Your privacy, our commitment
At szilviasandberg.com, we deeply value your privacy. This statement outlines how we handle your personal information when you visit our compliance blog, sign up for updates, or explore our books on human rights and business ethics. We're committed to transparency and protecting your data.
Privacy Policy
- Introduction
With the following information, we would like to provide you, as a “data subject,” with an overview of how we process your personal data and your rights under data protection laws. In general, you can use our website without providing any personal data. However, if you wish to use specific services offered by our company via our website, the processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.
The processing of personal data, such as your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to “0 Schulungsmandant CerDat GmbH.” Through this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use, and process.
As the data controller, we have implemented numerous technical and organizational measures to ensure the most comprehensive possible protection of the personal data processed via this website. Nevertheless, internet-based data transmissions can generally have security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, you are free to provide us with personal data through alternative channels, such as by phone or mail.
You, too, can take simple and easy-to-implement measures to protect yourself against unauthorized access to your data by third parties. Therefore, we would like to provide you with some tips on how to handle your data securely:
- Protect your account (login, user, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with strong passwords.
- Only you should have access to the passwords.
- Make sure you only use your passwords for a single account (login, user, or customer account).
- Do not use the same password for different websites, applications, or online services.
- Especially when using publicly accessible IT systems or those shared with others: You must log out after every session on a website, application, or online service.
Passwords should consist of at least 12 characters and be chosen so that they cannot be easily guessed. Therefore, they should not contain common everyday words, your own name, or the names of relatives, but rather a combination of uppercase and lowercase letters, numbers, and special characters.
- Data Controller
The controller within the meaning of the GDPR is:
Szilvia Sandberg
info@szilviasandberg.com
Representative of the controller: Szilvia Sandberg
- Data Protection Officer
Please note that a Data Protection Officer does not need to be appointed.
- Definitions
This Privacy Policy is based on the terminology used by European legislators and regulators when enacting the General Data Protection Regulation (GDPR). Our Privacy Policy is intended to be easy to read and understand for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.
In this privacy policy, we use the following terms, among others:
- Personal Data
Personal data is any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).
- Processing
Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.
- Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.
- Profiling
Profiling is any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Pseudonymization
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.
- Processor
A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
- Recipient
A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether or not they are a third party. However, public authorities that may receive personal data in the course of a specific investigative mandate under Union law or the law of the Member States are not considered recipients.
- Third Party
A third party is a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.
- Consent
Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Legal basis for processing
Article 6(1)(a) of the GDPR (in conjunction with Section 25(1) of the TDDDG (formerly TTDSG)) serves as the legal basis for our company’s processing operations in which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which you are a party—as is the case, for example, with processing operations required for the delivery of goods or the provision of other services or consideration—the processing is based on Article 6(1)(b) of the GDPR. The same applies to processing operations necessary for the implementation of pre-contractual measures, such as in cases of inquiries regarding our products or services.
If our company is subject to a legal obligation that requires the processing of personal data, such as to fulfill tax obligations, the processing is based on Article 6(1)(c) of the GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance information, or other vital information had to be disclosed to a doctor, a hospital, or other third parties. In such cases, the processing would be based on Article 6(1)(d) of the GDPR.
Finally, processing operations may be based on Article 6(1)(f) of the GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal bases, provided that the processing is necessary to safeguard a legitimate interest of our company or a third party and that the interests, fundamental rights, and freedoms of the data subject do not override those interests. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this regard, the legislator took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47, Sentence 2 of the GDPR).
Our services are generally intended for adults. Persons under the age of 16 may not transmit any personal data to us without the consent of their parents or legal guardians. We do not request personal data from children and adolescents, do not collect such data, and do not disclose it to third parties.
- Transfer of Data to Third Parties
Your personal data will not be transferred to third parties for purposes other than those listed below.
We will only disclose your personal data to third parties if:
- you have given us your explicit consent to do so pursuant to Art. 6(1)(a) of the GDPR,
- the transfer is permissible under Article 6(1)(f) of the GDPR to safeguard our legitimate interests, and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
- there is a legal obligation to disclose the data pursuant to Article 6(1)(c) of the GDPR, and
- this is legally permissible and necessary under Article 6(1)(b) of the GDPR for the performance of contractual relationships with you.
To protect your data and, where necessary, to enable data transfers to third countries (outside the EU/EEA), we have entered into data processing agreements based on the European Commission’s Standard Contractual Clauses. If the Standard Contractual Clauses are insufficient to ensure an adequate level of security, your consent pursuant to Article 49(1)(a) of the GDPR may serve as the legal basis for the transfer to third countries. This does not apply, however, to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Article 45 of the GDPR.
- Technology
7.1 SSL/TLS Encryption
This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data, or contact requests, that you send to us as the operator. You can recognize an encrypted connection by the fact that "https://" appears in the browser’s address bar instead of "http://," and by the lock icon in your browser bar.
We use this technology to protect the data you transmit.
7.2 Data Collection When Visiting the Website
When you use our website for informational purposes only—that is, if you do not register, do not otherwise transmit information to us, or do not consent to processing that requires consent—we collect only the data that is technically necessary to provide the service. This typically consists of data that your browser transmits to our server (in so-called server log files). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server’s log files. The following may be collected:
- browser types and versions used,
- the operating system used by the accessing system,
- the website from which an accessing system reaches our website (so-called referrer),
- the subpages accessed on our website via an accessing system,
- the date and time of access to the website,
- an Internet Protocol (IP) address, and
- the Internet service provider of the accessing system.
We do not draw any conclusions about your identity when using this general data and information. Rather, this information is required to
- deliver the content of our website correctly,
- optimize the content of our website as well as the advertising on it,
- ensure the continued functionality of our IT systems and the technology of our website, and
- provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.
We therefore evaluate this collected data and information both statistically and with the aim of enhancing data protection and data security within our company, ultimately to ensure an optimal level of protection for the personal data we process. The data from the server log files is stored separately from any personal data provided by a data subject.
The legal basis for data processing is Art. 6(1)(f) of the GDPR. Our legitimate interest arises from the purposes of data collection listed above.
- Audience Measurement with Plausible Analytics
This website uses the web analytics service Plausible Analytics. The provider is Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia.
We use Plausible Analytics for privacy-friendly statistical analysis of the use of our blog. The analysis helps us understand how visitors use our content and which posts are accessed particularly frequently, so that we can improve our online offering.
Plausible Analytics operates without cookies or similar tracking technologies. No personal user profiles are created. Analysis is based exclusively on anonymized and aggregated statistical data, such as page views, referrers, devices used, and the approximate regions of origin of visitors.
Processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR to statistically evaluate the use of our online offering and optimize our content.
Plausible Analytics is hosted via the Google Cloud Platform. The server location used is in the Netherlands, meaning that data processing generally takes place within the European Union.
The Google Cloud Platform is provided by **Google LLC, USA**. It therefore cannot be completely ruled out that access from the USA may occur in the context of technical or administrative processes. In this context, data may be transferred to a third country.
Google LLC is certified under the EU-US Data Privacy Framework (DPF). Additionally, any data transfer is based on the **EU Standard Contractual Clauses pursuant to Art. 46 GDPR** to ensure an adequate level of data protection.
For more information on data processing by Plausible Analytics, please visit:
https://plausible.io/data-policy
- Your Rights as a Data Subject
9.1 Right to Confirmation
You have the right to request confirmation from us as to whether personal data concerning you is being processed.
9.2 Right of access (Art. 15 GDPR)
You have the right to receive from us, at any time and free of charge, information regarding the personal data stored about you, as well as a copy of this data in accordance with legal provisions.
9.3 Right to rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.
9.4 Erasure (Art. 17 GDPR)
You have the right to request that we erase personal data concerning you without undue delay, provided that one of the grounds provided for by law applies and insofar as the processing or storage is not necessary.
9.5 Restriction of Processing (Art. 18 GDPR)
You have the right to request that we restrict processing if one of the legal requirements is met.
9.6 Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller to whom the personal data has been provided, without hindrance from us, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to Art. 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another controller, provided this is technically feasible and does not infringe upon the rights and freedoms of others.
9.7 Objection under Article 21 of the GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) of the GDPR.
This also applies to profiling based on these provisions within the meaning of Article 4(4) of the GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims.
9.8 Withdrawal of Consent Under Data Protection Law
You have the right to withdraw your consent to the processing of personal data at any time with future effect.
9.9 Complaint to a supervisory authority
You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data.
- Routine Storage, Deletion, and Blocking of Personal Data
We process and store your personal data only for the period necessary to achieve the purpose of storage or to the extent required by the legal provisions to which our company is subject.
If the purpose of storage no longer applies or a prescribed retention period expires, the personal data will be routinely blocked or deleted in accordance with legal requirements.
- Duration of storage of personal data
The criterion for the duration of storage of personal data is the respective statutory retention period. Upon expiration of the period, the corresponding data is routinely deleted, provided it is no longer required for the performance of a contract or for entering into a contract.
- Validity and Changes to the Privacy Policy
This Privacy Policy is currently valid and is dated March 2026.
Due to the further development of our website and services, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. You can access and print the current version of the Privacy Policy at any time.