Data Protection

This Privacy Policy provides information about the nature, scope and purpose of the processing of personal data (hereinafter abbreviated to ‘data’) in connection with our services as well as our online offering and their associated web pages, functionality and content, as well as external online presence such as our social media profiles (hereinafter jointly referred to as ‘online offering’). Regarding the terms used, such as ‘processing’ or ‘Controller’, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

LM Law Rechtsanwaltsgesellschaft mbH
Paul-Gerhardt-Allee 50
81245 München
Deutschland

Email: info@LMLaw.de

Managing directors: Ms Petra Kanz – lawyer, tax consultant; Mr Michael Leinauer – auditor, tax consultant

Link to site notice: https://lmlaw.de/impressum

Type of Processed Data

– Inventory data (e.g. personal master data, names or addresses).
– Contact details (e.g. email, phone numbers).
– Content data (e.g. text input, photographs, videos).
– Usage data (e.g. web pages visited, interest in contents, access times).
– Meta data/communication data (e.g. device information, IP addresses).

Categories of Data Subjects

Visitors to and users of our online offering (hereinafter, data subjects will also be referred to as ‘users’).

Purpose of the Processing

– Provision of the online offering, its functionality and contents.
– Replies to requests for contact and communication with users.
– Security measures.
– Reach measurement/marketing.

Terms Used

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is comprehensive and covers practically any handling of data.

‘Pseudonymisation’ means the processing of personal data in a manner which makes it impossible to allocate the personal data to a specific data subject without using additional information, if this additional information is stored separately and is subject to technical and organisational measures which guarantee that the personal data is not subject to an ID.

‘Profiling’ means any type of automated processing of personal data consisting of the use of personal data to evaluate or predict certain personal aspects relating to a natural person, in particular to analyse aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Applicable Legal Bases

In accordance with Art. 13 GDPR, we hereby inform you about the legal bases of our data processing activities. For users within the scope of the General Data Protection Regulation (GDPR), i.e. the EU and the EEA, the following applies if no legal basis is named in the privacy policy:
– The legal basis for obtaining consent is point (a) of Art. 6(1) and Art. 7 GDPR.
– The legal basis for the processing of data to provide our services and implement contractual measures as well as reply to enquiries is point (b) of Art. 6(1) GDPR.
– The legal basis for the processing of data for compliance with our legal obligations is point (c) of Art. 6(1) GDPR.
– Where the processing of personal data is required for the vital interests of the data subject or of another natural person, the legal basis is point (d) of Art. 6(1) GDPR.
– The legal basis for the processing required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is point (e) of Art. 6(1) GDPR.
– The legal basis for the processing of personal data to protect our legitimate interests is point (f) of Art. 6(1) GDPR.
– The processing of data for other purposes than those for which it was acquired is determined under the provisions of Art. 6(4) GDPR.

The processing of special categories of data (in accordance with Art. 9(1) GDPR) is determined under the provisions of Art. 9(2) GDPR.

Security Measures

In accordance with statutory provisions, taking into account the state of technology, the cost of implementation and the nature, scope, context and purposes of processing as well as the different probability and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include but are not limited to ensuring the confidentiality, integrity and availability of the data by controlling physical access to the data as well as the corresponding digital access to the data, and their input, disclosure, availability and separation. In addition, we have put procedures in place which ensure compliance with the rights of data subjects, the erasure of data and responses to risks to data security. Furthermore, we take the protection of personal data into account as early as in the development and/or selection of hardware, software and procedures, in accordance with the principle of data protection by design and with privacy-friendly default settings.

Cooperation with Processors, Mutually Responsible Parties and Third Parties

If during processing, we disclose or transfer or otherwise provide access to any data to other persons and companies (processors, mutually responsible parties or third parties), this will only occur on the basis of statutory permission (e.g. if a transfer of data to third parties such as payment service providers is required for the performance of a contract), if users have granted consent, a legal obligation prescribes it, or on the basis of our legitimate interests (e.g., if an agent, web-hosting provider, etc. is used).

If we disclose, transfer or otherwise provide access to data to other companies within our group, this occurs, in particular, for administrative purposes as a legitimate interest and is, furthermore, based on the respective statutory provisions.

Transfer to Third Countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or the Swiss Confederation) or where we engage the services of third parties or disclose and/or transfer data to other persons or companies, we will only do so for the performance of our (pre-)contractual obligations, on the basis of your consent, for compliance with a legal obligation, or on the basis of our legitimate interests. Subject to explicit consent or contractually required transfer, we only process or have the data processed in third countries with a recognised level of data protection, which includes US processors certified under the ‘Privacy Shield’, or on the basis of specific guarantees such as a contractual obligation due to so-called standard protection clauses of the EU Commission or the existence of certifications or binding internal data protection provisions (Art. 44 to Art. 49 GDPR, Information page of the EU Commission).

Rights of Data Subjects

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and access to this data as well as further information and a copy of the data in accordance with statutory provisions.

In accordance with statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

In accordance with statutory provisions, you have the right to request the immediate erasure of data concerning you and/or alternatively, you have the right to request restriction of the processing of the data in accordance with statutory provisions.

In accordance with statutory provisions, you have the right to obtain personal data concerning you which you have provided to us and to have it transmitted to other controllers.

Furthermore, in accordance with statutory provisions, you have the right to lodge a complaint with the competent supervisory authority.

Right of Withdrawal

You have the right to withdraw your consent with effect for the future.

Right to Object

In accordance with statutory provisions, you have the right to object to the future processing of the data concerning you at any time. The right to object applies, in particular, to processing for direct marketing purposes.

Cookies and the Right to Object to Direct Marketing

‘Cookies’ are small files which are stored on a user’s computer. Different kinds of information can be stored in cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her access of an online offering. Cookies are referred to as temporary cookies or ‘session cookies’ or ‘transient cookies’ if they are deleted after a user leaves an online offering and closes his or her browser. Such cookies are used to store, for example, the contents of a shopping basket in an online shop, or a log-in status. Cookies are referred to as ‘permanent’ or ‘persistent’ if they remain stored even after the browser is closed. In this way, a log-in status can, for example, be saved if the user visits again after several days. Likewise, the interests of users can be stored in such a cookie and used for reach measurement or marketing purposes. ‘Third-party cookies’ are cookies which are offered by providers other than the controller who operates the online offering (whose own cookies are referred to as ‘first-party cookies’).

We may use temporary and permanent cookies and will provide information about this within the framework of our Privacy Policy.

The legal basis for processing where we have requested the consent of the users to the use of cookies (for example within the framework of consent to cookies) is point (a) of Art. 6(1) GDPR. Otherwise the personal cookies of the users are processed in accordance with the following explanations within the scope of this privacy policy and on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and commercial operation of our online offering in line with point (f) of Art. 6(1) GDPR), or if the use of cookies is necessary to provide our contractual services in accordance with point (b) of Art. 6(1) GDPR and/or if the use of cookies is required to carry out a task which is in the public interest or for the exercise of public authority in accordance with point (e) of Art. 6(1) GDPR.

If users do not wish to have cookies stored on their computer, they are requested to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The disabling of cookies may lead to restrictions regarding the functionality of the online offering.

A general objection to the use of cookies for online marketing purposes is possible in relation to a number of services, in particular with regard to tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storing of cookies can be prevented by disabling cookies in the browser settings. Please note that, in this case, it may no longer be possible to use all the functions of this online offering.

Erasure of Data

The data processed by us will be erased or its processing will be restricted in accordance with statutory provisions. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its purpose and the erasure does not conflict with any statutory retention periods.

If data is not erased because it is required for other lawful purposes, its processing will be restricted, i.e. the data is blocked and not processed for any other purposes. This applies, for example, to data which must be preserved on the grounds of commercial law or tax law.

Contractual Services

We process the data of our contractual partners and potential clients as well as other customers, clients or contractual partners (uniformly referred to as ‘contractual partners’) in accordance with point (b) of Art. 6(1) GDPR to provide them with our contractual or pre-contractual services. The processed data, the nature, scope and purpose and the necessity of its processing is determined in accordance with the underlying contractual relationship.

The processed data includes the master data of our contractual partners (e.g. name and address), contact details (e.g. email addresses and telephone numbers) as well as contractual data (e.g. services used, content of the contract, contractual communication, name of contact persons) and payment details (e.g. bank details, payment history).

As a rule, we do not process special categories of personal data, unless it is part of commissioned or contractual processing.

We process data which is necessary to justify and fulfil the contractual services and we point out the necessity of its disclosure if this is not evident to the contractual partners.

Disclosure to external parties or companies only takes place if it is necessary within the framework of a contract. When processing the data disclosed to us within the framework of an order, we act in accordance with the instructions of the client as well as the statutory provisions.

As part of the use of our online services, we may save the IP address and the time of each user action. The storage of data is based on our own legitimate interests as well as the interests of the user in the protection from misuse and other unauthorised use. This data is generally not transmitted to a third party unless it is required for the pursuit of our claims in accordance with point (f) of Art. 6(1) GDPR or there is a legal obligation to do so in accordance with point (c) of Art. 6(1) GDPR.

The data is erased if the data is no longer required to meet a contractual or statutory duty of care or for the handling of any possible guarantee and comparable obligations, whereby the necessity of storage of the data is reviewed every three years; in addition, the statutory retention obligations are applicable.

Amendments and Updates to the Privacy Policy

We kindly request you to read the content of our privacy policy on a regular basis. We will amend the privacy policy whenever this is required due to changes in our data processing methods. We will inform you if, due to the amendments, your cooperation (e.g. consent) is required or if any other individual notification becomes necessary.

Contacting Us

When we are contacted (e.g. via a contact form, email, telephone, or by social media), user information will be processed for the purpose of processing and dealing with the contact request in accordance with point (b) of Art. 6(1) GDPR (within the framework of contractual/pre-contractual relations) or point (f) of Art. 6(1) GDPR (other enquiries). User information may be saved in a customer relationship management system (‘CRM system’) or a comparable request organisation system.

We delete requests when they are no longer required. We review the need to store this information every two years; statutory archiving obligations also apply.

Hosting and Email Dispatch

The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage capacity and database services, email dispatch, security services, as well as technical maintenance services used by us for the purpose of operating this online offering.

In this context, we and/or our hosting services provider process personal details, contact details, content data, contractual data, usage data, meta data and communication data of customers, prospective customers and visitors to this online offering on the basis of our legitimate interest in an efficient and secure provision of this online offering in accordance with point (f) of Art. 6(1) GDPR in conjunction with Art. 28 GDPR (conclusion of an order processing contract).

Collection of Access Data and Log Files

We and/or our hosting services provider collect data on each access to the server where this service is hosted (so-called server log files) on the basis of our legitimate interest in line with point (f) of Art. 6(1) GDPR. Access data includes the name of the web page visited, the file, the date and time of access, the volume of data transferred, a notification of successful access, the browser type and version used, the user’s operating system, the referrer URL (previously visited web page), the IP address and the provider making the request.

Log-file information will be saved for a maximum of seven days for security reasons (e.g. investigation of acts of misuse or fraud) and erased thereafter. Data which must be retained for longer periods for the purpose of evidence is exempted from erasure until the respective incident has been cleared up definitively.

Google Fonts

We integrate the fonts (‘Google Fonts’) of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, user data is only used for the purpose of displaying the fonts in the user’s browser. Integration is based on our legitimate interest in a technically secure, maintenance-free and efficient use of fonts, their uniform depiction as well as observation of potential licence restrictions for their integration. Privacy policy: https://www.google.com/policies/privacy/.