Privacy policy

Kramer Consulting SARL‑S
RCS B284903 · VAT LU35729347
18, Rue du Nord, L‑7242 Helmsange, Grand Duchy of Luxembourg
Email: info@kramerconsulting.lu
Effective date: 24 June 2025

1. Who we are

Kramer Consulting SARL‑S ("we", "our", "us") is a Luxembourg‑registered single member limited liability company that helps organisations navigate EU regulation through consulting, learning & development and project management services. We act as data controller for the personal data described below (Article 4 (7) GDPR).¹

We do not appoint a statutory Data Protection Officer because our scale and type of processing do not require one under Article 37 GDPR.

Questions? Write to us at info@kramerconsulting.lu or by post at the address above.

2. How we obtain personal data

• When you request a proposal or consultancy service.
• When you attend one of our workshops, webinars or events.
• When you subscribe to our MailerLite mailing list or download a lead magnet.
• When you browse our websites (tomaszkramer.com, kramerconsulting.lu) – cookies are managed via Squarespace’s standard banner; a detailed cookie policy will be published at launch.
• When you interact with us on LinkedIn or similar platforms.
• When you correspond with us by email or telephone.

3. Personal data we process

Identity & contact data – name, job title, organisation, email, telephone, postal address.
Professional information – sector, project role, areas of interest, workshop‑attendance records.
Contract & billing data – purchase order details, VAT number, bank transfer references.
Marketing preferences – mailing list subscription status, email engagement metrics.
Website usage – IP address, browser user‑agent, pages visited (aggregated analytics).

We do not intentionally collect special category data (e.g. health, ethnicity). Please avoid sending such information unless strictly necessary.²

4. Legal bases for processing

• Contract (Art. 6 (1)(b)) – to prepare or perform a contract with you or your organisation.
• Legitimate interest (Art. 6 (1)(f)) – e.g. to maintain our EU‑hosted CRM (HubSpot EU1), protect against fraud or run proportionate marketing to existing contacts; we balance these interests against your rights.
• Legal obligation (Art. 6 (1)(c)) – to meet Luxembourg tax and accounting rules, which require 10‑year record‑keeping.³
• Consent (Art. 6 (1)(a)) – when you voluntarily join our mailing list or accept non‑essential cookies; you may withdraw consent at any time.

5. Purposes of processing

• Service delivery – proposal drafting, workshop facilitation, reporting (Contract).
• Client management – CRM updates, follow‑up emails, feedback surveys (Legitimate interest).
• Marketing & thought leadership – newsletters, LinkedIn outreach, event invitations (Consent or Legitimate interest).
• Finance & compliance – invoicing, bookkeeping, audit trail, regulatory filings (Legal obligation).

6. Sharing your data

• Service providers – MailerLite (email marketing, EU servers), HubSpot EU1 (CRM), Google Workspace (EU region), Squarespace (website hosting & CMS; Standard Contractual Clauses in place).
• Professional advisers – accounting firm, legal counsel.
• Public authorities – CNPD, tax office or courts where legally required.

All vendors are contractually bound to safeguard your data and, where applicable, rely on Standard Contractual Clauses (SCCs) for transfers outside the EEA.

7. International transfers

Our primary storage locations are in the European Economic Area. If we transfer data outside the EEA, we use an adequacy decision (Article 45 GDPR) or SCCs (Article 46 GDPR).¹ You may request a copy of the relevant safeguards.

8. Data retention

• Contract & billing records – 10 years from fiscal year‑end (Luxembourg Commercial Code).³
• Prospective‑client data (no engagement) – 3 years after last contact.
• Mailing‑list subscription data – until you unsubscribe or 2 years of inactivity.
• Workshop attendance logs – 5 years to evidence training provided (Ministry of Education accreditation).

9. Your rights

Under Articles 15–22 GDPR you may:
• request access to your data;
• rectify inaccurate data;
• erase data (“right to be forgotten”);
• restrict processing;
• object to processing based on legitimate interest or direct marketing;
• receive your data in a portable format.

To exercise a right, email tomasz@kramerconsulting.lu. We will respond within one month.

If you believe we have infringed your rights, you can lodge a complaint with the Luxembourg Commission Nationale pour la Protection des Données (CNPD): 15 Boulevard du Jazz, L‑4370 Belvaux, Luxembourg · www.cnpd.lu · info@cnpd.lu.

10. Security measures

We apply technical and organisational safeguards including:
• TLS‑encrypted email and web traffic.
• Multi‑factor authentication for cloud services.
• Least‑privilege access controls.
• Annual security review.

11. Updates to this notice

We may update this notice to reflect legal, technical or business changes. The latest version is always available on our website. Previous versions are archived for accountability (Article 5 (2) GDPR).¹

Footnotes / References

  1. Regulation (EU) 2016/679 (General Data Protection Regulation), OJ L 119, 4 May 2016, p. 1–88, EUR‑Lex.

  2. GDPR, Article 9 (1) – special categories of personal data.

  3. Code de commerce (Luxembourg), Article L.123‑22 – 10‑year retention of accounting records, consolidated 12 January 2024, Legilux.