III. Collection and Storage of Personal Data: Type of Data and Purpose of Use
1. When visiting the website
When you visit our website https://se-legal.de/?lang=en, the browser on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called “logfile”. The following information is collected without any action on your part and stored until automatic deletion:
- IP address of the device accessing the website,
- date and time of access,
- name and URL of the file accessed,
- the website from which the access took place (referrer URL),
- the browser and potentially the operating system used by your device and the name of your access provider.
We process the data mentioned above for the following purposes:
- Ensuring that the device connects to the website smoothly,
- ensuring that our website can be used comfortably,
- evaluating the security and stability of the system.
The legal basis for the data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest results from the purposes for data collection listed above. Under no circumstances do we use the collected data to draw conclusions about you as a person.
2. When using our contact form
For questions of any kind, we offer you the option to contact us via a form provided on our website. This requires providing us with a valid e-mail address, your first and last name, and telephone number. In this way, we know who the enquiry is from and can respond to it. Further information can be provided voluntarily.
Data processing to contact us is based on legitimate interest under Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the user-friendly collection as well as the processing and answering of your enquiry.
The personal data collected by us for the use of the contact form will be automatically deleted after the enquiry you made has been dealt with, or the purpose of the contact has ceased to exist. If a client relationship with you has come about and the purpose of processing your data has not yet ended, we will continue to store it. We comply with the requirements for purpose limitation, data minimisation and storage limitation set out in Art. 5 para. 1 lit. b), c) and e) GDPR. More detailed information on the storage period of personal data can be found under point VII.
3. Paying for an appointment
When you book a fee-based appointment with Schlun & Elseven Rechtsanwälte, we collect your billing information and billing address to secure the appointment through our website. For processing payments, we use Stripe, Inc. (“Stripe”) or the digital payment platform PayPal on our website.
Data processing for the purpose of contacting us and processing payments via the service provider Stripe or PayPal is based on Art. 6 para. 1 sentence 1 lit. b) GDPR, as it is necessary for the payment and thus for the performance of the contract or pre-contractual measures. Furthermore, we use the above-mentioned payment service providers per Art. 6 para. 1 sentence 1 lit. f) GDPR to be able to offer you secure options for processing your payment.
a. Processing payment via Stripe
Stripe has implemented compliance measures based on the EU Standard Contractual Clauses (SCCs) for the international transfer of data. These form a guarantee for protecting personal data transferred to third countries (cf. Art. 44 ff. GDPR). In addition, Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. This is the strictest certification level possible in online payment transactions. By using excellent security procedures, Stripe ensures a high level of security.
Stripe complies with the General Data Protection Regulation requirements and is always working to guarantee data protection and security. Furthermore, a corresponding contract for the order processing is in place.
b. Processing payment via PayPal
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as a payment method, your data required for the payment process will automatically be transmitted to PayPal. Only the amount to be paid and the IP address necessary to identify the payment process are transferred. To use this service for payment, the customer independently registers with PayPal or uses the (limited) option of using the payment platform without a PayPal account. Accordingly, the customer accepts PayPal’s data protection provisions when registering and accessing or using products, services, content, technologies, functions etc.
We offer direct contact with a member of our staff via live chat if you have questions or concerns. For this purpose, we use the live chat software from Crisp, operated by Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France. In doing so, Crisp collects its clients’ data (our firm) and their users (website visitors and users of our chat facility). Crisp does not sell or pass on your or our data, nor does it use them for advertising purposes.
The following data from you will be stored at Crisp to secure access to them for our law firm:
- Email address as well as telephone number (if provided),
- messages exchanged,
- date and time of last activity.
The information of the chat user is stored for as long as necessary for the purpose. Only our law firm is permitted to access this data.
Crisp protects the transmitted data by taking reasonable precautions and adhering to the European General Data Protection Regulation requirements.
The data processing to contact us via live chat is based on your voluntarily given consent under Art. 6 para. 1 sentence 1 lit. a) GDPR.
We use a Content Delivery Network (“CDN”) of the technology service provider proinity LLC, Frankenstrasse 9, 8832 Wollerau, Switzerland (“KeyCDN”) on our website.
This service is mainly used to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the Internet instead of the origin server. The use of KeyCDN’s Content Delivery Network helps us optimise our website’s loading speed and ensures that our visitors worldwide can access our website as quickly as possible. In the event of an attack (e.g., DDoS attack) on our website and similar unauthorised actions, KeyCDN helps us defend ourselves.
The processing is carried out under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in the safe and efficient provision and improvement of the stability and functionality of our website.
Our law firm uses the email relay service “Sendinblue” for sending business emails. The service provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Sendinblue GmbH is a certified German provider that fulfils the requirements of GDPR and the Federal Data Protection Act.
The data you enter while using our contact form is stored both on the server of our law firm and on the Sendinblue GmbH server. This includes, for example, your name and email address. Our law firm does not use Sendinblue to send newsletters or other advertising products.
The processing is based on Art. 6 para. 1 lit. a) GDPR. The legitimate interest lies in the reliable and secure delivery of business emails, which serve, among other things, to confirm appointments or the payment of initial consultation fees.
Sendinblue does not sell or share your personal information with third parties or use it for any purpose other than for our designated business emails.
To create and send newsletters, our law firm uses the email marketing tool “CleverReach” of the company CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. CleverReach fulfils the requirements of the GDPR and guarantees data security through a TÜV-tested system.
CleverReach uses a double opt-in procedure (DOI) to register for the newsletter. Those interested in a subscription receive an email containing a link to confirm the subscription. As soon as the interested party has approved the link, the subscription to the newsletter takes place. Personal data is stored on the CleverReach servers, which are exclusively located in the EU.
The email marketing software by CleverReach complies with the European General Data Protection Regulation (GDPR) requirements and guarantees the highest level of data security. In addition, CleverReach has been audited and has received DIN ISO/IEC 27001 certification and confirmation as a (DSS/PCI) Level 1 service provider.
Your data is processed under Art. 6 para. 1 lit. a) GDPR based on your voluntarily given consent.
For the secure transfer of files of any kind and size, our law firm uses the ISO 27001 and NTA 7516 certified digital transfer service Cryptshare. Cryptshare AG, Schwarzwaldstr. 151, 79102 Freiburg, Germany, develops software solutions for companies.
Our law firm has its own Cryptshare server, thus ensuring the secure transmission of files. Before sending our emails, we can select an email classification, which allows us to determine the level of protection required for the information contained in the message. To ensure an optimal level of security, the sending of emails is always done through an encrypted data transfer.
Cryptshare is subject to the European General Data Protection Regulation (GDPR) requirements and the Federal Data Protection Act (BDSG). Personal data is processed under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in securely sending files of any size and type.
9. YOURLS URL Shortener Under Our Own Management
In the interest of data minimisation, we operate our own URL shortener. This creates a short URL for long internet addresses (URLs) and stores statistics about the calls to the respective short URL. To protect the calling IP address, we use the “YOURLS Pseudonymize Plugin”, which discards the last two digits of each IP address. It is open-source software. Short URLs are used, among other things, on third-party websites, social media portals or blogs to measure reach. The data collected after pseudonymisation is processed by us and not passed on to third parties. The server is located in Germany.
The corresponding processing is carried out under Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in measuring the reach of our website and in providing user-friendly links.
We use the Sales Cloud of the company Salesforce, represented in Germany by Salesforce.com Germany GmbH (Erika-Mann-Str. 31, 80636 Munich, Germany) for customer service and to optimise our customer contact. The US parent company is based in San Francisco, CA 94105, USA.
The Sales Cloud is a customer relationship management (CRM) system that centrally records and processes the enquiries received via the various channels. The servers for processing all personal data are located within the EU. Under no circumstances will your data be sold to third-party companies, persons or institutions or passed on to service providers other than those mentioned here.
In addition, Salesforce undertakes to ensure an adequate level of data protection comparable to that of the European Union through binding corporate rules under Art. 46 para. 2 lit. b) and Art. 47 GDPR.
The data security and integrity of Salesforce’s systems are proven through numerous certifications. These include:
- ISO 27001, ISO 27017, ISO 27018,
- PCI DSS,
- Privacy Shield,
- Truste Privacy Verified Seal.
As a matter of principle, we do not use Salesforce services that result in the transfer of personal data to a non-European Salesforce infrastructure.
The legal basis for the collection and processing of data by Salesforce is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in processing your data with an efficient and secure customer management system and preparing it for further internal processing.
11. CookieFirst – Cookie Consent Management Platform (CMP)
Our website uses the Cookie Consent Management Platform (CMP) of CookieFirst (https://cookiefirst.com/) to obtain your consent to store certain cookies on your terminal device and to document this in accordance with data protection law. The provider of this platform is Digital Data Solutions B.V., Plantage Middenlan 42a, 1018-DH Amsterdam, the Netherlands (hereinafter “CookieFirst”).
When you access our website, the following personal data is transferred to CookieFirst:
- Your consent(s) or withdrawal of your consent(s),
- your IP address,
- information about your browser,
- information about your terminal device,
- the time of your visit to the website.
In addition, CookieFirst stores a cookie in your browser to be able to assign your consent(s) or their revocation to you. The collected data is stored until you request to delete it, CookieFirst deletes the cookies itself, or the purpose of storing the data no longer applies. Mandatory legal storage obligations remain unaffected by this.
Contract for order processing
We have concluded an order processing contract with CookieFirst. This contract, which is required under data protection law, ensures that CookieFirst only processes the personal data of our website visitors in accordance with our instructions and in compliance with the provisions of the GDPR.
12. SimplyMeet.me – Appointment Booking System
The online booking system “SimplyMeet” from the company “SimplyBook.me LTD” is used for booking appointments. This company has its registered office in the EU; the registered company address is “30 Glathonos, P. Makedonas Court, 3041, Limassol, Cyprus”.
A current joint data processing agreement considering the Standard Contractual Clauses is in place. The SimplyMeet.me service is ISO 27001 certified, and the company operates strictly to this security standard with regular staff training and a dedicated security officer. In addition to regular server scans, the data processor conducts extensive third-party penetration tests every year. Secure staff communication, daily backups in different data centres and hosting of all data on European servers secure your data.
When using this service, the following data is processed:
- IP address (when loading the booking page)
- E-mail address (for delivering the appointment and any appointment links)
- Telephone number (as primary or alternative contact for the appointment)
- The subject of the appointment (to classify the content of the appointment)
- Appointment booked during the process: Date & Time (Essential for the system’s functionality).
The data just listed are processed based on Art. 6 (1) (f) GDPR within the framework of a legitimate interest to provide the booking service in the form of a website. The legitimate interest lies in the secure provision of a high-performance and “self-service” appointment booking system that accommodates the interested party.
We will retain this data for as long as is necessary to provide you with the SimplyMeet.me software solution and to ensure that the booked appointment(s) can successfully take place.