DSGVO Wissen
Website Privacy – Overview

EQS IR Services and Data Protection – What Belongs in the Privacy Policy

Concise guide to EQS IR Services: integration functions, processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

EQS IR Services and Data Protection – What Website Operators Need to Know

If a website operator (in particular a publicly listed company) uses IR services from EQS, they typically integrate news widgets, IR website modules, or investor relations tools on their corporate website and thereby process access data and, where applicable, user account data of website visitors for the purpose of providing investor relations content and compliance documentation. This information is based on provider statements and publicly accessible sources.

A. Purpose and Function of EQS IR Services

EQS Group AG is a leading provider of software and services for publicly listed companies, in particular for:

  • Investor Relations (IR)
  • Corporate Compliance & Governance
  • Data Privacy Management
  • Whistleblowing systems (Integrity Line)

The EQS IR Services comprise several integration functions for corporate websites:

  1. EQS News Widget / News Feed: Automatic display of press releases and regulatory news on the IR website
  2. IR Website & Reports: Fully integrated IR website modules with embedded news, stock charts, investor profiles, contact forms
  3. EQS Stock Chart: Automatic integration of share price data and corporate news in the chart
  4. Contact forms and request management: Forms for investor enquiries

When integrating these modules, website access data and where applicable user data are collected and processed.

B. Mandatory Disclosures in the Privacy Policy on EQS IR Services

Under the GDPR, the operator must disclose the following information on EQS IR Services:

  • Purpose (Art. 13(1)(c)): Provision of investor relations content, compliance documentation, user request management
  • Legal basis (Art. 13(1)(a)/(f)): Legitimate interests of the company in investor relations + where applicable consent for tracking elements
  • Recipients (Art. 13(1)(e)): EQS Group AG as processor or joint controller (depending on configuration)
  • Third-country transfer (Art. 13(1)(f)): To be verified by the operator; according to the provider in some cases US infrastructure (AWS)
  • Retention period (Art. 13(2)(a)): Depending on use and consent

Note: Tool-specific text templates are problematic. Better: a topic-oriented structure (e.g. "Investor relations and website analysis") with an enumeration of data recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of EQS IR Services: EQS Group AG

D. Data Processing by EQS IR Services – Procedure

Collection

When visiting an IR website with integrated EQS modules, the following are recorded: IP address, date/time, browser agent, device information, URL referrer, clicks on news items, clicked links. If users fill in contact forms: name, email address, message, where applicable telephone.

Storage

EQS stores the data collected in its systems; according to the provider: in part in EU data centres (Germany, Ireland), in part on AWS (USA). Exact storage locations are to be verified by the operator. Retention period: To be clarified by the operator.

Use

EQS uses the data for: Provision of IR functionality, analysis of investor engagement, improvement of news distribution, security of the platform.

Disclosure

Sub-processors: Cloud infrastructure (AWS, where applicable Google Cloud), HubSpot (for website tracking and CRM). Third-country transfer to USA: To be verified by the operator; SCC/Standard Contractual Clauses required.

Deletion

Access data is deleted after expiry of the retention period. Contact requests: Retention depending on compliance and business requirements (to be defined by the operator).

E. Data Collected When Using EQS IR Services

EQS records various categories of user data when integrating IR services:

  • Web server log data: IP address, date/time/time zone, request URL, referrer, HTTP status codes
  • Click paths: Pages visited, news items clicked, links clicked, news downloads, timestamps
  • Browser information: Browser name, browser version, user agent string
  • Device data: Device type (desktop/tablet/mobile), operating system, display resolution, language setting
  • Coarse location data: IP-based location at city/municipality level
  • User profiles: If a user account is created: username, email address, login history, favourite news, subscriptions
  • Conversion events: News download, registration for IR alert, contact request, event registration
  • Interaction data: Clicks on news share buttons (LinkedIn, Twitter), dwell time on pages, scroll depth

F. Purposes of Use When Using EQS IR Services

The data is processed for the following purposes:

  • Provision of functionality: Display of news, share price integration, provision of IR functionality
  • User-individual product improvement: Personalised news recommendations, content optimisation based on user behaviour
  • General product improvement: Analysis of frequently visited content, optimisation of the IR website structure
  • General marketing: Reach analysis of news distributions, success analysis of press releases
  • Compliance: Documentation of news publication and dissemination for stock exchange compliance
  • Communication: Answering investor enquiries via contact forms

Step 1 – Categorisation: EQS IR Services are functional and business optimisation tools for publicly listed companies.

Step 2 – Legal Bases:

  • For provision of functionality (news, IR website): Legitimate interests under Art. 6(1)(f) GDPR. The company has a legitimate interest in disseminating investor relations content.
  • For website tracking and user profiles:
    • With cookieless anonymisation: Legitimate interests Art. 6(1)(f)
    • With cookie use: Consent Art. 6(1)(a) in conjunction with § 25(1) TDDDG
  • For contact forms: Legitimate interests Art. 6(1)(f) (answering enquiries)

Case-by-case examination required: Depending on the scope of EQS integration and whether tracking cookies are used.

H. Special Features and Notes on EQS IR Services

  • Processing relationship required: The operator should clarify whether EQS acts as processor (Art. 28 GDPR) or joint controller (Art. 26 GDPR). A DPA is likely required.
  • Sub-processors and third-country transfers: According to the provider: HubSpot and AWS (USA). Data protection impact assessment (DPIA) recommended; SCC required.
  • Tracking and cookies: The news widget integration may set cookies. The operator must clarify whether tracking cookies are possible without consent or whether user consent is required.
  • Contact forms: Email addresses and names of investors are recorded. Retention period and purpose of disclosure must be clearly documented.
  • Accountability: The operator should document which EQS modules are integrated and which data is processed.

I. FAQ on EQS IR Services

J. Conclusion and Recommendation on EQS IR Services

Summary: EQS IR Services are specialised tools for investor relations. The operator should carry out a data protection impact assessment (DPIA), especially where tracking cookies or sub-processors in the USA are involved.

Common error: Operators copy EQS standard texts for the privacy policy without documenting the specific configuration of their integration. This is not GDPR-compliant under Art. 12(1) GDPR. Better: Document precisely which EQS modules you use, which data flows, and which legal basis applies.

This article serves as general information on EQS IR Services and does not replace legal advice in individual cases. As of: 2026-04-22. The information is based on provider statements and publicly accessible sources.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com

Didomi and Data Protection – What Belongs in the Privacy Policy

Concise guide to Didomi: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

etracker Analytics and Data Protection – What Belongs in the Privacy Policy

Concise guide to etracker Analytics: GDPR-compliant tracking configuration, processed data, legal bases, and what website operators must include in their privacy policy.

On this page

EQS IR Services and Data Protection – What Website Operators Need to KnowA. Purpose and Function of EQS IR ServicesB. Mandatory Disclosures in the Privacy Policy on EQS IR ServicesC. Provider of EQS IR Services: EQS Group AGD. Data Processing by EQS IR Services – ProcedureCollectionStorageUseDisclosureDeletionE. Data Collected When Using EQS IR ServicesF. Purposes of Use When Using EQS IR ServicesG. Legal Bases for EQS IR ServicesH. Special Features and Notes on EQS IR ServicesI. FAQ on EQS IR ServicesJ. Conclusion and Recommendation on EQS IR Services