With this data protection information, we inform you (also referred to as “user” or “data subject” in the following text) in a general manner about data processing in our law firm and in a special manner about data processing in the context of calling up our website, contacting us via our website contact form, contacting us by e-mail or telephone and in the context of registering to receive our newsletter. Furthermore, we inform you about data processing during video conferences and about your rights with regard to the processing of your data. The term “data processing” always refers to the processing of personal data.
1. Name and address of the person responsible
The responsible person in the sense of the data protection basic regulation as well as other data protection legal regulations is:
Mr Tilmann Lahann, Attorney at Law
Telephone: (+) 49 (0) 681 370320
2. General information on data processing
2.1 Categories of personal data
We process the following categories of personal data:
- Existing data (e.g. names, addresses, functions, organisational affiliation etc.);
- contact data (e.g. e-mail, telephone/fax numbers etc.);
- content data (e.g. text entries, image files, videos etc.);
- usage data (e.g. access data);
- meta/communication data (e.g. IP addresses).
2.2 Recipients or categories of recipients of personal data
If, in the course of our processing, we disclose data to other persons and companies such as web hosters, contract processors or third parties, transfer it to them or otherwise grant them access to the data, this is done on the basis of a legal authorisation (e.g. if transfer of the data to third parties is required in accordance with Art. 6 para. 1 lit. b GDPR for the fulfilment of a contract), if the per-sons concerned have consented or a legal obligation provides for this.
2.3 Duration of storage of personal data
The criterion for the duration of the storage of personal data is the respective legal retention period. After expiry of the period, the corresponding data will be deleted if they are no longer required for achieving the purpose, fulfilling the contract or initiating a contract.
2.4 Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Eco-nomic Area (EEA)) or if this is done in the context of using the services of third parties or if we dis-close or transfer data to third parties, this only takes place if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data in a third country if the special conditions of Art. 44 ff. GDPR, i.e. the processing is carried out, for example, on the basis of special guarantees, such as the officially recognised de-termination of a level of data protection equivalent to that in the EU or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
3. Data processing within the scope of visiting our website
3.1 Log files
Every time a data subject accesses our website, general data and information are stored in the log files of our system:
- Date and time of the retrieval (time stamp);
- request details and destination address (protocol version, HTTP method, referrer, UserAgent string);
- name of the retrieved file and transferred data volume (requested URL incl. query string, size in bytes);
- message whether the retrieval was successful (HTTP status code).
When using this general data and information, we do not draw any conclusions about the data subject. There is no personal evaluation or an evaluation of the data for marketing purposes or a profile formation. The IP address is not saved in this context.
The legal basis for the temporary storage of data is Art. 6 Para. 1 lit. f GDPR. The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the secure operation of our website. There is therefore no possibility for the person concerned to object.
3.2 Malware detection and protocol data evaluation
We collect protocol data that is generated during the operation of our company’s communication technology and evaluate it automatically, insofar as this is necessary to detect, limit or eliminate faults or errors in the communication technology or to defend against attacks on our information technology or to detect and defend against malware.
The legal basis for the temporary storage and evaluation of data is Art. 6 para. 1 lit. f GDPR. The storage and evaluation of the data is absolutely necessary for the provision of the website and for its secure operation. There is therefore no possibility for the person concerned to object.
The legal basis for the processing of personal data using Cookies is Art. 6 para. 1 lit. f GDPR.
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services which we use for the purpose of operating our website.
For this purpose, we or our contract processor process inventory data, contact data, content data, contract data, usage data, meta and communication data of users of our website on the basis of our legitimate interests in the efficient and secure provision of this online service in accordance with Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a contract for contract processing).
3.5 Use of Google Analytics and Google Tag Manager
(1) This website uses Google Analytics, a web analysis service of Google Inc. („Google“). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other states which are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on the website activities and to provide further services to the website operator in connection with the use of the website and the internet.
(2) The IP address transmitted by your browser within the framework of Google Analytics is not combined with other data from Google.
(4) This website uses Google Analytics with the extension “_anonymizeIp()”. This enables IP ad-dresses to be further processed in a shortened form, thus excluding the possibility of personal references. If the data collected about you contains a personal reference, this is immediately excluded and the personal data is therefore deleted immediately.
(5) We use Google Analytics to analyse and regularly improve the use of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.
(6) Third party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. user conditions: http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, and the data protection declaration: http://www.google.de/intl/de/policies/privacy.
(7) This website also uses Google Analytics for a cross-device analysis of visitor flows, which is car-ried out via a user ID. You can deactivate the cross-device analysis of your use in your customer account under “My data”, “personal data”.
(8) Use of the Google Tag Manager application: The Google Tag Manager is an application that al-lows website tags to be managed through an interface. The Google Tag Manager application itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The application triggers other tags, which in turn may collect data. The Google Tag Manager does not access this data. If deactivation has been made at the cookie or domain level, it will remain in effect for all tracking tags implemented with Google Tag Manager. http://www.google.de/tagmanager/use-policy.html
The legal basis for the processing of personal data using Google Analytics and Google Tag Manager is Art. 6 para. 1 lit. a GDPR.
3.6 Use of Google Fonts
Our website uses so-called Google fonts, which are provided by Google Inc. for the uniform presen-tation of texts and fonts. When a page is called up, your internet browser loads the required fronts into your browser cache in order to display texts and fonts correctly. For this purpose your browser must connect to the servers of Google Inc. This enables Google Inc. to know that our website has been accessed via your IP address. The use of Google Fonts serves our interest in a uniform and visually appealing presentation of our online offer. This represents a so-called legitimate interest within the meaning of Art. 6 Paragraph 1 lit. f. GDPR.
If your browser does not support Google Fonts, a standard font will be used by your PC.
3.7 Conversion measurement with the Facebook conversion pixel
We use the visitor action pixel of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“hereinafter: Facebook”). By calling up this pixel from your browser, Facebook can recognise whether one of its own advertisements was successful. For this purpose, we only receive statistical data from Facebook without reference to a specific person. This allows us to record the effectiveness of the Facebook ads for statistical and evaluation purposes. We also refer to the Facebook data protection information.
Please go to https://www.facebook.com/ads/preferences/ if you wish to withdraw your consent to Conversion Pixel.
4. Data processing within the framework of contact
4.1 Contact by e-mail
Contacting our law firm by e-mail is possible via the e-mail addresses published on our website.
If you use this contact method, the data you provide (e.g. surname, first name, address), but at least the e-mail address, as well as the information contained in the e-mail together with any personal data you may have provided will be stored for the purpose of contacting you and processing your request. In addition, the following data is collected by our system:
- IP address of the calling computer;
- date and time of the e-mail.
The legal basis for the processing of personal data in the context of e-mails sent to us is Art. 6 para. 1 lit. b or lit. f GDPR.
4.2 Contact via website contact form
If you use the contact form provided on our website for communication purposes, it is necessary to enter your name and surname and your e-mail address. Without these data, your request transmitted via the contact form cannot be processed. Entering your address is optional and enables us to process your request by post if you so wish.
In addition, the following data is collected by our system:
- IP address of the calling computer;
- date and time of registration.
The legal basis for the processing of personal data in the context of e-mails sent to us is Art. 6 para. 1 lit. b or lit. f GDPR.
4.3 Contact by letter and Telefax
If you send us a letter or fax, the data transmitted by you (e.g. surname, first name, address) and the information contained in the letter or fax together with any personal data transmitted by you will be stored for the purpose of contacting you and processing your request.
The legal basis for the processing of personal data in the context of letters and faxes sent to us is Art. 6 para. 1 lit. b or lit. f GDPR.
5. Data processing when receiving our newsletter
If you subscribe to our newsletter distribution list, your e-mail address and the newsletter you have chosen will be stored on a server by us.
In addition, the following data is collected by the system when you register:
- IP address of the calling computer;
- date and time of registration.
For the processing of the data, your consent will be obtained during the registration process and reference will be made to this data protection declaration. The data will be processed on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and within the scope of the legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
We use this data exclusively for sending the newsletter.
Use of the dispatch service provider “MailChimp”
Our newsletter is sent via “MailChimp”, an application of Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The e-mail addresses of the recipients of our newsletter, as well as their other data described in this privacy notice, are stored on Rocket Science Group servers in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, MailChimp will use this data according to its own specifications to optimise its own offer. MailChimp does not use the personal data of the recipients of our newsletter to contact them itself or pass them on to third parties. Mailchimp has committed itself to respect the EU data protection regulations. Furthermore, we have concluded a “Data-Processing-Agreement” with MailChimp, in which MailChimp commits itself to protect the data of our users, to process them on our behalf according to its data protection regulations and especially not to pass them on to third parties.
Unsubscribe from the newsletter
You can unsubscribe from receiving our newsletter at any time. Your consent to receive the newsletter via MailChimp and the statistical analyses will expire at the same time. A separate cancellation of the dispatch via MailChimp or the statistical analysis is unfortunately not possible.
You will find a link to cancel the newsletter at the end of each newsletter.
The legal basis for the processing of personal data in the context of the newsletter via Mail-chimp is art. 6 paragraph 1 lit. a GDPR.
6. Data processing for Zoom videoconferences
We use the tool “Zoom” to conduct video conferences, telephone conferences, online meetings, and/or web seminars (hereinafter: “video conferences”). “Zoom” is a service of Zoom Video Communications, Inc. based in the USA. When using “Zoom”, the following types of data are processed. The scope of data processing depends, among other things, on the personal data you provide before or during participation in a video conference.
The following personal data are subject to processing:
User details: first name, last name, telephone (optional), e-mail address, password (if “single sign-on” is not used), profile picture (optional), department (optional).
Conference metadata: Topic, description (optional), participant IP addresses, device/hardware information.
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
For telephone dial-in: Information on incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in a video conference. In this respect, the text entries you make are processed in order to display them in the video conference and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device as well as from any video camera of the terminal device are processed accordingly during the meeting. You can switch off or mute the camera or microphone yourself at any time via the “Zoom” applications.
To participate in an “online meeting” or to enter the “meeting room”, you must at least enter your name.
Scope of processing:
If we want to record video conferences, we will inform you transparently in advance and – if necessary – ask for your consent. The fact of the recording will also be displayed to you in the “Zoom” app. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case. In the case of web seminars, we may also process questions asked by seminar participants for the purposes of recording and following up on webinars. If you are registered as a user with “Zoom”, then reports on video conferences (metadata, data on telephone dial-in, questions and answers in webinars, survey function in webinars) may be stored by “Zoom” for up to one month. Automated decision-making within the meaning of Art. 22 GDPR is not used.
“Zoom” is a service provided by a provider from the USA. Processing of personal data therefore also takes place in a third country (USA). We have concluded an order processing agreement with Zoom Video Communications, Inc. that meets the requirements of Art. 28 GDPR.
An appropriate level of data protection is guaranteed on the one hand by the “Privacy Shield” certification of Zoom Video Communications, Inc. and on the other hand by the conclusion of the so-called EU standard contractual clauses.
Insofar as personal data of employees of Müller, Altmeyer & Partner Rechtsanwälte, Partnerschaftsgesellschaft mbB are processed, § 26 BDSG is the legal basis for the data processing. If, in connection with the use of “Zoom”, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of “Zoom”, Art. 6 para. 1 lit. f) GDPR is the legal basis for the data processing. In these cases, our interest lies in the effective implementation of video conferences.
Otherwise, the legal basis for data processing when conducting video conferences is Art. 6 para. 1 lit. b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. Here, too, our interest is in the effective implementation of video conferences.
7. Your rights
As a data subject, you have the following rights in connection with the processing of your personal data:
7.1 Right of access to information
(1) The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him/her are being processed; if this is the case, he/she shall have the right to be informed of such personal data and to receive the following information:
- a) the processing purposes;
- b) the categories of personal data processed;
- c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
- d) if possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
- e) the existence of a right of rectification or erasure of personal data relating to them or of a right of objection to their processing by the controller;
- f) the existence of a right of appeal to a supervisory authority;
- g) where the personal data are not collected from the data subject, any available information as to their source;
- h) the existence of automated decision-making, including profiling, in accordance with Art. 22, para. 1 and para. 4 GDPR, and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.
7.2 Right of rectification
The data subject has the right to ask the data controller to rectify incorrect personal data concerning him/her without delay. Having regard to the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
7.3 Right of deletion
(1) The data subject has the right to request the controller to delete personal data relating to him/her without delay and the controller is obliged to delete personal data without delay if one of the following reasons applies:
- a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- b) The data subject withdraws the consent on which the processing was based pursuant to Art. 6 para. 1 lit. a) or Art. 9 para. 2 letter a) GDPR and there is no other legal basis for the processing.
- c) The data subject lodges an objection to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing, or the data subject lodges an objection to the processing pursuant to Art. 21 Para. 2 GDPR.
- d) The personal data have been processed unlawfully.
- e) Erasure of the personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- f) The personal data was collected in relation to services offered by the information society in accordance with Art. 8, Paragraph 1 of the GDPR.
(2) Where the controller has made personal data public and is obliged to delete them pursuant to paragraph 1, he shall take reasonable measures, including technical measures, taking into account available technology and implementation costs, to inform controllers who process personal data that a data subject has requested them to delete all links to such personal data or to delete copies or replications of such personal data.
(3) Paragraphs 1 and 2 shall not apply insofar as the processing is necessary:
- a) to exercise the right to freedom of expression and information;
- b) to comply with a legal obligation requiring processing under Union or national law to which the controller is subject or in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- c) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 letters h) and i) and Art. 9 para. 3 GDPR;
- d) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1, insofar as the law referred to in para. 1 is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
- e) to assert, exercise or defend legal claims.
7.4 Right to restrict processing
(1) The data subject has the right to ask the person responsible to restrict processing if one of the following conditions is met:
- a) the accuracy of the personal data is disputed by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- b) the processing is unlawful and the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted;
- c) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to exercise or defend his rights; or
- d) the data subject has lodged an objection to the processing in accordance with Art. 21 para. 1 GDPR as long as it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.
(2) Where processing has been restricted in accordance with paragraph 1, such personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State.
7.5 Right to data transferability
(1) The data subject shall have the right to obtain the personal data concerning him which he has supplied to a controller in a structured, standard and machine-readable format and the right to have such data communicated to another controller without interference by the controller to whom the personal data has been supplied, provided that
- a) the processing is based on a consent pursuant to Article 6 paragraph 1 lit. a) or Art. 9 para. 2 letter a) GDPR or on a contract pursuant to Article 6 paragraph 1 lit. b) GDPR and
- (b) the processing is carried out by means of automated procedures.
(2) In exercising his or her right to transfer data in accordance with paragraph 1, the data subject shall have the right to obtain that personal data be transferred directly from one controller to another controller, in so far as this is technically feasible.
The right referred to in paragraph 1 must not prejudice the rights and freedoms of other persons.
This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.6 Right of objection
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out pursuant to Article 6, paragraph 1 lit. e) or f) of the GDPR, including profiling based on these provisions. The controller no longer processes the personal data unless he can demonstrate compelling reasons for processing which are justified on grounds of protection and which outweigh the interests, rights and freedoms of the data subject, or unless the processing serves to assert, exercise or defend legal claims.
In the context of the use of Information Society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his right of objection by means of automated procedures involving technical specifications.
7.7 Right of withdrawal
The data subject has the right to revoke his/her declaration of consent under data protection law at any time. Revocation of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the point of revocation.
7.8 Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to complain to a supervisory authority, in particular in the Member State in which he/she is resident, at his/her place of work or at the place where the alleged infringement occurred, if he/she considers that the processing of personal data relating to him/her is being carried out in breach of this Regulation.