash) What it does: This cookie is used by the WORDFENCE firewall to perform an authentication check on the current user before WordPress loads. Who receives this cookie: This cookie is only set for users who are able to log in to WordPress. How this cookie helps: This cookie enables the WORDFENCE firewall to recognise logged-in users and grant them enhanced access. WORDFENCE can also recognise users who are not logged in and restrict their access to secure areas. The cookie informs the firewall of a visitor’s access level, helping the firewall to make informed decisions about who to allow and who to block.

wf_loginalerted_ (Hash) What it does: This cookie is used to notify the WORDFENCE administrator when an administrator logs in from a new device or location. Who receives this cookie: This cookie is set only for administrators. How this cookie helps: This cookie helps website operators to know whether an admin login has taken place from a new device or location.

wfCBLBypass What it does: WORDFENCE offers site visitors the option to bypass country blocking by accessing a hidden URL. This cookie is used to track who is permitted to bypass the country block. Who receives this cookie: When a hidden URL defined by the site administrator is accessed, this cookie is used to check whether the user is accessing the site from a country that is restricted by the country block. This applies to anyone who knows the URL that allows them to bypass the standard country block. This cookie is not set for anyone who does not know the hidden URL used to bypass the country block. How this cookie helps: This cookie enables website owners to grant access to blocked countries to specific users, even though their country has been restricted.

Further information on how user data is handled can be found in DEFIANT’s privacy policy: https://www.WORDFENCE.com/privacy-policy/

 

A Brief History
This is a plugin that logs activity on the website, but expressly does not set any cookies, does not use any local storage and anonymises IP addresses.

Saves:
– Username

— IP address
– Changes

Saves changes:
– Log in/Log out

– Pages/posts amended
– Plugins installed/deactivated
– Forms submitted, etc.

Storage: 60 days
Location: Database

 

Limit Login Attempts Reloaded
This is a plugin which, as a security feature, prevents passwords from being hacked – for example, through brute-force attacks – by counting and limiting the number of failed login attempts from a particular IP address or username.

Saves:
– failed logins

– Username
— IP address

Retention: indefinitely until deletion
Location: Database

 

Ultimate Member

Saves:
– Login attempts

– Registrations
– User actions

Storage: 60 days
Location: Database

Burst Statistics
This is a plugin that measures website visitor numbers and stores the data locally on the internal server without collecting any personal data.

Saves:
– anonymised page views
– Event details

Shelf life: 12 months (adjustable)
Location: Database

 

Borlabs cookie

Saves:

– Cookie lifetime
– Cookie version
– Website domain and path
– The visitor’s consents
– A random user ID (UID) that is not personally identifiable.

Storage: Standard 365 days.
Location: Database.

Legal basis:
Article 6(1)(f) of the GDPR (Security & Operations)

Storage period: 7–365 days

3.7 Careers portal / Mentoring / Library

Purpose:
Provision of specialist content and career opportunities
User management

Legal basis:
Article 6(1)(b) of the GDPR (use of the service)
Article 6(1)(f) of the GDPR (professional development)

4. Recipients of personal data

We only pass on data where this is necessary or where the individuals concerned have given their consent.

Possible recipients:
– IT and hosting service providers
– CleverReach (newsletter)
– MS Teams / Microsoft
– Venues, hotels (if required)
– Tax advisers, banks
– Data processors with whom data processing agreements are in place
– Transfers to third countries:
– May occur at Microsoft or on social media
– Basis: Standard contractual clauses or the EU–US Data Privacy Framework

5. Retention period

– Membership data: for the duration of membership plus 10 years
– Event details: up to 3 years after the event
– Invoice data: 10 years (statutory requirement)
– Newsletter data: until you withdraw your consent or we delete the data
– Server log files: 7–30 days
– Photographs and video recordings: until further notice or, as a rule, for a maximum of 3–5 years

6. Rights of data subjects

Data subjects have the following rights:
– Right of access (Article 15 of the GDPR)
– Rectification (Article 16 of the GDPR)
– Erasure (Article 17 of the GDPR)
– Restriction of processing (Art. 18 GDPR)
– Data portability (Article 20 of the GDPR)
– Right to object (Article 21 of the GDPR) – in particular to
Photo and video processing & direct communication
– Consent may be withdrawn at any time with effect for the future

Right to lodge a complaint:
Hesse’s Commissioner for Data Protection and Freedom of Information
(or the relevant regional authority)
Contact details for exercising your rights:
service@vdtev.de

7. Security of processing

We implement technical and organisational measures to protect personal data against loss, misuse and unauthorised access. These include access restrictions, encryption, backup strategies and internal IT policies.

8. Status of the privacy notice

As at December 2025
We will update this information as soon as any legal or technical changes arise.