Data protection declaration

This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) on our website and the associated web pages, features and content. (hereinafter jointly referred to as “online offering”). With regard to the terminology used (such as “personal data” and “processing”) we refer you to the definitions used in Art. 4 of the General Data Protection Regulation (GDPR).

Responsible entity:

Name: Bachtenkirch-Sujata Berke Schäffer Wirtschaftsprüfer Steuerberater PartGmbB
Street and no.: Lietzenburger Straße 46
Postcode, place, country: 10789 Berlin
Partnership register/no.: Amtsgericht Charlottenburg / PR 1221 B
Partners: Ines Bachtenkirch-Sujata, Stephan Berke, Matthias Schäffer
Telephone number: +49 30 885 627-0
Email address: info@bsbs-partner.de

 

The processing of special categories of data (Art. 9 para. 1 GDPR):
☒ No special categories of data are processed.

Categories of data subjects:
☒ Visitors and users of the online offering.
Hereinafter the data subjects are jointly referred to as “users”.

The purpose of processing:
☒ The making available of the online offering, its contents and features.
☒ Rendering contractual performance, providing service and customer support.
☒ Responding to customer inquiries and communication with users.
☒ Security measures.

1. Relevant legal bases

We inform you of the legal bases of our data processing in accordance with Art. 13 GDPR. If the legal basis is not mentioned in the data protection declaration, the following applies: The legal basis for the obtaining of consent is Art. 6 para. 1 lit. a and Art. 7 GDPR; the legal basis for data processing for service fulfilment and the implementation of contractual measures and responding to inquiries is Art. 6 para. 1 lit. b GDPR; the legal basis for data processing to fulfil our legal obligations is Art. 6 para. 1 lit. c GDPR; and the legal basis for data processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as a legal basis.

2. Changing and updating the data protection declaration

We kindly ask you to keep yourself updated about our data protection declaration. We adapt the data protection declaration as soon as the changes to the data processing we perform make this necessary. We will inform you as soon as the change requires cooperation on your part (e.g. consent) or any other individual notification.

3. Security measures

3.1. Pursuant to Art. 32 GDPR and taking into account the state of technology, implementation costs and the type, scope, circumstances and purpose of the data processing and the probability of occurrence and severity of the risk to the rights and freedoms of natural persons, we take suitable technical and organizational measures to ensure a level of protection commensurate with the risk; these measures in particular include the safeguarding of the confidentiality, integrity and availability of data by checking the physical access to the data, as well as their access, input, passing on, protection of availability and their separation. Furthermore, we have established procedures which safeguard the rights of data subjects, the deletion of data and the response to the endangerment of data. In addition, we bear in mind the protection of personal data when we develop or select hardware, software and procedures, in accordance with the principle of data privacy through technology design and through data privacy-friendly default settings (Art. 25 GDPR).

3.2 These security measures in particular include the encrypted transmission of data between your browser and our server.

4. Working with order processors and third parties

4.1 Where in the context of data processing we disclose data to other persons and companies (data processors or third parties), transmit data to them or otherwise grant access to this data, then this is done only on the basis of a legal permission (e.g. if the transmission of the data to third parties, such as to payment service providers, in accordance with Art. 6 para. 1 lit. b GDPR is required for contract fulfilment), if you have given your consent, if there is a legal obligation to do so or on the basis of our legitimate interests (e.g. when deploying agents, web hosting companies, etc.).

4.2 If third parties, such as, in particular, DATEV eG, are entrusted with the processing of data on the basis of a so-called “data processing agreement”, then this is done on the basis of Art. 28 GDPR.

5. Transmissions to third countries

When we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this is carried out in connection with utilising third-party services or the disclosure or transmission of data to third parties, then this is done only if this serves to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process data or have it processed in a third country if the special requirements of Art. 44 ff. GDPR are in place. I.e. the data is processed on the basis of special guarantees for example, such as if a level of data protection is in place that is officially recognised as being equivalent to the level of protection in the EU (e.g. for the US, this is the Privacy Shield) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses“).

6. Rights of data subjects

6.1. You have the right to request confirmation about whether relevant data is processed and information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
You can request information from us about whether we process your personal data. There is no right to information if granting the requested information would violate the duty of confidentiality under section 83 StBerG or the information must be kept confidential for other reasons, in particular on the basis of an overriding legitimate interest of a third party. In deviation to this, there may be an obligation to provide information if your interest outweighs the interest in confidentiality, especially when taking into account imminent damage. The right to information is also excluded if the data is saved only because it cannot be deleted due to legal or statutory retention periods or exclusively serve the purpose of data backup or data protection monitoring, if the provision of information would require a disproportionate amount of effort and the processing of data for other purposes is excluded by technical and organizational means. If the right to information is not excluded in your case and your personal data is processed by us, you can request information from us about the following:

  • The purpose of processing;
  • The categories of personal data processed;
  • The recipients or categories of recipients your personal data is disclosed to, especially if the recipients are in third countries;
  • If possible, the planned duration for which your personal data will be stored, or, if this is not possible, the criteria for determining the duration of storage;
  • The existence of a right to the correction or deletion or restriction of your personal data or a right to object to this processing;
  • The existence of a right to appeal to a data protection supervisory authority;
  • Where the personal data was not collected from you as data subject, the available information about the origin of the data;
  • Where applicable, the existence of automated decision-making including profiling and relevant information about the involved logic as well as the implications and intended effects of automated decision-making;
  • Where applicable, in the case that data is transmitted to recipients in third countries (if there is no decision by the EU Commission regarding the commensurability of the level of protection according to Art. 45 para. 3 GDPR) information about which appropriate guarantees are put in place in accordance with Art. 46 para. 2 GDPR for the protection of personal data.

6.2. In accordance with Art. 16 GDPR, you have the right to request the completion of your data or the correction of incorrect data.

6.3. Under Art. 17 GDPR, you have the right to request that relevant data is deleted immediately, or alternatively under Art. 18 GDPR request a restriction of the processing of your data. You have a right to deletion (“right to be forgotten“), if the data processing is not required to exercise the right to free expression, the right to information or for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest and one of the following reasons applies:

  • The personal data is no longer necessary for the purposes for which it was processed.
  • The legal basis of data processing was exclusively your consent, which you have revoked.
  • You have objected to the processing of your personal data which we have made public.
  • You have objected to the processing of personal data which we have not made public and there are no overriding legitimate reasons for its processing.
  • You personal data was processed unlawfully.
  • The deletion of the personal data is required to fulfil a legal obligation which we are subject to.

There is no entitlement to deletion if the deletion in the case of lawful or non-automated data processing is not possible or only with disproportionately high effort and your interest in its deletion is low. In this case, the deletion is replaced by the restriction of processing
You can request the restriction of processing if one of the following reasons applies:

  • You deny the accuracy of the personal data. In this case, the restriction can be requested for a period during which we are able to check the accuracy of the data.
  • The processing is unlawful and instead of requesting the deletion of your data you request the restriction of its use.
  • Your personal data is no longer needed by us for the purposes of processing; however, it is required to assert, exercise or defend legal claims.
  • You have filed an objection in accordance with Art. 21 para. 1 GDPR. The restriction of data processing can be requested as long as it has not yet been ascertained whether our legitimate reasons outweigh your reasons.

Restriction of data processing means that your personal data may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We are obligated to inform you before we lift the restriction.

6.4. You have the right to request that you receive the relevant data which you have provided us with according to Art. 20 GDPR and request its transmission to other responsible entities.
You have the right to data portability, provided the data processing is based on your consent (Art. 6 para. 1 clause 1 letter a) or Art. 9 para. 2 letter a) GDPR) or on a contract of which you are a party and the processing is done by automated means. The right to data portability in this case includes the following rights, provided this does not affect the rights and freedoms of other persons: You have the right to request to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format. You have the right to transmit this data to another responsible entity without hindrance on our part. As far as is technically feasible, you can request that we transmit your personal data to another responsible entity.

6.5. In accordance with Art. 77 GDPR, you also have the right to file a complaint with the competent supervisory authority.

6.6. Right to revocation
You have the right to revoke the consent you have granted according to Art. 7 para. 3 GDPR with effect for the future.

6.7. Right of objection
In accordance with Art. 21 GDPR, you have the right to object to the future processing of the relevant data at any time.
If the data processing is based on Art. 6 para. 1 clause 1 letter e) GDPR (performance of a task in the public interest or in the exercise of official authority) or on Art. 6 para. 1 clause 1 letter f) GDPR (legitimate interest of the responsible entity or a third party), you have the right, on grounds relating to your particular situation, to object to the processing of your personal data at any time. This also applies to profiling based on Art. 6 para. 1 clause 1 letter e) or letter f) GDPR. We will no longer process your personal data unless we can show that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the assertion, exercise or defence of legal claims.
You can object to the processing of your personal data for the purpose of direct advertising at any time. The same applies to profiling which takes place in connection with such direct advertising. When you exercise this right to object, we will no longer use your personal data for the purpose of direct advertising.
You have the option to informally communicate the objection by phone, email or if necessary by fax or to the postal address of our firm listed at the beginning of this data protection declaration.

6.8. Revoking consent

6.8. Revoking consent
Sie haben das Recht, eine erteilte Einwilligung jederzeit mit Wirkung für die Zukunft zu widerrufen. Der Widerruf der Einwilligung kann telefonisch, per E-Mail, ggf. per Telefax oder an unsere Postadresse formlos mitgeteilt werden. Durch den Widerruf wird die Rechtmäßigkeit der Datenverarbeitung, die aufgrund der Einwilligung bis zum Eingang des Widerrufs erfolgt ist, nicht berührt. Nach Eingang des Widerrufs wird die Datenverarbeitung, die ausschließlich auf Ihrer Einwilligung beruhte, eingestellt.

6.9. Complaint
If you are of the opinion that the processing of the relevant personal data is unlawful, you can lodge a complaint with a supervisory authority for data protection which is responsible for your place of residence or place of work or for the place of the alleged violation.

7. Cookies

We use temporary cookies, i.e. small files which are stored on the devices of the users (for an explanation of the term and the function of cookies, see the last section of this data protection declaration). Some cookies enhance security or are required for our online offering to work (e.g. to display the website) or to save the user decision when the cookie banner is confirmed.

8. Deletion of data

8.1. The data processed by us is deleted or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated otherwise in this data protection declaration, we delete personal data as soon as it is no longer required for the purpose it was collected for and there are no statutory retention periods preventing it from being deleted. If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted. This means the data is locked and not processed for other purposes. This for example applies to data which must be retained under commercial or tax law.

8.2. In compliance with legal regulations, the data is in particular retained for 6 years in accordance with section 257 para. 1 HGB (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting receipts, etc.) and for 10 years in accordance with section 147 para. 1 AO (books, records, status reports, accounting receipts, commercial and business letters, documents relevant for taxation, etc.).

9. Provision of contractual services

9.1. We process user-related data (e.g. name and addresses as well as contact details of users) and contractual data (e.g. services received, names of contact persons, payment information) for the purpose of meeting our contractual obligations and providing our services in accordance with Art. 6 para. 1 lit b. GDPR.

9.2. part of the registration process and logins and the utilisation of our online services, we store the user’s IP address and the time of their respective activity. Their storage is based on our legitimate interests as well as the user’s protection against misuse and other unauthorised use. This data is not passed on to third parties unless this is necessary to pursue our claims or there is a legal obligation in accordance with Art. 6 para. 1 lit. c GDPR.

9.3. It is deleted after the expiry of the statutory guarantee and similar obligations, and the necessity to store the data is reviewed every three years; where there are legal archiving obligations, the data is deleted after its expiry (end of commercial retention period (6 years) and fiscal retention period (10 years)); information in the customer account remains there until its deletion.

10. Establishing contact

10.1. When you contact us by email, the user’s information will be used to process the contact inquiry and its processing in accordance with Art. 6 para. 1 lit. b) GDPR.

10.2. The user’s information can be stored in our customer relationship management system (CRM system) or a similar inquiry organisation system.

10.3. We delete inquiries if they are no longer required. We review the necessity every two years. Where there are legal archiving obligations, the data is deleted after its expiry (end of commercial retention period (6 years) and fiscal retention period (10 years)).

11. Collection of access data and log files

11.1. On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR, we collect data every time the server on which our service is located is accessed (so-called server log files) The access data includes the name of the web page visited, file, date and time of retrieval, transmitted data volume, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the page previously visited), IP address and the requesting provider.

11.2. For security reasons (e.g. to investigate abuse or fraud) log file information is stored for a maximum of seven days and then deleted. Data which needs to continue to be stored for evidential purposes is exempt from deletion until the respective incident has been conclusively resolved.

12. Cookies & range measurement

12.1. Cookies are information that is transmitted from our web server or third-party web servers to the web browser of the user and stored there for later retrieval. Cookies can be small files or other types of information storage.

12.2. We use “session cookies”, which are only stored on our website for the duration of the current visit (e.g. to enable the storage of your login status or the shopping basket feature and thus to enable the use of our online offering in the first place). A session cookie stores a randomly generated unique identification number, a so-called session ID. A cookie also contains information about its origin and the retention period. These cookies cannot store other data. Session cookies are deleted when you have finished using our online offering and you have, for example, logged out or closed the browser.

12.3. This data protection declaration informs users about the use of cookies as part of pseudonymous range measurement.

12.4. If users do not want cookies to be stored on their computer, they are requested to disable the relevant options in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can restrict the functionality of this online offering.

12.5. You can object to the use of cookies that serve range measurement and advertising purposes via the opt-out page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and the US website (http://www.aboutads.info/choices) or the European website  (http://www.youronlinechoices.com/uk/your-ad-choices/).

12.6. You can find more information about data usage for marketing purposes by Google on the overview page: https://policies.google.com/technologies/ads, he data protection declaration of Google can be found at  https://policies.google.com/privacy.

12.7. If you want to object to interest-based advertising by Google Marketing Services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.

13. Integration of services and third-party content

13.1. In our online offering, based on our legitimate interests (i.e. interest in the analysis, improvement and economical operation of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR) we use third-party content and services to integrate their contents and services, such as videos or fonts (hereinafter referred to as “content”). This always means that the third-party provider of this content becomes aware of the IP address of the users, because without the IP address they would not be able to send content to their browser. This means that the IP address is required to display this content. We endeavour to only use content where the respective provider only uses the IP address to deliver their content. Furthermore, third-party providers can use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical and marketing purposes. These “pixel tags” enable the analysis of information, such as visitor traffic on the pages of this website. In addition, the pseudonymous information can be stored in cookies on the user’s device and, among other things, obtain technical information about the browser and the operating system, referring websites, time of visit and other information about the use of our online offering and be linked to such information from other sources.

13.2. Below, you find an overview of third-party providers as well as their content, including links to their data protection declarations, which contain further information about the processing of data and, some of which is already mentioned here, appeal options (opting out):

14. Data protection declaration date and updates

This data protection declaration was last updated on 15 May 2018. We reserve the right to update the data protection declaration in due course to improve data privacy and/or to adjust it to new administrative practice or jurisdiction.