The person responsible within the meaning of the data protection laws is KOCH Rechtsanwaltsgesellschaft mbH (commercial register of the district court of Düsseldorf, HRB 99050), Dreischeibenhaus 1, 40211 Düsseldorf, which is represented by its managing director, Rechtsanwalt Dr Maximilian Koch.
With this data protection declaration we inform you (in the following text also referred to as "user" or "data subject") in a general way about the data processing in our law firm and in a special way about the data processing in the context of a visit of our website, when contacting us via our Website contact form or contact via e-mail or telephone. We also inform you about our online presence in social media and about your rights with regard to the processing of your data. Conceptually, “data processing” always means the processing of personal data.
1. General information on data processing
1.1 Categories of personal data
We process the following categories of personal data:
- Inventory data (e.g. names, addresses, functions, organizational affiliation, etc.);
- Contact details (e.g. e-mail, telephone/fax numbers, etc.);
- Content data (e.g. text input, image files, videos etc.);
- Usage data (e.g. access data);
- Meta/communication data (e.g. IP addresses).
1.2 Recipients or categories of recipients of personal data
If, as part of our processing, we disclose data to other people and companies such as web hosts, contract processors or third parties, transmit it to them or otherwise grant them access to the data, this is done on the basis of legal permission if the data subjects have consented or if a legal obligation provides for this.
1.3 Duration of storage of personal data
The criterion for the duration of the storage of personal data is the respective statutory retention period. After the deadline, the corresponding data will be deleted if they are no longer required to achieve the purpose, fulfill the contract or initiate a contract.
1.4 Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this happens as part of the use of third-party services or the disclosure or transmission of data to third parties, this will only take place if it is to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. or corresponding data protection levels are met or in compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
2. Data processing when visiting our website
2.1 Log Files
Every time an affected person accesses our website, general data and information is stored in the log files of our system:
- Date and time of retrieval (time stamp);
- Request details and destination address (protocol version, HTTP method, referrer, user agent string);
- Name of the file retrieved and amount of data transferred (requested URL including query string, size in bytes);
- Message whether the retrieval was successful (HTTP status code).
When using these general data and information, we do not draw any conclusions about the data subject. There is no personal evaluation or an evaluation of the data for marketing purposes or profiling. The IP address is not saved in this context.
The legal basis for the temporary storage of the data is Art. 6 para. 1 subs. 1 lit. f GDPR. The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the secure operation of our website. Consequently, there is no possibility of objection on the part of the data subject.
2.2 Malware Detection and Log Data Analysis
We collect log data that arises during the operation of our law firm's communication technology and evaluate this automatically to the extent necessary to identify, isolate or eliminate faults or errors in the communication technology or to ward off attacks on our information technology or to identify and ward off malware.
The legal basis for the temporary storage and evaluation of the data is Art. 6 para. 1 subs. 1 lit. f GDPR.
The storage and evaluation of the data are absolutely necessary for the provision of the website and for its secure operation. Consequently, there is no possibility of objection on the part of the data subject.
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 subs. 1 lit. f GDPR.
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use to operate our website.
In doing so, we or our contract processors process inventory data, contact data, content data, contract data, usage data as well as meta and communication data from users of our website on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 subs. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a contract for order processing).
3. Data processing in connection with establishing contact
3.1 Contacting us by email
You can contact our law firm by email using the email addresses published on our website.
If you use this contact method, the data you transmit (e.g. surname, first name, address), but at least the e-mail address and the information contained in the e-mail together with the personal data you have transmitted, will be used for the purpose of establishing contact and processing your request. In addition, the following data is collected by our system:
- IP address of the calling computer;
- Date and time of the email.
The legal basis for the processing of personal data in the context of e-mails sent to us is Art. 6 para. 1 subs. 1 lit b and lit f GDPR.
3.2 Contacting us via our website contact form
If you use the contact form provided on our website for communication, it is necessary to provide your surname and first name as well as your e-mail address. Without this data, your request sent via the contact form cannot be processed. Providing your address is optional and allows us, if you wish, to process your request by post.
In addition, the following data is collected by our system:
- IP address of the calling computer;
- Date and time of registration.
The legal basis for the processing of personal data in the contact forms sent to us is Art. 6 para. 1 subs. 1 lit. b and lit. GDPR.
3.3 Contact by letter, fax or telephone
If you send us a letter or fax or telephone us, the data you transmit (e.g. surname, first name, address) and the information contained in the letter, fax or telephone call together with the personal data you transmit will be used for the purpose of establishing contact and processing your request.
The legal basis for the processing of personal data in the context of letters and faxes sent to us and telephone calls made with us is Art. 6 para. 1 subs. 1 lit. b and lit. f GDPR.
4. Online social media presence
We maintain online presences in social networks (Brainguide, Xing, LinkedIn, Twitter and Best Lawyers) to inform the users active there about our services and to communicate via the platforms if they are interested. Our social media channels can only be accessed via an external link. As soon as you call up our social media profile in the respective network, the terms and conditions and data processing guidelines of the respective operator apply there.
We have no influence on the collection of the data and its further use by the social networks. There is no knowledge of the extent to which, where and for how long the data is stored, to what extent the networks comply with existing deletion obligations, which evaluations and links are made with the data and to whom the data is passed on. We therefore expressly draw your attention to the fact that your data (e.g. personal information, IP-address) are stored by the operators of the networks in accordance with their data usage guidelines and used for business purposes.
We process data with regard to social media presences insofar as comments or direct messages are sent to us via these, for example. The legal basis for processing the data after the user has given his consent is Art. 6 para. 1 subs. 1 lit. a GDPR.
5. Activities, legal information and office events
We use personal data (name, date of birth, e-mail address, address) to congratulate clients on their birthdays, to inform them about current legal developments, to invite them to law firm events and to send Christmas cards. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.
You can object to the processing of your personal data for these purposes at any time by sending an email to firstname.lastname@example.org or email@example.com. Your data will then no longer be processed for these purposes. It will also be deleted if you have objected to the processing in general or if the purpose of the processing no longer applies and we are not obliged to continue storing it for legal reasons.
6. Your Rights
As the data subject, you have the following rights in connection with the processing of your personal data:
6.1 Right to information in accordance with Art. 15 GDPR
(1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to them is being processed; if this is the case, you have the right to information about this personal data and the following information:
a) the processing purposes;
b) the categories of personal data being processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) if possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;
e) the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;
f) the existence of a right of appeal to a supervisory authority;
g) if the personal data are not collected from the data subject, all available information about the origin of the data;
h) the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
(2) If personal data is transmitted to a third country or to an international organization, the data subject has the right to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
6.2 Right to rectification in accordance with Art. 16 GDPR
The data subject has the right to demand that the person responsible correct incorrect personal data concerning them without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data - also by means of a supplementary declaration.
6.3 Right of deletion in accordance with Art. 17 GDPR
(1) The data subject has the right to demand that the person responsible delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b) The data subject revokes their consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the Processing.
c) The data subject objects to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2 GDPR the processing.
d) The personal data have been processed unlawfully.
e) The deletion of the personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
f) The personal data were collected on services offered by the information society pursuant to Art. 8 para. 1 GDPR.
(2) If the person responsible has made the personal data public and is obliged to delete them in accordance with para. 1 above, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to ensure that those responsible for data processing who use the personal data process, to inform that a data subject has requested them to delete all links to this personal data or copies or replications of this personal data.
(3) Para. 1 and 2 above do not apply if processing is necessary
a) to exercise the right to freedom of expression and information;
b) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;
c) for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1, insofar as the law referred to in para. 1 above is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or
e) to assert, exercise or defend legal claims.
6.4 Right to restriction of processing in accordance with Art. 18 GDPR
(1) The data subject has the right to demand that the person responsible restrict the processing if one of the following conditions is met:
a) the accuracy of the personal data is disputed by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted;
c) the person responsible no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims, or
d) the data subject has lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR, as long as it is not certain whether the legitimate reasons of the person responsible outweigh those of the data subject.
(2) If processing has been restricted in accordance with para. 1 above, this personal data - apart from its storage - may only be used with the consent of the person concerned or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or from reasons of important public interest of the Union or a Member State are processed.
6.5 Right to data portability in accordance with Art. 20 GDPR
(1) The data subject has the right to receive the personal data relating to them that they have provided to a person responsible in a structured, common and machine-readable format, and they have the right to transfer this data to another person responsible without hindrance by the person responsible , to whom the personal data was provided, if
a) processing based on consent pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR based and
b) the processing is carried out using automated procedures.
(2) When exercising their right to data portability in accordance with para. 1 above, the data subject has the right to obtain that the personal data is transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible.
The right under para. 1 above shall not affect the rights and freedoms of other persons.
This right does not apply to processing that is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been assigned to the person responsible.
6.6 Right of objection according to Art. 21 GDPR
The data subject has the right, for reasons arising from their particular situation, to object at any time to the processing of personal data relating to them, which is based on Art. 6 para. 1 lit. e or f GDPR ; this also applies to profiling based on these provisions. The person responsible no longer processes the personal data unless he has compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
In connection with the use of information society services, the data subject may, notwithstanding Directive 2002/58/EC, exercise their right to object by means of automated procedures using technical specifications.
6.7 Right of withdrawal according to Art. 7 para. 3 GDPR
The data subject has the right to revoke their declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.
6.8 Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their place of residence, their place of work or the place of the alleged infringement, if the data subject believes that the processing of personal data concerning them data violates this regulation.