DATA PRIVACY POLICY
Last updated: 17.07.2026
Path Düsseldorf GmbH takes the protection of personal data seriously.
This Data Privacy Policy explains how personal data is processed when you visit our website, contact us, book an appointment or interact with us in connection with our professional activities.
Personal data is processed in accordance with the General Data Protection Regulation (“GDPR” / “DSGVO”), the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”), the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – “TDDDG”) and other applicable data-protection laws.
1. Controller
The controller responsible for data processing pursuant to Art. 4(7) GDPR is:
Path Düsseldorf GmbH
Geschäftsführer: K. Hakan Hasserbetci
c/o 360 Workspace
Gerresheimer Straße 86
40233 Düsseldorf
Germany
Email: support@pathdusseldorf.com
2. General Information on Data Processing
We process personal data only where permitted by law and only for specified, explicit and legitimate purposes.
Personal data is processed in accordance with the principles of:
lawfulness, fairness and transparency;
purpose limitation;
data minimisation;
accuracy;
storage limitation;
integrity and confidentiality; and
accountability.
These principles are established in Art. 5 GDPR.
The purposes, legal bases, recipients and retention criteria applicable to our main processing activities are described below.
3. Website Access, Hosting and Server Log Data
When you access our website, technical information is automatically transmitted by your browser and processed by our hosting and technical service providers.
This information may include:
IP address;
date and time of access;
page or file requested;
browser type and version;
operating system and device information;
referrer URL;
access status or error code; and
amount of data transmitted.
This information is processed for the following purposes:
delivering the website to your device;
maintaining the functionality and stability of the website;
protecting the website against attacks, misuse and unauthorised access;
identifying and investigating technical errors;
detecting and responding to security incidents; and
complying with applicable security obligations.
The legal basis is Art. 6(1)(f) GDPR.
Our legitimate interests are the secure, stable and technically reliable provision of the website and the protection of our systems and services.
Server log data is not used for third-party advertising or unrelated marketing profiling.
Recipients may include:
our website hosting provider;
website maintenance providers;
authorised IT support providers; and
cybersecurity service providers.
Where these providers process personal data on our behalf, they are engaged under appropriate contractual and data-protection arrangements.
Server log data is retained only for as long as reasonably necessary for website operation, troubleshooting and security monitoring. Data may be retained for longer where necessary to investigate a security incident, comply with a legal obligation or establish, exercise or defend legal claims.
4. Contact by Email
Our website does not currently provide a native contact form.
Visitors may contact us voluntarily by email. When you contact us, we may process:
your name;
your email address;
your organisation and professional role;
the subject and content of your message;
attachments you provide; and
subsequent correspondence.
The information is processed to:
respond to your enquiry;
communicate with you;
evaluate a possible professional engagement;
take steps towards entering into a contract; or
manage an existing contractual or professional relationship.
The applicable legal bases are:
Art. 6(1)(b) GDPR where communication concerns pre-contractual measures or an existing contract;
Art. 6(1)(f) GDPR where processing is necessary for general professional communication and relationship management; and
Art. 6(1)(c) GDPR where information must be retained to comply with a legal obligation.
Email communications are retained until the enquiry or professional matter has been concluded.
Relevant correspondence may be retained for longer where it forms part of:
a contractual relationship;
a business or accounting record;
a regulatory matter;
a legal dispute; or
another applicable statutory retention obligation.
5. Appointment Scheduling Through Microsoft Personal Bookings
Our website provides a “Book With Me” button that allows visitors to schedule an appointment with Path Düsseldorf GmbH through Microsoft Personal Bookings, also known as Bookings with me.
The booking facility is not embedded into the Path Düsseldorf website. The button is an ordinary external link.
When you click “Book With Me”:
you leave the Path Düsseldorf website; and
you are redirected to a Microsoft-hosted booking page.
Microsoft Personal Bookings is a feature of Outlook powered by Microsoft Bookings. Microsoft states that Personal Bookings integrates with Outlook and that booking information is stored within the Microsoft 365 platform and Exchange.
5.1 Categories of Personal Data
If you voluntarily schedule an appointment, the data processed may include, depending on the booking-page configuration:
your name;
your email address;
your organisation or professional role, where requested or provided;
your telephone number, where requested or provided;
the selected appointment or meeting type;
the selected date and time;
your time zone;
information entered into a message, comments or notes field;
booking confirmation information;
cancellation or rescheduling information;
calendar and meeting-invitation information; and
technical information required to provide and secure the booking service.
5.2 Purposes
Booking information is processed for the following purposes:
displaying available appointment times;
scheduling appointments;
confirming, changing or cancelling appointments;
communicating with you about the appointment;
creating calendar entries and meeting invitations;
preparing for and conducting the requested meeting;
managing professional enquiries; and
documenting relevant business communications where necessary.
5.3 Legal Bases
The applicable legal bases are:
Art. 6(1)(b) GDPR where the appointment relates to a requested service, pre-contractual communication or an existing contractual relationship; and
Art. 6(1)(f) GDPR where processing is necessary for general appointment administration and professional communication.
Our legitimate interests are the efficient organisation of appointments, the management of business enquiries and professional communication.
5.4 Service Provider and Recipient
The Microsoft service is provided in the European region through:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
Ireland
Booking information may be processed by Microsoft and authorised Microsoft subprocessors in connection with the provision, security, support and administration of Microsoft 365 and Microsoft Bookings.
Microsoft’s Privacy Statement explains the personal data Microsoft processes under its own responsibility and provides relevant privacy contact information. Microsoft also provides contractual GDPR commitments for Microsoft services, including obligations concerning processing on behalf of customers.
5.5 Retention
Appointment information is retained only for as long as necessary to:
arrange and conduct the appointment;
manage related communications;
administer any resulting professional relationship; and
comply with applicable contractual, accounting, legal or evidentiary requirements.
Where an appointment leads to a client, contractual or other professional relationship, relevant information may be retained as part of the associated client or business records.
5.6 Sensitive Information
Please do not include special-category personal data, confidential client information or other sensitive information in the Microsoft Bookings free-text field unless it is genuinely necessary and appropriate for the requested appointment.
Further information about Microsoft’s processing is available in the Microsoft Privacy Statement.
6. Cookies and Consent Management
Our website uses cookies.
We currently use:
strictly necessary session cookies; and
analytics and performance cookies.
We do not currently use functional, marketing, advertising or targeting cookies.
The confirmed cookie inventory contains two CMS Made Simple session cookies and two Google Analytics cookies.
6.1 Strictly Necessary Cookies
The website uses the following CMS Made Simple session cookies:
CMSSESSID801b376a3eec; and
CMSSESSIDf45c85403741.
These cookies maintain the visitor’s session state across page requests and support core website functionality.
They are normally deleted when the browser session ends.
The storage of or access to these cookies is based on § 25(2)(2) TDDDG, because they are necessary to provide the website requested by the visitor.
Where their operation involves personal-data processing, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the functional, stable and secure operation of the website.
6.2 Analytics Cookies
With your consent, the website uses:
_ga; and
_ga_FRVPW3X3XX.
These cookies are associated with Google Analytics 4 and help us evaluate website traffic, sessions and visitor engagement.
They are not technically necessary and remain disabled unless you actively consent.
The legal bases are:
§ 25(1) TDDDG for storing or accessing information on your device; and
Art. 6(1)(a) GDPR for related personal-data processing.
6.3 Consent Choices
When you first access the website, you can:
accept all cookies;
reject non-essential cookies; or
manage your cookie preferences.
Analytics is disabled by default.
You may change or withdraw your consent at any time through the permanent Cookie Settings link in the website footer.
Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
Further information concerning each cookie, its purpose and duration is available in our separate Cookies Policy.
7. Google Analytics 4
Subject to your consent, we use Google Analytics 4, a web analytics service provided by:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
7.1 Purposes
We use Google Analytics to:
measure website visits and sessions;
understand how website pages are used;
evaluate general visitor engagement;
identify technical and usability improvements; and
improve the content, structure and performance of our website.
We do not use Google Analytics to make decisions producing legal or similarly significant effects concerning website visitors.
7.2 Categories of Data
Depending on the website configuration and visitor activity, Google Analytics may process:
cookie and browser identifiers;
pages visited;
page titles and website addresses;
date and time of access;
session and engagement information;
referring website or page;
browser and device characteristics;
operating-system information;
approximate geographical information;
IP address during technical communication; and
technical event information.
Google explains that Google Analytics stores a client identifier in the _ga cookie to distinguish users and sessions. It also states that the client identifier is not stored when analytics storage is disabled through Consent Mode.
7.3 Legal Basis
Google Analytics is activated only after consent has been provided.
The applicable legal bases are:
§ 25(1) TDDDG; and
Art. 6(1)(a) GDPR.
You are not required to consent to Google Analytics.
Rejecting or withdrawing analytics consent does not prevent you from accessing the website’s essential functions.
7.4 Withdrawal
You may withdraw or change your consent at any time through the Cookie Settings link.
Following withdrawal, Google Analytics will not be activated for future website use unless you provide consent again.
You may also delete previously stored cookies through your browser settings.
7.5 Retention
The _ga and _ga_FRVPW3X3XX cookies may remain on the device for up to two years, subject to:
browser settings;
consent choices;
the Google Analytics configuration; and
earlier manual deletion by the visitor.
Analytics information is retained only for as long as required for the stated measurement and website-improvement purposes, according to the retention configuration applied to the relevant Google Analytics property.
7.6 International Processing
Information associated with Google Analytics may be processed by Google Ireland Limited, Google LLC and other authorised Google entities or service providers.
Where personal data is transferred outside the EEA, the transfer may be based on:
an applicable adequacy decision;
the EU–US Data Privacy Framework where applicable;
the European Commission’s Standard Contractual Clauses; or
another transfer mechanism permitted under Chapter V GDPR.
Google states that Google LLC and relevant wholly owned US subsidiaries participate in the EU–US and Swiss–US Data Privacy Frameworks and that Google also relies on applicable transfer safeguards.
8. External LinkedIn Link
Our website contains an ordinary external link to LinkedIn.
LinkedIn content, scripts, social plugins and tracking technologies are not embedded into the Path Düsseldorf website.
No LinkedIn cookie is placed merely because you visit the Path Düsseldorf website.
When you click the LinkedIn link:
you leave our website;
your browser connects directly to LinkedIn; and
LinkedIn may process personal data and use cookies under its own privacy and cookie policies.
Depending on your browser and LinkedIn account status, LinkedIn may receive technical connection information and may recognise that you accessed LinkedIn from our website.
Path Düsseldorf GmbH does not control LinkedIn’s independent processing after you leave our website.
LinkedIn’s processing is governed by its Privacy Policy and, where applicable, its European Regional Privacy Notice.
9. Client and Business Contact Data
In the course of our professional activities, we may process personal data relating to:
prospective clients;
clients and client representatives;
suppliers and service providers;
business partners;
professional contacts;
training participants; and
other persons involved in our professional engagements.
The information may include:
names;
professional email addresses and telephone numbers;
organisation and job title;
contractual information;
billing information;
meeting and communication records;
project and engagement information; and
other information necessary for the professional relationship.
The information may be received:
directly from the data subject;
from the person’s employer or organisation;
from a contractual counterparty; or
from publicly available professional sources.
Processing is carried out for:
professional relationship management;
responding to enquiries;
contract initiation and performance;
delivery of consulting, governance and compliance services;
invoicing, accounting and record keeping;
compliance with legal and regulatory obligations; and
establishment, exercise or defence of legal claims.
The applicable legal bases are:
Art. 6(1)(b) GDPR;
Art. 6(1)(c) GDPR; and
Art. 6(1)(f) GDPR.
Our legitimate interests include operating our business, managing professional relationships, maintaining appropriate records and protecting our legal interests.
10. Processing in Consulting, External DPO and Compliance Mandates
Depending on the nature of an engagement and the factual allocation of responsibilities, Path Düsseldorf GmbH may process personal data as:
a controller;
a processor acting on documented instructions;
a joint controller where the legal requirements are met; or
an external professional performing statutory or advisory functions, including external Data Protection Officer services.
The applicable role is determined by:
the nature of the processing;
the purposes and means of processing;
applicable law; and
the contractual arrangements with the client.
Where Path Düsseldorf GmbH acts as a processor, personal data is processed under an agreement meeting the requirements of Art. 28 GDPR.
Where we perform external DPO services, personal data is processed only to the extent necessary to perform the agreed DPO duties. The confidentiality requirements applicable to the DPO function are respected in accordance with Art. 38(5) GDPR.
Where personal data relating to a client’s employees, customers, users or other data subjects is accessed, access is limited to what is necessary for the relevant mandate.
The respective client generally remains responsible for its own controller obligations unless the applicable processing arrangement provides otherwise.
11. Freelance Consultants and Advisory Board Members
Path Düsseldorf GmbH collaborates with freelance consultants and advisory board members in Germany and internationally.
These individuals are not employees of Path Düsseldorf GmbH.
We may process their personal data for:
evaluating and establishing professional cooperation;
contract administration;
project coordination;
professional communication;
payment and invoicing;
compliance, accounting and tax purposes; and
management of professional qualifications and responsibilities.
The applicable legal bases are:
Art. 6(1)(b) GDPR;
Art. 6(1)(c) GDPR; and
Art. 6(1)(f) GDPR.
Where consultants or advisory board members require access to client or project information, access is limited to the relevant assignment and is subject to contractual confidentiality and data-protection obligations.
12. Training, Webinars and Professional Events
When we organise or deliver training sessions, webinars, workshops, examinations or professional events, we may process:
participant names;
professional contact details;
organisation and professional role;
registration information;
attendance information;
communications relating to the event;
examination or assessment results, where applicable;
certificate and certification records; and
invoicing or payment information, where applicable.
The information is processed for:
registration and event administration;
communication with participants;
delivery of the training or event;
attendance documentation;
examination and certification administration;
responding to participant enquiries;
fulfilment of contractual obligations; and
compliance with accounting and other legal obligations.
The applicable legal bases are:
Art. 6(1)(b) GDPR;
Art. 6(1)(c) GDPR; and
Art. 6(1)(f) GDPR.
Professional follow-up is limited to communications connected with the relevant event, training relationship or legitimate professional interest.
Where legally required, separate consent will be obtained before sending unrelated electronic marketing communications.
13. Recipients and Service Providers
Depending on the relevant processing activity, personal data may be disclosed or made accessible to:
website hosting and infrastructure providers;
authorised IT, website-support and cybersecurity providers;
email and communication providers;
Google Ireland Limited and relevant Google entities or subprocessors in connection with Google Analytics;
Microsoft Ireland Operations Limited and relevant Microsoft entities or subprocessors in connection with Microsoft Personal Bookings, Outlook, Exchange and appointment administration;
authorised employees, freelance consultants and advisory board members;
legal, tax, accounting, audit and other professional advisers;
clients, contractual partners and training partners where necessary for the relevant engagement; and
courts, public authorities or regulators where disclosure is required or permitted by law.
Access is limited to information necessary for the relevant purpose.
Where a provider processes personal data on our behalf, an appropriate data-processing agreement is concluded where required under Art. 28 GDPR.
Where a recipient processes personal data under its own legal responsibility, its processing is governed by applicable law and its own contractual and privacy obligations.
14. International Data Transfers
Because of the international scope of our consulting, governance and training activities, personal data may be disclosed or made accessible to recipients outside the European Union or European Economic Area.
International processing may also arise in connection with:
Google Analytics;
Microsoft Personal Bookings and Microsoft 365;
international clients;
international consultants;
international advisers; or
other authorised business partners.
Transfers are carried out only where permitted under Chapter V GDPR.
Depending on the recipient and destination, the transfer mechanism may include:
an adequacy decision under Art. 45 GDPR;
the European Commission’s Standard Contractual Clauses under Art. 46 GDPR;
supplementary contractual, technical or organisational measures;
the EU–US Data Privacy Framework where applicable; or
another legally permitted transfer mechanism.
Microsoft states that it offers the European Commission’s Standard Contractual Clauses for relevant Microsoft services, including Microsoft Bookings.
Where required, transfer risks and supplementary safeguards are evaluated by reference to:
the nature of the personal data;
the purpose of the transfer;
the recipient;
the destination country;
the applicable contractual protections; and
the technical and organisational safeguards available.
Path Düsseldorf GmbH does not transfer personal data to third countries for third-party advertising or unrelated profiling purposes.
15. Data Retention
Personal data is retained only for as long as necessary to fulfil the relevant processing purpose or comply with statutory, contractual, regulatory or evidentiary requirements.
The applicable retention period depends on:
the purpose for which the information was collected;
the duration of a contractual or professional relationship;
applicable commercial, tax and accounting obligations;
the need to establish, exercise or defend legal claims;
security and incident-investigation requirements;
training and certificate-verification requirements; and
whether consent has been withdrawn.
In particular:
server logs are retained for the period necessary for operational and security purposes;
email correspondence is retained until the matter is concluded and, where relevant, for applicable legal or contractual periods;
appointment information is retained for as long as necessary to administer the appointment and related communication;
client and project information is retained for the duration of the engagement and any applicable post-contractual period;
training and certification records are retained for as long as necessary to administer and verify attendance, examination or certification;
Google Analytics cookies may remain for up to two years unless deleted earlier; and
consent-based processing ends for the future when consent is withdrawn, subject to retention necessary to demonstrate prior consent or comply with legal obligations.
When personal data is no longer required, it is deleted, anonymised or securely restricted.
16. Data-Subject Rights
Subject to the applicable legal requirements, data subjects have the following rights:
right of access under Art. 15 GDPR;
right to rectification under Art. 16 GDPR;
right to erasure under Art. 17 GDPR;
right to restriction of processing under Art. 18 GDPR;
right to data portability under Art. 20 GDPR;
right to object under Art. 21 GDPR;
right to withdraw consent under Art. 7(3) GDPR; and
right to lodge a complaint with a supervisory authority under Art. 77 GDPR.
These rights and their applicable conditions are established by the GDPR.
16.1 Right to Object
Where processing is based on Art. 6(1)(f) GDPR, you have the right to object on grounds relating to your particular situation.
We will stop the relevant processing unless:
we demonstrate compelling legitimate grounds that override your interests, rights and freedoms; or
the processing is required for the establishment, exercise or defence of legal claims.
16.2 Withdrawal of Consent
Where processing is based on consent, you may withdraw that consent at any time with effect for the future.
Cookie and Google Analytics consent may be withdrawn through the Cookie Settings link.
Other consent may be withdrawn by contacting us.
Requests concerning data-subject rights may be sent to:
support@pathdusseldorf.com
We may request information reasonably necessary to verify the identity of the person making the request.
17. Right to Lodge a Complaint
You have the right to lodge a complaint with a data-protection supervisory authority, particularly in the Member State of:
your habitual residence;
your place of work; or
the place of the alleged infringement.
The supervisory authority responsible for Path Düsseldorf GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen – LDI NRW
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Email: poststelle@ldi.nrw.de
The official LDI NRW contact information is published by the authority and the German Federal Commissioner for Data Protection and Freedom of Information.
18. Data Security
Path Düsseldorf GmbH implements appropriate technical and organisational measures in accordance with Art. 32 GDPR to provide a level of security appropriate to the risk.
Depending on the systems and processing activities concerned, these measures include:
access-control and authorisation procedures;
confidentiality obligations;
secure communication and data-handling practices;
procedures governing access, storage and disclosure;
protection against unauthorised access, accidental loss, alteration, destruction or unlawful disclosure;
management of service providers and authorised recipients;
incident-response and escalation procedures; and
periodic review of organisational and procedural safeguards.
Security measures are selected taking into account:
the state of the art;
implementation costs;
the nature, scope, context and purposes of processing; and
risks to the rights and freedoms of individuals.
19. Provision of Personal Data and Automated Decision-Making
Providing consent for analytics cookies is voluntary.
Refusing or withdrawing Google Analytics consent does not prevent you from using the website’s essential functions.
Where personal data is required to enter into or perform a contract, failure to provide the necessary information may prevent us from:
responding fully to an enquiry;
arranging a requested appointment;
entering into a contract; or
providing the relevant service.
Path Düsseldorf GmbH does not use personal data collected through this website to make decisions based solely on automated processing that produce legal effects or similarly significantly affect individuals within the meaning of Art. 22 GDPR.
20. Changes to This Data Privacy Policy
We may update this Data Privacy Policy where necessary to reflect:
changes to the website;
changes to technologies or cookies;
changes to our services or professional activities;
changes to service providers;
legal or regulatory developments; or
decisions and guidance issued by competent authorities.