Privacy Notice Pursuant to GDPR

This Privacy Notice provides mandatory information regarding the transparency of personal data processing, as required under Articles 13 and 14 of the European General Data Protection, Regulation (EU) 2016/679 (“GDPR”), and other data protection laws applicable in the member states of the European Union (“EU”). 

Wherever your personal data is processed, you are a “data subject” as defined in GDPR. So that this Privacy Notice is as clear and understandable as possible, the word “you” is used interchangeably with the words “data subject”. Many other terms within this Privacy Notice are also defined terms under GDPR. 

1. Who is the “Controller”

The controller is: Lora McInturf

                      The Inner Advocate (Executive Coaching with Lora McInturf)

                       Schafstr. 12/1

                       71394 Rommelshausen (Germany)

                        lora.mcinturf@outlook.com

                        +49 (0) 160 / 3414 569

2. Your Personal Data 

The controller can be contacted as provided above. If you contact the controller through one of these channels, then the personal data transferred about you will be stored automatically by the controller. (If the controller obtains personal data from a source other than the individual it relates to, such as through a third party referral, then the personal data transferred will be stored automatically by the controller and the individual will be notified.)

Before, while and after the coaching agreement is in effect, the following information about you (“personal data”) could be processed by the controller: 

●     Name

●     Phone number

●     Email address

●     Billing information, including address

●     Client location (for time zone considerations)

●     Curriculum Vitae (or Resume)

●     The entire contract with corresponding details (including parties, term, coaching package, cancelation, etc.)

●     Start and end date of our coaching relationship

●     Actual number of paid and/or pro bono coaching hours together

●     Name of referral - individual name and corresponding company (if applicable)

●     Client category (for example: lawyer, expat, job change, other)

●     Information given on questionnaires or other forms, such as feedback forms, before, during, or after the coaching relationship

3.  The Purposes of Processing Your Personal Data

The controller’s purposes of processing your personal data are:

1. To facilitate the controller and client reaching a coaching agreement or to perform the coaching agreement itself, which may include follow-up with the client after the coaching agreement is complete from a contractual standpoint.

2. To maintain a written log of personal data (consisting of information such as client’s name; client’s email address and/or phone number; the start and end date of the coaching relationship; and the number of paid and/or pro bono hours of coaching) (a “Client Coaching Log”) in the event a third party, such as a coaching organization (the ICF, for example), requests evidence to verify the controller’s coaching experience for purposes of credentialing or other professional certification (an "audit").

3. To identify the types of clients that result in a coaching agreement with the controller, the legitimate interest being to get a clearer understanding of the controller’s executive coaching business for purposes of improving coaching services offered by the controller to future clients.

4. To comply with applicable law where release of information is required, including: illegal activity; pursuant to a valid court order or subpoena; imminent or likely risk of danger to self or to others; and any other instances when applicable law requires release of information.

5. To collect feedback from clients for purposes of improving coaching services offered by the controller to future clients.

4. Legal Bases for Processing Personal Data

The controller processes your personal data under one or more of several legal bases, as further set forth in GDPR. These legal bases are summarized as follows:

Legal Basis —> GDPR §

Consent - Where the controller obtains the data subject’s consent to the processing of personal data. —> §6(1)(a)

Contract - Where the processing of personal data is required for the performance of a contract to which the data subject is party (including processing activities required to perform steps prior to entering into a contract).—>§6(1)(b)

Legal Obligation - Where the processing of personal data is required for compliance with a legal obligation to which the controller is subject.—>§6(1)(c)

Vital Interests - Where the processing of personal data is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.—>§6(1)(d)

Legitimate Interests - Where the processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.—>§6(1)(f)

5. Routine Erasure, Blocking, and Storage Period of Your Personal Data

Your personal data must be stored for the period of time prescribed by European or national lawmakers as set forth in EU regulations, laws or other rules governing the controller.  For example, at a minimum, your personal data will be stored for the duration of the applicable legal retention period under German tax law, which is 10 years.

After applicable retention periods expire, your personal data will be deleted as a matter of routine, unless it is necessary for the controller to continue to process or store your personal data to (a) achieve further contract initiation or performance between the controller and you, (b) prove the controller’s coaching experience in an audit, or (c) as otherwise described in this Privacy Notice. 

Once the storage periods required by applicable regulations expire or the purpose of storing the data no longer applies, whichever occurs later, your personal data will be blocked or erased as a matter of routine and in accordance with EU and German laws.

6. Your Rights (“Rights of the Data Subject”)

Wherever your personal data is processed, you are a data subject, as defined in GDPR, and you have the following rights vis-à-vis the controller:

6.1       Right of Access to Data / Copies of Data

You can require the controller to confirm whether or not she processes personal data concerning you. If the controller does, then you have the right to request the following information from the controller:

a.         the purposes of the processing;

b.         the categories of personal data concerned;

c.         the recipients or categories of recipient to whom your personal data have been or will be disclosed;

d.         the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e.         the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;

f.          the right to lodge a complaint with a supervisory authority;

g.         where the personal data is not collected from the data subject, any available information as to their source; and

h.         the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You also have the right to be told whether your personal data is being or has been transferred to a third country or an international organization. In this context, you have the right to be informed of the appropriate safeguards described in GDPR Article 46 relating to the transfer. Please see Section 9 below for more information.

6.2       Right to Rectification of Errors

You have the right to obtain from the controller the rectification and/or completion of processed personal data concerning you if the data is inaccurate. The controller must rectify the data without undue delay.

6.3       Right to Deletion / Right to be Forgotten

6.3.1.   You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

a.         your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

b.         you withdraw consent on which the processing is based according to GDPR Articles 6(1)(a) or 9(2)(a), and where there is no other legal ground for the processing;

c.         you object to the processing pursuant to GDPR Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to GDPR Article 21(2);

d.         your personal data has been unlawfully processed;

e.         your personal data has to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject; or

f.          your personal data has been collected in relation to the offer of information society services referred to in GDPR Article 8(1).

6.3.2.   Where the controller has made your personal data public and is obligated pursuant to GDPR Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, such personal data.

6.3.3.   The right to erasure does not apply to the extent that processing is necessary

a.         for exercising the right of freedom of expression and information;

b.         for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c.         for reasons of public interest in the area of public health in accordance with GDPR Article 9(2) points (h) and (i) as well as Article 9(3);

d.         for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article GDPR 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e.         for the establishment, exercise or defense of legal claims.

6.4       Right to Restrict Processing

You have the right to obtain from the controller a restriction of processing in any of the following circumstances:

a.         you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;

b.         the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

c.         the controller no longer needs the personal data for the purposes of the processing, but you require the data for the establishment, exercise or defense of legal claims; or

d.         you have objected to processing pursuant to GDPR Article 21(1) pending the verification whether the legitimate grounds of the controller override yours.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. If you have obtained a restriction of processing through the above requirements, then you will be informed by the controller before the restriction of processing is lifted.

6.5       Right to Notification

If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller must communicate any rectification or erasure of personal data or restriction of processing to every recipient to whom the personal data has been disclosed, unless this proves impossible or impracticable. The controller must inform you of these recipients if you request it.

6.6       Right to Data Portability

You have the right to receive your personal data which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:

a.         the processing is based on consent pursuant to GDPR Article 6(1)(a) or 9(2)(a) or on a contract pursuant to GDPR Article 6(1)(b); and

b.         the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The rights and freedoms of others must not be adversely affected by this right. 

6.7       Right to Object to Processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on GDPR Article 6(1)(e) or (f), including profiling based on those provisions.

a.              The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

b.              Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

c.              Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

6.8       Right to Withdraw Consent to Processing

Where you have given your consent, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

6.9       Right to Object to Automated Processing / Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

a.         is necessary for entering into, or performance of, a contract between you and the controller;

b.         is authorized by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

c.         is based on your explicit consent.

Such decisions must not be based on special categories of personal data referred to in GDPR Article 9(1), unless GDPR Article 9(2)(a) or (g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (a) and (c), the controller must implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

6.10     Right to Complain to a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

The supervisory authority with which the complaint has been lodged must inform the complainant of the progress and the outcome of the complaint including the possibility of a judicial remedy under GDPR Article 78.

8. Transfers of Your Personal Data to Third Parties

Your personal data is stored primarily for the purpose of processing and facilitating a coaching agreement with you. The controller does not share your personal data with third parties, except in the following limited instances:

a.     If your personal data is related to: illegal activity; pursuant to a valid court order or subpoena; and any other instances when applicable law requires release of information. Please see GDPR §6(1)(c) and the ICF Code of Ethics.

b.     If your personal data is related to imminent or likely risk of danger to self or to others. Please see GDPR §6(1)(d) and the ICF Code of Ethics.

c.     If the controller is subject to an audit. Where such audit of a controller is conducted by a third party inside the defined European Economic Area for purposes of GDPR (the “EEA”), then the controller will notify you that your personal data is subject to such audit. In that case, the controller will request a copy of the third party’s data privacy policy and provide that to you so that you are aware of how your personal data will be handled by that third party. Please see Section 9 below for the special case where a transfer of your personal data is made outside the EEA.

9. Transfers of Your Personal Data to Third Countries

In the event the controller is the subject of an audit by a third party that is established outside of the EEA (the “third country organization”), then the controller will notify you that your personal data is subject to an audit by a third country organization.  

There are possible additional risks when your personal data is transferred to a third country organization outside of the EEA. One such risk is that the third country organization is not subject to the same data privacy legal obligations concerning your personal data as set forth in GDPR. Additionally, your personal data may not be given similar legal protections in that country outside of the EEA as what is provided for in the EU by GDPR.

In response to these risks, the controller will request a copy of the third country organization’s data privacy policy and provide you with the copy so that you are aware of how the third country organization will handle your personal data. The controller will also assure that only the minimum amount of personal data is transferred to the third country organization and in the safest way possible so as to minimize risk to you and your personal data. 

10. Cookies Through This Website

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. This website asks for visitors’ confirmation to use cookies (through a cookie consent banner).

For further information about cookies, visit allaboutcookies.org.

a.     How are cookies used?

Squarespace, the website host for The Inner Advocate, places cookies on your browser to help this site run effectively, provide the best experience for its visitors, and help to learn more about traffic to this website. 

b.     What types of cookies are used?

There are a number of different types of cookies. This website uses cookies for the purpose of functionality and analytics. 

c.     How can you manage cookies?

If you provide confirmation to the cookie consent banner, then analytic information will be collected from you through cookies (or similar technology). When you click the confirmation message on this website’s cookie consent banner, you won’t see the message again for 30 days unless you clear your cookies.

If you do not provide confirmation, then analytic cookies are restricted from being collected. Additionally, you may set your browser to not accept cookies. (Please visit www.allaboutcookies.org to learn how to remove cookies from your browser.) However, in removing cookies from your browser, some of the website features may not function as a result.

11. Privacy Policies of Other Websites

This website contains links to other websites. This privacy policy applies only to this website; therefore, if you click on a link to another website, then you should read their privacy policy.

12. Changes to This Privacy Policy

This privacy policy is regularly reviewed and places any updates on this web page. This privacy policy was last updated on 1 May 2020.