Privacy Policy

I. Name and contact details of the party responsible for processing data and its data protection officer

This information on data protection applies to data processed by:

Responsible Party

Schlun & Elseven Rechtsanwälte PartG mbB
(hereinafter: the law firm)
Von-Coels-Str. 214
52080 Aachen
Tel: +49 (0) 241 4757140
Fax: +49 (0) 241 47571469

Data Protection Officer

DataCo GmbH
Nymphenburger Str. 86
80636 Munich
Tel: +49 (0) 89 452459 900

II. Legal Basis of this Privacy Policy

Our law firm processes personal data in compliance with the data protection regulations set out in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as the Telecommunications Telemedia Data Protection Act (TTDPA). Personal data in the sense of the regulations above (Art. 4 No. 1 DSGVO) is information that relates to an identified or identifiable natural person. Your data will be processed by us if

  • you have consented to this (Art. 6 para. 1 sentence 1 lit. a) GDPR),
  • it is necessary for the performance of a contract with you or for the implementation of pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b) GDPR),
  • it is necessary for the performance of a contractual obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) or
  • it is necessary to protect the legitimate interests of our law firm or a third party, and if there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Accordingly, your personal data will not be transferred to third parties for purposes other than those listed above.

III. Collection and Storage of Personal Data: Type of Data and Purpose of Use

1. When visiting the website

When you visit our website, the browser on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called “logfile”. The following information is collected without any action on your part and stored until automatic deletion:

  • IP address of the device accessing the website,
  • date and time of access,
  • name and URL of the file accessed,
  • the website from which the access took place (referrer URL),
  • the browser and potentially the operating system used by your device and the name of your access provider.

We process the data mentioned above for the following purposes:

  • Ensuring that the device connects to the website smoothly,
  • ensuring that our website can be used comfortably,
  • evaluating the security and stability of the system.

The legal basis for the data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest results from the purposes for data collection listed above. We do not use in any case the collected data to conclude your person.

We also use cookies and analysis services. Cookies that are not necessary for the website’s functionality are only set after your consent. You can find more detailed explanations under points IV and V of this data protection declaration.

2. When using our contact form

For questions of any kind, we offer you the option to contact us via a form provided on our website. This requires providing us with a valid e-mail address, your first and last name, and telephone number. In this way, we know who the enquiry is from and can respond to it. Further information can be provided voluntarily.

Data processing to contact us is based on legitimate interest under Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the user-friendly collection as well as the processing and answering of your enquiry.

The personal data collected by us for the use of the contact form will be automatically deleted after the enquiry you made has been dealt with, or the purpose of the contact has ceased to exist. If a client relationship with you has come about and the purpose of processing your data has not yet ended, we will continue to store it. We comply with the requirements for purpose limitation, data minimisation and storage limitation set out in Art. 5 para. 1 lit. b), c) and e) GDPR. More detailed information on the storage period of personal data can be found under point VII.

3. Paying an appointment

When you book a fee-based appointment with Schlun & Elseven Rechtsanwälte, we collect your billing information and billing address to secure the appointment through our website. For processing payments, we use Stripe, Inc. (“Stripe) or the digital payment platform PayPal on our website.

Data processing for the purpose of contacting us and processing payments via the service provider Stripe or PayPal is based on Art. 6 para. 1 sentence 1 lit. b) GDPR, as it is necessary for the payment and thus for the performance of the contract or pre-contractual measures. Furthermore, we use the above-mentioned payment service providers per Art. 6 para. 1 sentence 1 lit. f) GDPR to be able to offer you secure options for processing your payment.

a. Processing payment via Stripe

In connection with the payment process for booking an appointment, Stripe may collect your billing information and address. The information you provide via Stripe is subject to Stripe’s privacy policy (available at

Stripe has implemented compliance measures based on the EU Standard Contractual Clauses (SCCs) for the international transfer of data. These form a guarantee for protecting personal data transferred to third countries (cf. Art. 44 ff. GDPR). In addition, Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. This is the strictest certification level possible in online payment transactions. By using excellent security procedures, Stripe ensures a high level of security.

Stripe complies with the General Data Protection Regulation requirements and always working to guarantee data protection and security. Furthermore, a corresponding contract for the order processing is in place.

b. Porcessing payment via PayPal

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxemburg. If you choose PayPal as a payment method, your data required for the payment process will automatically be transmitted to PayPal. Only the amount to be paid and the IP address necessary to identify the payment process are transferred. To use this service for payment, the customer independently registers with PayPal or uses the (limited) option of using the payment platform without a PayPal account. Accordingly, the customer accepts PayPal’s data protection provisions when registering and accessing or using products, services, content, technologies, functions etc.

4. Crisp

We offer direct contact with a member of our staff via live chat if you have questions or concerns. For this purpose, we use the live chat software from Crisp, operated by Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France. In doing so, Crisp collects its clients’ data (our firm) and their users (website visitors and users of our chat facility). Crisp does not sell or pass on your or our data, nor does it use them for advertising purposes.

The following data from you will be stored at Crisp to secure access to them for our law firm:

  • Email address as well as telephone number (if provided),
  • messages exchanged,
  • date and time of last activity.

The information of the chat user is stored for as long as necessary for the purpose. Only our law firm is permitted to access this data.

Crisp protects the transmitted data by taking reasonable precautions and adhering to the European General Data Protection Regulation requirements.

The data processing to contact us via live chat is based on your voluntarily given consent by Art. 6 para. 1 sentence 1 lit. a) GDPR.

5. KeyCDN

We use a Content Delivery Network (“CDN”) of the technology service provider proinity LLC, Frankenstrasse 9, 8832 Wollerau, Switzerland (“KeyCDN”) on our website.

This service is mainly used to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the Internet instead of the origin server. The use of KeyCDN’s Content Delivery Network helps us optimise our website’s loading speed and ensures that our visitors worldwide can access our website as quickly as possible. In the event of an attack (e.g., DDoS attack) on our website and similar unauthorised actions, KeyCDN helps us defend ourselves.

The processing is carried out under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in the safe and efficient provision and improvement of the stability and functionality of our website.

6. Sendinblue

Our law firm uses the email relay service “Sendinblue” for sending business emails. The service provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. The Sendinblue GmbH is a certified German provider that fulfils the requirements of GDPR and the Federal Data Protection Act.

The data you enter while using our contact form is stored both on the server of our law firm and on the Sendinblue GmbH server. This includes, for example, your name and email address. Our law firm does not use Sendinblue to send newsletters or other advertising products.

The processing is based on Art. 6 para. 1 lit. a) GDPR. The legitimate interest lies in the reliable and secure delivery of business emails, which serve, among other things, to confirm appointments or the payment of initial consultation fees.

Sendinblue does not sell or share your personal information with third parties or use it for any purpose other than for our designated business emails.

7. CleverReach

To create and send newsletters, our law firm uses the email marketing tool “CleverReach” of the company CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. CleverReach fulfils the requirements of the GDPR and guarantees data security through a TÜV-tested system.

CleverReach uses a double opt-in procedure (DOI) to register for the newsletter. Those interested in a subscription receive an email containing a link to confirm the subscription. As soon as the interested party has approved the link, the subscription to the newsletter takes place. Personal data is stored on the CleverReach servers, which are exclusively located in the EU.

The email marketing software by CleverReach complies with the European General Data Protection Regulation (GDPR) requirements and guarantees the highest level of data security. In addition, CleverReach has been audited and has received DIN ISO/IEC 27001 certification and confirmation as a (DSS/PCI) Level 1 service provider.

Your data is processed under Art. 6 para. 1 lit. a) GDPR based on your voluntary given consent.

8. Cryptshare in own Management

For the secure transfer of files of any kind and size, our law firm uses the ISO 27001 and NTA 7516 certified digital transfer service Cryptshare. Cryptshare AG, Schwarzwaldstr. 151, 79102 Freiburg, Germany, develops software solutions for companies.

Our law firm has its own Cryptshare server, thus ensuring the secure transmission of files. Before sending our emails, we can select an email classification, which allows us to determine the level of protection required for the information contained in the message. To ensure an optimal level of security, the sending of emails is always done through an encrypted data transfer.

Cryptshare is subject to the European General Data Protection Regulation (GDPR) requirements and the Federal Data Protection Act (BDSG). Personal data is processed under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in securely sending files of any size and type.

9. YOURLS URL Shortener in own Management

In the interest of data minimisation, we operate our own URL shortener. This creates a short URL for long internet addresses (URLs) and stores statistics about the calls to the respective short URL. To protect the calling IP address, we use the “YOURLS Pseudonymize Plugin”, which discards the last two digits of each IP address. It is an open-source software. Short URLs are used, among other things, on third-party websites, social media portals or blogs to measure reach. The data collected after pseudonymisation is processed by us and not passed on to third parties. The server is located in Germany.

The corresponding processing is carried out by Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in measuring the reach of our website and in providing user-friendly links.

10. Salesforce

We use the Sales Cloud of the company Salesforce, represented in Germany by Germany GmbH (Erika-Mann-Str. 31, 80636 Munich, Germany) for customer service and to optimise our customer contact. The US parent company is based in San Francisco, CA 94105, USA.

We use the Sales Cloud of the company Salesforce, which is a customer relationship management system (CRM) that centrally records and processes the enquiries received via the various channels. The servers for processing all personal data are located within the EU. Under no circumstances will your data be sold to third companies, persons or institutions or passed on to service providers other than those mentioned here.

In addition, Salesforce undertakes to ensure an adequate level of data protection comparable to that of the European Union through binding corporate rules by Art. 46 para. 2 lit. b) and Art. 47 GDPR.

The data security and integrity of Salesforce´s systems are proven through numerous certifications. These include:

  • ISO 27001, ISO 27017, ISO 27018,
  • PCI DSS,
  • Privacy Shield,
  • Truste Privacy Verified Seal.

As a matter of principle, we do not use Salesforce services that result in the transfer of personal data to a non-European Salesforce infrastructure.

The legal basis for the collection and processing of data by Salesforce is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in processing your data with an efficient and secure customer management system and preparing it for further internal processing.

11. CookieFirst – Cookie Consent Management Platform (CMP)

Our website uses the Cookie Consent Management Platform (CMP) of CookieFirst ( to obtain your consent to store certain cookies on your terminal device and document this by data protection law. The provider of this platform is Digital Data Solutions B.V., Plantage Middenlan 42a, 1018-DH Amsterdam, the Netherlands (hereinafter “CookieFirst”).

When you access our website, the following personal data is transferred to CookieFirst:

  • Your consent(s) or withdrawal of your consent(s),
  • your IP address,
  • information about your browser,
  • information about your terminal device,
  • the time of your visit to the website.

In addition, CookieFirst stores a cookie in your browser to be able to assign your consent(s) or their revocation to you. The collected data is stored until you request to delete it, CookieFirst deletes the cookies itself, or the purpose of storing the data no longer applies. Mandatory legal storage obligations remain unaffected by this.

CookieFirst is used to obtain the legally required consent to the use of cookies. The legal basis for this is Art. 6 para. 1 p.1 lit. c) GDPR.

Contact for order processing

We have concluded an order processing contract with CookieFirst. This contract is required under data protection law, which ensures that CookieFirst only processes the personal data of our website visitors by our instructions and in compliance with the provisions of the GDPR.

12. – Appointment Booking System

The online booking system “SimplyMeet” from the company “ LTD” is used for booking appointments. This company has its registered office in the EU; the registered company address is “30 Glathonos, P. Makedonas Court, 3041, Limassol, Cyprus”.

A current joint data processing agreement considering the Standard Contractual Clauses is in place. The service is ISO 27001 certified, and the company operates strictly to this security standard with regular staff training and a dedicated security officer. In addition to regular server scans, the data processor conducts extensive 3rd party penetration tests every year. Secure staff communication, daily backups in different data centres and hosting of all data on European servers secure your data.

When using this service, the following data is processed:

  • IP address (when loading the booking page)
  • E-mail address (for delivering the appointment and any appointment links)
  • Telephone number (as primary or alternative contact for the appointment)
  • The subject of the appointment (to classify the content of the appointment)
  • Appointment booked during the process: Date & Time (Essential for the system’s functionality).

The data just listed are processed based on Art. 6 (1) (f) DSGVO within the framework of a legitimate interest to provide the booking service in the form of a website. The legitimate interest lies in the secure provision of a high-performance and “self-service” appointment booking system that accommodates the interested party.

We will retain this data for as long as is necessary to provide you with the software solution and to ensure that the booked appointment(s) can successfully take place.

IV. Cookies

We use so-called cookies on our website. When you visit our website, these small files are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.). Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware.

The cookie stores information created in connection with the specific end device used. However, this does not mean that we gain direct knowledge of your identity. Instead, the use of cookies serves to make our offer more pleasant for you. We use so-called “session cookies” to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our website.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a certain fixed period. If you revisit our website, it is automatically recognised that you have visited our website at an earlier time. In addition, the entries, and settings that you have made are also acknowledged so that you do not have to re-enter them.

We also use cookies to record the use of our website statistically and evaluate it to optimise our offer for you (see point V). If you return to our website, these cookies enable us to recognise that you have been on our website. These cookies are automatically deleted after a certain period.

The data processed by cookies are necessary for the purposes mentioned above to protect our legitimate interests and those of third parties by Art. 6 para. 1 sentence 1 lit. f) GDPR.

Please note: Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer, or a notice always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website. For more information about cookies on our website, please refer to our Cookie Policy.

V. Analysis and Tracking Tools

The tracking measures listed below and used by us are based on Art. 6 para. 1 p. 1 lit. f) GDPR. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our website. In addition, we use the tracking measures to statistically record the use of our website and evaluate it to optimise our offer for you. These interests must be regarded as legitimate within the provision above. The respective data processing purposes and data categories can be found in the corresponding tracking tools.

1. Google Ads Conversion Tracking

To statistically record our website’s use and evaluate it for the purpose of optimising our website for you, we also use Google conversion tracking. A cookie (see point IV) will be placed on your computer if you have accessed our website via a Google ad. These cookies lost their validity after 30 days and are not used for personal identification. If a user visits certain pages of our website and the cookie has not yet expired, Google and our law firm will be able to recognise that this user has clicked on the ad and been redirected to the page.

Each ads client receives a different cookie. Therefore, cookies cannot be tracked across ads clients´ websites. The information obtained using the conversion cookies is used to create conversion statistics for ads clients who have opted for conversion tracking. Ads clients are told the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to identify users personally.

If you do not wish to participate in the tracking procedure, you can refuse the setting of a cookie required for this – for example, via a browser setting that generally deactivates the automatic setting of cookies. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the domain Google´s privacy policy on conversion tracking can be found here

2. Google Tag Manager

Our law firm uses a Google Tag Manager, which is a tag management system (TSM). It collects data on our website, which is then forwarded to the analysis mentioned above tool (Google Ads Conversion Tracking) to get analysed.

To enable classification of the data and thus the corresponding allocation, code fragments (tags) are created on our website within a container. In this way, the data is collected and then sent to the corresponding tool and processed. The processing is carried out according to the European General Data Protection Regulation (GDPR) requirements.

The systems and processes of the Google products mentioned are ISO 27001 certified.

3. etracker

The provider of this website uses the services of etracker GmbH from Hamburg, Germany ( to analyse usage data. We do not use cookies for web analysis by default. As we use analysis and optimisation cookies, we obtain your explicit consent separately in advance. If this is the case and you consent, cookies will be used to enable a statistical coverage analysis of this website, a measurement of the success of our online marketing measures, as well as test procedures, e.g., to test and optimise different versions of our online offer or its components. Cookies are small text files stored by the internet browser on the user´s end device. etracker cookies do not contain any information that enables the identification of a user.

The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently audited, certified and awarded with the ePrivacyseal data protection seal of approval.

Data processing is carried out based on the legal provisions of Art. 6 para. 1 lit. f) (legitimated interests) of the General Data Protection Regulation (GDPR). Our concern regarding the GDPR (legitimate interests) is optimising our online offer and our web presence. Since the privacy of our visitors is important to us, data that may allow a reference to a person, such as the IP address, login or device identifiers, are anonymised or pseudonymised as soon as possible. No other use is made from the data, nor is it merged with other data or passed on to third parties.

You can object to the data mentioned above processing at any time. The objection has no adverse consequences.

VI. Application – Storage and Deletion of Data

In the course of an application procedure, our law firm processes several personal data. This information provided by applicants is only used to process this procedure. Therefore, only data relevant to the decision-making process is collected and stored.

Furthermore, the data is only forwarded to the departments responsible for applications within our law firm. Access by unauthorised persons is not possible. Particularly sensitive data, such as religious affiliation, marital status or sexual orientation, is redacted before further processing, as our law firm does not store such applicant data as part of the process. Any data provided by the applicant will not be passed on to third parties.

If our law firm does not offer the applicant employment, the data will be deleted, and the documents returned. The deletion of personal data takes place six months after notification of the rejection. In exceptional cases, automatic deletion after this period may be waived if a corresponding agreement has been reached with the applicant. Consent to the continued storage of data could serve the purpose of including the application in an applicant pool. However, deletion from this pool is also possible and requires a revocation by the applicant.

If the applicant is hired, the data provided to us in the application will be included in the applicant’s personnel file.  We may ask questions to supplement data relevant to the employment relationship in some cases.

The legal basis for processing your personal data is Article 6 para. 1 lit. b) and Article 88 para. 1 GDPR as well as Section 26 para. 1 BDSG.

VII. Duration of Storage

It follows from the provision on the storage of personal data standardised in Art. 5 para. 1 GDPR that personal data may be stored for the period required for the specific purpose. Your personal data provided to us will therefore be stored for as long as is necessary for the particular processing purpose. This means:

As a result of the lawyer´s duty to retain data as standardised in Section 50 of the Federal Lawyer´s Act (BRAO), we are obliged to retain the hand files and the electronic data processing used in the context of these for six years. Under Section 50 para. 1 sentence 3 BRAO, the period begins with the end of the calendar year in which the assignment was terminated.

If our law firm receives personal data from a potential client, we will process this data for the following purposes:

  • Possibility of contract,
  • verification of a conflict of interest,
  • pre-contractual exchange.

If no client relationship is established, your data will not be further processed by us.