Landingpage available in the following languages:
or select your TÜV Rheinland region / country website:

Data protection declaration

Data Controller and Data Protection Officer

TÜV Rheinland AG, Executive Board, Am Grauen Stein, 51105 Cologne, Germany

You can reach our data protection officer at
TÜV Rheinland AG, FAO Data Protection Officer, Am Grauen Stein, 51105 Cologne, Germany

Purposes and Legal Basis of Data Processing

We process your personal data in compliance with the GDPR, the local data protection regulations (e.g. BDSG) and all other relevant legal provisions. This applies in particular (but not conclusively) to the purpose of secure, managed data transfers.

a. In order to fulfill contractual obligations (Art. 6 Para. 1 b) GDPR)

The processing of personal data takes place on the basis of the necessity for the purpose of fulfilling a contract or a pre-contractual measure, to which you are or should become a contracting party.

b. Legitimate interests (Art. 6 Para. 1 f) GDPR)

If necessary, we process your data beyond the actual fulfillment of the contract to protect the legitimate interests of us or third parties.

c. On the basis of your consent (Art. 6 Para. 1 a) GDPR)

If you have given us your consent to the processing of personal data for certain purposes (e.g. transfer of data within the group), the lawfulness of the processing is based on your consent. A given consent can be revoked at any time. The revocation of consent does not affect the legality of the data processed until the revocation.

Categories of Personal Data processed

The following data is collected and stored by the TUVbox service:

Designation Affected Users/Retention period Intended use/distribution
to third parties
Randomly generated IDs, technical parameters (Session cookie, Same-site cookies; Remember-me cookie)
all visitors to the site / end of session (closing the browser)
users of the "automatic login" / permanently
Recognition of the user while using the application
Recognition of
the user with "automatic login"
no disclosure to third parties
Log file entries
IP address, timestamp, page accessed, status, amount of data, referrer, user agent
all visitors of the page /
365 days
clarification of improper use,
anonymized statistical evaluation
no disclosure to third parties
Account data (TUVbox Accounts)
User name,
name E-mail address
User with TUVbox account / runtime of the TUVbox account 60 days after last usageSearch for users when sharing content, send of notifications Sharing to all users
PasswordFor accounts of internal employees no permanent storage, direct transfer to authentication serverAuthentication (Login)
Internal, encrypted transfer to the authentication server
Account data (external accounts)
User name, name, e-mail address
external users with account / deletion after 60 days of inactivityThe search for users is not possible for external users.
Passwordexternal users with account / deletion after 60 days of inactivityAuthentication password (login) is stored locally.
No disclosure to third parties
Settings / Properties
Timestamp last login, storage space quota, storage space purchase / runtime, language, personal settings made
User with account / see AccountDetection of inactive users, memory allocation, personalization of the interface, notifications, etc.
No disclosure to third parties
The file exchange is the central function of the system. Only browser use permitted.
User with account / see AccountClients and data synchronization are not provided. The data isshared with defined target persons via e-mail address. The forwarding is not individually adjustable.

Data protection declaration

Recipient of Personal Data

Within the TÜV Rheinland Group, those places who have access to your data to fulfill our contractual and legal obligations are given access. With regard to the transfer of your data to recipients outside the TÜV Rheinland Group, bodies will only receive the data if contractual or legal provisions so require. In addition, we use external processors and service providers who support us to protect our legitimate interests (e.g. ensuring the user help desk).
Other data recipients may be those bodies for which you have given us your consent to the data transfer.

Data transfer to a Third Country

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has confirmed an appropriate level of data protection or if there are other appropriate data protection guarantees (e.g. EU standard contractual clauses).

Duration of Retention

We process and store your personal data as long as it is necessary to fulfill our contractual and legal obligations. If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted or anonymized. It should be noted that the storage period varies depending on the purpose of the data processing.

Rights of the Data Subject

In accordance with Art. 15 GDPR, you have the right to receive information about the data stored about you, including any recipients and the planned retention period. If incorrect personal data is processed, you have a right to correction in accordance with Art. 16 GDPR. If the legal requirements are met, you can request that the processing be deleted or restricted and you can object to the processing (Art. 17, 18 and 21 GDPR). If you believe that the processing of your personal data violates data protection law, you have the right to complain to a data protection supervisory authority of your choice in accordance with Art. 77 (1) GDPR.

The most current version of this data protection declaration applies. As of March 1st,2020.