This Privacy Notice explains which personal data we process, how we process it and for what purposes. It also contains information on the rights you have with regard to your personal data.

I. Accountability for data processing and data protection officer

The data controller within the meaning of the GDPR for the data processing is

Leo Schmidt-Hollburg Witte & Frank Rechtsanwälte Partnerschaft mbB

Address:           Neuer Wall 80, 20354 Hamburg

Telephone:      +49 (40) 300 85 100

E-Mail:              info@lswf.de

Our data protection officer can be contacted at dsb@lswf.de.

II. Principles of data processing

Below we describe our principles of data processing. For specific information on individual processing activities, see Section V. of this Privacy Notice.

1. Purpose limitation

We process personal data only where this is necessary for the fulfilment of the purpose of the processing of the personal data, e.g. to provide a functional website and/or to perform services.

2. Legal Bases for data processing

Where we obtain the consent of the data subject for processing personal data, the legal basis is Article 6 (1) (a) GDPR.

Where processing is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6 (1) (b) GDPR. This also applies to processing operations required prior to entering into a contract.

Where processing is necessary for compliance with a legal obligation to which we are subject, the legal basis is Article 6 (1) (c) GDPR.

Where processing is necessary to protect the vital interests of the data subject or another natural person, the legal basis is Article 6 (1) (d) GDPR.

Where processing is necessary for the purposes of the legitimate interests of the controller or of a third party, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, the legal basis is Article 6 (1) (f) GDPR.

3. Time limits for erasure and storage period

Personal data will be erased or blocked as soon as the purpose for the storage no longer applies. Storage beyond that time will only occur where required by EU or national law. Data will be blocked or erased when statutory retention periods expire, unless further storage is necessary for the performance of a contract or its fulfilment.

4. Data subject rights

If we process your personal data, you are a data subject and have the following rights vis‑à‑vis the data controller:

4.1 Right to object

Where we process your personal data on the basis of Article 6 (1) (f) GDPR, you have pursuant to Article 21 (1) GDPR the right to object at any time to processing of personal data concerning you for reasons arising from your particular situation. If you object, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

Where we process your personal data for direct marketing purposes, you have pursuant to Article 21 (2) GDPR the right to object at any time to processing of personal data concerning you for such marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for those purposes.

An objection may be made by informal notice by e‑mail to us.

4.2 Withdrawal of consent to data processing

Some processings are only possible with your express consent. You may withdraw any consent given at any time. Withdrawal may be effected by informal notice by e‑mail to us.

The lawfulness of processing carried out on the basis of consent before its withdrawal remains unaffected by the withdrawal.

    4.3 Right to lodge a complaint with the competent supervisory authority

    In the event of breaches of data protection law, the data subject has a right to lodge a complaint with a supervisory authority. The competent supervisory authority in data protection matters is the supervisory authority of the federal state in which our company has its seat, i.e. for us the Hamburg Commissioner for Data Protection and Freedom of Information. Current contact details can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

    4.4 Right to data portability

    You have the right to receive personal data that we process on the basis of your consent or in performance of a contract in a structured, commonly used and machine‑readable format and to transmit those data to another controller. Where you request direct transmission of the data to another controller, this will be done only to the extent technically feasible and reasonable.

    4.5 Right of access, rectification, restriction of processing and erasure

    Within the applicable statutory provisions you have at any time the right to obtain, free of charge, information about the personal data we store about you, their origin and recipients and the purpose of processing, and, if applicable, the right to rectification, restriction of processing or erasure of these data. For this purpose and for further questions concerning personal data you may contact us at the address given under I. above.

    III. Disclosure of personal data to third parties

    We will only disclose your personal data to third parties where this is necessary for one of the purposes set out in this Privacy Notice or where you have previously given your consent. Examples include:

    • where this is necessary for the handling of a mandate or is required by law and while observing legal professional privilege, e.g. for notification of representation, negotiation of contracts, assertion or enforcement of claims, defence against asserted claims or for the translation of documents into another language; this in particular includes disclosure to opposing parties and their representatives (in particular their lawyers), to potential contracting parties and their representatives (in particular their lawyers), to lawyers or tax advisors with whom we cooperate within the mandate, to translation agencies as well as to courts and authorities;
    • to service providers under contractual processing arrangements, in particular for IT services and infrastructure including website maintenance and hosting, IT support and data destruction;
    • to financial institutions, our accountants and, where applicable, lawyers or similar advisors whom we engage;
    • to comply with a statutory obligation;
    • in the event of a court or administrative order, to comply with such order.

    Where we disclose personal data to service providers who act on our behalf and support us in the provision of services as processors, we conclude corresponding contracts in accordance with Article 28 GDPR.

    IV. International data transfer

    Service providers and other recipients may process personal data in third countries if this is necessary for our purposes, in particular where we must transfer such data to recipients in third countries in order to perform a contract or because of legal obligations, or where such transfer is necessary for the establishment, exercise or defence of legal claims. Third countries are countries outside the EU or the EEA. In such cases we ensure an adequate level of data protection to meet the requirements of the GDPR. Where there is no adequacy decision by the European Commission, this is generally ensured by entering into the EU Standard Contractual Clauses of the European Commission.

    V. Specific processing operations

    1. Enabling use of the website

    The provider of our website automatically collects and stores information in so‑called server log files which your browser automatically transmits to us. These are:

    • browser type and browser version
    • operating system used (where technically derivable)
    • referrer URL (if transmitted)
    • date and time of the server request
    • anonymised IP address (the last octet is replaced by “0”)

    These data are not merged with other data sources. The log files serve to ensure the secure and uninterrupted operation of the website.

    The legal basis for processing your personal data is Article 6 (1) (f) GDPR. Storing your personal data in server log files is necessary to protect our legitimate interest in ensuring the uninterrupted operation of our website. This does not override any interests, fundamental rights or freedoms of the affected users.

    The data are automatically deleted after no more than eight weeks. The log files may be accessed by us, but no personal evaluation is carried out.

    The collection and temporary storage of the data contained in the log files is technically necessary for the secure operation of the website. Consequently, there is no possibility for the user to object.

    2. External links on our website

    We do not use social‑media share plugins that automatically transmit information to social‑media service providers when you visit our website.

    Our website contains a link to LinkedIn. This service is provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. If you follow the link, information may be transmitted to LinkedIn. Please refer to LinkedIn’s privacy policy at http://www.linkedin.com/legal/privacy-policy/ for information on the purpose and scope of data collection and the further processing and use of data by LinkedIn as well as your rights and setting options to protect your privacy.

    3. Communication and contact

    We collect your personal data when you provide it to us by contacting us. We may use these personal data to respond to your enquiries or to provide the services you request. We also use the personal data you provide when you participate in campaigns on our social‑media channels or send us enquiries or comments.

    The legal basis is Article 6 (1) (b) GDPR where you enter into or are involved in a contractual relationship with us. Processing your personal data is necessary because otherwise it would not be possible to communicate with you. Where there is no contractual relationship, the legal basis is Article 6 (1) (f) GDPR. The purpose of the processing in such cases is answering your messages or enquiries; in this respect there are no overriding rights or interests of the data subject which would oppose processing by us.

    4. LinkedIn

    We operate a company page on the professional network LinkedIn of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA.

    LinkedIn provides us with statistics and analytics on usage of our LinkedIn page. These statistics do not contain names or other information about individual users. The legal basis for data processing is Article 6 (1) (f) GDPR. Our legitimate interest in the processing is to analyse and improve our activities on LinkedIn.

    We use LinkedIn to communicate with you and to promote our activities. The legal basis for this processing is Article 6 (1) (f) GDPR. For further information please refer to LinkedIn’s privacy policy.

    For processing of personal data on our LinkedIn page we and LinkedIn act as “joint controllers” pursuant to Article 26 GDPR. We have therefore concluded a separate agreement which you can find at https://legal.linkedin.com/pages-joint-controller-addendum. For any further processing of your data LinkedIn is the sole controller. If you wish to exercise your rights to access, erasure, etc. (see section “Rights of the data subject”), LinkedIn is jointly responsible with us for the fulfilment of those rights as part of our joint controllership.

    5. Processing of your personal data for contract initiation or performance

    If you or the company for which you act instructs us, we collect and store your first and last name, address, e‑mail address, telephone and fax numbers and, where applicable, other personal data that are necessary for asserting and defending your rights or the rights of the company for which you act within the scope of the mandate. We collect and store your personal data in order to identify you as a client or as a person acting for our client (e.g. employee or managing director), to provide appropriate legal advice and representation to you or the company for which you act, for correspondence with you, for invoicing, for handling any liability claims and, where applicable, for asserting possible claims against you or the company for which you act.

    If we commission you or the company for which you act to provide services, we process the personal data provided by you or by the company for which you act (in particular first and last name, address, e‑mail address, telephone and fax numbers and bank details) for contract performance, for communication with you (e.g. to arrange a delivery date) and for payment of the services provided.

    The legal basis for processing your personal data is Article 6 (1) (b) GDPR insofar as processing is necessary for the performance of a contract between you and us or to take steps at your request prior to entering into a contract.

    The legal basis for processing your personal data is Article 6 (1) (f) GDPR insofar as processing is necessary in the context of mandates to provide legal advice and representation to our clients, to enable invoicing and, where applicable, to handle liability and other claims related to the mandate.

    The legal basis for processing is Article 6 (1) (c) GDPR where processing of data is required for compliance with a legal obligation to which we are subject. For example, under the provisions of the German Anti‑Money Laundering Act (“Geldwäschegesetz”) we are required under certain circumstances to identify our clients and may therefore require certain information from you (in particular first and last names and residential addresses of the representatives acting for the client, first and last names and residential addresses of the beneficial owners of the client, copies of identity documents of the persons mentioned for the purpose of clear identification).

    The personal data collected by us in the context of a mandate are stored until the expiry of the statutory retention period for lawyers (currently six years after the end of the calendar year in which the mandate was terminated) and are then erased, unless we are obliged under the German Commercial Code (HGB), the Fiscal Code (AO) or other statutory retention and documentation obligations to retain them for a longer period, longer storage is necessary for asserting, exercising or defending legal claims, or you have consented to longer storage.

    6. Processing of your personal data as opposing party to our clients or other third parties within the scope of a mandate

    In cases where we assert claims for our clients against you or the company for which you act, out of court or in court, it may be necessary for us to process your personal data in the course of handling the mandate.

    Also in cases where you or the company for which you act are otherwise involved in a matter in which we act for our client (e.g. as witness, co‑litigant, joined party, business partner, bailiff or employee of a court or authority), it may be necessary for us to process your personal data in the course of handling the mandate.

    The legal basis for the processing is Article 6 (1) (f) GDPR. Processing by us is in particular necessary to enable us to provide legal advice and representation to our clients and, where applicable, to handle liability and other claims related to the mandate. This may include direct contact with you.

    The personal data collected by us in this context are stored until the expiry of the statutory retention period for lawyers (currently six years after the end of the calendar year in which the mandate was terminated) and are then erased, unless we are required under the HGB, the AO or other statutory retention and documentation obligations to retain them for a longer period, longer storage is necessary for asserting, exercising or defending legal claims, or you have consented to longer storage.

    7. Personal communication and publications

    We occasionally send you publications if these may be of relevance to you. We also process your personal data in order to send you current information and, where applicable, invitations to our events.

    The legal basis for processing your data is Article 6 (1) (f) GDPR. The processing serves our legitimate interest in informing our clients and other interested parties about current legal developments and is necessary to protect that legitimate interest; accordingly, there are no overriding rights or interests of the data subject opposing the processing by us.

    You may object to such contact by us at any time without incurring any costs other than transmission costs according to the basic tariffs. Otherwise it is also possible to object to our processing of your personal data for direct marketing purposes at any time and without giving reasons for the future (Article 21 (2) GDPR).

    8. Applicant data

    We process the personal data you provide when you apply to us. This applies regardless of how your application reaches us (e.g. by post, via an applicant portal or by e‑mail). Processing is for the purpose of contacting you and assessing your suitability for the position to which you have applied and, where applicable, for conducting an employment relationship.

    The legal basis for processing personal data in recruitment processes is Article 6 (1) (b) GDPR, Section 26 (1), (8) sentence 2 of the German Federal Data Protection Act (BDSG) or Article 6 (1) (a) GDPR, Section 26 (2), (8) sentence 2 BDSG.

    Applicant data are generally deleted six months after completion of the application procedure, unless (i) your application was successful and your data are transferred to your personnel file, or (ii) you have consented to storage beyond that period.

    9. Internet video telephony

    To hold video consultations and online meetings with you we may, if applicable, send you an invitation by e‑mail or other means to conduct such meetings using software provided by a third party. If you participate in such meetings, information may be transmitted to the respective software provider.

    The legal basis for processing your personal data in this context is Article 6 (1) (b) GDPR (where the meeting is held for the purpose of performing a contractual relationship with you) or Article 6 (1) (f) GDPR (where the meeting serves other business purposes); our legitimate interest in the processing in the latter case lies in the use of functional and widespread tools in order to communicate with you efficiently.

    We use Microsoft Teams for video meetings. The provider of Microsoft Teams is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052‑6399, USA (“Microsoft”). Microsoft processes on our behalf personal data of the participants, in particular the IP address, the content of the conversation, e‑mail addresses, names and, where applicable, other service‑related data, and stores these for the duration of the video conference. If you use Microsoft Teams beyond the duration of the video meeting, Microsoft stores the data for the duration of your use. Microsoft has been contractually engaged by us as a processor and obliged to comply with data protection. Microsoft may process the data outside the European Economic Area. To ensure an adequate level of data protection in accordance with the GDPR, we have agreed with Microsoft the EU Standard Contractual Clauses pursuant to Commission Decision (2010/87/EU). Further information on Microsoft’s processing can be found at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.