Information on data processing pursuant to Articles 13 and 14 EU GDPR
1. The purpose of this data protection information is to describe how we process data in our firm.
Controller as defined in data protection law:
Rechtsanwälte Steuerberater Wirtschaftsprüfer Partnerschaft mbB
Veritaskai 3, 21079 Hamburg
Telephone: +49 40 697989-0
Fax: +49 40 697989-110
Contact details of the external data protection officer:
Waterside DS GmbH
Vertreten durch Frau Corinna Lovens, LL.M.
Telephone: +49 40 468 99 42-0
2. We process the following personal data:
- First and last name, form of address, title if applicable
- Postal address(es)
- Telephone number(s)
- Fax number(s), if applicable
- E-mail address(es)
- Information required for the appropriate carrying out of the mandate
Insofar as the provisions of the German Money Laundering Act (Geldwäschegesetz, GwG) apply, we are required to collect and process further information, Section 2 (1) No. 10 GwG. This includes, among other things, information about your identity, the beneficial owners, the purpose and nature of the business relationship and the transactions carried out as well as the money laundering risk. In the case of natural persons, we also make a copy of an official identity document of the client to fulfil our obligations under Section 8 (2) Sentence 1 GwG. In the case of legal entities, the information regarding the beneficial owners as defined in Section 3 GwG is also collected.
3. We process personal data for the following purposes
We process personal data for the purposes of
- executing the mandate including correspondence,
- fulfilling our contractual and legal obligations as tax advisers/lawyers and
- processing as part of mutual claims arising from the mandate and remuneration agreement (e.g. invoicing and performance, remuneration and liability claims, etc.).
4. Legal bases for data processing
The legal bases for data processing in our firm are
- Article 6 (1) Sentence 1 (b) EU-GDPR for performance of the mandate agreement
- Article 6 (1) Sentence 1 (c) EU-GDPR for compliance with legal obligations to which we are subject
- Article 6 (1) Sentence 1 (f) EU GDPR, insofar as the data processing is necessary to protect our legitimate interests or those of a third party; in particular, the ongoing business relationship with our clients is in our legitimate interest
- Article 6 (1) Sentence 1 (a) EU GDPR, insofar as you have given us your consent to process personal data relating to you for specific purposes
We pass on your data to third parties as part of fulfilling our obligations arising from the underlying contracts under Article 6 (1) Sentence 1 (b) EU GDPR, insofar as this is necessary for executing the mandate. This concerns in particular the passing on of data to opposing parties and their representatives as well as to courts and other public authorities for the purpose of correspondence and asserting and defending your rights and to banking institutions for the processing of payments.
In addition, we use external technical service providers as processors in accordance with Article 28 GDPR, which are carefully selected and monitored by us. In addition, data may be disclosed to the competent authorities on the basis of statutory provisions, for example to report suspicious cases under Section 43 GwG. The legal basis for such disclosure is Article 6 (1) Sentence 1 (c) EU GDPR in conjunction with Section 43 GwG.
Examples of possible recipients:
- Tax authorities and courts
- Social security agencies
- Bundesanzeiger Verlag GmbH
- Banks, credit institutions, insurance companies and employer's liability insurance associations
- External service providers (e.g. data centres, IT service providers, providers of printing services, waste disposal companies, etc.)
- Other recipients depending on the mandate, which we coordinate with you
6. Transfer of data to third countries
Data is only transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary to execute the mandate (e.g. payment orders) or if you have given us your consent or if this is otherwise permitted by law. In this case, we take measures to ensure that your data is protected, for example, through contractual arrangements. We only transfer data to recipients who ensure that your data is protected in accordance with the provisions of the EU GDPR for transfers to third countries (Articles 44 to 49 GDPR).
7. Use of video conferencing tools
We often communicate with our clients via common video conferencing tools (primarily "Teams" and "Zoom"), to whose privacy policies we refer under the links of the aforementioned tools. As a general rule, these video conferences are not recorded.
8. Duration of storage
Your personal data will be processed and stored for as long as and to the extent necessary for the purposes stated in this policy. After these purposes have been fulfilled, the data is erased at regular intervals. Such data is not erased if further processing is required for a limited period to comply with statutory retention periods or for documentation and evidence purposes subject to the statutes of limitation.
9. Rights as a data subject
You have the following rights as a data subject whose data we process:
- Right of access under Article 15 EU GDPR
- Right to rectification under Article 16 EU GDPR
- Right to erasure ("right to be forgotten") under Article 17 EU GDPR
- Right to restriction of processing under Article 18 EU GDPR
- Right to data portability in a structured, commonly used and machine-readable format under Article 20 EU GDPR
Insofar as we process your personal data for certain purposes on the basis of your consent, you have the right to withdraw your consent at any time under Article 7 (3) EUGDPR. Upon receipt of your withdrawal of consent, we will cease processing data for the purposes for which you gave us your consent. The lawfulness of the processing prior to receipt of your withdrawal of consent remains unaffected.
Right to object: If we process your personal data to protect legitimate interests as defined in Article 6 (1) Sentence 1 (f) EU GDPR you have the right under Article 21 (1) EU GDPR to object to this processing on grounds relating to your particular situation. You may object at any time to processing for direct marketing purposes under Article 21 (2) EU GDPR without stating the reasons. In order to exercise your right to object, it is sufficient to send us an informal message (by e-mail to firstname.lastname@example.org stating which data processing you object to).
If you believe that the processing of personal data concerning you infringes the General Data Protection Regulation, you have the right to lodge a complaint with a supervisory authority under Article 77 (1) EU GDPR (in Germany, this is usually the Commissioner for Data Protection and Freedom of Information of the respective federal state). In particular, the objection may be lodged with the supervisory authority competent in the place of your habitual residence, your place of work or the place of the alleged infringement.
10. Legal status