I. Name and contact details of the party responsible for processing data and its data protection officer
This information on data protection applies to data processed by:
Schlun & Elseven Rechtsanwälte PartG mbB
(hereinafter: the law firm)
Tel: +49 (0) 241 4757140
Fax: +49 (0) 241 47571469
Data Protection Officer
Dachauer Str. 63
Tel: +49 (0) 89 8967 5516 93
Our law firm processes personal data in compliance with the data protection regulations set out in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as the Telecommunications Telemedia Data Protection Act (TTDPA). Personal data in the sense of the regulations above (Art. 4 No. 1 GDPR) is information that relates to an identified or identifiable natural person. Your data will be processed by us if
- you have consented to this (Art. 6 para. 1 sentence 1 lit. a) GDPR),
- it is necessary for the performance of a contract with you or for the implementation of pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b) GDPR),
- it is necessary for the performance of a contractual obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) or
- it is necessary to protect the legitimate interests of our law firm or a third party, and if there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Accordingly, your personal data will not be transferred to third parties for purposes other than those listed above.
III. Collection and Storage of Personal Data: Type of Data and Purpose of Use
1. When visiting the website
When you visit our website https://se-legal.de/?lang=en, the browser on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called “logfile”. The following information is collected without any action on your part and stored until automatic deletion:
- IP address of the device accessing the website,
- date and time of access,
- name and URL of the file accessed,
- the website from which the access took place (referrer URL),
- the browser and potentially the operating system used by your device and the name of your access provider.
We process the data mentioned above for the following purposes:
- Ensuring that the device connects to the website smoothly,
- ensuring that our website can be used comfortably,
- evaluating the security and stability of the system.
The legal basis for the data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest results from the purposes for data collection listed above. Under no circumstances do we use the collected data to draw conclusions about your identity.
2. When using our contact form
For questions of any kind, we offer you the option to contact us via a form provided on our website. This requires providing us with a valid e-mail address, your first and last name, and telephone number. In this way, we know who the enquiry is from and can respond to it. Further information can be provided voluntarily.
Data processing to contact us is based on legitimate interest under Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the user-friendly collection as well as the processing and answering of your enquiry.
The personal data collected by us for the use of the contact form will be automatically deleted after the enquiry you made has been dealt with, or the purpose of the contact has ceased to exist. If a client relationship with you has come about and the purpose of processing your data has not yet ended, we will continue to store it. We comply with the requirements for purpose limitation, data minimisation and storage limitation set out in Art. 5 para. 1 lit. b), c) and e) GDPR. More detailed information on the storage period of personal data can be found under point VII.
3. Paying for an appointment
When you book a fee-based appointment with Schlun & Elseven Rechtsanwälte, we collect your billing information and billing address to secure the appointment through our website. For processing payments, we use Stripe, Inc. (“Stripe”) or the digital payment platform PayPal on our website.
Data processing for the purpose of contacting us and processing payments via the service provider Stripe or PayPal is based on Art. 6 para. 1 sentence 1 lit. b) GDPR, as it is necessary for the payment and thus for the performance of the contract or pre-contractual measures. Furthermore, we use the above-mentioned payment service providers per Art. 6 para. 1 sentence 1 lit. f) GDPR to be able to offer you secure options for processing your payment.
a. Processing payment via Stripe
Stripe has implemented compliance measures based on the EU Standard Contractual Clauses (SCCs) for the international transfer of data. These form a guarantee for protecting personal data transferred to third countries (cf. Art. 44 ff. GDPR). In addition, Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. This is the strictest certification level possible in online payment transactions. By using excellent security procedures, Stripe ensures a high level of security.
Stripe complies with the General Data Protection Regulation requirements and is always working to guarantee data protection and security. Furthermore, a corresponding contract for the order processing is in place.
b. Processing payment via PayPal
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxemburg. If you choose PayPal as a payment method, your data required for the payment process will automatically be transmitted to PayPal. Only the amount to be paid and the IP address necessary to identify the payment process are transferred. To use this service for payment, the customer independently registers with PayPal or uses the (limited) option of using the payment platform without a PayPal account. Accordingly, the customer accepts PayPal’s data protection provisions when registering and accessing or using products, services, content, technologies, functions etc.
We offer direct contact with a member of our staff via live chat if you have questions or concerns. For this purpose, we use the live chat software from Crisp, operated by Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France. In doing so, Crisp collects data on its clients (our firm) and their users (website visitors and users of our chat facility). Crisp does not sell or pass on your or our data, nor does it use them for advertising purposes.
The following data from you will be stored at Crisp to secure access to them for our law firm:
- Email address as well as telephone number (if provided),
- messages exchanged,
- date and time of last activity.
The information of the chat user is stored for as long as necessary for the purpose. Only our law firm is permitted to access this data.
Crisp protects the transmitted data by taking reasonable precautions and adhering to the European General Data Protection Regulation requirements.
The data processing to contact us via live chat is based on your voluntarily given consent under Art. 6 para. 1 sentence 1 lit. a) GDPR.
We use a Content Delivery Network (“CDN”) of the technology service provider proinity LLC, Frankenstrasse 9, 8832 Wollerau, Switzerland (“KeyCDN”) on our website.
This service is mainly used to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the Internet instead of the origin server. The use of KeyCDN’s Content Delivery Network helps us optimise our website’s loading speed and ensures that our visitors worldwide can access our website as quickly as possible. In the event of an attack (e.g., DDoS attack) on our website and similar unauthorised actions, KeyCDN helps us defend ourselves.
The processing is carried out under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in the safe and efficient provision and improvement of the stability and functionality of our website.
Our law firm uses the email relay service “Sendinblue” for sending business emails. The service provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Sendinblue GmbH is a certified German provider that fulfils the requirements of GDPR and the Federal Data Protection Act.
The data you enter while using our contact form is stored both on the server of our law firm and on the Sendinblue GmbH server. This includes, for example, your name and email address. Our law firm does not use Sendinblue to send newsletters or other advertising products.
The processing is based on Art. 6 para. 1 lit. a) GDPR. The legitimate interest lies in the reliable and secure delivery of business emails, which serve, among other things, to confirm appointments or the payment of initial consultation fees.
Sendinblue does not sell or share your personal information with third parties or use it for any purpose other than for our designated business emails.
To create and send newsletters, our law firm uses the email marketing tool “CleverReach” of the company CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. CleverReach fulfils the requirements of the GDPR and guarantees data security through a TÜV-tested system.
CleverReach uses a double opt-in procedure (DOI) to register for the newsletter. Those interested in a subscription receive an email containing a link to confirm the subscription. As soon as the interested party has approved the link, the subscription to the newsletter takes place. Personal data is stored on the CleverReach servers, which are exclusively located in the EU.
The email marketing software by CleverReach complies with the European General Data Protection Regulation (GDPR) requirements and guarantees the highest level of data security. In addition, CleverReach has been audited and has received DIN ISO/IEC 27001 certification and confirmation as a (DSS/PCI) Level 1 service provider.
Your data is processed under Art. 6 para. 1 lit. a) GDPR based on your voluntarily given consent.
For the secure transfer of files of any kind and size, our law firm uses the ISO 27001 and NTA 7516 certified digital transfer service Cryptshare. Cryptshare AG, Schwarzwaldstr. 151, 79102 Freiburg, Germany, develops software solutions for companies.
Our law firm has its own Cryptshare server, thus ensuring the secure transmission of files. Before sending our emails, we can select an email classification, which allows us to determine the level of protection required for the information contained in the message. To ensure an optimal level of security, the sending of emails is always done through an encrypted data transfer.
Cryptshare is subject to the European General Data Protection Regulation (GDPR) requirements and the Federal Data Protection Act (BDSG). Personal data is processed under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in securely sending files of any size and type.
9. YOURLS URL Shortener under our own Management
In the interest of data minimisation, we operate our own URL shortener. This creates a short URL for long internet addresses (URLs) and stores statistics about the calls to the respective short URL. To protect the calling IP address, we use the “YOURLS Pseudonymize Plugin”, which discards the last two digits of each IP address. It is open-source software. Short URLs are used, among other things, on third-party websites, social media portals or blogs to measure reach. The data collected after pseudonymisation is processed by us and not passed on to third parties. The server is located in Germany.
The corresponding processing is carried out under Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in measuring the reach of our website and in providing user-friendly links.
We use the Sales Cloud of the company Salesforce, represented in Germany by Salesforce.com Germany GmbH (Erika-Mann-Str. 31, 80636 Munich, Germany) for customer service and to optimise our customer contact. The US parent company is based in San Francisco, CA 94105, USA.
We use the Sales Cloud of the company Salesforce, which is a customer relationship management system (CRM) that centrally records and processes the enquiries received via the various channels. The servers for processing all personal data are located within the EU. Under no circumstances will your data be sold to third companies, persons or institutions or passed on to service providers other than those mentioned here.
In addition, Salesforce undertakes to ensure an adequate level of data protection comparable to that of the European Union through binding corporate rules under Art. 46 para. 2 lit. b) and Art. 47 GDPR.
The data security and integrity of Salesforce's systems are proven through numerous certifications. These include:
- ISO 27001, ISO 27017, ISO 27018,
- PCI DSS,
- Privacy Shield,
- Truste Privacy Verified Seal.
As a matter of principle, we do not use Salesforce services that result in the transfer of personal data to a non-European Salesforce infrastructure.
The legal basis for the collection and processing of data by Salesforce is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in processing your data with an efficient and secure customer management system and preparing it for further internal processing.
11. CookieFirst – Cookie Consent Management Platform (CMP)
Our website uses the Cookie Consent Management Platform (CMP) of CookieFirst (https://cookiefirst.com/) to obtain your consent to store certain cookies on your terminal device and to document this in accordance with data protection law. The provider of this platform is Digital Data Solutions B.V., Plantage Middenlan 42a, 1018-DH Amsterdam, the Netherlands (hereinafter “CookieFirst”).
When you access our website, the following personal data is transferred to CookieFirst:
- Your consent(s) or withdrawal of your consent(s),
- your IP address,
- information about your browser,
- information about your terminal device,
- the time of your visit to the website.
In addition, CookieFirst stores a cookie in your browser to be able to assign your consent(s) or their revocation to you. The collected data is stored until you request to delete it, CookieFirst deletes the cookies itself, or the purpose of storing the data no longer applies. Mandatory legal storage obligations remain unaffected by this.
Contract for order processing
We have concluded an order processing contract with CookieFirst. This contract is required under data protection law and ensures that CookieFirst only processes the personal data of our website visitors in accordance with our instructions and in compliance with the provisions of the GDPR.
12. SimplyMeet.me – Appointment Booking System
The online booking system “SimplyMeet” from the company “SimplyBook.me LTD” is used for booking appointments. This company has its registered office in the EU; the registered company address is “30 Glathonos, P. Makedonas Court, 3041, Limassol, Cyprus”.
A current joint data processing agreement considering the Standard Contractual Clauses is in place. The SimplyMeet.me service is ISO 27001 certified, and the company operates strictly to this security standard with regular staff training and a dedicated security officer. In addition to regular server scans, the data processor conducts extensive third-party penetration tests every year. Secure staff communication, daily backups in different data centres and hosting of all data on European servers secure your data.
When using this service, the following data is processed:
- IP address (when loading the booking page)
- E-mail address (for delivering the appointment and any appointment links)
- Telephone number (as primary or alternative contact for the appointment)
- The subject of the appointment (to classify the content of the appointment)
- Appointment booked during the process: Date & Time (Essential for the system’s functionality).
The data just listed are processed based on Art. 6 (1) (f) GDPR within the framework of a legitimate interest to provide the booking service in the form of a website. The legitimate interest lies in the secure provision of a high-performance and “self-service” appointment booking system that accommodates the interested party.
We will retain this data for as long as is necessary to provide you with the SimplyMeet.me software solution and to ensure that the booked appointment(s) can successfully take place.
We use so-called cookies on our website. When you visit our website, these small files are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.). Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware.
In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a certain fixed period. If you revisit our website, it is automatically recognised that you have visited our website at an earlier time. In addition, the entries and settings that you have made are also recognised so that you do not have to re-enter them.
The data processed by cookies are necessary for the purposes mentioned above to protect our legitimate interests and those of third parties under Art. 6 para. 1 sentence 1 lit. f) GDPR.
V. Analysis and Tracking Tools
The tracking measures listed below and used by us are based on Art. 6 para. 1 sentence 1 lit. f) GDPR. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our website. In addition, we use the tracking measures to statistically record the use of our website and evaluate it to optimise our offer for you. These interests must be regarded as legitimate within the meaning of the provision above. The respective data processing purposes and data categories can be found in the corresponding tracking tools.
1. Google Ads Conversion Tracking
To statistically record our website’s use and evaluate it for the purpose of optimising our website for you, we also use Google conversion tracking. A cookie (see point IV) will be placed on your computer if you have accessed our website via a Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If a user visits certain pages of our website and the cookie has not yet expired, Google and our law firm will be able to recognise that this user has clicked on the ad and been redirected to the page.
Each ads client receives a different cookie. Therefore, cookies cannot be tracked across ads clients' websites. The information obtained using the conversion cookies is used to create conversion statistics for ads clients who have opted for conversion tracking. Ads clients are told the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to identify users personally.
2. Google Tag Manager
Our law firm uses Google Tag Manager, which is a tag management system (TMS). It collects data on our website, which is then forwarded to the above-mentioned analysis tool (Google Ads Conversion Tracking) for analysis.
To enable classification of the data and thus the corresponding allocation, code fragments (tags) are created on our website within a container. In this way, the data is collected and then sent to the corresponding tool and processed. The processing is carried out according to the European General Data Protection Regulation (GDPR) requirements.
The systems and processes of the Google products mentioned are ISO 27001 certified.
The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently audited, certified and awarded with the ePrivacyseal data protection seal of approval.
Data processing is carried out based on the legal provisions of Art. 6 para. 1 lit. f) (legitimate interests) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interests) is optimising our online offer and our web presence. Since the privacy of our visitors is important to us, data that may allow a reference to a person, such as the IP address, login or device identifiers, are anonymised or pseudonymised as soon as possible. No other use is made of the data, nor is it merged with other data or passed on to third parties.
You can object to the above-mentioned data processing at any time. The objection has no adverse consequences.
VI. Application – Storage and Deletion of Data
In the course of an application procedure, our law firm processes various personal data. This information provided by applicants is only used to process this procedure. Therefore, only data relevant to the decision-making process is collected and stored.
Furthermore, the data is only forwarded to the departments responsible for applications within our law firm. Access by unauthorised persons is not possible. Particularly sensitive data, such as religious affiliation, marital status or sexual orientation, is redacted before further processing, as our law firm does not store such applicant data as part of the process. Any data provided by the applicant will not be passed on to third parties.
If our law firm does not offer the applicant employment, the data will be deleted, and the documents returned. The deletion of personal data takes place six months after notification of the rejection. In exceptional cases, automatic deletion after this period may be waived if a corresponding agreement has been reached with the applicant. Consent to the continued storage of data could serve the purpose of including the application in an applicant pool. However, deletion from this pool is also possible and requires a revocation by the applicant.
If the applicant is hired, the data provided to us in the application will be included in the applicant’s personnel file. We may ask questions to supplement data relevant to the employment relationship in some cases.
The legal basis for processing your personal data is Article 6 para. 1 lit. b) and Article 88 para. 1 GDPR as well as Section 26 para. 1 BDSG.
VII. Duration of Storage
It follows from the provision on the storage of personal data standardised in Art. 5 para. 1 GDPR that personal data may be stored for the period required for the specific purpose. Your personal data provided to us will therefore be stored for as long as is necessary for the particular processing purpose. This means:
As a result of the lawyer's duty to retain data as standardised in Section 50 of the Federal Lawyer's Act (BRAO), we are obliged to retain the hand files and the electronic data processing used in the context of these for six years. Under Section 50 para. 1 sentence 3 BRAO, the period begins with the end of the calendar year in which the assignment was terminated.
If our law firm receives personal data from a potential client, we will process this data for the following purposes:
- Possibility of contract,
- verification of a conflict of interest,
- pre-contractual exchange.
If no client relationship is established, your data will not be further processed by us.
VIII. Data Subject Rights
If our law firm processes your personal data, you are entitled to the following rights as a data subject under the General Data Protection Regulation (GDPR):
- Right of access: Under Art. 15 of the GDPR, the data subject has the right to obtain information about the personal data we process. In particular, you can request information regarding the following aspects:
- the purpose of the processing,
- the category of personal data,
- the types of recipients to whom your data have been or will be disclosed,
- the planned storage period,
- the existence of a right to rectification, erasure, restriction of processing or objection,
- the presence of a right of appeal,
- the origin of your data (if we have not collected it), and
- the existence of automated decision-making, including profiling and, if applicable, meaningful information on its details.
- Right to rectification: Under Art. 16 GDPR, you may request the correction of incorrect or incomplete personal data stored by us without undue delay.
- Right to erasure: Under Art. 17 GDPR, you have the right to request the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. The right to erasure is therefore limited by the lawyer's duty of retention standardised in Section 50 of the Federal Lawyer's Act (BRAO). The aforementioned norm obliges a lawyer to retain hand files for six years (Section 50 para. 1 sentence 1 BRAO). Pursuant to Section 50 para. 4 BRAO, this shall apply accordingly if the lawyer uses electronic data processing to keep the case files or store documents in safekeeping. Under Section 50 para. 1 sentence 1 BRAO, the retention period begins with the end of the calendar year in which the mandate was terminated.
- Right to restriction of processing: Under Art. 18 GDPR, you may request the restriction of the processing of your personal data to the extent that
- you dispute the accuracy of the data,
- the processing is unlawful, but you object to its deletion,
- we no longer require the data, but you need it to assert, exercise or defend legal claims, or
- you have objected to the processing under Art. 21 GDPR.
- Right to data portability: Under Art. 20 GDPR, you may receive the personal data you have provided to us in a structured, commonly used and machine-readable format or request that it be transferred to another responsible party.
- Revocation of consent: Under Art. 7 para. 3 GDPR, you have the right to revoke your consent once given. The consequence is that we may no longer continue the data processing based on this consent.
- Right to complain: Under Art. 77 of the GDPR, the data subject has the right to complain to a supervisory authority. You can contact the supervisory authority of your usual place of residence, workplace or our registered office.
IX. Right of Objection
If your personal data is processed based on legitimate interests under Art. 6 para. 1 sentence 1 lit. f) GDPR, you have the right to object to the processing of your personal data under Art. 21 para. 1 GDPR. This is possible if there are grounds arising from your particular situation. Unless we can prove grounds worthy of protection that outweigh your interests and rights, we will no longer process your personal data after you exercise your right of objection. The objection will not be successful if the data processing serves the assertion, exercise or defence of legal claims.
The affected person also has the right to object to the processing of their personal data for direct advertising at any time under Art. 21 para. 2 GDPR. If you exercise this right, we will no longer use your personal data for advertising.
If you wish to exercise your right of revocation or objection, email email@example.com.
X. Data Security
During your visit to the website, we use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser. Generally, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
XI. Up-to-dateness and Amendment of this Data Protection Declaration
This data protection declaration is up to date as of December 2022 and is currently valid. Due to the further development of our website and the associated offers and changes in legal or official requirements, it may nevertheless be necessary to amend this data protection declaration. A current version of the data protection declaration can be accessed and printed out at any time on the website at https://se-legal.de/privacy-policy/?lang=en.