Data Privacy Notice
I. Controller
For the purpose of the General Data Protection Regulation, the controller is:
Conrad Lahann & Partner Steuerberatungsgesellschaft mbB
Große Theaterstraße 31
20354 Hamburg
Germany
Phone: +49 (0) 40-6077110-0
Email: info@cl-partner.de
II. Data protection officer
Our data protection officer can be reached at:
email: dataschutz@cl-partner.de
2. Legal basis of the data processing
The legal basis for the temporary storage of the data and the log files is Article 6 (1) point f of the GDPR.
3. Purpose of the data processing
The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the computer of the user. For this purpose, the user’s IP address must be kept stored throughout the session. It is stored in log files in order to ensure the functionality of the website. In addition, the data serve to analyse and optimise the website and to ensure the security of our IT systems. In this context, the data is not evaluated for marketing purposes. These purposes are the basis of our legitimate interest in the data processing pursuant to Article 6 (1) point f of the GDPR.
4. Data storage time period
The data is deleted as soon as it is no longer required to attain the purposes for which it has been collected. If the data is collected to provide the website, this is the case at the end of the session. If the data is stored in log files, storage may be continued after the end of the session is possible. In this case, the IP addresses of the users are anonymised, therefore assigning them to the client calling up the website is no longer possible.
5. Option to object and to option to delete
Collecting the data is indispensable in order to provide the website, and storing the data in log files is indispensable for operating the website. Therefore the user has no right to object thereto.
IV. Using cookies
- a) Description and scope of the data processing
Our website uses cookies. Cookies are text files that are stored on the Internet browser, or that are stored by the Internet browser on the user’s computer system. Whenever a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string allowing to uniquely identify the browsers when the website is called up again.
We use cookies in order to enhance the user-friendliness of our website. On order to avoid that the information on the use of cookies is provided each time our website is called up, the confirmation of the corresponding information is stored in the form of a cookie on your browser. If you do not wish this, we recommend you to adapt the settings of your browser accordingly. We think that offering a deactivation option like in the web analysis would be contradictory since this option, too, is controlled via cookies.
We also use Google Maps API to visualise geographic information. Here, Google also collects, processes and uses data concerning the use of the maps functions by the visitors of our website. For further information please read Google‘s data privacy notice (https://policies.google.com/privacy?hl=de). There you have the option to alter your personal settings in a way that enables you to manage and protect data.
- b) Legal basis for the data processing
The legal basis for the processing of personal data using cookies is Article 6 (1) point f of the GDPR.
- c) Purpose of the data processing
The purpose of using technically required cookies is to facilitate the use of websites for die user. If you do not wish to be informed about the use of cookies each time you call up our website, it is necessary that the browser be recognised also after a change of websites. User data collected by technically required cookies is not used to create user profiles. This is the purpose of our legitimate interest in the processing of personal data pursuant to Article 6 (1) point f of the GDPR.
- e) Duration of storage, option to object and option to erase
Cookies are stored on the computer of the user and transmitted by the computer to our website. Therefore you as a user have full control over the use of cookies. By changing the settings of your Internet browser you can block or restrict the transmission of cookies. Cookies already stored can be deleted anytime. This can also be done automatically. If cookies are disabled for our website, the unrestricted use of certain functions of the website may be impossible.
V. Newsletter
1. Description and scope of data processing
On our website you can subscribe to a free newsletter. When you subscribe to the newsletter, the following data from the input mask are transmitted to us:
- title, first name and surname (if provided by user)
- Email address
In addition, the following data is collected upon subscription:
- IP address of the computer calling up
- Date and time of the registration
Upon subscription, your consent for the processing of the data is requested, and you are referred to this Data Privacy Notice. The newsletter system is provided by Atikon which also analyse the user data. For further information please read Atikon’s data privacy notice (http://www.atikon.de/de/unternehmen/impressum/#privacy_policy).
2. Legal basis for the data processing
The legal basis for the processing of the data after the user has subscribed to the newsletter is, if the user’s consent has been obtained, Article 6 (1) point a of the GDPR.
3. Purpose of the data processing
Capturing the user‘s email address enables us to deliver the newsletter. The collection of the anonymised user data serves to analyse and optimise the newsletters and their contents.
4. Duration of the storage
The data is deleted as soon as they are no longer required to achieve the purposes for which they were collected. The email address of the user will be kept stored as long as the subscription of the newsletter is active. Anonymised user data is stored until the evaluation is completed.
5. Option to object and option to erasure
The subscription of the newsletters can be cancelled by the user anytime. For this purpose each newsletter contains a link for cancellation.
VI. Email contact
1. Description and scope of the data processing
Contacting us is possible via the email address provided. In this case the personal data of the user transmitted via email is stored. In this context no data is transferred to third parties. The data is exclusively used for the processing of the conversation.
2. Legal basis for die data processing
The legal basis for use of the data is, in case the user has given its consent, Article 6 (1) point a of the GDPR. The legal basis for die processing of the data transmitted by sending an email is Article 6 (1) point f of the GDPR. If the purpose of the email contact is to enter into a contract, the additional legal basis for the processing is Article 6 (1) point b of the GDPR.
3. Purpose of the data processing
The processing of the personal data serves solely to process the contact. This is the compelling legitimate interest in the processing of the data.
4. Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it has been collected. Regarding the personal data transmitted via email this is the case at the end of the conversation with the user. The conversation ends when all indications are that the subject concerned has been definitely clarified.
5. Option to objet and option to erasure
The user has, anytime, the option to withdraw its consent to the processing of the personal data. If the user contacts us via email, it may anytime object to the storage of its personal data. In such cases, the conversation cannot be continued. The withdrawal shall be sent in writing to the address mentioned under I. or to the email address also mentioned under I. In this case, all personal data stored in connection with the contact will be deleted.
VII. Rights of the data subject
If personal data of you are processed, you are a data subject for the purpose of the GDPR and you have the following rights against the controller:
1. Right to obtain information
You may request the controller to provide you with information on to whether or not personal data concerning you is processed by us. If it is processed, you may request the controller to provide the following information:
(1) the purposes for which the personal data is processed;
(2) what categories of personal data are processed;
(3) the recipients and/or the categories of recipients to which the personal data concerning you have been disclosed or will be disclosed;
(4) the planned period for which the personal data concerning you will be stored or, if providing concrete information on this subject is not possible, the criteria used to determine that period;
(5) the existence of the right to rectification or erasure of the personal data concerning you, the right to Restriction of the processing through the controller or to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) any available information on the source from which the data originate if the personal data is not collected from the data subject;
(8) the existence of automated decision-making including profiling pursuant to Article 22 (1) and (4) of the GDPR and – at least in such cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on to whether or not personal data concerning you are transferred to a third country or to an international organisation. In this context you may request that you be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
2. Right to rectification
You have a right to obtain from the controller the rectification and/or completion if the processed personal data concerning you that is inaccurate or incomplete. The controller shall rectify it without undue delay.
3. Right to restriction of the processing
Under the following conditions you may request that the processing of the personal data concerning you be restricted:
(1) if you challenge the accuracy of the personal data concerning you for a duration enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you decline the erasure of the personal data and request the restriction of the use of the personal data instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need them in order to establish, exercise or defend legal claims, or
(4) if you have objected to the processing in accordance with Article 21 (1) of the GDPR and it has not been established yet whether or not the legitimate grounds of the controller override your grounds.
If the processing of the personal data concerning you has been restricted, such data – except for their storage – must not be processed without your consent or it may be solely used to establish, exercise or defend legal claims or to safeguard the rights of another individual or legal entity or for important reasons of public interest of the European Union or of a Member State. If the processing was restricted in accordance with conditions stated above, you will be informed by the controller prior to the lifting of the restriction.
4. Right to erasure
a) Obligation to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay if one of the following applies:
(1) The personal data concerning you is no longer required for die purposes for which it has been collected or otherwise processed.
(2) You withdraw your consent on which the processing is based according to Article 6 (1) point a or Article 9 (2) point a of the GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21 Abs. 1 of the GDPR and there is no overriding legitimate ground for die processing, or you object to the processing pursuant to Article 21 (2) of the GDPR.
(4) The personal data concerning you has been unlawfully processed.
(5) The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) Die personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17 (1) of the GDPR to erase them, the controller, taking into account the available technology and the costs of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as data subject have requested the erasure by such controllers of any links to, or copy or replication of those personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9(2) points (h) and (i) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to notification
If you have exercised the right to rectification, erasure or restriction of processing against the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to obtain from the controller information about such recipients.
6. Right to data portability
You have the right to receive the personal data concerning you which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, where:
(1) the processing is based on consent pursuant to Article 6 (1) point a of the GDPR or Article 9 (2) point a of the GDPR or on a contract pursuant to Article 6 (1) point b of the GDPR and
(2) the processing is carried out by automated means.
In exercising this right you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others. That right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) point e or f of the GDPR including profiling based on those provisions. The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves for the establishment, exercise or defence of legal claims. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdrawal of the data privacy consent
You have the right to withdraw your data privacy consent anytime. The withdrawal of the consent will not affect the legitimacy of the processing conducted on the basis of the consent until it was withdrawn.
9. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning you or which similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
Such decisions shall, however, not be based on special categories personal data pursuant to Article 9 (1) of the GDPR unless Article 9 (2) point a or g apply and suitable measures to safeguard the rights and freedoms as well as your legitimate interests are in place. With regard to the cases mentioned under (1) and (3) the controller shall take suitable measures to safeguard the rights and freedoms as well as your legitimate interests which include the right to obtain human intervention on the part of the controller, to explain your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy you have the right to lodge a complaint with a supervisory authority, in particular in the Member States of your residence, your workplace or of the place where the suspected infringement has occurred, if you consider that processing the personal data concerning you infringes the GDPR. The supervisory authority with which the complaint was lodged shall inform the complainant about the status and the results of the complaint including the option to lodge a judicial remedy pursuant to Article 78 of the GDPR.