Data protection information

In connection with the business activities of our lawyers, auditors and tax advisors, we, Noerr LLP process the personal data of (potential) clients and the employees, representative and/or advisors of our clients and their employees, opposing parties in legal proceedings and their employees, representatives and/or advisors of opposing parties in legal proceedings and their employees, employees of insurers, experts and their employees, employees of courts and/or authorities, employees of the Noerr companies that cooperate with us and the Noerr notary’s offices, as well as the law firms, tax advisory and/or auditing firms outside the Noerr companies and the Noerr notary’s offices that cooperate with us and their employees.

At our law firm we also process the personal data of employees, job applicants and participants in our talent management programme, our (potential) suppliers and their employees, users of our websites and our visitors.

The protection of personal data is important to us. We only process personal data in compliance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz- BDSG).

In Section A of this Data Protection Information we provide you with information about the controller responsible for the processing of your personal data and the controller’s data protection officer.

In Sections B we also provide you with information about the processing of your personal data.

In Section D we also provide you with information about your rights with respect to the processing of your personal data.

In Section E we also provide you with information about the technical data protection terms used in this Data Protection Information.

A. Information about the controller

Name and contract details of the controller


Noerr LLP
Tower 42, 25 Old Broad Street, London, EC2N 1HQ, United Kingdom
info@noerr.com
+49 89 286280

Contact details of the controller’s data protection officer


Pascal Schumacher
c/o Noerr LLP, Charlottenstraße 57, 10117 Berlin, Germany
pascal.schumacher@noerr.com
+49 30 2094 2316

B. Information about the processing of personal data

Professional practice

In connection with the business activities of our lawyers, auditors and tax advisors, we, Noerr LLP process the personal data of (potential) clients and the employees, representatives and/or advisors of our clients and their employees, opposing parties in legal proceedings and their employees, representatives and/or advisors of opposing parties in legal proceedings and their employees, employees of insurers, experts and their employees, employees of courts and/or authorities, employees of the Noerr companies that cooperate with us and the Noerr notary’s offices, as well as the law firms, tax advisory and/or auditing firms outside the Noerr companies and the Noerr notary’s offices that cooperate with us and their employees for the following purposes:

  • Identification of our (potential) clients, their economic beneficiary, the persons acting for them and their authorisation before or upon establishing the client relationship and carry out a comparison with sanctions lists,
  • conflict check to avoid conflicts of interests before establishing the client relationship,
  • preparation of the client relationship in particular for pre-contractual correspondence to prepare offers and cost estimates,
  • advising and representing our clients appropriately in connection with the engagement, in particular to exercise and defend the rights of our clients, including correspondence with our clients, opposing parties in legal proceedings and their representatives as well as with courts and/or authorities,
  • sending correspondence and other items on behalf of our clients in connection with engagements,
  • disbursement, receipt or forwarding of third-party funds on behalf of our clients in connection with engagements,
  • translations on behalf of our clients in connection with engagements,
  • proper internal administration, including maintaining reference files and the operation of IT systems for administrative purposes,
  • proper accounting and invoicing,
  • proper retention of documents in order to meet statutory, professional, anti-money laundering, commercial and tax law retention obligations and for evidence purposes for any establishment, exercise or defence of legal claims,
  • settlement any existing liability claims and the exercise of any claims against our clients,
  • cooperate with courts and/or authorities in order to comply with statutory obligations,
  • liaison with external accountants or auditors in order to comply with statutory obligations,
  • client relationship management and the alignment of our advisory services with the needs and wishes of our (potential) clients,
  • naming of references for rankings and analyses by press publishers and analysts.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Identification data.

Information that we receive to identify our (potential) clients, their economic beneficiaries, the persons acting for them and their authorisation.

This includes data from copies of personal identity cards and data from commercial register excerpts.

(Potential) clients,

courts and/or authorities,

other Noerr companies and Noerr notary’s offices,

cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies.

The provision of these data is required by law.

If these data are not provided, the identification required by law may not be possible.

We store the data until the retention obligation under anti-money laundering law ends, i.e. for a period of five years after the end of the calendar year in which the business relationship was ended or the information was identified (sec 8(4) German Anti-Money Laundering Act (Geldwäschegesetz – GWG)).

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Contact data.

Information that we receive for contacting and corresponding with our contacts.

These contacts include (potential) clients and the employees, representatives and/or advisors of our clients and their employees, opposing parties in legal proceedings and their employees, representatives and/or advisors of opposing parties in legal proceedings and their employees, employees of insurers, experts and their employees, employees of courts and/or authorities, as well as employees of other Noerr companies and Noerr notary’s offices and cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies and the Noerr notary’s offices.

This information includes salutation, title, first name, surname, e-mail address, address, fax number, telephone number and position/function of the individual contact.

(Potential) clients, representatives and/or advisors of our clients,

Opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings,

insurers,

experts,

courts and/or authorities,

other Noerr companies and Noerr notary’s offices,

cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies.

The provisions of these data is not required by law or contract.

The provision of the client’s contact data is required for the conclusion of an engagement agreement.

The provision of the contact data of employees of our clients, representative and/or advisors of our clients and their employees, opposing parties in legal proceedings and their employees, representative and/or advisors of opposing parties in legal proceedings and their employees, employees of insurers, experts and their employees, employees of courts and/or authorities as well as advisors and/or employees of other Noerr companies or cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies may also be necessary in order to advise and represent our clients.

It these data are not provided, it may not be possible to process the engagement.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Client data.

Information that we receive from our clients, representatives and/or advisors of our clients, opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings, insurers, experts, courts and/or authorities in order to advise and represent our clients in connection with the engagement.

This in particular includes the content of documents provided to us in connection with the engagement (as far as it relates to identified or identifiable natural persons).

This also includes bank details (IBAN, BIC, bank, account holder) for the disbursement of third-party funds.

Clients, representatives and/or advisors of our clients,

opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings,

insurers,

experts,

courts and/or authorities.

The provision of these data is not required by law or contract.

Provision may, however, be necessary to advise and represent our clients.

If these data are not provided, it may not be possible to process the engagement.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Information that we receive from our clients, representatives and/or advisors of our clients, opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings, insurers, experts, courts and/or authorities in order to disburse third-party funds in connection with the engagement.

This includes bank details (IBAN, BIC, bank, account holder).

Clients, representatives and/or advisors of our clients,

opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings,

insurers,

experts,

courts and/or authorities.

The provision of these data is not required by law or contract.

Provision may, however, be necessary to advise and represent our clients.

If these data are not provided, it may not be possible to disburse third-party funds.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Data generated in connection with correspondence with our clients, representatives and/or advisors of our clients, opposing parties in legal proceedings, representatives and advisors of opposing parties in legal proceedings, insurers, experts, courts and/or authorities, other Noerr companies and Noerr notary’s offices or cooperating law firm, tax advisory and/or auditing firms outside the Noerr companies.

These in particular include the content of oral and written (including electronic) correspondence and protocol data generated for technical reasons in the case of electronic correspondence (as far as it relates to identified or identifiable natural persons).

Clients, representatives and/or advisors of our clients,

opposing parties in legal proceedings, representatives and/or advisors of opposing parties in legal proceedings,

insurers,

experts,

courts and/or authorities,

other Noerr companies and Noerr notary’s offices,

cooperating law firm, tax advisory and/or auditing firms outside the Noerr companies.

The provision of these data is not required by law or contract.

Provision may, however, be necessary to advise and represent our clients.

If these data are not provided, it may not be possible to process the engagement.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Information that we generate in-house to advise and represent our clients as part of the engagement.

This in particular includes client identification numbers, file numbers, contents of notes to file, memoranda, expert opinions, pleadings and other documented results of our advice and representation as part of the engagement (as far as they relate to identified or identifiable natural persons).

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Billing data.

Data that we receive from our clients for billing purposes as part of the engagement.

These in particular also include the VAT identification number.

Clients.

The provision of these data is required by law.

If these data are not provided, proper billing is not possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Data that we generate in-house for billing purposes as part of the engagement.

These in particular include accounts receivable numbers, invoice numbers, file numbers, content of internal time recording, activity reports, details of any expenses and data relating to payment transactions, in particular date and amounts paid.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

II. Details on the processing of personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Identification of our (potential) clients, their economic beneficiaries, the persons acting for them and their authorisation before or upon establishing the client relationship.

We carry out the identification in coordination with the other Noerr companies and Noerr notary’s offices in order to avoid the renewed identification by other companies of clients already identified.

Identification data.

No automated decision-making takes place.

The legal basis for the identification is compliance with a legal obligation, in particular the German Anti-Money Laundering Act (Geldwäschebekämpfungsgesetzes- GWG) (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation) and a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is knowing who our contractual partner is.

The legal basis for the coordination with the other Noerr companies and Noerr notary’s offices is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is to fulfil identification obligations as efficiently as possible within the Noerr companies and the Noerr notary’s offices.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices.

Comparison with sanctions lists before the client relationship is established.

Contact data.

No automated decision-making takes place.

The legal basis for the conflict check is compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

-

Conflict check to avoid conflicts of interest before establishing the client relationship.

We carry out the conflict check in coordination with the other Noerr companies and Noerr notary’s offices in or to avoid any conflicts of interest within the Noerr companies and Noerr notary’s offices.

Contact data,

clients data.

No automated decision-making takes place.

The legal basis for the conflict check is compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation) and balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the avoidance of conflicts of interest.

The legal basis for the coordination with the other Noerr offices and Noerr notary’s offices is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the best-possible avoidance of conflicts of interest within the Noerr companies and the Noerr notary’s offices.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices.

Preparation of the client relationship, in particular pre-contractual correspondence for the preparation of offers and costs estimate.

Depending on the engagement, coordination with other Noerr companies and/or law firms, tax advisory and/or auditing firms outside the Noerr companies may be necessary in the individual case. This can for example be the case if an engagement requires advice services of local counsel in other jurisdictions.

Depending on the engagement, coordination may also be required in the individual case with representatives and/or advisors of the client or insurers of the client for the preparation of the engagement.

Contact data,

client data.

No automated decision-making takes place.

If the data subject is our client, the legal basis is taking steps at the request of the data subject prior to entering into a contract (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is taking steps at the request of our potential client prior to entering into a contract.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

cooperating law firm, tax advisory and/or auditing firms outside the Noerr companies,

representatives and/or advisors of the client,

insurers.

Advising and representing clients appropriately in connection with engagements, in particular exercising and defending the rights of our clients, including correspondence with our clients, opposing parties in legal proceedings and representatives of opposing parties in legal proceedings, insurers, experts and/or service providers, courts and/or authorities.

Depending on the engagement, coordination with other Noerr companies and/or law firms, tax advisory and/or auditing firms outside the Noerr companies may be necessary in the individual case. This can for example be the case if an engagement requires advice services of local counsel in other jurisdictions.

Contact data,

client data.

No automated decision-making takes place.

If the data subject is our client, the legal basis is the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our client.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices,

cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies,

clients,

representatives and/or advisors of clients,

opposing parties in legal proceedings,

representatives and/or advisors of opposing parties in legal proceedings,

insurers,

experts and/or other service providers,

courts and/or authorities.

Sending of correspondence or other items on behalf of our clients in connection with engagements.

To send correspondence and other items, we communicate the address details of the sender and the recipient to the relevant shipping/courier services provider.

Contact data.

No automated decision-making takes place.

If the data subject is our client, the legal basis is the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our client.

Shipping/courier service providers.

Disbursement, receipt or forwarding of third-party funds on behalf of our clients in connection with engagements.

Contact data,

client data.

No automated decision-making takes place.

If the data subject is our client, the legal basis is the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our client.

Clients,

representatives and/or advisors of clients,

opposing parties in legal proceedings,

representatives and/or advisors of opposing parties in legal proceedings,

courts and/or authorities,

banks,

IT service providers.

Translations on behalf of our clients in connection with engagements.

Depending on the engagement, coordination with other Noerr companies and Noerr notary’s offices and/or law firms, tax advisory and/or auditing firms outside the Noerr companies and Noerr notary’s offices may be necessary in the individual case. This can for example be the case if a client requires a translation or the legal review of a translation by local counsel in other jurisdictions.

 

Contact data,

client data.

No automated decision-making takes place.

If the data subject is our client, the legal basis is the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our client.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices.

Proper internal law firm administration, including the maintenance of reference files and operation of IT systems for administrative purposes.

We carry out internal administration in coordination with the other Noerr companies and Noerr notary’s offices to ensure that internal administration is as efficient as possible.

We use specialist service providers for the operation of our IT that process that data on our behalf.

Contact data,

client data,

billing data.

No automated decision-making takes place.

The legal basis is on the one hand compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation), in particular compliance with professional ethics obligations for the proper maintenance of reference files.

The legal basis is also a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is proper internal administration.

The legal basis for the coordination with the other Noerr companies and the Noerr notary’s offices is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is ensuring that internal administration within the Noerr companies and Noerr notary’s offices is as efficient as possible.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices,

IT service providers.

Proper accounting and invoicing.

Contact data,

billing data.

No automated decision-making takes place.

The legal basis is on the one hand compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation), in particular compliance with statutory requirements for proper accounting.

If the data subject is our client, the legal basis for the invoicing is the performance of a contract to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our client, the legal basis for the invoicing is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our client.

Payroll and financial accounting service providers.

 

Proper retention of documents in order to comply with statutory, professional, anti-money laundering, commercial and tax law retention obligations and for evidence purposes for any establishment, exercise or defence of legal claims.

Depending on the type of documents, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Contact data,

client data,

billing data.

No automated decision-making takes place.

The legal basis for retention is to comply with statutory, in particular professional ethics, anti-money laundering, commercial and tax law retention obligations is compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

The legal basis of retention for evidence purposes is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the establishment, exercise or defence of legal claims.

-

Settlement of any existing liability claims and the exercise of any claims against our clients. 

 

Contact data,

client data,

billing data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the establishment, exercise and defence or legal claims.

Clients,

representatives and/or advisors of clients,

opposing parties in legal proceedings,

representatives and/or advisors of opposing parties in legal proceedings,

insurers,

courts and/or authorities.

Cooperation with courts and/or authorities in order to fulfil statutory obligations.

Contact data,

client data,

billing data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

Courts and/or authorities.

Liaison with external accountants or auditors in order to comply with statutory obligations.

Contact data,

client data,

billing data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

External auditors,

External accountants.

Client relationship management and the alignment of our advisory services with the needs and wishes of our (potential) clients, including making contact to inform our (potential) clients, inviting our (potential) clients to law firm events and maintaining the relationships with our (potential) clients.

We coordinate in this respect with the other Noerr companies in order to ensure that client relationship management within the Noerr companies is as efficient as possible.

For client relationship management we use specialised IT service providers that process data on our behalf.

Contact data.

No automated decision-making takes place.

If the data subject has given their individual consent in this respect, the legal basis for the maintenance of our relationship is the individual consent (point (a) of Article 6 paragraph 1 of the General Data Protection Regulation).

The legal basis is in addition a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is maintaining the relationships with our (potential) clients and the alignment of our advisory services with the needs and wishes of our (potential) clients.

The legal basis for coordination with the other Noerr companies is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interests is ensuring that client relationship management within the Noerr companies is as efficient as possible.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

IT service providers.

Naming of references for ranking and analyses by press publishers and analysts.

Contact data.

No automated decision-making takes place.

Consent (point (a) or Article 6 paragraph 1 of the General Data Protection Regulation).

Press publishers and market analysts.

III. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Recipient’s location

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations

Dependent branches of Noerr LLP outside the EU

  • Office of Noerr LLP in New York, USA

Part of Noerr LLP as controller.

USA.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

However, the General Data Protection Regulation applies directly to our dependent branch in the USA anyway, so that an appropriate level of data protection exists anyway.

We also guarantee that for transfers to our dependent branch we comply with the obligations under the EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under Article 26 paragraph 4 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

Noerr companies
in Germany:

  • NOERR Aktiengesellschaft Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft (NOERR AG)
  • Team Treuhand GmbH

Controller.

Within the EU.

-

Noerr companies
in Spain:

  • Noerr Alicante IP, S.L.

Controller.

Within the EU.

-

Noerr companies
in the Republic of Slovakia:

  • Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in the Czech Republic:

·                Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in Hungary:

·                Kanzlei Noerr & Partner (= Noerr & Társai Iroda)

Controller.

Within the EU.

-

Noerr companies
in Romania:

  • S.P.R.L. Menzer & Bachmann – Noerr
  • Noerr Finance & Tax S.R.L.

Controller.

Within the EU.

-

Noerr companies
in Poland:

  • Noerr Biedecki sp.k.

Controller.

Within the EU.

-

Noerr companies
in the Russian Federation:

  • Noerr OOO

Controller.

Russian Federation.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

The transfers are subject to EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

Noerr notary’s offices:

  • Notary’s office Berlin (Dr Astrid Frense, Dr Dirk Lentfer, Felix Blobel, Dr Clemens Schönemann)
  • Notary’s office Frankfurt (Dr Thorsten Reinhard, Dr Alexander Jänecke)

Controller.

Within the EU.

-

Cooperating law firms, tax advisory and/or auditing firms outside the Noerr companies, in particular partners of the Lex Mundi network.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Clients.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Representatives and/or advisors or clients.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Insurers.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Opposing parties in legal proceedings,

representatives and/or advisors of opposing parties in legal proceedings.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Experts and/or other service providers.

Controller or processor..

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Courts and/or authorities.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

External auditors.

Controller.

Within the EU.

-

External accountants.

Controller.

Within the EU.

-

Shipping/courier service providers.

Controller.

Depends on engagement; can be within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary perform the contract with our client or to take steps at the request of our client prior to entering in to the contract (point (b) or (c) of Article 49 paragraph 1 of the General Data Protection Regulation) and/or to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Press publishers and market analysts.

Controller.

Depending on the location of the relevant press publisher or market analyst either within or outside the EU.

We only transfer personal data to third countries to the extent that the data subject has given their express consent to the proposed data transfer (point (a) of Article 49 paragraph 1 of the General Data Protection Regulation).

IT service providers.

Processor.

Within the EU.

-

Banks.

Controller.

Within the EU.

-

Payroll and financial accounting service providers.

Processor.

Within the EU.

-

Employees

We process personal data at our law firm of people who are employed by us.

We process data of our employees in particular for the purposes of recruitment, fulfilment of the employment contract, including the discharge of obligations laid down by law, the management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, the protection of our property or the property of our clients, and for the purposes of exercising and enjoying the rights and benefits related to employment and for the purposes of terminating the employment relationship.

Our employees can find more detailed information on this in the Special Data Protection Information for Employees.

Job applicants

At our law firm we process personal data of persons who apply for jobs with us.

We process the data of our job applicants for the following purposes:

  • Conducting the application process, in particular reviewing applications, contacting the applicant and conducting interviews to evaluate and select suitable applicants,
  • forwarding of the application documents to Noerr notary’s offices or Noerr companies if the applicant expressly requested this in his/her application letter,
  • storage for evidence purposes for the possible establishment, exercise or defence of legal claims.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Master data.

Name, data of birth, nationality, place of birth, country of birth, marital status.

Applicants or recruitment agencies instructed to act on behalf of applicants.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, it may not be possible to conduct the application process and, if applicable, to hire an applicant.

If an applicant is hired, the data will be entered in the personnel file. Information on the storage duration is provided in the information on the processing of the personal data of our employees.

If an applicant participates in our talent management programme, the data are stored after completion of the application process for the duration of participation in the talent management programme.

Otherwise the data will be stored for evidence purposes for the possible establishment, exercise and defence of legal claims for a period of six months after completion of the application process.

Contact data.

Private address, e-mail address telephone number.

Applicants or recruitment agencies instructed to act on behalf of applicants.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, it may not be possible to conduct the application process and, if applicable, to hire an applicant.

If an applicant is hired, the data will be entered in the personnel file. Information on the storage duration is provided in the information on the processing of the personal data of our employees.

If an applicant participates in our talent management programme, the data are stored after completion of the application process for the duration of participation in the talent management programme.

Otherwise the data will be stored for evidence purposes for the possible establishment, exercise and defence of legal claims for a period of six months after completion of the application process.

Application data.

Content of application documents, in particular photograph, CV and certificates/references,

content of the written (including electronic) correspondence relating to the application.

Applicants or recruitment agencies instructed to act on behalf of applicants.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, it may not be possible to conduct the application process and, if applicable, to hire an applicant.

If an applicant is hired, the data will be entered in the personnel file. Information on the storage duration is provided in the information on the processing of the personal data of our employees.

If an applicant participates in our talent management programme, the data are stored after completion of the application process for the duration of participation in the talent management programme.

Otherwise the data will be stored for evidence purposes for the possible establishment, exercise and defence of legal claims for a period of six months after completion of the application process.

Content of evaluation notes, perceptions from interviews, feedback and evaluations.

Generated in-house.

-

If an applicant is hired, the data will be entered in the personnel file. Information on the storage duration is provided in the information on the processing of the personal data of our employees.

If an applicant participates in our talent management programme, the data are stored after completion of the application process for the duration of participation in the talent management programme.

Otherwise the data will be stored for evidence purposes for the possible establishment, exercise and defence of legal claims for a period of six months after completion of the application process.

II Details on the processing of personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Conducting the application process, in particular reviewing applications, contacting the applicant and conducting interviews to evaluate and select suitable applicants.

Master data,

contact data,

application data.

No automated decision-making takes place.

Decision on the establishment of an employment relationship (Article 88 paragraph 1 of the General Data Protection Act, sec. 26(1) of the German Federal Data Protection Act).

Taking steps prior to entering into a contract (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

IT service providers.

Forwarding of the application documents to Noerr notary’s offices or Noerr companies if the applicant expressly requested this in his/her application letter.

Master data,

contact data,

application data.

No automated decision-making takes place.

Taking steps prior to entering into a contract (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices,

IT service providers.

Storage for evidence purposes for the possible establishment, exercise or defence of legal claims.

Master data,

contact data,

application data.

No automated decision-making takes place.

The legal basis for storage for evidence purposes is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the establishment, exercise or defence of legal claims.

IT service providers.

III. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Recipient’s location

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations

Dependent branches of Noerr LLP outside the EU

  • Office of Noerr LLP in New York, USA

Part of controller.

USA.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

However, the General Data Protection Regulation applies directly to our dependent branch in the USA anyway, so that an appropriate level of data protection exists anyway.

We also guarantee that for transfers to our dependent branch we comply with the obligations under the EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under Article 26 paragraph 4 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

Noerr companies
in Germany:

  • NOERR Aktiengesellschaft Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft (NOERR AG)
  • Noerr Consulting AG

Controller.

Within the EU.

-

Noerr companies
in Spain:

  • Noerr Alicante IP, S.L.

Controller.

Within the EU.

-

Noerr Companies
in the Republic of Slovakia:

  • Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in the Czech Republic:

  • Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in Hungary:

  • Kanzlei Noerr & Partner (= Noerr & Társai Iroda)

Controller.

Within the EU.

-

Noerr companies
in Romania:

  • S.P.R.L. Menzer & Bachmann – Noerr
  • Noerr Finance & Tax S.R.L.

Controller.

Within the EU.

-

Noerr companies
in Poland:

  • Noerr Biedecki sp.k.

Controller.

With the EU.

-

Noerr companies
in the Russian Federation:

  • Noerr OOO

Controller.

Russian Federation.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

Transfers are subject to EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under Article 26 paragraph 4 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

Noerr notary’s offices:

  • Notary’s office Berlin (Dr Astrid Frense, Dr Dirk Lentfer, Felix Blobel, Dr Clemens  Schönemann)
  • Notary’s office Frankfurt (Dr Thorsten Reinhard, Dr Alexander Jänecke)

Controller.

Within the EU.

-

IT service providers.

Processor.

Germany.

-

Talents

At our law firm we process personal data of persons who participate in our careers event and our talent management programme, as well as of subscribers to Noerr Careers Events News.

We process the personal data of participants in our career event for the organisation and execution of these events.

We process data of participants in our talent management programme to implement that talent management programme, in particular to select suitable talents for open positions and send information about open positions and/or general information about us as an employer.

We also process personal data in this context for the following purposes:

  • Organisation and execution of careers events, in particular the select of suitable participants based on the application and talent data requested in the pre-registration,
  • implementation of the talent management programme, in particular the select of suitable talents for open positions and sending information on open positions and/or individual information relating to the participant’s professional interests and objectives,
  • referral of the talents to the corresponding Noerr Notary’s offices or Noerr companies if the talent has expressly requested this when making contact,
  • analysis of the effectiveness of contact channels,
  • sending Noerr Careers Events News to subscribers by e-mail,
  • storage for evidence purposes for the possible establishment, exercise or defence of legal claims.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Master data.

Name, date of birth, nationality, place of birth, country of birth, marital status.

Participants in the talent management programme/careers events, subscribers to Noerr Careers Events News.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the name is not provided, it is not possible to participate in the talent management programme.

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

We store the data of subscribers to Noerr Careers Events News until consent is withdrawn.

We store these data for evidence purposes for the establishment, exercise or defence of possible legal claims and in addition for a transitional period of three years from the end of the year in which the participant has deregistered and in the case of any legal dispute until such have been concluded.

Contact data.

Private address, e-mail address, telephone number.

Participants in the talent management programme/careers events, subscribers to Noerr Careers Events News.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, unless at least a contact possibility is provided, it is not possible to participate in the talent management programme.

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

We store the data of subscribers to Noerr Careers Events News until consent has been withdrawn.

We store these data for evidence purposes for the establishment, exercise or defence of possible legal claims and in addition for a transitional period of three years from the end of the year in which the participant has deregistered and in the case of any legal dispute until such have been concluded.

Contact history.

Information on reason/medium of current and past contact with Noerr (trade, fair, event, job exchange etc.).

Applicants (in covering letter or in online application),

generated in-house (e.g. trade fair).

-

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

Application data.

Content of application documents, in particular photo, CV and certificates/references,

content of the written (including electronic) correspondence relating to the application.

Participants in the talent management programme/careers events.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

If the data are not provided, they cannot be taken into account for the selection of suitable talents.

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

Content of evaluation notes, perceptions from interviews, feedback and evaluations.

Generated in-house.

-

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme. 

Talent data.

Information on interests, professional qualifications, professional experience and other information that participants provide for talent management.

Content of written (including electronic) correspondence relating to participation in the talent management programme.

Participants in the talent management programme/careers events.

The provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

If the data are not provided, they cannot be taken into account for the selection of suitable talents.

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

Content of evaluation notes, perceptions from interviews, feedback and evaluations., which we generate in-house to select suitable talents.

Information on the next (development) steps of the talent.

Generated in-house.

-

We store the data of participants in careers events until the end of the relevant careers event.

The data of participants in our talent management programme are stored for the duration of participation in our talent management programme.

Consent data.

Data for the provision, evidence and withdrawal of consent.

These include date and time and content of the consent (e.g. registration for newsletter), data and time registration notification is sent using closed-loop opt-in procedure and IP address of the end device used for confirmation, data and time of any withdrawal of consent (e.g. deregistration from newsletters).

Participants in the talent management programme,

subscribers to Noerr Careers Events News.

Provision is not required by law or contract or for conclusion of a contract. There is no obligation to provide the data.

If the data are not provided, we cannot provides services (e.g. newsletters) which require consent.

We store the data relating to the relevant consent until consent has been withdrawn.

We store these data for evidence purposes for the establishment, exercise or defence of possible legal claims and in addition for a transitional period of three years from the end of the year in which the participant has deregistered and in the case of any legal dispute until such have been concluded.

II. Details on the processing of personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Organisation and execution of careers events, in particular the select of suitable participants based on the application and talent data requested in the pre-registration.

 

Master data,

contact data,

application data,

talent data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the execution of careers events.

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices,

IT service providers.

Implementation of the talent management programme, in particular the select of suitable talents for open positions and sending information on open positions and/or individual information. relating to the participant’s professional interests and objectives.

Master data,

contact data,

talent data,

consent data.

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 of the General Data Protection Regulation).

IT service providers.

Referral of the talents to the corresponding Noerr Notary's offices or Noerr companies if the talent has expressly requested this when making contact.

Master data,

contact data,

contact history,

application data,

talent data.

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 of the General Data Protection Regulation).

Dependent branches of Noerr LLP outside the EU,

Noerr companies,

Noerr notary’s offices,

IT service providers.

Analysis of the effectiveness of contact channels.

Contact history.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the analysis of the effectiveness of contact channels.

-

Sending Noerr Careers Events News to subscribers by e-mail.

Master data,

contact data,

consent data.

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 of the General Data Protection Regulation).

IT service providers.

Storage for a transitional period for evidence purposes for the establishment, exercise or defence of possible legal claims.

Master data,

contact data,

consent data.

No automated decision-making takes place.

Point (f) of Article 6 paragraph 1 of the General Data Protection Regulation (balancing of interests.

Our legitimate interest is the establishment, exercise or defence of legal claims.

IT service providers.

III. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Recipient’s location

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations

Dependent branches of Noerr LLP outside the EU

  • Office of Noerr LLP in New York, USA

Part of controller.

USA.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

However, the General Data Protection Regulation applies directly to our dependent branch in the USA anyway, so that an appropriate level of data protection exists anyway.

We also guarantee that for transfers to our dependent branch we comply with the obligations under the EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under Article 26 paragraph 4 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

IT service providers.

Processor.

Within the EU.

-

Noerr companies
in Germany:

  • NOERR Aktiengesellschaft Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft (NOERR AG)
  • Noerr Consulting AG

Controller.

Within the EU.

-

Noerr companies
in Spain:

  • Noerr Alicante IP, S.L.

Controller.

Within the EU.

-

Noerr companies
in the Republic of Slovakia:

  • Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in the Czech Republic:

  • Noerr s.r.o.

Controller.

Within the EU.

-

Noerr companies
in Hungary:

  • Kanzlei Noerr & Partner (= Noerr & Társai Iroda)

Controller.

Within the EU.

-

Noerr companies in Romania:

  • S.P.R.L. Menzer & Bachmann – Noerr
  • Noerr Finance & Tax S.R.L.

Controller.

Within the EU.

-

Noerr companies in Poland:

  • Noerr Biedecki sp.k.

Controller.

Within the EU.

-

Noerr companies
in the Russian Federation:

  • Noerr OOO

Controller.

Russian Federation.

No applicable adequacy decision of the EU within the meaning of Article 45 paragraph 3 of the General Data Protection Regulation exists.

Transfers are subject to EU standard contractual clauses in accordance with Article 46 paragraph 5 of the General Data Protection Regulation that were adopted under Article 26 paragraph 4 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our Data Protection Officer (see contact details in Section A).

 

Noerr notary’s offices:

  • Notary’s office Berlin (Dr Astrid Frense, Dr Dirk Lentfer, Felix Blobel, Dr Clemens  Schönemann)
  • Notary’s office Frankfurt (Dr Thorsten Reinhard, Dr Alexander Jänecke)

Controller.

Within the EU.

-

Suppliers

At our law firm we process personal data of our (potential) suppliers and their employees.

Suppliers are all natural persons or legal entities that manufacture and/or supply goods or provide services. Data of our suppliers can be personal data if the suppliers are natural persons. Data relating to the employees of our suppliers are also personal data.

We process the data of our (potential) suppliers and their employees for the following purposes:

  • Taking steps prior to entering into a contract, including pre-contractual correspondence,
  • performance of contracts with our suppliers, including contractual communication, exchange of services and payment processing,
  • proper accounting and storage to comply with contractual and statutory, in particular commercial law, tax law and retention obligations,
  • storage for evidence purposes for the establishment, exercise or defence of possible legal claims,
  • establishment, exercise or defence of legal claims, including coordination with external lawyers,
  • liaison with external tax advisors and/or auditors to comply with statutory obligations,
  • cooperation with courts and/or authorities to comply with statutory obligations,
  • business relationship management, including making contact to inform our (potential) suppliers and to maintain relationships with our (potential) suppliers.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Master data.

Company name, industry of our suppliers.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Contact data.

Name, position and company contact data (address, e-mail address, telephone number, fax number) of contact person at our suppliers.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Bank account data.

Account holder, bank, IBAN, BIC of our suppliers.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Communication data.

Content of business communication of our suppliers to us, in particular by post, e-mail, fax.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Connect of our business communication to our suppliers, in particular by post, e-mail, fax.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Circumstances of business communication with our suppliers, in particular parties involved, date/time and duration.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Contract data.

Information that we receive from our suppliers to take steps prior to entering into a contract and/or to perform contracts with our suppliers.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Data from written (including electronic) contract documents that we receive from our suppliers.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, the conclusion of performance of a contract may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Information that we may receive from third parties to take steps prior to entering into a contract and/or for the performance of contracts with our suppliers.

Third parties.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Data from written (including electronic) contract documents that we prepare.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Invoice data.

Data from invoices and payment reminders that we receive from our suppliers, in particular data, invoice items and invoice amounts.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provided, billing may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Payment data.

Data relating to payment transactions, in particular date and payment amounts.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Minutes data.

Data from minutes relating to the business content of appointments and meetings with our suppliers that we prepare to maintain the business relationship.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Analysis data.

Data from analyses of the business structure of the companies of our suppliers that we prepare for the strategic alignment of our business relationships.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

Date we receive from our suppliers from analyses of the companies of our suppliers that we prepare for the strategic alignment of our business relationships.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

If the data are not provided, we cannot take the data into account for the strategic alignment of our business relationships with our suppliers.

We store these data until the purposes of processing these data specified below have been achieved. 

Survey data.

Responses to our surveys on the voluntary assessment of the business from the supplier’s perspective.

Suppliers.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

If the data are not provided, we cannot take any survey results of this supplier into account. This does not otherwise have any effect on the business relationship.

We store these data until the purposes of processing these data specified below have been achieved.

II. Details on the processing of personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Taking steps prior to entering into a contract, including pre-contractual communication.

Master data,

contact data,

communication data,

contract data.

No automated decision-making takes place.

If the data subject is our (potential) supplier, the legal basis is taking steps at the request of the data subject prior to entering into a contract (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our (potential) supplier, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is taking steps at the request of our (potential) supplier prior to entering into a contract.

 

Shipping/courier service providers.

Performance of contracts with our suppliers, including contractual communication, exchange of services and payment processing.

Master data,

contact data

bank account data,

communication data,

contract data,

invoice data,

payment data.

No automated decision-making takes place.

If the data subject is our supplier, the legal basis is the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our supplier, the legal basis is a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our supplier.

Shipping/courier service providers,

IT service providers.

Proper accounting and storage to comply with contractual and statutory, in particular commercial law and tax law retention obligations.

Master data,

identification data,

contact data,

bank account data,

communication data,

contract data,

invoice data,

payment data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation), in particular compliance with statutory requirements for proper accounting and statutory, in particular professional ethics, commercial and tax law retention obligations.

If the data subject is our supplier, the legal basis is also the performance of a contract, to which the data subject is party (point (b) of Article 6 paragraph 1 of the General Data Protection Regulation).

If the data subject is not our supplier, the legal basis is also a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the performance of the contract with our supplier .

Accounting service providers,

archiving service providers.

Storage for evidence purposes for the establishment, exercise or defence of possible legal claims.

Master data,

contact data,

bank account data,

communication data,

contract data,

minutes data,

invoice data,

payment data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interests is the establishment, exercise or defence of legal claims.

Archiving service providers.

Establishment, exercise or defence of legal claims, including liaison with external lawyers.

Master data,

contact data,

bank account data,

communication data,

contract data,

invoice data,

payment data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interests is the establishment, exercise or defence of legal claims.

Courts and/or authorities,

external lawyers.

Liaison with external tax advisors and/or auditors to comply with statutory obligations.

Master data,

contact data,

bank account data,

communication data,

contract data,

invoice data,

payment data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

External tax advisors,

external auditors.

 

Cooperation with courts and/or authorities to comply with statutory obligations.

Master data,

contact data,

bank account data,

communication data,

contract data,

invoice data,

payment data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

Courts and/or authorities.

Business relationship management, making contact to inform our suppliers and to maintain relationships with our suppliers.

Master data,

contact data,

communication data,

contract data,

minutes data,

analysis data,

survey data.

No automated decision-making takes place.

The legal basis for business relationship management is generally a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the maintenance and strategic alignment of the relationships with our suppliers.

The legal basis for making contact to inform our suppliers can, depending on the circumstances of each individual case, in particular the way in which contact is made, either consent (point (a) of Article 6 paragraph 1 of the General Data Protection Regulation) or a balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is information our suppliers.

-

III. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Recipient’s location

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations

External lawyers.

Controller.

Depending on the location of the relevant external lawyer, within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

External auditors.

Controller.

Within the EU.

-

External tax advisors.

Controller.

Within the EU.

-

Courts and/or authorities.

Controller.

Depending on the location of the relevant court and/or the relevant authority, within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Shipping/courier service providers

Controller.

Within the EU.

-

IT service providers

Processor.

Within the EU.

-

Accounting service providers

Processor.

Within the EU.

-

Archiving service provider

Processor.

Within the EU.

-

Visitors

At our law firm we process the personal data of the visitors to our buildings and facilities. 
Visitors are all natural persons, with the exception of our employees, who visit our buildings and facilities. These can in particular be our (potential) suppliers and their employees.

We process data of our visitors for the following purposes:

  • Identification of our visitors and documentation of visits in order to maintain the safety of our buildings, facilities and employees, to ensure the safety of our visitors, to protect our property or the property of our suppliers,
  • planning and organisation of the details of the visit,
  • storage for evidence purposes for the possible establishment, exercise or defence of legal claims,
  • establishment, exercise or defence of legal claims, including cooperation with external lawyers,
  • cooperation with courts and/or authorities to comply with statutory obligations.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Master data.

Name, position, company, industry.

Visitors.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provides, a visit may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Contact data.

Address, e-mail address, telephone number, fax number.

Visitors.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provides, a visit may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Registration data.

Expected time, duration and purpose of visit, buildings or parts of buildings to be visited, arrival and departure.

Visitors.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provides, a visit may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Additional data.

Optional information on the visitor’s special catering requirements or other technical or organisational arrangements for the visit, such as barrier-free facilities.

Visitors.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

If the data are not provided, the visitor’s special requirements cannot be taken into account.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Visit data.

Actual time and duration of visit, information on buildings or parts of buildings visited.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Communication data.

Content of communication with visitors regarding the planning and organisation of visits, in particular via post, e-mail, telephone, fax.

Visitors.

Provision of the data is not required by law or contract. The data subject is not obliged to provide the data.

However, if the data are not provides, a visit may not be possible.

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

Content of communication with visitors regarding the planning and organisation of visits, in particular via post, e-mail, telephone, fax.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Circumstances of business communication with visitors, in particular those involved, time and duration.

Generated in-house.

-

We store these data until the purposes of processing these data specified below have been achieved.

We also store the data if other statutory, in particular commercial or tax law document retention obligations exist. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)).

 

Door camera data.

Footage from cameras in door intercoms.

Generated in-house.

-

These data are not stored beyond the communication process.

II. Details on the processing of personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Identification of our visitors and documentation of visits in order to maintain the safety of our buildings, facilities and employees, to ensure the safety of our visitors, to protect our property or the property of our suppliers.

This includes checking access authorisation and comparing the master and visit data specified during the visit with any master and registration data specified during any advance registration.

To identify visitors at entrances to our buildings and/or parts of buildings, we also use real-time video transmission in door intercom systems with video function. The transmission only takes place immediately and shortly after the doorbell has been activated. A video recording does not take place. We expressly refer to the video function in connection with the door intercom system (typically by means of pictograms on the door intercom system).

Master data,

contact data,

registration data,

visit data,

door camera data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is maintaining the safety of our buildings, facilities and employees, ensuring the safety of our visitors and protecting our property or the property of our suppliers. Our legitimate interest is also ensuring that appropriate data security measures in accordance with Article 32 of the General Data Protection Regulation have been implemented.

-

Planning and organisation of the details of the visit.

For this purpose, we may carry out advance registration of visitors prior to the visit.

In addition, we take into account any optional information from visitors regarding special catering requirements or other technical or organisational arrangements for the visit, such as barrier-free facilities.

Master data,

contact data,

registration data,

visit data,

additional data,

communication data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest is the planning and organisation of the details of the visit taking the special wishes and needs of the visitor into account.

-

Storage for evidence purposes for the possible establishment, exercise or defence of legal claims.

Master data,

contact data,

registration data,

visit data,

additional data,

communication data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest the establishment, exercise or defence of legal claims.

-

Establishment, exercise or defence of legal claims.

Master data,

contact data,

registration data,

visit data,

additional data,

communication data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 of the General Data Protection Regulation). Our legitimate interest the establishment, exercise or defence of legal claims.

Courts and/or authorities,

external lawyers.

Cooperation with courts and/or authorities to comply with statutory obligations.

Master data,

visit data.

No automated decision-making takes place.

Compliance with a legal obligation (point (c) of Article 6 paragraph 1 of the General Data Protection Regulation).

Courts and/or authorities.

 

III. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Recipient’s location

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations

External lawyers.

Controller.

Depending on the location of the relevant external lawyer, within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Courts and/or authorities.

Controller.

Depending on the location of the relevant court and/or the relevant authority, within or outside the EU.

We only transfer personal data to third countries and/or to international organisations to the extent that this is necessary to establish, exercise or defend legal claims (point (e) of Article 49 paragraph 1 of the General Data Protection Regulation).

Online services

In connection with the provision of our online offers, in particular our website and the offers provided on the website, we process personal data of users of our online offers.
We process data of the users of our online offers in particular to provide the offers in question.

More detailed information can be found in the following sections.

Informational use of the Website

When the use of the Website is purely informational, certain information, for example your IP address, is for technical reasons sent to our Website’s server by the browser used on your end device. We process this information in order to provide the Website content requested by you. To ensure the security of the IT infrastructure used to provide the Website, this information is also stored temporarily in what is referred to as a “web server log file”..

In order to facilitate an informational use of the Website by you, we use Cookies (see Section C) on the Website, by means of which personal data are processed.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories Sources of the data Obligation to provide the data Storage duration

Certain protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S) (“HTTP Data”) for technical reasons when the website is visited.

IP address, type and version of your internet browser, operating system used, last site accessed before visiting the Website (referrer URL), date and time of visit.

User of the Website.

There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content.

7 days, unless any security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and clarified in full.

Data stored on the user’s end device in cookies (see Section C.) strictly necessary to manage the cookie consents for this (“Opt-In Cookie Data”)

Consent and, where applicable, your individual selection for the use of cookies on your end device.

User of the Website

There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content.

We do not store these data on our systems.
See Section C.III.III on the validity period of the cookie.

Data stored on the user’s end device in cookies (see Section C.) strictly necessary to keep track of the user’s state on all Website pages requested by the user (“ASP.NET_SessionId [x2] Data” and “JSESSIONID Data”)

User preferences

User of the Website.

There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content.

We do not store these data on our systems.
See Section C.III.III on the validity period of the cookie.

Data stored on the user’s end device in cookies (see Section C.) strictly necessary to store the user’s preferred language (“Language Data”)

User’s preferred language

User of the Website.

There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content.

We do not store these data on our systems.
See Section C.III.III on the validity period of the cookie.


II. Details on the processing of the personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

HTTP data are temporarily processed on our web server for provision of the Website content requested by the user.

Http Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the Website content requested by the user.

Hosting-provider.

HTTP data are processed temporarily in web server log files to ensure the security of the IT infrastructure used to provide the Website, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).

Http Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest ensuring the security  of the IT infrastructure used to provide the Website, in particular identifying, eliminating and preserving evidence of disruptions (e.g. DDoS attacks).

Hosting-provider.

Data from cookies which are strictly necessary to provide the management of cookie consents (see Section C) are processed temporarily on our web server in order to identify, when the site is visited again, whether you have already given consent.

Opt-In Cookie Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the management of the cookie consents granted by the user for this Website.

Hosting-provider.

Data from strictly necessary cookies (see Section C) are processed temporarily on our web server in order to keep track of the user’s state on all Website pages requested by the user.

ASP.NET_SessionId [x2] Data and „JSESSIONID Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the informational function of the Website requested by the user.

Hosting-provider.

Data from strictly necessary cookies (see Section C) are processed temporarily on our web server in order to store the user’s preferred language.

Language Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the informational function of the Website requested by the user.

Hosting-provider.

Measurement of web audience and use of web analysis and web tracking technologies

To measure the web audience, visits to our website are recorded by “tracking pixels” and analysed in anonymised form. Tracking pixels are small graphics on websites that record a log file and allow a log file analysis of visits to the websites.

It you have given your consent to this, we also use web analysis technologies in order, by means of cookies (Section C.), to record and analyse the usage behaviour on our website to improve the website and better achieve the objectives of the website (e.g. frequency of visits, increase in number of page visits).

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Tracking pixels

Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) when the tracking pixels contained in our Website are accessed (“Tracking Pixel Data”).

Tracking pixels are small graphics on websites that allow recording of a log file and a log file analysis of visits to the websites.

IP address, type and version of your internet browser, operating system used, site accessed before visiting the Website (referrer URL), date and time of the visit.

User of the Website.

There is no obligation to provide the data. If the data are not provided, we cannot carry out any measurement of web audience.

An “IP anonymisation” is activated on this Website for the use of tracking pixels. The IP address transmitted is anonymised before storage by being shortened.

The other protocol data are not stored in a form allowing the data subject to be identified either.

etracker

Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web analysis tool etracker used on the Website is used (“etracker HTTP Data”).

IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), date and time of the visit.

User of the Website.

There is no obligation to provide the data. If the data are not provided, we cannot carry out any web analysis.

An “IP anonymisation” is activated on this Website for etracker. The IP address transmitted is anonymised before storage by shortening it.

Data which are stored in cookies (see Section C) on the user’s end device for etracker (“etracker Cookie Data”).

Unique visitor ID to identify returning visitors.

User of the Website.

There is no obligation to provide the data. If the data are not provided, we cannot carry out any web analysis.

We do not store these data on our systems.

See Section C.III. on the validity period of the cookie.

Data collected by etracker and stored in pseudonym usage profiles (“etracker Profile Data”).

Data about the use of the website, in particular page visits, visit frequency and time spent on the pages visited.

Generated autonomously.

-

-

Anonymous or pseudonymous data

Browser ID

User of the Website

There is no obligation to provide the data. If the data are not provided, we cannot send Push notifications.

We do not store these data on our systems.

See Section C.III. on the validity period of the cookie.

Albacross

Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web analysis tool etracker used on the Website is used (“etracker HTTP Data”).

The IP address from which you visited our website, and technical information that enables Albacross to tell apart different visitors from the same IP address.

User of the Website.

There is no obligation to provide the data. If the data are not provided, we cannot carry out any web analysis.

We do not store these data on our systems.

See Section C.III. on the validity period of the cookie.

Data which are stored in cookies (see Section C) on the user’s end device for etracker (“etracker Cookie Data”).

Unique visitor ID to identify returning visitors.

User of the Website 

There is no obligation to provide the data. If the data are not provided, we cannot carry out any web analysis.

We do not store these data on our systems.

See Section C.III. on the validity period of the cookie.

II. Details on the processing of the personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Tracking pixels:

To measure the web audience, the visits to our Website are recorded by “tracking pixels” and analysed in anonymised form.

Http Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the measurement of the web audience.

Hosting provider.

etracker:

To improve the Website and better achieve the objectives of the Website (e.g. frequency of visits, increase in number of page visits), the behaviour of users on our Website is recorded and analysed in pseudonymised form. Users of the Website are marked in pseudonymised form so that they can be recognised again on the Website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to examine where users come from, which areas of the Website they visit and how often and how long which subpages and categories are looked at.

You can object to the measurement at any time. Your objection has no negative consequences for you. You can exclude yourself from the count via the following link:

Exclude from the count

Http Data, Cookie Data,
Browser ID,
Profile Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the optimization of our online services and our web presence.

etracker GmbH

If web push notifications are activated, a service of the browser company is used to provide this function. Only anonymous or pseudonymised data are transmitted for sending push messages. You can object to receiving notifications at any time using the settings of your browser. For information on deregistration for web push notifications, visit the site for your browser here: Google Chrome , Mozilla Firefox , Apple Safari & Opera 

For these purposes cookies (see Section C) of the web analysis tool etracker are used.

 

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 GDPR)

etracker GmbH

Albacross:

Information collected from cookies set in your device that qualify as personal data will be processed by Albacross, a company offering lead identification and ad targeting services with offices in Stockholm and Krakow. Please see below for full contact details.

The purpose of the processing of the personal data is that it enables Albacross to improve a service rendered to us and our website (e.g “Lead Generation” service), by adding data to their database of companies

HTTP Data, Cookie Data, Profile Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the measurement of the web audience.

Albacross Nordic AB 

Newsletter

We offer you the possibility on the Website to subscribe to our personalised e-mail newsletter (“Noerr_news”). With Noerr_news we inform you expertly by e-mail about legal issues that are relevant for you. You can in this respect select the areas of law that interest you and thus compile the issues addressed in your Noerr_news yourself. We also invite you by e-mail to events relevant for you which we hold or participate in and contact you regarding special occasions.

Certain information, for example your e-mail address, is collected when you register for the Noerr_news and when you access the newsletter. We process this information for the provision of the Noerr_news.

You can unsubscribe from Noerr_news at any time, for example by using the link at the bottom of each newsletter. Alternatively, you can also send you unsubscription request at any time by e-mail to datenschutz@noerr.com.

In order to provide with the subscription/unsubscription form for our newsletter on our Website, we use cookies on the Website (see Section C.) with which personal data are processed.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Data we collect during the registration for the newsletter (“Registration Data”).

E-mail address (required), title, first name, last name (voluntary).

Newsletter subscribers.

There is no obligation to provide the data, but if the data are not provided, we cannot provide you with any newsletter.

We store these data as long as you are registered for our newsletter.  

We in addition store these data for evidence purposes for the establishment, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribed and in the event of any legal disputes until such have been concluded.

 

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) (“HTTP Data) for technical reasons when the subscription and unsubscription form for our newsletter on our website is accessed.

IP address, type and version of your internet browser, operating system used, site accessed before visiting the Website (referrer URL), date and time of the visit.

User of the Website

There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content.

7 days, unless any security-relevant event occurs (e.g. a DDoS attack). Data are then stored until the security-relevant event has been eliminated and clarified in full.

Protocol data which accrue for technical reasons during subscription and unsubscription of the newsletter (“Subscription and Unsubscription Data”).

Date and time of subscription to newsletter, date and time when registration notification is sent in double opt-in procedure, date and time of confirmation of registration in double opt-in procedure as well as IP address of the end device used for the confirmation, date and time of any unsubscription from newsletter.

Newsletter subscribers.

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.
If the data are not provided, we cannot provide with you any newsletter.

We store these data as long as you are registered for our newsletter.

We in addition store these data for evidence purposes for the establishment, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribed and in the event of any legal disputes until such have been concluded.

Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) when the tracking pixels contained in our newsletter is accessed (“Tracking Pixel Data”).

Tracking pixels are small graphics in HTML e-mails that allow recording of a log file and a log file analysis of access to the e-mails.

IP address, type and version of your internet browser, operating system used, page accessed, site accessed before visiting the Website (referrer URL), date and time of the visit.

Newsletter subscribers.

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data, but if the data are not provided, we cannot any analysis of newsletter usage behaviour.

We store these data as long as you are registered for our newsletter.

Data in usage profiles that we create by analysing usage behaviour regarding the newsletter using pseudonyms (“Usage Profile Data”).

Data about the use of the newsletter, in particular, access, access frequency and time spent in accessed newsletters.

Generated autonomously.

-

We store these data as long as you are registered for our newsletter.

II. Details on the processing of the personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Sending of Noerr_news, invitations to events and information about special occasions. Use of the information provided voluntarily to personalise Noerr_news and the targeted selection of relevant information. We use the title and your name specified during registration to address you personally in our newsletter.

Registration Data, Subscription and Unsubscription Data.

No automated decision-making takes place.

Consent (point (a) of Article 6 (1) GDPR)

If you download a whitepaper offered for download by us and subscribe to our newsletter in return when entering into the contract, the legal basis for mailing our newsletters is performance of the contract (point (b) of Article 6 paragraph 1 GDPR). In cases where we ask to use your data in return for the download, we state this clearly in the terms and conditions of participation for conclusion of the contract.

 

Inxmail GmbH

HTTP Data are processed temporarily on our web service to provide the newsletter subscription/unsubscription form on our Website.

Http Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is provision of the website content requested by the user.

Hosting provider.

Data from strictly necessary cookies (see Section C) are processed temporarily on our web server to provide the newsletter subscription/unsubscription form on our Website.

Form Cookie-Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is provision of the website content requested by the user.

Hosting provider.

“Double opt-in” procedure to confirm the subscription.

For this we send an e-mail message requesting confirmation to the e-mail address given by you when registering for the newsletter. Any subscription first becomes effective when the subscriber has confirmed the e-mail address by accessing the confirmation link in the e-mail.

Registration Data, Subscription and Unsubscription Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the legally secure documentation of your consent to receiving the newsletter.

Inxmail GmbH

Storage and processing for evidence purposes for any establishment, exercise or defence of legal claims.

Registration Data, Subscription and Unsubscription Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the establishment, exercise and defence of legal claims.

Inxmail GmbH

Analysis of the usage behaviour of newsletter subscribers and creation of usage profiles using pseudonyms for the purposes of personalising the newsletter.

Registration Data, Subscription and Unsubscription Data, Tracking Pixel Data, Usage Profile Data.

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 GDPR)

Inxmail GmbH

Use of the webinar function

Webinars are online presentations or events with a speaker who gives a live speech. Using Noerr webinars (webinare.noerr.com) requires registration as a member. Your name, your valid e-mail address and a password are required to register as a member. The password specified by you is stored by us in encrypted form. To inform other members about yourself you can describe yourself in more detail by providing more data in your member profile. Under Settings -> Privacy in your member account you can, however, determine which persons can access your member profile to what extent. Your address, telephone number, e-mail address and bank details are not shown in your member profile.

 

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Data that we collect during registration (“Registration Data”).

E-mail address, title, first name, last name, password.

Webinar user.

There is no obligation to provide the data, but if the data are not provided, participation in webinars is not possible.

We store these data as long as you subscribe for webinars.

We in addition store these data for evidence purposes for the establishment, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribe and in the event of any legal disputes until such have been concluded.

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the subscription/unsubscription form for webinars is accessed (“HTTP Data”).

IP address, type and version of your Internet browser, operating system used, page accessed, site accessed before visiting the Website (referrer URL), date and time of the visit.

Users of the Website.

There is no obligation to provide the data, but if the data are not provided, we cannot provide you with the webinar function.

7 days, unless any security-relevant event occurs (e.g. a DDoS attack). Data are then stored until the security-relevant event has been eliminated and clarified in full.

Data stored on the user’s end device in cookies (see Section C) strictly necessary to provide the subscription/subscription form for our webinars (“Webinar Form Cookie Data”).

language preferences

Users of the Website.

There is no obligation to provide the data, but if the data are not provided, we cannot provide you with the webinar function.

Deleted after session

Protocol data which accrue for technical reasons during webinar subscription/unsubscription (“Subscription and Unsubscription Data”).

Date and time of subscription, date and time subscription message is sent, date and of time subscription confirmation as well as IP address of device used for confirmation, date and time of any unsubscription.

Webinar users.

There is no obligation to provide the data, but if the data are not provided we cannot provide you with the webinar function.

We store these data as long as you subscribe for webinars.

We in addition store these data for evidence purposes for the establishment, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribe and in the event of any legal disputes until such have been concluded.

Data in usage profiles which we create by analysing the usage behaviour of webinar participants using pseudonyms (“Usage Profile Data”).

Data on the use of the webinar functions, in particular access, access frequency and time spent using function.

Generated autonomously.

-

We only store these data as long as you subscribe for our webinars.

II. Details on the processing of the personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Provision and streaming of webinars after subscription in registered user area.

Registration Data, Subscription and Unsubscription Data, webinars accessed.

No automated decision-making takes place.

Performance of a contract (point (b) of Article 6 paragraph 1 GDPR).

edudip GmbH

HTTP Data are processed temporarily on our web server to provide the subscription/unsubscription form for webinars on the Website.

HTTP Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the Website content requested by the user.

Hosting provider

Data from strictly necessary cookies (see Section C) are processed temporarily on our web server to provide the subscription/unsubscription form for webinars on the Website.

Form Cookie Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the Website content requested by the user.

Hosting provider

“Double opt-in procedure to confirm subscription. For this we send an e-mail message requesting confirmation to the e-mail address given by you when registering for webinars.

Subscription and Unsubscription Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the legally secure documentation of your consent to participation in webinars.

edudip GmbH

Storage and processing for evidence purposes for any establishment, exercise or defence of legal claims.

Subscription and Unsubscription Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the establishment, exercise and defence of legal claims.

edudip GmbH

Analysis of the usage behaviour of webinar participants in the registered area and creation of usage profiles using pseudonyms

Subscription and Unsubscription Data, Tracking Pixel Data, Usage Profile Data.

No automated decision-making takes place.

Consent (point (a) of Article 6 paragraph 1 GDPR)

edudip GmbH

Job applicant management

We offer you the possibility on the Website to apply for a job with us using a contact form (“Job Applicant Platform”). We process personal data in this respect for technical operation of the Job Applicant Platform and conduct the application and, if applicable, hiring process.

I. Details on the personal data that are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation to provide the data

Storage duration

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the platform is accessed (“HTTP Data”).

IP address, type and version of your Internet browser, operating system used, page accessed, site accessed before visiting the Website (referrer URL), date and time of the visit.

User of the platform as a data subject.

There is no obligation to provide the data, but if the data are not provided it is not possible to use the platform.

Data are stored in server log files in a form allowing data subjects to be identified for a maximum of 7 days, unless any security-relevant  event occurs (e.g. a DDoS attack). If a security-relevant event occurs, server log files are stored until the security-relevant event has been eliminated and clarified in full

Data specified by the applicant (“Applicant Data”)

Obligatory information: title, first name, last name, e-mail address.

Optional information: date of birth, profile picture and additional documents, e.g. CV, covering letter, overall assessment, certificates and references.

 

Job applicant as a data subject.

The provision of the data is in principle voluntary, but if the data are not provided, an application process and, if applicable a hiring are not possible.

 

If an application is successful, we transfer the data to the personnel file and store the data beyond the period of the application process in accordance with the applicable statutory provisions. If an applicant withdraws his/her application, the application is unsuccessful or the applicant deletes his/her applicant profile, we store the data beyond the period of the application process for an additional six months.

Additional internal comments store by Noerr in an applicant profile (“Applicant Comments Data”). These internal comments cannot be accessed on the platform by applicants.

Perceptions from interviews, feedback and assessments.

Generated autonomously.

-

-

II. Details on the processing of the personal data

Purpose of processing the personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

HTTP Data are processed temporarily on our web server to provide the platform content requested by the user.

HTTP Data, Login Data.

No automated decision-making takes place.

Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the platform content requested by the user.

-

Conducting the application process, in particular reviewing applications, contacting the applicant and conducting interviews to assess and select suitable applicants.

Applicant Data, Applicant Comments Data.

No automated decision-making takes place.

Taking steps prior to entering into a contract (point (f) of Article 6 paragraph 1 GDPR).

HR Department, the employee responsible in each case for any hiring of the applicant, (other) employees participating in the interview as co-interviewers.

Conducting the hiring process following a successful application, in particular conclusion of an employment contract.

HR data

No automated decision-making takes place.

Taking steps prior to entering into a contract (point (f) of Article 6 paragraph 1 GDPR).

-

C. Information on the use of Cookies

We use cookies in connection with the Website and the offers provided on the Website. We use the processing and storage functions of your end device’s browser and collect information from the memory of your end device’s browser.

I. General information regarding cookies

Cookies are small text files with information that can be placed on a user’s end device through its browser when a website is visited. When the website is visited again with the same end device, the cookie and the information it contains can be retrieved.

First-party and third-party-cookies – Depending on where a cookie comes from, a distinction can be made between first-party cookies and third-party cookies:

First-party cookies

Cookies that are placed and accessed by the operator of the website as the controller or a processor engaged by it.

Third-party cookies

Cookies that are placed and accessed by controllers other than the operator of the website that are not processors engaged by the operator of the website.

Transient and persistent cookies – A distinction can be made between transient and persistent cookies depending on how long they remain active:

Transient cookies
(session cookies)

Cookies that are automatically deleted when you close your browser.

Persistent cookies

Cookies that remain stored on your end device for a certain period of time after the browser is closed.

Consent-free cookies and cookies requiring consent– Users’ consent is required for some cookies depending on their function and purpose of use. Thus, a distinction can be made between cookies that require users’ consent and those that do not:

Consent-free cookies

Cookies whose sole purpose is transmit a message using an electronic communication network.

Cookies that are necessary so that the party offering a service that has been expressly requested by a participant or user can provide this service (“Necessary Cookies”)

Cookies requiring consent

Cookies for all purposes of use other than the abovementioned.

II. Management of the cookies used on this Website

Granting consent to the use of cookies and management of cookies using a cookie dashboard  

If a user’s consent is necessary for the use of certain cookies, we only use these cookies when you use our Website if you have previously granted your consent to this. You can find information as to whether the use of a particular cookie requires consent in the information on the cookies used on this Website in Section C.III of this cookie information.

When you visit our Website, we display a “cookie banner” in which you can declare your consent to the use of cookies on this Website by clicking on a button “settings”. When you click on the button, you have the option of giving your consent to the use of all of the cookies described in detail in Section C.III of this cookie information. In the next Section you also have the option, by clicking on “Change your consent”, to choose individual cookies and changing your individual selections at a later point in time.

We also store your consent and any individual cookies you have selected in the form of a cookie (“opt-in cookie”) on your end device in order to determine, when you visit the Website again, whether you have granted your consent. The opt-in cookie has a limited effective period of twelve months.

Necessary Cookies cannot be deactivated using the cookie management function of this Website. However, you can deactivate these cookies in general at any time in your browser.

Managing cookies using browser settings 

You can also manage cookies using your browser’s settings. Different browsers have different ways to configure cookie settings. You can find more extensive information on this, for example at http://www.allaboutcookies.org/ge/cookies-verwalten/.

However, we would like to point out that some functions of the Website may not work properly or at all if you deactivate cookies in general in your browser.

D. Information on the rights of data subjects

You can contact us for the purpose of exercising your rights using the contact details in Section A.

Right to access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Article 15 paragraph 1 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (points (a), (b) and (c) of Article 15 paragraph 1 of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation.

Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation.

Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you generally have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (point (a) of Article 17 paragraph 1 of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17 paragraph 2 of the General Data Protection Regulation .

Where we have made the personal data public and are obliged to erase the personal data, we, taking account of available technology and the cost of implementation, are also obliged to take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data (Article 17 paragraph 2 of the General Data Protection Regulation.

The right to erasure (“right to be forgotten”) does not by exception apply if the processing is necessary for one of the reasons listed in Article 17 paragraph 3 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (points (b) and (e) of Article 17 paragraph 3 of the General Data Protection Regulation).

You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the General Data Protection Regulation.

Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (point (a) of Article 18 paragraph 1 of the General Data Protection Regulation).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4 paragraph 3 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation.

Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation and the processing is carried out by automated means (Article 20 paragraph 1 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Sections B of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Article 20 paragraph 2 of the General Data Protection Regulation).

You can find the full extent of your right to data portability in Article 20 of the General Data Protection Regulation.
 

Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object .

More detailed information on this is given below:

Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6 paragraph 1, including profiling based on those provisions.

You can find information as to whether an instance of processing is based on point (e) or (f) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Sections B  of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation.

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Sections B  of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation.

Right to withdraw consent

Where an instance of processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation, as a data subject, you have the right, pursuant to Article 7 paragraph 3 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation in the information regarding the legal basis of processing in Sections B of this Data Protection Information.

Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

The supervisory authority responsible for us is::

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
Telephone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
E-mail: poststelle@lda.bayern.de

E. Information about the General Data Protection Regulation terminology used in this Data Protection Information 

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation. 
The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

"Processor"

Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"Special categories of personal data”

Means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;

“Data subject”

Means the respective identified or identifiable natural person, to which the personal Data refers to;

“Third country”

Means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Third party”

Means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“Recipient”

Means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“International organisation”

Means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Personal data”

Means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Profiling”

Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller”

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processing”

Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

F. Status of and changes to this Data Protection Information

This Data Protection Information was last modified on 5 February 2019.
It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.
An up-to-date version of this Data Protection Information can be retrieved at any time at www.noerr.com/datenschutz.