Privacy Policy
Overview
In this Privacy Policy, we inform you in accordance with Art. 13, 14 GDPR about how, to what extent and for what purposes we process personal data:
- in the use of our website (see section 2)
- regarding advice from POELLATH (see section 3).
Further information relevant to all the above-mentioned data processing operations is provided in Sections 1 and 4 to 5.
1. Responsible party and data protection officer
Responsible party in terms of data protection law:
P+P Pöllath + Partners Rechtsanwälte und Steuerberater mbB (hereinafter POELLATH)
Potsdamer Platz 5
10785 Berlin
T +49 (30) 25353-0
F +49 (30) 25353-999
ber@pplaw.com
Data protection officer: Anna Cardillo. You can contact our data protection officer at anna.cardillo@myle-law.com or MYLE Partnerschaft von Rechtsanwält:innen mbB, Potsdamer Str. 98, 10785 Berlin.
2. Use of the website
2.1 Access data
You may use our website for purely informational purposes without disclosing your identity. When visiting individual pages of the website in this sense, only access data is transmitted to our provider so that the website can be displayed to you. This includes the following data:
- Browser type/browser version,
- Operating system used,
- Language and version of the browser software,
- Host name of the accessing terminal,
- IP address,
- Website from which the request comes,
- Content of the request (specific page),
- Date and time of the server request,
- Access status/HTTP status code,
- Referrer URL (the previously visited page),
- Amount of data transmitted,
- Time zone difference from Greenwich Mean Time (GMT).
Temporary processing of this data is necessary to make it technically possible for a website visit to take place and for the website to be transmitted to your terminal. The access data is not used to identify individual users and is not merged with other data sources. Further storage in log files takes place to ensure the functionality of the website and the security of the information technology systems.
The legal basis for processing is Art. 6(1)(1)(f) GDPR. Our legitimate interests lie in ensuring the functionality, stability, and security of the website. The storage of access data in log files, in particular the IP address, for a longer period enables us to recognize and ward off misuse. This includes, for example, the defense against requests that overload the service or any bot usage.
Storage duration: The access data will be deleted as soon as it is no longer required for the purpose of its processing. In the case of data collection to provide access to the website, this is the case when you end your visit to the website. In principle, the data is deleted after seven days at the latest; processing beyond this period is possible in individual cases. In this case, the IP address will be deleted or encrypted such that it is no longer possible to associate it with the accessing client.
2.2 Essential: Consent management (Usercentrics)
On our website, we use the consent management tool Usercentrics from Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich. The service provider acts as a processor on our behalf and is the recipient of your data as described below. You can use a banner displayed on the website to give or refuse your consent to certain functions of our website, e.g., for the purpose of integrating streaming content, statistical analysis, and reach measurement. For some of these functions, we use third-party providers who use cookies and similar technologies to store or access information on visitors’ end devices and to process visitors’ personal data. You can use the cookie banner to give or refuse your consent to all functions or to give your consent for individual purposes or individual services. You can also change your settings retrospectively by clicking on the “Cookie Settings” link. The purpose of the cookie banner is to allow users of our website to decide whether to use the functions, cookies, and similar technologies and to offer them the option of changing their settings while continuing to use our website. When you visit the website, the Usercentrics web server stores a server log file that contains your IP address, the date and time of your visit, device and browser information, and information about the selection you made in the banner. The legal basis for processing is Art. 6 (1) (c) GDPR for the fulfillment of our legal obligations to provide evidence in accordance with Art. 7 (1) GDPR. We store your data for as long as your user settings are active. Two years after the user settings have been made, consent is requested again. The user settings made are then stored again for this period.
You can view and change your cookie selection history at any time in the “Cookie Settings”.
2.3 Marketing: Analysis of usage data for personalization and measurement of advertising success (LinkedIn Insight Tag)
Our website uses the “LinkedIn Insight Tag,” a conversion tracking tool from LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
When you visit websites that have the LinkedIn Insight Tag integrated and you have given your consent via the cookie banner, the following happens:
- A cookie is set in your web browser.
- LinkedIn collects the following information via this cookie:
  - Your IP address (in truncated or hashed form),
  - Technical information about your browser, operating system, and device,
  - the time and duration of your visit to the site,
  - subpages visited and interactions on our website.
The collected data is transferred by LinkedIn:
- first to servers of LinkedIn Ireland Unlimited Company in Ireland,
- and may also be transferred to LinkedIn Corporation in the USA as part of internal group processes.
LinkedIn is certified for data transfer to the USA under the EU-U.S. Data Privacy Framework (DPF). In accordance with Art. 45 GDPR, this ensures an adequate level of data protection for this transfer.
- According to LinkedIn, personal data is pseudonymized within seven days (e.g., by shortening IP addresses).
- The pseudonymized data is deleted after 90 days at the latest.
- We ourselves do not receive any personal data from LinkedIn, rather only aggregated and anonymized reports, e.g.:
  - on the demographic characteristics of visitors (e.g., industry, position),
  - and the effectiveness of our LinkedIn advertisements.
In addition, we can use Insight Tags to carry out so-called retargeting campaigns. This means that if you are a LinkedIn member and have visited our website, you may later see relevant advertising on LinkedIn.
LinkedIn members can specify in their account settings whether and to what extent their data may be used for advertising and analysis purposes.
Cookies and similar technologies are set on the basis of Section 25 (1) TDDDG (Telecommunications Digital Services Data Protection Act). The subsequent processing of personal data using LinkedIn Insight Tags only takes place with your express consent in accordance with Art. 6 (1) (a) GDPR.
You can revoke your consent at any time by resetting the checkbox in the “Cookie Settings” of the consent management tool. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
Information on the storage period of your data and all cookies used can be found in the description in our consent management tool under “Cookie Settings.”
2.4 Functional: Integration of visual content (YouTube)
Plugins from the YouTube video platform are integrated into our website. This is a service provided by YouTube LLC (headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA (“YouTube”)), for which Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) is the controller in terms of data protection law.
We embed videos that we have published on youtube.de/youtube.com to provide you with audiovisual content directly on our website without your having to visit the YouTube platform separately.
The integration takes place in what is known as “extended data protection mode”. This means that as long as you do not actively play an embedded video, no data is transferred to YouTube.
Only when you play a video does YouTube process:
- Your IP address,
- Technical information about your browser and device,
- The specific subpage on which the video is embedded,
- And, if applicable, other access data as described in our “Access Data” section.
This data processing takes place regardless of whether you have a Google or YouTube user account or are logged in.
If you are logged in to Google during this time, this information can be assigned to your user account. If you do not want this to happen, please log out of Google/YouTube before playing the videos.
The storage of and access to information on your device (e.g., cookies) is based on your consent in accordance with Section 25 (1) TDDDG.
The subsequent processing of personal data by Google is based on your consent in accordance with Article 6 (1) (a) GDPR.
Google may also transfer personal data to third countries outside the EU, in particular the USA.
Google is certified under the EU-U.S. Data Privacy Framework (DPF). Based on the adequacy decision of the EU Commission of July 10, 2023, an adequate level of protection in terms of Art. 45 GDPR applies.
Profiling and further processing by Google
Google or YouTube may store the aforementioned data in user profiles and process it for its own purposes, in particular:
- to provide personalized advertising,
- for market research,
- and for the needs-based design of its own platform services.
We have no influence on these processing operations by Google.
Information on the storage period of your data and all cookies used can be found in the description in our consent management tool under “Cookie Settings”. Further information on the purpose and scope of processing by YouTube and the storage period at YouTube can be found in the privacy policy.
You can revoke your consent at any time by resetting the checkbox in the “Cookie Settings” of the consent management tool. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
2.5 Functional: Map service (Google Maps)
We have integrated the map service “Google Maps” from Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) into our websites. Google Maps enables the convenient use of the map function on our website. We have integrated Google Maps in such a way that a connection to Google's servers is only established once you have given us your consent. When using the map function, Google receives information that users have accessed the corresponding subpage of our website. In addition, access data such as the IP address, browser information, the previously visited website, and the date and time of the server request are transmitted to Google. This occurs regardless of whether Google provides a user account through which users are logged in or whether no user account exists. If users are logged into Google, the user data is directly assigned to the respective Google account. Google stores the usage data as usage profiles and processes it independently of the existence of a user account with Google for its own purposes of statistical analysis and online advertising.
The legal basis for accessing your device and subsequently processing your personal data is your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR. Google also processes some of the data in the USA. If the European Commission has issued a decision on the existence of an adequate level of protection in a third country, no additional measures are required for data transfers. In the event of data being transferred to recipients based in the USA, this is done on the basis of the Transatlantic Data Privacy Framework (DPF) of July 10, 2023, provided that the recipients have the appropriate certification. Such certifications exist with regard to Google. Information on the storage period of your data and all cookies used can be found in the description in our consent management tool under “Cookie settings.”
You can revoke your consent at any time by resetting the checkbox in the “Cookie Settings” of the consent management tool. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
2.6 Functional: Website security and fraud protection (reCAPTCHA)
We use the captcha service “reCAPTCHA” from Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) on our website. reCAPTCHA enables us to verify whether data entries on the website (e.g., in a contact form) are made by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. We have integrated reCAPTCHA in such a way that the analysis only begins once you have given us your consent. For the purpose of analysis, “reCAPTCHA” evaluates various information (e.g., IP address, length of time the website visitor stays on the website, or mouse movements made by the user). The data collected during the analysis is forwarded to Google. This occurs regardless of whether Google provides a user account through which users are logged in or whether no user account exists. If users are logged in to Google, the user data is directly assigned to the respective Google account. “Google” stores the usage data as usage profiles and processes it independently of the existence of a user account with Google for its own purposes of statistical analysis and online advertising.
The legal basis for accessing your device and subsequently processing your personal data is your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR. Google also processes some of the data in the USA. If the European Commission has issued a decision on the existence of an adequate level of protection in a third country, no additional measures are required for data transfers. In the event of data being transferred to recipients based in the USA, this is done on the basis of the Transatlantic Data Privacy Framework (DPF) of July 10, 2023, provided that the recipients have the appropriate certification. Such certifications exist with regard to Google. Information on the storage period of your data and all cookies used can be found in the description in our consent management tool under “Cookie settings.”
You can revoke your consent at any time by resetting the checkbox in the “Cookie Settings” of the consent management tool. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
2.7 Social media
We maintain publicly accessible profiles on the social media platforms LinkedIn and Instagram and offer you the opportunity to visit our LinkedIn and Instagram pages at various points on our website. However, we do not use social media plugins on our website. If you click on the respective logo or the name of a social network, you will be redirected to our respective site via a link. In addition, you can also “share” certain contents of our website on the social networks. If you click on the “Share” logo on our website, the logos of the various social networks will appear. If you click on one of these logos, you will be redirected to the website of the corresponding social network. There - if you have an account and are logged in or log in - you can share the desired content from our website.
No personal data is sent to the social networks before you click on the logos or links which take you to the social network’s website. The possibility of personal data being transmitted to and processed by the social network only exists from the moment you click on the logo on our website and are redirected to the social network website. Personal data is processed, in particular, if you are logged in with your respective social media account and post the content with your account on the social networks.
If you use our social media profiles to interact with us (e.g., liking or sharing a post, following us, writing a comment, or sending us a direct message), we will process the data you provide to us for the purpose of contacting you. If we like, share, or comment on your posts, the data you have freely published on the above-mentioned social media platforms will be made available to our followers on our profile. All information you provide in your profile is publicly visible, i.e., members who log into the network and customers of social media services can view it. This also applies to your activities within the service, such as:
- Comments on posts;
- “Like” marks;
- “Follow” function.
Group memberships are also publicly visible. When you share posts, the default setting is for this to be done publicly. In the options, you can restrict the visibility of these posts to your contacts.
Legal basis: The legal basis for this data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in staying in contact with our business partners and interested parties and keeping them informed, as well as in up-to-date public relations and market observation. If you contact us via social media because you are interested in our offer, the request also serves to implement pre-contractual measures at your request; the legal basis is then Art. 6 (1) (b) GDPR.
Recipients:
The social network Instagram is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; the provider is therefore the recipient of your data.
The social network LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; the provider is therefore the recipient of your data.
Instagram and LinkedIn may process some of the information collected outside the European Union in the USA. The USA is a so-called third country in terms of data protection law.
If the European Commission has issued a decision on the existence of an adequate level of protection (cf. Art. 45 (3) GDPR) in a third country, no additional measures are required for the transfer of data. If data is transferred to recipients based in the USA, this is done based on the Transatlantic Data Privacy Framework (DPF) of July 10, 2023, provided that the recipient has the appropriate certification. A list of currently certified companies is available here. In other cases, as well as in the case of data transfers to other so-called non-secure third countries, data will only be transferred if the requirements of Art. 46 ff. GDPR are met.
The social media platforms described above that we use are headquartered in the USA and are certified accordingly (DPF).
The processing may also involve data for which we are jointly responsible with LinkedIn in terms of Article 26 GDPR. This applies, in particular, to the creation of so-called “Page Insights” – i.e., statistical evaluations of the use of our page.
LinkedIn processes the following categories of data, in particular, which are derived from the profile information and usage behavior of members:
- Job title
- Country
- Industry
- Career level
- Company size
- Employment status
- Information about whether a member follows or interacts with our page
The evaluations are based on aggregated data – we do not receive any individual personal information about users and do not have access to personal LinkedIn profiles.
The processing is carried out for the purpose of reach analysis, optimization of our content and improvement of user interaction on our LinkedIn page. The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in effective external representation and communication with interested parties.
The underlying personal data (e.g., profile characteristics, interaction data) that LinkedIn processes to create anonymized Page Insights is stored in accordance with LinkedIn’s privacy policy. LinkedIn does not publish a specific storage period. However, according to its own statements, LinkedIn only processes personal data for as long as is necessary to fulfill legitimate purposes. As the operator of this page, we have no access to the underlying personal data or influence on its storage period. We ourselves only receive aggregated evaluations without personal references and do not store any personal data in this regard.
Within the framework of joint responsibility with LinkedIn, an agreement has been concluded in accordance with Art. 26 GDPR (“Page Insights Joint Controller Addendum”), which can be viewed at the following link: https://legal.linkedin.com/pages-joint-controller-addendum
In accordance with this agreement, LinkedIn assumes primary responsibility for the processing of Insights data and the fulfillment of data subject rights.
Data subjects can generally assert their rights (e.g., information, correction, deletion, objection) both against us and against LinkedIn. Since LinkedIn has sole access to user data, we recommend contacting LinkedIn directly:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland: https://www.linkedin.com/help/linkedin/ask/TSO-DPO
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Further information on data processing by LinkedIn can be found in the privacy policy:
https://www.linkedin.com/legal/privacy-policy
When interacting via Instagram, there is also joint responsibility between Meta and us in connection with “Instagram Insights” in accordance with Art. 26 GDPR.
When you interact with our Instagram page (e.g., viewing, liking, or subscribing to content), Meta processes the following categories of data in particular:
- Profile-related information: e.g., username, age range, gender, language, location (e.g., city/region), interests (as collected by Meta)
- Usage behavior: e.g., interactions with posts (likes, comments, shared content), length of stay, views of videos or stories
- Device-related data: e.g., IP address, device used, operating system, browser type, connection data
This information is provided by Meta in aggregated and anonymized form in the so-called “Instagram Insights”. We do not receive any personal data.
This information is processed for the purposes of reach analysis, target group description, and optimization of our content. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR in effective communication with users and meaningful monitoring of the success of our posts.
Meta does not provide any specific information on the storage period for personal data processed when using Instagram Insights. Meta’s privacy policy merely states that personal data will only be stored for as long as is “necessary to fulfill the purposes described in the policy”. Since we, as the website operator, are only provided with aggregated and anonymized evaluations, we do not store any personal data in connection with Instagram Insights ourselves.
Within the framework of joint responsibility, an agreement has been concluded between us and Meta in accordance with Art. 26 GDPR, which you can access here: https://www.facebook.com/legal/terms/page_controller_addendum
In this agreement, Meta assumes primary responsibility for data processing within the framework of Instagram Insights, including the exercise of data subject rights.
As a data subject, you can assert your rights both against us and against Meta. However, since only Meta has access to the underlying personal data, we recommend that you exercise your rights directly with Meta:
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
https://www.facebook.com/help/contact/308592359910928
Or via the account management in the app under:
“Settings” > “Privacy” > “Data access and control”
Privacy policy: https://privacycenter.instagram.com/policy
2.8 Newsletter and email advertising by us and P+P Training GmbH
You may subscribe to the email newsletter sent by us and our event partner P+P Training GmbH on our website, which will keep you regularly informed about our publications, seminars and events. In order to receive the newsletter, a valid email address is required. The registration for our email newsletter is a double opt-in procedure. After you enter the data marked as mandatory, we will send you an email to the email address you have provided, in which we ask you to explicitly confirm your registration for the newsletter (by clicking on a confirmation link). In this way, we ensure that you actually wish to receive our email newsletter. After your confirmation, we process the email address of the recipient concerned for the purpose of sending our email newsletter. The legal basis for the processing is Art. 6 (1) (1) (a) GDPR. We delete this data when you cancel the newsletter subscription. We process the data until you exercise your right of revocation by cancelling our newsletter.
You can revoke your consent to the processing of your email address for the receipt of the newsletter and email advertising at any time, either by sending us a message (see the contact details in the section “Responsible party and data protection officer”), on our website or by directly clicking on the unsubscribe link contained in the newsletter. The legality of the processing carried out on the basis of consent until revocation is not affected by the revocation.
We process your IP address, the time of registration for the newsletter and the time of your confirmation in order to document your newsletter registration and to prevent the misuse of your personal data. The legal basis of the processing is Art. 6 (1) (1) (f) GDPR. Our legitimate interest in this processing lies in the prevention of fraud. We delete these data at the latest when the newsletter subscription ends.
2.9 Events
Events requiring binding registration (e.g., training courses, webinars)
If you register on our website by email or via an invitation link for an event with limited capacity or binding participation (e.g., training courses, seminars), we will process your personal data for the purpose of organizing, conducting and following up on the event.
Categories of data processed:
- First and last name
- Company/organization
- Address (if necessary)
- Email address
- Telephone number, if applicable
- Name and company of accompanying persons, if applicable
Legal basis:
Art. 6 (1) (b) GDPR (contract or pre-contractual measures)
The provision of data is necessary for registration and implementation. Without this information, participation is not possible.
Events with non-binding registration (e.g., summer parties, internal receptions)
For events with non-binding registration (e.g., summer parties), where registration is for planning purposes only, we process your information exclusively for the purposes of organization and implementation.
Categories of processed data:
- Name, email address if applicable
- Company/organization
- Number and names of accompanying persons
- Information on dietary preferences or accessibility if applicable
Legal basis:
Art. 6 (1) (f) GDPR (legitimate interest)
Our interest lies in the orderly planning (e.g., catering, room planning, guest list), security, and execution of the event.
To protect your data and prevent unauthorized registrations, we use the so-called double opt-in procedure. After entering your registration data (e.g., name, email address), you will receive a confirmation email at the address you provided. Your registration will only become effective once you click on the confirmation link contained in the email.
As part of the double opt-in procedure, we process:
- Your IP address
- Date and time of registration
- Date and time of confirmation
This processing serves to authenticate and secure your registration and to prove that you actually made the registration.
The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest lies in protecting against misuse of our registration form and in proving proper communication.
Event management with “guestoo”
For technical processing, we use the cloud-based solution guestoo from Code Piraten GmbH (https://www.guestoo.de/). Your data is processed there for admission control, guest list management, and QR code creation.
Once the guest list has been finalized, you will receive a QR code generated by guestoo, which you can use to identify yourself at the entrance to the event. To grant you admission, we will scan your QR code on site on the day of the event. You will be granted access as soon as the system confirms that you are on the guest list. The system stores the fact that you have checked in and when.
The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is to control access to our events within the scope of our house rules and to grant admission only to invited guests.
Recipient:
We have a contract with Code Piraten GmbH for order processing in accordance with Art. 28 GDPR; the service provider is the recipient of your data.
Photo and video recordings at events
Photo and video recordings may be made during our events. These are used to document and publicize our activities (e.g., on our website, on social media or in print materials).
We take and process these photos and videos as part of our legitimate interest pursuant to Art. 6 (1) (f) GDPR in presenting our events and our company to the public and providing information about our work.
In doing so, we take care not to violate the interests of the persons depicted that are worthy of protection. If you do not wish to be photographed or filmed, you can contact the event team on site at any time.
Publication locations may include:
- our website
- social networks (e.g., LinkedIn, Instagram)
- newsletters or internal presentations
Storage duration
Participant-related data:
We store your personal data (e.g., registration data, guest list, check-in times) only for as long as is necessary for the preparation, execution, and follow-up of the event. Data is usually deleted within two weeks after the end of the event, unless there are legal retention obligations (e.g., for invoice and payment data in accordance with the German Commercial Code (HGB) or the German Fiscal Code (AO)) or other legal grounds for longer storage.
Image and video material:
We store recordings made during the event that are used for documentation or external presentation (e.g., publication on our website, in social media, or on the intranet) for the duration of the existing legitimate interest in their use, but no longer than until the purpose of use ceases to exist or the data subject has effectively objected. In these cases, the recordings in question will be deleted promptly or will no longer be used.
2.10 Getting in touch with POELLATH
If you contact us electronically, for example by sending us an email, using the contact form on our website, or calling us, we will process your email address, your name, and your other contact details, as well as the information you provide in your inquiry. To respond to your written inquiry, we require at least your email address. Processing this information is therefore mandatory.
Legal basis: We process your data based on Art. 6 (1) (f) GDPR, our legitimate interest in responding to your general inquiry. If you contact us because you are seeking legal advice or wish to conclude another contract with us, the legal basis is Art. 6 (1) (b) GDPR. If we are legally obliged to store your data, the legal basis is Art. 6 (1) (c) GDPR in conjunction with the respective standard.
Storage duration: Your data will only be processed to answer your inquiry and will be deleted immediately once your inquiry has been resolved, unless a contract has been concluded (see section 3), there are legal storage obligations, or we have legitimate interests in further storage.
2.11 Applications
The data transmitted as part of your application via our careers page is transmitted using TLS encryption and stored in a database. In managing our applications, we use the personnel administration and applicant management software “Personio” from the provider Personio SE & Co KG, Seidlstrasse 3, 80335 Munich, Germany. In this context, Personio is our processor in accordance with Art. 28 GDPR and therefore the recipient of your data. You can find more information about how your data is processed as part of the application management process here.
2.12 Transaction management using the “Legatics” tool
For the purpose of structured transaction execution, project-related document exchange, and joint work process management, we offer our clients the use of the Legatics platform, operated by:
Legatics Ltd.
71–75 Shelton Street
Covent Garden, London WC2H 9JQ, United Kingdom (“Legatics”)
Legatics enables all project participants to exchange transaction-related documents and information, edit them jointly, and track progress centrally via a web-based platform. It is used at the request of our clients within the scope of specific mandate processing.
If the use of Legatics has been agreed upon, we send an invitation to the project participants named by our clients to their respective email addresses. The invited persons can register with Legatics and create a user account. In this context, we process the name and email address of the invited persons for the purpose of sending invitations and assigning them to projects.
We are responsible for processing personal data in connection with:
- sending invitations,
- assigning projects,
- project-related use of the platform,
- evaluating activities within the scope of the mandate (e.g., document changes, comments, etc.).
Legatics is solely responsible for:
- the processing of personal data as part of the registration process,
- the operation of user accounts,
- any voluntary information provided in the user profile.
Further information on data processing by Legatics can be found in their privacy policy:
When using the platform, we process the following data, depending on the project context:
- Contact details: first and last name, email address
- Project data: project affiliation, role information
- Content data: uploaded or shared text/image files, chat messages, wiki/whiteboard entries, timestamps
- Communication data: task status, comments, mentions, document change history, notifications
We receive this data either directly from you or from our clients who add you to the platform.
Legal basis: The processing of the aforementioned personal data is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient, digital processing of transactions and projects, as well as structured and secure collaboration with clients and project participants.
Storage period: Personal data that we have processed in connection with the use of Legatics is deleted automatically within the platform six months after the respective transaction has been completed.
If there are legal retention obligations (e.g., under the German Commercial Code (HGB) or the German Fiscal Code (AO)), relevant documents and information are transferred to our internal document management system, where they are stored in accordance with legal requirements and deleted after the retention periods have expired - unless there is another legal basis for further storage.
Recipient: Legatics is the recipient of your data as a processor.
The processing of your personal data by Legatics may take place in the United Kingdom (UK). The European Commission has issued an adequacy decision for the United Kingdom in accordance with Art. 45 GDPR, so that data transfers to the UK are carried out on an appropriate data protection basis.
3. Advisory by POELLATH
We hereby inform you about the processing of your personal data when we advise or legally represent you as attorneys or tax advisors.
3.1. Requirement to provide your personal data, purposes of processing and legal basis
As a law firm and tax consultancy, we process the data of our (future) clients within the scope of our client relationship, insofar as they are natural persons. If our (future) clients are companies, we process the personal data of their legal representatives and employees. In addition, we process personal data of third parties who play a role in the respective case for which legal advice and representation is sought (e.g., witnesses, experts, other parties involved such as opponents and their legal representatives). If you contact us for the purpose of engaging our services and if you engage us, we process the following data:
- Master data (e.g., name, address, contact information such as email, telephone number, and website address);
- Mandate-related data (e.g., contracts, communication, evidence, witness data);
- Consulting data (e.g., contents of inquiries, documents, file notes, legal opinions, and legal assessments);
- Activity data (e.g., consulting documentation, performance records, invoices, and other information necessary for asserting and defending your rights within the scope of the mandate);
- Other data that you voluntarily provide to us within the scope of the mandate relationship;
- Information relevant to money laundering laws regarding your identity, the beneficial owners, the purpose and nature of the business relationship and the transactions carried out, as well as the money laundering risk. For natural persons, we also make a copy of an official identification document. For legal entities, we also collect the information required by the Money Laundering Act about the beneficial owners in terms of Section 3 GwG.
This data is processed
- to be able to identify you as our client;
- to comply with legal obligations;
- for acquisition purposes;
- to be able to provide you with appropriate legal or tax advice and representation, i.e., to examine and enforce your claims, to create files, to check for conflicts, to draw up and manage contracts, and to provide you with the desired legal advice;
- to be able to communicate with you;
- to make business processes efficient;
- for accounting and billing;
- to archive files, delete data, and document the mandate.
Legal basis: Data processing is carried out at your request and is necessary for the mandate pursuant to Art. 6 (1) (b) GDPR.
If you are not or do not wish to become a client yourself (e.g., because it is not you but the company you work for that has instructed us or wishes to instruct us, or if you are, for example, a witness, expert, other party involved or opponent or their representative), we process your personal data in accordance with Art. 6 (1) (f) GDPR. Our legitimate interests consist in the appropriate processing of mandates for the purposes mentioned, or, for example, in establishing contact.
If we are legally obliged to process data, we base this on Art. 6 (1) (1) (c) GDPR in conjunction with the respective legal provision, particularly to fulfill professional, commercial, and tax law obligations for documentation and storage, as well as to fulfill our obligations under the Money Laundering Act.
Under certain circumstances, we may need to process your personal data for the purpose of asserting or defending against claims; the legal basis for this is our legitimate interest under Art. 6 (1) (f) GDPR in the efficient defense of legal claims and enforcement of claims.
Storage duration: We delete personal data after and to the extent that storage is no longer necessary for the processing and execution of the mandate and there are no legitimate interests or legal obligations on our part, such as the professional retention period pursuant to § 50 BRAO or § 66 StBerG or statutory retention obligations (§ 147 AO, § 257 HGB, § 14b UStG). Deletion therefore generally takes place 6 to 10 years after the end of the client relationship, or after 30 years in the case of titled claims.
The provision of your personal data is necessary if you or the company you work for wish to engage us. If you do not provide your personal data, it will not be possible to establish and execute the client relationship. If we are subject to a legal obligation to process certain data, e.g., to prevent money laundering or under professional law, the provision of the relevant data is also mandatory for the mandate.
3.2. Recipients and categories of recipients
We share your data as part of mandate processing – unless previously mentioned above – as follows:
- IT and telecommunications service providers who maintain our systems (hosting, maintenance, and support) or provide services for the purpose of maintaining secure and functional IT operations.
- Data or file destruction companies, if documents must be disposed of in accordance with data protection regulations for the purpose of secure and proper disposal of sensitive information.
During our legal or tax advisory activities, it may also be necessary to disclose your personal data to third parties. Such disclosure will only take place:
- for the purpose of fulfilling our mandate,
- to comply with legal obligations,
- or based on legitimate interests in terms of Art. 6 (1) (f) GDPR.
The data will be disclosed to the following categories of recipients:
- Courts or authorities dealing with your case.
Legal basis: Art. 6 (1) (b) or (c) GDPR.
Purpose: Performance of the mandate or fulfillment of statutory obligations to cooperate.
- Third parties involved in your case, e.g., the opposing party and their legal representatives.
Legal basis: Art. 6 (1) (1) (f) GDPR.
Our legitimate interest lies in the effective legal representation and protection of our clients’ interests, which regularly requires the exchange of written pleadings and contact details with the opposing party.
- Colleagues from other law firms whom we may call upon to handle your case (e.g., as correspondent lawyers or sub-agents).
Legal basis: Art. 6 (1) (f) GDPR.
The legitimate interest is the proper handling of the mandate, particularly where there is a professional or local need to cooperate with third parties.
- Recipients in connection with the operation of the law firm, such as auditors, banks, insurance companies, tax advisors, certified public accountants, external legal or IT consultants, supervisory authorities, or translators.
Legal basis: Art. 6 (1) (f) or (c) GDPR.
Legitimate interest: proper business management, legal and economic security, compliance with professional and regulatory requirements.
- Logistics companies to which your address data is transmitted for the purpose of sending documents.
Legal basis: Art. 6 (1) (1) (f) GDPR.
The legitimate interest lies in the reliable transmission of documents within the scope of mandate processing.
- Law enforcement authorities (e.g., police, public prosecutor’s office), if there is concrete suspicion of a criminal offense.
Legal basis: Art. 6 (1) (c) GDPR.
Purpose: Fulfilment of legal notification obligations within the scope of preliminary investigations.
In addition, your personal data may be transferred to the following recipients or categories of recipients:
- P+P Training GmbH (see 2.8.)
POELLATH engages P+P Training GmbH to organize, plan, and implement events, with the latter taking full responsibility for event management. Within the scope of this cooperation, personal data, in particular contact details, event data, and participant information, may be transferred to the contracted company to the extent necessary for the execution, coordination, or follow-up of the respective event.
- Berliner Steuergespräche e.V.
- Münchner Unternehmenssteuerforum e.V.
- Münchner M&A Forum e.V.
If we transfer your data to a country that is not a member of the EU or the EEA, and for which no adequacy decision has been made by the EU Commission, we will take all necessary measures to secure the respective data processing. This includes, for example, standard contractual clauses of the EU Commission.
3.3 E-mail information
We reserve the right to use the email address you provided within the scope of the client relationship, in accordance with the statutory provisions, to send you information on publications, seminars and events by email from time to time during or after our consultation, provided that you have not already objected to this processing of your email address.
If the sending of electronic information is not necessary for the execution of the contract (e.g., email in informational form), the processing is based on Art. 6 (1) (1) (f) GDPR. Our legitimate interests in the above-mentioned processing are to increase and optimize our services, to send information on current market developments, to inform you of consulting offers, to invite you to free events, to send direct advertising and to ensure customer satisfaction. We delete your data at the latest after receiving your objection.
We would like to point out that you can object to receipt of this information, as well as the processing for the purpose of this information, at any time without incurring any costs other than the transmission costs according to the basic tariffs. You have a general right to object without stating reasons (Art. 21 (2) GDPR). You can declare your objection by sending us a message (see the contact details in the section “Responsible party and data protection officer”) or by directly clicking on the unsubscribe link contained in the emails.
4. Your rights
As a data subject, you have the following rights if the applicable requirements are met:
- Right to information (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
In addition, according to Art. 77 GDPR, you have the right to complain to a supervisory authority of your choice about our data processing. Our headquarters are in Berlin. The responsible supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
Furthermore, you have the right to object (Art. 21 GDPR) if we process data based on Art. 6 (1) (f) GDPR. Please note that in the case of data processing for purposes other than direct marketing, you must provide reasons arising from your particular situation. You can declare your objection by sending us a message (see the contact details in the section “Responsible party and data protection officer”).
If we process data relating to you based on your consent, you can revoke your consent with effect for the future. You can declare your revocation by sending us a message (see the contact details in the section “Responsible party and data protection officer”). There is no automated individual decision-making.
We do not use your personal data for automated individual decision-making in terms of Art. 22 (1) GDPR.
5. Changes to this privacy policy
New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adjusted accordingly. The latest version is always available on our website.
Last amended: July 2025