General Part
Definitions
The following terms used in this Privacy Statement have the meanings described below in accordance with the definitions used in the GDPR:

“Personal Data” (Art. 4 point 1 GDPR) means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The identifiability may also exist by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain Personal Data).

“Processing” (Art. 4 point 2 GDPR) means any operation performed on Personal Data, whether or not by automated means (i.e. technology-based). This includes, in particular, the collection (i.e. obtaining), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data, as well as the change of a purpose or intended use on which a data Processing was originally based.

“Controller” (Art. 4 point 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Third Party” (Art. 4 point 10 GDPR) means any natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process the Personal Data; this also includes other legal persons belonging to the same company group.

“Processor” (Art. 4 point 8 GDPR) means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, in particular in accordance with the latter’s instructions (e.g. IT service providers). In particular, for the purposes of data protection law a Processor is not a Third Party.

“Consent” (Art. 4 point 11 GDPR) means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which the Data Subject, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Name and contact details of the Controller
To the extent that we alone or jointly with others determine the purposes and means of the Processing of your Personal Data, we are responsible for such Processing of your Personal Data.   

Our contact details are as follows:

Treuhand Weinheim Rechtsanwalts- und Steuerberatungsgesellschaft mbH, 

Höhnerweg 2-4, 69469, Weinheim, Germany 

Commercial register number HRB 704029

Court of registry: Mannheim Local Court

If you have any questions on the subject of data protection, please feel free to contact us at any time at the e-mail address info@treuhand.weinheim.de.

Legal basis for the Processing
According to the principles of applicable data protection law, any Processing of Personal Data is prohibited as a general rule and only permitted if the Processing can be based on one of the following grounds for justification:

Art. 6(1) point (a) GDPR (“Consent”): If the Data Subject has freely, in an informed manner and unambiguously indicated by a statement or by a clear affirmative action that he or she consents to the Processing of Personal Data relating to him or her for one or more specific purposes;

Art. 6(1) point (b) GDPR: If the Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

Art. 6(1) point (c) GDPR: If the Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g. a statutory obligation to keep records);

Art. 6(1) point (d) GDPR: If the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.

Art. 6(1) point (e) GDPR: If the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or

Art. 6(1) point (f) GDPR (“Legitimate Interests”): If the Processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the Controller or by a Third Party, except where such interests are overridden by the conflicting interests or rights of the Data Subject (in particular where the Data Subject is a minor). 

For the respective Processing carried out by us, we indicate below the legal ground applicable in each case. Processing may also be based on several legal grounds.

Data erasure and storage period
For the Processing carried out by us, we indicate below in each case how long the data will be stored by us and when it will be erased or blocked. If no explicit storage period is specified below, your Personal Data will be erased or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data will only be stored on servers in Germany, subject to any transfer that may take place in accordance with the provisions in the special parts of this Privacy Statement. 

However, storage may take place beyond the specified period if a (threatened) legal dispute with you or other legal proceedings are pending or if storage is provided for by statutory regulations to which we are subject as Controller (e.g. § 257 HGB (Handelsgesetzbuch – German Commercial Code), § 147 AO (Abgabenordnung – German Tax Code)). If the storage period provided for in the statutory regulations expires, the Personal Data will be blocked or erased unless further storage by us is necessary and can still be based on an applicable legal ground.

Data security
We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorised access by Third Parties, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the Processing, as well as the existing risks of a data breach (including its likelihood and impact) for the Data Subject. Our security measures are continuously improved in line with technological developments. 

We are happy to provide you with more detailed information upon request. Please contact us using the contact details specified in A.2.

Cooperation with Processors
To process our business transactions and provide our services, we engage external service providers as (order) processors. They will act exclusively according to our instructions and are contractually bound (Art. 28 GDPR) to comply with data protection regulations. 

Conditions for the transfer of Personal Data to third countries
In the course of our business relationship with you as a client, your Personal Data may be transferred to other enterprises that we engage as service providers in the course of providing our services. These may also be located outside the European Economic Area (“EEA”), i.e. in third countries. Such Processing will only be carried out to fulfil contractual and business obligations, to maintain your business relationship with us or on the basis of another legitimate interest as described in this Privacy Statement. We will inform you about the respective details of the data exchange with enterprises in third countries at the relevant places in the special part of this Privacy Statement.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm). However, in other third countries to which Personal Data may be transferred, there may not be a uniformly high level of data protection due to the lack of legal regulations. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of Personal Data, certificates or recognised codes of conduct in conjunction with appropriate technical measures. Please contact us using the contact details provided in A.2 if you would like to receive further information on this. 

No automated decision making (including profiling)
We do not intend to use the Personal Data collected from you for automated decision-making processes (including profiling).

No obligation for the provision of Personal Data
We are not subject to any specific legal or contractual obligations to disclose the Personal Data processed to Third Parties.

We do not make the conclusion of contracts with us dependent on you providing us with Personal Data in advance. As a client, you are also not legally or contractually obligated to provide us with your Personal Data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide us with the required data. Should this exceptionally be the case within the scope of our services and activities to be provided to you, you will be informed separately.

Your rights
You can exercise your rights as a Data Subject regarding your processed Personal Data at any time by contacting us using the contact details provided at the beginning of A.2. You ̈may also log a complaint ̈about the Processing of your Personal Data with a data protection authority.̈

You have the following rights as a Data Subject:

Right to information (Art. 15 GDPR) Within the scope of Art. 15 GDPR, you have the right at any time to request confirmation from us as to whether we are Processing Personal Data relating to you; if this is the case, you also have the right within the scope of Art. 15 GDPR to receive information about this Personal Data as well as certain other information (including Processing purposes, categories of Personal Data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your data. The limitations of § 34 BDSG apply.

Right to rectification (Art. 16 GDPR) You have the right to request that we correct the Personal Data relating to you stored by us if it is inaccurate or incorrect.

Right to erasure (Art. 17 GDPR): You have the right, subject to the requirements of Art. 17 GDPR, to demand that we erase Personal Data relating to you without undue delay. The right to erasure does not exist, among other things, if the Processing of the Personal Data is necessary, for example, to comply with a legal obligation (e.g. statutory obligations to keep records) or to assert, exercise or defend legal claims. Besides, the limitations of § 35 BDSG apply.

Right to restriction of Processing (Art. 18 GDPR): You have the right to demand that we restrict the Processing of your Personal Data subject to the requirements of Art. 18 GDPR.

Right to data portability (Art. 20 GDPR): You have the right, subject to the requirements of Art. 20 GDPR, to demand that we hand over to you the Personal Data relating to you that you have provided to us in a structured, commonly used and machine-readable format. 

Withdrawal of Consent (Art. 7(3) GDPR): You have the right to withdraw the Consent given by you to the Processing of Personal Data at any time. Please note that the withdrawal will only be effective for the future. Processing that took place before the withdrawal will not be affected. An informal notice to us, e.g by e-mail, is sufficient to declare withdrawal. 

Right to object (Art. 21 GDPR): You have the right to object to the Processing of your Personal Data subject to the requirements of Art. 21 GDPR, with the consequence that we have to discontinue the Processing of your Personal Data. The right to object exists only within the limits provided for in Art. 21 GDPR. In addition, our interests may conflict with the termination of Processing, with the consequence that we are entitled to process your Personal Data despite your objection. We will observe an objection to any direct marketing measures immediately and without further consideration of the existing interests.
Right to lodge a complaint (Art. 77 GDPR): You are free to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR regarding the Processing of your Personal Data by us. As a rule, you can contact the supervisory authority of your usual place of residence or our registered office (Der Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg (State Commissioner for Data Protection and Freedom of Information), Lautenschlagerstraße 20, 70173 Stuttgart, T: +49 (0)711 615541-0, F: +49 (0)711 615541-15, e-mail: poststelle@lfdi.bwl.de).

Changes to the Privacy Statement
In the context of the further development of data protection law and technological or organisational changes, this Privacy Statement will be regularly reviewed for any need to adapt or supplement it. You will be informed about any changes in particular on our website https://treuhand-weinheim.com/de/. This Privacy Statement is effective from September 2022.

B.Client Relationship

Type of data
If you retain our services, we collect the following information:

salutation, academic degree/title, first name, last name;
e-mail address;
address;
telephone number (landline and/or mobile) and fax number, if applicable; and
information necessary for the examination, assertion and defence of your rights under the client relationship.

Purpose of the Processing
We collect and process the data within the scope of the client relationship

to be able to identify you as our client, as a representative of our client or as a contact person on the part of our client;
to be able to adequately advise and represent you or the legal entity you represent;
to correspond with you;
for invoicing purposes;
for the handling of any existing liability claims as well as the assertion of any claims against you or the clients represented by you;
for sending you information (also by e-mail) on current (tax) legal developments and invitations to events. 

Legal grounds
The Processing is carried out at your request and is necessary in accordance with Art. 6(1) sent. 1 point (b) GDPR for the stated purposes for the appropriate handling of the client relationship and for the mutual fulfilment of obligations arising from the client agreement or is based on another legitimate interest in accordance with Art. 6(1) sent. 1 point (f).

Storage duration
The Personal Data collected by us for the client relationship will be stored for as long as is necessary for the above-mentioned purposes within the scope of the client relationship. The Personal Data collected will also be stored after termination of the client relationship until the expiry of the statutory retention obligation for lawyers and tax consultants and will then be erased, unless we are obliged to store the data for a longer period of time in accordance with Art. 6(1) sent. 1 point (c) GDPR due to retention and documentation obligations under tax and commercial law (under the German Commercial Code (HGB), German Criminal Code (StGB), German Tax Code (AO) or for reasons of liability law), such storage is necessary due to post-contractual duties of care (Art. 6(1) sent. 1 point (b) GDPR), or you have consented to storage beyond this period in accordance with Art. 6(1) sent. 1 point (a) GDPR.

Transmission of Personal Data to Third Parties
Your Personal Data will not be transmitted to Third Parties for purposes other than those specified below.

To the extent this is necessary in accordance with Art. 6(1) sent. 1 point (b) GDPR for the handling of the contractual relationship with you, your Personal Data will be transferred to Third Parties. This includes, in particular, the transfer to opposing parties and their representatives (in particular their legal counsel) as well as courts and other public authorities (such as financial authorities) for the purpose of correspondence and for the assertion and defence of your rights. This transfer also extends to the attorneys we sub-authorise after prior consultation with our client. The data transferred may be used by the Third Party exclusively for the aforementioned purposes.

We are also entitled pursuant to Art. 6(1) sent. 1 point (f) GDPR to transfer data to the data centre of an external service provider, in particular DATEV e.G. (Nuremberg), for order processing in the course of the proper execution and organisation of the handling of the client relationship. We conclude a corresponding order processing agreement for this purpose. 

The statutory confidentiality obligations of lawyers and tax consultants remain unaffected. To the extent that data is involved that is subject to this professional duty of confidentiality, it will only be passed on to Third Parties in consultation with you.

C.Electronic Signature (DocuSign)

Type of data
We provide you with the option to electronically sign and transmit documents via the “DocuSign” service to facilitate the conclusion of contracts. The provider of the service is DocuSign, Inc., 221 Main Street, Suite 1000, San Francisco, CA 94105. When documents are electronically signed and transmitted via the DocuSign service, the following data is processed: 

content and metadata of the documents to be signed, 
information identifying the persons involved in the conclusion of the contract (in particular name and e-mail address), 
information and usage data on the terminal device used (in particular IP address, browser and operating system), as well as 
data in the context of authentication and signature creation. 

Purpose of Processing
The Processing of this Personal Data serves to enable the conclusion of the contract via the electronic signature procedure. 

Legal grounds
The Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract and is therefore justified pursuant to Art. 6(1) sent. 1 point (b) GDPR. Furthermore, Personal Data may be processed for the fulfilment of legitimate interests (document management, IT security, billing purposes) pursuant to Art. 6(1) sent. 1 point (f) GDPR.

Storage duration
The data will be stored for as long as necessary to achieve the stated purpose.

Transmission of Personal Data to Third Parties
The data we collect using DocuSign is processed on our behalf by DocuSign, Inc., 221 Main Street, Suite 1000, San Francisco, CA 94105, as a Processor (Art. 28 GDPR). For this purpose, we have concluded an order processing contract with DocuSign, Inc. 

As a general rule, DocuSign stores the data in data centres in the European Economic Area. In addition, it is possible that data collected in the course of providing the DocuSign service may be processed outside of the European Economic Area (such as in countries with subsidiaries or subcontractors within DocuSign, Inc.). In order to ensure adequate safeguards for the protection of Personal Data in accordance with applicable data protection law, DocuSign, Inc., has given itself binding internal data protection rules (Binding Corporate Rules – BRC) in accordance with Art. 47 GDPR, which have been approved by the competent data protection authority and can be viewed at the following link:

 In addition, DocuSign has adopted the following guidelines for dealing with government requests, which are available at this link:

https://www.docusign.com/legal/law-enforcement

DocuSign has also established actual processes that effectively safeguard the guarantees provided for in the BCR for cross-border data transfers. This includes, for example, the encryption of data. An overview of DocuSign’s measures for compliance with current data protection requirements can be viewed at the following link:

https://www.docusign.com/trust/privacy/gdpr 

For more general information about data processing by DocuSign, please see the DocuSign, Inc., privacy policy, available at:

https://www.docusign.de/unternehmen/datenschutz 

Use of our websites
Data transmission through page views
Type of data
When calling up and for the purely informative use of our web pages (i.e. without further input by the visitor), we only collect the Personal Data that your Internet browser transmits to the server of this website. The following data are collected in this process:

IP address of the visitor’s terminal device,
date and time of access by the visitor,
time zone difference to Greenwich Mean Time (GMT),
name and URL of the page accessed by the visitor,
access status/http status code,
amount of data transferred in each case,
website from which the visitor arrives at our website (so-called referrer URL),
browser and operating system of the visitor’s terminal device, language and version of the browser software, and the name of the access provider used by the visitor.

Purpose of Processing
The collection and Processing of the aforementioned data serves the purpose of

establishing the connection to our website quickly,
enabling a user-friendly use of the website,
identifying and ensuring the security and stability of the systems, and
facilitating and improving the administration of the website.

The Processing is expressly not carried out for the purpose of gaining knowledge about the person of the visitor to the website.

Legal grounds
The Processing of this Personal Data is justified according to Art. 6(1) sent. 1 point (f) GDPR. 

Storage duration
The data will be stored for as long as necessary to achieve the stated purposes.

Use of cookies when using the website 
General information about cookies
In addition to the data specified under D.1., so-called cookies are used on our websites. These are data packets that are exchanged between the server of our website and the visitor’s browser. These are stored by the respective devices used (PC, notebook, tablet, smartphone, etc.) when visiting the website. In this respect, cookies cannot cause any damage to the devices used. In particular, they do not contain viruses or other malware. In the cookies, information is stored that arises in each case in connection with the specific terminal device used. We can thus in no way obtain direct knowledge of the identity of the visitor to the website.

With regard to the storage period, a distinction can be made between so-called transient cookies and persistent cookies:

Transient cookies: These cookies are deleted automatically when you close your browser. They include, in particular, the session cookies. The latter store a so-called session ID which allows linking various requests of your browser to a common session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log off or close the browser.

Persistent cookies: These cookies are deleted automatically after a given time period which varies from cookie to cookie. You may delete the cookies at any time in the security settings of your browser.

In terms of their functions, the following types of cookies can be distinguished:

Technical cookies: These are mandatory to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;

Performance cookies: These cookies collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you – all information collected is anonymous and is used only to improve our website and find out what interests our users;

Advertising cookies, targeting cookies: These cookies are used to offer the website user tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months.

Sharing cookies: These cookies are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not absolutely technically necessary constitutes Processing that is only permitted with your explicit and active Consent pursuant to Art. 6(1) sent. 1 point (a) GDPR. This applies, in particular, to the use of advertising, targeting or sharing cookies. You can set your browser to inform you about the placement of cookies. You can also delete cookies at any time using the appropriate browser settings and prevent the setting of new cookies. Each browser differs in the way it manages cookie settings. You can find more information about cookie settings and options for deactivating cookies under the following links: 

Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies 

Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen 

Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647 

Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac 

However, it should be noted that deactivating cookies may mean that not all functions of the website can be used in the best possible way.

The cookies used on our website 
We use the Borlabs cookie from Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (“Borlabs”), on our website to obtain your Consent for the setting of cookies we may use.

As soon as you visit our website, the Borlabs cookie is stored in your browser. This cookie collects and stores your settings for the granting and withdrawing of Consent to the use of cookies on our website, as well as data on the cookie runtime, cookie version, domain and path of the WordPress website, and a randomly generated ID (“UID”). No data is transmitted to Borlabs itself.

The collection of data via the Borlabs cookie serves to comply with the data protection requirements when using cookies on our website (Art. 6(1) sent. 1 point (c) GDPR). You can prevent cookies from being set at any time by changing the settings in your browser.

You can find more information about the Borlabs cookie at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/. 

E.Data collection when contacting us

Type of data
If you contact us by e-mail or other means of communication, the data you provide in connection with the contacting (in particular e-mail address and name) will be stored by us.

Purpose of Processing
The Personal Data that you provide to us in the context of this inquiry will be stored by us in order to be able to contact you about your request and to answer your inquiry.

Legal grounds
The Processing is carried out with your Consent according to Art. 6(1) sent. 1 point (a) GDPR. 

Furthermore, to the extent that you contact us in connection with an existing contract or a contract that you would like to enter into with us (in particular in the context of initiating a client relationship), the Processing is based on Art. 6(1) point (b) GDPR if you are contacting us regarding a contractual relationship.

Storage duration
Your Personal Data will only be stored for as long as this is necessary. Data that are no longer required for the aforementioned Processing purposes will be erased. To the extent that we are obliged pursuant to Art. 6(1) sent. 1 point (c) GDPR to store your Personal Data for a longer period of time due to retention and documentation obligations under tax and commercial law,̈ these periods will apply.

F.Newsletter Dispatch

Type of data
We offer subscription to our newsletter, with which we inform you about current tax law topics. We use the so-called double opt-in procedure for subscribing to our newsletter. This means that following your registration we will send you an e-mail to the e-mail address provided by you; in this e-mail, we will ask you to confirm that you wish to receive the newsletter.

If you register for our newsletter, the page from which the page was requested (so-called referrer URL), the date and time of the call, the description of the type of web browser used, the IP address, the e-mail address, the date and time of registration and confirmation are collected, stored and processed by us as newsletter data.

Please note that we evaluate your user behaviour when sending the newsletter. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID. The data is solely collected in pseudonymised form, i.e. the IDs are not linked with your other Personal Data, a direct personal reference is excluded.

Purpose of Processing
The newsletter data is processed for the purpose of sending the newsletter. The purpose of the double opt-in procedure described above is to be able to prove your registration and, if necessary, to clarify any possible misuse of your Personal Data.

Legal grounds 
The Processing is carried out with your Consent according to Art. 6(1) sent. 1 point (a) GDPR. You may withdraw your Consent to the sending of the newsletter and unsubscribe the newsletter at any time. Such withdrawal may be declared by clicking on the link provided in each newsletter e-mail or via e-mail to the address stated in A.2.

Storage duration
Your data will be stored for as long as necessary for the stated Processing purpose. Application
Type of data
If you submit an application to us, we collect the following information:

contact information such as first name, last name; e-mail address; address; telephone number (landline and/or mobile) and fax number, if applicable; 
applicant data such as curriculum vitae, if applicable information on marital status, religion, applicant photo 
qualification data such as information regarding education, professional qualifications, academic degrees, certificates, evaluations, previous employment.

Purpose of the Processing
The purpose of Processing the contact data is to contact you after the evaluation of your application and to inform you of our decision on the application. The Processing of applicant and qualification data serves to provide us with a picture of your person and to evaluate your professional and personal suitability for the respective position or a possible alternative field of employment, as well as to be able to prepare the conclusion of an employment agreement, if applicable.  

Legal grounds
The Processing of the contact data is based on the voluntary transmission on your part (§ 26(2) sent. 1 BDSG) and is also necessary for purposes of establishing an employment relationship (§ 26(1) sent. 1 BDSG, Art. 88 GDPR). The Processing of your applicant and qualification data takes place on the basis of your voluntary transmission for the purpose of use in the application process and is also necessary for the assessment of professional and personal suitability for the respective position and thus for the establishment of an employment relationship (§ 26(1) sent. 1 BDSG, Art. 88 GDPR and Art. 6(1) sent. 1 point (a) GDPR, respectively). 

Storage duration
The Personal Data we collect as part of the application process will be stored for as long as this is necessary for the above-mentioned purposes. In the case of rejected applicants, your data will be retained for up to six months. The documents of accepted applicants will be placed in the personnel file.