Information on data processing according to Article 13 & 14 GDPR

1 General

The law firm ASG | Asche Stein Glockemann Verstl Wiezoreck ("ASG") offers its clients advisory skills in the areas of legal advice, tax advice and auditing. Our lawyers, tax advisors and auditors work closely together to develop optimal synergies. Our services essentially include

  • Legal advice: advisory and forensic activities, litigation
  • Tax advice: advisory activities and compliance (preparation of accounting, annual financial statements and tax returns)
  • Auditing: advisory activities, preparation of annual financial statements, statutory and voluntary audits.

With this information on data processing, we inform you about the processing of your data in our law firm and the data protection claims and rights to which you are entitled within the meaning of Articles 13 and 14 of the General Data Protection Regulation (GDPR).

For information on the responsible authority and the data protection officer, please refer to the data protection declaration on this homepage: www.aschestein.de/en/data-protection.

1.1 Processing purposes and where the data comes from

We process your personal data (in the following "data") exclusively on the basis of the statutory provisions.

As a rule, we receive data from our clients themselves. Data from opposing parties are provided by the opposing party in the course of legal disputes or court proceedings.

We receive data from job applicants personally, via the employment agency, web portals or recruitment agencies.

1.2 On what legal basis is the data processed?

We process your data

  • to fulfil (pre-)contractual obligations in accordance with Article 6 (1) b GDPR. You must provide us with this data, otherwise cooperation is not possible.
  • for the fulfilment of legal obligations pursuant to Article 6 (1) c GDPR, which arise, for example, from commercial law, tax law, criminal law or procedural law. You must also provide us with this data because otherwise cooperation is not possible.
  • for the purposes of the legitimate interests (Article 6 (1) f GDPR): Based on a balancing of interests, data processing may take place beyond the actual fulfilment of the contract in order to protect the legitimate interests of us or third parties. Data processing for the purpose of legitimate interests takes place, for example, in the following cases:
      • Advertising or marketing
      • Measures for business management and further development of services
      • Data obtained from you in the course of our business relationship (e.g. in customer meetings)
      • Maintaining a customer database
      • In the context of legal proceedings
      • Use of web applications
  • within the scope of your consent (Article 6 (1) a GDPR): e.g. for the receipt of newsletters, storage of applicant data for a longer period of time.
  • we process applicant data on the basis of § 26 BDSG.

1.2.1 Right of withdrawal

Consent is always voluntary. If it is not given, no disadvantages arise. Your consent can be revoked or amended at any time without giving reasons with effect for the future. Data processing that has already taken place remains unaffected. Please send your revocation either to our postal address or to kanzlei@aschestein.de; you are also welcome to visit us.

1.3 Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time. To do so, please use the address given above or the e-mail address kanzlei@aschestein.de.

We are entitled, under the legal conditions of Section 7 (3) of the German Unfair Competition Act (UWG), to use the e-mail address of clients provided when concluding a contract for direct advertising for our own similar services.

If you do not wish to receive advertising by e-mail from us, you can object to the use of your data for this purpose at any time. A message in text form to kanzlei@aschestein.de is sufficient for this purpose.

1.4 Who receives your data?

If we use a service provider for processing, we still remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only in the context of providing the service. The processors we commission receive your data as far as they require the data to fulfil their respective service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as software providers for the implementation of our business processes.

Within the scope of the mandate, personal data may be passed on to other partners in individual cases. This is done in the legitimate interest of all parties involved.

In addition, we transmit your personal data to other recipients outside the law firm as far as this is necessary for the fulfilment of our contractual and legal obligations (e.g. courts, opposing parties, authorities).

1.5 Data transfer to third countries

In principle, we do not transfer any data to a third country. A transfer will only take place in individual cases on the basis of an adequacy decision of the European Commission, standard contractual clauses, appropriate guarantees or your express consent.

1.6 How long is your data stored?

Client data is usually deleted by ASG after 10 years following the termination of the cooperation. Individual data may be subject to other storage obligations for legal, tax or commercial reasons and may only be deleted after these legal obligations have expired.

In the event of legal disputes in which the data is required as evidence, the data will only be deleted after the legal disputes have ended.

Data of applicants are usually deleted after 6 months; longer storage is only carried out with the consent of the applicant.

2 Use of Microsoft 365

We use Microsoft 365 from Microsoft to carry out our office work and to communicate for conference calls, online meetings, video conferencing and online collaboration. Our legitimate interests are to simplify IT processes, communicate internally and externally, deal with enquiries, increase efficiency and promote cross-company collaboration.

Microsoft 365 is a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland.

When using Microsoft 365, personal data is also processed. We have concluded an order processing contract with Microsoft for this purpose. A corresponding order processing agreement is included in the Online Service Terms (OST).
https://www.microsoft.com/de-de/servicesagreement
https://www.microsoft.com/en-us/licensing/product-licensing/products

2.1 Categories of data processed and legal basis

When using Microsoft 365, Microsoft processes different data:

  • Functionality data
  • Licensing data
  • Diagnostic data (telemetry)
  • Technical support
  • Continuous improvement
  • Processing for Microsoft's legitimate business activities

Exactly which personal data is processed depends on the individual case:

  • Your IP address used to access Microsoft 365 applications. The legal basis for this is Article 6 (1) f GDPR.
  • The user name (access data to the Microsoft 365 applications), information about your person that identifies you as a user, sender, recipient of data within the Microsoft 365 world. Data within the scope of the so-called multi-factor authentication that you yourself have stored in your Microsoft account (e.g. optionally the (private) mobile phone number). The legal basis for this is Article 6 (1) b GDPR.
  • Other voluntary data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you and other Microsoft 365 users at all times in your profile, but also in Outlook in particular, and can be individually adjusted by you. The legal basis for this is Article 6 (1) a GDPR.
  • Usage data: This includes in particular communication content (text, audio, video), files created by you or created files. This depends on the application you use in Microsoft 365 (Teams). The legal basis for this is Article 6 (1) b and f GDPR.

2.2 Recipients of data

In addition to the cases explicitly mentioned in this data protection declaration, your personal data will only be passed on without your express prior consent if this is legally permissible or required.

2.2.1 Data transfers to third countries

Data processing outside the European Union (EU) does not usually take place, as we have limited our storage location to data centres in the European Union. However, telemetry or diagnostic data, the support hotline and possible other data processed in Microsoft's area of responsibility outside the EU are excluded from this.

Furthermore, due to legal obligations, personal data may be passed on or disclosed to third parties (in particular authorities), also to third countries (USA) with a different level of data protection.

In order to achieve the required secure level of data protection, in addition to internal organisational measures, the so-called Standard Contractual Clauses (SCC) have been concluded with Microsoft, which are part of the Data Protection Addendum (DPA) as an annex to the above-mentioned OST.

2.3 Profiling, automated decision making

The data will NOT be used by us for profiling, automated decision making, data analysis, market research or advertising.

2.4 Encryption

Data is encrypted not only during transfer, but also at rest. This includes messages, files (video, audio etc.), meetings and other content. Teams also uses TLS and MTLS to encrypt chat messages.

2.5 Retention period or criteria for determining this period

If a user (or an administrator on behalf of the user) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 60 days.

If a service offered by Microsoft is terminated, the corresponding personal data will be deleted between 60 and 180 days after the service is discontinued. We usually delete personal data when there is no need for further storage. A need may exist in particular if the data is still required to fulfil contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. Microsoft must then comply with the request of the company administrator.

In the case of the legal obligation to retain data, deletion will only be considered after the respective retention obligation has expired.

2.6 Additional information for Microsoft Teams

We use the "Microsoft Teams" tool to conduct presentations, meetings, joint project processing, team meetings, conferences, training sessions and seminars.

Type of data

  • Activity data
  • User data (user name, profile picture)
  • Audio and video data
  • Contact data
  • Meeting data (topic, participant IP addresses, device/hardware information)
  • User data (files for joint editing, chat data)

The legal basis for data processing when conducting "online meetings" is Article 6 (1) b GDPR, insofar as the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Article 6 (1) f GDPR. Our legitimate interest is the effective conduct of online meetings.

Audio or video content is only recorded with your consent; you will be informed of this in advance in each case. The legal basis for this is Article 6 (1) a GDPR.

Further information on the processing of personal data in Microsoft Teams can be found above or here https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.

3 Use of ZOOM

We use the online conference tool "ZOOM" to conduct presentations, meetings, joint project processing, team meetings, conferences, training sessions and seminars. The provider is ZOOM Video Communications, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113.

We have entered into an order processing agreement with Zoom's provider. You can find more information about ZOOM's data processing here: https://zoom.us/docs/de-de/privacy-and-legal.html and here https://zoom.us/de-de/gdpr.

3.1 Categories of data processed and legal basis

When using ZOOM, different types of data are processed. The scope of the data also depends on the data you provide before or during participation in an online conference.

The following personal data are subject to processing:

  • User details: first name, last name, telephone (optional), e-mail address, password, profile picture (optional), department (optional).
  • Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information.
  • Recordings: MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
  • Text, audio and video data: You have the option of using the chat, question or survey functions at ZOOM. In this respect, the text entries you make are processed in order to display and log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device as well as from any video camera of the terminal device are processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the ZOOM app.

To participate in a ZOOM meeting or to enter the "meeting room", you must at least provide information about your name or alias.

The legal basis for data processing when conducting "ZOOM meetings" is Article 6 (1) b GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Article 6 (1) f GDPR. Our legitimate interest is the effective conduct of "online meetings". Article 6 (1) a GDPR can also be considered as a further legal basis.

If we want to record "online meetings", we will inform you transparently in advance and ask for your consent. The fact of the recording will also be displayed to you in the "ZOOM app". The legal basis for this is consent in accordance with Article 6 (1) a GDPR.

If you are registered as a user with ZOOM, then reports of "online meetings" (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored by ZOOM for up to one month.

3.2 Profiling, automated decision making

We do NOT use the data for profiling, automated decision-making, data analysis, market research or advertising.

3.3 Recipients / disclosure of data

Personal data processed in connection with participation in "online meetings" will usually not be passed on to third parties unless it is specifically intended to be passed on. Please note that content from "online meetings", as well as from face-to-face meetings, is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

3.4 Data processing outside the European Union

ZOOM is a service provided by a provider from the USA. Currently, it is not yet possible to configure ZOOM so that all data is processed exclusively in data centres within the EU / EEA. The meeting metadata will continue to be processed in data centres in the USA. The transfer of the meeting metadata to the USA is based on the Standard Contractual Clauses (SCC) of the EU Commission concluded between ZOOM and us.

According to ZOOM, the transmission of the data is necessary to control the utilisation of the ZOOM servers. Without this control, the service cannot be provided reliably. In Europe, it has not yet been possible to set up the necessary infrastructure, but this is planned in the future. If you would like to limit the transmission of meeting metadata, we recommend that you register for ZOOM meetings with a pseudonym that does not allow any conclusions to be drawn about your name or person and that you participate via VPN connection.

3.5 Deletion of data

The data will be processed for as long as it is necessary for the performance of the online meetings and related services. This does not apply if a longer storage or retention period is required by law.

If an online meeting is being recorded, you will be informed of this via an advance notice from the organiser via a technical signalling system. You can deactivate your camera and microphone yourself and leave the meeting at any time. With the recording, the data of the audio and video stream and optionally the messages in the chat, question or survey function are saved and remain stored beyond the duration of the meeting. The data stored on the cloud server of the provider of ZOOM will be automatically deleted after 30 days at the latest. To the extent that online meetings are not recorded, the provider states that it does not store the meeting content after the meeting has ended.

If you are logged in with a ZOOM account, reports of "online meetings" (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored by ZOOM for up to one month.

3.6 What data protection rights do you have?

Data subjects have the right to information, correction, blocking, deletion or restriction of the processing of their data at any time. You can revoke consent with effect for the future; data processing remains legal until the effect of your revocation. Under certain circumstances, you may receive your stored personal data for data transmission in electronic form or as a copy. You can find comprehensive information on your rights in our data protection declaration: https://www.aschestein.de/en/data-protection

3.7 Right to object:

If we process your data for legitimate interest, you can object to this data processing at any time. This would also apply to profiling. ASG does not carry out automated profiling.

We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the assertion, exercise or defence of legal claims. You may object to the processing of your data for the purpose of direct marketing at any time without giving reasons.

3.8 Right of complaint:

If you are of the opinion that we violate German or European data protection law when processing your data, please contact us to clarify any issues. Please contact us either by post (for address see https://www.aschestein.de/en/data-protection) or by e-mail: kanzlei@aschestein.de. You are also welcome to contact our data protection officer in confidence: datenschutz@aschestein.de. In case of doubt, we may request additional information to confirm your identity. In addition, the supervisory authority of the federal state of Hamburg is available to you as a contact.

4 Security information on e-mails

For security reasons, all incoming e-mails and file attachments are checked. If a warning is issued during a check, the e-mails are moved to quarantine and the recipient is informed. If necessary, the e-mails will then be delivered after IT has checked them.

If you absolutely have to exchange certain files with macros or unusual file formats or large files, please contact your contact person at our office in advance. They can provide a SharePoint for you