Applies to: all Soulhouse entities (DE, AT, ES) and all staff, including Experts and contractors.
1. Purpose
This policy sets out how Soulhouse handles personal data and the responsibilities of everyone working for or with Soulhouse. It is the umbrella document referenced by all other data protection materials.
2. Scope
This policy applies to:
- All Soulhouse legal entities and studios
- All employees, Experts, freelancers, contractors and interns
- All processing of personal data, regardless of format (digital or paper) or location (HQ, studios, on the road)
3. Definitions (short)
- Personal data — any information relating to an identified or identifiable natural person.
- Special category data — data revealing racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health, sex life or sexual orientation (Art. 9 GDPR). Treatment-relevant health information (e.g. contraindications on intake forms) is special-category data at Soulhouse.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, deletion).
- Controller — Soulhouse, since we determine the purposes and means of processing customer and employee data.
- Processor — a third party that processes data on our instructions (booking software, payroll, etc.).
- Data subject — the person whose data is processed (customer, employee, applicant, prospect).
4. Principles (Art. 5 GDPR)
Soulhouse processes personal data in line with the following principles. All staff are expected to apply them in their daily work:
- Lawfulness, fairness and transparency — there is always a documented legal basis; customers know what we do.
- Purpose limitation — data is collected for specified purposes and not reused for incompatible new ones.
- Data minimisation — only the data needed for the purpose is collected.
- Accuracy — data is kept correct and up-to-date.
- Storage limitation — data is retained only as long as needed (retention schedule in the RoPA).
- Integrity and confidentiality — appropriate security measures are in place (see TOMs, document 03.1).
- Accountability — Soulhouse is responsible for and can demonstrate compliance.
5. Roles and responsibilities
See 01.3 — Roles & Responsibilities Matrix. In short:
- Management — accountable for compliance, provides resources, signs off policies.
- DPO — advises, monitors compliance, and is the point of contact for authorities and data subjects.
- Department leads (Operations, Marketing, IT, HR, Finance) — own the processing activities in their area, keep the RoPA accurate, decide on vendors with DPO sign-off.
- All staff and Experts — handle personal data per policy and instructions, report incidents immediately.
6. Legal bases used at Soulhouse
7. Data subject rights
Soulhouse honours every right granted by GDPR Art. 15–22. Requests are handled per the DSR SOP (05.1) within one month of receipt; where a request is complex or several arrive at once, this may be extended by up to two further months, provided the data subject is told of the extension and the reason within the first month (Art. 12(3)).
8. Information obligations
Customers and other data subjects receive a clear privacy notice whenever data is collected (folder 04). The notices are kept current and aligned with the RoPA.
9. Working with processors and sub-processors
No vendor receives personal data without:
- Inclusion in the Vendor Register (06.1)
- A signed DPA meeting Art. 28 requirements (06.2)
- A documented transfer mechanism if data leaves the EU/EEA
10. Security (TOMs)
Soulhouse implements technical and organisational measures appropriate to the risk (03.1). All staff must follow the access control, password and device rules set out there.
11. Personal data breaches
Any suspected breach must be reported immediately to datenschutz@soulhouse.me (a group mailbox forwarding to the DPO) and, in parallel, to the Soulhouse main contact line +49 40 80813059. Soulhouse does not currently operate a 24/7 on-call rota; reports received outside business hours are picked up at the start of the next business day. The 72-hour window for notifying the supervisory authority under Art. 33 GDPR runs from the moment Soulhouse becomes aware of a breach, so staff must report on the same day they notice something and must not delay a report in order to confirm the details first. The Breach SOP (07.1) drives the full response. The DPO's direct firm contact is held in the internal DPO Appointment Letter (01.1) for the Breach Response Lead to use when an acute incident requires immediate escalation; it is not published outside the framework.
12. Training and awareness
All staff complete data protection training at onboarding and a refresher annually. Studio-specific training covers the handling of health intake forms and customer confidentiality.
13. Review
This policy is reviewed at least annually by the DPO, or when triggered by a material change in processing, law, or organisational structure.
14. Approval
This Data Protection Policy was approved on 15 January 2026 by the management of Soulhouse GmbH and is binding on all entities of the Soulhouse Group from that date.
The signed appointment instrument and supervisory-authority notification (HmbBfDI) are held in 01_Framework_and_Governance/01.1_DPO_Signed_Contract/. Counter-signed copies of subsequent revisions of this policy are added to the framework approval register at each annual review.
