Data Protection Policy
The following Data Protection Policy provides information about the types of your personal data (hereinafter also referred to simply as “data”) that we process, for what purposes and to what extent. This Data Protection Policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications as well as within external online presences, such as e.g. our social media profiles (hereinafter collectively referred to as “online services”).
Last updated: 26.04.2022
Table of Contents
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Transfer and Disclosure of Personal Data
- Data Processing in Third Countries
- Business Services
- Contact requests
- Notes on Data Protection when Submitting Communications
- Provision of Online Services and Web Hosting
- Cloud Services
- Social Network Accounts
- Erasure of Data
- Amendment and Update of the Data Protection Policy
- Rights of Data Subjects
Dr. Stephanie Troßbach
Attorney-at-law, Catus Law + Compliance
Thurn-und-Taxis-Platz 6 (Nextower)
60313 Frankfurt am Main
Phone: +49 (0)69 25 73 75 264
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of data processed
- Inventory data (e.g. names, addresses)
- Content data (e.g. text input, photographs, videos)
- Contact details (e.g. email, telephone numbers)
- Meta/communication data (e.g. device information, IP addresses)
- Usage data (e.g. websites visited, interest in content, access times)
- Contract data (e.g. subject matter of the contract, term)
- Payment data (e.g. bank details, invoices, payment history)
Categories of persons concerned
- Employees (e.g. employees, applicants, former employees)
- Business and contractual partners
- Interested parties
- Communication partners
- Users (e.g., website visitors, users of online services).
Purposes of processing
- Processing of mandates
- Office and organization procedures
- Contact requests and communication
- Contractual performances and services
- Handling and responding to requests
Relevant Legal Bases
The following describes the legal bases of the EU General Data Protection Regulation (GDPR) which governs our processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence and domicile.
- Consent (Art. 6 (1) sentence 1, lit. a) GDPR) – The data subject has given his or her consent to the processing of personal data relating to him or her for a specific purpose or purposes
- Performance of a contract and pre-contractual requests (Art. 6 (1), sentence 1, lit. b) GDPR) – Processing is necessary for the performance under a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request
- Legal obligation (Art. 6 (1), sentence 1, lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject
- Legitimate interests (Art. 6 (1), sentence 1, lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with the law, taking into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as the access to, input of, disclosure of, assurance of availability of and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data, and responses to data compromise. We take the protection of personal data into account already during the development or selection of hardware, software, and processes, in accordance with the principles of data protection by design and data protection by default.
Transfer and Disclosure of Personal Data
The server used for data processing is located in Germany. In the course of our processing of personal data, data may be transferred or disclosed to other bodies, companies, legally independent organizational units, or persons. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks, or providers of services and content which are integrated into a website. In such cases, we will comply with the legal requirements and, in particular, conclude appropriate contracts or agreements to protect your data with the recipients of your data.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this will only occur in accordance with the applicable legal requirements.
Subject to explicit consent or transfer required by contract or law, we will process or allow the processing of data only in third countries which have a recognized level of data protection or on the basis of special guarantees, such as a contractual obligation through the EU Commission’s so-called Standard Contractual Clauses or the existence of certifications or binding internal data protection regulations (Articles 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Business Services
We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “Contractual Partners”) in the context of contractual and comparable legal relationships as well as related measures, and in the context of communication with the Contractual Partners (or parties contemplating entering into a contract), e.g. to respond to requests.
We process this data to fulfill our contractual obligations, to safeguard our rights, to fulfill administrative tasks associated with this information, and to organize our business activities. Pursuant to applicable law, we will only disclose the data of Contractual Partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the Contractual Partners (e.g. to participating telecommunications, transport, and other auxiliary services, banks, tax and legal advisors, payment service providers, or tax authorities). The Contractual Partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this Data Protection Policy.
We will inform Contractual Partners which data are required for the aforementioned purposes before or in the course of data collection, either in person or by means of special labeling.
We will erase the data after the expiration of any legal warranty and comparable obligations, i.e., generally after 4 years, unless the data must be retained for legal reasons (e.g., for tax purposes, generally 10 years).
Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection policies of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.
Legal consulting: We process the data of our clients as well as interested parties and other contracting parties or Contractual Partners (uniformly referred to as “clients”) in order to be able to provide them with our contractual or pre-contractual services, in particular consulting services. The data processed and the type, scope, purpose, and necessity of the processing are determined by the underlying mandate or contractual relationship.
If we have the consent of the client, if it is required for the fulfillment of our contract, by law or for the protection of vital interests, or if it is based on our legitimate interests in the efficient and secure performance of our activities, we will disclose or transfer the client’s data, in compliance with the requirements of professional law and regulations, to third parties or agents, such as government agencies or courts, or to service providers in the area of IT, office management, or comparable services.
- Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact details (e.g. email, telephone numbers), contract data (e.g. subject matter of contract, term)
- Data subjects: Clients, business and contractual partners, interested parties
- Purposes of processing: Contractual fulfillment and service, contact requests and communication, office and organization procedures, managing and responding to requests.
- Legal bases: Performance of a Contract and Pre-contractual Requests (Art. 6 (1), sentence 1, lit. b) GDPR), Legal Obligation (Art. 6 (1), sentence 1, lit. c) GDPR), Legitimate Interests (Art. 6 (1), sentence 1, lit. f) GDPR).
Contact requests
When contacting us (e.g., via contact form, email, telephone, or social media), data of the inquiring person is processed insofar as this is necessary to respond to the contact request and prepare any requested response.
The response to contact requests in the context of contractual or pre-contractual relationships is made in order to fulfill our contractual obligations or to respond to (pre)contractual requests and otherwise on the basis of legitimate interests in responding to the requests.
- Types of data processed: Inventory data (e.g. names, addresses), contact details (e.g. email, telephone numbers), content data (e.g. text input, photographs, videos).
- Data subjects: Communication partner
- Purposes of processing: Contact requests and communication
- Legal bases: Performance of a Contract and Pre-contractual Requests (Art. 6 (1), sentence 1, lit. b) GDPR), Legitimate Interests (Art. 6 (1), sentence 1, lit. f) GDPR).
Notes on Data Protection when Submitting Communications
When communicating with Attorney-at-law, Dr. Stephanie Troßbach in her function as ombudsperson or confidential representative, the following notices apply in addition to the general Data Protection Policy:
Messages submitted via the contact form on the website www.catuslaw.com/en/ombudsperson/ or other communication channels (email, telephone, letter) serve the purpose of acknowledging and addressing any legal or regulatory violations that may exist on behalf of the commissioning companies or organizations. Personal data transmitted via the contact form will be processed exclusively for these purposes in compliance with data protection regulations.
The ombudsperson represents the contracting party (company or organization) as the client, not the whistleblower. However, if the whistleblower wishes to remain anonymous, the whistleblower will be protected by a restriction of the contracting party’s right to information and disclosure. Disclosure of the identity of the whistleblower to the contracting party shall (only) occur with the express and written consent of the whistleblower. In addition, there is the option to provide details about one’s identity. Confidentiality can be overridden, in particular, by contrary legal obligations (such as sec. 138 of the German Criminal Code, which penalizes the failure to report planned (serious) criminal acts).
The processing of the transmitted personal data is based on the legal basis of consent pursuant to Art. 6 (1), lit. a) GDPR.
Data are specially protected by appropriate technical and organizational measures against loss, destruction, access, modification, or dissemination. The server used for data processing is located in Germany.
This website is secured using TLS (Transport Layer Security); all messages submitted via the contact form on the website are therefore encrypted in transit, in accordance with Art. 32 (1), lit. a) GDPR.
Communications will be received by Attorney-at-law, Dr. Stephanie Troßbach or, in the event of delegation, by a subcontracted attorney who is subject to the same legal and contractual requirements.
After receipt of the notification, an incoming inspection and initial assessment will be carried out. If the whistleblower has provided contact details, follow-up queries about the notification may also be made. If the whistleblower has expressly consented in writing, the assessment will be forwarded to the contracting party (company or organization). Depending on the nature of the information, this may result in internal investigations within the contracting party. Should the contracting party have a registered office outside the European Union, different rules on data protection may apply after the data has been forwarded.
The personal data, information and documents provided shall be retained for a period of six years in accordance with Section 50 (1) and (4) of the German Federal Lawyers’ Ordinance (Bundesrechtsanwaltsordnung, BRAO). The period begins at the end of the calendar year in which the assignment has ended. After that, the documents will be destroyed in accordance with applicable laws.
Notwithstanding this provision, data subjects may exercise their right of access (Art. 15 GDPR) or right to rectification (Art. 16 GDPR) with regard to their personal data.
Provision of Online Services and Web Hosting
In order to be able to provide our websites securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the websites can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services. The relevant servers are located in Germany.
The data processed within the scope of the provision of the hosting service may include all data concerning users of our websites and all data generated in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the website contents to browsers, and all entries made within our websites or from other websites.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files, storage period: 190 days). The server log files may include the address and name of the websites and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited website) and, as a rule, IP addresses and the requesting service provider.
The server log files may be used for security purposes, e.g., to detect and mitigate server overload (especially in the event of abusive requests, so-called DDoS attacks) and to safeguard the capacity and stability of the servers.
- Types of data processed: Content data (e.g., text input, photographs, videos), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal bases: Legitimate Interests (Art. 6 (1), sentence 1, lit. f) GDPR)
Cloud Services
We use software services accessible over the Internet and running on the servers of their providers (called “cloud services”, also referred to as “software as a service”) for the following purposes: document storage and management, calendar management, emailing, spreadsheets and presentations, sharing documents, content and information with specific recipients or publishing websites, online forms or other content and information, and chatting and participating in audio and video conferences.
In this context, personal data may be processed and stored on the servers of the providers insofar as these are part of communication processes with us or are otherwise processed by us as set out in this Data Protection Policy. This data may include, in particular, master data and contact details from users, data on transactions, contracts, other processes and their contents. The cloud service providers also process usage data and metadata, which they use for security purposes and service optimization.
If we use cloud services to provide forms or other documents and content to other users or to publicly accessible websites, the providers may store cookies on users’ devices for web analytics purposes or to remember users’ settings.
Notes on legal bases: If we ask for consent to use the cloud services, the legal basis of the processing is consent. Furthermore, use of such services may be a component of our (pre)contractual services, provided that the use of the cloud services has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in efficient and secure administrative and collaboration processes).
- Types of data processed: Inventory data (e.g. names, addresses), contact details (e.g. email, telephone numbers), content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses)
- Data subjects: Employees (e.g. employees, applicants, former employees), clients, interested parties, communication partners
- Purposes of processing: Office and organization procedures
- Legal bases: Consent (Art. 6 (1), sentence 1, lit. a) GDPR), Performance of a contract and pre-contractual requests (Art. 6 (1), sentence 1, lit. b) GDPR), Legitimate Interests (Art. 6 (1), sentence 1, lit. f) GDPR)
Services Used and Service Providers:
Microsoft Cloud Services: We use the email program Outlook, which uses Microsoft’s mail servers, as well as Microsoft cloud storage services; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 U.S.A.; Website: http://microsoft.com/de-de;
Security Notice: https://www.microsoft.com/de-de/trustcenter
TeamDrive: We use the cloud service TeamDrive; service provider: TeamDrive Systems GmbH, Max-Brauer-Allee 50, 22765 Hamburg; Website: https://teamdrive.com. This is a cloud sync and share solution recommended by the German Lawyers Association (DAV): https://www.presseportal.de/pm/72437/3341567. This solution is intended to provide a modern and, above all, secure solution for storing, synchronizing, and sharing data and documents that meets the special requirements under Section 203 of the German Criminal Code (StGB). This includes end-to-end encryption and guaranteed security standards for hosting. The data is stored in the Microsoft Cloud Germany under the trusteeship of the Deutsche Telekom subsidiary T-Systems.
Erasure of Data
Data processed by us will be erased in accordance with the legal requirements as soon as consent given for the processing is withdrawn or other permissions cease to apply (e.g., if the purpose of processing this data has ceased to apply or the data is no longer required for that purpose).
If the data is not erased because it is required for other, legally permissible purposes, its processing will be restricted to those purposes. This means that the data is blocked and will not be processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law, or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
Further information on the erasure of personal data can also be found in the individual data protection notices of this Data Protection Policy.
Amendment and Update of the Data Protection Policy
We kindly ask you to monitor possible updates to this Data Protection Policy. We will adapt the Data Protection Policy as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require action on your part (e.g. consent) or in case other individual notifications become necessary.
Where we provide addresses and contact information for companies and organizations in this Data Protection Policy, please note that the addresses may change over time and please check the information before contacting us.
Rights of Data Subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18, 20 and 21 GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1), lit. e) or f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent you have given at any time.
- Right of access: You have the right to request confirmation as to whether the data in question is being processed and to obtain information about this data, further information, and a copy of the data in accordance with the legal requirements.
- Right to rectification: You have the right, in accordance with the law, to request that incomplete data concerning you be completed or that inaccurate data concerning you be rectified.
- Right to erasure and restriction of processing: In accordance with the law, you have the right to demand that data relating to you be erased without delay or, alternatively, to demand restriction of the processing of the data in accordance with applicable laws.
- Right to data portability: You have the right to receive data relating to you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements, or to request that it be transmitted to another controller.
- Complaint with a supervisory authority: You also have the right, in accordance with the law, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Definitions of Terms
This Section provides you with an overview of the terms used in this Data Protection Policy. Many of the terms are taken from the law and are defined in particular in Art. 4 GDPR.
The legal definitions are binding. The following explanations, on the other hand, are intended primarily to aid understanding. The terms are sorted alphabetically.
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
- Controller: “Controller” shall mean the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data
- Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses nearly all handling of data, be it collection, evaluation, storage, transfer or erasure.
Social Network Accounts
We maintain online presences within the social network LinkedIn in order to communicate with users active there or to offer information about us there; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
We would like to point out that in the process, user data may be processed outside the area of the European Union. This could result in risks for users, for example, because it could make it more difficult to enforce users’ rights.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to display advertisements within and outside the networks which presumably relate to the users’ interests. For these purposes, cookies are usually stored on the users’ computers, which record the usage behavior and interests of the users. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
In the case of requests for information or the assertion of data subject rights, we advise that these can be asserted most effectively with the providers. Only the providers have access to the users’ data in each case and can take appropriate measures and provide information directly. If you still need help, then you can contact us.
With regard to US providers, we would like to point out that American law does not provide a level of data protection similar to the European level of data protection. Your data may be subject to access by public authorities for control and monitoring purposes, and you may not have effective legal remedies or rights as a data subject. Use the services of these third-party providers only if you agree to accept these conditions.