LM Law Rechtsanwaltsgesellschaft mbH
Managing directors: Ms Petra Kanz – lawyer, tax consultant; Mr Michael Leinauer – auditor, tax consultant
Link to site notice: https://lmlaw.de/impressum
Type of Processed Data
– Inventory data (e.g. personal master data, names or addresses).
– Contact details (e.g. email, phone numbers).
– Content data (e.g. text input, photographs, videos).
– Usage data (e.g. web pages visited, interest in contents, access times).
– Meta data/communication data (e.g. device information, IP addresses).
Categories of Data Subjects
Visitors to and users of our online offering (hereinafter, data subjects will also be referred to as ‘users’).
Purpose of the Processing
– Provision of the online offering, its functionality and contents.
– Replies to requests for contact and communication with users.
– Security measures.
– Reach measurement/marketing.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is comprehensive and covers practically any handling of data.
‘Pseudonymisation’ means the processing of personal data in a manner which makes it impossible to allocate the personal data to a specific data subject without using additional information, if this additional information is stored separately and is subject to technical and organisational measures which guarantee that the personal data is not subject to an ID
‘Profiling’ means any type of automated processing of personal data consisting of the use of personal data to evaluate or predict certain personal aspects relating to a natural person, in particular to analyse aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable Legal Bases
The legal basis for obtaining consent is point (a) of Art. 6(1) and Art. 7 GDPR;
the legal basis for the processing of data to provide our services and implement contractual measures as well as reply to enquiries is point (b) of Art. 6(1) GDPR;
the legal basis for the processing of data for compliance with our legal obligations is point (c) of Art. 6(1) GDPR;
in case the processing of personal data is required for the vital interests of the data subject or of another natural person, the legal basis is point (d) of Art. 6(1) GDPR.
The legal basis for the processing required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is point (e) of Art. 6(1) GDPR.
The legal basis for the processing of personal data to protect our legitimate interests is point (f) of Art. 6(1) GDPR.
The processing of data for other purposes than those for which it was acquired is determined under the provisions of Art. 6(4) GDPR.
The processing of special categories of data (in accordance with Art. 9(1) GDPR) is determined under the provisions of Art. 9(2) GDPR.
In accordance with statutory provisions, taking into account the state of technology, the cost of implementation and the nature, scope, context and purposes of processing as well as the different probability and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include but are not limited to ensuring the confidentiality, integrity and availability of the data by controlling physical access to the data as well as the corresponding digital access to the data, and their input, disclosure, availability and separation. In addition, we have put procedures in place which ensure compliance with the rights of data subjects, the erasure of data and responses to risks to data security. Furthermore, we take the protection of personal data into account as early as in the development and/or selection of hardware, software and procedures, in accordance with the principle of data protection by design and with privacy-friendly default settings.
Cooperation with Processors, Mutually Responsible Parties and Third Parties
If during processing, we disclose or transfer or otherwise provide access to any data to other persons and companies (processors, mutually responsible parties or third parties), this will only occur on the basis of statutory permission (e.g. if a transfer of data to third parties such as payment service providers is required for the performance of a contract), if users have granted consent, a legal obligation prescribes it, or on the basis of our legitimate interests (e.g., if an agent, web-hosting provider, etc. is used).
If we disclose, transfer or otherwise provide access to data to other companies within our group, this occurs, in particular, for administrative purposes as a legitimate interest and is, furthermore, based on the respective statutory provisions.
Transfer to Third Countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or the Swiss Confederation) or where we engage the services of third parties or disclose and/or transfer data to other persons or companies, we will only do so for the performance of our (pre-)contractual obligations, on the basis of your consent, for compliance with a legal obligation, or on the basis of our legitimate interests. Subject to explicit consent or contractually required transfer, we only process or have the data processed in third countries with a recognised level of data protection, which includes US processors certified under the ‘Privacy Shield’, or on the basis of specific guarantees such as a contractual obligation due to so-called standard protection clauses of the EU Commission or the existence of certifications or binding internal data protection provisions (Art. 44 to Art. 49 GDPR, Information page of the EU Commission).
Rights of Data Subjects
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and access to this data as well as further information and a copy of the data in accordance with statutory provisions.
In accordance with statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
In accordance with statutory provisions, you have the right to request the immediate erasure of data concerning you and/or alternatively, you have the right to request restriction of the processing of the data in accordance with statutory provisions.
In accordance with statutory provisions, you have the right to obtain personal data concerning you which you have provided to us and to have it transmitted to other controllers.
Furthermore, in accordance with statutory provisions, you have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to withdraw your consent with effect for the future.
Right to Object
In accordance with statutory provisions, you have the right to object to the future processing of the data concerning you at any time. The right to object applies, in particular, to processing for direct marketing purposes.
Cookies and the Right to Object to Direct Marketing
‘Cookies’ are small files which are stored on a user’s computer. Different kinds of information can be stored in cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her access of an online offering. Cookies are referred to as temporary cookies or ‘session cookies’ or ‘transient cookies’ if they are deleted after a user leaves an online offering and closes his or her browser. Such cookies are used to store, for example, the contents of a shopping basket in an online shop, or a log-in status. Cookies are referred to as ‘permanent’ or ‘persistent’ if they remain stored even after the browser is closed. In this way, a log-in status can, for example, be saved if the user visits again after several days. Likewise, the interests of users can be stored in such a cookie and used for reach measurement or marketing purposes. ‘Third-party cookies’ are cookies which are offered by providers other than the controller who operates the online offering (whose own cookies are referred to as ‘first-party cookies’).
If users do not wish to have cookies stored on their computer, they are requested to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The disabling of cookies may lead to restrictions regarding the functionality of the online offering.
Erasure of Data
If data is not erased because it is required for other lawful purposes, its processing will be restricted, i.e. the data is blocked and not processed for any other purposes. This applies, for example, to data which must be preserved on the grounds of commercial law or tax law.
We process the data of our contractual partners and potential clients as well as other customers, clients or contractual partners (uniformly referred to as ‘contractual partners’) in accordance with point (b) of Art. 6(1) GDPR to provide them with our contractual or pre-contractual services. The processed data, the nature, scope and purpose and the necessity of its processing are determined in accordance with the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g. name and address), contact details (e.g. email addresses and telephone numbers) as well as contractual data (e.g. services used, content of the contract, contractual communication, name of contact persons) and payment details (e.g. bank details, payment history).
As a rule, we do not process special categories of personal data, unless it is part of commissioned or contractual processing.
We process data which is necessary to justify and fulfil the contractual services and we point out the necessity of its disclosure if this is not evident to the contractual partners.
Disclosure to external parties or companies only takes place if it is necessary within the framework of a contract. When processing the data disclosed to us within the framework of an order, we act in accordance with the instructions of the client as well as the statutory provisions.
As part of the use of our online services, we may save the IP address and the time of each user action. The storage of data is based on our own legitimate interests as well as the interests of the user in the protection from misuse and other unauthorised use. This data is generally not transmitted to a third party unless it is required for the pursuit of our claims in accordance with point (f) of Art. 6(1) GDPR or there is a legal obligation to do so in accordance with point (c) of Art. 6(1) GDPR.
The data is erased if the data is no longer required to meet a contractual or statutory duty of care or for the handling of any possible guarantee and comparable obligations, whereby the necessity of storage of the data is reviewed every three years; in addition, the statutory retention obligations are applicable.
When we are contacted (e.g. via a contact form, email, telephone, or by social media), user information will be processed for the purpose of processing and dealing with the contact request in accordance with point (b) of Art. 6(1) GDPR (within the framework of contractual/pre-contractual relations), point (f) of Art. 6(1) GDPR (other enquiries). User information may be saved in a customer relationship management system (‘CRM system’) or a comparable request organisation system.
We delete requests when they are no longer required. We review the need to store this information every two years; statutory archiving obligations also apply.
Hosting and Email Dispatch
The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage capacity and database services, email dispatch, security services, as well as technical maintenance services used by us for the purpose of operating this online offering.
In this context, we and/or our hosting services provider process personal details, contact details, content data, contractual data, usage data, meta data and communication data of customers, prospective customers and visitors to this online offering on the basis of our legitimate interest in an efficient and secure provision of this online offering in accordance with point (f) of Art. 6(1) GDPR in conjunction with Art. 28 GDPR (conclusion of an order processing contract).
Collection of Access Data and Log Files
We and/or our hosting services provider collect data on each access to the server where this service is hosted (so-called server log files) on the basis of our legitimate interest in line with point (f) of Art. 6(1) GDPR. Access data includes the name of the web page visited, the file, the date and time of access, the volume of data transferred, a notification of successful access, the browser type and version used, the user’s operating system, the referrer URL (previously visited web page), the IP address and the provider making the request.
Log-file information will be saved for a maximum of seven days for security reasons (e.g. investigation of acts of misuse or fraud) and erased thereafter. Data which must be retained for longer periods for the purpose of evidence is exempted from erasure until the respective incident has been cleared up definitively.