Data Protection Declaration
1. General information
1.1 We, NEON Partnerschaft von Rechtsanwält:innen mbB as well as the notaries associated to the partnership (hereinafter: “we” or “us“) would like to inform you here about the processing of personal data in our company.
1.2 The terms used below have the same meaning as in the General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR“).
2. Data Controller
We are the controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:
NEON Partnerschaft von Rechtsanwält:innen mbB, limited liability partnership registered in the Partnership Register of the Local Court of Charlottenburg under the register number PR 472 B
Schlüterstraße 37, 10629 Berlin
Tel.: +4930 889 190
Fax.: +4930 889 19100
info@neon.law
3. Contact person
Our company data protection officer is always available to answer any questions you may have and to act as your point of contact for data protection issues. His contact details are
NEON Partnerschaft von Rechtsanwält:innen mbB, limited liability partnership registered in the Partnership Register of the Local Court of Charlottenburg under the register number PR 472 B
Schlüterstraße 37, 10629 Berlin
datenschutz@neon.law
4. Rights of data subjects
4.1 You can assert your rights as a data subject with regard to the processed personal data against us at any time. You have the following rights:
a) to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of the data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
b) in accordance with Art. 16 GDPR, to immediately request the correction of incorrect data or the completion of your data stored by us;
c) in accordance with Art. 17 GDPR, to demand the deletion of your data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
d) in accordance with Art. 18 GDPR, to demand the restriction of the processing of your data if the accuracy of the data is disputed by you or the processing is unlawful;
e) in accordance with Art. 20 GDPR, to receive the data you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller (“data portability“);
f) pursuant to Art. 21 GDPR to object to the processing if the processing is based on Art. 6 para. 1 lit. e or lit. f GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. If you object to the processing of data for the purpose of direct marketing, we will cease processing immediately. This also applies to profiling insofar as it is associated with direct advertising;
g) in accordance with Art. 7 para. 3 GDPR, to revoke your consent to us at any time, if given prior. As a result, we may no longer continue the data processing that was based on this consent in the future;
h) to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. You can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
4.2 If you exercise your rights, we will process your personal data in accordance with Art. 6 para. 1 lit. c GDPR in order to process your request and for identification purposes.
5. Website
5.1 When you visit our website, the following categories of personal data are collected, stored and processed by us:
a) Scope of data processing
When you visit our website, a so-called log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:
- the URL of the page from which the page was requested (so-called referrer URL),
- the name and URL of the requested page,
- the date and time of the access,
- the description of the type, language and version of the web browser used,
- the IP address of the requesting computer, which is shortened, so that a personal reference can no longer be established,
- the amount of data transferred,
- the browser,
- the operating system,
- the message whether the access was successful (access status/Http status code),
- the GMT time zone difference.
b) Purpose of data processing:
The storage of log data for the duration of the session is necessary to display our website to you. The processing also serves to ensure the permanent functionality and security of our websites and information technology systems.
c) Legal basis for data processing:
The legal basis for the processing of log data is Art. 6 para. 1 lit. f GDPR, our legitimate interest being achieving the stated purposes.
d) Recipient of the data:
We use external service providers for the operation of the website, who process personal data strictly in accordance with instructions on the basis of a data processing agreement in accordance with Art. 28 GDPR. We use the following service provider to host the website: hostNET Medien GmbH, Osterdeich 107, 28205 Bremen. Technical support is provided by: ALEKS & SHANTU GmbH, Seelower Str. 4, 10439 Berlin.
e) Storage duration:
The log data is stored for a period of seven days and then deleted, unless it needs to be retained for longer in exceptional cases to track an identified attack.
5.2 We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard disk by means of a characteristic string of characters, through which certain information flows to the website that sets the cookie.
a) We use first-party and third-party cookies. First-party cookies come from our website and send information only to us; third-party cookies are placed on our website by third parties and send information about your device to other companies that recognize that cookie. In most cases, the information in a cookie is pseudonymized or anonymized because cookies generally do not identify you as a person, but your device. In a few cases, certain cookies may be linked to personal data. We will only process such information if you give us your consent or if the processing is necessary for you to use a particular service.
b) Technically necessary cookies: These are absolutely necessary to move around the website, to use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited; Necessary cookies cannot be deactivated as they are absolutely necessary for the provision of the website, but you can delete them in your browser after using the website. The legal basis for the processing of these cookies is our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. The basis of our legitimate interest is to ensure the security and functionality of our website. In addition, the storage of the necessary cookies in your browser or in your terminal device is necessary in accordance with Section 25 para. 2 No. 2 TDDDG so that the website you have called up can be made available with its services.
c) We also use cookies for analysis or advertising purposes. However, we only do this if you have given your prior consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time and without giving reasons. You can find more information about the respective cookies in our cookie banner.
5.3 To manage cookies on our website and to obtain the necessary consent, we use Hugli consent management tool to manage cookies and similar technologies on our website. Hugli is a plugin developed by our web development team. Through Hugli, you can review and update your cookie preferences at any time in accordance with your privacy choices.
5.4 Google Analytics
We use Google Analytics only with your prior consent, which you can provide via our cookie consent management tool. If you choose “accept only necessary cookies,” Google Analytics will not be activated and no related cookies will be set. You can withdraw or change your consent at any time via the cookie settings link in the footer of our website.
Google Analytics is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google uses cookies to help us analyze how visitors use our website. The information generated by these cookies about your use of the website may be transmitted to and processed by Google on servers in the United States. Please note that such transfers may involve certain risks due to the absence of an EU adequacy decision and limitations on enforcement of your rights.
The following cookies may be set when you consent to the use of Google Analytics:
_ga (Host: google.com) – Used to distinguish users;
_gid (Host: google.com) – Used to distinguish users;
_gat (Host: google.com) – Used to throttle request rates;
For more information on how Google processes your data, please see Google’s privacy policy: https://policies.google.com/privacy?hl=en
Legal basis: Art. 6(1)(a) GDPR (consent)
5.5 Vimeo
We integrate videos on our website using the video platform Vimeo operated by:
Vimeo.com, Inc.
555 West 18th Street
New York, NY 10011
USA
https://vimeo.com/privacy
When you visit a page on our website that contains a Vimeo video, a connection to Vimeo’s servers is established. This informs Vimeo’s server which of our pages you have visited. In addition, Vimeo obtains your IP address. This may also occur if you are not logged into Vimeo or do not have a Vimeo account.
Vimeo may store cookies or use comparable recognition technologies (e.g., device fingerprinting) on your device to analyze user behaviour, improve its services, and personalise content. If you are logged into your Vimeo account, you enable Vimeo to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your Vimeo account before accessing content on our website.
Data processing may involve the transfer of personal data to the United States. Vimeo’s use of such data is governed by Vimeo’s own privacy policy. For more information on the scope and purpose of data collection, as well as your rights and settings options to protect your privacy, please refer to Vimeo’s privacy policy linked above.
5.6 YouTube
We integrate videos on our website using the video platform YouTube, which is operated by:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
https://policies.google.com/privacy
When you visit a page on our website that contains a YouTube video, a connection to YouTube’s servers is established. This informs YouTube’s server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your YouTube account before accessing our website.
YouTube may store cookies or use comparable recognition technologies on your device to analyse user behaviour, improve its services, and personalise content. Data processing may involve the transfer of personal data to the United States.
For more information on the handling of user data, please refer to YouTube’s privacy policy linked above.
6. Clients and client-related contacts
In this section, we provide information about the processing of personal data in the context of a mandate.
6.1 Scope of data processing
When we are mandate, we generally collect the following data:
- Salutation, title, first name, surname;
- Name and designation of the company or organization in which the respective person works;
- E-mail address, address (business and private), telephone number, fax number;
- Information about facts and data that are necessary for the assertion and exercise of rights within the scope of the mandate or for the handling of a notarial matter;
- correspondence arising in the context of the mandate with the personal data contained therein;
- all data collected for the purpose of invoicing our services (activity records, if applicable with contact persons from telephone calls or meetings) including account details and, if necessary, tax identification number and
- in individual cases, data required under the Money Laundering Act, in particular date of birth, place of birth, nationality, copy of identity card or passport, data on beneficial ownership and information on whether beneficial owners or their immediate family members or close associates are a politically exposed person.
6.2 Purpose of data processing:
The processing of the aforementioned personal data takes place on the basis of the mandate and is necessary for the lawful and appropriate processing of the mandate and the mutual fulfillment of obligations arising from the client relationship or for the handling of a notarial process. Furthermore, we process the data for correspondence with the client, the parties to the mandate, opposing parties and courts or authorities involved as well as for invoicing. It may be necessary to process the above data in order to check for conflicts prior to the engagement.
6.3 Legal basis:
The legal basis for the processing of client data for the purposes of processing the mandate is Art. 6 para. 1 lit. b GDPR, insofar as the client is a natural person. If our client is a legal entity, we process the client’s employee data in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in being able to process and fulfill the mandate. We process data of other data subjects in connection with the processing of the mandate in accordance with Art. 6 para. 1 lit. f GDPR. Insofar as personal data is processed for money laundering checks, the legal basis is Art. 6 para. 1 lit. c GDPR in conjunction with the Money Laundering Act. When processing notarial transactions, the legal basis is Art. 6 para. 1 lit. c and e GDPR.
6.4 Personal data will only be passed on to third parties if this is necessary for the above-mentioned purposes. This includes the disclosure of data to opposing parties in proceedings, in notarial matters to parties to proceedings or documents, and their representatives (in particular their lawyers) as well as courts, public registers and other public authorities for the purpose of correspondence and for asserting and exercising your rights. Third parties are legally obliged to use the data disclosed exclusively to the extent required or necessary for the purposes stated in the processing of the mandate.
6.5 In addition, data will only be passed on if consent has been given (Art. 6 para. 1 lit. a GDPR) or if we, as the controller, are legally obliged to pass on data in accordance with Art. 6 para. 1 lit. c GDPR, for example to tax and financial authorities in the context of corresponding audits.
6.6 As part of our tax obligations, we use the services of a tax advisor. Only if it is necessary for tax law reasons can the tax consultant view personal data (e.g. on fee invoices). The tax consultant is already obliged to protect your data because of their professional duty of confidentiality.
6.7 We use various service providers for the support, storage and hosting of our IT systems and applications, who only process your data in accordance with our instructions and based on an order processing contract in accordance with Art. 28 GDPR.
6.8 We may transfer data to countries outside the EU and the European Economic Area (“third countries“) if, for example, you communicate with us from a third country or via email providers in a third country (such as Google or Microsoft as part of Office 365). This is also possible if the mandate relates to a matter in third countries and therefore requires communication with parties in third countries. In these cases, the transfer to third countries takes place based on Art. 49 para. 1 lit. b GDPR. Your data will not be transferred to third parties for purposes other than those listed.
6.9 The attorney-client privilege remains unaffected, as does the obligation of our notaries to maintain confidentiality. Insofar as data is concerned that is subject to attorney-client privilege, it will only be passed on to third parties with express consent (Art. 6 para. 1 lit. a GDPR), or insofar as this is necessary to safeguard legitimate interests, e.g. to enforce or defend claims arising from the client relationship or to defend our own interests (Art. 6 para. 1 lit. f GDPR).
6.10 Storage period: The data collected by us in the context of the mandate and the processing of the mandate will be stored until the expiry of the statutory retention obligation for lawyers (in accordance with Section 50 para. 1 BRAO six years after the end of the calendar year in which the mandate was terminated) and then deleted, unless we are obliged to store the data in accordance with Art. 6 para. 1 lit. c GDPR due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO) or in notarial matters due to the permission according to Art. 6 para. 1 lit. c and e GDPR are obliged to a longer storage (DONot) or have consented to further storage according to Art. 6 para. 1 lit. a GDPR.
7. Business communication
In the following, we inform you about how we process data of our business partners or employees of our business partners.
7.1 Scope of data processing: As part of our business relationship with you as a business partner or employee of business partners, we process the data that we receive from you or your employer. This is data that we receive when you or your colleagues have contact with our employees. We process the following categories of data in this context:
- Professional contact and organizational data: e.g. surname, first name, title, academic degree, gender, name of the company you work for, department, professional e-mail address, address, telephone number;
- Data on professional circumstances: e.g. job title, tasks, activity, qualifications.
- Other: In addition, we may process other data that you provide during interactions with our employees or that we have legitimately collected about you from publicly available sources (e.g. commercial register)
7.2 Purpose of data processing: Your data will be processed by us for the purpose of establishing and implementing the contractual relationship with our business partner and to comply with legal requirements.
7.3 Legal basis for data processing: We process the data based on the following legal bases:
a) If you are personally our business partner, the processing is carried out based on Art. 6 para. 1 lit. b GDPR for the execution or initiation of a contract.
b) For fulfilling legal obligations, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with legal and official requirements (e.g. from tax and commercial law).
c) If you are an employee of one of our business partners, your data will be processed based on our overriding legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the functioning and practicable cooperation with our business partners and the employees of our business partners.
7.4 Recipients of the data: Within our law firm, only those people have access to your data who need it for the purposes described. We also transfer your data to authorities (e.g. tax office, police, public prosecutor’s office, social security institutions) or courts within the scope of their respective responsibilities if we are obliged to do so by law or by order. In these cases, too, we will only transfer data to the extent that this is necessary for the respective purposes.
7.5 Storage period: Westore your data for as long as we need it for the specific processing purpose. We regularly store your data for at least the duration of our business relationship with you or the business partner for whom you work.
In addition, we store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).
Under certain circumstances, we may have to store your data for longer. This is the case, for example, if a ban on data erasure is ordered for the duration of the proceedings in connection with official or court proceedings.
8. Video conferencing tools
8.1 We use third-party video conferencing tools to conduct video and audio conferences, webinars and other types of video and audio meetings. The following categories of data are processed:
- Inventory data (e.g. names, addresses);
- Contact details (e.g. e-mail, telephone numbers);
- Content data (e.g. text entries, photographs, videos);
- Meta/communication data (e.g. device information, IP addresses).
8.2 The purpose of processing the data is to set up and conduct online meetings / video conferences. The processing is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR or in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interests in efficient and secure communication with our communication partners.
8.3 We have concluded a data processing agreement with the providers of the video conferencing solution in accordance with Art. 28 GDPR. The EU standard contractual clauses apply to ensure a sufficient guarantee for any data transfers to the USA or other third countries.
9. Applications
If you would like to become part of our team and apply for a job with us, we will process your personal data as follows:
9.1 Scope of data processing:
We process the following categories of data during the application process:
- Private contact and identification data: e.g. surname, first name, academic degree, gender, e-mail address, address and telephone number;
- Data on professional qualifications, such as school and educational qualifications, language skills, as well as your place of study or training, certificates;
- Curriculum vitae and data contained therein;
- Other data provided as part of the application.
9.2 Transmission within the company: The application documents are sent to the contact person named in the job advertisement and are forwarded internally to other partners responsible for the application process and employees.
9.3 Processing via Personio: We use the HR management and recruiting software Personio to manage applications and the recruitment process. Personio is provided by:
Personio SE & Co. KG
Rundfunkplatz 4
80335 Munich
Germany
https://www.personio.com/privacy-policy/
In this context, the application data submitted by you (as described above) will be stored and processed on Personio’s secure servers within the European Union. The use of Personio enables us to efficiently manage application documents, schedule interviews, and communicate with applicants.
Personio acts as a data processor on our behalf pursuant to Art. 28 GDPR. A corresponding data processing agreement is in place to ensure that your personal data is processed strictly in accordance with our instructions and in compliance with the GDPR. For more information on how Personio handles personal data, please refer to Personio’s privacy policy linked above.
9.4 Purpose of data processing: We process the application data exclusively for the purpose of carrying out the application process.
9.5 Legal basis for data processing: The legal basis for data processing is Section 26 para. 1 BDSG and Art. 6 para. 1 lit. b GDPR. If we receive personal data as part of the application that is not required for the application process, we will not process it.
9.6 Recipient of the data: Internally, only those persons have access to the application data who need it for the stated purposes. These are primarily the responsible partners and HR employees.
9.7 Storage period: If an employment relationship is established, we will continue to process the application data for the purposes of the employment relationship. Detailed information on this is provided in the data protection information for employees. In the event that no employment relationship is established, we generally store the application data for a period of six months from the date of rejection. The application documents are then deleted.
10. Marketing e-mails
10.1 We occasionally send e-mails with advertising content. In this context, we generally process the following data:
- Surname, first name, title;
- E-mail address and
- Information about whether and when the e-mails were opened and what content in the e-mail was clicked on.
10.2 We send promotional emails for marketing purposes. If a business relationship already exists and our advertising measure relates to similar services, the legal basis is Art. 6 para. 1 lit. f GDPR. Otherwise, we obtain consent in advance. In this case, the legal basis is Art. 6 para. 1 lit. a GDPR.
10.3 We would like to point out that we evaluate your user behavior in marketing e-mails. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the email also contain this ID. The data is only collected in pseudonymized form.
10.4 We use the “rapidmail” service from the provider rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau, Germany, to send and analyze marketing emails. We have concluded an order processing agreement with rapidmail in accordance with Art. 28 GDPR.
10.5 You can object to receiving marketing emails at any time and without giving reasons. To do so, click on the unsubscribe link contained in every marketing email or contact us using the contact details above.
11. Social Media
11.1 We operate various social media profiles in order to provide information on the respective social media platforms and to be able to contact you. Please note that the respective platform operator may store cookies in your browser in which your usage behavior is stored for market research and advertising purposes. These usage profiles can also be created across devices. The platform operators evaluate these usage profiles in order to display personalized advertising to you. Data processing may also affect people who are not registered as users with the respective social media platform. The data may also be shared by the platform operators with other companies and transferred to countries outside the EU.
11.2 We receive information from the platform operator, in particular statistical evaluations, about visits to our social media profile. This may also involve personal data. Both we and the respective platform operator are jointly responsible for the processing of personal data in this context. A corresponding agreement on joint processing will be published by the respective platform operator. The processing of your personal data when you visit one of our social media profiles is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information option to improve our external presentation and communication with you. The legal basis for this is Art. 6 para. 1 lit. f GDPR. If you have given a platform operator your consent to data processing, Art. 6 para. 1 lit. a GDPR is the legal basis.
11.3 Further information on the scope, purpose and legal basis of data processing on social media platforms and your rights vis-à-vis the platform operator can be found here:
a) LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Irland: https://www.linkedin.com/legal/privacy-policy
b) Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland: https://www.instagram.com/legal/privacy/
c) New Work SE (operator of XING platform), Dammtorstraße 30, 20354 Hamburg, Germany: https://privacy.xing.com/en/privacy-policy
12. Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with further information on request. Please contact our data protection officer.
13. Profiling
We will not use personal data collected from you for any automated decision-making process (including profiling).