This Privacy Information explains how we process your personal data (“Data”) when you visit our website or our social media profiles, when you become our client or enter into another business relationship with us, or when you apply for a job with us.
Identity and contact details of the controller:
WIPIT Partnerschaft mbB
Rechtsanwälte Steuerberater
Ohmstraße 22
80802 München
T +49 89 38 39 95-0
F +49 89 38 39 95-99
info@wipit.legal
If you have any questions regarding data protection, please do not hesitate to contact our internal data protection team or our external data protection officer, DataCo GmbH, Sandstr.33, 80335 München, +49 89 452459 900, www.dataguard.de.
You are welcome to use our privacy mailbox for this purpose: privacy@wipit.legal.
Content:
I. Visiting our website
This section explains how we process your data when you visit our website.
1. Scope
When you access our website, the following data is transferred to our web server and stored in a log file:
2. Purposes
The processing of protocol data is necessary for the optimal display of the website content on your device. We also process this data to investigate and track attacks on our IT.
We use Matomo to analyse the activities on our website and thus adapt the design of our website to the needs of website visitors. We use consent cookies to record your consent/refusal to the Matomo analysis and thus fulfil the legal requirements for the setting of cookies.
3. Rechtsgrundlage der Datenverarbeitung
Die Verarbeitung dieser Daten erfolgt nach § 25 Abs. 2 Nr. 2 Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz(„TDDDG“), Art. 6 Abs. 1 lit. f EU-Datenschutzgrundverordnung(„DSGVO“) aufgrund unseres berechtigten Interesses, Ihnen die Webseite anzeigen zu können und Angriffe auf unsere IT nachverfolgen zu können.
3. Legal basis
We process protocol data and the information whether JavaScript is activated in accordance with Section 25 (2) No. 2 of the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, “TDDDG”) and Article 6 (1) point (f) of the EU General Data Protection Regulation (“GDPR”) due to our legitimate interest in being able to display the website for you and to track attacks on our IT.
4. Recipients
We use an external IT service provider, Zefyron GmbH, Rotwiesenstr. 26A, 70599 Stuttgart, Germany, to provide the website. This service provider processes your data exclusively in accordance with our instructions and on the basis of a data processing agreement in accordance with Article 28 GDPR.
5. Storage period
The log data is stored for a period of seven days and then deleted, except if a longer retention is necessary to follow up an identified attack.
II. Clients
This section explains how we processing of data when you become our client.
1. Scope
When you engage us, we collect the following data:
2. Purposes
We process your aforementioned data in response to your mandate, as necessary for the lawful and proper handling of your mandate and the mutual fulfilment of our obligations from the mandate relationship. Furthermore, we process the data for correspondence with you, the parties to the mandate, opponents and involved courts or authorities as well as for invoicing. The processing of some of this data may already be necessary for a collision check prior to the engagement.
3. Legal basis
We process data in response to the engagement based on Article 6 (1) point (b) GDPR if the client is a natural person. If our client is a legal entity, we process employee data in accordance with Article 6 (1) point (f) GDPR on the basis of our legitimate interest in being able to handle and fulfil the mandate.
We process your data for the money laundering audit based on a legal obligation and thus in accordance with Article 6 (1) point (c) GDPR in conjunction with the German Money Laundering Act (Geldwäschegesetz, “GWG”).
4. Recipients, transfer to third countries
To the extent necessary in accordance with Article 6 (1) point (b) GDPR for the handling of client relationships or for the handling of a notarial matter (Article 6 (1) points (c) and (e) GDPR) with you, your data will be passed on to third parties. This particularly includes the transfer of data to the opposing party, as well as courts, public registers and other public authorities for the purpose of correspondence and for the assertion and exercise of your rights. Third parties are bound by law to use the data passed on exclusively to the extent required or necessary for the above-mentioned purposes.
Beyond this, data will only be passed on if you, as the data subject, give your consent (Article 6 (1) point (a) GDPR) or if we, as the controller in accordance with Article 6 (1) point (c) GDPR, are legally obliged to pass on the data, for example to tax and revenue authorities in the course of corresponding audits.
For the support, storage and hosting of our IT systems and applications, we use the following service provider, who processes your data only in accordance with our instructions and on the basis of a data processing agreement in accordance with Article 28 GDPR:
Markus Schiller Office- und IT-Lösungen, Feursstr. 21b, 82140 Olching.
We may transfer data to countries outside the European Union and the European Economic Area (“third countries”) if, for example, you communicate with us from a third country or via email providers in a third country (such as Google or Microsoft in the Office 365 environment). This may also happen if the mandate concerns a matter in third countries and therefore requires communication with parties in these third countries. In such cases, the communication in third countries is carried out on the basis of Article 49 (1) point (b) GDPR.
Your data will not be transferred to third parties for purposes other than those listed.
The attorney-client confidentiality remains unaffected. Insofar as data is subject to the attorney-client privilege, it will only be passed on to third parties with your express consent (Article 6 (1) point (a) GDPR), or to the extent necessary for the assertion of legitimate interests, e.g. for the enforcement or defence of claims arising from the client relationship or for defence on one’s own behalf (Article 6 (1) point (f) GDPR).
5. Storage period
The data collected by us during the engagement and the handling of the mandate will be stored until the expiry of the statutory retention period for lawyers (pursuant to Section 50 (1) of the German Federal Code for Lawyers [Bundesrechtsanwaltsordnung, “BRAO”] 6 years after the end of the calendar year in which the mandate ended) and deleted thereafter, unless we are obligated to retain the data for a longer period pursuant to Article 6 (1) point (c) GDPR due to storage and documentation obligations under tax law and commercial law (under the German Commercial Code [Handelsgesetzbuch, “HGB”], the German Criminal Code [Strafgesetzbuch, “StGB”] or the German Fiscal Code [Abgabenordnung, “AO”]) or in notarial matters due to permission in accordance with Article 6 (1) points (c) and (e) GDPR (under the official regulations for notaries [Dienstordnung für Notarinnen und Notare, “DONot”]), the storage is necessary for the assertion, exercise or defence of civil law claims in accordance with Section 24 (1) No. 2 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) or you have consented to an extended storage in accordance with Article 6 (1) point (a) GDPR.
III. Mandate-related contacts
This section explains how we process your data for the purpose of a mandate if you are not our client but, for example, a witness, a family member or an employee of a public authority.
1. Scope
We process data we receive from you when we contact you on the basis of a client relationship, and which we require for handling our mandate. This may include the following data:
2. Purposes
Your data will be processed for the purpose of handling the mandate and protecting the interests of our clients.
3. Legal basis
We process your data either on the basis of Article 6 (1) point c GDPR due to legal obligations or on the basis of Article 6 (1) point f GDPR due to our legitimate interest. The legitimate interest in this case is the protection of our clients’ interests and the proper handling of the mandate.
4. Recipients
Recipients of your or your employees’ data may be entities, institutions or individuals. Recipients can in particular include authorities, public offices, or courts, but also experts, our clients’ opponents or other involved parties. The transfer of data is based on our legitimate interest (Article 6 (1) point f GDPR) in being able to handle the mandate properly, so that data is only transferred to the extent necessary to safeguard this interest.
5. Storage period
We will delete your data, together with all mandate-related data, after expiry of the statutory retention period for lawyers (pursuant to Section 50 (1) of the German Federal Code for Lawyers [Bundesrechtsanwaltsordnung, “BRAO”] 6 years after the end of the calendar year in which the mandate was terminated), unless we are obliged to retain the data for a longer period pursuant to Article 6 (1) point (c) GDPR due to storage and documentation obligations under tax law and commercial law (under the German Commercial Code [Handelsgesetzbuch, “HGB”], the German Criminal Code [Strafgesetzbuch, “StGB”] or the German Fiscal Code [Abgabenordnung, “AO”]) or in notarial matters due to permission in accordance with Article 6 (1) points (c) and (e) GDPR (under the official regulations for notaries [Dienstordnung für Notarinnen und Notare, “DONot”]), the storage is necessary for the assertion, exercise or defence of civil law claims in accordance with ection 24 (1) No. 2 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), or you have consented to an extended storage beyond in accordance with Article 6 (1) point (a) GDPR.
IV. Business contacts and their employees
This section explains how we process data of our business partners or their employees.
1. Scope
Within the scope of our business relationship with you as a business partner or employee of a business partner, we process the data that we receive from you or your employer.
In particular, this concerns data that we receive when you or your colleagues interact with our employees.
We process the following categories of data in this context:
2. Purposes
We will process your data for the purpose of establishing and implementing the contractual relationship with our business partner as well as for fulfilling the legal requirements.
3. Legal basis
We process the data on the following legal basis:
If you personally are our business partner, the processing is carried out on the basis of Article 6 (1) point (b) GDPR for the purpose of implementing or initiating a contract
For the purpose of fulfilling legal obligations, the processing is carried out on the basis of Article 6 (1) point (c) GDPR in conjunction with legal and official requirements (e.g. under tax and commercial law)
If you are an employee of one of our business partners, your data will be processed on the basis of our prevailing legitimate interest in accordance with Article 6 (1) point (f) GDPR. Our legitimate interest lies in the functioning and practicable cooperation with our business partners and the employees of our business partners
4. Recipients
Within our firm, only those persons who need your data for the described purposes have access to it.
We also transfer your data to authorities (e.g. tax office, police, public prosecutor’s office, social insurance agencies) or courts within the scope of their respective responsibilities if we are obliged to do so by law or by official order. In these cases, data will also only be transferred by us to the extent necessary for the respective purposes.
5. Storage period
We will store your data as long as the data is required for the specific processing purpose. We generally store your data at least for the duration of our business relationship with you or the business partner you work for.
In addition, we store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as required under statutory retention periods (e.g. under the German Commercial Code [Handelsgesetzbuch, “HGB”], the German Fiscal Code [Abgabenordnung, “AO”]), but generally for a maximum of ten years.
Under certain circumstances, we may have to retain your data for a longer period of time. This may for example be the case if in connection with an official or judicial procedure an order is issued prohibiting the deletion of data.
V. Video conferencing tools
We use the Microsoft Teams (“MS Teams”) video conferencing tool to hold video and audio conferences, webinars and other types of video and audio meetings.
In this section, we explain which data we process when you take part in a video or audio conference with us using the MS Teams video conferencing software.
1. Scope
2. Purposes
We process this data for the purpose of organizing, providing and holding online meetings/video conferences in connection with the client relationship.
3. Legal basis
If you have an established client relationship with us or if such a relationship is to be established, we process your data to fulfil our obligations arising from the client relationship. The legal basis is Article 6 (1) point (b) GDPR if the client is a natural person. If our client is a legal entity, we process the data of our client´s employees and data of other natural persons who participate in the video/audio conference within the scope of the mandate based on our legitimate interest in efficient and secure communication with our communication partners in accordance with Article 6 (1) point (f) GDPR.
4. Recipients
MS Teams is a cloud application provided to us by Microsoft Ireland Operations Ltd (“Microsoft”). In this context, Microsoft processes data on our behalf and in accordance with our instructions on the basis of a data processing agreement (Article 28 GDPR). In addition, we have concluded a separate confidentiality agreement for professional secrecy holders with Microsoft, by which Microsoft acknowledges that the data processed by us is subject to special legal or notarial confidentiality.
If data is stored in the cloud when using MS Teams, the storage takes place exclusively in the European Union (dormant data). However, data processed during the use of MS Teams may also be processed in third countries, particularly if participants are located outside the EU. For these cases, Microsoft uses sub-processors (e.g. Microsoft Inc.) and provides sufficient data protection guarantees for potential third country transfers in accordance with Article 44 et seq. GDPR; Microsoft is certified under the EU-US Data Privacy Framework.
5. Storage period
Data we process in connection with the use of MS Teams is generally deleted as soon as it is no longer required for the purposes for which it was collected. We delete meta data after 30 days.
VI. Job applicants
You can apply to us in response to our published job offers or send us an unsolicited application. In this section, we explain which data will be processed in this context.
1. Scope
During the application process we process the following data categories:
A minimum of data is required for the purpose of carrying out our applicant selection process.
Your application documents will be sent to the contact person named in the job advertisement and will be forwarded internally to other persons responsible for the application process.
2. Purposes
We will process your data in order to assess whether you are an eligible job candidate in the context of the applicant selection process.
3. Legal basis
The legal basis for the data processing is Section 26 (1) of the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) and Article 6 (1) point (b) GDPR (contract initiation). Any information that you provide voluntarily and which goes beyond what is required will be processed based on our legitimate interest (Article 6 (1) point (f) GDPR), i. e. being able to optimally respond to your application. If, in individual cases, you provide information for which we have no legal basis for processing, we will not process it.
4. Recipients
Within our firm, only those persons have access to your data who need it for the above-mentioned purposes. These are primarily the responsible partners, responsible HR employees and those persons who are necessarily involved in the applicant selection process.
5. Storage period
If we establish an employment relationship with you, we will process your data for the purposes of the employment relationship in accordance with a separate privacy information, which you will receive from us then.
In the event that no employment relationship is established with you, we will generally store your data for a period of six months from the time you receive the rejection. Your application documents are then deleted.
VII. Social Media Profile: LinkedIn
No cookies of social media platform operators are integrated on our website (e.g. via plug-ins). However, we operate various social media profiles of our own in order to constantly improve our visibility and to provide information on the respective social media platforms.
In this section, we explain what data we process on LinkedIn.
Scope
You can interact with our profile on LinkedIn e.g. by following us, by “liking” or leaving comments on our posts, or by sharing updates we posted. In this case, we will receive a notification from LinkedIn that you have visited or interacted with our account. We can then see your profile name, your interaction and – if available – your profile picture. If you contact us through LinkedIn via direct messaging, we can see your user profile and message.
LinkedIn also provides us with information about visitors, followers, and updates to our LinkedIn site (“Page Insights”). This information is displayed on our administrator page. Both we and LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland, “LinkedIn”) are jointly responsible for the processing of your data in connection with this function on our LinkedIn page. In particular, LinkedIn is responsible for complying with your privacy rights in connection with Page Insights. However, you may still contact us to assert your rights.
Purposes
We process the data in order to be able to interact with you on your initiative, and to read and respond to your request or notification.
We do not use the analysis function, but we cannot deactivate it, because LinkedIn does not provide this option.
Legal basis
We process your data based on our legitimate interest in accordance with Article 6 (1) point (f) GDPR. Our legitimate interest consists in the interaction with you as described above.
Recipients
Your data will be viewed by our employees who manage our LinkedIn account.
In addition, LinkedIn processes your data in accordance with its own privacy information.
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Privacy Information: https://www.linkedin.com/legal/privacy-policy
Opt-out for advertising: www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Storage period
We cannot delete your messages or other data because we do not have the authorization to do so. We do not actively use direct messages on LinkedIn to communicate with you – we prefer encrypted communication via e-mail. If you send us direct messages, we will delete them at the latest one year after receipt of your message.
VIII. Your rights as a data subject
The following rights may be especially limited by client confidentiality in accordance with Article 23 GDPR in conjunction with Section 29 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”). Provided there is no conflict with the client relationship and the statutory requirements are met, you have the following rights:
1. Right of access
You have the right to obtain free information on request as to whether or not data concerning you are being processed and, where this is the case, what data we process about you (Article 15 GDPR). You may submit a new request after a reasonable period of time. You also have the right to receive a copy of your data undergoing processing by us.
2. Right to rectification
You may also request the correction of incorrect data concerning you in accordance with Article 16 GDPR. You further have the right to request the completion of incomplete data concerning you, taking into account the purposes of the processing.
3. Right to erasure (“right to be forgotten”)
If the prerequisites of Article 17 GDPR are met, you can request the erasure of your data.
4. Right to restriction of processing
You have the right to request that we restrict processing if the requirements of Article 18 GDPR are met. This is the case, for example, if the processing of your data is no longer necessary for our purposes, but you need it to establish, exercise or defend legal claims. If the processing of your data is restricted, such data – apart from being stored – may only be processed by us with your consent or in the special cases mentioned in Article 18 (2) GDPR.
5. Right to data portability
Insofar as data provided by you is processed by us pursuant to Article 6 (1) point (b) or point (a) GDPR (based on a contract or based on your consent) by automated means, you may, under the prerequisites of Article 20 GDPR, request to receive such data in a structured, commonly used and machine-readable format. In this case, you can also request that we transmit this data to another controller.
6. Withdrawal of consent
If we process your data based on your consent, you have the right to withdraw your consent at any time with effect for the future (Article 7 (3) GDPR).
4. Right to restriction of processing
You have the right to request that we restrict processing if the requirements of Article 18 GDPR are met. This is the case, for example, if the processing of your data is no longer necessary for our purposes, but you need it to establish, exercise or defend legal claims. If the processing of your data is restricted, such data – apart from being stored – may only be processed by us with your consent or in the special cases mentioned in Article 18 (2) GDPR.
5. Right to data portability
Insofar as data provided by you is processed by us pursuant to Article 6 (1) point (b) or point (a) GDPR (based on a contract or based on your consent) by automated means, you may, under the prerequisites of Article 20 GDPR, request to receive such data in a structured, commonly used and machine-readable format. In this case, you can also request that we transmit this data to another controller.
6. Withdrawal of consent
If we process your data based on your consent, you have the right to withdraw your consent at any time with effect for the future (Article 7 (3) GDPR).
7. Right to object
If your data are processed by us on the basis of our prevailing legitimate interest (Article 6 (1) point (f) GDPR), you also have the right to object if your interest against data processing outweighs our interest in processing on grounds relating to your particular situation. In the event of an objection, we therefore ask you to inform us of your reasons for objecting to the data processing.
8. Assertion of your data subject rights
To assert your rights as a data subject, please contact our data protection officer by email or letter (contact details below).
9. Right to lodge a complaint with a supervisory authority
If you consider that your data is being processed unlawfully, you can lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).
IX. Contact and data protection officer
If you have any questions about this Privacy Information or about how we process of your personal data, you can contact our data protection officer.
DataCo Gmb, Dachauer Straße 65, 80335 München, 089/452459-900, www.dataguard.de
Last update: January 2025