Privacy Notice

Below you will find comprehensive information on how we process your personal data in our company or on our website.

AssetMetrix GmbH takes the protection of personal data very seriously. We treat personal data confidentially and in accordance with the statutory data protection regulations and on the basis of this privacy notice. The legal basis can be found in particular in the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

This privacy notice informs you in accordance with Art. 12 ff. GDPR about the handling of your personal data when using our website, in the event of a report within the meaning of the Whistleblower Protection Act or when contacting us in connection with the provision of our services or the initiation of a contract. In particular, it explains what data we collect and what we use it for. It also informs you how and for what purpose this is your personal information processed.

1. Person responsible

Responsible for the collection, processing and use of your personal data within the meaning of Art. 4 No. 7 DSGVO is:

AssetMetrix GmbH
Managing Directors: Dr. Dimitris Matalliotakis, Dr. Frank Brötz, Barbara Münch
Theresienhöhe 13
D-80339 Munich

The Controller alone or together with others decides on the purposes and means of processing personal data (e.g. names, contact data, etc.).

2. The company data protection officer

We have appointed a company data protection officer for our company.

Data Protection Officer: Katja Roganec, Email:; Phone: +49 89 5432880322

3. How we handle your data:

3.1. Personal data:

According to Art. 4 GDPR, personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2. Legal basis for the processing of data:

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the justifications pursuant to Art. 6 GDPR and Section 25 (1) TTDSG (Telecommunications and Telemedia Data Protection Act). For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing can also be based on several legal bases. Consent in accordance with Art. 6 para. 1 lit. a) GDPR is generally obtained by us in writing. If consent is obtained electronically, this is done by ticking the relevant box to document the granting of consent; the content of the declaration of consent is logged electronically. Some data processing operations are only possible with your express consent. You can withdraw your consent at any time. To withdraw your consent, simply send an informal e-mail to The legality of the data processing carried out until the revocation remains unaffected by the revocation. Please note that once consent has been given – regardless of whether this is based on Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR – it can be revoked at any time with effect for the future – in whole or in part; the legality of the processing carried out on the basis of the consent until revocation remains unaffected by this.

3.3. Duration of data storage:

We initially process and store your personal data for the duration for which the respective purpose of use requires corresponding storage. This may also include the periods for the initiation of a contract (pre-contractual legal relationship) and the performance of a contract. On this basis, personal data is regularly deleted as part of the fulfillment of our contractual and/or legal obligations, unless its temporary further processing is required for the following purposes:

-Fulfillment of statutory retention obligations, such as those arising from the German Commercial Code (Sections 238, 257 (4) HGB) and the German Fiscal Code (Section 147 (3), (4) AO). The retention and documentation periods specified there are up to ten years. -Preservation of evidence, taking into account the statute of limitations. According to Sections 194 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

3.4. Recipients of data:

At AssetMetrix, access to personal data is generally only granted to those persons and bodies that require access to fulfill the purposes described in this data protection information (so-called "need-to-know" principle). Within the aforementioned limits, we reserve the right to involve third party service providers (e.g. data centers, IT service providers, printing service providers, waste disposal companies, legal advisors and auditors) in a contractual relationship with our customers, who act on our behalf and according to our instructions ("processors") in the context of the provision of services. These service providers may receive personal data or come into contact with personal data as part of the provision of services and constitute third parties or recipients within the meaning of the GDPR. In such a case, we ensure that our service providers provide sufficient guarantees that appropriate technical and organizational measures are in place and that processing operations are carried out in such a way that they comply with the requirements of the GDPR and ensure the protection of the rights of the data subject (see Art. 28 GDPR). Insofar as personal data is transferred to third parties and/or recipients outside of commissioned processing, we ensure that this is done exclusively in accordance with the legal requirements (GDPR, BDSG) and only if there is a corresponding legal basis or any consent required for this.

3.5. Data transfer to third countries

Your personal data is generally processed within the Federal Republic of Germany. If personal data is processed outside the Federal Republic of Germany in other EU member states or in states of the European Economic Area ("EEA") – e.g. by service providers – this is done in compliance with the relevant provisions of the GDPR and the BDSG. Data is only transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the performance of a service contract with a customer if you have given us your consent to do so or if this is otherwise permitted by law. In this case, we take measures to ensure the protection of your data, for example through contractual regulations. We only transfer data to recipients who ensure the protection of your data in accordance with the provisions of the GDPR for the transfer to third countries (Art. 44 to 49 GDPR). For data transfers to third countries in which there is no adequate level of data protection, we ensure before the transfer that the recipient either has an adequate level of data protection (e.g. adequacy decision of the EU Commission or agreement of so-called EU standard contractual clauses of the European Union with the recipient) or that our users have given their express consent. We always ensure that the relevant data protection regulations are complied with when passing on information.

4. Purposes of the processing:

4.1. Contract initiation, performance and provision of our services, marketing

As a rule, we collect and use personal data only insofar as this is necessary for the performance and provision of our services within the framework of a service agreement or for the implementation of pre-contractual measures that are carried out on request, as well as in the other cases listed in this data protection information. The purposes of data processing are primarily based on the specific services. Any further processing of personal data will only take place if this is expressly permitted by law and/or if your consent – if required – has been obtained. We also use your personal data to provide and manage our services. The legal basis for processing in these cases is Art. 6 para. 1 lit. b) GDPR. If processing is carried out to fulfil a legal obligation, Art. 6 para. 1 lit. c) GDPR is the legal basis. In addition to the fulfilment of a contract, we also process your data to protect our legitimate interests or those of third parties (Art. 6 (1) (f) GDPR). This includes the following cases:

  • Advertising or marketing;

  • Sending of non-sales-promoting information and press releases;

  • Measures for business management and the further development of our services;

  • The execution of business processes and internal management;

  • We carry out audits and investigations as well as business controls and manage and use customer, supplier and business partner directories. We also process your personal data for financial, accounting, archiving and insurance purposes;

  • Assertion of legal claims and defense in legal disputes;

  • Ensuring our IT security and IT operations;

  • Prevention and investigation of criminal offenses;

  • Measures for building and system security (e.g. access controls).

Categories of personal data

We process the data that we have received from you as part of the contract initiation or processing and on the basis of your consent. This includes, for example:

  • First name and surname, address, contact details (e-mail address, telephone number, fax), position, dates of birth, place of birth, nationality, bank details, ID numbers;

  • For visitors to our company, this includes Name, address and signature;

  • Information from your electronic communication with us (e.g. IP address, log-in data);

  • Other data that we have received from you in the course of our business relationship (e.g. in discussions with customers);

  • The documentation of your declaration of consent for the receipt of e.g. newsletters / advertising and

  • Photographs taken as part of events.

4.2. Accessing and visiting our website – server log files

For the purpose of the technical provision of the website, it is necessary for us to process certain information automatically transmitted by your browser so that our website can be displayed in your browser and you can use the website. This information is automatically collected each time you visit our website and automatically stored in so-called server log files. These are:

  • Visited page on our domain

  • Date and time of the server request

  • Browser type and browser version

  • Operating system used

  • Referrer URL

  • Host name of the accessing computer

  • IP address This data is not merged with other data sources. The basis for data processing is Art. 6 para. 1 lit. b) GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. We store the data for up to one year.

4.3. Contact form

If you contact us, we may keep a record of that correspondence. This includes registering to use the website, subscribing to services, newsletters and alerts, registering for a conference or requesting a white paper or further information. The pages that collect this type of personal data may contain further information about why we need your personal data and how it will be processed. It is your choice whether you wish to provide this data. Data submitted via the contact form, including your contact details, will be stored in order to process your request or to be available for follow-up questions. The data entered in the contact form is processed exclusively on the basis of your consent (Art. 6 (1) (a) GDPR). You can withdraw your consent at any time. An informal notification by e-mail is sufficient for the revocation. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation. Data transmitted via the contact form will remain with us until you ask us to delete it, revoke your consent to storage or there is no longer any need to store the data. Mandatory statutory provisions – in particular retention periods – remain unaffected.

5. Use of cookies and tracking tools, processing by third parties

5.1. Cookies

Our website uses cookies. These are small text files that your web browser stores on your end device. Cookies help us to make our website more user-friendly, effective and secure. Some cookies are "session cookies". Such cookies are deleted automatically at the end of your browser session. Other cookies, on the other hand, remain on your device until you delete them yourself. Such cookies help us to recognize you when you return to our website. With a modern web browser, you can monitor, restrict or prevent the setting of cookies. Many web browsers can be configured so that cookies are deleted automatically when the program is closed. Deactivating cookies may result in limited functionality of our website. The setting of cookies, which are necessary for the performance of electronic communication processes or the provision of certain functions desired by you, takes place on the basis of Art. 6 para. 1 lit. f) GDPR. As the operator of this website, we have a legitimate interest in the storage of cookies for the technically error-free and smooth provision of our services. If other cookies are set (e.g. for analysis functions), these are treated separately in this privacy notice.

Cookies Set:

5.2. Leadfeeder

To statistically evaluate visitor access, data is collected, processed and stored for marketing purposes and to recognize web visitors using technologies from Liidio Oy ( Leadfeeder technology uses this data to determine addresses, but only in cases where it can ensure that the visitor is a company and not an individual person. Cookies can be used for this purpose. Cookies are small text files that are stored on your computer and enable your use of the website to be analyzed. The company data collected by Leadfeeder may also contain personal data. Leadfeeder may use information left behind by visits to the websites to create anonymized usage profiles. If IP addresses are collected, they are anonymized immediately after collection by deleting the last number block. Further information and Leadfeeder’s privacy policy can be found here. The processing is carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.

5.3. Matomo

On this website, data is collected and stored using the web analysis service software Matomo (, a service provided by InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand, ("Matomo") on the basis of our legitimate interest in the statistical analysis of user behavior for optimization and marketing purposes in accordance with Art. 6 para. 1 lit. f) GDPR. Pseudonymized user profiles can be created and evaluated from this data for the same purpose. Cookies can be used for this purpose. Cookies are small text files that are stored locally in the cache of the website visitor’s internet browser. Among other things, cookies make it possible to recognize the Internet browser. The data collected using Matomo technology (including your pseudonymized IP address) is processed on our servers. The information generated by the cookie in the pseudonymized user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym. If you do not agree to the storage and analysis of this data from your visit, you can object to its storage and use at any time by clicking here. In this case, a so-called opt-out cookie will be stored in your browser, which means that Matomo will not collect any session data. Please note that the complete deletion of your cookies means that the opt-out cookie will also be deleted and may have to be reactivated by you.

5.4. Google Ads and Google Conversion Tracking

Our website uses Google Ads. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. AdWords is an online advertising program. As part of the online advertising program, we work with conversion tracking. After clicking on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that your web browser stores on your end device. Google Ads cookies lose their validity after 30 days and are not used to personally identify users. The cookie allows Google and us to recognize that you have clicked on an ad and have been redirected to our website. Each Google Ads customer receives a different cookie. The cookies cannot be tracked via websites of Ads customers. Conversion cookies are used to generate conversion statistics for Ads customers who use conversion tracking. Ads customers find out how many users clicked on their ad and were redirected to pages with a conversion tracking tag. However, Ads customers do not receive any information that allows users to be personally identified. If you do not wish to participate in tracking, you can object to its use. In this case, the conversion cookie must be deactivated in the user settings of the browser. This also prevents inclusion in the conversion tracking statistics. The storage of "conversion cookies" is based on Art. 6 para. 1 lit. f) GDPR. As the website operator, we have a legitimate interest in analyzing user behavior in order to optimize our website and our advertising. Details on Google Ads and Google Conversion Tracking can be found in Google’s privacy policy: With a modern web browser, you can monitor, restrict or prevent the setting of cookies. Deactivating cookies may result in limited functionality of our website.

5.5. Google Web Fonts

Our website uses web fonts from Google. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By using these web fonts, it is possible to present you with the presentation of our website that we desire, regardless of which fonts are available to you locally. This is done by retrieving the Google Web Fonts from a Google server in the USA and the associated transfer of your data to Google. This involves your IP address and which of our pages you have visited. The use of Google Web Fonts is based on Art. 6 para. 1 lit. f) GDPR. As the operator of this website, we have a legitimate interest in the optimal presentation and transmission of our website. You can find details about Google Web Fonts at: and further information in Google’s privacy policy:

5.6. Video content - YouTube

Our website uses plugins from YouTube to integrate and display video content. The provider of the video portal is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When a page with an integrated YouTube plugin is accessed, a connection to the YouTube servers is established. This tells YouTube which of our pages you have visited. YouTube can assign your surfing behavior directly to your personal profile if you are logged into your YouTube account. You can prevent this by logging out beforehand. The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f) GDPR. Details on the handling of user data can be found in YouTube’s privacy policy at:

6. Social Media

AssetMetrix GmbH does not use so-called social media plug-ins ("plug-ins") to display texts from social networks such as Twitter, Facebook or Instagram on this website, so that no personal data is initially passed on to the social media providers when this website is accessed. By clicking on the content of social media providers on our website, no notice appears. However, you will leave this website and switch to the page of a third-party provider. AssetMetrix GmbH has no influence on the data collected by the provider and its further processing. The purpose and scope of the data collection and the further processing and use of the data by the providers as well as your rights in this regard and setting options to protect your privacy can be found in the data protection declarations of the respective provider.

7. Information on data protection in connection with whistleblowing

In the following, we would like to inform you about the collection, processing and use of personal data when you submit a report through AssetMetrix Internal Reporting Channel. Therefore, please read this data protection information very carefully before submitting a report.

7.1. Purpose of the whistleblower system and data processing

The purpose of the whistleblower system is to receive and process reports of (suspected) violations of the law or serious internal breaches of regulations or policies in a secure and confidential manner. The processing of personal data as part of the whistleblower system is based on the legitimate interest of AssetMetrix GmbH in the detection and prevention of wrongdoing and the associated prevention of damage and liability risks for AssetMetrix GmbH (Art. 6 para. 1 lit. f GDPR in conjunction with Sections 30, 130 OWiG). In addition, Section 4.1.3 of the German Corporate Governance Code requires the establishment of a whistleblower system to give employees and third parties the opportunity to report legal violations in the company in a protected manner. If the information received concerns an employee of AssetMetrix GmbH, the processing also serves to prevent criminal offenses or other legal violations in connection with the employment relationship (Section 26 (1) BDSG). The processing of your identification data is based on your consent (Art. 6 para. 1 lit. a GDPR), which is given by the fact that the notification can also be submitted anonymously. As a rule, consent can only be withdrawn within one month of receipt of the notification, as AssetMetrix GmbH is obliged in certain cases under Art. 14 para. 3 lit. a GDPR to inform the accused person of the allegations made against them and the investigations carried out within one month. This also includes the storage, the type of data, the purpose of the processing, the identity of the controller and – if legally required – of the reporting party, so that it is no longer possible to stop the data processing or delete the identification data. The revocation period may be shortened, e.g. if the type of notification requires the immediate involvement of an authority or a court, because as soon as a disclosure has been made to the authority or the court, the identification data is in the case files of both AssetMetrix GmbH and the authority or the court.

7.2. Processing of your personal data

Use of the whistleblower system is voluntary. We collect the following personal data and information when you submit a report:

  • Your name, if you disclose your identity,

  • Your contact details, if you provide them to us,

  • the fact that you have made a report via the whistleblower system,

  • whether you are employed by AssetMetrix GmbH and

  • where applicable, names of persons and other personal data of the persons named in the notification.

The data submitted to the whistleblower system is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorized employees of AssetMetrix GmbH. The employees check the reported facts and, if necessary, carry out further case-related clarification of the facts; the data is always treated confidentially. However, confidentiality cannot be guaranteed if false information is knowingly posted with the aim of discrediting a person (denunciation). In certain cases, AssetMetrix GmbH is obliged under data protection law to inform the accused person of the allegations made against them. This is required by law if it is objectively clear that providing information to the accused person can no longer affect the concrete clarification of the information. As far as legally possible, your identity as the reporting party will not be disclosed and it will also be ensured that no conclusions can be drawn about your identity. As part of the processing of reports or an investigation, it may be necessary to pass on information to other employees of AssetMetrix GmbH or employees. If necessary for the clarification, a transfer to a country outside the European Union or the European Economic Area may take place on the basis of suitable or appropriate data protection guarantees for the protection of data subjects. Please note that not all third countries have a level of data protection recognized as adequate by the European Commission. For data transfers to third countries where there is no adequate level of data protection, we ensure that the recipient either has an adequate level of data protection (e.g. adequacy decision of the EU Commission or agreement of so-called EU standard contractual clauses of the European Union with the recipient) or that our users have given their express consent before the data is transferred. We always ensure that the relevant data protection regulations are complied with when passing on information. In the event of a corresponding legal obligation or a requirement under data protection law for the disclosure of information, other possible categories of recipients include law enforcement authorities, antitrust authorities, other administrative authorities, courts and international law firms and auditing firms commissioned by AssetMetrix GmbH. Every person who receives access to the data is obliged to maintain confidentiality.

7.3. Duration of storage

Personal data is stored for as long as required for clarification and final assessment, a legitimate interest of the company or a legal requirement exists. This data is then deleted in accordance with legal requirements. The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty.

8. Your rights as a data subject

You are entitled to the following rights as a data subject:

8.1. Right to information

In accordance with Art. 15 GDPR, you are entitled at any time to request confirmation from us as to whether we are processing personal data concerning you; if this is the case, you are also entitled in accordance with Art. 15 GDPR to receive information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your data. The restrictions of § 34 BDSG apply.

8.2. Right to rectification

In accordance with Art. 16 GDPR, you are entitled to demand that we correct the personal data stored about you if it is inaccurate or incorrect.

8.3. Right to erasure

You are entitled, under the conditions of Art. 17 GDPR, to demand that we delete personal data concerning you immediately. The right to erasure does not exist if the processing of personal data is necessary, e.g. to fulfill a legal obligation (e.g. statutory retention obligations) or to assert, exercise or defend legal claims. In addition, the restrictions of § 35 BDSG apply.

8.4. Right to restriction of processing

You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

8.5. Right to data portability

You are entitled, under the conditions of Art. 20 GDPR, to demand that we provide you with the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format.

8.6. Right of withdrawal

You can withdraw your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected. An informal notification, e.g. by email to us, is sufficient to declare your revocation.

8.7. Right of objection

You are entitled to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must stop processing your personal data. The right to object exists only within the limits provided for in Art. 21 GDPR. In addition, our interests may conflict with the termination of processing, so that we are entitled to process your personal data despite your objection. We will consider an objection to any direct marketing measures immediately and without weighing up the existing interests again.

Information about your right to object in accordance with Art. 21 GDPR:

You have the right to object at any time to the processing of your data on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR (data processing on the basis of a balancing of interests) or Art. 6 para. 1 sentence 1 lit. e GDPR (data processing in the public interest) if there are reasons for this arising from your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. The objection can be made informally and should preferably be addressed to

8.8. Right to lodge a complaint with a supervisory authority

As a data subject, you have the right to lodge a complaint with the competent supervisory authority in the event of a breach of data protection law. The competent supervisory authority for our company with regard to data protection issues is BayLDA – Das Bayerische Landesamt für Datenschutzaufsicht ( and can be reached at

P.O. Box 1349 91504 Ansbach Germany


Also online: Submit an online complaint (

Other concerns: For further data protection questions and concerns, please contact our data protection officer. Corresponding inquiries and the exercise of your aforementioned rights should, if possible, be sent in writing to our address given above or by e-mail to

9. Links to websites of other providers

Our websites may contain links to websites of other providers that are not covered by this privacy policy. If the collection, processing or use of personal data is associated with the use of the websites of other providers, please refer to the data protection information of the respective providers.

10. Protecting the privacy of people under the age of 16 on the internet

We do not knowingly collect personal data from minors (under the age of 16) or use it in any way. As a rule, we do not learn the age of visitors to our website. However, we have not taken any special measures to protect such data to any particular extent. No personal data may be transmitted to persons under the age of 16 without the express consent of their parents or guardians.

11. The security of your data

The data you provide to AssetMetrix GmbH is protected by suitable technical and organizational means with the aim of securing your data against manipulation, loss, destruction, access by unauthorized persons or unauthorized disclosure to third parties, whether accidental or intentional. Our security measures are continuously monitored and improved in line with technological developments and organizational possibilities.

12. Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our website available to you without restriction or answer your inquiries to us. Personal data that we do not necessarily require for the above-mentioned processing purposes is marked accordingly as voluntary information.

13. Automated decision-making/profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

14. Update amendment of this privacy policy

Please note that this privacy policy will be updated regularly to reflect any changes that may have occurred in our treatment of your personal data or in the applicable legal situation.

The current status is January 2024.

Discover the power of our solutions

Better understand how we deliver on promise. Experience the platform in action, take the opportunity to meet our experts, and challenge them on your specific needs.