Information on Data Protection
Pursuant to Articles 13 and 14 GDPR
We at Kapellmann und Partner Rechtsanwälte mbB place a particularly high value on the protection and confidentiality of your data. It goes without saying that we will treat your personal data responsibly. We will only process your data in accordance with the applicable data protection regulations, in particular the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG).
We would like to use this privacy statement to inform you about the processing of your personal data in connection with the use of our online services and to explain your rights under data protection law as a “data subject”.
Our privacy statement is updated regularly in accordance with legal and technical requirements. Please always refer to the most recent version of our privacy statement
Contents
1 Scope of application and definitions
This privacy statement shall apply to the processing of data that occurs when you visit and use the website www.kapellmann.de, including all sub-pages as well as our online presence elsewhere, e.g. on social media websites (below, together, our “Online Services”).
This privacy statement shall not apply to websites or online services provided by other providers to which you might be directed by a corresponding link. These other providers are each responsible for the processing of personal data on the use of their own websites. We recommend that you refer to the data protection notices on the websites of such other providers.
Under Article 4(1) GDPR, personal data includes all information relating to an identified or identifiable natural person (a “data subject”). This includes e.g. personal details such as name, address, email address and telephone number, but also content data, e.g. messages that you send us by email or information about your activity on our website (e.g. pages viewed), to the extent that they can be assigned to you, e.g. by means of an IP address or device-specific data. With respect to other definitions used (e.g. “processing” or “controller”), please refer to the definitions set out in Article 4 GDPR.
2 Controller as defined in the GDPR
The “Controller“ as defined in Article 4(7) GDPR:
Kapellmann und Partner Rechtsanwälte mbB (below: “Kapellmann“)
Viersener Straße 16
D-41061 Mönchengladbach
Email: mg[@]kapellmann.de
Telephone: +49 (0)2161 811-8
Fax: +49 (0)2161 811-777
3 Contact details of the Data Protection Officer
You can reach the company Data Protection Officer at Kapellmann at datenschutz[@]kapellmann.de or by using the postal address set out above, marked for the attention of the Data Protection Officer.
4 Data processing on use of our website
When you use our website, we process your personal data for different purposes, depending on the types of application, services and contact options available on our website (the “Online Services“).
4.1 Visiting our website | Logfiles
Scope and purpose of processing: if our website is used for purely information purposes, i.e. on a simple access to the site www.kapellmann.de, information is sent, automatically and without any action on your part, by the browser used on your terminal to the server of our website. This is necessary to guarantee the establishment of a smooth connection with our internet site, the user-friendly provision and convenient use of our Online Services, as well as to ensure, assess and improve system security and stability (e.g. risk prevention and support in the event of connection issues). The information collected is temporarily stored in our system in logfiles for the duration of the session.
The following information is collected and stored until deleted automatically:
- Browser type and browser version
- Operating system used
- Internet service provider
- IP address of the computer requesting access
- Date and time of the server request
- Place and country in which the server request was made
- Time zone difference with Greenwich Mean Time (GMT)
- Website from which access to our website was initiated (referrer URL)
- Websites that were accessed by your system through our website
- Data volume transferred
This information is only processed for the stated purposes. There is no further analysis of these usage data.
The legal basis for this processing of data is Art. 6 (1)(f) GDPR, which gives rise to our legitimate interest from the stated purposes. Under the provisions of Art. 21 GDPR, you have a right to object to this processing of your data (see section 13).
Storage period: The information will be saved for up to 30 days for security reasons (e.g. to obtain information on misuse or attacks on our web server). After this period it will be deleted.
Recipient: Our website is hosted by an external service provider (M. Balluff EDV-Dienstleistungen, Erfurter Str. 21, 44577 Castrop-Rauxel), who may, where appropriate, need to access the data specified above in the course of order processing in order to perform hosting and support services.
Obligation to provide data: The provision of the information set out above is not required by law or by contract. However, without this information the functionality of our website cannot be completely guaranteed.
You will find further details about the cookies as well as analysis and marketing technologies used on our website in the following sections.
4.2 Cookies
Scope of the processing: Our website uses cookies. Cookies are small text files that are saved on your web browser or the web browser on your computer system or terminal when you visit the website and are held ready for later retrieval. Some cookies contain a characteristic character sequence that enable a clear identification of the browser on a subsequent access to the website. Cookies save various pieces of information, such as your language settings, the time you spend on our website, the information you put in there and other information on your use of our website.
We make the following distinctions:
- Session cookies: These are temporary cookies that save a “session ID“ in the Internet browser of the user, under which the various requests made by your browser during the whole session can be filed. They may be used to recognise your computer (e.g. by saving your personal setting such as text size, font, language or login details). The use of these cookies makes the use of our website possible and allows it to be designed more conveniently for you. Session cookies are deleted as soon as you close your browser or end the session.
- Persistent cookies: These are permanent cookies that are used for repeated visits and saved in the browser of the user for a pre-defined period of time. A persistent cookie makes it possible to recognise your browser on your next visit to our website. The purpose of these cookies is to record the use of our website statistically and to optimise our online services in order to be able to offer you an improved user experience. These cookies are deleted automatically after a given period, which will depend on the cookie.
Type and purpose of cookies: cookies may also be divided into the following types, according to purpose:
- Strictly necessary cookies: These are cookies that are necessary for technical reasons, i.e. they are essential to enable the use of a website and its basic features (e.g. website navigation) as well as access to secure areas of the website. These cookies also save data that have been entered and choices that have been made by the user (e.g. language options, cookie banner settings). Without these cookies the website will either not work at all or will not work properly.
- Performance cookies: These cookies make it possible to analyse data traffic, user behaviour and the technical functionality of the website (and may also be called analysis or tracking cookies). They can, for example, be used to understand which areas of a website a user visits the most, how users interact with the website and whether any error messages appear on these sites. Performance cookies serve to improve the quality and technical optimisation of the website, in order to achieve a higher level of user convenience.
- Functional cookies: Where any external contents e.g. video or social media platforms are linked to a website (e.g. YouTube or Vimeo, Instagram, etc.), performance and marketing cookies are typically used by the providers of these platforms, provided the user gives their consent.
- Marketing cookies: The purpose of these cookies is to record the activities of a user over multiple websites in order to analyse the interests of the user and present them with tailored advertising. For example, if the user visits another website, then selected advertisements for relevant products or services can be shown to the user using the information saved in the marketing cookie.
Our website only uses technically necessary cookies, performance cookies and – to the extent that there are links to external contents – functional cookies. The performance and functional cookies used are third-party cookies. These are cookies that are put in place not by us but by third-party providers whose tools we use on our website. Further information on the performance and analysis tools we use and any integrated contents can be found below.
Cookies used on this website: the following link will take you to the Cookie Consent Management Tool (the ”cookie banner“). By clicking on “settings“ there you will be able to see exactly which cookies are used on this website and select individual settings:
Legal basis: Necessary cookies are required for the protection of our legitimate interest in the proper operation of the website and in order to provide basic functionality in accordance with Article 6(1)(f) GDPR. We also only use cookies if you have provided your express consent through the cookie banner. In this event the legal basis is Article 6(1)(a) GDPR.
Duration: You can find information about the duration and validity period of the relevant cookies through the cookie banner using the link below (go to “settings” -> ”cookies“):
Cancellation and amendment of cookies settings: You can change the cookie settings at any time using the cookie banner and cancel any consent that you have previously provided. You can visit the cookie banner at any time under “cookie settings” at the foot of every page of the website or by using the following link:
Furthermore, you can use the settings on your browser to delete cookies that have already been saved on your terminal. If you would like to prevent the use of cookies across the board, you can decline the acceptance of cookies in your browser or only accept certain cookies. To understand how this works in detail, please follow the guidance provided by your browser manufacturer:
Mozilla Firefox
Microsoft Internet Explorer
Google Chrome
Apple Safari
Obligation to provide data: The provision of the information set out above is not required by law or by contract. However, without the use of necessary cookies, the functionality of our website cannot be completely guaranteed.
4.3 Google Analytics
On our website we use Google Analytics, a web analysis service provided by Google Ireland Limited, based at Gordon House, Barrow Street, Dublin 4, Ireland (”Google“).
Scope of processing: Google Analytics uses performance cookies on your terminal (see section 4.2), and these make it possible to evaluate your use of our website. Google uses cookies placed in your terminal to collect device-specific information in order to clearly identify your browser (browser type/version, operating system used, IP address) as well as usage information, that is, information concerning when and how often you have visited our website, how long you spent there and how you interacted with our website (you can find more information here).
The data identified with the help of cookies are generally transferred to a Google server in the US and saved there. IP anonymisation “_anonymizeIp()“ is activated on our website, so that the IP addresses of users of Google are usually anonymised before leaving the EU Member States or parties to the Agreement on the European Economic Area (EEA) and before transfer to the US. The full IP address is only transferred to a Google server in the US and anonymised there is exceptional cases. Please note, therefore, that data processing in the context of Google Analytics can in certain circumstances take place outside the area where EU law applies.
Purpose of processing: The use of Google Analytics by us or by Google on our behalf is to enable the analysis of the use of our website so that it may be designed according to user requirements and continually improved. Google uses the data recovered through Google Analytics on our behalf to evaluate the use of our website, to put together reports on website activity and to perform further services in connection with the use of the website and the use of the Internet. Using the statistics provided by Google, we can improve the services we offer and make our website more interesting for you as a user. The IP address transferred by your browser through Google Analytics is not mixed with the other data from Google.
It should be noted that Google also uses the user data obtained through cookies for its own purposes (particularly marketing and advertising purposes). We have no influence on this and only Google is responsible under data protection law in this respect. You can find further information here as well as in the Google privacy statement.
Legal basis: We only use Google Analytics if you have given your express agreement to the use of performance cookies through our cookie banner. In this event the legal basis for such use is set out at Article 6(1)(a) GDPR.
Storage period: Information obtained through Google Analytics can be stored for up to 26 months. Data that have reached the end of their storage period are deleted automatically once a month. You can find information on the functional life of individual cookies through the cookie banner using the following link (go to “settings” -> ”cookies“):
Recipient: The recipient of the data collected using cookies is Google Ireland Limited, based at Gordon House, Barrow Street, Dublin 4, Ireland. To the extent that personal data are transferred to Google servers in the US and stored there, the recipient is the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If data are transferred to the US, compliance with data protection standards and your right to information held by Google is ensured by appropriate guarantees (e.g. data protection provisions).
Cancellation and deactivation: You can withdraw the consent you have given to the use of Google Analytics at any time by deactivating the use of performance cookies through the cookie banner. You can visit the cookie banner at any time using the following:
You can also prevent the recording of data relating to your use of the website, collected through cookies (incl. your IP address) as well as the processing of such data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de). Opt-out cookies prevent the future recording of your data when visiting this website.
Furthermore, you can prevent the installation of cookies across the board using the appropriate settings in our browser software and delete cookies that have been installed at any time (see section 4.2).
Obligation to provide data: The provision of your data is purely optional. You can, in principle, also use our website without web tracking and cookies.
4.4 Kapellmann Online Mediation | Kapellmann Sofort Expertise
Scope and purpose of processing: When you use our online services “Kapellmann Online Mediation“ and “Kapellmann Sofort Expertise“, personal data that we need to fulfil our contract are collected and processed. This includes in particular the name and contact details of the contact person, company description and address, order details (e.g. project description, client, details of advice to be provided). We process this information to fulfil any contract we have entered with you and to communicate with you about it.
Legal basis: The data processing is carried out to fulfil a contract in accordance with Article 6(1)(b) GDPR. If the party to the contract is not you but your employer or your customer, then the processing of your data takes place in the context of your use of our Online Services on the basis of Article 6(1)(f) GDPR. Our legitimate interest arises from the necessity of processing this data for the purpose of contract fulfilment and implementation, and this includes communication with a contact person from each contract party.
Duration of storage: Following the end of the mandate, the data are deleted, provided they do not need to be retained to comply with professional or other statutory retention obligations (e.g. under s. 147 of the Tax Code, Abgabenordnung or AO, s. 257 of the German Commercial Code, Handelsgesetzbuch or HGB). It should be noted that under s.50 para. 1 sentence 1 of the Federal Lawyers‘ Act (Bundesrechtsanwaltsordnung or BRAO) reference files must be kept for six years following the end of a case.
Recipient: Your data will only be transmitted if this is necessary for the fulfilment of your request or contract.
Obligation to provide data: Your data must be provided so that we can fulfil our contract. It is not possible for you to use these Online Services or for us to communicate with you about them if you do not provide these data.
4.5 Newsletter | Preference Center
Scope and purpose of processing: On our website we offer you the possibility of subscribing to our Kapellmann newsletter using an application form (see ”Preference Centre“) or by sending an email to newsletter@kapellmann.de. Through our newsletter we will keep you informed about current legal developments and issues (e.g. recent court decisions, changes to legislation), specialist articles, news from our practice and planned events (e.g. seminars, online seminars, workshops, practice-wide events).
In order to receive your own copy of the newsletter we need at least your title, your name and your email address. You are welcome to provide further personal information when you subscribe (e.g. company, position, post code). We will only use these further details to help us to send out the most appropriate material (e.g. when arranging an event, we might limit the invitees to those in a particular region by reference to their postcodes). You also have the option of specifying issue and sector preferences, so that we only sent you contents tailored to your interests. Your data will only be processed for the distribution of the Kapellmann newsletter, including event invitations. This includes the storage and administration of your data as well as your newsletter preferences in our CRM system or a similar contact management system.
Subscription to our newsletter takes place through a double opt-in process. This means that you expressly consent to receive our newsletter, and then following your application, we send you a confirmation email containing an activation link to the email address provided. Your confirmation is necessary so that people cannot subscribe using email addresses that are not their own. Subscriptions to the newsletter are recorded so that we can prove that the application process fulfils any legal requirements and to allow us to investigate any potential misuse of your personal data. This includes a record of the time of subscription and confirmation. If you do not confirm your subscription within 30 days, your information will be deleted.
Legal basis: The dispatch of the Kapellmann newsletter and the processing of your data that is required to enable it are carried out on the basis of the consent that you have freely provided. The legal basis for this is Article 6(1)(a) GDPR.
Right of revocation: You can unsubscribe from the newsletter at any time and at no cost and withdraw your consent. You can unsubscribe by clicking on the relevant link that is included in every newsletter or by sending an email to: newsletter@kapellmann.de. The legality of processing your data on the grounds of your consent, until such consent is withdrawn, is unaffected by its withdrawal.
Following the withdrawal of your consent, the data collected for the purpose of sending the newsletter will be deleted except for your email address, which will be added to a blocklist to ensure that the withdrawal of your consent is taken into account and no further newsletters are sent to you. The legal basis for this is Article 21(3), Article 17(3)(b) and Article 6(1)(f) GDPR.
Storage period: We will store your personal details and newsletter preferences for the duration of your subscription, that is until you unsubscribe from the newsletter or withdraw your consent. We will continue to store your email address – even after you unsubscribe or withdraw your consent – in a blocklist for as long as is required to implement your withdrawal of consent or until you request the complete deletion of your data.
Recipient: The dispatch of our newsletter is carried out on our behalf by the mailing services of Episerver GmbH, Wallstraße 16, 10179 Berlin, and your data will be transferred to them to enable the order processing.
Obligation to provide data: Your personal data are provided on the basis of your consent, which is freely given. Without such consent we are unfortunately unable to send you our newsletter.
4.6 Social Media Share Buttons
On our website we offer you the opportunity to use “share buttons“ to share individual news stories (e.g. about our events or articles) using the social media platforms of Facebook, Instagram, Xing, LinkedIn or Twitter.
We deliberately do not use the plugins offered by these services, instead using our own links developed especially for our website. Thus, no user data are transferred to the server of the social media provider simply from a visit to our website. A connection is only made between your browser and the server of the relevant social media service when you click on one of the social media buttons on our website and are taken to the website of this service. We do not retain any personal data on our website through these buttons, nor do we send any data on to the social media providers.
It is the responsibility of each provider to ensure that the operation of these social media services conforms with data protection regulations. Please see their individual data protection statements for further information:
- LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA): http://www.linkedin.com/legal/privacy-policy
- Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg): https://privacy.xing.com/de
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland): https://de-de.facebook.com/policy.php
- Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland): https://de-de.facebook.com/help/instagram/155833707900388
- Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland): https://twitter.com/privacy?lang=de#update
4.7 Vimeo | YouTube Videos
We provide links on our website to videos that are saved on external platforms (Vimeo, YouTube) and can be viewed directly from our website.
Scope and purpose of processing: By providing links to Vimeo and YouTube videos we make it possible for you to watch these videos easily and conveniently, directly from our website. YouTube videos are embedded using an “extended data protection mode“ and Vimeo videos using a “do not track“ mode. According to the providers, none of your personal data will be transferred to the relevant provider simply as a result of your visiting our website, and no user profile will be created, unless you play the video. In addition, the visual display of these videos on our website is usually disabled by default. This means that when you simply visit the website on which a video is embedded, no cookies from the provider of that video will be used and no data about you as a user will be transferred to that provider. Only after you consciously click on the “play“ button will the video be downloaded and a connection with the server of the corresponding third party provider be established. Only at this point will it become possible for the relevant provider to collect user data – as described below – using cookies.
By clicking on the “play“ button, you consent to the data processing by the third party provider that this will trigger:
After enabling this function by clicking on the “play“ button, the videos are downloaded to our website and the relevant third party provider receives the URL of the website that has just been downloaded, the IP address of the terminal that you used and where appropriate further device-specific information (e.g. browser type). It also becomes possible for the relevant third party provider to set cookies that collect – together with the information already provided – information about the activities of the user on our website and transfer this to the relevant third party provider. These data are typically used by the provider to record video statistics, to prevent misuse and to create user profiles for market research and advertising purposes (e.g. to include personalised advertising) as well as for the user-oriented design of their website. Unfortunately, we have no control over this. This is the case, whether you have a membership account with the relevant provider or not. If you have a membership account, and have used it to log in, then your data can also be directly assigned to your account by the relevant provider (e.g. which videos you view). You can prevent this before playing a video or accepting cookies by cancelling your membership account. After a Vimeo or YouTube video has been played, further data processing operations can be triggered on the part of the third party provider, of which we have no exact knowledge and over which we have no control. This can also lead to personal data being transferred to other countries.
You can find further information on the purpose and scope of the data collection and processing carried out by the relevant provider as well as your rights and the settings options required to protect your privacy in the data protection statements of the relevant provider:
- Vimeo: You can find information about data protection by Vimeo in the data protection statement released by Vimeo.
- YouTube: You can find information about data protection by YouTube in the data protection statement released by Google.
Legal basis: Your data will only be transferred to the relevant provider if, by clicking on the “play” button and playing a Vimeo or YouTube video, you give us your consent in accordance with Article 6(1)(a) GDPR. To find out the legal basis for the processing of your data by the relevant provider, please refer to the data protection statement of the relevant provider (see above).
Storage period: You can find specific information about the functional duration of the relevant cookies at any time through the cookie banner by clicking on the following link:
Recipient: The recipients of your data are the relevant providers of these services:
- Vimeo: Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA. If data are transferred to the US, compliance with data protection standards and your right to information held by Vimeo is ensured by appropriate guarantees (e.g. data protection provisions). Information on the data protection provided by Vimeo can be found in the data protection statement provided by Vimeo.
- YouTube: Within the European Union, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google“) is the provider of this service responsible for data protection. If personal data are transferred to Google servers in the US and saved there, the recipient is often also the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If data are transferred to the US, compliance with data protection standards and your right to information held by Google is ensured by appropriate guarantees (e.g. data protection provisions). Information on the data protection provided by YouTube can be found in the data protection statement provided by Google.
Revocation and deactivation: You can prevent the transfer of information to Google at any time by simply not playing the videos embedded in our website [and refusing to accept functional cookies through the cookie banner]. You can withdraw your consent to the use of cookies by Google at any time by deactivating the use of functional cookies through the cookie banner. You can view the cookie banner at any time using the following link:
Obligation to provide data: You provide your own data of your own free will. You can, in principle, also use our website without Vimeo and YouTube. Please note, however, that you will then not be able to use all the functions of the website and in particular, you will be unable to play any videos.
4.8 Google Maps
To help us to describe the directions to our various offices, we have made various map sections available that are linked to the route planner within “Google Maps“, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (”Google“) on our website. This makes it possible for you to use the map and route planning functions of Google Maps.
We deliberately do not use the plugin offered by Google, instead using a simple link to the websites of Google Maps. Thus, no user data are transferred to the server of Google simply from a visit to our website. A connection is only made between your browser and the server of Google when you click on the map or the link “calculate route using Google Maps” and are taken to the subpage https://www.google.com/maps/. Please note that further data processing operations can be triggered on the part of Google, which are outside our control. Google alone is responsible for data protection if this occurs. Further information on the purpose and scope of data processing by Google can be found in the Google privacy notice. There you will also find further information on your rights in this area and the settings you can use to protect your privacy.
4.9 Christmas campaign “HOPEFUL“
Scope and purpose of processing: If you take part in our Christmas campaign “HOPEFUL“ and click on the link we have provided, you will be taken to a subpage of www.kapellmann.de, on which you can build a virtual house. When you visit the subpage, a user ID (= hash string) is generated and saved for the relevant user by means of a specially developed cookie. This serves to confirm whether a user has already taken part in the Christmas campaign, in order to prevent multiple clicks as well as any potential misuse.
The following information is collected by means of the cookie for the creation of the user ID:
- System language
- Depth of colour of the monitor
- Size of the computer
- Pixel density of the monitor
- Screen resolution
- Time zone
- CPU type
- Type of system (Mac or Windows etc.)
The information will be processed only for the purposes described above. These usage data are not analysed.
The legal basis for this data processing is Article 6(1)(f) GDPR, under which our legitimate interest arises from the stated purpose. You have a right of objection against this processing of your data under the provisions of Article 21 GDPR (see section 13).
Storage period: The information will be stored until the end of the Christmas campaign. After this, it will be deleted.
Recipient: Our website is hosted by an external service provider (M. Balluff EDV-Dienstleistungen, Erfurter Str. 21, 44577 Castrop-Rauxel) who may, where appropriate, need to access the data specified above in the course of order processing in order to perform hosting and support services. The data are not transferred to third parties.
Obligation to provide data: The information described above need only be provided if you take part in our Christmas campaign.
5 Data processing on contact by email or telephone
Scope and purpose of processing: If you wish to receive information about us and the services we provide or would like to contact us for some other reason, you can contact us at any time by email or by telephone. From time to time we will also post information on our website about the possibility of ordering brochures and other material on subjects relating to legal and business practice by email. If you contact us, we will process the information you provide for the purpose of answering your question, processing your request, and being able to carry out any subsequent communication with you. For this purpose we generally – depending on the request – require your first and last names, your email address and where appropriate further contact details and information about the company or organisation to which you belong as well as information relating to your request. We will obtain this information directly from you when you contact us.
The legal basis for this data processing is Article 6(1)(f) GDPR. We have a legitimate interest in enabling smooth communication with you and in complying with your request to your satisfaction. If you do not wish us to process your data within the scope described above, you can use your right of objection under the provisions of Article 21 GDPR (see section 13). If we are in a contractual relationship with you or if the contact is made in order to initiate a contractual relationship, then the processing is made on the basis of Article 6(1)(b) GDPR.
Storage period: Data that we collect in connection with a contact inquiry that you have submitted, will be deleted as soon as your request has been fully completed and no further communication is required or desired by you. If your contact request leads to the initiation of a business transaction or a contractual relationship, then these data are generally stored until the contractual relationship has come to an end. It may be necessary to store data for longer periods if there are statutory storage requirements (e.g. under s. 147 of the Tax Code, Abgabenordnung or AO, s. 257 of the German Commercial Code, Handelsgesetzbuch or HGB). The data will then be stored for the duration of the statutory storage period.
Recipient: Your data will not be transferred to any third party unless this is required to process your request.
Obligation to provide data: It is necessary for you to provide your data so that we can process your request and carry out any subsequent communication with you. If you do not provide these data, it will unfortunately not be possible.
6 Events
6.1 Registration
Scope and purpose of processing: On our website we offer you the possibility of registering for events or other meetings (e.g. events organised by the Kapellmann Academy, online seminars, events organised by partners we regularly collaborate with) through a registration form. In order to process your registration and to hold the events we generally need at least the following data from participants: first name and last name, position, company affiliation, email address, telephone number (optional) as well as – for events that are subject to a charge – billing data (e.g. billing address, payment details). These data are used exclusively for the following purposes:
- Contract performance and completion including contract management, documentation and billing,
- Communication with the participant or contact person in order to perform the contract,
- Organisation of the event and participant management (sending out organisational details about the running or any potential cancellation/postponement of the event, programme details and event documentation, creation of name badges and participant lists, implementing accreditations, issuing attendance certificates, support during the event) as well as
- Where appropriate, for the assertion, exercise or defence of any related reciprocal legal claims.
Where we organise events in collaboration with other parties, we reserve the right to share any participant lists containing names, titles, companies and positions with such parties.
Legal basis: If the processing of your data is necessary for the fulfilment of a contract with you or for the initiation of a contractual relationship, it will be based on Article 6(1)(b) GDPR. If you take part in an event but the contracting party is not you but your employer or customer, then the processing of your data will be carried out when you register for the event on the basis of Article 6(1)(f) GDPR. Our legitimate interest arises from the necessity of processing these data so that the relevant contract may be fulfilled or so that the relevant event may be organised or held.
The potential onward transfer of participant lists to parties with whom events are jointly organised is made on the bases of Article 6(1)(f) GDPR. If the event is a joint event, then the other host organisation has a legitimate interest in finding out which participants are attending the joint event. If you do not wish your data to be transferred in this manner, you can use your right of objection under the provisions of Article 21 GDPR (see section 13). If you intend to do so, please let us know at the latest 14 days prior to the event.
Storage period: Your data will generally be stored until the complete fulfilment of the contract, that is until the end of the event and until all mutual claims have been settled. Furthermore, we will store all information relating to contractual relationships in accordance with statutory storage requirements, in particular under commercial law and tax law, for the duration of the legal time limits (generally 6 or – particularly with bookkeeping documents – 10 years from conclusion of contract, ss. 257 para.4 HGB and 147 para.3 AO).
Recipient: Your data are generally only transferred to third parties if this is necessary for the fulfilment of contractual or statutory obligations (e.g. to a tax advisor). Where we hold an event jointly with another party, we will share the participant lists (name, title, company, position) with our co-host.
Obligation to provide data: Where there is a contract relating to event participation, we need the data described above to fulfil the contract and hold the event. If you do not make the necessary information available to us, this will prevent your participation in the event.
For participation in online seminars, please also see our Advice on video conferences | Online seminars under section 7.
6.2 Event photos / Visual recording
Scope and purpose of processing: We reserve the right to take photos and make video recordings during events. In general, we will only take large group or whole room shots. If, on occasion, photographs and video recordings of individual participants or smaller groups are taken, this is only done with the agreement of the relevant participants.
The images and recordings made will be used for the internal and external documentation of the event as well as to provide reports, for public relations and to advertise subsequent events. This means that selected images may be published on our website (in particular in the photo gallery), on our social media channels (LinkedIn, Xing, Instagram) and where appropriate in printed products (e.g. brochures) and possibly used in a promotional film.
If we organise events jointly with another party, then we reserve the right to share images and recordings with our co-host, who may also use the images for their own marketing purposes, that is, for publication on their own website, on their own social media channels and where appropriate in brochures.
The Legal basis for the production and publication of group shots and the associated processing of your data is Article 6(1)(f) GDPR. We have a legitimate interest in the documentation and reporting of events for marketing purposes. If you agree to the recording and publication of individual/small group shots, then the legal basis for your explicit and voluntary approval is Article 6(1)(a) GDPR, and we will seek to obtain it from you separately, where possible, verbally at the time of the event.
Storage period: The published images will be used for as long as is required to fulfil the purposes set out above or until you object to any further use of large group or whole room shots or until you withdraw your consent to the use of individual/small group shots (please see note below).
Recipient: If the images are published on the website, on social media channels or in brochures, they will be accessible to the general public and the relevant social media provider. Please note that any information, including images, that is published on our website or on social media channels can be readily copied and further distributed; unfortunately we have no control over this.
Important information regarding the right of objection: Under Article 21 GDPR, you have a right to object to the production and publication of group shots and whole-room or panoramic shots in which you can be recognised (see section 13).
If you do not agree to the production of images in which you appear and their publication, you can let us know at any time prior to the beginning of the event. If this is the case, please notify a member of staff in the reception team at the event venue, prior the beginning of the event (e.g. when you collect your name badge). In general you will then be shown to special seats that are outside the range of the cameras, or some other means will be used to ensure that no images are made in which you appear. If you have not made your desire not to be included in visual recordings clear prior to the beginning of the event, then it is possible that large group and perspective shots in which you can be recognised may be published, as described above.
Following the event, please send your objection – if possible, together with the image from which you would like to be removed or obliterated – by email to marketing@kapellmann.de or by post to the address of Kapellmann set out at section 2.
Important information regarding the right of objection to individual/small group shots: If you have already given us your consent to the production of individual/small group shots, you can of course revoke this at any time in writing, with reference to the image from which you wish to be removed. Please send your revocation of consent by email to marketing@kapellmann.de by post to the address of Kapellmann set out at section 2.
Please be aware that it is not possible to remove anything from images in printed products following their publication. It will only be possible to take your objection/revocation of consent into account in a subsequent edition.
7 Video conferences| Online seminars
To hold video conferences, online seminars and other online meetings (“Online Meetings“) we use a conference solution system provided by Cisco International Limited based at 9 New Square, Bedfont Lakes, Feltham, Middlesex, TW14 8HA, UK (”Cisco“), which is delivered to us via Deutsche Telekom GmbH (”Telekom“). Use of the conference and online seminar solution (below: “Webex“) is made on the basis of an order processing contract entered with Telekom. Telekom uses the company Cisco as a subcontractor. The data produced by the use of Webex are therefore saved on servers in the EU.
Below we set out some information about the processing of personal data in connection with the use of Webex.
Type and scope of processing resulting from participation in Online Meetings: When you use Webex various types of participant data are processed. The type and scope of data processed will depend on the type of Online Meeting, what information you provide and which Webex functions you use when you participate.
The following data are usually processed:
- Registration information: first and last names; company name; email address; activation code; conference code; where appropriate, username and password unless ”single sign on“ is used; organisation ID; ”universal unique identifier“
- Configuration and communication data: device name; geodata; IP address; ”user agent identifier“; operating system type and version; client version; endpoint MAC addresses; time zone; domain name; activity protocol; hardware type
- If you dial in using a telephone: information about incoming and outgoing telephone number: country name; start and finish time; where necessary, further connection data such as IP address of device
- Meeting or conference information: title; description; date; time; duration; number of meetings; number of participants; host name; screen resolution; dial-up method; diagnostic information
- Shared screen contents, presentation material and other documents used as part of the conference
- Where appropriate, text, audio and video data: data about the camera and microphone in your terminal that are used to display video and play back audio during the meeting; text entries where the chat, question or survey function is used
- Where the meeting is recorded (with the consent of the participant): MP4 data from all video, audio and presentation recordings, text data from the online meeting chat
- Other data that are provided voluntarily in connection with the Online Meeting
Please be aware that you can turn off the camera and mute the microphone at any time by yourself through the Webex application.
Other data processed as a result of participation in an online seminar: If you take part in an online seminar, you need to provide your title, your first and last names, your company name and your email address when you register. Following successful registration, we will send you login details and a link to participate in the event to the email address you have provided.
When you take part in an online seminar, the configuration and communication data set out above will automatically be collected and processed through Webex. Text, audio and video data will only be processed if you have turned on your microphone and your camera and/or use the chat, question or survey functions.
The names of the participants are generally only visible to us as hosts and, where appropriate, to the speakers and moderators of the online seminar, but are not visible to the other participants. The same is true for the use of the chat, question and survey functions. However, if you turn on your camera or your microphone – for example, to ask a question or to make a contribution – then the other participants will be able to see and/or hear you. If you would prefer to avoid this, then you are welcome to use the chat function for questions or comments.
Purpose of processing: The data described above are, in principle, only processed in order to set up and hold video conferences, online seminars and other Online Meetings, and to enable your smooth and effective participation in them, through the web service “Webex”, including the use of its functions.
Text data from chat histories are only saved if and to the extent that these are necessary to record the results of an Online Meeting or to follow up from an online seminar. In all other cases, chat histories are not saved; they are only visible during the Online Meeting and are no longer available when it is finished.
Recording of online seminars and meetings: In some cases we may decide to record an online seminar, so that we can subsequently make the recording permanently available to the participants as a video file for follow-up purposes, or in order to publish it online (e.g. on our website or through social media channels) for marketing purposes. If a recording is planned, all participants will be expressly informed of this prior to the start of the online seminar. The recording of online seminars is carried out only in anonymised form, so that participants and their data are not visible. For this reason, audio and video functions are usually switched off for all participants during the recording. Chat histories are also not visible on recordings. The audio and video functions of participants are only switched back on once the recording is finished, for example in the Q and A session. You will be able to see that the online seminar is being recorded because a red “recording” symbol will be displayed in the online seminar window as soon as the recording starts and as long as it continues.
A recording of other Online Meetings will only be made if this is necessary for the purposes of documentation and follow up and then only with the consent of all the participants. If a recording is planned, we will let you know before the start of the meeting and – where required – ask for your consent. Recordings are not made automatically.
Legal basis: If the Online Meetings are held to enable us to provide you with our contractual services (e.g. where we are providing legal advice or holding an online seminar), the legal basis for any related processing of the personal data of the other contract parties is Article 6(1)(b) GDPR. If we obtain your consent for particular processing operations (e.g. for the non-anonymised recording of an Online Meeting), then the legal basis for the processing is Article 6(1)(a) GDPR. In other situations the processing of personal data in the context of Online Meetings is made on the basis of Article 6(1)(f) GDPR. We have a legitimate interest in enabling you to take part in Online Meetings quickly and easily.
Storage period: Any of your personal data that are processed as a result of your participation in an Online Meeting (e.g. meeting minutes and details, shared documents or files) are only stored for as long as is necessary for the purposes described above and to fulfil any statutory storage obligations. If you have a contractual relationship with us, then the data required for fulfilment of the contract will in principle be stored until the contract has been completed and all reciprocal claims have been settled. We will also store all information that must be stored in accordance with statutory storage requirements, in particular under commercial law and tax law, for the duration of the legal time limits (generally 6 or 10 years from conclusion of contract, ss. 257 para.4 HGB and 147 para.3 AO).
If the processing is carried out with your consent (e.g. as a result of the non-anonymised recording of an Online Meeting), the data will be deleted as soon as you revoke such consent, if not before.
To find out for how long any data required for the preparation of conference and online seminar services are stored by Cisco, please refer to the data protection information of Cisco.
Recipient: Participants in an Online Meeting (e.g. meetings with lawyers) can in principle see the name and company of the other participants as well as such other data and documents that a participant voluntarily shares with them during the meeting.
Participants in online seminars generally cannot see your name if you do not disclose it to the other participants yourself, e.g. using the chat function. Speakers and moderators have access to participant lists if required. In the case of events that we organise together with other parties, we reserve the right to share participant lists containing names, titles, companies and positions with our co-host.
Furthermore, any of your personal data that are collected when you use Webex for the preparation and use of conference and online seminar solutions must be forwarded to the suppliers and service providers of these services:
- Telekom Deutschland GmbH on the basis of an order processing contract in accordance with Article 28(3) GDPR
- Cisco International Limited based in Feltham, UK, as subcontractor to Telekom Deutschland GmbH
Participant data will be stored and processed in data centres in Europe (Amsterdam and London), and as a result no personal data from participants are generally sent to a third country in accordance with the contractual agreements with Telekom. Should this take place, in exceptional circumstances – e.g. where Cisco appoints a further service provider (subcontractor) based in a third country – then please be aware that, in line with the contractual agreements with Telekom, this will only be done on the basis of order processing that ensures the required level of data protection in accordance with Article 44 et seq. GDPR (e.g. on the basis of EU Standard Contractual Clauses / EU Model Clauses). If you would like further information on the data processing carried out by Cisco, please see here.
8 Application process
Scope of the processing: We regularly publish job vacancies on our website. If you apply for a job vacancy or other initiative with us and provide us with your personal data by sending us your application documents, in a personal meeting or by correspondence, at a recruitment fair or through an employment agency/personnel consultancy, then we will retain and process these data if these are required to make a decision about your application and about the conclusion of any employment agreement.
For this purpose, we usually need your name, address, email address and telephone number as well as information about your school and professional or university education, together with certificates, information about your professional career together with references from previous employers, any other professional qualifications and activities, language skills and, where appropriate, any relevant knowledge and skills that have been developed privately or any private commitments, if they are relevant for the role that you are applying for. If you voluntarily provide us with any other personal data, then we will store these too.
We will usually obtain these personal data directly from you. If the contact is made through an employment agency/personnel consultancy to whom you have provided your personal data, or if your professional information is published on the Internet so as to be generally accessible (e.g. via professional networks such as Xing and LinkedIn or through the website of your current employer), then your personal data may also be collected from such sources, if these are necessary for the hiring decision. This will be the case particularly where you contact us using such a communication method for the purpose of making an application.
If you are not selected for the advertised position or if your application cannot be considered for some other reason, there is a possibility that we will record your data – if you so desire – in our applicant pool for potential future recruitment. We need your express approval for this, which we will obtain from you, if necessary, before creating the relevant record.
Purpose of processing: We will only use your contact details for the purpose of contacting you and informing you of the status of your application and our decision. We will use other personal data contained in the application documents to check your qualifications and professional achievements and to assess your suitability for the role that is to be filled. Your data may also be processed in connection with legal action, in particular if these are necessary for the assertion, exercise or defence of reciprocal legal claims arising from the application process.
If, at the end of the application process, we enter into an employment agreement with you, then your personal data will be transferred to a personnel file and used for the purpose of creation and implementation of such an employment agreement. You will be separately informed of this on your appointment. If your application is not successful and you would like to be added to our applicant pool, then we may use your data for consideration in a subsequent application process.
The legal basis for the processing of your personal data as described above is s.26(1)(1) BDSG. If, in the course of the application process, you provide us with special categories of personal data, e.g. information about health, religious beliefs or ethnic origin, then the legal basis will be Article 9(2)(b) and (h), since the processing of such data, in accordance with our statutory duties as an employer and the associated protection of your fundamental rights may be necessary so that we can assess the employability of potential employees and where appropriate make any necessary occupational health or other healthcare provisions. The legal basis for the recording of data in our applicant pool is Article 6(1)(a) GDPR. The processing of your data for the purposes of prosecution is based on s.26 (1)(1) BDSG or Article 6(1)(f) GDPR. Our legitimate interests arise from the purposes set out above as well as the need to be able to examine and defend claims asserted by the applicant.
Recipient: We do not intend to forward the information that you have provided to third parties or other external organisations. Generally speaking, we will only transfer your data if you have consented to it or if we are obliged do so, on the grounds of statutory requirements or official regulations.
Storage period: In the event that the application process leads to an employment agreement, a training contract or an internship, then the data will be saved and transferred to a personnel file. Otherwise you will be sent a rejection and the application process will come to an end.
In the event of a rejection, we will, in principle, store your application documents and any personal data that they contain for a period of six months from the rejection. After that, we will destroy any written application documents and data that you have submitted, unless you have expressly notified us that you would prefer us to return the originals. Any electronic data will be deleted after six months. They will only be stored for longer periods if this is necessary for the defence of legal claims, where statutory regulations exceptionally prevent their deletion or if you have expressly consented to a longer period of storage.
Right of revocation: You can revoke your consent to have your details added to our applicant pool at any time (see section 12). In addition, you may of course also withdraw your application at any time.
Obligation to provide data: It is necessary to provide the personal data required for the application process so that the application process may take place. The absence of relevant personal data in the application documents can lead to your application not being considered.
9 Social Media Presences
9.1 Instagram
We maintain a social media presence on Instagram (a fanpage), through which we communicate with clients and other interested parties and report on current developments and events at our firm. The provider of this service is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (”Facebook“).
The operation of our fanpage on Instagram is accompanied by a shared data protection responsibility as set out in Article 26 GDPR. This means that the fanpage operator and Facebook are jointly responsible for the processing of the personal data of the user in connection with the Instagram site, in particular for the processing of “Instagram Insights” data (they are “joint controllers”). We have executed an agreement about such joint responsibility with Facebook Ireland Ltd., which you can view here and which covers all Facebook products that are listed there and used by us.
Facebook is the party primarily responsible under the provisions of this agreement. This is particularly true as regards the rights of data subjects covered by Articles 12 to 22 GDPR and the obligations to guarantee data security and report data protection infringements stipulated in Articles 32 to 34. Facebook has made the substantive content of this agreement available here in accordance with Article 26(2) GDPR. The agreement itself together with the security measures taken by Facebook can be viewed here.
Please note that you use our Instagram site and its functions at your own risk. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).
Scope and purpose of the joint processing: The following data processing operations take place in connection with our Instagram site:
- Reports/statistics: We receive anonymous statistics from Facebook on the use of our Instagram page (“page insights”). These contain information about the extent of and interactions with our articles, the behaviour of users on our page, demographic data (age, sex, location), information about visits to and interaction with our page as well as the long-term performance of individual articles. You can view a summary of these page insights here. These statistics are created by Facebook through specific events that are logged by the Facebook servers if people interact with pages and content linked to you. You can view a summary of these events and insight data here. These logs are only made by Facebook. We do not have access to these data and cannot control them.
We can use the anonymous statistics to continuously improve our Instagram page and to offer users an improved usage experience that is tailored to their interests. It is not possible to use the statistics to track individual users or to link to the profile data of individual users.
The legal basis for this processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the purposes set out above.
- Communication: If you are registered with Instagram then you can use the “message“ function to send us a message. Such messages are not visible to other users of Facebook/Instagram. If you provide personal data in your message, we will only process these in order to respond to your request and communicate with you.
The legal basis for this is Article 6(1)(f) GDPR. We have a legitimate interest in responding to any messages that you send us using the medium you have selected.
Further processing by Facebook: In addition, when someone visits the Instagram page, Facebook collects the IP address of the user and other information that is transmitted by means of cookies or similar technologies on the terminal of the user to Facebook. This information is used to make the statistical and usage information set out above available to the operators of an Instagram page. Facebook provides further details here.
Please also note: If you have an Instagram account and are logged in, Facebook will be able to see that you have visited our fanpage and how you have used it. The same is true for all other Facebook pages. Using these data, it can offer you contents or advertising that is tailored to you. If you would prefer to avoid this, you should log out of Facebook or uncheck the box next to “keep me logged in” and delete the cookies used on your device (see section 4.2). In this way, you will delete Facebook-related information that allows you to be directly identified. If you do this, you can use our Facebook page without disclosing your Facebook identification.
You can view the cookie policy of Facebook for Instagram, with details about the cookies used and control and opt-out optionshere.
Using your Facebook settings, you can also decide in what form you will allow Facebook to display targeted advertising (“opt-out“): https://www.facebook.com/settings?tab=ads and https://www.facebook.com/ads/settings
Please note that as operators of a fanpage we do not have control or complete knowledge of how Facebook uses the data collected from the visits to and use of Instagram pages for its own purposes, to what extent activities on Instagram pages are assigned to individual users, how long Facebook stores such data for and whether data from a visit to an Instagram page are passed on to third parties.
Recipient and transfer to third countries: Facebook sets out in its “data policies“ for what purposes and to what extent it processes data relating to Instagram users and transfers it to third parties – potentially outside the EU and the EEA. You can see the data policy for Instagram here. You can see the complete set of data policies of Facebook for all the Facebook products here. If personal data on Facebook servers are to be transmitted to the US and stored there, then the recipient is normally the US company Facebook Inc. In the event of data transfer to the US and other third countries, the compliance with data protection standards and your right to separate information from Facebook are assured by corresponding guarantees (e.g. standard data protection provisions).
Storage period: We generally do not store any personal data ourselves for communication and interaction with users that takes place over social media platforms. To find out how long Facebook stores data for, see the data policy for Instagram.
Important notice concerning your rights: If you want information about how Facebook processes your data, or if you want to rely on your other rights as a data subject including your right of revocation, it will be most effective for you to contact Facebook directly. Only Facebook has access to the user insight data referred to above and can take any directly relevant measures or provide information (see here). If you still need help, please contact us.
9.2 Linkedin
We also maintain a social media site on LinkedIn in order to report on current developments and events at our firm and to be able to make contact with interested parties. The provider of these services is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (”LinkedIn“).
The operation of our LinkedIn page is accompanied by a shared data protection responsibility as set out in Article 26 GDPR. This means that we, as operators of our LinkedIn page, and LinkedIn are jointly responsible for the processing of the personal data of anyone who visits that page, in particular for the processing of “insights” data (we are “joint controllers”). We have executed an agreement about such joint responsibility with LinkedIn with a focus on “insights” data, which you can view here.
LinkedIn is the party primarily responsible under the provisions of this agreement and assumes the essential data protection obligations in connection with the processing of “insights” data. This is particularly true as regards the information rights and rights of data subjects covered by Articles 12 to 22 GDPR and the obligations to guarantee data security and report data protection infringements stipulated in Articles 32 to 34.
Scope and purpose of the joint processing: The following data processing operations take place in connection with our LinkedIn site:
- Reports/statistics: We receive anonymous statistics from LinkedIn on the use of our LinkedIn page (“page insights”). LinkedIn processes profile data (e.g. role, country, sector, length of employment, size of company and employment status) as well as information about how a visitor has interacted with our LinkedIn page (e.g. whether a member of LinkedIn is also a follower of our page). LinkedIn uses these data to create visitor statistics and reports on the reach of our page and advertisement performance as well as demographic and geographic analyses. We receive these statistics, reports and analysis from LinkedIn only in anonymised form and have no access to the underlying data. LinkedIn makes information about the data that it processes available in its privacy policy.
- The anonymous statistics make it possible for us to continuously improve our LinkedIn page and to offer visitors an improved online service that is tailored to their interests. It is not possible to use the statistics to track individual users or to link to the profile data of individual users. For example, the statistics provide us with information about which offers and applications on our page have been of particular use or interest to our visitors. We can then use this information to provide more relevant contents to the visitors to our page and to develop functions that might be of more interest to them. Demographic and geographic analyses also make it possible to switch on interest-based advertising without directly knowing the identity of the visitor.
The legal basis for this processing is Article 6(1)(f) GDPR. We have a legitimate interest in optimising the presentation of our law firm and our online offerings.
- Communication: We also use our LinkedIn page to communicate with users and inform them about the services we provide. We may obtain further information in this regard, e.g. through user comments, private messages or because you follow us or share our content. Such data will only be processed for the purpose of communicating and interacting with you. If you provide personal data in a message, we will only process these in order to respond to your request and communicate with you.
The legal basis for this is Article 6(1)(f) GDPR. We have a legitimate interest in responding to any messages that you send us and in communicating and interacting with you using the medium you have selected.
Further processing by LinkedIn: Please note that cookies and similar storage technologies are used by LinkedIn and certain third party providers on the pages of LinkedIn in order to collect device-specific data as well as information about user activities (e.g. device IDs) and to recognise users and their terminal devices through different services and devices. This is outside our control. If you maintain a profile on LinkedIn yourself and are logged in, the collection and analysis can be carried out in a personalised way and across any device. We cannot influence this either.
If you would prefer to avoid this, you should log out of LinkedIn or uncheck the box next to “keep me logged in” and delete the cookies used on your device (see section 4.2).
You can view the cookie policy of Facebook for Instagram, with details about the cookies used and control and opt-out optionshere.
Using your Facebook settings, you can also decide in what form you will allow Facebook to display targeted advertising (“opt-out“): https://www.facebook.com/settings?tab=ads and https://www.facebook.com/ads/settings
LinkedIn provides further information on the cookies used and control and opt-out options in its cookie policy and in its privacy policy. In addition, users of LinkedIn can adjust their display settings to manage their advertising preferences on LinkedIn. You will find further information on this subject in the privacy policy.
Recipient and transfer to third countries: We do not intend to pass personal data of users that we have obtained through our LinkedIn page to third parties. LinkedIn describes in its privacy policy for what purposes and to what extent it transfers the collected information to third parties – potentially outside the EU and the EEA (e.g. to LinkedIn Inc., based in the US). In the event of data transfer to the US and other third countries, the compliance with data protection standards and your right to separate information from LinkedIn, are assured by corresponding guarantees (e.g. standard data protection provisions).
Storage period: We generally do not store any personal data ourselves for communication and interaction with users that takes place over social media platforms. To find out how long LinkedIn stores data for, see the privacy policy of LinkedIn.
Important notice concerning your rights: If you want information about how LinkedIn processes your data, or if you want to rely on your other rights as a data subject including your right of revocation, it will be most effective for you to contact LinkedIn directly. As provider of the social network, only LinkedIn has direct access to the required information and can take any necessary measures or provide information. If you still need our support, you are of course welcome to contact us at any time.
9.3 Xing und kununu
We also maintain company and employer profiles on Xing and kununu, in order to report on current developments and events at our firm and to make contact with interested parties and potential applicants. The provider of these services is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (”Xing“).
Scope and purpose of processing: We use our online presences with Xing and kununu for the following purposes:
- Communication and presentation purposes. We use them in particular to communicate with clients, interested parties and applicants who are active there and to inform them of current legal developments, news from our firm, current job vacancies and career opportunities as well as the services we provide (e.g. legal and career events). In relation to this, we may obtain further information, e.g. as a result of user comments, private messages, ratings or because you follow us or share our content. These data are processed only for the purpose of communicating and interacting with you. If you provide personal data in a message, we will only process this in order to respond to your request and communicate with you.
- The legal basis for this is Article 6(1)(f) GDPR. We have a legitimate interest in responding to any messages that you send us and in communicating and interacting with you using the medium you have selected.
Statistics: We receive anonymous user statistics from Xing that provide us with information about which services and content the visitors to our page have viewed, and which have been of particular use or interest to them, which include demographic analyses (e.g. statistics on the age profile and employment status of the visitor, origin of the hit, sector statistics). This makes it possible for us to continuously improve our company profile and to offer users an improved online service that is tailored to their interests. These statistics are based on profile data that are provided to Xing by the user, as well as interest and user profiles that Xing creates using information about user activities (through “tracking”). We receive these statistics from Xing only in anonymised form and have no access to any of the underlying data.
Xing alone is the controller for the processing of user and profile data, in particular of information about usage activities, as set out in Article 4(7) GDPR. We ourselves do not process any personal data in this respect. Information about the data processed by Xing, including processing purposes and legal basis for processing is provided by Xing in its privacy policy .
Further processing byXing: If you visit the websites of Xing or kununu, then Xing will process your personal data in accordance with its privacy policy, which you can view here. The privacy policy covers all the services provided by Xing and its applications, that is, also for kununu. Please note that cookies and similar storage technologies are used by Xing and certain third party providers on the pages of Xing and kununu in order to collect device-specific data as well as information about user activities (e.g. searches or interactions with a Xing page and user interests based on this). These data are used for the purpose of providing the Xing services as well as for the measurement and optimisation of (interest based) advertising. This is outside our control. If someone uses the services provided by Xing on several devices, collection and analysis of data can be carried out across all devices, if the user is registered and has logged on using their own profile. We cannot influence this either.
If you would prefer to avoid this, you should log out of Xing or uncheck the box next to “keep me logged in” and delete the cookies used on your device (see section 4.2). If you do this, you can use our Xing pages without disclosing your profile identification.
Xing provides further information about the cookies used and control and opt-out options in its privacy policy regarding tracking.
Storage period: We generally do not store any personal data ourselves for communication and interaction with users that takes place over Xing platforms. To find out how long Xing stores data, please refer to the privacy policy of Xing. We only retain enquiries from users addressed to us via Xing for as long as is necessary to deal with the enquiry.
Recipient and transfer to third countries: We do not intend to pass personal data of users that we have obtained through our Xing page to third parties. Xing may pass your information on to third party providers. You can see more detailed information here.
Important notice concerning your rights: If you want information about how Xing processes your data, or if you want to rely on your other rights as a data subject, including your right of revocation, you must contact Xing directly. In this respect Xing alone is the controller under data protection law, as described in Article 4(7) GDPR.
9.4 YouTube | Vimeo
We also maintain company and employer profiles on Xing and kununu, in order to report on current developments and events at our firm and to make contact with interested parties and potential applicants. The provider of these services is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (”Xing“).
Scope and purpose of processing: We use our online presences with Xing and kununu for the following purposes:
- Communication and presentation purposes. We use them in particular to communicate with clients, interested parties and applicants who are active there and to inform them of current legal developments, news from our firm, current job vacancies and career opportunities as well as the services we provide (e.g. legal and career events). In relation to this, we may obtain further information, e.g. as a result of user comments, private messages, ratings or because you follow us or share our content. These data are processed only for the purpose of communicating and interacting with you. If you provide personal data in a message, we will only process this in order to respond to your request and communicate with you.
- The legal basis for this is Article 6(1)(f) GDPR. We have a legitimate interest in responding to any messages that you send us and in communicating and interacting with you using the medium you have selected.
Statistics: We receive anonymous user statistics from Xing that provide us with information about which services and content the visitors to our page have viewed, and which have been of particular use or interest to them, which include demographic analyses (e.g. statistics on the age profile and employment status of the visitor, origin of the hit, sector statistics). This makes it possible for us to continuously improve our company profile and to offer users an improved online service that is tailored to their interests. These statistics are based on profile data that are provided to Xing by the user, as well as interest and user profiles that Xing creates using information about user activities (through “tracking”). We receive these statistics from Xing only in anonymised form and have no access to any of the underlying data.
Xing alone is the controller for the processing of user and profile data, in particular of information about usage activities, as set out in Article 4(7) GDPR. We ourselves do not process any personal data in this respect. Information about the data processed by Xing, including processing purposes and legal basis for processing is provided by Xing in its privacy policy .
Further processing byXing: If you visit the websites of Xing or kununu, then Xing will process your personal data in accordance with its privacy policy, which you can view here. The privacy policy covers all the services provided by Xing and its applications, that is, also for kununu. Please note that cookies and similar storage technologies are used by Xing and certain third party providers on the pages of Xing and kununu in order to collect device-specific data as well as information about user activities (e.g. searches or interactions with a Xing page and user interests based on this). These data are used for the purpose of providing the Xing services as well as for the measurement and optimisation of (interest based) advertising. This is outside our control. If someone uses the services provided by Xing on several devices, collection and analysis of data can be carried out across all devices, if the user is registered and has logged on using their own profile. We cannot influence this either.
If you would prefer to avoid this, you should log out of Xing or uncheck the box next to “keep me logged in” and delete the cookies used on your device (see section 4.2). If you do this, you can use our Xing pages without disclosing your profile identification.
Xing provides further information about the cookies used and control and opt-out options in its privacy policy regarding tracking.
Storage period: We generally do not store any personal data ourselves for communication and interaction with users that takes place over Xing platforms. To find out how long Xing stores data, please refer to the privacy policy of Xing. We only retain enquiries from users addressed to us via Xing for as long as is necessary to deal with the enquiry.
Recipient and transfer to third countries: We do not intend to pass personal data of users that we have obtained through our Xing page to third parties. Xing may pass your information on to third party providers. You can see more detailed information here.
Important notice concerning your rights: If you want information about how Xing processes your data, or if you want to rely on your other rights as a data subject, including your right of revocation, you must contact Xing directly. In this respect Xing alone is the controller under data protection law, as described in Article 4(7) GDPR.
10 General information on data transfer
The advertising agency EGGERT GROUP GmbH & Co. KG, Uhlandstraße 42, 40237 Düsseldorf supports us in the supervision and design of our website and our Online Services. It may therefore sometimes be necessary for the EGGERT GROUP to process personal data relating to the users of our website on our behalf to provide content management and support services. Our website is hosted by M. Balluff EDV-Dienstleistungen, Erfurter Str. 21, 44577 Castrop-Rauxel, which may also need to access data processed through our website to fulfil an order processing (sub-)contract for the provision of hosting and support services.
In addition to the recipients set out at sections 4 to 9 and above, a transfer of your data to other recipients may take place in the following situations:
- Where it is necessary to transfer data to authorities and public bodies, e.g. courts, supervisory, tax, finance, administrative or law enforcement authorities (e.g. in the context of supervisory inspections, criminal proceedings or legal disputes)
- Where further IT and web-service providers are or will be appointed to support our internal IT infrastructure (software, hardware)
- Where they need to be shared for the business purposes of authorised third parties e.g. credit institutes, post or telecommunications service providers
- Where they need to be transferred to lawyers, tax advisors, accountants, auditors, etc.
If external service providers come into contact with your personal data, we will ensure through legal, technical and organisational measures that they will observe the provisions of data protection legislation and – if they act as a processor – process your data only on our behalf and in accordance with our instructions.
11 General information on storage periods
Where no specific storage period is given in this privacy statement, personal data will be stored for as long as necessary in order to fulfil the stated purposes and to comply with our statutory obligations. If there are statutory storage obligations (e.g. under s. 147 AO, s. 257 HGB), the data will be stored for at least the duration of the storage period stipulated in law.
12 Rights of data subjects
Right to access: In addition to this privacy policy, you can request information about your personal data that we have processed at any time under the provisions of Article 15 GDPR. In particular, you can request information about the purpose of processing, the category of personal data, the categories of recipient to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or withdrawal of consent, the existence of a right of objection, the source of the data when not collected by us, as well as the existence of automated decision making, including profiling, and where appropriate detailed information about it.
Your right to access includes the right to obtain a copy of your personal data. We generally provide data copies in electronic form unless you have indicated otherwise. The first copy is provided at no cost to you, while a reasonable fee may be charged for additional copies. The information is provided subject to the rights and freedoms of others who may be affected by the transmission of the data copy. In addition, you should bear in mind the limitations on your right of information pursuant to section 34 of the BDSG.
Right to rectification: Under the provisions of Article 16 GDPR you may obtain the rectification of inaccurate or incomplete personal information that we have stored without undue delay.
Right to erasure: Furthermore, under the provisions of Article 17 GDPR you may also obtain the erasure of personal data we have stored about you, unless such processing is required for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims. The right of erasure is subject to certain restrictions under the provisions of s. 35 BDSG.
Right to restriction of processing: In accordance with Article 18 GDPR, you can also request the restriction of the processing of your personal data where you contest the accuracy of the personal data that we have stored about you or where you have objected to the processing pursuant to Article 21 GDPR. If this occurs, we must restrict the processing of your data for the period required for the examination of your case. You can also request a restriction if the processing is unlawful but you oppose the erasure of the data or it is not us but you who require the data we have stored for the assertion, exercise or defence of legal claims.
Right to data portability: Under the provisions of Article 20 GDPR, you have the right to obtain the personal data that you have provided to us in a structured, commonly used and machine-readable format, or, where technically feasible, to request the direct transmission to another controller. This right to data portability only exists if the processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or an agreement in accordance with Article 6(1)(b) GDPR and is carried out by means of automatised procedures. The restrictions under Article 20(3) and (4) GDPR and s. 28 BDSG should be borne in mind.
Right to withdraw consent that has been given: If we process your personal data on the basis of consent that you have provided, you are also entitled to withdraw such consent at any time in accordance with Article 7(3) GDPR. The result of such withdrawal will be that we will cease to carry out any data processing that had been based on such consent. The lawfulness of any processing carried out on the basis of your consent, until the time at which your consent is withdrawn, shall be unaffected by such withdrawal.
13 RIGHT OF OBJECTION
YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA WHERE THERE ARE GROUNDS RELATING TO YOUR PARTICULAR SITUATION, IF WE ARE PROCESSING SUCH DATA ON THE BASIS OF LEGITIMATE INTERESTS (ARTICLE 6(1)(F) GDPR). WHERE THERE IS A JUSTIFIED OBJECTION WE MUST REFRAIN FROM ANY FURTHER PROCESSING OF YOUR DATA, UNLESS SUCH PROCESSING IS REQUIRED FOR COMPELLING AND LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR FOR THE ASSERTION, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS USED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT UNCONDITIONALLY TO THE PROCESSING OF YOUR DATA FOR SUCH MARKETING PURPOSES AT ANY TIME. IF YOU DO, YOU DO NOT NEED TO PROVIDE INFORMATION ABOUT ANY PARTICULAR SITUATION. THE SAME APPLIES TO PROFILING IF IT IS CONNECTED TO SUCH DIRECT MARKETING. IF YOU DO RAISE AN OBJECTION, THE PROCESSING OF YOUR DATA FOR DIRECT MARKETING PURPOSES WILL BE DISCONTINUED IMMEDIATELY.
YOU MAY SEND IN YOUR OBJECTION IN ANY FORM (E.G. BY EMAIL, FAX OR LETTER) TO THE ADDRESS GIVEN UNDER SECTION 2 ABOVE OR TO marketing[@]kapellmann.de. NO COSTS WILL BE INCURRED EXCEPT FOR STANDARD POSTAGE FEES.
14 Right of appeal
If you are of the opinion that the processing of your personal data by us is in breach of any data protection regulations, you have a right of appeal to a regulatory authority, in particular in the Member State of your habitual residence, your place of business or the place where the alleged breach took place, under Article 77 GDPR. In North Rhine-Westphalia, the competent regulatory authority is the Office for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen or LDI NRW), which can be contacted at the following address:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
(Office for Data Protection and Freedom of Information)
PO Box 200444
40102 Düsseldorf
Telephone: +49211/38424-0
Fax: +49211/38424-10
E-Mail: poststelle@ldi.nrw.de
15 Data security
For reasons of security and to safeguard the transfer of confidential information, such as data from contact requests, this website uses SSL encryption. The implementation of this type of encoding is a recognised standard on the Internet, used above all to prevent access to personal data by unauthorised persons. You will be able to recognise an encrypted connection because the address field of the browser will change from Fehler! Hyperlink-Referenz ungültig. to Fehler! Hyperlink-Referenz ungültig. and by appearance of the lock symbol in your browser field. If SSL encryption is enabled, then data that you transfer to us cannot be read by third parties.
In addition, we take all necessary precautions to guarantee the security, stability, integrity and functionality of our IT systems and IT operations, as well as the safety of the stored data and the data processing operations that take place at Kapellmann. We have implemented technical and organisational security measures to protect your data from accidental or deliberate manipulation, partial or total loss or destruction and against unauthorised access by third parties. In this regard, it may be necessary to process the personal data stored in the IT systems of Kapellmann from time to time (e.g. through the use of spam filters). The legal basis for such processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the purposes set out above.
16 Validity of and amendments to this privacy statement
This privacy statement is currently valid, as at December 2020.
It may be necessary to amend this privacy statement from time to time, as a result of the continuing development of our website and the services we offer or due to changes to legal or technical requirements. You can view and print the most recent version of our privacy statement at any time on our website, at https://www.kapellmann.de/de/datenschutz/ .