I. Name and address of the data controller
The data controller, as defined in the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions, is:
1. Company and address of the responsible body:
PKF Fasselt Partnerschaft mbB Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft Rechtsanwälte („PKF Fasselt“)
EUREF-Campus 10/11
10829 Berlin
Phone: +49 30 - 306907 - 0
Fax: +49 30 - 306907 - 99
E-mail: info@nothing-important.pkf-fasselt.de
Partnership register: Local Court Berlin (Charlottenburg) PR 645
2. Management:
Managing Director responsible for operations: WP StB [German public auditor and tax consultant] Frank Villwock
II. Name and address of the data protection officer
The data protection officer of the data controller is
RA/StB [German lawyer/tax consultant] Alexander Hamminger
datenschutz@nothing-important.hamminger.de
III. General information on data processing
1. Scope of the processing of personal data
We generally process the personal data of our users only to the extent necessary for the provision of a functional website and our content and services. The processing of the personal data of our users is routinely carried out only after users have given consent. An exception applies in those cases where obtaining prior consent is not possible for practical reasons and where the processing of the data is permitted by law.
2. Legal basis for processing personal data
Article 6(1) a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data, insofar as we obtain the consent of the data subject for processing operations involving personal data.
Article 6(1) b) GDPR serves as the legal basis when we process personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Article 6(1) c) GDPR serves as the legal basis insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject.
Article 6(1) d) GDPR serves as the legal basis in the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person.
Article 6(1) f) GDPR serves as the legal basis for the processing if it is necessary for the purposes of safeguarding the legitimate interests of our company or a third party and where the first-mentioned interests are not overridden by the interests, fundamental rights and freedoms of the data subject.
3. Data erasure and retention period
The personal data of the data subject get erased or blocked as soon as the purpose for retaining the data ceases to apply. Furthermore, data may be retained if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the Data Controller is subject. The data will also be blocked or erased if a retention period prescribed by the aforementioned standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
In the course of this, the following data are collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's IP address
(4) Date and time of access
2. Legal basis for processing data
Article 6(1) f) GDPR is the legal basis for the temporary storage of data and log files.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose the user's IP address has to remain stored for the duration of the session.
The data is stored in log files in order to ensure the functionality of the website. Furthermore, we use the data to optimise the website and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.
Our legitimate interest in data processing pursuant to Article 6(1) f) GDPR also lies in these purposes.
4. Retention period
The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. If the data were collected for the provision of the website, this is the case once the respective session has ended.
The IP addresses are stored anonymised. For this purpose, the last one to three digits are removed, e.g. "127.0.0.1" becomes "127.0.0.0". IPv6 addresses are also anonymised. The anonymised IP addresses are stored for 60 days. Details of the directory protection user used are anonymised after one day.
Error logs, which record incorrect page views, are deleted after seven days. In addition to the error messages, these contain the accessing IP address and, depending on the error, the website accessed.
5. Possibility of objection and erasure
The collection of data for the provision of the website and storing data in log files is vital for the operation of the website. Consequently, there is no possibility for users to opt out of this.
V. Use of cookies
1. Description and scope of data processing
The website uses so-called system cookies in certain places, which do not store any user-relevant data.
External content, e.g. from Google or YouTube, can be called up at certain points. It is pointed out beforehand that clicking on such an element establishes a connection to this service and that external cookies may be used.
2. Legal basis for processing data
The legal basis for the processing of personal data using cookies is Art. 6(1) f) GDPR and, if applicable, your consent given in the consent window/banner.
3. Purpose of data processing
The purpose of using cookies is to simplify the use of websites for users.
VI. Newsletter and event invitations
1. Description and scope of data processing
Newsletters and invitations to events are sent out on the basis of the user's registration on the website:
On our website, it is possible to subscribe to free newsletters and receive invitations to events that are created or organised and sent out by the individual locations of the company. When subscribing to the newsletter, the data from the input mask is saved in a special tool and then forwarded to the respective location. There it is added to the selected mailing list(s). The recipients are managed either in special software or DATEV Eigenorganisation Comfort.
The following data is collected as part of the newsletter registration:
E-mail address
Surname
First name
Company name
Position
The mandatory fields are marked with an *. Only the e-mail address is mandatory.
The following data is also collected during registration:
(1) IP address of the accessing computer
(2) Date and time of registration
Your consent is obtained for the processing of the data as part of the registration process and reference is made to this privacy policy.
No data will be passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.
2. Legal basis for processing data
The legal basis for the processing of data after registration for the newsletter by the user is Art. 6(1) a) GDPR if the user has given consent, in other cases also Art. 6(1) f) GDPR or Art. 6(1) b) GDPR.
3. Purpose of data processing
The purpose of collecting the user's e-mail address is to send the newsletter.
Any further information is voluntary and is used to address you personally and to personalise the content of the newsletter as well as to clarify any queries regarding the e-mail address. In addition, the collection serves to prevent misuse of the services or the e-mail address used.
4. Retention period
The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. A user's e-mail address will accordingly be retained for as long as his/her newsletter subscription remains active.
5. Possibility of objection and erasure
The users concerned can cancel their newsletter subscriptions at any time. The appropriate link for this purpose can be found in each newsletter.
This also makes it possible to withdraw consent to the retention of the personal data collected during the registration process.
VII. Contact form and e-mail contact
1. Description and scope of data processing
On our website there is a contact form that can be used to contact us electronically. If a user chooses this option then the data entered into the input mask is transmitted to us and stored. These data are:
Last name
First name
Company
E-mail
When you send a message the following data will also be stored:
(1) User’s IP address
(2) Date and time of dispatch
In the course of the dispatching process your consent to the processing of the data is obtained and reference is made to this Data Privacy Statement.
Alternatively, you can contact us using the e-mail address provided. In this case, the user's personal data transmitted with the e-mail are stored.
In this context, data will not be passed on to third parties. The data are used solely for the purposes of processing the conversation.
2. Legal basis for processing data
The legal basis for the processing of data from the contact form is Art. 6(1) a) GDPR if the user has given his consent.
Article 6(1) f) GDPR is the legal basis for the processing of data transmitted in the course of sending an e-mail. Article 6(1) b) GDPR is the additional legal basis for the processing of data if the aim of the e-mail contact is to conclude a contract.
3. Purpose of data processing
The processing of the personal data from the input mask serves us solely to process the contact. If contact is made by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Retention period
The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. This is then the case for the data from the input mask in the contact form and the data transmitted via e-mail once the respective conversation with the user ends. The conversation will be deemed to have ended if, from the circumstances, it is possible to infer that the issue in question has been conclusively clarified.
5. Possibility of objection and erasure
Users have the option of withdrawing consent for the processing of personal data at any time. If users contact us via e-mail they are thus able to object to the retention of their personal data at any time. In such a case it is not possible to continue the conversation.
All the personal data that were saved in the course of establishing contact would be erased in this case.
VIII. Online conferences, meetings and webinars
1. Description and scope of data processing
We use platforms and applications from other providers (hereinafter referred to as "third-party providers") for the purpose of holding video and audio conferences, webinars and other types of video and audio meetings. When selecting third-party providers and their services, we observe the legal requirements.
In this context, data of the communication participants are processed and stored on the servers of the third-party providers, insofar as these are part of communication processes with us. This data may include, in particular, registration and contact data, visual and vocal contributions as well as entries in chats and shared screen content.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata that they process for security purposes, service optimisation or marketing purposes. We therefore ask you to read the data protection notices of the respective third-party providers.
2. Legal basis for data processing
If we ask users for their consent to the use of third-party providers, the legal basis for processing is consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, user data is collected on the basis of our legitimate interests (i.e. interest in efficient communication) and for the fulfilment of the contract.
3. Purpose of data processing
Contractual services and support, contact enquiries and communication, office and organisational procedures.
4. Services used and service providers:
Microsoft Teams: Messenger and conference software; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: products.office.com/en-EN/microsoft-teams/group-chat-software; Privacy Policy: privacy.microsoft.com/de-de/privacystatement, Security information: www.microsoft.com/de-de/trustcenter; Privacy Shield (Safeguarding the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.
IX. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information
You can request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you can request the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged period for which the personal data concerning you will be stored, or, if specific information on this is not possible, the criteria used to determine that period;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information about the origin of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without delay.
3. Right to restriction of processing
You may request the restriction of the processing of your personal data under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
(4) if you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erase data
You can request the Data Controller to erase the personal data concerning you without undue delay and the Data Controller is obliged to erase these data without undue delay if any of the following reasons apply:
(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based pursuant to Article 6(1) a) or Article 9(2) a) GDPR and where there is no other legal basis for the processing;
(3) you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation under EU law or the laws of Member States to which the Data Controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.
b) Information to third parties
Where the Data Controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase them, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the data controllers processing the personal data that you have requested erasure by them of any links to, or copy or replication of, these personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under EU law or the laws of the Member States to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9(2) h) and i) as well as Article 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in clause a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right vis-à-vis the controller to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, insofar as:
(1) the processing is based on consent pursuant to Article 6(1) a) GDPR or Article 9(2) a) GDPR or on a contract pursuant to Article 6(1) b) GDPR and
(2) the processing is carried out with the help of an automated procedure.
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one data controller to another data controller insofar as this is technically feasible. The rights and freedoms of other people may not be adversely affected because of this.
The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6(1) e) or f) GDPR; this also applies to profiling based on these provisions.
The Data Controller shall no longer process the personal data concerning you unless the Data Controller is able to demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is intended for the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for direct marketing purposes then you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes then the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services and notwithstanding Directive 2002/58/EC, you may exercise your right to object with the help of an automated procedure where technical specifications are used.
8. Right to revoke the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
This applies in particular to the storage of a tracking cookie, which can be immediately revoked electronically at the beginning of this declaration via the hyperlink "Revoke cookie settings". A cancellation can also be sent to us by letter, email or fax. However, you must accept a short processing time for the implementation of your cancellation.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This will not apply if the decision:
(1) is necessary for the conclusion or performance of a contract between you and the Data Controller;
(2) is permissible under the laws of the Union or the Member States to which the Data Controller is subject and which also includes appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or
(3) is made with your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) GDPR unless Article 9(2) a) or g) GDPR applies and appropriate measures have been adopted to safeguard your rights and freedoms as well as your legitimate interests.
With respect to the cases referred to in (1) and (3), the Data Controller will adopt suitable measures to safeguard your rights and freedoms as well as your legitimate interests that will at least include the right to obtain human intervention on the part of the Data Controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
11. Further information
Matomo
This website uses the open source web analysis service Matomo. Matomo uses technologies that enable cross-page recognition of the user to analyze user behavior (e.g. device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized before storage.
With the help of Matomo, we are able to collect and analyze data about the use of our website by website visitors. This enables us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).
The use of this analysis tool is based on Art. 6 (1) f) GDPR. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) a) GDPR and Art. 25 (1) TDDDG, insofar as the consent includes access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
IP anonymization
We use IP anonymization for the analysis with Matomo. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.
Hosting
We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.
X. Whistleblower systems
The electronic form available below enables you to anonymously report potential or actual violations of our professional duties as well as any criminal offences or administrative offences within our company to a member of the Executive Committee ("GFA") in accordance with Section 55b (2) No. 7 WPO (whistleblower system).
Whistleblower system for professional duties
The electronic form available below enables you to report potential or actual violations of money laundering regulations within PKF Fasselt Partnerschaft mbB to the company's money laundering officer in accordance with Section 6 (5) GwG, while maintaining the confidentiality of your identity (anonymity).