Privacy
Information regarding Data Protection – General
We only process the personal data of our users insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is required by law.
I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
YPOG Partnerschaft von Rechtsanwälten und Steuerberatern mbB Schnittker + Partner
Kurfürstendamm 12
10719 Berlin
Germany
+49 30 76759750
datenschutz@ypog.law
www.ypog.law
II. Contact details of the data protection officer
The data protection officer of the controller is:
secjur GmbH
Steinhöft 9
20459 Hamburg
Hamburg, Germany
+49 40 228599520
dsb@secjur.com
www.secjur.com
III. Provision of the website and creation of log files
1. scope and purpose of data processing
To provide our website, we use storage space, computing capacity and software that we rent from the server provider HubSpot as our web host. In addition, data that your browser transmits to our server is automatically processed when you visit our website. This general data and information is stored in the server log files (so-called "server log files"). The following can be recorded:
- Browser type and browser version
- Operating system used
- Referrer URL (previously visited website)
- Host name of the accessing computer
- Date and time of the server request
- IP address
When using this data and information, we do not draw any conclusions about your person. The purposes we pursue include in particular
- Provision of our website
- Provision of our online services and user-friendliness
- Operation and provision of information systems
- Content Delivery Network (CDN)
- Ensuring a smooth connection to the website
- Clarification of acts of abuse or fraud,
- Problem analyses in the network
- Evaluation of system security and stability.
2. legal basis
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in being able to provide our website in a technically flawless manner.
3. recipients of personal data
The recipient of your data in this context is our service provider Hubspot Inc, 25 First Street, Cambridge 02141, USA. The service provider was carefully selected by us, commissioned in writing and is bound by our instructions. The personal data is transferred to the USA. To ensure an adequate level of data protection at the recipient of your personal data, we have concluded standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR. For further information, please contact our data protection officer.
We also use a content delivery network (CDN). A CDN is a service with the help of which the content of an online offer, in particular large media files such as graphics or programme scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet. Therefore, the legal basis is based on the legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.
The recipient of your data in this context is our service provider Cloudflare, Inc, 101 Townsend St., San Francisco, CA 94107, USA. The service provider was carefully selected by us, commissioned in writing and is bound by our instructions. The personal data is transferred to the USA. To ensure an appropriate level of data protection at the recipient of your personal data, we have concluded standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR. For further information, please contact our data protection officer.
4. duration of storage
The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the accessing client.
IV. Use of cookies
1. scope and purpose of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
From a legal perspective, a distinction must be made between necessary and non-necessary cookies.
1.1 Technically necessary cookies
We use necessary cookies. These are cookies that are technically necessary to provide all the functions of our website. The legal basis for data processing is our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR. We have an overriding legitimate interest in being able to offer our website in a technically flawless manner. The legal basis for the use of cookies vis-à-vis our contractual partners who make use of services contractually owed by us via our website is Art. 6 para. 1 sentence 1 lit. b GDPR, the provision of our contractual services.
1.2 Technically unnecessary cookies
We also use non-essential cookies (e.g. preferences, statistics and marketing cookies). These are cookies that are not technically necessary. We use them to understand your behaviour on our website and to improve our offering. The legal basis for data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. The cookies are only set after you have given your consent via our "cookie banner".
We also use cookies on our website that enable us to analyse the surfing behaviour of users. This also only takes place after you have given your consent via our "cookie banner". Further information on data processing in connection with technically unnecessary cookies can be found in our cookie banner.
2. duration of storage
With regard to the storage period, a distinction is made between the following types of cookies:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his/her end device (e.g. browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or favourite content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that they can be stored for up to two years.
If you use a Safari browser version 12.1 or higher, cookies are automatically deleted after seven days. This also applies to opt-out cookies, which are set to prevent tracking measures.
3. cookie banner
3.1 Scope and purpose of data processing
When you visit our website or a sub-website for the first time and it contains cookies, a "cookie banner" will be displayed. There you will be informed about the individual cookies that we use. You can find out the name of each individual cookie, the provider(s), the purpose of processing and the storage period.
Our cookie banner informs you about the specific cookies we use. In addition, we give you the opportunity to decide whether you want to consent to the setting of non-essential cookies. Can be processed:
- Usage data (e.g. websites visited, time of access)
- Meta and communication data (e.g. IP address)
3.2 Legal basis
The legal basis for the use of the cookie banner is Art. 6 para. 1 sentence 1 lit. f GDPR. We have an overriding legitimate interest in using the cookie banner, which enables us to obtain the legally required consent for the use of non-essential cookies and to fulfil our duty to provide information regarding cookies.
3.3 Recipients of personal data
Your data will be passed on to the service provider Cookiebot by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark to the extent necessary as part of order processing. A corresponding order processing contract has been concluded with Usercentrics.
3.4 Duration of storage
The cookie banner stores the preferences until you reset or customise them.
V. Use of external services
1 LinkedIn Analytics
1.1 Scope and purpose of data processing
LinkedIn Analytics is used to analyse user behaviour on our website and to create reports about it. With the help of LinkedIn Analytics, we can see which pages are visited most frequently, how long users stay on the site and how they arrive at the site (e.g. via a search engine or from another website). This information can help to optimise the website and improve the user experience. LinkedIn Analytics can also be used to measure the effectiveness of marketing activities, e.g. to see how many users come to the website from a LinkedIn advert.
We process the following personal data through LinkedIn Analytics:
- Time of the enquiry
- IP addresses
- Online labelling
- Device identifiers
- Technical characteristics of users (e.g. browser type and version, device type, operating system)
- Measurement of user behaviour (e.g. views of individual pages / content, views of content from different areas, session duration / dwell time, bounce rate)
- Use of individual functionalities of the website (e.g. search queries, downloads)
- eCommerce activity (e.g. products purchased, sales)
- Referral URL (the previously visited page)
1.2 Legal basis
The legal basis for the use of LinkedIn Analytics is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.
1.3 Recipients of personal data
The recipient of your data in this context is our service provider LinkedIn Ireland Unlimited Company; Wilton Place, Dublin 2, Ireland. If you are logged in to LinkedIn, you can deactivate data collection at any time by clicking on the following link:
https://www.linkedin.com/psettings/enhanced-advertising.
2. HubSpot
2.1 Scope and purpose of data processing
We use functions of the CMS Hubspot (HubSpot). This is an integrated software solution that we use to cover various aspects of our online marketing. These include, among others: Email marketing (newsletters and automated mailings, e.g. to provide downloads), social media publishing & reporting, reporting (in particular traffic sources, access, etc.), contact management (in particular user segmentation & CRM), landing pages and contact forms. HubSpot places cookies on your computer. This allows personal data to be stored and evaluated, in particular the activity of the user (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and operating system), data about the advertisements displayed (in particular which advertisements have been displayed and whether the user has clicked on them) and also data from advertising partners (in particular pseudonymised user IDs). We use the HubSpot plug-in to optimise our website and marketing activities.
Other recipients of the data processed by Hubspot are in particular:
- Amazon Web Services, Inc.
- Google, Inc.
- Cloudflare, Inc.
- Twilio, Inc.
- Message Systems, Inc.
- SendGrid, Inc.
- Snowflake, Inc.*
- HubSpot, Inc.
- HubSpot Ireland, Ltd.
- HubSpot Germany GmbH
- HubSpot Australia Pty Ltd.
- HubSpot Asia Pte. Ltd.
- HubSpot Japan KK
- HubSpot Latin America, S.A.S.
- HubSpot Sweden
2.2 Legal basis for the processing of personal data
The legal basis for the processing of users' personal data is generally the user's consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.
2.3 Recipients of personal data
The recipient of your data in this context is our service provider Hubspot Inc, 25 First Street, Cambridge 02141, USA. The service provider was carefully selected by us, commissioned in writing and is bound by our instructions. The personal data is transferred to the USA. To ensure an adequate level of data protection at the recipient of your personal data, we have concluded standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR. For further information, please contact our data protection officer.
2.4 Duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.
VI Newsletter
1. scope and purpose of data processing
You can subscribe to a free newsletter on our website. When you register for the newsletter, the data from the input screen is transmitted to us.
- E-mail address
- Name
- First name
- Preferred language
- Metadata (e.g. device information, IP address, date and time of login)
- Interaction with the newsletter
- Selection of topics
No data is passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.
Our newsletters contain so-called tracking links that enable us to analyse the behaviour of newsletter recipients. For example, we can analyse how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. This enables us to statistically analyse the success or failure of online marketing campaigns. The personal data collected through the tracking links is stored and evaluated by us in order to optimise the newsletter dispatch and to adapt the content of future newsletters even better to your interests.
We process your personal data for the following purposes:
- Newsletter dispatch: realisation of marketing measures
- Newsletter tracking: measuring success
2. legal basis for data processing
The legal basis for sending our newsletter is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for newsletter tracking is also your prior consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent to receive our newsletter at any time by clicking on the unsubscribe link in emails or by sending your revocation by email to datenschutz@ypog.law or by post to the contact details given in the legal notice. Your personal data will then be removed from the mailing list.
3. recipients of personal data
The recipient of your data in this context is our service provider Hubspot Inc, 25 First Street, Cambridge 02141, USA. The service provider was carefully selected by us, commissioned in writing and is bound by our instructions. The personal data is transferred to the USA. To ensure an adequate level of data protection at the recipient of your personal data, we have concluded standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR. For further information, please contact our data protection officer.
4. duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. The user's email address will therefore be stored for as long as the subscription to the newsletter is active. The other personal data collected during the registration process will generally be deleted after a period of seven days.
VII Contact options
1. scope and purpose of data processing
It is possible to contact us on our website by e-mail, via the contact form and by telephone. In this case, the user's personal data transmitted by the enquirer will be stored. The data is used exclusively for processing the conversation. The purpose of making contact is to communicate, manage and respond to enquiries.
We process the following personal data:
- E-mail address
- Name (first name and surname)
- Contact reason
- Text of your message
2. legal basis
The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 para. 1 sentence 1 lit. f GDPR. If the e-mail contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
3. duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
VIII. Application procedure
1. scope and purpose of data processing
If you apply to us electronically, i.e. by e-mail or via our web form on our recruiting page https://www.ypog.law/en/careers), we will collect and process your personal data for the purpose of handling the application process and implementing pre-contractual measures.
By submitting an application on our recruiting page, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:
- Name (first name and surname)
- Gender
- E-mail address
- Place of residence
- Salary expectations
- Availability
- Telephone number
- Channel, how you became aware of us
You also have the option of uploading informative documents such as a cover letter, your CV and references. These may contain further personal data such as date of birth, address etc.
Only authorised employees from the HR department or employees involved in the application process have access to your data.
Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.
If you receive an offer of employment with us during the application process and accept it, we will store the personal data collected during the application process for at least the duration of the employment relationship.
2. legal basis
The legal basis for the processing of your data is the initiation of a contract, which takes place at your request, Art. 6 para. 1 sentence 1 lit. b GDPR. If we obtain your consent (e.g. for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
3. recipients of personal data
Your data will be passed on to the service provider Personio SE & Co KG Seidlstraße 3, 80335 Munich, Germany, to the extent necessary as part of order processing. The service provider has been carefully selected by us, commissioned in writing and is bound by our instructions.
4. duration of storage
Your data will be stored for a period of 180 days after the end of the application process. This is usually done to fulfil legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymise your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g. proportion of female applicants, number of applications per period, etc.).
In addition, we reserve the right to store your data for inclusion in our applicant pool for 180 days after the end of the application process in order to identify any other interesting positions for you. This also applies, for example, to applications for an apprenticeship or internship. The data will then be anonymised.
IX. Customer reviews
1. scope and purpose of data processing
We participate in review and rating processes in order to evaluate, optimise and promote our services. If users rate us or otherwise provide feedback via the participating review platforms or procedures, the General Terms and Conditions or Terms of Use and the data protection information of the provider of the kununu platform, NEW WORK AUSTRIA XING kununu Prescreen GmbH, Schottenring 2-6, 1010 Vienna, Austria, also apply. As a rule, the evaluation also requires registration with the respective provider. If you leave a review about us, we will receive a notification that someone has left a message or review. This includes information about who left the review and the corresponding content.
The purpose of this processing is to collect feedback in order to provide employees with the opportunity to give feedback. We use the online presence to provide information about our company, career opportunities, our products and services.
2. legal basis
The processing enables us to improve our offers and processes in the company and to assess the satisfaction of our employees, so that the legal basis is the legitimate interest in data pursuant to Art. 6 para. 1 sentence 1 lit. f. GDPR. GDPR.
3. duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.
X. LinkedIn
1. scope and purposes of data processing
We utilise the possibility of company appearances on professionally oriented networks.
We provide information on our site and offer users the opportunity to communicate. The company presence is used for applications, information/PR and active sourcing.
In principle, LinkedIn Ireland Unlimited Company (Ireland/EU - "LinkedIn") is solely responsible for the processing of personal data when you visit our LinkedIn page. Further information on the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
When you visit our LinkedIn company page, follow this page or engage with the page, LinkedIn processes personal data to provide us with statistics and insights in anonymised form. This gives us insights into the types of actions that people take on our site (so-called page insights). In particular, LinkedIn processes data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. With the Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to the summarised Page Insights. It is also not possible for us to draw conclusions about individual members from the information in the Page Insights.
This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. We have entered into an agreement with LinkedIn on processing as joint controllers, which sets out the distribution of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. The following applies:
- LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn online via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or reach LinkedIn via the contact details in the Privacy Policy. You can contact the Data Protection Officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also contact us using the contact details provided to exercise your rights in connection with the processing of personal data in the context of Page Insights. In such a case, we will forward your enquiry to LinkedIn.
- LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority.
Please note that in accordance with the LinkedIn Privacy Policy, personal data is also processed by LinkedIn in the USA or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision of the European Commission pursuant to Art. 45 GDPR exists or on the basis of appropriate safeguards pursuant to Art. 46 GDPR.
2. legal basis for data processing
The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
3. duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.
XI. Xing
1. scope and purposes of data processing
When you visit our XING profile, XING processes your data as a user to ensure security, provide the service and measure and optimise advertising. In principle, New Work SE, Am Strandkai 1, 20457 Hamburg, Germany, is solely responsible for the processing of personal data when you visit our XING page. The categories of personal data processed by XING are described in the XING Data Policy at https://privacy.xing.com/de/datenschutzerklaerung.
If you contact us via our XING profile, e.g. by commenting on a post on the XING profile or writing us a direct message via the XING platform, we process your personal data (e.g. your name, communication content, job title, company name, industry, education, contact options, photo ("profile data")) in order to process your request. The names of the registered XING users who have visited our XING profile are visible to us.
If you send us an application via our Xing profile, we will process your application data (such as name, e-mail address, date of birth, postal address and telephone number), the documents you send us (such as CV, certificates, cover letter, including the information contained therein about your person and qualifications) and additional information and messages you provide (such as desired start date and employment, salary expectations, your notice period or your motivation as to why you would like to work for us). The processing is carried out for the purposes of processing the application, including the preparation and conduct of interviews and recruitment tests and the evaluation of the results and as otherwise required as part of the application process. We will contact you during the application process to inform you of the progress of your application or to invite you to an interview or recruitment test. As part of the application process, the documents are initially processed by the HR department. If suitable, the personal data and documents will be forwarded to the relevant specialist department.
If you visit our XING profile as a company profile on XING, XING also collects usage data. XING also uses certain data that it has collected from users of the XING platform (e.g. whether a post has been marked with "Like") to compile aggregated usage statistics and make them available to the respective operators of the XING profile (so-called "employer branding performance measurement"). We receive such aggregated usage statistics. The aggregated statistics do not allow any conclusions to be drawn about individual users. We have no access to personal data that XING processes for employer branding performance measurement. XING alone determines which data is processed for employer branding performance measurement and how. We have no legal or actual influence on the processing by XING. XING provides information on this in the XING privacy policy (https://privacy.xing.com/de/datenschutzerklaerung).
2. legal basis for data processing
The processing of your profile data in this context is based on a balancing of interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR in order to offer you a contemporary and supportive information and interaction opportunity with and about us.
The legal basis for the described data processing in connection with an application via our XING page is Art. 6 para. 1 lit. b GDPR. The data processing is necessary to establish a possible employment relationship.
If you register for an event organised by us via our XING profile, we will process your profile data to enable you to participate in the event. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR to enable you to register and participate easily.
3. duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.
XII Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. right to information (Art. 15 GDPR)
You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
- the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
2. right to rectification (Art. 16 GDPR)
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.
3. right to restriction of processing (Art. 18 GDPR)
Under the following conditions, you may request the restriction of the processing of your personal data:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
- if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.
If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. right to erasure (Art. 17 GDPR)
4.1 Cancellation obligation
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
- The personal data concerning you has been processed unlawfully.
- The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning you was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.
4.2 Information to third parties
If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 (1) GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.
4.3 Exceptions
The right to erasure does not exist if the processing is necessary
- to exercise the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the assertion, exercise or defence of legal claims.
5. right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right vis-à-vis the controller to be informed about these recipients.
6. right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where
- the processing is based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR and
- the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. right to object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to datenschutz@ypog.law.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
8. right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. automated decision-making in individual cases including profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
- is necessary for the conclusion or fulfilment of a contract between you and the controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- with your express consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or b GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. right to lodge a complaint with a supervisory authority
You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.
XIII Up-to-dateness and changes to the data protection information
This privacy policy is currently valid and has the following status: November 2023.
If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.
Information regarding Data Protection –
Notary Services
1. Who is responsible, whom can you turn to?
The controller responsible for the processing of your personal data is me, Dr. Lilly Fiedler, Notary (Notarin),
with official seat in Berlin. For all inquiries with regard to data protection, please feel free to contact me or my
data-protection officer as follows:
Dr. Lilly Fiedler, Notary
Kurfürstendamm 12
10719 Berlin | Germany
P +49 30 767597544
F +49 30 767597599
lilly.fiedler@ypog.law
ypog.law
Secjur GmbH
Steinhöft 9
20459 Hamburg | Germany
+49 40 228599520
2. Which data do I process, and where does the data come from?
Notaries process personal data that they receive from you or from third parties instructed by you (e.g. attorneys,
tax advisors, brokers, financial institutions), such as e.g.:
- personal details, e.g. first name and family name, date of birth and place of birth, nationality, marital status; in individual cases, your birth registration number;
- contact details, such as e.g. postal address, telephone and fax numbers, e mail address; • for real-estate contracts: your tax identification number (steuerliche Identifikations-Nummer);
- in certain cases — e.g. in the context of prenuptial agreements, wills, contracts of inheritance, or adoptions —, also data on your family situation and your assets as well as (where applicable) information regarding your health or other sensitive data, for instance because they serve to document your capacity to contract;
- in certain cases also data from your legal relationships with third parties, such as e.g. reference numbers, or loan or account numbers with financial institutions.
Moreover, I process data from public registers, e.g. from the land register or from commercial registers and registers of association.
3. For what purposes and on what legal basis is the data processed?
As a notary, I am the holder of a public office.
By way of my official activities, I perform a task that is in the interest of the general public as to an orderly precautionary administration of justice and thus in the public interest and occurs in the exercise of official authority vested in me (Art. 6(1) sentence 1 lit. e General Data Protection Regulation – GDPR).
Your data is processed solely in order to carry out the notarial activity requested by you and (where applicable) by additional persons involved in a transaction in accordance with my official duties, for instance, for purposes of preparing draft notarial documents, of notarizations and of executing notarial business, or of providing advice.
Accordingly, the personal data is always processed only on the basis of the provisions of professional and procedural law applicable to me, which predominantly derive from the German Federal Code of the Notarial Profession (Bundesnotarordnung – BNotO) and the German Notarization Act (Beurkundungsgesetz – BeurkG). At the same time, those provisions also give rise to a legal obligation on my part to process the necessary data (Art. 6(1) sentence 1 lit. c GDPR). A failure on your part to provide me with the data that I request from you would, therefore, result in my having to decline to (continue to) carry out the official business in question.
4. To whom do I transmit data?
As a notary, I am subject to a statutory obligation to maintain confidentiality.
The obligation to maintain confidentiality also applies to all members of my staff and any other persons instructed by me. Accordingly, I am only allowed to transmit your data if and to the extent that I am under a corresponding obligation in the individual case, e.g. owing to notification obligations vis-à-vis the tax authorities; public registers such as the land register, commercial register or register of associations, Central Register of Wills, Central Register of Lasting Powers of Attorney (Vorsorgeregister); courts such as the probate court, guardianship court or family court; or public authorities.
In the context of professional supervision and supervision of conduct in service, I might also be under an obligation to provide information to the Chamber of Notaries or to my supervisory authority regarding conduct in service, which, for their part, are subject to an official obligation to maintain confidentiality. Beyond that, your data will be transmitted only if I am under an obligation to do so owing to declarations made by you or if you have applied for such transmission.
5. Is data transmitted to third countries?
Your personal data will be transmitted to third countries only upon special request by you or if and to the extent that a party involved in a deed (Urkundsbeteiligter) is resident in a third country.
6. For what period will your data be stored?
I process and store your personal data within the limits of my statutory retention obligations. Pursuant to sec. 5(4) German Official Regulations for Notaries (Dienstordnung für Notarinnen und Notare – DONot) (hereinafter
›Notarial Regulations‹), the following retention periods apply to the retention of notarial records:
- register of deeds (Urkundenrolle), register of contracts of inheritance, index of names relating to the register of deeds and the collection of deeds (Urkunden) including the contracts of inheritance that are retained separately (sec. 18(4) Notarial Regulations): 100 years;
- custody ledger (Verwahrungsbuch), assets ledger (Massenbuch), index of names relating to the assets ledger,
list of escrow accounts (Anderkonten), general files: 30 years; - ancillary files: 7 years; the notary may, in writing and no later than in the context of the final substantive work on the respective file, designate a longer retention period, e.g. for dispositions mortis causa or in cases where there is a risk of recourse; such designation may also be made generally for individual types of legal transactions, such as e.g. dispositions mortis causa.
Once the storage periods have expired, your data will be erased and/or the hard-copy documents will be destroyed unless I am under an obligation to store them for a longer period pursuant to Art. 6(1) sentence 1 lit. c GDPR owing to retention or documentation obligations under tax or commercial law (under the German Commercial Code [Handelsgesetzbuch – HGB], the German Criminal Code [Strafgesetzbuch – StGB], the German Anti-Money Laundering Act [Geldwäschegesetz – GwG] or the German Fiscal Code [Abgabenordnung – AO]) as well as owing to obligations under professional rules of conduct for purposes of checking for possible conflicts.
7. What are your rights?
You have the following rights:
- to demand information on whether I process personal data concerning you; if so, for which purposes I process such data and which categories of personal data I process; to whom such data has been transmitted (if applicable); for what period such data will be stored (if applicable); and what rights you are entitled to;
- to have inaccurate personal data concerning you that is stored at my office rectified. Likewise, you have the right to have any incomplete data set that is stored at my office supplemented by me;
- the right to demand erasure of the personal data pertaining to you provided that a ground for erasure applies as provided for by statute (cf. Art. 17 GDPR) and the processing of your data is not called for in order to comply with a legal obligation or for other overriding grounds as per the GDPR;
- to require that, going forward, I process your data only in a restricted way — e.g. for purposes of establishing legal claims or owing to an important public interest — while I examine, for instance, your entitlement to rectification or your objection or (where applicable) in the event that I reject your claim for erasure (cf. Art. 18 GDPR);
- to object to the processing where such processing is necessary for me to perform my tasks that are in the public interest, or to discharge my public office, if there are grounds for such objection that arise from your particular situation;
- to turn to the supervisory authorities with a complaint under data-protection law. The supervisory authority with jurisdiction in relation to me is the
Commissioner for Data Protection and Freedom
of Information of the state (Land) of Berlin,
Friedrichstr. 219
10969 Berlin | Germany
P +49 30 138890
F +49 30 2155050
mailbox@datenschutz-berlin.de
datenschutz-berlin.de
- The complaint may be filed with any supervisory authority regardless of jurisdiction.
Stay in touch
Subscribe to our newsletter to stay up to date on insights and events.