Data Protection Policy

Data protection notice

We, Annerton Rechtsanwaltsgesellschaft mbH (hereinafter referred to as Annerton or we/us) are pleased that you are visiting our website www.annerton.com (hereinafter referred to as the ‘Website’). We are responsible under data protection law for the website. Please refer to the legal notice to find out who is responsible for the website under data protection law.

For other websites operated by us, e.g. www.paytechlaw.com, other data protection provisions apply. Please inform yourself there.

With the following information, we would like to inform you (hereinafter also referred to as the user ) about how we implement the requirements of the EU General Data Protection Regulation (GDPR) on our website, how we protect your privacy and how personal data is processed when you use our website.

The GDPR grants you certain rights as a person affected by the processing of personal data, which we inform you about separately here. We have also explained the key technical terms used in this privacy policy.
If the following information is insufficient or incomprehensible, please do not hesitate to contact us or our data protection officer. The contact details can be found in section 1.

1. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHO CAN I CONTACT?

The controller is:

Annerton Rechtsanwaltsgesellschaft mbH

Munich office
Wagmüllerstraße 23
D-80538 Munich
Telephone: +49 89 306 683 -0
Fax: +49 89 306 683 -212
www.annerton.com
hello@annerton.com

‘PayTechLaw’ is a name identification of Annerton Rechtsanwaltsgesellschaft mbH for the blog published at www.paytechlaw.com.
If you have any questions about the data protection information, please contact our data protection officer:

Annerton Rechtsanwaltsgesellschaft mbH

Munich office

Wagmüllerstraße 23
DE – 80538 Munich
Phone +49 (0)89 306683-0
Fax +49 (0)89 306683-212
E-mail: datenschutz@annerton.com

The supervisory authority responsible for us (Annerton, Munich location) is
Bavarian State Office for Data Protection Supervision
P.O. Box 606
91511 Ansbach
Telephone: +49 981 53 1300
Fax: +49 981 53 98 1300
E-mail: poststelle@lda.bayern.de.

The authority also offers a complaint form.

2. GENERAL PRINCIPLES AND INFORMATION ON DATA PROTECTION

2.1 Scope of the processing of personal data

We collect and use personal data from you as the user of our website only insofar as this is necessary to provide a functional website and/or to provide our web or online services.

The collection and use of personal data for other purposes only takes place regularly

  • with your consent, or
  • if the processing is for the purpose of contract fulfilment, or
  • if the processing is necessary to safeguard our legitimate interests, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail.

An exception applies in cases where it is not possible for us to obtain prior consent for factual reasons or where the processing of the data is permitted by law.

2.2 Legal bases

Insofar as we obtain consent for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis for the processing of personal data.
When processing personal data that is necessary for the fulfilment, implementation of pre-contractual measures or the initiation of a contract, Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which we are subject, Art. 6 para. 1 sentence 1 lit. c GDPR is the legal basis.
If the processing is necessary to protect our legitimate interests as a company or a third party and if your interests, fundamental rights and freedoms, which require the protection of personal data, do not outweigh our interests, Art. 6 para. 1 sentence 1 lit. f GDPR is the legal basis.

2.3 Obtaining consent / right to withdraw consent

We generally obtain consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR electronically. Consent is typically given by ticking the relevant box to document the granting of consent or by clicking on a corresponding selection field.
If consent is given electronically, the so-called double opt-in procedure is used to identify the user (e.g. when registering for newsletters). The content of the declaration of consent is logged electronically. You can contact us at any time to enquire about the content of the declaration of consent that you have given at a given time.
Once you have given your consent, you can revoke it at any time with effect for the future – in full or in part. This does not affect the lawfulness of any processing that has taken place on the basis of your consent prior to its withdrawal. The best way to revoke your consent is to send it electronically to the contact details given in section 1 (controller or data protection officer) or to the other contact options provided by us.

2.4 Recipients of personal data

In order to provide our web and/or online services, we sometimes use service providers who work on our behalf in accordance with our instructions (so-called ‘processors’). These processors may receive personal data or come into contact with personal data as part of the provision of services and are third parties or recipients within the meaning of the GDPR.
In such a case, we ensure that our service providers provide sufficient guarantees that appropriate technical and organizational measures are in place and that processing operations are carried out in such a way that they comply with the requirements of this Regulation and ensure the protection of the rights of the data subject (cf. Art. 28 GDPR).
Insofar as personal data is transferred to third parties outside of commissioned processing, we ensure that this is done exclusively in accordance with the requirements of the GDPR and only if there is a corresponding legal basis (see section 2.2). Insofar as such a transfer takes place, this will be expressly pointed out in the following information, stating the respective legal basis and naming the third recipient or categories of recipients.
You can request further information about the service providers we use from us. To do so, please contact the offices named in section 1 (controller or data protection officer) electronically.

2.5 Processing of data in so-called third countries

Your personal data is generally processed within the EU or the European Economic Area.
Only in exceptional cases (e.g. in connection with the involvement of service providers for the provision of web analysis services) may information be transferred to so-called ‘third countries’. ‘Third countries’ are countries outside the European Union and/or the Agreement on the European Economic Area in which an adequate level of data protection in accordance with the EU standard cannot be assumed without further ado.
If the transferred information also includes personal data, we ensure before such a transfer that an adequate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country. This can result from a so-called ‘adequacy decision’ of the European Commission or be ensured by using the so-called ‘EU standard contractual clauses’. We will be happy to provide you with further information on the suitable and appropriate guarantees for compliance with an appropriate level of data protection on request; the contact details can be found in Section 1.

2.6 Data erasure and storage period

We erase personal data as soon as the purpose of the processing no longer applies. Data will only be stored after the purpose of processing no longer applies if this is provided for by the European or national legislator in EU regulations, laws or other provisions to which our company is subject (e.g. to fulfil statutory retention obligations and/or if there are legitimate interests in storage, e.g. during the course of limitation periods for the purpose of legal defense against any claims or during an ongoing legal dispute). The data will also be deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion of a contract or for other purposes.

2.7 Rights of data subjects

The GDPR grants you certain rights as a person affected by the processing of personal data. If you wish to exercise one or more of these rights, you can contact one of our employees at any time. To do so, please use the contact options listed under point 1. The rights of data subjects are explained in detail here.

3. DATA PROCESSING FOR THE PROVISION OF THE WEBSITE / COLLECTION OF LOG FILES

3.1 Description and scope of data processing

Each time you access content on our website, our system automatically collects data and information from the computer system from which you access the content. The following data is collected (hereinafter referred to as ‘log data’)

  • Information about the browser type and version used (so-called ‘user agent’);
  • the operating system of your computer system;
  • the Internet service provider through which your computer system accesses the Internet;
  • information about the browser type and version used (so-called ‘user agent’)
  • the IP address of your computer system;
  • Date, time and duration of access;
  • Website from which you accessed the content of our website (so-called ‘referrer’);
  • Website to which you switch from our website.

With the exception of the IP address, the aforementioned log data does not allow any personal reference to be made to you. A personal reference can only be established by assigning or linking the log data to an IP address, which is generally not available to us.

3.2 Purpose of data processing

The log data, in particular the IP address, is collected and processed for the purpose of providing the content contained on our website. This requires temporary storage of the IP address. This is required to address the data traffic between your computer system and our web and/or online offering or is required to utilize our web and/or online offering.

Any further processing and storage of the IP address in log files takes place for the purpose of ensuring the functionality of our web and online services, for the purpose of optimizing these services and for ensuring the security of our information technology systems.
This data is also analyzed by us for statistical purposes. This is done in summarized form and individual users are not traced.

3.3 Legal basis

The legal basis for the collection and processing of log data, insofar as these are personal data, is Art. 6 para. 1 sentence 1 lit. b GDPR (contract fulfilment and initiation). The legal basis for storing the IP address for these purposes beyond the communication process is Art. 6 para. 1 sentence 1 lit. f GDPR (protection of legitimate interests).

3.4 Data erasure and storage duration

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session – the website visit – has ended. Any further storage of log data including the IP address for the purpose of system security takes place for a maximum period of 30 days from the end of the page access.
Any further processing and/or storage of log data is possible and permissible, provided that the IP addresses of the respective users are deleted or anonymized after the aforementioned storage period has expired in such a way that it is no longer possible to assign the log data to an IP address.

3.5 Objection and removal options

The collection of log data for the provision of the website, including its storage in log files within the aforementioned limits, is absolutely necessary for the operation of the website. There is therefore no possibility of objection. This does not apply to the processing of log data for analysis purposes; depending on the web analysis tools used and the type of data analysis (personal / anonymous / pseudonymous), this is governed by Section 6.

4. USE OF COOKIES

4.1 Description and scope of data processing, types of cookies

This website uses cookies. We use cookies to personalize content and advertisements, to be able to offer functions for social media and to analyze access to our website. We also pass on information about your use of our website to our partners for social media, advertising and analyses. Our partners may combine this information with other data that you have provided to them or that they have collected as part of your use of the services.
Cookies are small text files used by websites to make the user experience more efficient.

By law, we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages.

You can change or withdraw your consent at any time from the cookie statement on our website.

Find out more about who we are, how you can contact us and how we process personal data in our privacy policy.



4.2 Consent

The law allows us to store cookies on your device if they are absolutely necessary for the operation of this site. We require your consent for all other cookie types. You can change or withdraw your consent at any time from the cookie declaration on our website. Your consent is obtained separately for our websites using a tool.

4.3 Purpose of the data processing

The purpose of using necessary cookies is to simplify the use of websites. Some functions of our website cannot be offered without the use of such cookies. For these, it is necessary for the browser to be recognized even after a page change.
Preference cookies are used so that you can set the language preference.
The user data collected by technically necessary cookies is not used to create user profiles.
Marketing cookies and statistics cookies are used for the purpose of improving the quality of our website and its content. In this way, we learn how the website is used and can constantly optimize our offering. For these purposes, we also use third-party systems that set third-party cookies.

4.4 Legal basis

The legal basis for the use of technically necessary cookies is Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as the possibility of establishing a personal reference to the user exists and the use is necessary for the purpose of providing our web and/or online services in the sense of contract fulfilment, otherwise the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, as the use is also in our legitimate interest for the purpose of providing our website. The legal basis for the processing of personal data using analytics cookies, insofar as it is possible to establish a personal reference to the user, is Art. 6 para. 1 sentence 1 lit. a GDPR if the user has given consent. If analysis cookies are used to create pseudonymized evaluations, the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR (protection of legitimate interests).

4.5 Data erasure and storage duration

The cookies are stored on your respective end device and transmitted from there to our web server. A distinction is made between permanent cookies and session cookies. Session cookies are stored for the duration of a browser session and are deleted when the browser is closed. Permanent cookies are not deleted when the respective browser session is closed, but are stored on the user’s end device for a longer period of time.

4.6 Objection and removal options

When you visit our website, an information banner informs you about the use of cookies and refers you to this privacy policy. The banner also obtains your consent to the processing of the personal data used in this context.
As a user, you have full control over the use and storage of cookies. By changing the settings in your Internet browser, you can generally deactivate or restrict the transmission of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. Further information on the use of cookies can be found at http://www.meine-cookies.org or www.youronlinechoices.com.
Once you have given your consent to the use of cookies to create pseudonymized user profiles (see above for analysis cookies), you can object to this at any time with effect for the future; you can exercise your right of objection via the info banner or via the aforementioned setting options of your browser.

5 NEWSLETTER

5.1 Description and scope of data processing

If you would like to subscribe to our newsletter, we require a valid e-mail address as well as your first and last name. In order to be able to check whether you are the owner of the e-mail address provided or whether the owner agrees to receive the newsletter, we send an automated e-mail to the e-mail address provided after the first registration step (so-called double opt-in). Only after confirmation of the newsletter registration via a link in the confirmation e-mail will we add the e-mail address provided, as well as your first name and surname, to our mailing list. We do not collect any further data beyond the e-mail address, your first name and surname and the information to confirm your registration.

5.2 Purpose of data processing

Your data is processed exclusively for the purpose of sending the newsletter you have requested.

5.3 Legal basis

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a GDPR (consent), which you have given us by ordering the newsletter.

5.4 Data erasure and storage period

Subject to a request for erasure, the data will be stored for as long as we need this data to send the newsletter. The data will be deleted if you unsubscribe from the newsletter, or if a newsletter is reported to us as undeliverable more than three (3) times, or if we generally stop sending the subscribed newsletter.

5.5 Objection and cancellation options

You can unsubscribe from the newsletter at any time by using the unsubscribe link provided at the end of each newsletter. The information on the right of cancellation, which you can find here, also applies.

6. E-MAIL CONTACT

6.1 Description and scope of data processing

We have set up an e-mail address at hello@annerton.com that you can use to contact us electronically. If you make use of this option, the data you send us by e-mail will be transmitted to us and stored. The data transmitted and collected depends in part on your e-mail programme, but as a rule e-mails contain the following sender data:

  • E-Mail address
  • Subject of the email
  • Surname, first name, title, company if applicable
  • Message text and all personal data provided by you, e.g. postal address, telephone and fax number, mobile phone number.

The following data is also processed and stored upon receipt:

  • E-mail header, this contains technically necessary information about the sending system and more detailed circumstances of sending and forwarding to the recipient system (e.g. information on date/time, IP addresses of the servers, ID numbers)
  • Date and time of receipt by our system

Under no circumstances will the data be passed on to third parties, unless we have to use third parties to process the enquiry.

6.2 Purpose of data processing

The data is processed exclusively for the purpose of processing your enquiry. In addition, the technical data collected (e.g. email header) is used to prevent misuse of the email address and to ensure the security of our information technology systems.

6.3 Legal basis

The legal basis for the processing of the data is, insofar as the data processing is carried out for the purpose of the fulfilment or initiation of a contract, Art. 6 para. 1 sentence 1 lit. b GDPR.
The legal basis for the collection of additional data during the sending process is Art. 6 para. 1 sentence 1 lit. f. GDPR. GDPR; the legitimate interest here lies in preventing misuse and ensuring system security (see above).

6.4 Data erasure and storage duration

The data relating to an enquiry will generally be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective communication has ended and/or the enquiry has been conclusively answered. Communication is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. Instead of deletion, the data will be stored with restriction of processing if further storage of the data is necessary for the reasons stated in section 2.6, for example because the enquiry or its content is subject to statutory or regulatory retention obligations.

6.5 Objection and removal options

You can object to the processing of your data at any time, as explained here. You also have the option of cancelling communication with us at any time before the email is sent. All personal data stored in the course of contacting us will be deleted in the event of an objection, unless further storage of the data is necessary for the reasons stated in section 2.6.

7. JOB ADVERTISEMENTS AND APPLICATIONS

7.1 Description and scope of data processing

As part of the application process, only the data provided by you (e.g. application, CV, photo if applicable) will be processed. If you expressly give us this option, we will also use data that we receive from third parties, e.g. reference providers.

Within our company, only those partners and employees who are involved in the application process will receive your personal data. Furthermore, the relevant data in each individual case may be transferred to third parties on the basis of legal provisions or contractual agreements. These may be processors, such as DATEV eG, or an IT service provider.

As part of the application process, you only need to provide the data that is necessary to assess your suitability for the position to be filled. Without providing at least this data, you will not be able to participate in the application process. The provision of this information is therefore mandatory.

7.2 Purpose of data processing

The processing of your personal data is the basis for participation in the application process. Furthermore, the data provided should enable us to assess the suitability of the person applying for the vacant position. Without this data, we cannot consider the application in the application process.

7.3 Legal basis

The legal basis for the processing of your personal data for the implementation of pre-contractual measures is § 26 BDSG (data processing for the purposes of the employment relationship) and Art. 6 para. 1 sentence 1 lit. b GDPR (contract fulfilment and initiation).

7.4 Data erasure and storage period

Your data will be stored for at least the duration of the application process. Irrespective of this, we will delete your data in the event of a rejection no later than six (6) months after sending the rejection. If your application is successful, we will store the data in your personnel file for further processing.

8 WEB ANALYSIS

8.1 Description and purpose of web analysis

In order to optimize our website and adapt it to the changing habits and technical requirements of our users, we use tools for so-called web analysis. For example, we measure which elements are visited by users, whether the information they are looking for is easy to find, etc. This information can be interpreted in the first place. This information only becomes interpretable and meaningful when a larger group of users is analyzed. For this purpose, the collected data is aggregated, i.e. summarized into larger units. This allows us to adapt the design of pages or optimize content if, for example, we notice that a relevant proportion of visitors are using new technologies or are finding it difficult or impossible to find existing information.

8.2 Google Analytics

We use the analysis software Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (Google). Google Analytics uses a tracking cookie to recognize a user who has already visited our website in the past. The cookie is a small text file that is stored on your computer and enables us to analyze the history of visits to our website (so-called user profiles). The tracking cookie has a lifespan of one week. The information collected by the cookie about your use of our website (including your IP address) is usually transferred to a Google server in the USA and stored there. We have added the code ‘gat._anonymize Ip();’ to Google Analytics to ensure anonymized collection of IP addresses before transmission (so-called IP masking).
Your IP address (the number assigned to your computer by your Internet access provider) will therefore be truncated by Google at our request within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. The user profiles generated by Google Analytics are therefore anonymized, i.e. it is not possible to draw conclusions about a specific person. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
The usage profiles contain, for example, information about the length of visit, approximate geographical origin, origin of visitor traffic, exit pages and usage processes. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for us and providing us with other services relating to website activity and internet usage. We delete the anonymized user profiles collected by Google after twelve months.
The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. A transfer of this data by Google to third parties only takes place on the basis of legal regulations or in the context of order data processing.
By using our website, you consent to the processing of the data collected about you by Google and the manner of data processing described above as well as the stated purpose. You can prevent the storage of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link http://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the browser add-on or within browsers on mobile devices, you can prevent Google Analytics from collecting data by clicking on the following link. An opt-out cookie will be set to prevent the future collection of your data when you visit this website:

Deactivate Google Analytics

You can find more information on Google Analytics and data protection at http://tools.google.com/dlpage/gaoptout?hl=de or at http://www.google.com/intl/de/policies/privacy/index.html.

9. SOCIAL PLUGINS

9.1 General information

We have integrated buttons (‘plugins’) from social networks on our websites. These provide various functions, the subject matter and scope of which are determined by the operators of the social networks.
Please note that we are not the provider of the social networks and have no influence on the data processing by the respective service providers. Further information on the scope of data can be found under the links or addresses of the providers listed below.

9.2 Twitter

Our website uses components of Twitter Inc, 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (‘Twitter’). Twitter is a multilingual, publicly accessible microblogging service on which users can publish and disseminate so-called ‘tweets’, i.e. short messages that are limited to (currently) 280 characters. These short messages can be accessed by anyone, potentially worldwide and by people who are not registered with Twitter. The tweets are also displayed to the so-called ‘followers’ of the respective user of a Twitter account. ‘Followers’ are other Twitter users who follow a specific user and their tweets. Twitter also has functions such as ‘hashtags’, i.e. keywords, as well as links and the option of retweeting other users’ tweets and thus addressing a broad audience. The components integrated by us can be recognized by terms such as ‘Twitter’ or ‘Follow’, usually associated with the Twitter logo, a stylized blue bird. With the help of the Twitter buttons, it is possible to share a page on our website, such as a blog post on Twitter, or to become a follower of our Twitter account. When you access a page on our website that contains such a component, your browser establishes a direct connection to the Twitter servers. The content of the Twitter buttons is transmitted by Twitter directly to your browser. We therefore have no influence on the scope of the data that Twitter collects with the help of this method and inform you according to our level of knowledge: According to this, only your IP address and the URL of the respective website are transmitted, but not used for purposes other than to display the button. Further information on this can be found in Twitter’s privacy policy at http://twitter.com/privacy.
Each time you access one of the individual pages of our website on which a Twitter component (Twitter button) has been integrated, your Internet browser is automatically prompted by the respective Twitter component to download a representation of the corresponding Twitter component from Twitter. Further information about the Twitter buttons is available at https://about.twitter.com/de/resources/buttons. As part of this technical process, Twitter receives information about which specific subpage of our website you are visiting. The purpose of integrating the Twitter component is to enable you to disseminate the content of our website, to publicize our website in the digital world and to increase our visitor numbers.
If you are logged in to Twitter at the same time, Twitter recognizes which specific sub-page of our website you are visiting each time you access one of our web pages and for the entire duration of your visit to our website. This information is collected by Twitter and assigned to your Twitter account by Twitter. If you click on one of the Twitter buttons integrated on our website, the data and information transmitted with it will be assigned to your personal Twitter user account and stored and processed by Twitter.
Twitter always receives information via the Twitter component that you have visited our website if you are logged in to Twitter at the same time as accessing our website; this takes place regardless of whether you click on the Twitter component or not. If the data subject does not want this information to be transmitted to Twitter, they can prevent the transmission by logging out of their Twitter account before accessing our website.

10. SECURITY

We have taken the necessary technical and organizational security measures to protect your personal data from loss and misuse. Your data is stored in a secure operating environment in a data center in the EU, which is not accessible to the public.
Should you wish to contact us by e-mail, we would like to point out that the confidentiality of the information transmitted is not guaranteed. The content of e-mails can be viewed by third parties. We therefore recommend that you send us confidential information, e.g. client or application documents, exclusively by post or agree a more secure procedure (e.g. encryption) with us.

11. AMENDMENT OF THIS PRIVACY POLICY

For legal and/or organizational reasons, changes or adjustments to our privacy policy may be necessary from time to time. Please refer to the latest version of our privacy policy, which you can access automatically by clicking on the respective link that is displayed when you request a cookie. Changes always apply to personal data collected in the future. This does not affect the protection of data collected and stored by us prior to the change.

12. YOUR RIGHTS AS A DATA SUBJECT

The GDPR grants you certain rights as a person affected by the processing of personal data, about which we inform you here.

13. CONTACT

If you have any questions about data protection, please contact us. The best way to do this is to use the contact address given in section 1. Contact details can also be found in the legal notice.

Overview: Your rights as a data subject

The EU General Data Protection Regulation (GDPR) grants you certain rights as a person affected by the processing of personal data, which we would like to inform you about below (sections 1 – 12). We have also explained the key technical terms used in this privacy policy in section 13.

1. YOUR RIGHTS, HOW TO CONTACT US

The GDPR grants you certain rights as a person affected by the processing of personal data. If you wish to exercise one or more of these rights, you can contact one of our employees at any time. The employee will ensure that your request is complied with immediately. To do so, please use the contact options provided in the privacy policy under point [1], for example, or contact us via our website annerton.com. There are no costs other than the postage costs or the transmission costs according to the existing basic tariffs.

You can also contact our data protection officer at any time as follows:

Annerton Rechtsanwaltsgesellschaft mbH

Munich office

Wagmüllerstraße 23
80538 Munich
Tel. +49 (89) 306683-0
Fax. +49 (89) 306683-212
E-mail: datenschutz@annerton.com

2. RIGHT TO CONFIRMATION (ART. 15 GDPR)

You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed by us.

3. RIGHT TO INFORMATION (ART. 15 GDPR)

You have the right to request information from us at any time and free of charge as to whether or not we are processing personal data relating to you. If you are a data subject because your personal data is processed by our company, you are entitled to information about

  • the purposes of the processing;
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
  • the planned storage period, if possible; if it is not possible to specify the storage period, the criteria for determining the storage period (e.g. statutory retention periods, etc.) must be communicated.
  • your right to rectification or erasure of the personal data concerning you or to restriction of processing by us, and the existence of the possibility to object to this processing.
  • the existence of a right to lodge a complaint with a supervisory authority.
  • the origin of the data if personal data was not collected directly from you.

You are also entitled to information as to whether your personal data is the subject of automated decision-making within the meaning of Art. 22 GDPR (so-called ‘profiling’) and, if this is the case, what decision-making criteria such automated decision-making is based on (logic) and what effects and scope the automated decision may have for you.
If personal data is transferred to a third country outside the scope of the General Data Protection Regulation, you are entitled to information as to whether and, if so, on the basis of which guarantees an adequate level of protection within the meaning of Art. 45, 46 GDPR is ensured at the data recipient in the third country.
You also have a right to information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate safeguards in connection with the transfer.

4. RIGHT TO RECTIFICATION (ART. 16 GDPR)

As a data subject, you have the right to demand the immediate rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, including by means of a supplementary statement, taking into account the purposes of the processing.

5. RIGHT TO ERASURE (ART. 17 GDPR, SO-CALLED ‘RIGHT TO BE FORGOTTEN’)

As the data subject, you have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies and provided that the processing is not necessary for other reasons

  • the personal data are no longer necessary in relation to the purposes for which they were collected and processed;
  • if you have given your consent on which the processing was based pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, you have withdrawn this consent and there is no other legal basis for the processing;
  • you have objected to data processing pursuant to Art. 21 GDPR and there are no overriding legitimate grounds for further processing
  • your personal data has been processed unlawfully;
  • it concerns data of a child that was collected in relation to information society services pursuant to Art. 8 para. 1 GDPR.
  • the deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject
  • the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

There is no right to erasure of personal data insofar as

  • the right to freedom of expression and information precludes the request for erasure
  • the processing of personal data is necessary (i) to fulfil a legal obligation (e.g. statutory retention obligations), (ii) for the performance of public tasks and interests in accordance with Union law and/or the law of the Member States (this also includes interests in the area of public health) or (iii) for archiving and/or research purposes;
  • the personal data are necessary for the establishment, exercise or defence of legal claims.

The deletion must take place immediately – i.e. without undue delay.
If we have made the personal data public and we are obliged to erase the personal data pursuant to Art. 17 (1) GDPR, we shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data, unless the processing is necessary for other reasons.

6. RIGHT TO RESTRICTION OF PROCESSING (ART. 18 GDPR)

As the data subject, you have the right to request that we restrict the processing of your personal data in the following cases

  • You contest the accuracy of your personal data. In this case, you can demand that we do not use your data for other purposes for the duration of the accuracy check and that processing is restricted in this respect;
  • In the event of unlawful data processing, you can request the restriction of data use in accordance with Art. 18 GDPR instead of data erasure in accordance with Art. 17 para. 1 lit. d GDPR;
  • If you need your personal data for the establishment, exercise or defence of legal claims, but your personal data is otherwise no longer required, you can request that we restrict processing to the aforementioned legal prosecution purposes;
  • If you have lodged an objection to data processing pursuant to Art. 21 para. 1 GDPR and it is not yet clear whether our interests in processing outweigh your interests, you can request that your data not be used for other purposes for the duration of the review and that it be restricted in this respect.

Personal data whose processing has been restricted at your request may – subject to storage – only be used with your consent.

  • with your consent
  • for the establishment, exercise or defence of legal claims,
  • for the protection of the rights of another natural or legal person, or
  • for reasons of important public interest.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

7. RIGHT TO INFORMATION (ART. 19 GDPR)

As the data subject, you have the right to demand that we inform all recipients to whom we have disclosed your personal data of this rectification, erasure or restriction of processing in cases in which you assert the right to rectification (point 4), erasure (point 5) or restriction of processing (point 6), unless this proves impossible or involves a disproportionate effort. You have the right to be informed by us about these recipients.

8. RIGHT TO DATA PORTABILITY (ART. 20 GDPR)

As a data subject, you have the right – subject to the following provisions – to request that we provide you with the data concerning you in a commonly used electronic, machine-readable data format. The right to data portability includes the right to transmit the data to another controller; at your request, we will therefore – insofar as this is technically possible – transmit data directly to a controller named by you or to be named.
The right to data portability exists only for data provided by you and requires that the processing is based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or for the performance of a contract pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR and is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability pursuant to Art. 20 GDPR does not affect the right to data erasure pursuant to Art. 17 GDPR.
The first copy is free of charge; a reasonable fee may be charged for further copies. The data transfer is subject to the rights and freedoms of other persons whose rights may be affected by the data transfer.

9. RIGHT TO OBJECT (ART. 21 GDPR)

As a data subject, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is carried out on the basis of Art. 6 para. 1 sentence 1 lit. e or lit. f GDPR, with effect for the future. This also applies to profiling based on these provisions.
In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
If we process personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to any profiling (Section 10), insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process the personal data for these purposes. To exercise your right to object, you can contact any of our employees or use the contact option specified in section 1. You are also free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
Please note that the exercise of the right to object is directed at future processing. Processing that has already taken place in the past will neither become ineffective nor must it be cancelled.

10. AUTOMATED DECISIONS IN INDIVIDUAL CASES INCLUDING PROFILING (ART. 22 GDPR)

As a data subject, you have the right to ask us not to make a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, provided that the decision
a) is not necessary for the conclusion or fulfilment of a contract between you and us; or
b) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) with your express consent.
If the decision in case a) is necessary for the conclusion or fulfilment of a contract between you and us or in case b) is made with your express consent, we will take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to state your own position and to challenge the decision.

11. RIGHT TO WITHDRAW CONSENT UNDER DATA PROTECTION LAW (ART. 7 PARA. 3 GDPR)

You have the right to exercise your right of revocation at any time without giving reasons and to amend or completely revoke your consent to the processing of personal data with effect for the future. To exercise your right of revocation, you can contact any of our employees or use the contact option specified in section 1. Please note that the exercise of the right of cancellation is directed at future processing. Processing that has already taken place in the past will neither become ineffective nor must it be cancelled.

12. LEGAL PROTECTION, RIGHT TO LODGE A COMPLAINT (ART. 77 GDPR)

You are entitled to lodge a complaint with a competent data protection supervisory authority. To do so, you can contact the supervisory authority responsible for you in the member state of your place of residence, your place of work or the place of the alleged infringement. You can find the data protection authority responsible for us in the data protection information.

13. DEFINITIONS

We use the following terms defined in Art. 4 GDPR in this privacy policy:

13.1 ‘Personal data’ means any information relating to an identified or identifiable natural person

(hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

13.2 ‘Data subject’ means any identified or identifiable natural person whose personal data are
processed by the controller.

13.3 ‘Processing’ means any operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

13.4 “Restriction of processing ’ is the marking of stored personal data with the aim of restricting its future processing.

13.5 ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

13.6 ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

13.7 ‘Controller’ or ‘controller responsiblefor the processing’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

13.8 ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

13.9 ‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

13.10 ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

13.11 ‘Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Status: August 2024