Privacy Policy
1. General information
This Privacy Policy explains how personal data is processed when you visit and use this website.
This website is a personal professional publication and advisory presence operated under the name CISOsCISO. It provides articles, essays, professional reflections, and contact options related to cybersecurity, information security, digital trust, AI, governance, resilience, and strategic risk.
I process personal data only where this is necessary to operate the website, provide requested content or communication, respond to inquiries, maintain security, or comply with legal obligations.
2. Controller
The controller responsible for the processing of personal data on this website is:
Eckhart Mehler
Julius-Reincke-Stieg 7
20251 Hamburg
Germany
Email: eckhart.mehler@ciosciso.com
Website: http://www.cisosciso.com
3. Hosting and technical operation
This website is operated using the Ghost publishing platform.
Depending on the configuration of this website, technical service providers may process data required for hosting, delivery, security, maintenance, and operation of the website. This may include IP addresses, browser information, device information, operating system, referrer URL, date and time of access, requested pages, and technical log data.
The processing of this data is necessary to make the website available, ensure stability and security, detect misuse or technical errors, and maintain the integrity of the service.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests in secure, reliable, and efficient website operation.
Where service providers process personal data on my behalf, they are used on the basis of appropriate contractual arrangements, including data processing agreements where required.
4. Server log files
When you access this website, technical access data may be automatically collected and stored in server log files.
This may include:
- IP address
- date and time of access
- requested page or file
- browser type and version
- operating system
- referrer URL
- amount of data transferred
- access status or error messages
This data is processed for technical security, troubleshooting, abuse prevention, and operational reliability.
Legal basis: Art. 6(1)(f) GDPR.
Server log files are generally stored only for as long as necessary for the stated purposes, unless longer storage is required for security investigations, legal obligations, or the establishment, exercise, or defence of legal claims.
5. Contact by email or contact form
If you contact me by email or through a contact form, the personal data you provide will be processed for the purpose of handling and responding to your inquiry.
This may include:
- name
- email address
- organization or role, if provided
- content of your message
- date and time of contact
- any additional information you voluntarily provide
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in responding to inquiries.
Where the inquiry relates to a potential advisory, speaking, writing, or professional engagement, the legal basis may also be Art. 6(1)(b) GDPR — steps prior to entering into a contract.
I do not use contact inquiries for unrelated marketing purposes without an appropriate legal basis or your consent.
6. Newsletter, subscriptions, or memberships
If this website offers a newsletter, subscription, or membership function, the data provided during registration will be processed to deliver the requested content and manage the subscription.
This may include:
- email address
- name, if provided
- subscription status
- registration date
- confirmation status
- technical information required for subscription management
- interaction data, where enabled and legally permissible
Newsletter or subscription emails are sent only where a valid legal basis exists, typically consent under Art. 6(1)(a) GDPR or, where applicable, another lawful basis.
You may unsubscribe at any time using the unsubscribe link in the respective email or by contacting me directly.
Where technically available, a double opt-in process may be used to verify subscriptions. Confirmation data may be stored to document consent.
7. Cookies and similar technologies
This website may use cookies or similar technologies where necessary for technical operation, security, login sessions, membership functionality, or subscription management.
Ghost does not set non-essential cookies by default on most standard sites. However, cookies or similar technologies may be used if memberships, login functions, analytics, embedded content, payment services, or third-party integrations are activated.
Strictly necessary cookies are processed on the basis of Art. 6(1)(f) GDPR and, where applicable, relevant national rules for technically necessary access or storage.
Non-essential cookies, analytics cookies, tracking technologies, or similar tools are used only where a valid legal basis exists, usually consent under Art. 6(1)(a) GDPR.
You can manage or delete cookies through your browser settings. Disabling cookies may affect certain website functions.
8. Analytics and reach measurement
This website may use privacy-friendly analytics or reach measurement tools to understand how content is accessed and to improve the website.
Depending on the tool used, processed data may include page views, referrer information, device type, browser type, approximate location, interaction data, or anonymized/pseudonymized usage statistics.
Analytics are used to improve content quality, technical performance, editorial planning, and user experience.
Legal basis: Art. 6(1)(f) GDPR where privacy-friendly, non-invasive analytics are used without personal profiling and where legally permissible.
Where analytics involve non-essential cookies, tracking, profiling, or third-party marketing technologies, the legal basis is consent under Art. 6(1)(a) GDPR.
[If no analytics are used, replace this section with: “This website does not currently use analytics or tracking tools.”]
9. Embedded content and external links
This website may contain links to external websites or embedded content, such as videos, podcasts, social media posts, images, documents, or other third-party materials.
When you access external links or embedded third-party content, the respective third-party provider may process personal data under its own responsibility. This may include IP addresses, browser data, device data, cookies, or interaction data.
I have no control over the data processing of third-party websites or services. Please review the privacy policies of the respective providers.
Where possible and appropriate, I use external links instead of active embeds to reduce unnecessary data transfers.
10. AI-assisted content and data protection
Some content on this website may be drafted, structured, edited, translated, summarized, or refined with the support of commercially available AI-assisted tools.
I do not intentionally publish confidential personal data through AI-assisted tools. Personal data provided through contact inquiries is not used for public content generation unless the person concerned has clearly agreed or the information is otherwise lawfully usable.
Where AI-assisted tools are used for editorial purposes, I aim to avoid entering unnecessary personal data and to retain human editorial responsibility for final publication decisions.
11. Images, stock photography, and visual material
This website may use original images, licensed stock photography, AI-generated or AI-assisted illustrations, screenshots, or other visual materials.
Where images contain identifiable persons or where visual content could create a misleading impression of real events, additional care is taken in selection, licensing, attribution, and contextual presentation.
Image credits and rights information may be provided in the article, image caption, footer, imprint, or another appropriate location, depending on the applicable license and editorial context.
12. Advisory inquiries and professional communication
If you contact me regarding advisory services, speaking engagements, writing, collaboration, interviews, or professional exchange, I may process the information you provide to evaluate, respond to, and manage the respective inquiry.
This may include professional contact details, organizational context, project descriptions, communication history, and scheduling information.
Legal basis: Art. 6(1)(b) GDPR where the processing relates to pre-contractual or contractual communication.
Legal basis: Art. 6(1)(f) GDPR where the processing concerns general professional communication and my legitimate interest in managing inquiries.
13. Data retention
Personal data is stored only for as long as necessary for the purposes described in this Privacy Policy.
Different retention periods may apply depending on the type of data:
- technical log data: usually short-term, unless needed for security or legal purposes
- contact inquiries: retained as long as necessary to respond and manage the communication
- advisory or business-related communication: retained according to applicable contractual, legal, tax, or documentation requirements
- newsletter subscription data: retained for as long as the subscription is active and, where necessary, to document consent or compliance
- legal claims or disputes: retained as long as required to establish, exercise, or defend legal claims
Where data is no longer required, it will be deleted or anonymized unless legal retention obligations apply.
14. Recipients of personal data
Personal data may be processed by technical service providers, hosting providers, email providers, newsletter providers, analytics providers, security providers, or other processors where necessary for the operation of this website and communication with users.
Personal data is not sold.
Data is disclosed to third parties only where necessary for the purposes described in this Privacy Policy, where required by law, where necessary to protect legitimate interests, or where you have given consent.
15. International data transfers
Some service providers or technical platforms may process personal data outside the European Economic Area.
Where personal data is transferred to countries outside the European Economic Area, I aim to ensure that appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, data processing agreements, or other legally recognized mechanisms.
The specific situation depends on the service providers and integrations actually used by this website.
16. Your rights
Under the GDPR, you have the following rights, subject to the applicable legal requirements:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object to processing based on legitimate interests
- right to withdraw consent at any time with effect for the future
- right to lodge a complaint with a supervisory authority
To exercise your rights, please contact me using the contact details provided above.
17. Right to object
Where personal data is processed on the basis of Art. 6(1)(f) GDPR, you have the right to object to the processing on grounds relating to your particular situation.
If you object, I will no longer process the personal data unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.
18. Withdrawal of consent
Where processing is based on consent, you may withdraw your consent at any time with effect for the future.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
19. Security
I use reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.
However, internet-based communication can never be guaranteed to be completely secure. Please avoid sending highly confidential or sensitive information through unsecured communication channels unless appropriate protective measures have been agreed.
20. Updates to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect changes in legal requirements, technical setup, website functionality, service providers, or editorial practices.
Last updated: 05.06.2026