Data Privacy Statement
We, Kanzlei KARST – Legal & Tax (hereinafter: KARST), thank you for visiting our website. As a law office, safe use of your data is very important to us. Therefore, we would like to inform you on the specifics of how your data will be used, should you decide to visit this web space.
This privacy declaration uses terms as set forth by the European legislature of the General Data Protection Regulation (hereinafter: GDPR). Our privacy declaration is designed to be easily readable and understandable for the general public and our clients. To achieve this goal, before proceeding to the actual statement, please take note of the following terms:
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
a) Affected person is every identified or identifiable natural person whose personal data is processed by the party responsible for the processing.
b) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
c) Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;
d) Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
e) Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
f) Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
g) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
h) Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
i) Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
j) Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Collection of Data
KARST's website collects a series of general data and information each time the website is accessed by an affected person or an automated system. This general data and information is stored in the log files of the server. In this regard, the following data might be recorded:
a) The browser types used and their respective versions;
b) The operating system used by the accessing system;
c) The website from which the accessing system enters our web presence (so-called referrer);
d) The sub-pages which an accessing system is headed to on our website;
e) The date and time an access occurs on our website;
f) The Internet protocol address (IP-address);
g) The Internet service provider of the accessing system;
h) Other similar data and information, which are used to avert danger from our IT systems.
When using this general data and information, KARST does not draw any conclusions regarding the affected person. This information is in fact used:
a) To portray our website’s content correctly;
b) To optimize content of as well as advertisement for our website;
c) To ensure continuous functionality of our IT systems and technology of our website;
d) To provide law enforcement authorities with the information necessary for enforcing the law in the event of a cyberattack.
This anonymous data and information is therefore statistically and further evaluated by KARST with the aim of improving data protection and data security in our office in order to ultimately ensure the best possible level of protection for personal data we process. Anonymous data of the server log files is stored separately from all personal data provided by an affected person.
3. Legal or contractual provisions for the provision of personal data; Necessity for the conclusion of an agreement; Obligation of the affected person to provide the personal data; possible consequences of non-provision
We wish to clarify that the provision of personal data is partly required by law (such as tax regulations) or may result from contractual arrangements (such as details regarding a contractual party). Occasionally, it may be necessary for a contract to be concluded that an affected person provides us with personal data that must subsequently be processed by us. For example, the affected person is required to provide us with personal data when our office enters into a contract. Failure to provide the personal data would mean that the contract with the person concerned cannot be concluded. Before the personal data has been provided by the affected person, this person must contact the controller. This will happen during a first consultation and, in any case, before becoming a client. The controller will inform the affected person, on a case-by-case basis, whether the provision of the personal data is required by law or contract or is required for the conclusion of the agreement, if there is an obligation to provide the personal data and which consequences would result from failure to provide the personal data.
4. Contact via the website
KARST’s website contains information required by law to enable clients and third parties to contact our office quickly and to communicate with us directly, which also includes a general address of the so-called electronic mail (email address). If an affected person contacts the controller by email or through a contact form, the personal data provided by the data subject will be automatically saved. Such personal data, voluntarily transmitted by an individual to the controller, is stored for the purpose of processing or contacting the affected person. There is no disclosure of this personal data to third parties.
In order to make visiting our website attractive and to enable certain functions, we use so-called cookies on various pages. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us to recognize your browser on your next visit (so-called persistent cookies). You can set your browser to inform you about the setting of cookies and decide individually on their acceptance, or to exclude the acceptance of cookies for specific cases or in general. The non-acceptance of cookies may impair the functionality of our website.
6. Use of Google (Universal) Analytics for web analytics
This website uses Google (Universal) Analytics, a web analytics service provided by Google Inc. (www.google.com). Google (Universal) Analytics uses methods that allow analysis of the website, such as "cookies", text files that are stored on your computer. The generated information about your usage of this website is generally transferred to a Google server in the US and stored there. By activating IP anonymization on this website, the IP address will be shortened prior to transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. The anonymized IP address provided by Google Analytics within the scope of Google Analytics will not be merged with other data provided by Google.
You can prevent the collection of the data (including your IP address) generated by the cookie and related to your use of the website by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available under the following link: http://wbs.is/rom89.
Alternatively, you can click on this link to prevent future Google Analytics tracking on this website. An opt-out cookie is stored on your device. If you delete your cookies, you must click the link again.
The controller has integrated components from LinkedIn Corporation on this website. LinkedIn is an Internet-based social network that allows users to connect to existing business contacts and make new business contacts. Over 400 million registered people use LinkedIn in more than 200 countries. This makes LinkedIn currently the largest platform for business contacts and one of the most visited websites in the world.
Each time you visit our website, which has a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the affected person to download a corresponding representation of the LinkedIn component. More information about the LinkedIn plug-ins can be found at https://developer.linkedin.com/plugins. As part of this technical process, LinkedIn learns about the specific subpages of our website visited by the affected person.
If the affected person is logged-on to LinkedIn at the same time, LinkedIn recognizes the subpages with each visit to our website by the affected person and during the entire duration of the respective stay on our website. This information is collected through the LinkedIn component and linked by LinkedIn to the affected LinkedIn account. If the affected person activates a LinkedIn button integrated on our website, LinkedIn assigns this information to the personal LinkedIn user account of the person concerned and saves this personal data.
LinkedIn always receives information via the LinkedIn component that the person concerned has visited our website if the person concerned is simultaneously logged into LinkedIn at the time of accessing our website; this happens regardless of whether the person clicks on the LinkedIn component or not. If the affected person does not want to transmit this information to LinkedIn, he or she can prevent it by logging out of their LinkedIn account before visiting our website.
The controller has integrated Twitter components on this website. Twitter is a multilingual publicly available microblogging service, where users can post and distribute so-called tweets, which are limited to 140 characters. These short messages are available to anyone, including non-Twitter subscribers. The tweets are also displayed to the so-called followers of the respective user. Followers are other Twitter users who follow a user's tweets. Twitter also allows users to address a broad audience via hashtags, links or retweets.
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Each time one of the pages of this website, which is operated by the controller and on which a Twitter component (Twitter button) has been integrated, is accessed, the Internet browser on the information technology system of the person concerned is automatically caused by the respective Twitter component to download a presentation of the corresponding Twitter component from Twitter. Further information on the Twitter buttons is available at https://about.twitter.com/en/resources/buttons. As part of this technical process, Twitter receives information about which specific subpage of our website is visited by the person concerned. The purpose of the integration of the Twitter component is to allow our users to redistribute the contents of this website, to promote this website in the digital world and to increase numbers of visitors.
If the affected person is simultaneously logged-on to Twitter, Twitter recognizes with each visit to our website by the affected person and during the entire duration of the respective stay on our website, which specific subpage of our website is visited by the affected person. This information is collected through the Twitter component and assigned through Twitter to the affected person's Twitter account. If the affected person activates one of the Twitter buttons integrated on our website, the data and information transmitted with it are assigned to the personal Twitter user account of the said affected person and stored and processed by Twitter.
Twitter always receives information via the Twitter component that the affected person has visited our website, if the affected person is simultaneously logged on to Twitter at the time of access to our website; this happens regardless of whether or not the person clicks on the Twitter component. If such a transfer of this information to Twitter is not desired by the affected person, he or she can prevent the transfer by logging off from their Twitter account before accessing our website.
The applicable privacy policies of Twitter are available at https://twitter.com/privacy?lang=en.
The controller has integrated a Google+ button as a component on this website. Google+ is a so-called social network. A social network is an internet-based social meeting place, an online community that typically allows users to communicate with each other and interact in a virtual space. A social network can serve as a platform to exchange views and experiences, or allows the Internet community to provide personal or business information. Google+ allows social network users to create private profiles, upload photos, and socialize through friend requests, among others.
Google+'s operating company is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
Each visit to one of the pages of this website operated by the controller and incorporating a Google+ button will cause the Internet browser on the affected person's system to download, automatically triggered by the respective Google+ button, a representation of the corresponding Google+ button from Google. As part of this technical process, Google will be aware of which specific subpage of our website is visited by the affected person. More detailed information about Google+ is available at https://developers.google.com/+/.
If the person is logged on to Google+ at the same time, Google recognizes, with each visit by the affected person to our website and during the entire duration of each stay on our website, which specific subpages are visited. This information is collected through the Google+ button and assigned by Google to the relevant Google+ account of the affected person.
If the data subject activates one of the Google+ buttons integrated on our website and thus makes a Google +1 recommendation, Google assigns this information to the personal Google+ user account of the affected person and stores this personal data. Google will store the Google +1 recommendation of the affected person and make it publicly available in accordance with the conditions accepted by the affected person. A Google +1 recommendation made by the affected person on this website will subsequently be stored and processed, together with other personal information such as the name of the Google +1 account used by the affected person and the photo stored therein, in other Google services, for example the search engine results of the Google search engine, the Google account of the affected person or other places, such as on websites or in connection with advertisements. Furthermore, Google is able to link the visit to this website with other personal data stored on Google. Google also records this personal data for the purpose of improving or optimizing Google's different services.
Google always receives information via the Google+ button that the affected person has visited our website if the affected person is simultaneously logged on to Google+ at the time of accessing our website; this happens regardless of whether the person clicks the Google+ button or not.
If the affected person does not wish to transfer personal data to Google, said person can prevent such transmission by logging off from their Google+ account before accessing our website.
10. Notice regarding changes
In the event of such a change, we will notify you of this no later than six weeks prior to entry into force.
11. Updating / deleting your personal data
At any time you have the possibility to check, change or delete the personal data provided to us by sending us an e-mail to the e-mail address firstname.lastname@example.org.
Likewise, you have the right to withdraw your consent at any time with effect for the future.
Deletion of stored personal data occurs when you revoke your consent to storage (No. 12).
The controller shall process and store personal data of the affected person only for the period necessary to achieve the purpose of the storage or, as the case may be, required by the European directives or regulations or by any other legislator, in laws or regulations to which the controller is subject.
If the purpose of storage becomes inapplicable or if a storage period prescribed by the European directives and regulations or any other relevant legislator lapses, the personal data will be routinely locked or deleted in accordance with the statutory provisions.
12. Rights of affected persons
Each affected person has the right, as granted by the European Legislator of Directives and Regulations, to require the controller to confirm whether personal data relating to him is being processed. If an affected person wishes to make use of this confirmation right, they can contact the controller at any time.
Any person affected by processing of personal data shall have the right, granted by the European Directive and Regulatory Authority, at any time, to obtain information, free of charge, on the personal data stored about him and a copy of that information from the data controller. Furthermore, the European legislator of directives and regulations has provided the affected person with the right to the following information:
- the processing purposes
- the categories of personal data being processed
- the recipients or categories of recipients to whom personal data has been disclosed or is still being disclosed, in particular to recipients in third countries or to international organizations
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining that duration
- the right of correction or deletion of personal data, or the limitation of processing or the right to object to such processing by the controller
- the existence of a right of appeal to a supervisory authority
- if the personal data is not collected from the affected person: all available information on the source of the data
- the existence of automated decision making, including profiling pursuant to Articles 22 (1) and (4) GDPR and, at least in these cases, compelling information about the logic involved and the scope as well as the intended impact of such processing on the affected person.
In addition, the affected person has a right of access as to whether personal data has been transmitted to a third country or to an international organization. If that is the case, then the affected person has the right to obtain information about the appropriate guarantees in connection with the transfer.
If an affected person wishes to exercise this right to information, he can contact the controller at any time.
Any person affected by processing of personal data has the right granted by the European legislator to demand immediate correction of inaccurate personal data concerning him. Furthermore, the affected person has the right to request completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.
If an affected person wishes to exercise this right of correction, he can contact the controller at any time.
Any person affected by processing of personal data shall have the right granted by the European legislator of Directives and Regulations to require the controller to immediately delete personal data concerning him, provided that one of the following reasons is applicable and the processing is not required:
- The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The affected person revokes his consent to process the data, which was processed pursuant to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR and there is no other legal basis for the processing.
- The affected person objects to the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding justifiable reasons for the processing, or the affected person files an objection in accordance with Art. 21 para. 2 GDPR.
- The personal data were processed unlawfully.
- Deletion of personal data is required to fulfill a legal obligation under Union or national law to which the controller is subject.
- The personal data has been collected in relation to services provided by the information society in accordance with Art. 8 para. 1 GDPR.
If one of the aforementioned reasons applies and the affected person wishes to have the personal data stored by KARST deleted, he may contact the controller at any time. The controller will arrange that the deletion request be fulfilled immediately.
If personal data was made public by KARST and our office is required to erase said personal data as a responsible party in accordance with Article 17 (1) GDPR, KARST shall take appropriate measures, including technical ones, taking into account the available technology and implementation costs, to inform other controllers processing the personal data made public that the affected person has requested the deletion of all links to this personal data or of copies or replications of such personal data, as far as the processing is not necessary. KARST’s controller will arrange the necessary action on a case-by-case basis.
Any person affected by processing of personal data has the right, granted by the European directive and regulatory authority, to require the controller to restrict the processing if one of the following conditions applies:
- The accuracy of the personal data is contested by the affected person for a period of time that allows the controller to verify the accuracy of the personal data.
- The processing is unlawful, the affected person refuses to delete the personal data and instead requests restriction of use of said personal data.
- The controller no longer needs the personal data for processing purposes, but the affected person needs them to assert, exercise or defend their rights.
- The affected person has objected to the processing in accordance with Art. 21 para. 1 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh those of the affected person.
If one of the aforementioned requirements applies and the affected person wishes to request restriction of personal data stored at KARST, he may contact the controller at any time. The controller will initiate the restriction of the processing.
Any person affected by the processing of personal data shall have the right conferred by the European legislator of Directives and Regulations to obtain the personal data concerning him, provided to the controller by said person, in a structured, common and machine-readable format. He also has the right to transfer this data to another controller, without hindrance by the controller, provided the processing is carried out on the basis of the consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and processing is performed by means of automated procedures, unless the processing is necessary for the performance of a task which is in the public interest or in exercise of official authority which has been entrusted to the controller.
Furthermore, in exercising their right to data portability, the affected person has the right that the personal data is transmitted directly from one controller to another controller in accordance with Art. 20 para. 1 GDPR, as far as this is technically feasible and provided that the rights and freedoms of other persons are not affected.
In order to exercise the right to data portability, the affected person may, at any time, contact the controller.
Any person affected by processing of personal data shall have the right conferred by the European directive and regulatory authority to object to the processing of personal data, at any time, for reasons arising from his particular situation, based on Article 6 (1) (b). e) or f) GDPR. This also applies to profiling based on these provisions.
KARST does not process personal data in the event of an objection, unless we can establish compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the affected person or serve the processing, assertion, exercise or defense of legal claims.
If KARST processes personal data in order to operate direct mail, the affected person has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, as far as it is associated with such direct mail. If the affected person objects to processing of personal data for the purpose of direct marketing, KARST will no longer process the personal data for these purposes.
In addition, the affected person has the right to object to the processing of personal data relating to him, where the processing is carried out by KARST for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR, for reasons arising from particular situations of said person, unless such processing is necessary to fulfill a task of public interest.
In order to exercise the right to object, the affected person may directly contact the controller. The affected person is also free, in the context of the use of information society services, notwithstanding Directive 2002/58/EC, to exercise his right of objection by means of automated procedures using technical specifications.
Any person affected by processing of personal data shall have the right, as granted by the European legislator of Regulations and Directives, not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect on him or affects him significantly in a similar manner, provided the decision
a) is not required for the conclusion or execution of a contract between the affected person and the controller, or
b) is permitted by Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard the rights and freedoms as well as legitimate interests of the affected person; or
c) is carried out with the explicit consent of the affected person.
If the decision is
a) necessary for the conclusion or execution of a contract between the affected person and the controller; or
b) carried out with the explicit consent of the affected person,
KARST shall take appropriate measures to safeguard the rights and freedoms as well as legitimate interests of the affected person, including, at least, the right to obtain intervention on the part of the controller, to express his own point of view and to challenge the decision.
If the affected person wishes to enforce rights as to automated decision-making, he may contact the controller at any time.
Any person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to revoke consent to the processing of said personal data at any time.
If the affected person wishes to exercise his right to withdraw consent, he may contact the controller at any time.
13. Legal basis of processing
Article 6 (1) (a) GDPR serves our company as a legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary to fulfill a contract to which the affected person is a party, as is the case, for example, in processing operations necessary for the supply of goods or the provision of other services or consideration, processing shall be based on Art. 6 (1) (b) GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services. If KARST is subject to a legal obligation requiring the processing of personal data, such as the fulfillment of tax obligations, the processing is based on Article 6 (1) (c) GDPR. In rare cases, the processing of personal data may be required to protect the vital interests of the affected person or another natural person. This would, for example, be the case if a visitor to our premises were injured and his or her name, age, health insurance or other vital information had to be passed on to a doctor, hospital or other third party. In that case, the processing would be based on Article 6 (1) (d) GDPR. Finally, processing operations could be based on Article 6 (1) (f) GDPR. This legal basis covers processing operations that are not covered by any of the above legal bases, if processing is necessary to safeguard the legitimate interests of KARST or a third party, unless the interests, fundamental rights and fundamental freedoms of the person concerned prevail. Such processing operations are particularly permitted because they have been specifically mentioned by the European legislator. In that regard, it considered that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 GDPR).
14. Legitimate interests in processing that are being pursued by the controller or a third party
If the processing of personal data is based on Article 6 (1) (f) GDPR, our legitimate interest is the performance of our business for the benefit of owner(s), contractors and stakeholders of KARST.
15. The person responsible or your contact person
If you have any questions regarding the collection, processing or use of your personal data, information, correction, blocking or deletion of data as well as revocation of granted consent or objection to a particular use of data, please contact:
Kanzlei KARST – Legal & Tax
Dr. Björn Karst
65719 Hofheim am Taunus
+49 6122 9291199
+49 6122 9298458
As of: 01.05.2018