Data Protection Policy

Our data processing
When you use the website www.vindelici.com and its functions, make contact and send a request, you send us personal data which we process for the purpose of responding to your requests. We handle these data in accordance with data protection laws strictly for the intended purpose only.

VINDELICI LEGAL Rechtsanwaltsgesellschaft mbH
Maximiliansplatz 12b
D-80333 München

Phone: +49 (0) 89 541 988 500
E-mail: info@vindelici-legal.com

Represented by:
Prof. Dr. Peter Chrocziel

Scope of processing of personal data in general

As a basic principle, we only process personal data if this is necessary to provide a functional website along with our content and services.

Legal basis for processing personal data

The legal basis for processing this personal data can be found in the General Data Protection Regulation, Article 6(1)(a)-(f) GDPR.

If the data subject has given consent, the legal basis is Article 6(1)(a) GDPR.

Article 6(1)(b) GDPR is the legal basis for processing personal data as required for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If processing is necessary for compliance with a legal obligation of the controller, the legal basis is Article 6(1)(c) GDPR.

If vital interests of the data subject or another natural person make it necessary to process data, the legal basis is Article 6(1)(d) GDPR.

If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Article 6(1)(e) GDPR.

If processing is necessary to protect a legitimate interest of our company and overrides the interests, fundamental freedoms or fundamental rights of the data subject, the legal basis is Article 6(1)(f) GDPR.

Provision of personal data required to conclude a contract or based on statutory retention obligations

When you contact us, we collect personal data. We store these data partly due to legal requirements and partly for the purpose of concluding a contract. If you want to conclude a contract with us, you must provide us with your data so that we can provide our services to you. Tax and commercial law considerations also result in statutory retention obligations which we have to meet. Otherwise, we may be unable to provide you with our service.

Before providing your personal data, you can feel free to get in touch with your contact person in our company to find out whether we will need your data to conclude a contract and/or to meet our statutory retention obligations and what will happen if you do not provide us with the data.

Data erasure and storage period

We will store your personal data as long as this is necessary to fulfill a purpose or the storage of the data is mandatory based on legal requirements according to Article 6(1)(c) GDPR.
If the purpose for storing personal data no longer applies, these data will be erased after 6 months or processing will be restricted unless it is necessary to continue storing the data in order to conclude or fulfill a contract.
These data will only be stored otherwise if this has been stipulated by the European or national legislator.

SSL or TLS encryption

We use SSL or TLS encryption on the entire website for security reasons on the one hand and to protect your confidential data on the other.
Confidential data such as, for example, requests or orders that you have sent to us cannot be viewed by third parties as a result of this encryption.
You can recognize an encrypted connection from the address bar of the browser changing from “http://” to “https://” and a green padlock icon being displayed in the address bar.

IP address

  1. Description and scope of data processing
    When accessing this website, requests are sent to the server which it must answer. Your IP address must be collected and processed for this purpose in order to enable the server to respond to the corresponding requests.
  2. Legal basis for data processing
    The legal basis for processing these data is Article 6(1)(f) GDPR.
  3. Purpose of data processing
    The purpose of processing your IP address is to ensure that the website functions correctly and to enable you to access it.
  4. Legitimate interest
    The legitimate interest in the temporary storage of the IP address is that the website cannot function and access to the website is not possible without it.
  5. Duration of storage
    The data will be erased again as soon as it is no longer necessary for them to be stored due to fulfillment of the purpose.
    Where the collection of data for providing the website is concerned, this is the case when the access procedure is completed.
  6. Recipients of personal data
    The IP address is processed by the following hosting provider as subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

Hosting

  1. Description and scope of data processing
    We use the services of our hosting provider for the technical implementation and accessibility of the website and for the technical maintenance thereof.
    This includes the provision of storage and database services and the maintenance and updating thereof.
  2. Legal basis for data processing
    The legal basis for processing these data is Article 6(1)(f) GDPR.
  3. Purpose of data processing
    The purpose of processing is the implementation of the website and the detection of malfunctions and intrusion attempts.
  4. Legitimate interest
    The legitimate interest in mandating the hosting provider is the external technical expertise and the provision of a functional and uncompromised technical website environment.
  5. Recipients of personal data and data categories:

The following hosting provider is active for us as a subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

The data categories concerned are:

User data
Communication data
Contact data
Contract data

Server log files

  1. Description and scope of data processing
    The IP addresses collected when accessing this website are also stored in what are referred to as server log files in order to discover and eliminate technical faults and/or attempts to manipulate and break into the server structure.
    The hosting provider of this website also automatically collects, stores and processes information in server log files that is sent automatically by your browser.
    This information comprises:
    IP address
    Browser type and browser version
    Operating system used
    Referrer URL
    Host name of the accessing computer
    Time of server request
    However, this information is not merged with other data sources.
  1. Legal basis for data processing
    The legal basis for processing these data is Article 6(1)(f) GDPR.
  2. Purpose of data processing
    The purpose of processing your IP address and the aforementioned information is to detect malfunctions and intrusion attempts.
  3. Legitimate interest
    The legitimate interest in processing the IP address and the aforementioned information is the provision of a functional and uncompromised technical website environment.
  4. Duration of storage
    The data will be erased again within 7 days.
  5. Recipients of personal data
    The IP address and the aforementioned information are processed by the following hosting provider as subcontractor based on a processing agreement pursuant to Article 28(2) and (4) GDPR:

MXP GmbH
Ulmer Landstraße 333
86391 Stadtbergen near Augsburg

  1. Description and scope of data processing
    The website vindelici.com uses “cookies”. Cookies are text files that are stored in the memory and/or on a data carrier of the device you use to visit the site and that are processed by your Internet browser in accordance with the settings stored therein.
    Information about the individual cookies used on our websites can be accessed by following the link “Customize privacy settings”. Here, you can also give your consent to the installation of certain cookies and the related data processing or you can revoke a previously granted consent anytime with effect in the future.

  2. Deactivation of Cookies
    The insertion of cookies and the retrieval of their information can also be controlled by the settings of your internet browser. You can either completely deactivate the cookie storage function in your browser, limit it to certain websites, or configure it in such a way that it automatically informs you if a cookie is to be inserted and requests your permission. Cookies can be blocked or deleted individually. However, this may affect certain functions of our web presence, which may then no longer work for technical reasons.
  1. Description and scope of data processing
    In the case of e-mail inquiries, personal data are processed depending on the content of your e-mail:

This always includes your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:

First name, last name
Telephone number

The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.

  1. Legal basis for data processing
    Based on the express request from the user by e-mail, the legal basis for processing data is Article 6(1)(f) GDPR. If the aim of making contact by e-mail is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
  2. Purpose of data processing
    The processing of personal data from your e-mail request only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
    Depending on the intention and content of your request, the purpose may also be to initiate and/or execute a contractual relationship.
  3. Legitimate interest
    The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
  4. Duration of storage
    The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
    The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.
  1. Description and scope of data processing
    In the case of telephone inquiries, personal data are processed depending on the content of the conversation:

Depending on the information you provide during the telephone call, this may also include the following personal data:

First name, last name
Telephone number
Customer number
Payment data
Contract data

The data are used solely for processing the conversation and/or executing and/or initiating a contractual relationship.

  1. Legal basis for data processing
    Based on the express request from the user by telephone, the legal basis for processing data is Article 6(1)(f) GDPR. If the aim of making contact by telephone is also to conclude and/or to execute a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
  2. Purpose of data processing
    The processing of personal data from the telephone conversation only serves the purpose of establishing contact and enabling the company to provide the customer with information on the initiative of the customer.
    Depending on the intention and content of your request, the objective may also be to initiate and/or execute a contractual relationship and to maintain the customer relationship.
  3. Legitimate interest
    The legitimate interest in data processing is the capability of handling your request and being able to respond to it accordingly. The data collected are processed on the basis of a request sent by you. This processing is also in your interests in order to enable us to respond to your request in a way that meets your expectations.
  4. Duration of storage
    The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code). For your e-mail, this is the case when the respective conversation with the user has ended.
    The conversation is ended when it is evident from the circumstances that the situation has been finally clarified.
  1. Description and scope of data processing
    By handing over your business card to us on initial contact, you provided us with your personal data. These are:

Last name, first name
Company
Address of company
Contact data

We process these data in our CRM system.

  1. Legal basis for data processing
    The legal basis is contained in Article 6(1)(f) GDPR insofar as you have consented to the data being processed.
  2. Purpose of / legitimate interest in data processing
    We process these data to enable business communication and to determine shared business interests and for maintaining a customer relationship.
    We process your personal data only for this purpose and only insofar as you have communicated them to us.
  3. Duration of storage
    The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are not subject to any other statutory retention obligations (e.g. 10 years pursuant to the German Tax Code, 6 years pursuant to the German Commercial Code).
  1. Description and scope of data processing
    We provide information about the current vacancies to be filled on a regular basis in job advertisements or on our website. You have the opportunity to apply for these jobs. You can send us your application data either by post or by e-mail.

Data that you send us by post as part of the application procedure may include:

o Name, address and contact details
o Resume including any further details
o Personal letter
o Qualifications
o Interests

If you send us your data by e-mail, we will also process your e-mail address and the date, time and content of the message. The following personal data may also be processed depending on the content of your e-mail:

o First name, last name
o Telephone number

The data are used solely to reach a decision on the vacancy to be filled as part of the application procedure.

  1. Legal basis for data processing
    The legal basis for processing the data within job application procedures is Article 6(1)(b) GDPR, § 26(1) BDSG (Federal Data Protection Act).

If you provide us with special categories of personal data within the application procedure such as information on an existing severe disability or health data that are required to assess the possibility of employing you in a certain position, these data provided on your initiative are processed according to Article 9(2)(b), (h) GDPR, Article 26(3) BDSG (Federal Data Protection Act).

  1. Purpose of data processing
    The processing of personal data within job application procedures is solely for the purpose of personnel planning and to establish employment relationships.
  2. Legitimate interest
    The legitimate interest in data processing is the necessity to fill open vacancies with qualified applicants as part of sustainable personnel planning and company management.
  3. Duration of storage
    If an application is rejected, the data will be erased within 6 months of the rejection. Data from successful applications are subject to retention obligations which result from the labor and social law provisions, the German Tax Code (AO) and the German Commercial Code (HGB).

We maintain online presence within social networks and platforms in order to communicate with customers, interested parties and users active in social media and to inform them about our services.

We would like to point out that this might cause user data to be processed outside the European Union, which can pose risks for users because this might hinder the enforcement of users’ rights, for example.

Furthermore, user data are generally processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and the associated user interests. The usage profiles can in turn be used, for example, to display advertisements that presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behavior and interests are stored. Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).

Supplementary Information on the online presence LinkedIn:

  1. Joint Controllers

For data processing on the online presence LinkedIn, we and LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland) are joint controllers within the meaning of data protection laws. Thus, we concluded an agreement conforming with Article 26 (1) with LinkedIn which regulates the obligations in terms of data privacy of the parties. The agreement is provided by LinkedIn via the following link:

The data privacy policy of LinkedIn (https://www.linkedin.com/legal/privacy-policy) provides you with further information about the processing of your data by LinkedIn and by us when you access and interact with our online presence on LinkedIn. You will also find information about your rights as a data subject and setting options with regard to the processing of your data.

The information contained in this section of our information on data privacy only applies in addition to the information provided by LinkedIn.

  1. Contact data of data protection officer
    The contact data of our data protection officer are listed under II.
  2. Collection, processing and use of your personal data by us
    You can use our online presence on LinkedIn to react to our content, make comments or send us private messages.
        1. Categories of data subjects
          The data subjects are registered and unregistered visitors of our online presence on LinkedIn.
        2. Data of registered visitors of our online presence on LinkedIn which we process
              • User identification (user name) by which you subscribed
              • Authorized profile data (such as name, occupation, job experience, qualifications, contact data, activities and interests etc.)
              • Data created in the course of the sharing of contents, messages and communications
              • Data required in the framework of a contract execution on request of a subscribed visitor

          Moreover, we process pseudonymized data of registered visitors like:
          Statistics and insights about interactions with our online presence, the content pages, videos and other content provided via our fan page (page view activities, page visits, “likes”, coverage, general demographic, site and interest-related information about age, sex, country, city, language). These pseudonymized data are provided to us by LinkedIn in terms of statistics. As a rule, even we ourselves are not able to connect these pseudonymized data to any personal data (identifying features like name specifications).

        3. Data of unregistered visitors of our online presence on LinkedIn which we process
          Pseudonymized data like statistics and insights into interactions with our fan page, contributions, pages, videos and other content provided via our fan page (page view activities, page visits, “likes”, coverage, general demographic, site and interest-related information about age, sex, country, city, language). Even we ourselves are not able to connect these pseudonymized data to any personal data (identifying features like name specifications). Thus, it is impossible for us to identify individual visitors. They remain anonymous.
        4. Origin of the data
          We collect the data directly from the data subject or we receive them from the platform operator.
        5. Purpose of data processing
          We process the data mainly for the purpose of public image. Moreover, we process the data for the purpose of communication, data exchange and the organization of events. Finally, data can also be processed in order to initiate and conclude contracts.
        6. Legal basis for data processing:
          For further information please see III. General information about data processing.
          The processing of data for the purpose of public image takes place on the legal basis of Article 6(1)(f) GDPR (legitimate interests) and in our interest in the provision of a platform with current information, the improvement of our offer as well as our website and the presentation of our company.
          The processing of data for the purpose of communicating with you via the online presence on LinkedIn takes place on the legal basis of Article 6(1)(b) GDPR (initiation and conclusion of contracts), as far as the content relates to an existing contractual relationship or you are interested in entering into a contract. Otherwise, the data processing takes place on the legal basis of Article 6(1)(f) GDPR (legitimate interests) and in our interest in effective communication with users in the event of questions and other concerns.
        7. Duration of storage
          Based on the agreement concluded with the platform operator in accordance with Article 26 (1) GDPR it is the platform operator’s duty to store and delete the data.
        8. Categories of recipients
          The data we process can only be accessed by our employees and service providers. But if data subjects post public content on our online presence on LinkedIn it is accessible to other registered – and possibly also unregistered – visitors at any time.
  1. Description, scope and purpose of data processing
    This website uses Matomo (formerly Piwik), an open-source software used for the statistical evaluation of visitor accesses.

Matomo uses so-called cookies, i.e. text files that are stored in the memory of your computer and that allow an analysis of your use of the website.

The information created by the cookie about your use of the web content is stored with your approval as described in section V. You are entitled to withdraw your consent to the statistical analysis of your website access by Matomo anytime with effect for the future by changing the cookie settings in respect of Matomo.

Immediately after the processing and before its storage the IP-address will be rendered anonymous. You have the option to prevent cookies from being installed by customizing the settings of your browser software. Please note, however, that this might have the effect that the functions of this website are no longer fully available.

It is up to you to decide whether a unique web analysis cookie is installed in your browser in order to enable the collection and analysis of various statistical data by the website operator.

For further information about the privacy settings of the Matomo software please refer to the following link: https://matomo.org/docs/privacy/.

    1. Legal basis of data processing
      The legal basis for data processing is Article 6 (1) (a) GDPR in conjunction with your consent to the statistical analysis of your website use by means of Matomo.

 

  1. Duration of storage
    Your data collected in the framework of the website analysis will be deleted after 13 months.

If your personal data are being processed, you are the data subject within the meaning of the General Data Protection Regulation. This means you have the following rights against the controller.

In order to exercise your rights against us as the controller, please send an e-mail to the following address: Peter.Chrocziel@vindelici-legal.com

  1. Right of access – Article 15 GDPR
    You have the right to request confirmation from the controller as to whether personal data relating to you are being processed.

If such data are being processed, you have the right of access to these personal data and the following information:

the purposes for which the personal data are processed;
the categories of personal data that are processed;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine the storage period;
the existence of the right to request from the controller rectification or erasure of your personal data or the right to restrict their processing or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information as to the source of the personal data where the data are not collected from the data subject;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You are also entitled to request information about whether your personal data are transferred to a third country or to an international organization. In this context, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

  1. Right to rectification – Article 16 GDPR
    You have the right to obtain from the controller without undue delay the rectification and/or completion of the data relating to you if the processed personal data are incorrect or incomplete.
  2. Right to erasure – Article 17 GDPR
    Erasure obligation:
    You have the right to request the erasure of your personal data without undue delay where one of the following grounds applies:
    • your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • you have withdrawn your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal ground for the processing;
    • you have objected to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or
    • you have objected to the processing pursuant to Article 21(2) GDPR;
    • your personal data have been unlawfully processed;
    • your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Exceptions:
There is no right to erasure to the extent that processing is necessary

    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
    • for the establishment, exercise or defense of legal claims.
  1. Right to restriction of processing – Article 18 GDPR
    You have the right to request the restriction of processing of the personal data relating to you subject to the following conditions:
    • if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
    • if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
    • if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
    • if you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of your personal data has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If there is a restriction of processing based on the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

  1. Right to notification – Article 19 GDPR
    If you have asserted one of your rights to rectification, erasure or restriction of processing, we must inform all recipients to whom your personal data have been disclosed of the rectification or erasure of the data or of the restriction of processing unless this proves impossible or involves disproportionate effort.

You also have the right to be notified of these recipients.

  1. Right to data portability – Article 20 GDPR
    You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which you have provided the personal data, where
    a) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
    b) processing is carried out by automated means.

In exercising this right to data portability, you also have the right to have your personal data be transmitted directly from one controller to another, where technically feasible.

  1. Right to object – Article 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing serves the purpose of establishing, exercising or defending legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.

  1. Right to withdraw the declaration of consent under data protection law
    You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  2. Right to lodge a complaint with a supervisory authority – Article 77 GDPR
    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of your personal data infringes the General Data Protection Regulation.

The supervisory authority with which you lodge the complaint must inform you as the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Last update: February 2022.

This Data Protection Policy is updated on a regular basis.