This privacy statement informs you about category, extent and purpose of using personal data (hereinafter referred to as "data") within our online offer and connected websites, functions and contents as well as external online presences (hereinafter referred to as "online offer"). Regarding the terminology used, like "processing" or "controller", we refer to the definitions of art. 4 of the General Data Protection Regulation (GDPR).
Privacy officer of the law office
Zimmermann & PartnerPatentanwaelte mbB
Gerd Zimmermann, Dr. Thomas Leidescher, Dr. Christian Ginzel, Dr. Jan Hornung,
Dr. Marc Kraushaar, Dr. Frank Steinbach, Dr. Benedikt Neuburger, Dr. Dominique Gobert
Categories of processed data:
- inventory data (names, addresses, etc.)
- contact data (e-mail, telephone numbers, etc.)
- content data (text input, photographs, videos, etc.)
- usage data (visited websites, interest in contents, times of access, etc.)
- meta / communication data (device information, IP addresses, etc.)
Categories of data subjects
Visitors and users of our online offer (hereinafter referred to as "users").
Purpose of processing
- providing the online offer, its functions and contents
- responding to contact enquiries and communicating with users
- security measures
- reach measurement /marketing
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (Cookie, etc.) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This terminology has a wide range and includes almost any handling of data.
"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
According to art. 13 GDPR we inform you about the legal basis of our data processing. In cases where the legal basis is not mentioned in the privacy statement, the following applies: The applicable law for obtaining consent is art. 6 (1) a and art. 7 GDPR; the applicable law for processing for executing our services and implementing contractual measures as well as responding to requests is art. 6 (1) b GDPR; the applicable law for processing for fulfillment of our legal duties is art. 6 (1) c GDPR; the applicable law for processing for protecting our legitimate interests is art. 6 (1) f GDPR. In the case of vital interests of the data subject or another natural person making processing of personal data necessary, art. 6 (1) d GDPR is the applicable law.
According to art. 32 GDPR we take appropriate technical and organizational measures to ensure an appropriate level of protection in consideration of state of the art, implementation costs and category, amount, circumstances and purposes of processing as well as the different probabilities of occurrence and seriousness of the risk for rights and liberties of natural persons.
In particular, these measures include securing confidentiality, integrity and availability of data by controlling the physical access to the data as well as access, entry, disclosure, securing availability and separation of the data.
Furthermore, we have implemented processes which guarantee the exercise of rights of data subjects, deletion of data and reaction to hazard of data. We take into account the protection of personal data when developing or choosing hardware, software and processes according to the principle of data protection by design and by default (art. 25 GDPR).
Cooperation with processors and third parties
In case we disclose, transmit or grant access to data in the course of our processing to other persons or companies (processors or third parties), this shall only be conducted due to legal permission (for example: transmission of data to third parties, for example to payment providers (art. 6 (1) b GDPR), is necessary for the performance of the contract), your permission, a legal obligation or on the basis of our legitimate interests (for example: deployment of agents, webhosts etc.).
In case we engage third parties to process data on the basis of a so-called "processor contract", art. 28 GDPR applies.
Transfer to third countries
If we process data within a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or data is processed in the course of services of third parties or disclosure or transfer of data to third parties, this is only conducted in order to meet our (pre)contractual duties, on the basis of your allowance, due to a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we only process or let third countries process data in the case of special conditions of art. 44 GDPR and subsequent articles. That means the processing is carried out on the basis of special guarantees, like the officially recognized finding of a data protection level in accordance with the EU (for example for the USA with the "Privacy Shield") or consideration of officially recognized special contractual obligations (so-called "standard contractual clauses").
Rights of the data subject
You have the right to obtain confirmation as to whether or not personal data is being processed and access this data as well as further information and copies of the data according to art. 15 GDPR.
According to art. 16 GDPR, you have the right to have incomplete personal data completed or have inaccurate data corrected.
According to art. 17 GDPR, you have the right to obtain the erasure of personal data without undue delay or alternatively, according to art. 18 GDPR, you have the right to obtain the restriction of processing.
According to art. 20 GDPR, you have the right to obtain the data you provided us with and request transmission to another controller.
According to art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority.
Right to withdraw
You have the right to withdraw your consent according to art. 7 (3) GDPR with effect for the future.
Right to object
You have the right to object future processing of your personal data according to art. 21 GDPR. In particular, you have the right to object processing for purposes of direct marketing.
Cookies and right to object to direct marketing
"Cookies" are small files that are being saved on the computers of users. Within these cookies, different information may be saved. Primarily, cookies are used to save information about users (or the device of the user where the cookie is saved on) during or after visiting online offers. Temporary cookies, or "session cookies" or "transient cookies" are cookies that are being deleted after the user leaves the website and closes his browser. Within such a cookie, the content of the basket of an online shop or a login status may be saved. Cookies are called "permanent" or "persistent" when they are saved after closing the browser. In this way, the login status may be saved when users visit the same website again a few days later. Also, interests of users that are used for reach measurement or marketing purposes may be saved within such a cookie. Cookies are called "third party cookie" when they are not offered by the controller who is in charge of the website, but by other providers (in cases where the cookies are from the controller, they are called "first party cookies").
We may use temporary and permanent cookies and inform about this in the course of our privacy statement.
In case the users don't wish cookies to be saved on their computers, they are requested to deactivate the responding option in the configurations of their computers. Saved cookies can be deleted in the configurations. The exclusion of cookies may lead to functional restrictions of the website.
A general opposition against the usage of cookies for the purposes of online marketing, in particular in the case of tracking, is explained on the US American website www.aboutads.info/choices/ or the EU website www.youronlinechoices.com. Furthermore, the saving of cookies may be prevented by deactivating them in the settings. Please note that in this case there is the possibility that not all features of this website can be used.
Deletion of data
The data processed by us is deleted or restricted according to art. 17 and art. 18 GDPR. If not explicitly mentioned in this privacy statement, the data saved by us will be deleted as soon as it is no longer required for the intended purposes and no legal storage obligations prevent deletion. If the data is not deleted, because it is required for other and legal permitted purposes, the processing will be restricted. That means the data will be blocked and not processed for other purposes. This applies for example to data that has to be saved due to reasons of commercial or tax law.
According to German law, storage for 10 years applies in particular according to §§ 147 (1) AO, 257 (1) no. 1 and 4, (4) HGB (German commercial code) (books, records, reports, vouchers, trading books, relevant tax documents, etc.) and 6 years according to § 257 (1) no. 2 and 3, (4) HGB (commercial letters).
Additionally, we process
- contractual data (for example contractual object, duration, customer category)
- payment data (for example bank details, payment history)
of our customers, potential customers and business partners for the purpose of contractual performance, service and customer care, marketing, advertisement and market research.
We process the data of our contractual partners and potential customers as well as other customers, clients, or contractual partners (consistently called "contractual partners") according to art. 6 (1) b GDPR in order to perform contractual or pre-contractual services. The data being processed as well as kind, amount, purpose and necessity of the processing are determined by the underlying contract.
The processed data contains the master data of our contractual partners (for example names and addresses), contact data (for example e-mail addresses and telephone numbers) as well as contract data (for example performed services, contract contents, contractual communication, names of contact persons) and payment data (for example bank details, payment history).
In principal, particular categories of personal data are not processed, except when these are part of an instructed or contractual processing.
We process data that is necessary for establishing and performing contractual services and point out the necessity of the disclosure thereof, if it isn't evident for contractual partners. Disclosure to external persons or companies will only be conducted in case it is required for an underlying contract. We are processing the data provided to us in the course of a contract according to the instructions of our customers and the legal requirements.
In the course of the utilization of our online services, we may save the IP address and the time of the respective user action. This saving is conducted on the basis of our legitimate interests as well as the interests of the users in protection of abuse or other unauthorized usage. In principle, disclosure of this data to third parties is not conducted, except it is required for pursuing our claims according to art. 6 (1) f GDPR or there is a legal obligation according to art. 6 (1) c GDPR.
Deletion of the data will be conducted when it is no longer required for fulfillment of contractual or legal duties as well as for guarantee or similar duties; the necessity of saving the data is reviewed every 3 years; apart from that, legal retention obligations apply.
Administration, accounting, office organization, contact management
We process data in the course of administrative tasks as well as organization of our company, accounting and the compliance with legal obligations, like archiving. Here, we process the same data that we process when fulfilling our contractual services. The basis of processing is art. 6 (1) c GDPR and art. 6 (1) f GDPR. Customers, potential customers, business partners and visitors of the website are affected by processing. The purposes and our interest in processing are administration, accounting, office organization and archiving our data; that means tasks for maintaining our business activity and performing our services. The deletion of data regarding contractual services and contractual communication corresponds to the information provided for this processing.
We disclose or transmit data to fiscal administration, consultants, like tax consultants or auditors as well as further fee payment offices and payment providers.
Furthermore, on the basis of our economic interests, we are saving information about deliverers, organizers and other business partners, for example for subsequent contacting. In principal, we save these mostly company related data long-term.
Privacy notices during application procedures
We only process data of applicants for the purpose and in the course of the application procedure according to legal provisions. Processing of the data of applicants is conducted in order to fulfill our (pre)contractual obligations in the course of the application procedure according to art. 6 (1) b and f GDPR if data processing becomes necessary, for example in the course of legal procedures (in Germany, § 26 BDSG (German Federal Data Protection Act) additionally applies).
The application procedure starts when applicants provide us with their application data. The required application data are, in case we offer an online form, marked; in other cases arise from the job description and in general, information about the person, postal and other contact addresses and documents belonging to the application, like letter, CV and certificates. Further, applicants may voluntarily provide us with additional information.
By transmitting the application to our office, applicants agree to the processing of their data for purposes of the application procedure according to this privacy statement.
If, in the course of the application procedure, particular categories of personal data according to art. 9 (1) GDPR are transmitted voluntarily, the processing of these data will be conducted additionally according to art. 9 (2) b GDPR (for example health data, like the status of a severely disabled person or ethnic origin). If, in the course of the application procedure, particular categories of personal data according to art. 9 (1) GDPR are requested from the applicant, the processing of these data will be conducted additionally according to art. 9 (2) a GDPR (for example health data if these are required for professional practice).
If available, applicants may transmit their applications via an online form on our website. The data will be transmitted encoded pursuant to the state of the art.
Applicants may as well transmit their application via email to our office. However, please note that in principal, e-mails are not encoded and that the applicants themselves need to encode their e-mails. Therefore, we cannot assume responsibility for the transmission path between sender and reception on our server and advise to use an online form or post. Instead of sending the application via online form or email, applicants may as well still send their application via postal service to our office.
The data provided by applicants may be processed in the case of a successful application for purposes of employment. Otherwise, if the application was not successful, the data of the applicants will be deleted. Deletion of the data will also be conducted, if an application is withdrawn. Applicants are entitled to withdraw their application at all times.
Subject to a justified revocation of the applicant, deletion is conducted after a period of six months, in order to being able to answer any follow-up questions relating to the application and to meet burdens of proof according to the equality act. Invoices regarding compensation for travelling will be archived according to tax law.
In the course of the application, we offer the possibility to the applicants to be registered in our "talent-pool" for a period of two years on the basis of permission according to art. 6 (1) b and art. 7 GDPR.
The application documents in the talent-pool will be processed only in the course of future job descriptions and job vacancies and will be deleted after the period, at the latest. Applicants are informed that their permission to be registered in the talent-pool is optional, doesn't have any influence on the current application procedure and that they may withdraw their permission with effect for the future at any time as well as may object according to art. 21 GDPR.
When contacting our office (for example via contact form, e-mail, telephone or social media), information about the user are processed for handling the contact request according to art. 6 (1) b GDPR. The information about the user may be saved in a customer-relationship-management-system ("CRM system") or similar inquiry management systems.
We delete requests if they are no longer required. We review the necessity every two years. Furthermore, legal archiving obligations apply.
Hosting and e-mail dispatch
Hosting services are used by us in order to make the following services available: infrastructure and platform services, computing capacity, memory and database services, e-mail dispatch, security services as well as technical maintenance services which we use for the purpose of running the online website.
We, or our hosting service, process inventory data, contact data, content data, contract data, usage data, meta and communication data of clients, potential clients and visitors of our website on the basis of our legitimate interests in offering an efficient and safe website according to art. 6 (1) f GDPR and art. 28 GDPR (processor contract).
Collection of access data and log files
We, or our hosting service, collect data about any access to the server on which the service is located (so-called server log files) on the basis of our legitimate interests according to art. 6 (1) f GDPR. Access data contains the name of the visited website, file, date and time of access, transmitted data amount, notification about successful retrieval, type and version of browser, operating system of the user, URL of prior visited website, IP address and requesting provider.
Due to safety reasons (for example investigation of abuse or fraud), log file information is saved for a maximum of 7 days and deleted thereafter. Data that is required for further evidence is exempt from deletion until the respective matter is solved.
Google is certified by the Privacy-Shield Agreement and therefore guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our account to analyze usage of our online offer by users, to create reports about the activities within the website and to perform further services referring to usage of the website and internet services for us. During this process, pseudonymous usage profiles of the users may be created from the processed data.
We only use Google Analytics with activated IP anonymization. That means that the IP addresses of users will be shortened by Google within the states of the European Union or other contracting states of the Agreement on the European Economic Area. The full IP address will only exceptional be transmitted to a server of Google in the USA and then shortened.
The IP address being transmitted by the browser of the user will not be amalgamated with other data of Google. The users may stop the saving of cookies by a special setting of their browser software. Furthermore, the users may stop the recording of data produced by the cookie relating to their usage of the website by Google by downloading and installing the browser plugin from this link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information about data usage by Google, possibilities of settings and objections are to be found in the Privacy Statement of Google (https://policies.google.com/technologies/ads) as well as in the settings for presentation of advertisements by Google (https://adssettings.google.com/authenticated).
The personal data will be deleted or anonymized after 14 months.
Integration of services and contents of third parties
Within our website and on the basis of our legitimate interests (i.e. interest in analysis, optimization and economic operation of our website according to art. 6 (1) f GDPR) we use content or service offers of third parties in order to integrate their contents and services, like videos or fonts (hereinafter called "contents").
This always requires third parties to record IP addresses of the users, because otherwise they wouldn't be able to send contents to the browsers of the users. Therefore, the IP addresses are required for presenting these contents. We strive to only use contents of third parties which use the IP addresses only for delivery of the contents. Third parties may also use so-called pixel-tags (invisible graphics, also called "web beacons") for statistical or marketing purposes. The "pixel-tags" analyze information like the traffic of visitors on the pages of the website. The pseudonymous information may be saved in cookies on the device of the users and contain, among other things, technical information about the browser and operating system, linked websites, time of the visit and further information about the usage of our website as well as be linked with such information from other sources.
We integrate fonts ("Google Fonts") of the supplier Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. Privacy Statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We integrate maps of the service "Google Maps" of the supplier Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. The processed data include in particular IP addresses and location data of the users that, however, will not be collected without their permission (normally permitted through the settings of their devices). The data may be processed in the USA. Privacy Statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Created with Datenschutz-Generator.de by lawyer Dr. Thomas Schwenke