Privacy Policy
Thank you for your interest in our online presence. Below, we inform you about which data Schürmann Rosenthal Dreyer Rechtsanwälte ("we") collects and processes for which purposes when you use our website and other services described below.
- Contact Person
- Data Processing on Our Website
- Use of Cookies and Similar Technologies for Usage Analysis and Online Advertising
- Online Presence on Social Networks
- Online Meetings via "Teams"
- Data Sharing
- Data Transfer to Third Countries
- Storage Duration
- Your Rights
- Right of Withdrawal and Objection
1. Contact Person
The contact person and responsible party within the meaning of the EU General Data Protection Regulation (GDPR) for the processing of your personal data when visiting this website is Schürmann Rosenthal Dreyer Rechtsanwälte Partnerschaft von Rechtsanwälten mbB, Office Berlin, Am Hamburger Bahnhof 4, 10557 Berlin. If you have any questions, we are happy to assist you. Our full contact details can be found in our legal notice. You can also address your data protection concerns by email to our data protection officer at privacy@srd-rechtsanwaelte.de or by post to the postal address provided in the legal notice (keyword: "Attn: Data Protection Officer"). We explicitly point out that the contents of emails sent to this address are not exclusively accessed by our data protection officer. If you wish to exchange confidential information, please first request direct contact via this email address.
2. Data Processing on Our Website
a. Website Access / Connection Data: Each time you use our website, we collect connection data automatically transmitted by your browser to enable you to visit the website. The connection data includes HTTP header information, including the user-agent, and specifically:
- IP address of the requesting device,
- Method (e.g., GET, POST), date, and time of the request,
- Address of the accessed website and path of the requested file,
- Possibly the previously accessed/requesting website/file (HTTP referer),
- Information about the browser and operating system used,
- Version of the HTTP protocol, HTTP status code, file size delivered,
- Request information such as language, type of content, content encoding, and character sets.
Additionally, we store the security cookie "csrf_https-contao_csrf_token" on your device for the duration of the session to prevent cyberattacks through so-called Cross-Site Request Forgery (CSRF).
Processing of this connection data and storing the security cookie is essential to enable the website visit, ensure the long-term functionality and security of our systems, and generally maintain our website administratively. The connection data is also temporarily stored in internal log files for the purposes described above, limited to what is necessary, to identify and counteract potential repeated or criminally intended accesses that could jeopardize the stability and security of our website.
The legal basis is Art. 6 para. 1 lit. b GDPR, provided the page visit occurs in the context of initiating or performing a contract, and otherwise Art. 6 para. 1 lit. f GDPR based on our legitimate interest in enabling the website visit and ensuring the long-term functionality and security of our systems. Access to and storage of information on the device is absolutely necessary and based on the implementation laws of the EU ePrivacy Directive by the EU member states, in Germany according to § 25 para. 2 no. 2 TDDDG.
For privacy reasons, log files are not permanently stored or analyzed.
b. Contact: You have various ways to contact us, including through the contact form, a phone call, or an email using the above-mentioned contact addresses. We process data solely for the purpose of communicating with you. If you send us messages directly via a contact form or register for our events through the contact forms, providing an email address where we can reach you is required. We also ask for your name to address you personally. Required fields are marked as such.
We process the data you provide to respond to your inquiry. The legal basis for the described data processing is Art. 6 para. 1 lit. b GDPR, to the extent your information is needed to answer your inquiry or to initiate or perform a contract, and otherwise Art. 6 para. 1 lit. f GDPR based on our legitimate interest in allowing you to contact us and us being able to respond to your inquiry. The data collected during the contact will be automatically deleted after your request has been fully processed unless we still need your request to fulfill contractual or legal obligations.
c. Newsletter: You have the option to subscribe to our newsletter, which regularly informs you about articles on data protection, IT, and competition law, practical recommendations, events, and lectures. To order the newsletter, we collect your email address and, in the case of events, additionally your name and possibly the company name.
We use the double opt-in procedure for newsletter subscriptions, meaning we will only send you newsletters via email if you confirm in our notification email by clicking a link that you are the owner of the provided email address. If you confirm your email address, we store your email address, the time of registration, and the IP address used for registration until you unsubscribe from the newsletter. The storage serves only to send you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link is included in every newsletter. A message to the contact details provided above or in the newsletter (e.g., by email or letter) is also sufficient.
In our newsletters, we use so-called pixels (tiny, invisible image files) to measure the open rate and links where we can measure the click on the link before redirecting to the target page. This data processing is carried out exclusively aggregated for statistical evaluation as well as for optimizing and further developing our content and customer communication. There is no usage analysis at the level of individual recipients. Additionally, it is recorded whether newsletters could be delivered and to which email addresses delivery was not possible. There is no linkage with other data. You can prevent the open rate measurement by disabling the loading of images in your email client.
Once you unsubscribe from the newsletter, your registration data will be deleted. Deletion also occurs promptly if you do not confirm the newsletter registration.
We use Brevo, a service of Sendinblue GmbH, Datenschutzbeauftragter, Köpenicker Straße 126, 10179 Berlin, Germany ("Brevo"), for sending our newsletters. We use Brevo for email marketing in case of a newsletter subscription on our website and for transactional emails, such as when downloading a white paper. We have signed a data processing agreement with Brevo. Your data is stored by Brevo in Germany or the European Union and transmitted encrypted. To the extent Brevo works with subprocessors whose parent company is not located in the European Union, Brevo and its subprocessors have executed standard contractual clauses and taken additional measures to protect the data. Anonymized data about newsletter usage (e.g., clicks, openings) is used for aggregated statistical evaluation within the framework of Brevo usage.
The legal basis for sending the newsletter, aggregated usage analysis, and determining deliverability is your consent according to Art. 6 para. 1 lit. a GDPR.
d. Google Maps: On the contact page, we use the Google Maps map service, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). To embed the Google map material we use and display it in your web browser, your web browser must establish a connection to a Google server, which may also be located in the USA. Google thereby receives the information that the contact page of our website was accessed from your device's IP address.
The legal basis is your consent, which you may have given for the data processing under Art. 6 para. 1 lit. a GDPR in the consent banner. Without your consent, no connection to Google's servers will be made. You can revoke your consent at any time or adjust your selection (see 3.). Access to and storage of information on the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TDDDG. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer is based on Google's certification under the EU-US Data Privacy Framework and the adequacy decision for the USA.
If you access the Google Maps service on our website while logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to associate it with your Google profile, you must log out of Google before accessing our contact page. Google stores your data and uses it for advertising, market research, and personalized display of Google Maps.
For more information, see Google's privacy policy and the Additional Terms of Service for Google Maps.
e. Job Applications: You can apply for open positions with us by email or via our career portal. The purpose of data collection is to select applicants for a possible employment relationship. To process your application, we collect the data you provide (typically: first and last name; email address; application documents such as certificates and resume; date of the earliest possible job entry; channel through which you became aware of the job advertisement; if applicable, telephone number, salary expectations, Xing or LinkedIn profile). We would like to point out that confidentiality cannot be guaranteed when sending applications via unencrypted email. In general, you can also apply for our positions by post.
We use the Personio software provided by Personio GmbH, Rundfunkplatz 4, 80335 Munich, for our career portal at srd-rechtsanwaelte.jobs.personio.de and to manage applications. We have signed a data processing agreement with Personio. Your application data is stored and transmitted encrypted by Personio in Germany or the European Union. If Personio works with subprocessors whose parent company is not located in the European Union, the data transfer is based on the EU-US Data Privacy Framework and/or Personio and its subprocessors have executed standard contractual clauses and taken additional measures to protect the data. This includes, in particular, the encryption of data using a self-created master encryption key that remains in the Personio domain.
The legal basis for processing your application documents is Art. 6 para. 1 lit. b and Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG.
When visiting the career portal, log files (server logs, error logs) are also created (see section 2.a), which Personio processes independently. For this, we refer to the statements of Personio at the end of the privacy policy on the career portal. The legal basis for this is the legitimate interest of Personio in providing the career portal, Art. 6 para. 1 lit. f GDPR. If information is read or stored on your device when accessing our career portal (e.g., storing the language in a cookie), this is absolutely necessary to provide the career portal and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG.
We store your personal data upon receiving your application. If we accept your application and an employment relationship is established, we store your application data as long as it is necessary for the employment relationship and as long as legal regulations justify an obligation to retain them.
If we reject your application, we store your application data for a maximum of three months after rejecting your application unless you consent to longer storage. If you have given us your consent, we will store your application data for up to twelve months in our applicant pool to identify and potentially contact you about other suitable positions. After the period expires, the data will be deleted. You can revoke this consent at any time by sending an email to karriere@srd-rechtsanwaelte.de.
f. Embedded Fonts and Icons: We embed fonts and style files from Adobe Typekit, provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland, as well as icons and style files from Font Awesome provided by Fonticons Inc., 307 S Main St Ste 202 Bentonville, AR, 72712-9214 USA, to display our website content. The embedding is done externally to comply with the licensing terms and enable the billing of the costs associated with using the fonts and icons. Only the usual connection data is transmitted automatically, and no information is stored or retrieved on your device.
The legal basis is Art. 6 para. 1 lit. f GDPR based on our legitimate interest in embedding our website content optimally and displaying it as intended.
In the event that personal data is transferred from Adobe Systems Software Ireland Limited to Adobe Inc. in the USA, the data transfer is based on Adobe Inc.'s certification under the EU-US Data Privacy Framework and the adequacy decision for the USA.
3. Use of Cookies and Similar Technologies for Usage Analysis and Online Advertising
To improve the presentation of content on our website, we use cookies and similar technologies (e.g., local storage, fingerprints, pixels, web beacons) for the statistical collection and analysis of general usage behavior based on access data. Additionally, we use services from external providers who process the access data collected when using our website to enable interest-based advertising, such as in the context of search queries.
Optional cookies and similar technologies for marketing and analysis purposes are only used if you have given your consent to the data processing according to Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the device is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TDDDG.
a. Usercentrics: Our website uses Usercentrics from Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany, to capture and manage consents and any withdrawals. When you make a decision in the consent banner, information is stored on your device and transmitted to Usercentrics, which records your consent or rejection. The following cookies or elements in the local or session storage are stored on your device:
- "uc_user_interaction": Storage of the interaction with Usercentrics;
- "uc_ui_version": Storage of the Usercentrics version;
- "uc_settings": Storage of consent decision and history;
- "uc_user_country": Storage of the country, region, or city;
- "uc_gcm": Storage of the consent decision regarding the various Google categories for the use of analytics and advertising services.
The data processing is based on Art. 6 para. 1 lit. f GDPR to document your consent. Access to and storage of information on the device is absolutely necessary in these cases and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG. If you delete your cookies or elements in web storage, or if the storage period has expired, we will ask for your consent again during a subsequent site visit.
You can withdraw your consent at any time or adjust the selection of tools by clicking on the following link: Privacy Settings
b. Google Tag Manager: Our website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for persons from the European Economic Area and Switzerland, and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") for all others.
The Tag Manager is used to manage the tools and external services we use on our website and allows the use of so-called tags. A tag is a code element stored in the website's source code to control, for example, which pages or service elements and tools are activated and loaded in which order. The tool triggers other tags, which may themselves collect data and are further explained in this privacy policy. Some of the data may be processed on a Google server in the USA.
We have signed a data processing agreement with Google Ireland Limited for the use of Google Tag Manager. If personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer is based on Google's certification under the EU-US Data Privacy Framework and the adequacy decision for the USA.
More information about Google Tag Manager can be found in Google's information on the Tag Manager.
c. Google Analytics 4: Our website uses the web analytics service Google Analytics 4, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for persons from Europe, the Middle East, and Africa (EMEA), and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") for all others. We integrate Google Analytics 4 through Google Tag Manager. If you have not agreed to the use of analytics tools, your data will not be collected by Google Analytics 4.
Google Analytics 4 uses JavaScript and pixels to read information from your device, as well as cookies to store information on your device. This is to analyze your usage behavior and improve our website. The access data is compiled into pseudonymous usage profiles by Google on our behalf and transmitted to a Google server in the USA. We will process the obtained information to evaluate your use of the website and compile reports on website activity.
As part of the evaluation, Google Analytics 4 also uses artificial intelligence, such as machine learning, to automate the analysis and enrichment of data. For example, Google Analytics 4 models conversions when there is insufficient data to optimize the evaluation and reports. Data evaluations are automated using artificial intelligence or based on specific individually defined criteria. More on this can be found in the related Google documentation.
The usage data collected by Google Analytics 4 is enriched with data from Google Search Console and linked with Google Ads data to measure the success of our advertising campaigns (so-called conversions).
Data processed by Google Analytics 4 may include:
- IP address;
- User ID and device ID;
- Referrer URL (previously visited page);
- Pages visited (date, time, URL, title, time spent);
- Downloaded files;
- Clicked links to other websites;
- Achievement of specific goals (conversions);
- Technical information (operating system; browser type, version, and language; device type, brand, model, and resolution);
- Approximate location (country, region, and possibly city, based on anonymized IP address).
Privacy settings: The following privacy settings have been made in Google Analytics 4:
- Anonymization of IP address;
- Disabled advertising function;
- Disabled personalized advertising;
- Disabled remarketing;
- Retention period of 2 months (and no resetting of the retention period for new activity);
- Disabled cross-device and cross-site tracking (Google Signals);
- Disabled data sharing (especially Google products and services, benchmarking, technical support, account specialist).
Cookies used: Google Analytics 4 sets the following cookies for the specified purpose with the respective storage duration:
- "_ga" (2 years) and "_gid" (24 hours): Recognition and differentiation of visitors through a user ID;
- "_ga_DMNNDP0519" (2 years): Retention of current session information.
We have signed a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. If personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer is based on Google's certification under the EU-US Data Privacy Framework and the adequacy decision for the USA.
More information on Google Analytics 4 can be found in Google's privacy notice and the Google Analytics privacy policy. Additional information about the cookies used by Google Analytics 4 can also be found in Google's documentation.
d. Google Ads Conversion Tracking: Our websites use "Google Ads Conversion Tracking," provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for persons from Europe, the Middle East, and Africa (EMEA), and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") for all others. We integrate Google Ads Conversion Tracking through Google Tag Manager. If you have not agreed to the use of marketing tools, your data will not be collected by Google Ads Conversion Tracking.
The service captures and analyzes customer actions defined by us (such as clicking a button, visiting a page, downloading a file, submitting a form). Additionally, we also capture events (such as time spent on the page, scrolling, interacting with the page and forms). This helps us evaluate the success of campaigns and advertisements and optimize our website design. We also use and analyze parameters in the URL (such as the source of the visit (e.g., a domain), campaign type, visit channel (e.g., email, search engine)) to better measure the campaigns and assign them to users.
For this purpose, the service uses cookies, JavaScript, pixels, and other technologies. Google processes the data to improve the quality and accuracy of conversions. The data collected in this context may be transmitted to and stored on a Google server in the USA for evaluation.
Google sets and reads the following cookies:
- "_gcl_au" (90 days): Conversion tracking, storing ad clicks.
If personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer is based on Google's certification under the EU-US Data Privacy Framework and the adequacy decision for the USA.
More information can be found in Google's privacy policy: https://policies.google.com/privacy.
e. Server-Side Tracking: Our website uses services from TAGGRS B.V., 8442 EZ Heerenveen, Coehoorn van Scheltingaweg 1P, Netherlands ("Taggrs") for server-side tracking. The services of Taggrs collect usage, browser, and device data, including IP address and user agent, server-side, and further process them. The purpose of processing is to evaluate usage data for statistics and measure and optimize conversions. This helps to adapt and improve our website and content. Taggrs uses servers of the service provider TransIP B.V., Vondellaan 47, 2332 AA Leiden, Netherlands within the European Economic Area.
4. Online Presence on Social Networks
We maintain various online presences on social networks to communicate with interested parties and inform them about our products and services:
- Facebook Fanpage of Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland ("Facebook")
- LinkedIn Company Page of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn")
- Xing Company Profile of New Work SE, Am Strandkai 1, 20457 Hamburg ("Xing")
- X Profile of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland ("X")
In the context of operating our online presences on social networks, we may access information such as statistics on the use of our online presences provided by the operator of the social network. These statistics are aggregated and may include demographic information (e.g., age, gender, region, country), employment-related information (e.g., job, function, industry, work experience, company size), and data on interaction with our online presence (e.g., likes, shares, subscriptions, viewing pictures and videos) and the posts and content shared through it. These may also provide insights into users' interests and which content and topics are particularly relevant to them. We may use this information to adjust and optimize our activities and content on the online presences. The collection and use of these statistics are subject to joint responsibility with the social network operator.
Further information on joint responsibility, the nature and extent of these statistics, and the contact details of the social network can be found at:
- Facebook: Information on Page Insights Data
- LinkedIn: Page Insights Joint Controller Addendum (the "Addendum")
The legal basis for this data processing is Art. 6 para. 1 lit. b GDPR to stay in contact with our customers and inform them and to carry out pre-contractual measures with interested parties, as well as Art. 6 para. 1 lit. f GDPR based on our legitimate interest in effective information and communication with users.
We have no control over the data processed by the social network under its own responsibility according to its terms of use. However, we point out that data on your usage behavior may be transmitted to the social network operator when visiting the online presence. The social network operators may process the aforementioned information to create more detailed statistics and for their market research and advertising purposes, over which we have no control. For this purpose, cookies and other identifiers may be stored on the computers of the affected persons. Based on these usage profiles, advertisements may be displayed within the social network and on third-party websites. More information can be found in the social networks' privacy notices:
- X
If we receive your personal data while operating the online presence on social networks, you have the rights described in this privacy policy. If you wish to assert your rights against the social network operator, you can most easily contact them directly. The operator knows both the technical operation details of the platform and the related data processing and can implement appropriate measures if you exercise your rights. We are happy to support you in asserting your rights, as far as possible, and forward your requests to the social network operator.
5. Online Meetings via "Teams"
a. Participation in Meetings: We use "Teams" to conduct online meetings, phone conferences, and/or webinars (collectively referred to as "Meetings"). Teams is software provided by Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"), available as a desktop, web, and mobile app. We use it particularly for digital consultations and breakfast workshops.
The legal basis for data processing to conduct meetings via Teams is our legitimate interest in the effective and straightforward execution of online meetings, discussion rounds, and presentations according to Art. 6 para. 1 lit. f GDPR. If the meetings are conducted in the context of existing contractual relationships with you, the legal basis is Art. 6 para. 1 lit. b GDPR. We are not responsible for further data processing on the Teams product website, where the desktop software can be downloaded, and the web app used.
During a meeting, the following data may be processed:
- Participant information: possibly display name, first name, last name, phone number, email address, password (encrypted for authentication), profile picture;
- Metadata: meeting subject and description, IP address, participant's phone number, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of the participant's last activity on Teams, number of chat and channel messages, number of meetings attended, duration of time for audio, video, and screen sharing;
- When using chat or channel messages: text data for display and possibly logging;
- When using audio: recording data from the microphone;
- When using video: recording data from the video camera;
- When recording: audio, video, and screen sharing for cloud storage/Microsoft Stream;
- When using phone: incoming and outgoing phone numbers, country name, start and end time, possibly further connection data such as the IP address of the device.
Before a meeting, you register through our website or via email. Your registration data is processed by us. Before the meeting, you receive a confirmation email with an invitation link or a calendar appointment.
To participate in a meeting, you must provide at least your name and – if using the phone – your phone number unless we allow anonymous participation in meetings. In the latter case, we will inform you of this possibility of anonymous participation in the invitation. You can deactivate the microphone and camera transmission at any time via the corresponding settings. We only record meetings or log text data with your consent and prior notice. Microsoft may become aware of the above data in the course of processing it on our behalf. All data traffic is encrypted (MTLS, TLS, or SRTP), and the encrypted data storage generally takes place on servers within the European Economic Area (EEA). Where possible, we also enable end-to-end encryption. If data is exceptionally processed in the USA, this is covered by the certification of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, under the EU-US Data Privacy Framework adequacy decision for the USA.
Further information is available in Microsoft's privacy policy, accessible at: https://privacy.microsoft.com/en-us/privacystatement
b. Survey on Meetings: We use "Forms" to conduct voluntary, anonymous online surveys about our meetings (see point 5.a). Forms is software provided by Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"), available as a web application. We use it particularly for providing and evaluating anonymous online surveys.
The legal basis for data processing to conduct anonymous online surveys via Forms is our legitimate interest in the feedback from participants in our meetings under Art. 6 para. 1 lit. f GDPR to find out whether you liked the meetings and how we can further improve them. Participation in the surveys is voluntary. Providing personal data is not required. You will receive a link to participate in the online survey at the end of the meeting or after the meeting you attended.
When accessing the website with the Forms survey, the following data may be processed:
- Connection data: IP address, HTTP header, user agent (see also point 2.a);
- Cookie information;
- Time to answer the survey;
- Selection of an answer option (checkboxes);
- Optional: Individual answer to a question (free field).
Answering the free fields is optional. Please do not enter any data that personally identifies you in the free fields if you do not wish to do so.
The following cookies can be stored and read by Forms for the specified purpose and with the mentioned storage duration on your device:
- "MUID" (390 days), "MC1" (365 days), "MSFPC" (365 days): Differentiation of Forms users, performing aggregated reach measurement;
- "RpsAuthNonce" (30 days/session): Authentication of a Microsoft account;
- "ANONCHK" (10 minutes): Management of the cookie MUID, deactivated (0);
- "MR" (7 days): Management of the cookie MUID, deactivated (0);
- "SM" (session): Management of the cookie MUID;
- "MS0" (30 minutes): Detection of cookie blocking;
- "ai_session" (30 minutes): Detection of the number of sessions;
- "__RequestVerificationToken" (session): Protection against CSRF/XSRF attacks;
- if applicable, "MicrosoftApplicationsTelemetryDeviceId" (365 days): Identification of errors in providing Forms.
The following information is stored in session storage:
- "officeforms.answermap.{ID}" (session): Storage of submitted answers.
Forms conducts aggregated reach measurement to determine how often our online survey is accessed and how long it takes to answer.
We have signed a data processing agreement with Microsoft for the use of Forms. All data traffic is encrypted (TLS), and encrypted data storage generally takes place on servers within the European Economic Area (EEA). If data is exceptionally processed in the USA, this is covered by the certification of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, under the EU-US Data Privacy Framework adequacy decision for the USA.
Further information is available in Microsoft's privacy policy, accessible at: https://privacy.microsoft.com/en-us/privacystatement
6. Data Sharing Data collected by us is generally only shared if:
- You have given your explicit consent under Art. 6 para. 1 lit. a GDPR,
- Sharing is necessary under Art. 6 para. 1 lit. f GDPR for the assertion, exercise, or defense of legal claims, and there is no reason to believe that you have an overriding legitimate interest in not sharing your data,
- We are legally obligated to share under Art. 6 para. 1 lit. c GDPR, or
- This is legally permissible and necessary under Art. 6 para. 1 lit. b GDPR for processing contractual relationships with you or for carrying out pre-contractual measures that occur at your request.
Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include data centers that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we share data with our service providers, they may only use the data to fulfill their tasks. The service providers have been carefully selected and contracted by us. They are contractually bound to our instructions, have appropriate technical and organizational measures in place to protect the rights of the affected individuals, and are regularly monitored by us.
Additionally, sharing may occur in connection with official requests, court orders, and legal proceedings, if necessary for law enforcement or legal enforcement.
7. Data Transfer to Third Countries As explained in this privacy policy, we use services whose providers are partially located in so-called third countries (such as the USA), i.e., countries whose data protection level does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among other things, the European Union's standard contractual clauses or binding corporate rules.
Where this is not possible, we base the data transfer on exceptions under Art. 49 GDPR, particularly your explicit consent or the necessity of the transfer for contract fulfillment.
If a third-country transfer is intended and no adequacy decision or suitable safeguards exist, there is the possibility and the risk that authorities in the respective third country (e.g., intelligence services) may access the transferred data to capture and analyze it, and that your data subject rights may not be enforceable. If your consent is obtained through the consent banner, you will also be informed about this.
8. Storage Duration We generally store personal data only as long as necessary to fulfill the purposes for which we collected the data. After that, we delete the data promptly unless we still need the data until the end of the statutory limitation period for evidence purposes for civil law claims or due to statutory retention obligations.
For evidence purposes, we must retain contract data for three years from the end of the year in which the business relationship with you ends. Any claims expire under the statutory limitation period no earlier than this time.
Even after that, we may need to store your data for accounting reasons. We are legally obligated to do so due to statutory documentation obligations that may arise from the Commercial Code, the Tax Code, the Banking Act, and the Money Laundering Act. The retention periods for documents specified therein range from two to ten years.
9. Your Rights You have the right to request information about the processing of your personal data by us at any time. As part of this information, we will provide you with an explanation of the data processing and an overview of the data stored about you. If the data stored with us is incorrect or no longer up-to-date, you have the right to have this data corrected. You can also request the deletion of your data. If deletion is not possible due to other legal provisions, the data will be blocked so that it is only available for this legal purpose. You can also restrict the processing of your data, e.g., if you believe that the data we store is incorrect. You also have the right to data portability, meaning we will send you a digital copy of the personal data you provided upon request.
To exercise the rights described here, you can use the contact details provided in section 1 at any time. This also applies if you wish to receive copies of guarantees to prove an adequate data protection level.
Your requests to exercise data subject rights and our responses will be kept for documentation purposes for up to three years and, in individual cases, beyond that, if necessary, for the assertion, exercise, or defense of legal claims. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our interest in defending against possible civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR, and fulfilling our accountability under Art. 5 para. 2 GDPR.
Finally, you have the right to file a complaint with a data protection supervisory authority. You can exercise this right, for example, with a supervisory authority in the member state of your residence, your workplace, or the location of the alleged violation. In Berlin, the competent supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
10. Right of Withdrawal and Objection According to Art. 7 para. 3 GDPR, you have the right to withdraw consent given to us at any time. This means we will no longer continue the data processing based on this consent for the future. The legality of the processing carried out based on the consent until the withdrawal remains unaffected.
If we process your data based on legitimate interests under Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your data for reasons arising from your particular situation. If the objection is to data processing for direct marketing purposes, you have a general right to object, which we will implement without specifying reasons.
If you wish to exercise your right to withdraw or object, a simple notification sent to the contact details provided above is sufficient.
Status: July 2024