How we process personal data under the UK GDPR and the Data Protection Act 2018, and the rights you have as a data subject.
The protection of your personal data is of particular concern to us.
You can use our website without providing any personal data.
We process personal data in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and — where applicable — the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the national data protection laws of Austria (Datenschutzgesetz – DSG) and Germany (Bundesdatenschutzgesetz – BDSG). Data are personal where they can be clearly attributed to a specific natural person.
The general rules about the website as well as the rules in the various data subject categories inform you about the type, scope and purpose of the collection, use and processing of personal data by:
20 Red Lion Street, London, WC1R 4PQ, United Kingdom
Companies House Number: 16444161 · VAT: 507 5416 01
Blumauerstrasse 45-47, 4020 Linz, Austria
Paul-Dessau-Straße 1, 22761 Hamburg, Germany
For all data protection enquiries please contact the Data Protection Coordinator of the CALPANA / CRISAM group at privacy@calpana.com. Enquiries concerning UK-specific processing can additionally be addressed to andreas.schmitz@crisam.net.
Hereby we inform you about the most important aspects of data processing within the scope of our website.
Our website uses Google Analytics, a web analytics service of Google Inc. Google provides a browser plug-in for the deactivation of Google Analytics. Google Analytics uses cookies. These are small text files which make it possible to store user-specific information on the user’s device. They enable Google to analyse the use of our website offering. The information generated by the cookie about your use of our pages (including your IP address) is generally anonymised, transmitted to and stored on a Google server in the USA. Due to the anonymisation carried out, no conclusions can be drawn about your identity. Google uses the collected information to evaluate the use of our websites, to compile reports about it for us and to provide other services related to this. For more information, please see Google’s privacy policy.
Click here to manage your cookie settings.
Our website uses Google Analytics, a web analytics service of Google Inc. Google Analytics uses cookies. These are small text files which make it possible to store user-specific information on the user’s device. They enable Google to analyse the use of our website offering. The information generated by the cookie about your use of our pages (including your IP address) is generally anonymised, transmitted to and stored on a Google server in the USA. Due to the anonymisation carried out, no conclusions can be drawn about your identity. Google uses the collected information to evaluate the use of our websites, to compile reports about it for us and to provide other services related to this.
Click here to manage your cookie settings.
For technical reasons, the following data, which your internet browser transmits to us or to our webspace provider, is recorded (so-called server log files):
This anonymous data is stored separately from any personal data you may have provided and does not allow any conclusions to be drawn about a specific person.
We offer you the possibility to contact us by e-mail and/or via a contact form. In this case, the information provided by the user is stored for the purpose of processing the contact request. No disclosure to third parties takes place. A comparison of the data collected in this way with data that may be collected by other components of our website is also not carried out. For more detailed information on the contact possibility via the website, see the Website visitors section below.
We process personal data of the following categories of data subjects:
The processing activities in which you are involved are carried out separately by CRISAM GRC Limited (United Kingdom), CALPANA business consulting GmbH (Austria) and CALPANA business consulting Deutschland GmbH (Germany). Where processing activities are performed as joint controllers, this is noted accordingly. For UK data subjects, CRISAM GRC Limited is the primary controller; data may be shared with the CALPANA group companies where required for cross-border service delivery.
Prospects are all those persons who are interested in our product and our other services and / or wish to be regularly informed about news.
Personal data of prospects are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Provision of information | Providing information about news, products and services |
| Personal contact | Providing information about news, products and services in the course of a personal conversation |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Provision of information | Consent (UK GDPR Art. 6(1)(a)) |
| Personal contact | Consent (UK GDPR Art. 6(1)(a)) |
Within the processing activities “Provision of information” and “Personal contact”, joint processing by CRISAM GRC Limited, CALPANA Austria and CALPANA Germany may occur. The subject of this processing is the management of contact data in order to provide cross-border services.
| Processing activity | Data category | Data types included |
|---|---|---|
| Provision of information, Personal contact | Contact maintenance data | Among others: name, telephone number, e-mail, address, role in the company and additional notes (prospect’s interest in product, service or events). |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
We store your personal data for as long as required by law, necessary for the purpose, or required by the legitimate interest of the company.
| Data category | Storage period | Deletion period |
|---|---|---|
| Contact maintenance data | Until revocation. | Immediately after revocation. |
| Data category | Origin |
|---|---|
| Contact maintenance data | From the data subject themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Customers are all those persons who request and acquire our products and services. Personal data of customers are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Order processing | Processing of orders and service billing. |
| Provision of information | Provision of information about products and services. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Order processing | Contract with the customer (UK GDPR Art. 6(1)(b)). |
| Provision of information | Legitimate interest — contact maintenance (UK GDPR Art. 6(1)(f)). |
Within the processing activity “Order processing”, joint processing by CRISAM GRC Limited, CALPANA Austria and CALPANA Germany may occur. The subject of this processing is the management of contact data for the provision of services arising from joint contracts or agreements. Only contact data (name, e-mail, address and telephone number) are processed in this context.
| Processing activity | Data category | Data types included |
|---|---|---|
| Order processing, Provision of information | Customer master data | Among others: name, address, company registration number, VAT ID, e-mail and telephone number. |
| Order processing | Customer attributes | Among others: revenue, payment behaviour, contact persons and offers. |
| Order processing | Project data | Among others: backups of project files. |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
We store your personal data for as long as required by law, necessary for the purpose, or required by the legitimate interest of the company.
| Data category | Storage period | Deletion period |
|---|---|---|
| Customer master data | United Kingdom: As long as the business relationship exists and all claims have been settled. Thereafter, processing is restricted and the data are stored for 6 years in accordance with HMRC requirements and the Companies Act 2006 / Limitation Act 1980. Austria: 7 years after approved annual financial statement (under BAO). Germany: 10 years after approved annual financial statement (under § 147 AO, § 14b UStG). | Within a deletion cycle of one year after the storage period. |
| Customer attributes | Same retention periods as customer master data. | Within a deletion cycle of one year after the storage period. |
| Project data | Same retention periods as customer master data. | Immediately after the storage period. |
| Data category | Origin |
|---|---|
| Customer master data | From customer contact or prospect contact. |
| Customer attributes | From customer contact or prospect contact. |
| Project data | From the customer themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Suppliers are all those persons who provide our company with goods or services through delivery. Personal data of suppliers are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Service provision | In the course of the provision of services by suppliers, data of the contact persons are processed. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Service provision | Contract with the supplier (UK GDPR Art. 6(1)(b)). |
Within the processing activity “Service provision”, joint processing by CRISAM GRC Limited, CALPANA Austria and CALPANA Germany may occur. The subject of this processing is the management of contacts for the acquisition and use of standardised services. Only contact data (name, e-mail, address and telephone number) are processed in this context.
| Processing activity | Data category | Data types included |
|---|---|---|
| Service provision | Supplier contact data | Among others: name, telephone number, e-mail and address. |
Within the processing activities carried out by us, we transmit personal data of the data subject categories concerning you to the following recipients or categories of recipients:
| Data type | Recipient | Third country [Y/N] | Purpose of transfer |
|---|---|---|---|
| Bank details, name | Bank | N | Execution of billing. |
We store your personal data for as long as required by law, necessary for the purpose, or required by the legitimate interest of the company.
| Data category | Storage period | Deletion period |
|---|---|---|
| Supplier contact data | United Kingdom: As long as the business relationship exists and all liabilities have been settled. Thereafter, processing is restricted and the data are stored for 6 years (HMRC, Companies Act 2006) for the retention of invoice data. Austria: 7 years after approved annual financial statement (under BAO). Germany: 10 years after approved annual financial statement (under § 147 AO, § 14b UStG). | Within a deletion cycle of one year after the storage period. |
| Data category | Origin |
|---|---|
| Supplier contact data | From the supplier themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Training participants are all those persons who participate in trainings of our company and receive further training in the use of the software or other subject areas. Customers may also be considered as training participants.
Personal data of training participants are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Conducting trainings | Conducting training sessions for further education. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Conducting external trainings | Contract — service (UK GDPR Art. 6(1)(b)). |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
| Data category | Storage period | Deletion period |
|---|---|---|
| Training participant data | Until deletion of the account. Accounting-relevant data: United Kingdom: Once all claims have been settled, processing is restricted and the data are stored for 6 years (HMRC requirements). Austria: 7 years after approved annual financial statement (BAO). Germany: 10 years after approved annual financial statement (§ 147 AO, § 14b UStG). | At the end of the month, provided that an application for deletion of the account has been submitted and no further retention obligations apply. Accounting-relevant data are deleted in a one-year deletion cycle after the storage period has expired. |
| Data category | Origin |
|---|---|
| Training participant data | From the data subject themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Event participants are all those persons who participate in our events. This includes event visitors (customers, prospects) and speakers.
Personal data of event participants are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Event management | Planning, organisation and execution of events. |
| Event documentation | Documentation of events within the scope of our online presence. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Event management | Consent (UK GDPR Art. 6(1)(a)). |
| Event documentation | Consent (UK GDPR Art. 6(1)(a)), legitimate interest — image cultivation (UK GDPR Art. 6(1)(f)). |
Within the processing activity “Event management”, joint processing by CRISAM GRC Limited, CALPANA Austria and CALPANA Germany may occur. The subject of this processing is the management of contacts in order to provide cross-border services accordingly.
| Processing activity | Data category | Data types included |
|---|---|---|
| Event management | Data for events | Personal master data (e.g. first name, last name, gender/salutation), communication data (e.g. billing address, company, e-mail), booking history, planning and control data (e.g. processing status), contract billing and payment data. |
| Event documentation | Image data | Photos and videos of event participants. |
Within the processing activities carried out by us, we transmit personal data of the data subject categories concerning you to the following recipients or categories of recipients:
| Data type | Recipient | Third country [Y/N] | Purpose of transfer |
|---|---|---|---|
| Photos, videos | Vimeo | Y | Videos of events etc. available on the CALPANA and CRISAM website. |
| Data category | Storage period | Deletion period |
|---|---|---|
| Data for events | Until deletion of the account. Accounting-relevant data: United Kingdom: Once all claims have been settled, processing is restricted and the data are stored for 6 years (HMRC requirements). Austria: 7 years after approved annual financial statement (BAO). Germany: 10 years after approved annual financial statement (§ 147 AO, § 14b UStG). | At the end of the month, provided that an application for deletion of the account has been submitted and no further retention obligations apply. Accounting-relevant data are deleted in a one-year deletion cycle after the storage period has expired. |
| Image data | Until revocation. | Immediately after revocation. |
| Data category | Origin |
|---|---|
| Data for events | From the data subject themselves. |
| Image data | From the data subject themselves or via photographer and camera. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Applicants are all those persons who apply for an open position or through an unsolicited application to the company.
Personal data of applicants are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Applicant management | Selection of a person suitable for the vacant position. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Applicant management | Contract (pre-contractual relationship, UK GDPR Art. 6(1)(b)). |
| Processing activity | Data category | Data types included |
|---|---|---|
| Applicant management | Applicant data | Among others: master data (name, address, telephone number, date of birth, gender, religious affiliation if applicable, marital status), professional certificates, application photo, references, application letter (containing personal data and content disclosed by the applicant). Among other things, Article 9 data (health data, religious affiliation) or Article 10 data (criminal convictions) may be included. |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
| Data category | Storage period | Deletion period |
|---|---|---|
| Applicant data | United Kingdom: 6 months after the position has been filled or rejected, plus a buffer period of one month (in line with Equality Act 2010 limitation periods). Austria: 6 months after the position has been filled or rejected (under GlBG), plus a buffer of one month. Germany: 2 months after rejection. | Immediately after the storage period. |
| Data category | Origin |
|---|---|
| Applicant data | From the applicant or recruitment service provider. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Website visitors are all those persons who access our website within a certain measured time and thus “visit” it.
Personal data of website visitors are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Processing of contact enquiries | Processing of enquiries via the website form to provide the enquirer with appropriate support. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Processing of contact enquiries | Legitimate interest — business handling (UK GDPR Art. 6(1)(f)). |
| Processing activity | Data category | Data types included |
|---|---|---|
| Processing of contact enquiries | Contact form | Subject and detailed description of the request, name, telephone number and e-mail. |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
| Data category | Storage period | Deletion period |
|---|---|---|
| Contact form | The data are stored until the conclusion of the support case or up to one year beyond that, to ensure appropriate traceability. | Immediately after the storage period. |
| Data category | Origin |
|---|---|
| Contact form | From the data subject themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
External service providers are all those persons who provide services to the company and bill them accordingly.
Personal data of external service providers are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Service provision | Verification of the fulfilment of the service of the external service provider. |
| Service billing | Billing of the service of external service providers. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Service provision | Contract with the external service provider (UK GDPR Art. 6(1)(b)). |
| Service billing | Contract with the external service provider (UK GDPR Art. 6(1)(b)). United Kingdom: Legal basis (HMRC requirements, Companies Act 2006). Austria: Legal basis (§132 BAO). Germany: Legal basis (§ 147 AO, § 257 HGB). |
| Processing activity | Data category | Data types included |
|---|---|---|
| Service provision, Service billing | External service provider data | Among others: company name, name, telephone number, bank details, service and fee. |
Within the processing activities carried out by us, we transmit personal data of the data subject categories concerning you to the following recipients or categories of recipients:
| Data type | Recipient | Third country [Y/N] | Purpose of transfer |
|---|---|---|---|
| Bank details, name, fee | Bank | N | Execution of billing. |
| Data category | Storage period | Deletion period |
|---|---|---|
| External service provider data | United Kingdom: As long as the business relationship exists and all liabilities have been settled. Thereafter, processing is restricted and the data are stored for 6 years (HMRC, Companies Act 2006) for the retention of invoice data. Austria: 7 years after approved annual financial statement (BAO). Germany: 10 years after approved annual financial statement (§ 147 AO, § 14b UStG). | Immediately after the storage period. |
| Data category | Origin |
|---|---|
| External service provider data | From the external service provider themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Third parties are all those persons who do not belong to any of the other categories of data subjects.
Personal data of third parties are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Accidental contact | Handling of accidental contacts via e-mail. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Accidental contact | Legitimate interest — handling of enquiries (UK GDPR Art. 6(1)(f)). |
| Processing activity | Data category | Data types included |
|---|---|---|
| Accidental contact | Third party contact data | Among others: name, telephone number and e-mail. |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
| Data category | Storage period | Deletion period |
|---|---|---|
| Third party contact data | Accidental e-mails are received and stored only as long as they have been processed. | Immediately after the storage period. |
| Data category | Origin |
|---|---|
| Third party contact data | From the data subject themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Newsletter recipients are all those persons who register to receive the newsletter.
Personal data of newsletter recipients are processed within the scope of the following processing activities for the purposes stated below:
| Processing activity | Purpose of processing |
|---|---|
| Newsletter | Sending information about the product, events, general information about CRISAM, CALPANA and risk management. |
| Processing activity | Legal basis / legitimate interest |
|---|---|
| Newsletter | Consent (UK GDPR Art. 6(1)(a) and Privacy and Electronic Communications Regulations (PECR)). |
| Processing activity | Data category | Data types included |
|---|---|---|
| Newsletter | Newsletter form | Salutation, name and e-mail address. |
Within the processing activities carried out by us, we do not transmit personal data of the data subject categories concerning you to any recipients or categories of recipients.
| Data category | Storage period | Deletion period |
|---|---|---|
| Newsletter form | Until revocation. | 1 year after revocation for traceability. |
| Data category | Origin |
|---|---|
| Newsletter form | From the data subject themselves. |
No automated decision-making, including profiling, takes place in any of the above-mentioned processing activities.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data, which you can exercise free of charge by contacting us at privacy@calpana.com (Data Protection Coordinator) or andreas.schmitz@crisam.net (UK contact):
Last updated: 27 May 2026
You are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Instagram. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from X. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information