1. Introduction

2. Business-related activity and location

3. Data Protection Officer (DSB) and person responsible for data protection

4. Further training and state of the art

5. Raising awareness among employees / service providers

6. Data processing / data processing purposes

7. Data protection impact assessment

8. Description of the technical-organisational measures (TOMS)

8.1 Principles

8.2. IT infrastructure

8.3. Head of IT

8.4. Individual measures

8.4.1. Confidentiality (Art. 32 para. 1 lit. b DS-GVO)

8.4.2. Access control

8.4.3. Access control

8.4.4. Separation control

8.4.5. Pseudonymisation (Art. 32 para. 1 lit. a DS-GVO; Art. 25 para. 1 DS-GVO)

8.4.6. Measures for encrypting the data

8.5. Integrity (Art. 32 para. 1 lit. b DS-GVO)

8.5.1. Transfer control

8.5.2. Input control

8.6. Availability and resilience

8.6.1. Availability control

8.6.2. Rapid recoverability

8.7. Organisational control

8.7.1. Organisational control

8.7.2. Security and risk management

8.7.3. Certification

8.7.4. Incident response management

8.7.5. Privacy-friendly default settings

8.7.6. Order control

9. Talent authentication and quality assurance

9.1. Control measures to authenticate the actual user (talent)

9.2. Quality control measures

10. Imprint and privacy statements

11. Protect data subjects' rights

11.1. Data subjects' rights: Process chains

11.2. Data breach notification: Process chain

12. Checklist for the annual control and improvement process

13. Summary


1. Introduction

This data protection concept is based on the principles formulated in Article 5(1) of the GDPR, such as purpose limitation, data minimisation, storage limitation, integrity, the right to be forgotten and confidentiality, and is lawful (Article 6 of the GDPR). Compliance with the Regulation as required by the GDPR (Art. 5(2); Art. 24(1)), compliance with the rights of the data subjects (Art. 13-20), the obligation to report data breaches (Art. 33-34), the obligation to provide evidence and the obligation to be accountable (Art. 5(2), Art. 24(1)) are guaranteed. A control and improvement process is carried out at least once a year (Article 32, line 1), based on the checklist contained in the last chapter of this data protection concept.


2. Business-related activity and location

We process personal data of natural persons over the age of 18 (Art 8 GDPR) in whole or in part by automated means and have our place of business in the EU:

Yoummday GmbH, Infanteriestraße 11a, House E, 80797 Munich,

Phone: +49 89 230236-03


3. Data Protection Officer (DSB) and person responsible for data protection

If one of the following criteria applies, an external or internal DPO is necessary and must be appointed:

Processing of the data by a public authority or a public body, with the exception of the courts
YES ( )
NO (X)

Processing of personal data is a core activity of the organisation and/or requires extensive regular and systematic monitoring of the person concerned.
YES (X)
NO ( )

Processing of categories of personal data requiring special protection (Art. 9(1) of the GDPR), e.g. health data, ethnic background, genetic or biometric data, trade union membership, etc., is a core activity of the organisation.
YES ( )
NO (X)

Data Protection Officer:
Björn Barthelmes
Karl-Frank-Straße 35
12587 Berlin

Data Protection Coordinator:
Jörg Hoffmann
Phone: +49 89 230 236 03


4. Further training and state of the art

- Information and training events

- Webinars, for example at or

- regular


5. Raising awareness among employees / service providers

It is particularly important to raise the awareness of all relevant employees, which we naturally do. Only with informed and attentive employees can security measures be implemented effectively and possible security incidents be recognised in good time.

Once the cause of a security incident has been identified, measures must be taken to address it. It is often necessary to isolate the affected IT systems or sites to contain the impact of the security incident.

The resolution of security incidents must be documented in detail.

An example of an awareness-raising/commitment to compliance with the GDPR for employees can be found in the appendix. Also in the appendix: A sample contract for commissioned data processing.


6. Data processing / data processing purposes

Purposes and description of the data processing operations:

  1. Accounting and business processing: Processing and transmission of data within the scope of business relationships with customers, talents and suppliers, as well as third parties and business partners involved in the business processing, including their respective contact persons, including automatically generated and archived text documents (such as invoices, correspondence or contracts) in these matters.
  2. Customer care and marketing: Service-oriented information and care of categorised customers, suppliers and third parties or business partners involved in the business process, including their respective contact persons and interested parties, including automatically created and archived text documents (e.g. correspondence) as well as the transmission of newsletters, form letters and information material.
  3. Operation of websites: Transmission of data within the framework of the job market (company name, contact person, telephone number, website address, job description, CV, address, user name, password); Newsletter dispatch: Information to interested parties and customers on the subject of social media. Regularly updated information about new job offers.
  4. Website analysis: Analysis of anonymised visitor behaviour on the website for optimisation and traceability of page visits (e.g. entry and exit pages, length of stay...).
  5. Contact form: Contact request via the website for interested parties and customers to answer specific enquiries / Talent area: Users can log in to the website to visit a talent area.


7. Data protection impact assessment

To the extent that the DPO determines that the intended processing is subject to a data protection impact assessment, the DPO shall notify this immediately. The procedure may only be carried out after approval by the DPO. In case of doubt, the management shall decide.


8. Description of the technical-organisational measures (TOMS)

8.1. Principles

As the responsible body, suitable technical and organisational measures have been taken to ensure compliance with the principles of the European Data Protection Regulation. This ensures and provides evidence that the processing is carried out in accordance with the provisions of the EU Data Protection Regulation.

The measures taken serve the following objectives:

  • Ensuring the confidentiality of systems and services
  • Ensuring the integrity of systems and services
  • Ensuring the availability of systems and services
  • Ensuring the resilience of systems and services
  • Restoring the availability of and access to personal data after a physical and technical incident
  • Procedures for regular review, assessment and evaluation of the effectiveness of the above measures

The technical and organisational measures to be taken are based on:

  • State of the art
  • the implementation costs
  • Nature, scope, circumstances and purpose of processing
  • the varying likelihood and severity of the risk to the rights and freedoms of natural persons

This ensures a level of protection for personal data that is commensurate with the risk. To maintain the level of protection, the measures are regularly reviewed and updated.

8.2. IT infrastructure

see doc: Technical Setup and DP Infrastructure Az*4

8.3. Head of IT

Head of IT:
Thomas Wallner
Phone: +49 89 230 236 04

Yaroslav Dimitrov
Phone: +49 89 231 66 00 11

8.4. Individual measures

8.4.1. Confidentiality (Art. 32 para. 1 lit. b DS-GVO)

Access control: protection of rooms with data processing equipment against access by unauthorised persons

Security device Property
(+) The premises where computers are housed are fenced off
(+) Gate system with registration

Area monitoring
(+) Video surveillance with camera control
(+) The video surveillance is marked with information signs

Access control system Building security
(+) Locking system safety lock
(+) Locking system digital lock with coded key

Central reception area
(+) All visitors must register at the reception and sign in and out of the visitors' list as well as be accompanied in the house.

Access control system for business premises
(+) Locking system security lock
(+) Locking system RFID chip

Measures in case of loss of a key/card/chip
(+) Replacement of the locking system with keys
(+) Reprogramming of the code

Monitoring systems buildings
(+) Smoke alarm system
(+) Fire alarm system

Security of the server rooms
(+) Locking system digital lock with coded key

External service providers
(+) All external craftsmen, house technicians and computer centre technicians must register at the reception before starting their work. The receptionist informs the staff member who is expecting the visit and arranges for them to be picked up. If neither the desired employee nor another employee who is familiar with the task for the external craftsman, house technician or data centre technician can be reached, no access may be granted.

Key/key allocation
(+) The keys are issued by the central building management.
(+) Each issued key is recorded in a key book or in a key management system.

Special protection of the data centre
(+) Partitioning of the data centre according to the shell principle.
(+) Access to the data centre rooms through locks.
(+) Video surveillance
(+) Motion detector
(+) Smoke detector
(+) Temperature monitoring
(+) Alarm system

8.4.2 Access control

Protection of computer systems against access by unauthorised persons

Control of password conventions
(+) Release only by administrator

Rights management
(+) A rights concept exists for rights management.
(+) All authorisations are documented in a comprehensible manner
(+) The rights are changed in the following cases:
(+) Departure of an employee

Screen lock
(+) Screen lock during absence with password identification is set up.

(+) physical separation of the guest WLAN from the company network

Notebook security
(+) User ID and password

Automatic lock PC (e.g. password and pause switch)
(+) An automatic locking of the PC takes place after 10 minutes

Secure connection for "Remote access"
"Remote access" to systems from the "home office" is only possible with own PCs and laptops under the following conditions:
(+) User ID and password or private/public key
(+) Data is transmitted encrypted

8.4.3 Access control

Access control measures are aimed at preventing unauthorised activities (e.g. unauthorised reading, copying, modification or removal) in DP systems outside of granted authorisations.

A strictly monitored authorisation concept with personal user accounts has been set up. Access to certain information is granted via a group or role concept.

Protection of data against access by unauthorised persons

Written administration concept
(+) Uniform requirements for IT security
(+) Separation of responsibilities
(+) Administrators are own employees
(+) Separation of administrator accounts according to systems and persons

Identification and authentication of administrators
(+) UserID and password or private/public key

Admin Password Conventions
(+) Minimum character length, alphanumeric character set
(+) Trivial password exclusion
(+) Password entry with encrypted process
(+) Secure password files

Role-based authorisation concept
(+) A role-based user authorisation concept is set.

Restrictive rights allocation system
(+) Access authorisation always follows the principle of restrictive rights assignment.

Logging of system use
(+) Logging of system usage is done via LOG files of the corresponding systems.

Access to data only via access authorisations
(+) Access to data is via a user ID and a correspondingly secure password as well as the correspondingly assigned access authorisations (roles).

Authorisations only after approval by superiors
(+) The access authorisations (roles) are requested and approved via an electronic workflow.

Rules on the withdrawal of access authorisations
(+) The revocation of access authorisations (roles) takes place via an electronic workflow.

Allocation of authorisation only by authorised persons
(+) Authorisations are only granted by authorised persons on the basis of an electronic workflow.

Control of authorisations
(+) The allocation of authorisations is checked on a regular basis.

Special authorisations
(+) Special access authorisations are only granted in exceptional cases.

Declarations of commitment for Administrators
(+) Employees are obliged to observe data secrecy, data protection and telecommunications secrecy and, if necessary, social secrecy. Sensitisation takes place upon recruitment or on a regular basis.

Training of the administrators
(+) Administrators are regularly and specially trained in handling information security.

Controlled destruction of data
(+) Controlled destruction of data and printouts is carried out by specialised, certified service providers.

8.4.4 Separation control

Separation of data sets that are processed for different purposes

Earmarking of the systems
(+) The systems are operated in accordance with the corporate data protection guideline.

Rights concept according to data purpose
(+) The rights concept is strictly based on data separation.

8.4.5 Pseudonymisation (Art. 32 para. 1 lit. a DS-GVO; Art. 25 para. 1 DS-GVO)

If pseudonymisation is provided for data, the processing of personal data is carried out in such a way that the data can no longer be assigned to a specific data subject without the use of additional information. This additional information is stored separately and backed up with appropriate technical and organisational measures.

The following pseudonymisation procedures are used:
Anonymised identifiers, which can only be resolved with the help of a separate database.

8.4.6 Measures for encrypting the data

The aim of the measures for encrypting personal data is to protect the contents of databases from unauthorised viewing and modification.

All personal data as well as other confidential information is always transferred in encrypted form; either a secure HTTPS portal is used for this or password-protected zip files are sent electronically.

Mail encryption is possible on a reciprocal basis. The following encryption techniques are used:

  • TLS encryption for e-mail traffic

8.5. Integrity (Art. 32 para. 1 lit. b DS-GVO)

8.5.1 Transfer control

Care shall be taken to prevent unauthorised reading, copying, modification or removal during electronic transmission or transport.

Organisational specifications for the storage of data media
(+) Internal company rules for dealing with data carriers

Protected rooms for data storage
(+) The data backups are stored either in a protected room (e.g. data protection room, data centre) or externally by an appropriate service provider.

Data protection-compliant data media disposal
(+) The physical destruction of data carriers is carried out in accordance with DIN 66399 (min. security level 3).

Identification and authentication of the participants
(+) Identification and authentication of the participants is done by user ID, phone numbers, identification, password

Encryption of e-mails
(+) Highly sensitive data is transmitted only in encrypted form

8.5.2 Input control

Documentation of whether and by whom personal data have been entered into data processing systems, changed or removed. (Logging, document management)

Proof of data entry or modification

Access regulations
(+) Access rules and user authorisations are in place, allowing identification of all users and terminals in the system.

Logging of the setup and operation of the IT system
(+) Documentation of all authorised users with rights profile
(+) Documentation for the rights of use set up.

System logs
(+) User activity is logged in system logs. Input control in database systems is carried out within the framework of the standard procedures supplied with the database systems, which, depending on the database system, may extend to the recording of all inputs. Where booking journals are possible in the software systems, these are filled in.

Retention of system logs
(+) System logs are kept within the framework of legal or contractual requirements.

Logging functions
(+) The activities of the users are traceable via extensive logging functions

Change logging
(+) Changes are logged on the servers or in the programmes.

(+) Input control in database systems is carried out within the framework of the standard procedures supplied with the database systems, which, depending on the database system, may extend to the recording of all inputs.

Table logging
(+) If software table logging and an audit information system are available, these functions can be used to carry out an appropriate control.

8.6. Availability and resilience

8.6.1 Availability control

Protection against accidental or deliberate destruction or loss of data.

Regular data backups
(+) The data is saved in backup systems and can be extended by redundant systems. This ensures a short recovery time and high overall availability for any disaster scenarios.

Mirroring hard disks, e.g. RAID procedure
(+) Data is regularly mirrored (RAID systems, mirroring on spatially separated systems).

Uninterruptible power supply (UPS)
(+) The data centres are protected by separate UPS systems with battery power.

Separate storage
(+) Mirroring of data takes place regularly (mirroring to spatially separated systems). Separate storage of data takes place.

Virus protection/firewall
(+) Virus scanner and firewall systems on all systems.

Backup system
(+) Systemic

Emergency plan
(+) The company has a contingency plan and corresponding manuals for maintaining the core processes in the event of a disaster (K-case). A customer-specific K-case manual is created and maintained regularly.

8.6.2 Rapid recoverability

Emergency plans/crisis plans/disaster recovery exist for the data centres. These are documented in the backup and emergency concept. The functionality of this concept is checked at regular intervals. The emergency plans are subject to a regular review and improvement process.

8.7. Organisational control

8.7.1. Organisational control

Organisational measures to ensure the processing of personal / sensitive data

IT security concept
(+) An information security guideline is available in the current version.

Password policy
(+) The password policy is present in the current version and can be viewed on site

Data protection directive
(+) A privacy policy is in place and can be viewed on site.

Data Protection Officer
(+) An external data protection officer is provided

Obligation of employees according to Art. 29 +32 DS-GVO
(+) All employees are bound by data secrecy and the observance of company and business secrets and are instructed in accordance with DS-GVO, Articles 29 and 32 (4) to process personal data only on the instructions of the controller.

Obligation of employees to § 88 TKG
(+) All employees must be committed to data secrecy and compliance with Art. 29 +32 DS-GVO.

(+) Directive Subcontractor is available

(+) In annually obligatory trainings, all employees must update their data protection awareness. They ensure the binding implementation of the data protection and information security guidelines, which are obligatory in the company-wide intranet.

8.7.2 Security and risk management

Services are provided on the basis of an information security management system. This includes, among other things, written guidelines, processes and manuals for IT/computer centre operation. They are based on legal regulations and internally proven rules.

The security procedures used are reviewed on an ongoing basis.

A risk management system has been implemented that covers operational risks from tenders, contracts and projects. In addition, there is an IT security risk management system that deals with process-related, service-related and location-related risks.

The technical and organisational measures for data protection in accordance with Article 32 of the GDPR are regularly reviewed as part of the ISO certification. In addition, data protection-relevant issues are also taken into account during internal process audits.

8.7.3 Certification

ISO 9001:2015 Quality Management


8.7.4 Incident response management

Security incidents are handled according to standard operating procedures and tool-supported processes in order to restore trouble-free operation as quickly as possible. Security incidents are monitored and analysed in a timely manner. Depending on the type of incident, the responsible and necessary employees of the specialist departments and specialists are called in to deal with it.

8.7.5 Privacy-friendly default settings

Data protection is taken into account at the earliest possible stage through data protection-friendly default settings ("Privacy by Design and by Default") in order to prevent unlawful processing or misuse of data. Appropriate technical default settings are to ensure that, as a matter of principle, only those personal data are collected and processed that are actually required for the specific purpose (need to know principle).

In order to achieve the lowest possible risk processing of personal data, the following protective measures are implemented, among others:

  • Minimise the amount of personal data
  • Pseudonymise or encrypt data as early as possible
  • Establish transparency with regard to the functions and processing data
  • Delete or anonymise data as early as possible
  • Minimise access possibilities to data
  • Preset existing configuration options to the most data protection friendly values

8.7.6 Order control

The aim of order control is to ensure that personal data processed on behalf of a client can only be processed in accordance with the client's instructions.

All sub-service providers are selected according to defined criteria and are obliged to comply with the GDPR. A list of the sub-service providers is available.

Service providers who act as processors within the meaning of the GDPR are selected with the utmost care according to data protection criteria. These are contractually bound to the client in accordance with Article 28 of the GDPR. The technical and organisational measures for the protection of personal data specified in the contractual commitment are based on the standards described in this document. A list of the processors is available.

The employees are instructed in data protection law at regular intervals. They are therefore familiar with the client's right to issue instructions with regard to commissioned data processing, both in their role as client and in their role as contractor. Persons authorised to issue instructions on the part of the client are named and known to the contractor.

An assessment of the contractor's IT security is carried out before the contract is awarded.

Formalised contracts and order forms ensure that the rights and obligations of the parties are clearly defined in the contract. The execution of the contract is regularly checked and controlled. Instructions are always received in writing and with written confirmation.

No commissioned data processing within the meaning of Art. 28 DS-GVO takes place without corresponding instructions from the client, e.g.: Clear contract design, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.

Every activity is based on an order from a customer. At a minimum, an existing contract applies. If personal data is processed, standard changes are only accepted by authorised persons of the customer.


9. Talent authentication and quality assurance

Pursuant to Article 32 (1) and (2) DSGVO and Section 62 BDSG, the controller of personal data is obliged to ensure compliance with the provisions of this Act and other provisions on data protection. If he commissions other persons or bodies to process personal data, he must ensure that the processor takes the necessary technical and organisational measures in accordance with the state of the art to protect the personal data and to ensure the lawful processing of the data he processes.

Pursuant to Section 64 (3) of the BDSG, measures must be taken which, among other things, are intended to achieve the following:

  • Prevention of unauthorised reading, copying, modification or deletion of data carriers (data carrier control),
  • Prevention of unauthorised entry of personal data as well as unauthorised access to, modification and deletion of stored personal data (storage control),
  • Preventing the use of automated processing systems with the help of data transmission equipment by unauthorised persons (user control),
  • Ensuring that those authorised to use an automated processing system have access only to the personal data covered by their access authorisation (access control),
  • Ensuring that it is possible to verify and identify the entities to which personal data has been or can be transmitted or made available by means of data transmission equipment (transmission control),
  • Ensuring that it is possible to subsequently check and establish which personal data have been entered or changed in automated processing systems, at what time and by whom (input control),
  • Ensuring that personal data processed on behalf of the client can only be processed in accordance with the client's instructions (order control)

9.1. Control measures to authenticate the actual user (talent)

Frequency analysis: The voice frequencies of the user are continuously analysed and automatically checked by means of a voice comparison to see whether they match the voice frequency of the talent created during the registration process. In this way, it can also be determined whether unauthorised third parties are present in the room.

Typing behaviour: The behaviour of the user when typing on the keyboard is continuously measured. The user can be identified on the basis of the measured characteristics by comparing stored data. In particular, the takeover of the computer by another person can be recognised.

9.2. Quality control measures

Silent monitoring: Yoummday GmbH has the possibility to listen in on current conversations. On the one hand, this is done for training purposes in order to give the talent the opportunity to improve his or her conduct of the conversation through feedback from a trainer and thus achieve better results. This measure only takes place if both the interlocutor and the talent have expressly agreed to it in advance.

Voice Recording: The conversations of a talent can be electronically recorded by Yoummday GmbH. However, only the spoken word of the talent, but not that of the interlocutor, is stored. As a rule, recording only takes place with the prior consent of the talent. However, in individual cases this can also take place without the knowledge and consent of the talent if there is cause for customer complaints.


10. Imprint and privacy statements

DSGVO-compliant on the website operated, available under the following links:






11. Protect data subjects' rights

As a matter of principle, we make the current version of our data protection concept available to every user or affected party.

According to the GDPR, every data subject has the following rights:

  • Right of access (Art 15 GDPR)
  • Right of rectification (Art 16 GDPR)
  • Right of erasure (Art 17 GDPR)
  • Right of restriction (Art 18 GDPR)
  • Right to portability (Art 20 GDPR)
  • Right to object (Art 21 GDPR)
  • Right to complain to the data protection authority

11.1. Data subjects' rights: Process chains

We are informed that a data subject wishes to assert his or her rights, e.g. verbally, in writing or by e-mail.

If the data subject is not known to us personally, we must establish the identity of the applicant (data subject) in order to avoid a data breach:

"Dear Ms/Mr ...,

As we have unfortunately not yet had the opportunity to meet you personally, we would ask you to send us a copy/scan of your identity card/passport so that we do not commit any data protection offences - such as forwarding personal data to the wrong person. We will then immediately comply with your request in terms of data protection. Thank you for your understanding.

With kind regards"

  • Identity cannot be established beyond doubt and the person concerned does not contact you despite being informed: => No activities necessary.
  • Identity is established beyond doubt and enquiry is legal: The data subject receives the following answers in clear and understandable language within a maximum of 14 days, depending on his or her request, in accordance with Art. 19 of the GDPR:

Right of access (Art. 15 GDPR)
The person concerned receives his or her master data sheet with all personal data (screenshot) as a PDF file.

Right of rectification (Art 16 GDPR)
The data subject receives his master data sheet with the corrected personal data as a PDF file (screenshot).

Right to erasure (Art 17 GDPR)
The data subject receives a PDF of his or her master data sheet without personal data (except name) as proof that the deletion has taken place with the note that

  • the data is used anonymously for internal statistics
  • after copying the master data sheet, the entire master data sheet including names was also irrevocably deleted (screenshot).
  • or, in the case of an existing or concluded contract with the person concerned, we will delete all data (~ marketing data) except for those where we can assert a legitimate interest of the person responsible according to Art 6 Z 1 lit f or lit c DSGVO (legal obligations, e.g. BAO and UGB; especially accounting records); we will therefore only delete this data after 7 years due to the legal retention periods; in addition, we will not delete the personal data until the end of any legal dispute, ongoing warranty or guarantee periods.
  • In these cases, a blocking (restriction) takes the place of a deletion of the accounting data.

Right to restriction (Art. 18 of the GDPR)
The data subject receives a PDF of his or her master data sheet, from which he or she can see that the "Right to restriction asserted" checkbox is ticked and that no processing of his or her personal data is taking place (screenshot).

Right to portability (Art 20 GDPR)
The data subject receives his master data sheet with all personal data (as a PDF, as it should be machine-readable). Pursuant to Art 20 Z2 GDPR we transmit his master data sheet with all personal data by CC to another responsible person named by the data subject by e-mail, but only via a secure and encrypted transmission; otherwise it is sent printed out by registered letter at the expense of the data subject.

Right to complain to the data protection authority

11.2. Data breach notification: Process chain

The GDPR defines a "personal data breach" (data breach) in Art. 33 as a breach of security that results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, whether unintentional or unlawful.

  • We become aware of a data breach.
  • Within 72 hours we report with the help of the "Model Data Protection Breach Notification" (see Annex) to the competent supervisory authority pursuant to Article 55 GDPR if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
  • We inform data subjects immediately with a cover letter and a copy of the notification to the data protection supervisory authority.
  • We will document all breaches of the protection of personal data including all related facts (effects, remedial measures taken). This documentation serves the supervisory authority to verify correct compliance with the notification obligation, see Art 33 Z5 DSGVO.


The following checklist serves as an implementation aid for checking and documenting the implementation status of the security measures for small institutions. The checklist can also be used as evidence of efforts to implement IT security.

  1. Are new employees made aware of existing regulations and instructions on information security when they are hired?
  2. Are the important key positions filled by a representative?
  3. Have all employees signed a data confidentiality commitment?
  4. Are backup media stored in a separate room?
  5. Are virus protection programmes installed on all clients?
  6. Are operating systems and applications regularly updated?
  7. Is there a checklist for employees on termination of employment?
  8. Is there user and rights management for IT systems and applications?
  9. Are there password regulations for IT systems and applications and are these implemented?
  10. Are all employees informed about the regulations on the use of standard software?
  11. Is only software from trustworthy sources installed?
  12. Are there regular checks regarding the installed software?
  13. Are automatic updates activated on clients and servers?
  14. Are there special instructions and tools for deleting and destroying data?
  15. Are doors and windows usually locked when staff are not in place?
  16. Are there lockable desks or cupboards in the offices?
  17. Are there anti-theft devices for IT systems in offices open to the public?
  18. Are lockable desks or cabinets available at the mobile workplace?
  19. Are there regulations governing which official documents may be processed at the home workplace and transported back and forth between the institution and the home workplace?
  20. Is the screen lock activated on all clients?
  21. Is access to the LAN from mobile laptops secured?
  22. Is the encryption of e-mail communication between client and server activated?
  23. Is the entry of the device PIN activated on all mobile phones / smartphones?
  24. Is all confidential data only stored encrypted on cell phones/smartphones or memory cards?
  25. Is the WPA2 encryption method used for WLAN?
  26. Are the keys for WiFi access changed regularly?


We consider the level of data protection documented here with the TOMs set to be appropriate and sufficient for us. We can therefore say to our customers with a clear conscience:

Dear customer, dear interested party!

Trust is the basis and prerequisite for our Yoummday platform. Therefore, all your personal and professional data is also in good hands with us.

We assure you that we will handle it carefully and in strict confidence and that our data protection measures will always comply with the latest legislation and that our software and hardware will always be up to date.

You can trust in that.

Munich 03.05.2022

Date, Place, Stamp Signature

Note: An original of this data security concept with signature is stored in our archive. The digital version of the data security concept is valid without signature.


If you have any further questions, please contact

Jörg Hoffmann


What are business and trade secrets?
What is not a secret?
What are your duties of confidentiality and return?
What are the consequences of violations?


Today you will be instructed about your duty to maintain business and trade secrets. This leaflet gives you the opportunity to read the most important information again. If you have any questions, do not hesitate to ask your supervisor.

What are business and trade secrets?

Business and trade secrets are facts, circumstances and processes related to Yoummday that are not public knowledge but are only accessible to a limited group of people and which Yoummday has a legitimate interest in not disclosing.

Business secrets relate more to commercial issues. Examples: individual business transactions, offer and contract documents, customer and supplier data, market data, market strategies, calculations, prices, conditions, balance sheets, employees, organisation.

Trade secrets tend to relate to the organisational or technical area. Examples: Design plans and ideas, recipes, control procedures and results, property and performance analyses, modes of operation, production methods, process sequences, plans for new products or modifications, developments including the intended task solution, development steps, design or programming methods.

A trade secret can also be the information that a company uses a process or computer programme that is in itself obvious. A service invention is also a trade secret, for example, even if you made the invention yourself and no one but you knows about it.

Before disclosing or using for your own purposes any information you have received in the course of your work at Yoummday, please check with your manager to make sure there are no objections. This also applies after your employment with Yoummday has ended.

What is not a secret?

If a fact is public, it is no longer a business or trade secret. A fact is public if it is accessible at will, for example through publication in a newspaper.

A fact does not count as public merely because, for example, the composition and method of manufacture of a product can be discovered through detailed investigations and considerations. The secret may also be made known to employees without losing its character as a secret, since employees are subject to a legal duty of confidentiality. The disclosure to external persons is harmless if the need for confidentiality is explicit or arises from the circumstances. This is assumed by case law even without an agreement if, for example, another company is to carry out plans or external experts are called in. Even if a secret is betrayed, this does not necessarily eliminate the confidential character.

What confidentiality and return obligations do you have?

You may not disclose business and trade secrets to third parties during or after your employment with Yoummday. A third party is anyone to whom the secret is not accessible. This does not only apply to competitors, but also to Yoummday employees who do not know the secret, family members, etc. As an employee, you may not use business and trade secrets for your own purposes.

You may only take documents, materials, equipment, etc. containing business or trade secrets out of the company if you have the permission of your supervisor. If you work in a home or mobile office, the Home Office/Mobile Office (Teleworking) Guideline also applies to you. Other confidentiality obligations - such as your data protection confidentiality obligations - also apply.

All business documents, regardless of whether you received them from Yoummday or from third parties or whether you created them yourself, must be returned without being asked at the end of the employment relationship. You must also return or delete any notes (e.g. files) that you have created yourself. Your supervisor can also ask you to return or delete them at any time during the employment relationship.

What are the consequences of violations?

If you obtain or secure business and trade secrets without authorisation (e.g. copy a secret or write it down from memory - even if you are lawfully aware of the secret), communicate them to third parties or exploit them, you can be punished with up to five years' imprisonment under Section 17 UWG.

Other possible consequences are obligations to pay damages and injunctions (if necessary also against the new employer) and (during the existence of the employment relationship) dismissal with or without notice.

* The masculine form chosen here always refers to female, male and diverse persons at the same time.


The secrecy of telecommunications
Your duty to maintain the secrecy of telecommunications
Requests for information
Consequences of violations
Wording of the laws


Today, you have been informed about the secrecy of telecommunications. At the same time, you will receive a briefing on the obligations that arise for you from the secrecy of telecommunications. This leaflet gives you the opportunity to read the most important information again. If you have any questions, do not hesitate to ask your supervisor or the company data protection officer.

The telecommunications secret

The secrecy of telecommunications protects not only telephones and faxes, but also modern forms of communication such as e-mail. It is therefore also called telecommunication secrecy. It is a fundamental right (Article 10 of the Basic Law - GG), which is regulated in more detail in § 88 of the Telecommunications Act (TKG) and § 206 of the Criminal Code (StGB). §§ 91 ff. TKG regulate data protection in telecommunications. In special cases, the General Data Protection Regulation (DS-GVO) or, if applicable, the Federal Data Protection Act (BDSG) may also be applicable instead of the TKG.

On the one hand, the secrecy of telecommunications protects the content of the communication: What was discussed during the telephone conversation? What data was transmitted? What is in the email or chat message? And also: What is in the subject of the email?

On the other hand, the secrecy of telecommunications also protects the "closer circumstances of the telecommunication": Who telephoned or emailed with whom and when? Which internet pages were called up? Who actually tried to establish a telephone connection?

Not only Yoummday, but also you personally must observe the secrecy of telecommunications. This obligation already results from the law (§ 88 TKG, § 206 StGB). Your formal commitment today to the secrecy of telecommunications only serves to make clear to you how important this duty is.

Please note:

The secrecy of telecommunications applies for an unlimited period of time, even if you are no longer working for us (this is expressly stated in § 88 para. 1 sentence 2 TKG; however, this also applies to § 206 StGB). It applies to all people who are not responsible for the matter in question - i.e. also towards all other colleagues, your family and the press.

Your duty to preserve the secrecy of telecommunications

You must treat information that is subject to telecommunications secrecy with absolute confidentiality. You may not, for example, evaluate individual connection records or log files on telecommunication connections, view e-mail boxes or similar, unless this is permitted by law as an exception. The most important permission is contained in § 88 para. 3 sentence 1 TKG: If we can only provide the telecommunication service or protect our telecommunication systems if we have knowledge of certain information subject to telecommunications secrecy, we are permitted to obtain such knowledge. §§ 96 and 97 TKG allow us to store and use connection data to the extent necessary for billing purposes. For the purpose of combating interference and fraud, § 100 TKG permits us to use connection data in certain cases. (In special cases, the DS-GVO, possibly the BDSG, may also be applicable instead of the TKG.) Your supervisor will explain to you what data may be stored and used for what purpose in a specific case.

Please note that these permissions only exist to the extent that knowledge, storage or use is absolutely necessary for the respective purpose. If, for example, you have to look into a mailbox to correct a technical error, you may only do so to the extent that this cannot be avoided: If it is sufficient to evaluate the header of an email, you are not allowed to read the message text itself. Of course, you are not allowed to pass on things that are subject to the secrecy of telecommunications, even if you have lawfully obtained knowledge of them for administrative purposes - not even to your superior. Exception: If you accidentally learn that a serious offence mentioned in § 138 StGB is being planned.

Request for information

You may be approached by the police or other authorities and asked for certain information, for example about users or details that are subject to telecommunications secrecy. Please forward such requests immediately to the internal data protection coordinator. You yourself are not allowed to provide information if this is not specifically part of your job description.

Consequences of infringements

If you violate the secrecy of telecommunications, you may face up to five years in prison.

§ 206 of the Criminal Code makes it a criminal offence (among other things) to pass on information that is subject to telecommunications secrecy. It is also a criminal offence to suppress confidential transmissions (especially e-mails) without authorisation, for example, to delete them or to withhold them for a longer period of time.

Certain violations of the TKG may also result in a fine, e.g. if data is collected or not deleted without authorisation (§ 149 TKG). Under certain circumstances, further fines and criminal offences may be considered, such as violations of data protection law (Art. 83 DS-GVO, §§ 42, 43 BDSG), betrayal of business and trade secrets (§ 17 UWG), spying on data (§ 202 a StGB), computer fraud (§ 263 a StGB).

It can cause serious damage to Yoummday if a so-called data breach becomes public knowledge. Customers lose trust and stop using our services if they cannot be sure that their data is in good hands with us. In addition, we may be obliged under the GDPR to notify all data subjects of a data breach and may also have to inform the public. Please help us to ensure that the secrecy of telecommunications is always maintained.

If damage is caused by breaches of telecommunications secrecy, we and you personally may have to pay compensation. You personally may also face consequences under labour law if you violate the secrecy of telecommunications.

Depending on the severity of the misconduct, a warning, termination with notice or even termination without notice without prior warning are conceivable.

Wording of the laws

Telecommunications Act (TKG)

§ 88 Secrecy of telecommunications

(1) The secrecy of telecommunications shall apply to the content of telecommunications and the details thereof, in particular the fact whether a person is or was involved in a telecommunications process. The secrecy of telecommunications also extends to the detailed circumstances of unsuccessful connection attempts.

(2) Every service provider is obliged to maintain the secrecy of telecommunications. The obligation to maintain secrecy shall continue even after the end of the activity which gave rise to it.

(3) Those obliged under paragraph 2 shall be prohibited from obtaining knowledge of the content or the detailed circumstances of telecommunications for themselves or others beyond what is necessary for the provision of the telecommunications services in accordance with the business, including the protection of their technical systems. They may use knowledge of facts subject to telecommunications secrecy only for the purpose stated in sentence 1. The use of this knowledge for other purposes, in particular the disclosure to others, shall only be permissible if this Act or another statutory provision so provides and expressly refers to telecommunications processes. The obligation to report under Section 138 of the Criminal Code shall take precedence.

(4) If the telecommunications installation is on board a watercraft or aircraft, the duty to maintain secrecy does not apply to the person driving the vehicle or to his or her representative.

Criminal Code (StGB)

§ 206 Violation of postal or telecommunications secrecy

(1) Any person who without authorisation informs another person of facts which are subject to postal or telecommunications secrecy and which have become known to him or her as the owner or employee of an undertaking which provides postal or telecommunications services on a commercial basis shall be liable to a custodial sentence not exceeding five years or to a monetary penalty.

(2) It shall also be a punishable offence for any person who, as owner or employee of an undertaking referred to in paragraph 1, without authorisation

1. opens a consignment which has been entrusted to such an undertaking for transmission and which has been sealed, or obtains knowledge of its contents by technical means without opening the seal,

2. suppresses a consignment entrusted to such an undertaking for transmission; or

3. permits or encourages any of the acts referred to in paragraph 1 or in points 1 or 2.

(3) Paragraphs 1 and 2 shall also apply to persons who

1. perform supervisory tasks over an undertaking referred to in paragraph 1,

2. are entrusted by or with the authorisation of such an undertaking with the provision of postal or telecommunications services; or

3. are entrusted with the manufacture of or work on a plant serving the operation of such an enterprise.

(4) Any person who without authorisation informs another person of facts which have become known to him or her as a public official working outside the postal or telecommunications sector on the basis of an authorised or unauthorised interference with postal or telecommunications secrecy shall be liable to a custodial sentence not exceeding two years or to a monetary penalty.

(5) Postal secrecy applies to the details of the postal traffic of certain persons as well as to the contents of postal items. The secrecy of telecommunications applies to the content of telecommunications and the circumstances surrounding them, in particular the fact whether someone is or was involved in a telecommunications process. The secrecy of telecommunications also extends to the details of unsuccessful attempts to make a connection.


What does "unfair" mean?
What is prohibited?
"Black List" (Annex to Section 3 (3) UWG)
What are the legal consequences of unfair conduct?
Annex to the instruction on the obligation not to infringe the Unfair Competition Act (UWG)


Employees shall be instructed not to engage in any unfair commercial activities within the scope of their telephone activity:

What does "unfair" mean?

Business acts are unfair, in particular towards consumers, and therefore unlawful, if they are capable of influencing the personal decision-making capacity in such a way that the ability to decide on the basis of information is noticeably impaired. This is intended to prevent business decisions from being brought about which the persons concerned would probably not have taken otherwise.

In this respect, the legal provisions include various rules of conduct that must be observed in all telephone contact.

What is forbidden?

The freedom of personal decision-making can be impaired by various types of telephone conduct. The most important prohibitions for business communication by telephone are described below:

Unreasonable harassment (§ 7 UWG)

Unsolicited calls for advertising purposes are considered intrusive and harassing advertising. Cold calls made in order to gain new customers are therefore generally prohibited as customer capture by harassment.

Exceptions apply only if

  • a consumer has expressly declared consent before the advertising call. For this purpose, it is not sufficient if the first question asked by the caller is "Do you agree with this telephone advertising?".
  • in the case of traders, presumed consent is to be assumed. However, this can only be safely assumed if the call is made in connection with an existing business relationship and does not go beyond the nature of the existing business.
  • the person contacted has made contact himself/herself and has expressly requested a callback on a specific matter.

Aggressive sales methods (§ 4 a UWG)

It is important not to exert any pressure or influence - either legal or psychological - on a contract decision made by telephone and to maintain a friendly tone at all times.

Blackening of competitors or commercial defamation and disparagement (section 4 no. 1 and 2 UWG)

Competitors are to be protected from untrue factual allegations that are detrimental to business. Negative claims are only permissible if they are demonstrably true. This means that the utmost caution must be exercised in telephone contact when making negative statements about competitors. Here, the area of criminal law (e.g. defamation) can also be touched very quickly.

Misleading commercial acts pursuant to § 5 UWG

In addition, no misleading statements may be made in telephone contact which are suitable for influencing a business decision. In particular, the following are inadmissible:

  • Untrue advertising statements or information about goods or services,
  • true advertising statements, if they are misunderstood by the target audience,
  • Advertising with self-evident statements such as: "With us you get a two-year warranty/guarantee", since the legally prescribed warranty is two years,
  • incomplete or omitted information, such as concealment of the fact that the goods are second choice or a discontinued model.

Comparative advertising (Section 6 UWG)

Often, comparisons to the goods or services of the competitor or to the competitor itself are made when initiating a contract by telephone. Comparative advertising is permissible in principle, but can quickly become unlawful if it falls under the prohibition catalogue of Section 6 (2) UWG. Apart from many individual cases, the principle applies here that a comparison is only permissible if it is based on demonstrably true facts.

Therefore, caution is advised with unique selling propositions such as: "The biggest...", "The best...", "Leading company in the sector...", "Number 1".

Advertising with a top position is only permissible if this position can be proven on the basis of objectively verifiable criteria and the advertiser has a clear lead over his competitors with a certain consistency.

Statements that consist of a mere value judgement, such as "I personally find the product worse or better" do not constitute a factual claim and are therefore not covered by the regulations on comparative advertising.

Violation of business secrets (please refer to the separate instruction on this subject).

"Black List" (Annex to Section 3 (3) UWG)

To supplement this, the appendix to Section 3 (3) of the Unfair Competition Act (UWG) is attached in Annex 1. This so-called "black list" contains 30 explicit offences of unfair conduct which are inadmissible in any case. Even if these offences only partially affect telephone contact, it is obligatory to review them as part of the training.

What are the legal consequences of unfair conduct?

A violation of the prohibitions of conduct establishes the immorality of the act. Contracts that come into being through immoral conduct are thus null and void according to § 138 BGB.

In particular, there is a risk of claims for injunctive relief and damages, which can also be asserted against the employer.

Violations of the prohibition of unlawful telephone advertising to consumers are also administrative offences and can be punished with a fine of up to 300,000 euros (Section 20 (2) UWG).

Under labour law, such behaviour often constitutes grounds for termination of the employment relationship with notice or, if necessary, without notice.

Annex to the instruction on the obligation not to infringe the Unfair Competition Act (UWG)


Unlawful business acts are according to the Annex to Section 3 (3) UWG:

"Adorning oneself with borrowed plumes"
1. the untruthful statement of an entrepreneur to be one of the signatories of a code of conduct;

2. the use of quality marks, quality labels or similar without the necessary authorisation; example: organic seal or "Blue Angel";

3. making an untrue statement that a code of conduct has been endorsed by a public or other body;

4. the untruthful statement that an entrepreneur, a business act carried out by him or a product or service has been confirmed, endorsed or approved by a public or private body, or the untruthful statement that the conditions for the confirmation, endorsement or approval are met. Example: "TÜV tested/certified/ state recognised/state approved/...";

"Promises you can't keep"
5. offers of goods or services at a specified price if the trader does not disclose that he has reasonable grounds for believing that he will not be able to provide or cause to be provided those goods or services or similar goods or services for a reasonable period of time and in reasonable quantities at the specified price (bait and switch offers). If the stockpiling is shorter than two days, it is up to the trader to prove the reasonableness;

"Promises you don't want to keep"
6. Offers of goods or services at a certain price if the trader then, with the intention of selling another good or service instead, performs something defective or refuses to show what he has advertised or refuses to accept orders for it or to provide the advertised service within a reasonable time;

"Putting consumers under time pressure"
7. Untruthfully stating that certain goods or services are only available generally or under certain conditions for a very limited period of time in order to induce the consumer to make an immediate commercial decision without having the time and opportunity to decide on the basis of information. Example: "Today only", "Today and then never again", or similar;

"Confronting consumers with foreign languages"
8. After-sales services in a language other than that in which the negotiations were conducted before the conclusion of the transaction, if the language originally used is not an official language of the Member State in which the trader is established; this does not apply if consumers are informed before the conclusion of the transaction that these services will be provided in a language other than the language originally used; example: After conclusion of the contract, everything only in English;

"Deceiving consumers"
9. making a false statement or creating the false impression that a product or service is marketable;

"Advertise with self-evident facts"
10. making a false statement or creating the false impression that legal rights are a special feature of the offer; example: "Two-year warranty on new goods";

"Camouflaged advertising"
11. the use of editorial content financed by the entrepreneur for the purpose of sales promotion without this connection being clearly evident from the content or the type of visual or acoustic presentation (advertising disguised as information); example: fake newspaper articles;

"Fear advertising"
12. untruthful statements about the nature and extent of a risk to the personal safety of the consumer or his family in the event that he does not purchase the offered goods or does not make use of the offered service;

13. Advertising a good or service that is similar to a competitor's good or service if this is done with the intention of deceiving as to the commercial origin of the advertised good or service;

"Snowball or pyramid schemes"
14. the introduction, operation or promotion of a sales promotion system which gives the impression that remuneration can be obtained solely or mainly through the introduction of further participants into the system (snowball or pyramid scheme);

"Untruths, exaggerations and inaccuracies"
15. making an untrue statement that the trader is about to go out of business or move premises;

16. a claim that a particular good or service will increase the chances of winning a game of chance;

17. making a false statement or creating the false impression that the consumer has already won or will win a prize or will obtain a prize or other advantage by taking a certain action, when in fact there is no such prize or advantage, or when in any case the possibility of obtaining a prize or other advantage is made dependent on the payment of a sum of money or the assumption of costs;

18. the untrue statement that a good or service can cure illnesses, dysfunctions or deformities;

19. an untruthful statement about market conditions or sources of supply in order to induce the consumer to purchase or use a good or service at less favourable conditions than the general market conditions; example: "Made in Germany", "we produce in Germany" although this is not true;

20. the offer of a competition or a prize competition, if neither the prospective prizes nor an appropriate equivalent are awarded;

21. the offer of a good or service as "free", "free of charge", "free of costs" or similar, if costs are nevertheless to be borne for this; this does not apply to costs which are unavoidable in connection with the acceptance of the offer of goods or services or for the collection or delivery of the goods or the use of the service; example: Undisclosed basic charges, handling fees or minimum purchases;

22. the transmission of advertising material accompanied by a request for payment if this conveys the false impression that the advertised goods or services have already been ordered; example: subscription fraud;

23. making a false statement or creating an inaccurate impression that the trader is a consumer or is not acting for the purposes of his business, trade, craft or profession; example: many eBay traders are to be classified as commercial because of the scale of their activity;

24. misrepresenting or creating the false impression that after-sales service is available in relation to goods or services in a Member State of the European Union other than that in which the goods are sold or the service is provided;

"Take them by surprise and build up pressure"
25. creating the impression that the consumer cannot leave certain premises without first entering into a contract;

26. in the case of a personal visit to the home, failure to comply with a request by the person visited to leave or not to return to the home, unless the visit is justified for the lawful enforcement of a contractual obligation;

"Run down consumers"
27. Measures intended to prevent the consumer from enforcing his contractual rights arising out of an insurance relationship by requiring him, when making a claim, to produce documents that are not necessary to prove this claim, or by systematically not answering letters asserting such a claim;

"When children are addressed"
28. the direct invitation to children included in an advertisement to purchase the advertised goods or services themselves or to induce their parents or other adults to do so;

"Subcontracted goods and services"
29. a request for payment for goods or services which have not been ordered or a request to return or store goods which have not been ordered, unless this is a replacement delivery permitted under the regulations on distance contracts, and

"Pity tour"
30. the express statement that the trader's job or livelihood is at risk if the consumer does not purchase the goods or services.