This privacy statement explains the nature, extent and purpose of the processing of personal data (hereinafter simply referred to as “data”) within our online service and the websites, functions and content associated with it as well as in our online presence as, for example, our social media profile (referred to collectively hereinafter as “online services”).
With regard to the terminology used here, such as “personal data” or their “processing”, please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
FLÜGEL PREISSNER SCHOBER SEIDEL Patentanwälte PartG mbB
Nymphenburger Straße 20
80335 München, Deutschland
Register/Nr.: PR 933, AG München
Represented by Christoph D. Schober, Marcus Seidel, Florian Krieg, Nicolaus Preissner
Telephone number: +49 89 5205730
E-mail address: firstname.lastname@example.org
Data protection officer:
FLÜGEL PREISSNER SCHOBER SEIDEL Patentanwälte PartG mbB
Nymphenburger Straße 20
80335 München, Deutschland
Telephone number: +49 89 5205730
E-mail address: email@example.com
Kinds of data processed
☒ Inventory data (e.g. names, addresses)
☒ Contact data (e.g. e-mail addresses, telephone numbers)
☒ Content data (e.g. text entries, photographs, videos)
☒ Contract data (e.g. subject-matter of contract, duration, client category)
☒ Payment data (e.g. bank details, payment record)
☒ Usage data (e.g. websites visited, interest in content, access times)
☒ Meta-/Communication data (e.g. information about devices, IP addresses)
The processing of certain categories of data (Art. 9 (1) GDPR)
☒ The processing of special categories of personal data is prohibited under the regulations unless the user has explicitly consented to this processing, e.g. submitted in online forms.
Categories of people concerned by the processing
☒ Clients / prospective clients / suppliers
☒ Visitors and users of online services
Hereinafter we will describe these people concerned collectively as “user(s)”.
The purpose of processing
☒ To make the online service, with its content and functions, available
☒ To fulfil contractual tasks, perform the service and provide client care and support
☒ To respond to enquiries and communications from users
☒ Marketing, advertising
☒ Security measures
- Relevant legal framework
In accordance with the provisions of Art. 13 GDPR we are to inform you of the legal basis for our data processing. If the legal basis is not mentioned in the privacy statement, the following applies: the legal basis for obtaining the subject’s consent is Art. 6 (1)(a) and Art. 7 GDPR, the legal basis for processing involved in the fulfilment of our service and the performance of contractual measures as well as in responding to enquiries is Art. 6 (1)(b) GDPR, the legal basis for processing in compliance with our legal obligations is Art. 6 (1)(c) GDPR, and the legal basis for processing necessary in pursuit of our own legitimate interests is Art. 6 (1)(f) GDPR. If processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis for this is provided in Art. 6 (1)(d) GDPR.
- Amendment and updating of the privacy statement
You are requested to inform yourself regularly with regard to the content of our privacy statement. The statement will be amended as and when changes in our data processing practices make this necessary. We will inform you as soon as such changes require action on your part in co-operation or participation (e.g. consent) or some other individual information or notification is required.
- Security measures
3.1 In accordance with the provisions of Art. 32 GDPR, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the varying probability and severity of the risk to the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security commensurate with the risk. These measures will include in particular assuring the confidentiality, integrity and availability of data by controlling the physical access to the data as well as authorised access, input, transmission, the securing of availability and its severance. Furthermore, we have set up systems which assure the recognition of the rights of persons concerned, the deletion of data and the appropriate reaction to any threat to the data. In addition, we take the protection of personal data into account already at the development stage in the choice of suitable hardware, software and processes in line with the principle of data protection and by using default settings which are user friendly (Art. 25 GDPR).
3.2 Among the security measures employed is, in particular, the encrypted transmission of data between your browser and our server (SSL encryption).
- Collaboration with contracted processors and third parties
4.1 To the extent to which we disclose data to other people or enterprises (contract processors or third parties), transfer data to them or permit them access to such data, this is only done within the scope of a legal authorisation (e.g. when the transfer of data to a third party, such as a payment service provider, is necessary in accordance with Art. 6 (1)(b) GDPR for the performance of a contract), where you have consented to it, in compliance with the controller’s legal obligations or on the basis of our legitimate interests (e.g. in the appointment of officers, commissioning of web-hosting services, etc.).
4.2 To the extent that we commission third parties with the processing of data on the basis of what is called a “processing contract”, this is carried out in conformity with Art. 28 GDPR.
- Transfers to third countries
To the extent that we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) for processing or this happens within the framework of use of third-party services or disclosure and/or transfer of data to third parties, such transfer is only carried out in the fulfilment of our (pre)contractual duties, on the basis of your consent, to meet a legal obligation or on the basis of our own legitimate interests. Subject to legal or contractual permission, we process or have data processed in third countries only if the special requirements laid down in Art. 44 ff GDPR are fulfilled. That is to say, the processing is performed on the basis of specific guarantees such as the officially recognized establishment of a level of data protection commensurate with EU standards (e.g. the “Privacy Shield” for the USA) or conformity with officially recognized special contractual obligations (known as “standard contractual clauses”).
- Rights of parties concerned
6.1 Under Art. 15 GDPR you are provided with the right to demand confirmation as to whether or not your personal data is being processed and to receive information about these data as well as further information and copies of the data.
6.2 Art. 16 GDPR gives you the right to have incomplete personal data relating to you completed or to require the rectification of personal data relating to you which is inaccurate.
6.3 In accordance with Art. 17 GDPR, you have the right to demand that personal data relating to you be erased without undue delay or alternatively under the provisions of Art. 18 GDPR to require a restriction of the processing of your personal data.
6.4 You have the right pursuant to Art. 20 GDPR to require that personal data relating to you which you have made available to us should be transmitted to another controller.
6.5 You also have the right, under Art. 77 GDPR, to lodge a complaint with the appropriate supervisory authority.
- Right to withdraw consent & right to object
You have the right, pursuant to Art. 7(3) GDPR and with effect for the future, to withdraw your consent at any time. Under the provisions of Art. 21 GDPR, you can object at any time to the future processing of personal data relating to you. The objection can relate in particular to the processing of your data for the purpose of direct advertising. If you wish to exercise your right to withdraw consent or to object to processing, it is sufficient to send an appropriate e-mail to: firstname.lastname@example.org
- Cookies and the right to object to direct advertising
- Erasure of data
9.1 The data that we process are erased or their processing is restricted under the provisions of Art. 17 and Art. 18 GDPR. Unless explicitly stated otherwise in this privacy statement, the personal data that we store will be erased as soon as they cease to be necessary for the purpose envisaged and this erasure does not contravene any legal obligation to retain data. If the data are not erased because they are necessary for other and legally authorised purposes, their processing will be restricted. That is to say, the data will be ‘frozen’ and not processed for other purposes. This applies, for example, to data which have to be retained for commercial or taxation reasons.
9.2 In accordance with the statutory requirements, retention is for six years pursuant to § 257 (1) HGB (German Commercial Code) (accounts and records, inventories, opening balances, annual financial statements, trade letters, accounting receipts, etc.) as well as for ten years pursuant to § 147 (1) AO (Fiscal Code of Germany) (books and records, situation reports, accounting records, trade and business correspondence, tax-relevant documents, etc.).
- Performance of contractual services
10.1 We process inventory data (e.g. names and addresses as well as users’ contact details), contract data (e.g. services used, names of contact partners, payment information) in order to fulfil our contractual duties and in the provision of services in accordance with Art. 6 (1) (b) GDPR. The entries in online forms which are marked as obligatory are necessary for the conclusion of a contract.
10.2 Erasure is carried out after expiry of the statutory warranty and comparable obligations; the necessity to retain data is reviewed every three years; in the case of obligatory archiving duties, erasure takes place after expiry of the corresponding statutory duty (six years for commercial purposes and ten years for taxation purposes); data retained in the client account remains until it is deleted.
- First contact
11.1 When the user first contacts us (by using the contact form or by e-mail), the user’s details are processed in order to handle the enquiry and to respond to it, in accordance with Art. 6 (1)(b) GDPR.
11.2 The user’s details can be stored in our Customer-Relationship-Management System (“CRM System”) or in a comparable enquiries-handling system.
11.3 We delete the enquiries once they are no longer necessary. This necessity is checked every two years; enquiries from clients who have a client account are stored for a longer duration and clients are referred to their client account facilities with regard to deletion. In the case of data covered by the statutory obligation to retain information, deletion takes place after expiry of the statutory period (after six years for commercial purposes, after ten years for taxation purposes).
- Collection of access data and log files
12.1 On the strength of our own legitimate interests pursuant to Art. 6 (1)(f) GDPR, we collect data about every access event related to the server which hosts this online service (in what are called server log files). Access data includes the name of the website visited, the file, the date and time of access, volume of data transferred, record of successful access, browser type and version, the user’s operating system, referrer URL (the site previously visited), IP address and the service provider from which the request came.
12.2 For security reasons (e.g. to investigate abuse or fraudulent activities) logfile information is stored for a maximum of seven days and is subsequently erased. Data which needs to be retained for longer as evidence is not erased until the case in question has been completely clarified and resolved.
- Cookies & reach measurement
13.1 Cookies are information which is transferred from our web server or web servers of third parties to the user’s web browser and are stored there to be called up later. Cookies can be in the form of small files or some other kinds of information storage.
13.3 If users do not wish to have cookies stored on their computer devices, they are requested to deactivate the appropriate options in their browser system settings. Cookies already stored can be erased using the system settings in the browser. The exclusion of cookies can lead to restricted use of functions in the online service available.
- Inclusion of services and content of third-parties
14.1 In pursuit of our legitimate interests (i.e. interest in the analysis, optimisation and economically effective operation of our online service in the sense of Art. 6 (1)(f) GDPR) we make use of content and service offers of third parties in order to incorporate their content and services such as videos or typefaces (referred to here simply as “content”). This always presumes that the third-party providers of this content can access the user’s IP address, since without this IP address the content cannot be transmitted to the user’s browser. Consequently, the IP address is essential for this content to be displayed. We endeavour to use only content whose providers use the IP address solely for the delivery of the content. Third parties can also use what are known as pixel-tags (invisible graphics, also described as “Web Beacons”) for statistical or marketing purposes. By means of these “pixel-tags” it is possible to evaluate information such as the volume of traffic visiting the pages of the website. The pseudonymised information can also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, the referring websites, visiting time as well as other details about use of our online service and may also be linked to such information from other sources.
14.2 The following list offers an overview of third-party providers as well as their content, and links to their privacy statements which contain further details about the processing of data and, as already mentioned in part above, possibilities to object, known as opt-out:
- We employ the function for recognizing bots, e.g. checking input into online forms (“ReCaptcha”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.