Obligatory Information acc. to Art. 12 et seq. GDPR
Contact details of the person responsible (e.g., CEO)
| | |
|---|---|
| company name | lesswire GmbH |
| name (CEO) | Frank Borrmann |
| address | Rudower Chaussee 30, 12489 Berlin, Germany |
| telephone | +49 30 6392 8283 |
| telefax | +49 30 6392 8287 |
Contact details Data Protection Officer (if available)
| | |
|---|---|
| name | Mr. Ass. jur. Bernd Bosch |
| company name | DATEV eG |
| telephone | +49 172 8809 561 |
From which source do we obtain your personal data?
In principle, the collection of your data takes place on your premises. The processing of personal data provided by you is necessary to fulfill the obligations arising from the contract you have concluded with us. Due to your duties to cooperate, you must provide the personal data we request; otherwise, we will not be able to fulfill our contractual obligations.
Provision of your personal data is necessary within the framework of pre-contractual measures (e.g., master data entry in the interested party process). If the requested data is not provided by you, a contract cannot be concluded.
In order to provide our services, it may be necessary to process personal data that we have received from other companies or other third parties, e.g., revenue offices, your business partner, or the like, permissibly and for the respective purpose.
Furthermore, we may process personal data from sources that are publicly accessible, e.g., websites, which we use legitimately and only for the respective contractual purpose.
Purposes and legal bases of the processing
The personal data you provide to us will be processed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
Due to legal requirements (acc. to art. 6 para. 1 subpara. c GDPR) or public interest (acc. to art. 6 para. 1 subpara. e GDPR)
The purposes of data processing result from legal requirements or lie in the public interest (e.g., compliance with retention obligations; proof of compliance with the tax consultant's notification and information obligations).
For the fulfillment of contractual obligations (acc. to art. 6 para. 1 subpara. b GDPR)
On the one hand, the purposes of the data processing result from the introduction of pre-contractual measures that precede a contractually regulated business relationship, and on the other hand from the fulfillment of the obligations from the contract that was concluded with you.
On the basis of consent (acc. to art. 6 para. 1 subpara. a GDPR)
The purposes of processing personal data result from giving consent. Your consent can be revoked at any time with effect for the future. Consents given before the GDPR took effect (25 May 2018) can also be revoked. Processing that took place before the revocation remains unaffected by the revocation. For example: sending a newsletter; consent to data disclosure to third parties at your request (e.g., banks, insurance companies, shareholders, etc.).
Within the scope of balancing conflicting interests (acc. to art. 6 para. 1 subpara. f GDPR)
The purposes of the processing result from the protection of our legitimate interests. It may be necessary to process the data you have provided to us beyond the actual performance of the contract. Our legitimate interest may be used to justify further processing of the data that you have provided to us, subject to the condition that your interests or fundamental rights and freedoms do not prevail. Our legitimate interest may be in individual cases: enforcement of legal claims; defense of liability claims; prevention of criminal offenses.
Who receives the personal data you provide us with?
Within our company, access to the personal data that you have provided to us is given only to those divisions that require it to fulfill contractual and legal obligations and that are entitled to process this data.
In fulfillment of the contract that has been concluded with you, only those divisions receive the data that you have provided to us, which require this data for legal reasons, e.g., tax authorities; social insurance carriers; competent authorities and courts.
Other recipients will only receive the data you have provided to us at your request if you give us the necessary consent.
Within the scope of our services, we commission contractors who contribute to the fulfillment of contractual obligations, e.g., computer center service providers; EDP partners; companies that shred documents, etc. These data processors are contractually bound by us to comply with the requirements of the GDPR and the BDSG.
Will the data you provide to us be transferred to third countries or international organizations?
Data that you provide to us will in no case be transferred to a third country or an international organization. If in individual cases, you wish the data you have provided to us to be transferred to a third country or an international organization, we will only do so with your written consent.
Does automated decision making, including profiling, take place?
No fully automated decision making (including profiling) according to art. 22 GDPR is applied to process the data you have provided to us.
Duration of processing (criteria for deletion)
The data you have provided to us will be processed for as long as it is necessary to achieve the contractually agreed purpose, in principle, as long as the contractual relationship with you exists. After the end of the contractual relationship, the data you have provided to us will be processed to comply with legal retention obligations or on the basis of our legitimate interests. After the legal retention periods have expired or our legitimate interests have ceased to exist, the data that you have provided to us will be deleted.
Expected periods of storage obligations and our legitimate interests are:
- Fulfillment of commercial and tax retention periods: The periods for storage and documentation specified therein range from two to ten years.
- Preservation of evidence under the statute of limitations: According to sections 195 et seq. of the German Civil Code (BGB), the limitation period can be up to 30 years, whereas the standard limitation period is three years.
Information and access to personal data
- Right of access acc. to art. 15 GDPR:
Upon request, you have the right to receive information free of charge as to whether and what data about you is stored and for what purpose it is stored.
- Right to rectification acc. to art. 16 GDPR:
You have the right to request from the Data protection officer to correct your incorrect personal data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.
- Right to erasure ("Right to be forgotten") acc. to art. 17 GDPR:
You have the right to demand from the Data protection officer to delete your data immediately. The person responsible is obliged to delete personal data immediately, if one of the following reasons applies:
- The purposes for which the personal data was collected cease to apply.
- You are revoking your consent to the processing. There is no other legal basis for the processing.
- You object to the processing. There is no other legal basis for the processing.
- The personal data have been processed unlawfully.
- The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the Data protection officer is subject.
- The personal data has been collected in relation to information society services provided in accordance with article 8 para. 1.
- Right to restriction of processing according to art. 18 GDPR and art. 35 BDSG:
You have the right to request a limitation of the processing, if one of the following conditions is given:
- You doubt the accuracy of the personal data.
- The processing is unlawful, but you refuse to have it deleted.
- Personal data is no longer required for the purposes of processing; however, you will need the data to assert, exercise, or defend legal claims.
- You have filed an objection against the processing acc. to art. 21 para. 1 GDPR. As long as it has not yet been determined whether the legitimate reasons of the responsible person outweigh yours, the processing will be restricted.
- Right to data portability acc. to art. 20 GDPR:
You have the right to receive the data you provided from the person responsible in a structured, current, and machine-readable format. Forwarding it to another responsible person may not be hindered by us.
- Right to object acc. to art. 21 GDPR:
In this case, please contact the person responsible for processing (see above).
- Right to lodge a complaint with a supervisory authority acc. to art. 13 para. 2 subpara. d, 77 GDPR in connection with art. 19 BDSG:
If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. For this purpose, please contact the competent supervisory authority
- Withdrawal of consent acc. to art. 7 para. 3 GDPR:
If the processing is based on your consent acc. to art. 6 para. 1 subpara. a or art. 9 para. 2 subpara. a (processing of special categories of personal data), you are at any time entitled to withdraw the appropriately bound consent without prejudice to the legality of the processing which has taken place on the basis of the consent until revocation.