Privacy Policy – CCAG

I) Information about the processing of your personal data within the scope of this website

pursuant to Article 13 of the General Data Protection Regulation (GDPR)

02.12.2024

This data protection information describes the processing of your personal data within the scope of this website. In doing so, CCAG association fulfils its information obligations pursuant to Article 13 of the EU General Data Protection Regulation (hereinafter: GDPR). With regard to the terms used in the following, e.g. “personal data”, “processing”, “Controller”, etc., please refer to the definitions in Article 4 of the GDPR.

1.1 Names and contact details

The entity responsible for processing your personal data (the “Controller”) within the scope of the website is:

Collaborative Cloud Audit Group for the Financial Services Industry in the European Union e.V. (CCAG association)
Kaiserstraße 16, 60311 Frankfurt am Main, Germany
(postal address: CCAG e.V., c/o Commerzbank AG, GM-A, Imre Bakó, Kaiserstraße 16, 13. OG, 60261 Frankfurt am Main)
Phone: +49 69 136 80806
E-Mail: info@ccag.group

1.2 Contact details of the Data Protection Officer

You can reach the Data Protection Officer of CCAG association as follows:

CCAG Data Protection Officer
Phone: +49 2761 83363 13
E-Mail: dataprotection@ccag.group

2. Data category(s), purpose(s) and legal basis for processing your personal data

Every time you access the content of the website, data is temporarily stored there via so-called log files, which may allow you to be identified as a website visitor. These are:

  • Date and time of retrieval
  • IP address of the accessing computer
  • Website from which the website was accessed
  • Websites accessed through the website
  • Page visited on our website
  • Amount of data transferred
  • Message whether the retrieval was successful
  • Information about the browser type and version used
  • Operating system

The storage of this data is necessary for the course of a website visit in order to enable the website to be delivered, to ensure the functionality of the website and the security of the information technology systems.

The legal basis for the storage of this data is the legitimate interest of CCAG association pursuant to Article 6 (1) (f) GDPR. The legitimate interest lies in ensuring network and information security.

For security reasons and to protect the transmission of confidential content, such as membership applications or inquiries that you send to us as the operator of the website, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address in the browser’s address bar changes from “http://” to “https://” and a lock symbol appears in the address bar. If SSL or TLS encryption is activated, data that you transmit to us cannot be read by third parties.

3. Recipients of your personal data

The website of CCAG association is hosted at:

IONOS SE
Elgendorfer Str. 57
56410 Montabaur, Germany.

For this purpose, IONOS SE processes the above-mentioned data as a processor. A data processing agreement was concluded pursuant to Article 28 (3) GDPR.

Beyond this, personal data will not be passed on to third parties without your consent. In individual cases, a transfer may take place on the basis of a legal permission or obligation. If other (technical) service providers gain access to personal data, this will be done on the basis of a contract pursuant to Article 28 GDPR. Where data processing takes place jointly with other controllers, this is done, if necessary, on the basis of an agreement pursuant to Article 26 GDPR.

As a matter of principle, no personal data will be transferred to countries outside the European Economic Area and associated countries (no “third country transfer”).

4. Duration of storage of your personal data

The data collected and stored by visiting the website will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. When the website is provided, the data is deleted when the respective session has ended. The log files are kept for 7 days. Data whose further retention is necessary for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.

5. Rights of data subjects

As a data subject, you may at any time exercise the rights granted to you by the GDPR. These are:

  • the right to information as to whether and which of your data is being processed pursuant to Article 15 of the GDPR;
  • the right to request the correction or completion of data concerning you pursuant to Article 16 GDPR;
  • the right to erasure of data concerning you pursuant to Article 17 GDPR;
  • the right to restrict the processing of data pursuant to Article 18 GDPR;
  • the right to data transfer of data concerning you pursuant to Article 20 GDPR.

6. Right to lodge a complaint

In addition to the rights of data subjects mentioned above, you have the right to lodge a complaint with a supervisory authority under data protection law (of your own choosing) (Article 77 GDPR) if you believe that the processing of personal data concerning you violates these data protection requirements.

7. Objection to the processing of your personal data

You have the right to object at any time to the processing of your personal data on the basis of Article 6 (1) (f) GDPR on grounds relating to your particular situation. The Controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims. The collection of data for the provision of the website and the storage of log files are mandatory for the operation of the website.


II) Information about the processing of your personal data in the context of other activities of CCAG association

pursuant to Article 13 of the General Data Protection Regulation (GDPR)

02.12.2024

This data protection information describes the processing of your personal data within the scope of other activities of CCAG association (including those related to the implementation of audits by CCAG). In doing so, CCAG association fulfils its information obligations pursuant to Article 13 of the EU General Data Protection Regulation (hereinafter: GDPR). With regard to the terms used in the following, e.g. “personal data”, “processing”, “Controller”, etc., please refer to the definitions in Article 4 of the GDPR.

1.1 Names and contact details

The entity responsible for processing your personal data (the “Controller”) within the scope of the activities described here is:

Collaborative Cloud Audit Group for the Financial Services Industry in the European Union e.V. (CCAG or CCAG association)
Kaiserstraße 16, 60311 Frankfurt am Main, Germany
(postal address: CCAG e.V., c/o Commerzbank AG, GM-A, Imre Bakó, Kaiserstraße 16, 13. OG, 60261 Frankfurt am Main)
Phone: +49 69 136 80806
E-Mail: info@ccag.group

For the activity of performing collaborative audits there is a joint responsibility between the CCAG association (see above) and the CCAG members.

1.2 Contact details of the Data Protection Officer

You can contact the Data Protection Officer of CCAG association as follows:

CCAG Data Protection Officer
Phone: +49 2761 83363 13
E-Mail: dataprotection@ccag.group

2. Data category(s), purpose(s) and legal basis for processing your personal data

a) Association membership

CCAG association processes personal data to the extent necessary to ensure the achievement of the association’s goals. To this end, it shall in particular maintain an overview of the contact details of the members and of the persons designated by the members who exercise the rights of membership.

The purpose of the processing of your personal data as a member of the association is to ensure the purpose of the association, namely the logistical, technical and organizational support of the internal audit departments of its members in the joint, collaborative audit of IT service providers, in particular providers of “public cloud services” or “software as a service” in a public cloud, which are used in a comparable way by a subgroup of members.

The legal basis for the processing of your personal data in the context of association membership is Article 6 (1) (f) GDPR.

b) Communication

For communication with our members, interested parties and others, CCAG association uses e-mail and conference tools.

CCAG association uses Microsoft Teams as a conference tool. Microsoft Teams collects all information that you provide or make accessible in order to use the tool (e-mail address and/or your phone number). In addition, the conferencing tool processes the duration of the conference, the start and end (time) of participation in the conference, the number of participants, and other “contextual information” about the communication process (metadata). Technical data required for handling online communication is also processed. This includes, but is not limited to, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speakers, and the type of connection. If content is exchanged, uploaded or otherwise made available within the tool, it is also stored on the servers of the tool provider. This content includes, but is not limited to, cloud recordings, chat/instant messages, voice messages, uploaded photos and videos, files, whiteboards, and other information exchanged while using the service.

The conference tools are used to communicate with potential or existing contractors or to offer certain services to members and other persons. In addition, the use of the tools serves to generally simplify and accelerate communication with us, our association and our members. In some cases, the processing of your data within the framework of the conference tools is voluntary.

The legal basis for the processing of your personal data in the context of the performance of a contract is Article 6 (1) (b) GDPR; in individual cases, the legitimate interest of CCAG association pursuant to Article 6 (1) (f) GDPR as well as your consent pursuant to Article 6 (1) (a) GDPR.

c) Collaborative audit

The CCAG and CCAG members work closely together on the “CCAG Collaboration Platform”. This also involves the joint processing of your personal data as a data subject, whereby CCAG only provides the platform and is not involved in the individual audits. In particular, the following data will be processed by the parties participating in an audit. The data subjects concerned are employees of the cloud service provider (CSP) (contact persons, subject matter experts) as well as other employees of the CSP, third-party employees, and employees of the Parties participating in an audit.

  • Personal master data (e.g. name, surname) of dedicated contact persons at the CSP and/or subject matter experts of the CSP, as well as other employees of the CSP, third parties involved in the business conduct of the CSP (e.g. suppliers), and of the Parties participating in an audit
  • Contact details (e.g. telephone, e-mail) of dedicated contact persons at the CSP and/or subject matter experts of the CSP, as well as other employees of the CSP, third parties involved in the business conduct of the CSP (e.g. suppliers), and of the Parties participating in an audit
  • Management data that may be other than public record, including evidence containing further personal data, such as roles and responsibilities, activities performed / log entries, control effectiveness assessments, minutes, etc., associated with data subjects on the auditee and auditor side

The legal basis for the processing of your personal data in the context of audits is generally a legal obligation pursuant to Article 6 (1) (c) GDPR in conjunction with the relevant banking supervisory regulations applying to each CCAG member. In Germany, for example, these are KWG Art. 25a in connection with MaRisk AT 4.4.3 (3) and MaRisk BT 2.4 (2), as well as Regulation (EU) 2022/2554 (DORA) Art. 28 (6).

The joint examination is carried out for the purpose of fulfilling the contract between the members of the association pursuant to Article 6 (1) (b) GDPR.

3. Recipients of your personal data

Re 2a)

Your contact details as a member may be disclosed to other members for the purpose of promoting the purpose of the association.

The legal basis for the transfer of your personal data to other members of the association is the legitimate interest of CCAG association pursuant to Article 6 (1) (f) GDPR. The legitimate interest exists in particular with regard to promoting the solidarity of the members and the performance of confidential tasks among themselves.

Re 2b)

As described, we use Microsoft Teams as a conference tool. The provider is

Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

For this purpose, Microsoft Ireland Operations Limited processes the above data as a data processor. A data processing agreement was concluded pursuant to Article 28 (3) GDPR. Further information on the data processing carried out on the part of Microsoft can be found here: Microsoft Privacy Statement – Microsoft privacy

Re 2c)

The CCAG and CCAG members work closely together on the “CCAG Collaboration Platform”. This also involves the joint processing of your personal data as a data subject, whereby CCAG only provides the platform and is not involved in the individual audits. With regard to this processing, the CCAG and CCAG members are so-called joint controllers (Article 26 GDPR), which has been regulated in an agreement (so-called joint controller agreement (JCA)). The essence of the agreement can be found below (section III.).

4. Duration of storage of your personal data

If and to the extent that the processing of your personal data is based on your consent, your personal data will only be stored until you revoke your declaration of consent, unless there is also another legal basis for the processing (Article 17 (1) (b) GDPR). The data collected by us directly via the video and conference tools will be deleted from our systems when the reason for the storage no longer applies.

The data processed as part of the audits will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The statutory retention periods apply.

5. Rights of data subjects

As a data subject, you may at any time exercise the rights granted to you by the GDPR. These are:

  • the right to information as to whether and which of your data is being processed pursuant to Article 15 of the GDPR;
  • the right to request the correction or completion of data concerning you pursuant to Article 16 GDPR;
  • the right to erasure of data concerning you pursuant to Article 17 GDPR;
  • the right to restrict the processing of data pursuant to Article 18 GDPR;
  • the right to data transfer of data concerning you pursuant to Article 20 GDPR.

6. Right to lodge a complaint

In addition to the rights of data subjects mentioned above, you have the right to lodge a complaint with a supervisory authority under data protection law (of your own choosing) (Article 77 GDPR) if you believe that the processing of personal data concerning you violates these data protection requirements.

7. Revocability of your declaration of consent

You have the right to withdraw your consent to the processing of your data in whole or in part at any time without giving reasons. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent before the revocation (Article 7 (3) GDPR). As a result, CCAG association may no longer continue the data processing based on this consent in the future and must delete your data, unless there is also another legal basis for the processing (Article 17 (1) (b) GDPR). If you would like to revoke your declaration of consent in whole or in part, please send an e-mail to: dataprotection@ccag.group, stating the subject line.

8. Objection to the processing of your personal data

You have the right to object at any time to the processing of your personal data on the basis of Article 6 (1) (f) GDPR on grounds relating to your particular situation. The Controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims.


III) Information on joint controllership
(Essence of the Joint Controllership Agreement)

pursuant to Article 26 (2) 2 of the General Data Protection Regulation (GDPR)

The following information serves to highlight the essential elements of the data protection responsibility between the members of the Collaborative Cloud Audit Group (“CCAG members”), additionally including the Collaborative Cloud Audit Group for the Financial Services Industry in the European Union e.V. (“CCAG” or “CCAG association”) for you as data subjects. CCAG and CCAG members thus fulfill their obligations pursuant to Art. 26 para. 2 sentence 2 GDPR.

Why do we use joint controllership?

The CCAG and CCAG members work closely together on the “CCAG Collaboration Platform”. This also involves the joint processing of your personal data as a data subject, whereby CCAG only provides the platform and is not involved in the individual audits. With regard to this processing, the CCAG and CCAG members are joint controllers (Article 26 GDPR), which has been regulated in an agreement (so-called Joint Controllers Agreement (JCA)). The JCA thus agreed regulates how the CCAG members jointly handle personal data during audits to ensure compliance with the GDPR.

In which sections of processing does a joint controllership exist and what did the parties agree on?

The subject of the joint controllership is the processing of personal data in the performance of collaborative audit activities on cloud services.

CCAG members involved in an audit (participation varies depending on the audit) are jointly responsible for the processing of personal data that takes place on the collaboration platform as part of an audit, including the data processing that occurs in this context through cooperation with the participants and the use of relevant documents (audit reports, evidence, working papers, etc.). The audit covers the implementation including planning, fieldwork and reporting.

The provision and operation of the collaboration platform is carried out by the CCAG, which is, however, not involved in conducting the audits.

If the data is further processed by the individual member institutions following the audit, this is then done under their own responsibility, as is the association’s member administration, which is the sole responsibility of the association.

What does this mean for you as a data subject?

The parties jointly agreed on which obligations each party fulfills under the GDPR. This particularly concerns the exercise of the rights of data subjects and the fulfilment of information obligations under Articles 13 and 14 of the GDPR.

The responsibility of the Parties for providing notices to Data Subjects under Art. 13 and/or 14 GDPR shall be as follows:

  • Each Party shall make available the essence of the Joint Controllers Agreement to the Data Subject whose Personal Data is processed under the Joint Controllers Agreement upon the Data Subject’s request. This essence will be provided by the CCAG association, preferably as part of CCAG’s privacy policy.
  • Each Party performing the audit shall be responsible for providing notices to the Data Subjects, where necessary, in relation to its processing of Joint Controller Data as described in Art. 13 and, if applicable, Art. 14 GDPR on the basis of what is indicated in the Joint Controllers Agreement. The Parties agreed to issue and maintain a privacy notice for the CCAG informing about data processing within the audit. The Privacy notice shall be made available to the Data Subjects affected. This is performed under joint responsibility, coordinated by the CCAG association: CCAG’s privacy policy is published on the website: https://ccag.group/gdpr-privacy-policy/.
  • The Parties shall immediately inform each other about the exercise of the rights of a data subject and provide the other Party with all necessary information relating to the right of access.
  • Where a Data Subject exercises its rights pursuant to Articles 15 through 22 GDPR (such as access right, right to rectification, right to restriction, right to object, right to data portability and/or right to be forgotten) at a Party in relation to the processing of Joint Controller Data by the other Parties, such first Party shall forward the request to the other Parties via coordination of the CCAG (Board and Data Protection Officer) without undue delay and shall assist the other Parties in dealing with the request. Primary point of contact for the Data Subjects shall be:
CCAG Data Protection Officer
Phone: +49 2761 83363 13
E-mail: dataprotection@ccag.group