I. CONTROLLER AND DATA PROTECTION OFFICER
The data controller responsible for the processing of personal data under Art. 4 No. 7 of the GDPR is:
Vogel Heerma Waitz Partnerschaft von Rechtsanwälten mbB
II. DATA PROCESSING WHEN VISITING OUR WEBSITE
1. PROVIDING THE WEBSITE AND CREATING LOGFILES
Each time you access our website, we temporarily store the data your browser automatically transmits to our web server in so-called server log files:
- the page from which you accessed our website (referrer-URL)
- date and time of access
- the amount of data transmitted
- the IP address of the requesting system
- browser type and browser version used
- the operating system used
The temporary storage of this data, in particular the storage of IP addresses, is a technical requirement to allow website access and use and to ensure the security of our systems. We do not assign this data to a specific or identifiable natural person. We also do not create any pseudonymous user profiles with the help of this data. The IP addresses are deleted or anonymized by way of abbreviation as soon as they are no longer required for the aforementioned purposes, at the latest after 7 days following a user’s visit to our website.
The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest follows from the aforementioned purposes.
2.1 GENERAL INFORMATION
Cookies are small text files that are sent to a user’s browser and stored on the hard drive of the user’s computer or internet-enabled device when a user visits a website. Cookies can be used to store unique identifiers consisting of a string of characters that enable a website to recognize a browser on the user’s next visit. Cookies can store various information, such as browser type, operating system used, language settings and other personal settings as well as information on user behaviour, such as the frequency of visits and links clicked.
Most browsers automatically accept cookies. However, you can configure your web browser to reject or delete cookies or to be informed if a cookie is installed. For more details please use the “help” option in your internet browser.
2.2 WEB ANALYTICS SERVICE MATOMO
We use the web analytics service Matomo (formerly Piwik), an open-source software which is designed to capture visitor access for anonymous statistical evaluation. Whenever you visit our website, Matomo will apply cookies to analyze your user behavior during your visit. The cookies also capture the frequency of your visits and provide us generally with the total number of users of our website. Any information so collected will be transferred to our server. We use the information exclusively to optimize and further develop our website. The cookies have a maximum lifetime of 7 days.
We only use Matomo with active IP anonymization. This means that the IP addresses of users will be abbreviated by 2 bytes before their data is transmitted to our server (e.g. 192.168.xxx.xxx). We therefore do not have access to any data that could enable us to identify individual visitors to our website.
Our legal basis for the processing of personal data for analytics purposes by using Matomo is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in analyzing the use of our website for optimization purposes.
3. CONTACTING US
When you contact us by e-mail, we will store the personal data that you voluntarily disclose to us (e.g. your e-mail address, name and/or other contact data) on our mail server and process such data for processing your enquiry only. As a rule, we store such data only for the duration of the respective communication and as long as any possible claims arising out of this context are not yet statute-barred, unless there are longer statutory retention periods in individual cases. The communication shall be deemed to have ended if it can be inferred from the circumstances that the matter in question has been clarified. The legal basis for the processing of personal data in this context is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest derives from the aforementioned purposes.
III. DATA PROCESSING IN CONNECTION WITH JOB APPLICATIONS
When you apply for a job position with us, we process the information voluntarily provided by you, for example your first and last name, contact details as well as the information contained in your files such as cover letters, curricula vitae and certificates. In addition to your contact details, information about your qualifications, work experience and skills is of particular relevance to us.
We treat all application data confidentially and only disclose such data to persons within our firm who are involved in the respective recruitment process. However, we would like to point out that if you do not use encryption technology at your end, e-mails will not be encrypted end-to-end. Thus, we cannot guarantee confidentiality of applications sent by e-mail. As a rule, you can also apply for a position by post or in person.
We solely process your application data for the purpose of processing your job application and to assess whether your skills and qualifications meet our requirements. If we are of the opinion that you are suitable for a position within our firm, we will contact you and conduct one or more job interviews.
The legal basis for the processing of your application data is Art. 6 para. 1 lit. b) GDPR and Art. 88 para. 1 GDPR in conjunction with section 26 para. 1 sentence 1 BDSG.
If your application is successful and you become employed by us, we will keep your application data for as long as it is necessary for the employment relationship and insofar as we are legally required to retain it. The legal basis for this processing is again Art. 6 para. 1 lit. b) GDPR and Art. 88 para. 1 GDPR in conjunction with section 26 para. 1 sentence 1 BDSG. If your application is unsuccessful, we will keep your application data for a maximum of 6 months after rejection of your application to defend ourselves against possible legal claims arising out of the application process. The legal basis for this retention is Art. 6 para. 1 lit. f) GDPR. The legitimate interest is the burden of proof in a potential trial.
If you have given your consent to be added to our talent pool, we will keep your application data for a period of up to 2 years following your last application to contact you about future vacancies. The legal basis for this retention is Art. 6 para. 1 lit. a) GDPR. You can revoke your consent in that regard at any time before the expiry of the specified period by sending us a letter by post or contacting us via e-mail at email@example.com or firstname.lastname@example.org.
As a rule, we do not request any special category of personal data within the meaning of Art. 9 GDPR, i.e. personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership or biometric data, data concerning health or a natural person’s sex life or sexual orientation. We therefore ask you to not provide us with any such data. If such information should be relevant in exceptional cases, we will inform you accordingly.
IV. PROCESSING OF PERSONAL DATA IN CLIENT RELATIONSHIPS
1. PERSONAL DATA OF OUR CLIENTS AND THEIR LEGAL REPRESENTATIVES
We generally process the following personal data when we receive an initial request from our clients or prospective clients and/or their legal representatives:
- contact information of the requesting party and any other persons involved in the matter, in particular their first and last names, job titles, company and company name, addresses, telephone numbers (landline and/or mobile), e-mail addresses,
- payment information, e.g. tax identification numbers and VAT numbers of the client, and
- personal data contained in other information a client or prospective client provides to us in connection with our provision of legal services to such client or prospective client.
In the course of our engagement, we may store and collect further information, including personal data that is necessary or useful for the provision of our services for which our clients have engaged us. In addition, we may process – to the extent necessary for the provision of our services – personal data which we permissibly obtain from publicly accessible sources (e.g. trade and association registers, internet, press) or which is transmitted to us by third parties (e.g. contractual partners and their representatives).
We process this personal data exclusively for the purpose of establishing, performing and executing our obligations in accordance with any contract that we may have with our clients, to ensure that there are no conflicts of interest with other client matters and that we provide our services in the best way we can and to comply with our legal obligations as lawyers as well as to enforce our legal rights or defend against legal claims.
The legal bases for this processing are Art. 6 para. 1 lit. b) GDPR, Art. 6 para. 1 lit. c) GDPR and Art. 6 para. 1 lit. f) GDPR. Our legitimate interest follows from the aforementioned purposes.
2. PERSONAL DATA OF RELATED PARTIES
In the course of providing our services to our clients, we may also process personal data of third parties, in particular of employees, service providers and other contractual and business partners of our clients as well as their representatives and advisors, of notaries, judges, bailiffs, counterparties and their representatives as well as translators. The data processed includes in particular:
- contact data (names, addresses, telephone and fax numbers, e-mail addresses, etc.), and
- information relating to client matters, which may also contain personal data.
Such data may be collected directly from the persons concerned or gathered indirectly by other means. In any case, however, all data is collected exclusively for the purpose of providing our services to our clients.
The legal basis for this processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the proper and effective provision of legal advice and representation services to our clients.
3. RETENTION PERIOD
We process personal data in the context of a client relationship only for as long as
- this is required or appropriate for the provision of our services to a client,
- this is required under applicable law, and/or
- possible claims from our business relationship are not yet statute-barred.
The retention period for attorneys’ files is currently 6 years, beginning at the end of the calendar year in which the respective client relationship ends. In addition, the general statutory tax retention periods apply (10 years). In the case of long-term client relationships, we often store information relating to a completed transaction beyond these statutory retention periods to be able to take into account this information in respect of current and future matters or to be able to provide our clients with information on this at a later point in time. In some cases it may also be appropriate to store data and documents for the purpose of asserting or defending claims to the extent that such assertion or defense remains possible under section 195 et subseq. of the German Civil Code (BGB). Furthermore, we will permanently retain personal data that is still required for the monitoring of a conflict of interests. This includes the name of the client, if applicable the name of the opposing party, the name of the lawyer in charge and a brief description of the subject matter of the mandate.
V. CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
With regard to the transfer of data to recipients outside our law firm, we would like to point out that we are obliged to maintain confidentiality in respect of all client-related facts of which we become aware (obligation to maintain secrecy pursuant to section 43a para. 2 of the Federal Lawyers’ Act (BRAO) and section 2 of the Rules of Professional Practice (BORA)). This does not apply to facts which are public knowledge or whose significance does not require secrecy.
In addition, we only disclose personal data to recipients outside our law firm to the extent that:
- the data subject has given his/her consent (Art. 6 para. 1 lit. a) GDPR),
- this is necessary for the preparation or performance of a contract with the data subject (Art. 6 para. 1 lit. b) GDPR),
- we are legally obliged to disclose such information (Art. 6 para. 1 lit. c) GDPR), or
- the disclosure is necessary to protect our legitimate interests or the legitimate interests of our client or another third party and there is no reason to assume that the data subject has an overriding legitimate interest in not disclosing his or her data (Art. 6 para. 1 lit. f) GDPR).
The following categories of recipients are particularly relevant in the context of a client relationship: contractual partners of our clients and their representatives, notaries, courts, authorities, bailiffs, counterparties and their representatives and translators.
We also use IT service providers in accordance with Art. 28 GDPR. Such IT service providers may process personal data solely for the performance of their duties and in accordance with our instructions. For the hosting of our website, we use servers of STRATO AG based at Pascalstraße 10, 10587 Berlin, Germany.
VI. TRANSFER OF PERSONAL DATA TO RECIPIENTS IN THIRD COUNTRIES
We do not transfer personal data of visitors to our website or job applicants to recipients in third countries outside the European Economic Area.
In the context of a client relationship, we only transmit personal data to recipients in countries outside the European Economic Area on one of the following conditions:
- the data subject, in particular a client, has explicitly consented to the proposed transfer (Art. 49 para. 1 sentence 1 lit. a) GDPR),
- the transfer is necessary for the formation and/or performance of a contract between ourselves and the data subject (in particular where such data subject is a client) or the implementation of pre-contractual measures taken at the data subject’s request (Art. 49 para. 1 lit. b) GDPR),
- the transfer is necessary for the conclusion or performance of a contract concluded between ourselves and a third party (being another natural or legal person) and with such contract being in the interest of the data subject, in particular where such data subject is a client, (Art. 49 para. 1 lit. c) GDPR), or
- the transfer is necessary for the establishment, exercise or defense of legal claims (Art. 49 para. 1 lit. e) GDPR).
VII. DUTY TO PROVIDE PERSONAL DATA
Individuals are not obliged to provide us with personal data outside of a client relationship. However, we can only respond to enquiries or process a job application if we are allowed to contact the respective individual and if we are provided with certain information. In the context of a (potential) client relationship, we are not able to advise and represent a natural or legal person, unless such person provides us with certain data relating to the relevant matter that may also contain personal data.
VIII. NO AUTOMATED DECISION-MAKING
We do not make use of automated decision making within the meaning of Art. 22 GDPR.
IX. YOUR RIGHTS
With regard to our processing of your personal data, you are entitled to the following rights free of charge:
1. RIGHT OF ACCESS PURSUANT TO ART. 15 GDPR
The aforementioned right to information may be limited or excluded under certain legal conditions. In particular, according to section 29 para. 1 sentence 2 BDSG, there is no right to information which has to be kept confidential due to a legal provision, its nature or an overriding legitimate interest of a third party. Relevant legal provisions in this context are section 43a para. 2 BRAO and section 203 para. 1 no. 3 of the German Criminal Code (StGB). In case of an enquiry, we will highlight any limitations where applicable.
2. RIGHT TO RECTIFICATION AND ERASURE PURSUANT TO ART. 16 AND 17 GDPR
You have the right to obtain rectification of inaccurate or incomplete personal data and – if the legal requirements are met – erasure of your personal data. We are, among other things, obliged to erase such data if it is no longer required for the purpose for which it was collected or otherwise processed, or if you withdraw your consent. The aforementioned right to erasure may be excluded under certain legal conditions (see Art. 17 para. 3 lit. e) GDPR). In particular, you do not have the right to erasure if the processing of your personal data is necessary to establish, exercise or defend legal claims.
3. RIGHT TO RESTRICTION OF PROCESSING PURSUANT TO ART. 18 GDPR
In certain circumstances, such as where you contest the accuracy of your personal data, you have the right to ask us to restrict the processing of such data.
4. RIGHT TO WITHDRAW CONSENT PURSUANT TO ART. 7 PARA. 3 GDPR
If you have given your consent to the processing of your personal data (e.g. in order to be added to our talent pool), you have the right to withdraw your consent at any time. Where there is no other legal ground for the processing, we will erase the relevant data promptly. The legality of processing activities prior to any consent withdrawal will be unaffected by such withdrawal.
5. RIGHT TO OBJECT PURSUANT TO ART. 21 GDPR
6. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY PURSUANT TO ART. 77 GDPR IN CONJUNCTION WITH SECTION 19 BDSG
If you believe that we are processing your personal data in violation of the GDPR or other data protection laws, you also have the right to lodge a complaint with a competent supervisory authority. In particular, you may contact the supervisory authority responsible at your place of residence or state, or the supervisory authority responsible for us. The supervisory authority responsible for us is the:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Phone: 030 13889-0
Fax: 030 2155050
Last updated: 18 February 2019