Information on the Processing of Personal Data
I take the protection of your personal data seriously.
Your personal data (“your data”) are processed in accordance with the data protection regulations of the German Federal Data Protection Act (“BDSG“) and Regulation (EU) 2016/679 (EU General Data Protection Regulation – “GDPR”). If you instruct me in my capacity as a notary, your personal data are processed in accordance with the State Data Protection Act (BremDSG), the GDPR and the BDSG.
Hereinafter, you shall find information about the processing of your personal data,
If you participate in an Audi or video conference, a chat and/or a desktop sharing session with me via Microsoft Teams, a program of Microsoft Deutschland GmbH (Walter-Gropius-Strasse 5, 80807 Munich, Germany – “Microsoft”) or work with me via the co-working platform (Section G).
You will also receive general information about the disclosure of your data to third parties (Section I) and your rights with regard to the processing of your data (Section J).
Should you have any questions or concerns, please contact me at email@example.com.
A. Who is Responsible for the Processing of Your Data?
The data controller, i.e. the person responsible for the processing of your data in the form of Art. 4 No. 7 GDPR is:
Dr. Christoph Herrmann, LL.M. (Cambridge)
Rechtsanwalt | Avocat à la Cour | Notar
T + 49 (0) 421 610 738 0
F + 49 (0) 421 610 738 28
Werde ich als Notar tätig, verarbeite ich Ihre personenbezogenen Daten gemäß den datenschutzrechtlichen Vorschriften des Bremischen Datenschutzgesetzes (BremDSG), der DS-GVO und des BDSG.
B. External Data Protection Officer (Notarial Services)
For the provision of notarial services, I have appointed Mr. Julian Habekost as my external data protection officer. You can contact him at firstname.lastname@example.org.
C. Privacy Information for Visitors of My Website
This section shall provide an overview of what happens to your personal data when you visit this website. Personal data are all data through which you can be personally identified. Detailed information on data protection can be found in the further text of this information notice.
I. Data Collection on this Website
1. Who is responsible for the data collection on this website?
The data processing on this website is carried out by the operator of this website. Contact details can be found in section A of this information notice.
2. How are your data collected?
Your data are collected either by you providing me with it. Other data are collected either automatically or with your consent by the server of this website when you visit the website.
This concerns mainly data for technical purposes, e.g. information about your browser, your operating system or about the date and time of your visit). Such data is collected automatically as soon as you enter this website.
3. What does my law firm use your data for?
Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyze the quality and success of the content of the website.
4. What are your rights with respect to your data?
You have the right to receive information, at any time and free of charge, about the origin, the recipients and the purpose of the processing of your data. You may also require rectification or erasure of your data. If you have given your consent to the processing of your data, you can withdraw such consent at any time for the future. Furthermore, you have the right to request, under certain circumstances, the restriction of the processing of your data. You also have the right to lodge a complaint with the competent supervisory authority. Should you have any questions or concerns, please contact me at email@example.com.
II. Hosting and Content Delivery Networks (CDN) – External Hosting
The website of my law firm is hosted by an external service provider (hoster). Your data collected when you access this website is stored on the servers of the hoster. This may include, without limitation, IP addresses, contact requests, meta data and communication data, contract-related data, contact details, names and statistical data on website access. The services of the hoster serve to fulfill my contractual duties towards potential and existing clients (Art. 6 (1) lit. b GDPR) and to ensure a safe, speedy and efficient operation of the website (Art. 6 (1) lit. f GDPR). The hoster shall only process your data to the extent necessary to perform its obligations and shall follow my instructions with respect to data collected. The hoster is:
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
III. General and Mandatory Information
1. Data Protection
In my capacity as data controller, I take the protection of your data very seriously. I shall treat your data confidentially and in accordance with the statutory data protection regulations and this data protection notice.
When you access the website of my law firm, different personal data are collected. Personal data are data that can be used to personally identify you. This data protection notice explains what data I collect and what I use them for. It also explains how and for what purpose this is done. I would like to point out that data transmission over the Internet (e.g. when communicating via e-mail) may have security gaps. Complete protection of data against access by third parties is not available.
2. Duration of Storage
Unless a more specific storage period has been specified herein, your data will be stored until they are no longer required for the purpose for which they have been collected. If you request erasure on sufficient grounds or if you withdraw your consent to the processing of data, your data will be erased unless further storage is required or permitted by statutory law (e.g. tax law, commercial law or professional ethics-based storage obligations). In the latter case, the erasure shall take place once storage is no longer required.
3. Note on Data Transfer to the USA
The website of my law firm may use tools from companies based in the United States of America. When such tools are active, your data may be accessed by respective companies and stored on servers located in the United States. I shall point out that the USA have not been declared as a country offering an adequate level of protection by the European Commission. Companies established in the USA are required to disclose personal data to security agencies without you, as the individual concerned, being able to take legal action against it. It cannot therefore be ruled out that US authorities (e.g. intelligence agencies) process, evaluate and permanently store your data on US servers for surveillance purposes. I do not have any influence on such processing activities.
4. Withdrawal of Your Consent to Data Processing
Many data processing operations are only permissible with your explicit consent. You can withdraw your consent at any time. The legality of the data processing carried out prior to the withdrawal of your consent remains unaffected.
5. Right to Object to the Processing of Data in Specified Cases (Art. 21 GDPR)
IF YOUR DATA IS PROCESSED ON THE BASIS OF ART. 6 (1) 1 LIT. E OR F GDPR, YOU HAVE AT ANY POINT IN TIME THE RIGHT, FROM THE RIGHT, FOR REASONS RELATED TO SPECIFIC CIRCUMSTANCES, TO OBJECT TO THE PROCESSING OF YOUR DATA; THIS ALSO APPLIES FOR IN CASE OF PROFILING BASED ON SUCH STIPULATIONS. THE RESPECTIVE LEGAL BASES ON WHICH PROCESSING IS BASED CAN BE FOUND IN HEREINAFTER. IF YOU OBJECT TO THE PROCESSING OF YOUR DATA, I WILL NOT FURTHER PROCESS YOUR DATA, UNLESS THERE ARE OVERRIDING LEGITIMATE GROUNDS OR UNLESS THE FURTHER PROCESSING OF YOUR DATA SERVES THE EXCERCICE OF RIGHTS OR THE DEFENSE AGAINST CLAIMS (RIGHT TO OBJECT PURSUANT TO ART. 21 (1) GDPR). I DO NOT PROCESS YOUR DATA FOR PROFILING OR DIRECT MARKETING PURPOSES (RIGHT TO OBJECT PURSUANT TO ART. 21 (2) GDPR.
6. Right of Complaint to the Competent Supervisory Authority
In the event of an infringement of the GDPR, the individuals concerned shall have the right to lodge a complaint with a competent supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
7. Right to Portability
You have the right to receive your data or request the transfer of your data in a structured, commonly used and machine-readable format (data portability). If you request the transfer of your data to another data controller, this is subject to technical feasibility.
8. SSL or TLS Encryption
For security reasons and to protect the transmission of confidential content, this site uses SSL or TLS encryption. You can recognize an encrypted connection from the “https://” in the address line of the browser and from the lock icon on the screen of your device. If SSL or TLS encryption is enabled, the data you submit cannot be accessed by third parties.
9. Right of Access to, Erasure of and Rectification of Your Data
Subject to applicable statutory provisions, you have the right to be informed on the processing of your data, on its origin and on its recipients as well as on the purpose of the data processing and, if necessary, a right to rectification or erasure of your data. Should you have any questions or concerns, please contact me at firstname.lastname@example.org.
10. Right to Request the Restriction of the Processing of Your Data
You have the right to request the restriction of the processing of your data under certain circumstances as described hereinbelow:
If you have restricted the processing of your data, such data may be further processed only with your consent, for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person or for reasons of public interest of the European Union or a Member State of the European Union.
IV. Data Collection on My Website
You can set your browser so as to be informed on the setting of cookies, enable the storage of cookies only on a case-by-case basis, disable cookies for certain cases or in general, and set the automatic erasure of cookies when the browser is closed. When disabling cookies, the functionality of my law firm’s website may be limited.
Insofar as cookies are used by third parties or for analysis purposes, I will inform you about this separately within the framework of this data protection notice and, where necessary, request your consent.
2. Cookie Consent Technology
My law firm’s website uses the cookie consent technology of Borlabs Cookie to obtain your consent to the storage of certain cookies in your browser and to document them in compliance with data protection requirements.
The provider of this technology is Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (“Borlabs”).
When you visit my website, a Borlabs cookie is stored on your browser. The Borlabs cookie is used to store data on your consent and its withdrawal. The corresponding data will not be passed on to Borlabs. The collected data is stored until you ask me to delete, until you delate the Borlabs cookie yourself or until storage is no longer required, notwithstanding regulatory document storage obligations.
Details on the data processing of Borlabs can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/
Individual cookie settings
3. Server Log Files
My law firm’s website automatically collects and stores information in so-called server log files, which your browser automatically transmits on the following items:
Such data is not merged with other data from other sources.
The collection and storage of such data is carried out on the basis of Art. 6 (1) lit. f GDPR. Server log files must be recorded to ensure the stability and proper functioning of websites. As website operator, I have a legitimate interest in the storage of cookies for the stability and proper functioning of my law firm’s website.
4. Requests by E-mail, Telephone or Telefax
If you contact me by e-mail, telephone or telefax, your request, including any data (name, subject-matter of the enquiry) that results from it, will be stored and processed by me for the purpose of processing your request. I will not share or disclose such data without your consent.
The processing of such data is carried out on the basis of Art. 6 (1) lit. b GDPR, provided that your request is related to the fulfilment of a contract or is necessary for compliance with pre-contractual obligations. In all other cases, the processing is based on the legitimate interest in the effective processing of enquiries (Art. 6 (1) lit. f GDPR) or on your consent (Art. 6 (1) lit. a GDPR).
V. Plugins and Tools
My law firm’s website uses the map service Google Maps. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
To use the functionalities of Google Maps, your IP address is stored and corresponding data may be transferred to and stored by a server in the USA belonging to Google.
As provider of my law firm’s website, I have no influence on such data transfer. The use of Google Maps is in the interest of an easy location of my office. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. If consent has been requested, the processing shall be carried out exclusively on the basis of Art. 6 (1) lit. a GDPR. Your consent can be withdrawn at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission.
Details can be found here:
D. Data Processing in the Context of Client Information Consent
I. Subscription to a Newsletter
To register for a newsletter, you must provide your e-mail address, your first and last name, your job title, the name of your company, your position in such company and the place where you are located, as well as the topics in which you are interested. This data will only be used for the purpose of sending the newsletter. The legal basis for the processing of such data is Art. 6 (1) lit. a GDPR. You may withdraw your consent at any time. In this case, you will no longer receive the newsletter.
When subscribing a newsletter, the IP address of your device and the date and time of subscription as well as the result of e-mail opt-in are collected. Such data is processed for the purpose of being able to discover a possible improper use of e-mail addresses. The legal basis for the processing of such data is Art. 6 (1) lit. f GDPR.
The subscribed newsletters may contain so-called tracking pixels. A tracking pixel is a thumbnail graphic embedded in HTML-style emails. Tracking pixels allow me to know if and when the newsletter was opened by its recipient and which links contained in the newsletter were accessed. Data collected in the newsletters is processed in an anonymously in order to take better account of the interest of the recipients.
II. Consent to the Sending of Information about Events
If you have given your consent to receive information about events, I will use your contact data (address, first and last name, job title, professional address, e-mail address) to provide you with the requested information (regularly by e-mail). The legal basis for this processing is Art. 6 (1) lit. a GDPR. You can withdraw your consent at any time. In this case, you will no longer receive information about events and your data will be erased. In the absence of a consent withdrawal, this applies automatically after a period of two years. Contact information will not be deleted if I am entitled or obliged to further storage (e.g. in connection of an attorney-client-relationship).
If you are invited to an event, I shall process the above data to provide you with the pre-filled registration form. When you register for the event, I will process your name, your job title and which company or organism you belong to so as to provide you and the other participants with a list of all participants. The legal basis for such data processing is Art. 6 (1) lit. f GDPR.
E. Data Processing in the Context of an Attorney-Client Relationship
I process your data to the extent necessary for the establishment an attorney-client relationship and for compliance with my contractual and professional duties.
I. Who is affected by data processing?
I process personal data from
II. What personal data will be processed?
I process the following categories of personal data to the extent that they are necessary for establishing an attorney-client-relationship and for compliance with my contractual and professional duties:
If I am instructed in my capacity as a notary, I also process the following personal data, depending on the subject matter and the professional duties to be observed:
Such data may exceptionally include special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) and data on criminal convictions and criminal offences in accordance with Art. 10 GDPR.
III. From which sources do the processed data stem from?
Insofar as I do not receive personal data directly from the data subjects themselves, the data stem from the following sources:
IV. For what purposes are the data processed?
Data will be processed in connection with the performance of my contractual and professional duties for the following purposes:
The legal basis is, in so far as personal data of the client is processed, Art. 6 (1) lit. b and/or f GDPR. The legal basis for the processing of specific categories of personal data is Art. 9 (2) lit. f GDPR.
V. To whom will your data be transferred?
Insofar as this is necessary for the establishment of an attorney-client-relationship or the performance of my contractual or professional duties, I transfer personal data to the following recipients:
In some cases, data are also transmitted to recipients established in countries outside the European Union or the European Economic Area for which the European Commission has not formally established the existence of an adequate level of data protection in accordance with Art. 46 GDPR. Insofar as the transfer is not necessary for the establishment, exercise or defense of legal claims (Art. 49 (1) lit. e GDPR) and no other ground for transmission in accordance with Art. 49 (1) GDPR is available, appropriate safeguards for the protection of personal data at the recipient are set up, regularly by way of contract using so-called standard data protection clauses in accordance with Art. 46 (2) lit. c GDPR. Should you have any questions or concerns, please contact me at email@example.com.
VI. How long will your data be stored?
Your data will be stored as long as their processing is necessary for the purposes specified in point IV above, notwithstanding statutory requirements for a longer storage period.
F. Privacy Information for My Business Partners
I process personal data as part of the cooperation with service providers, cooperation partners and other business partners (hereinafter “Business Partners”).
I. Who is affected by data processing?
I process personal data of business partners, their board members, their representatives and their employees.
II. What personal data will be processed?
I process the following categories of personal data to the extent that they are necessary for the establishment or proper performance of contractual relations with the business partner:
III. From which sources do the processed data stem from?
Insofar as I do not receive personal data directly from the data subjects, the data regularly stem from the business partner as the employer of the data subjects.
IV. For what purposes are the data processed?
I process your data referred to in II. for the establishment and performance of a contractual relationship with the business partner. The legal basis for such data processing is, in so far as personal data of the business partner are processed, Art. 6(1) lit. b GDPR, otherwise Art. 6 (1) lit. f GDPR.
V. How long will your data be stored?
Your data will be stored as long as their processing is necessary for the purposes described under point IV, notwithstanding statutory requirements for a longer storage period.
G. Privacy Information Related to Communication via Microsoft Teams
I process personal data to the extent necessary to communicate and collaborate with you through Microsoft Teams.
I process personal data from:
I process the following categories of personal data where necessary:
The purpose and legal basis for the processing of such personal data arise in principle from the respective context of communication, as described in this data protection notice under sections C to F. The legal basis by default is Art. 6 (1) lit. f GDPR.
To provide the Microsoft Teams features, the above-described data shall be sent to Microsoft. Microsoft is obligated to maintain strict confidentiality and processes data only on behalf of and in accordance with my instructions. The above-described may be transferred to countries outside the EU/EEA, in particular to the USA. Microsoft Corporation is certified under the EU-US Privacy Shield to ensure adequate data protection.
Audio and video data generated during an audio or video conference or desktop sharing session is processed only for the duration of the conference or session and immediately deleted afterwards. Records (except for personal notes) will not be produced without your explicit consent.
Communication by text as well as data from a co-working platform are stored as long as the purpose of the cooperation requires (see in particular section C above). In addition, they will be erased or pseudonymised as soon as their storage is no longer necessary, notwithstanding statutory requirements for a longer storage period.
H. Privacy Information for Visitors of my Offices
My offices are equipped with a surveillance camera. In that regard, I process personal data for the purpose of prevention and detection of criminal offenses, their establishment and the conservation of related evidence, the detection of unauthorized access and the exercise of ownership rights on the basis of Art. 6 (1) lit. f GDPR.
The surveillance camera records the image and movement of individuals inside the offices, in particular their face, their clothing and objects carried with them. The recording is limited to periods when the offices are closed.
The recording and processing is based on the legitimate interest of the protection of and defense against criminal offenses, such as theft, willful damage to property and trespass as well as for the protection of personnel, clients and visitors.
The data recorded may be passed on to public authorities, in particular the police, if they constitute evidence of criminal offense. The data recorded may be passed on to other public authorities at their request and according to applicable legal requirements
I. Will Your Data Relating to an Attorney-Client Relationship be Passed on to Third Parties?
Your personal data in connection with an attorney-client relationship shall not be transferred to third parties unless specified hereinbelow. I use the support of external service providers who have access to your data for certain technical services, in particular IT system maintenance companies and advisors. These service providers are carefully selected and meet high data protection and data security standards. They are obliged to maintain strict confidentiality and process data only on my behalf and in accordance with my instructions.
I work with colleagues and consultants that have special expertise in specific fields or on specific areas (e.g. tax consultants, specialized lawyers, consultancy firms, experts, notaries). They are either subject to a professional confidentiality obligation or to a contractual confidentiality obligation. Insofar as it is necessary to transfer your data, the legal basis is, depending on the circumstances, 6 Abs. 1 lit. b or f GDPR.
Except in the cases described herein, I will only pass on your data to third parties without your express consent if I am obliged to do so by law or by an official or court order.
J. What Rights do You Have with Respect to Your Data?
You are entitled to information about the processing and storage of your data and, if the respective legal requirements are met, to rectification, erasure and restriction of the processing. You also have the right to receive your data, if provided by yourself, in a structured, commonly used and machine-readable format. This includes the right to transfer your data to another controller, subject to technical feasibility.
Insofar as the processing of your data is based on a balance of interests within the meaning of Art. 6 (1) lit. f GDPR, you have, subject to the prerequisites of Art. 21 GDPR, the right to object to such processing.
You can also contact the competent supervisory authority with complaints:
The Officer for Data Protection and Freedom of Information in Bremen (Germany)
Frau Dr. Imke Sommer
T +49 421 3612010 / +49 471 5962010
F +49 421 49618495