GDPR / Data Processing

The GDPR (General Data Protection Regulation) is the legal basis for the processing of personal data in the EU. It regulates the principles of data processing and the rights of the data subjects.

The GDPR applies to all companies and organizations that process personal data of EU citizens, regardless of the company's location.

A DPA is a contractual agreement between the controller (customer) and the processor (Crewmeister). The DPA is automatically concluded with the main contract for the use of Crewmeister products and is an integral part of it.

The current version of the DPA can be found in the GDPR section on our website and consists of the main document and three appendices:

• DPA Appendix I: Describes who processes data, what data, and the type of processing
• DPA Appendix II: Lists the technical and organizational measures taken by Crewmeister
• DPA Appendix III: A list of approved subprocessors of Crewmeister

These are security measures to protect personal data, such as:

• Physical access control (e.g., locking systems)
• Digital access control (e.g., passwords)
• Encryption
• Data backup
• Emergency management

A detailed list of the technical and organizational measures we have taken can be found in our GDPR section on our website in Appendix II.

The following categories are processed:

• Employee master data and time management information
• Information from personnel deployment planning (if this module is booked)
• Application and task management (if this module is booked)
• Access management information
• System-related information

Further details can be found in the DPA in Appendix I under point 2 in the GDPR section of our website.

We store your data in AWS exclusively in the Central European zone. The data center is located in Frankfurt a. Main. AWS does not store or transfer data to or through non-EU countries.

Your data are both encrypted during transmission and storage. We use the latest security standards for this.

We process data in accordance with GDPR only for specific purposes and with the appropriate legal basis, while adhering to the principle of data minimization. We use personal data for the following purposes:

• Providing services to you as a customer
• Communication with users of the application
• Contract processing with you as a customer
• Marketing (only with consent)
• Improving our offer

Yes, but only to carefully selected and contractually bound processors (see DPA Appendix III) or if there is a legal obligation. Our processors from the USA are certified under the Privacy Shield.

The EU can issue an adequacy decision for non-EU third countries if they ensure an adequate level of data protection. In July 2023, the EU issued such a decision for the USA. The Privacy Shield Framework is the adequacy decision for the USA. It regulates data protection for the transfer of data from EU citizens between the EU and the USA. Companies that adhere to the Privacy Shield Framework commit to complying with EU data protection standards. Crewmeister only works with processors that are subject to the Privacy Shield Framework. More information can be found on the website of the US Department of Commerce. A list of certified companies can be found here.

The data are stored for the duration of the contractual relationship plus statutory retention periods. After the purpose has been fulfilled, they are deleted.

ATOSS ALOUD GmbH (Crewmeister) is responsible.

You can contact the data protection officer of Crewmeister at: Email: datenschutz@crewmeister.com