Data Privacy Notice

The controller within the meaning of the GDPR is:KRONSTEYNDr. Hendrik Müller-LankowMesseturmFriedrich-Ebert-Anlage 4960308 Frankfurt am MainGermanyPhone: +49 69 8700 8914 0E-mail: hello@kronsteyn.lawWebsite: www.kronsteyn.law/en

In connection with our activities as lawyers, we process personal data of (prospective) clients and their employees, representatives and advisers, including employees of representatives and advisers of our clients, opposing parties and their employees, representatives and advisers, including employees of representatives and advisers of opposing parties, witnesses, employees of insurers, experts and their employees, employees of courts and authorities, lawyers, tax advisers, auditors and notaries cooperating with us, and their employees for the following purposes:identification of our (prospective) clients, their beneficial owners, the persons acting on their behalf and verification of their authorisation before or upon establishment of the client relationship, as well as screening against sanctions lists;review of potential conflicts of interest prior to the establishment of the client relationship;initiation of the client relationship, in particular pre-contractual correspondence for the preparation of fee proposals and cost estimates;proper legal advice and representation of our clients in connection with mandates, in particular for the establishment and defence of our clients’ rights, including correspondence with our clients, opposing parties and their representatives, witnesses, courts and authorities;sending correspondence or other items on behalf of our clients in connection with mandates;advancing, receiving or forwarding third-party funds on behalf of our clients in connection with mandates;preparing or commissioning translations on behalf of our clients in connection with mandates;proper internal administration, including the maintenance of physical files and the operation of IT systems for administrative purposes;proper accounting and invoicing;proper retention of documents for compliance with legal retention obligations, in particular under professional, anti-money laundering, commercial and tax law, as well as for evidentiary purposes in connection with the establishment, exercise or defence of legal claims;handling potential liability claims and asserting potential claims against our clients;cooperation with courts and/or authorities for compliance with legal obligations;coordination with external auditors and tax auditors for compliance with legal obligations;client relationship management and alignment of our advisory services with the needs and wishes of our (prospective) clients;provision of references for rankings and analyses by publishers and market analysts.Further details are set out below.2.1 Details Regarding Personal Data2.1.1 Identification DataWe process data required to identify our (prospective) clients, their beneficial owners, the persons acting on their behalf and to verify their authorisation. This includes in particular data from identification documents and commercial register excerpts.The data originate in particular from (prospective) clients, courts and authorities, as well as lawyers, tax advisers, auditors and notaries cooperating with us and their employees.The provision of these data is legally required. Without these data, legally required identification procedures may not be possible.The data are generally retained for the duration of the retention obligations under anti-money laundering law, i.e. for five years following the end of the calendar year in which the business relationship ended or the information was obtained (Sec. 8(4) German Anti-Money Laundering Act (GWG)). Where additional statutory retention obligations apply, in particular under commercial or tax law, longer retention periods of six or ten years may apply (Sec. 147 German Fiscal Code (AO), Sec. 257 German Commercial Code (HGB)).2.1.2 Contact DataWe process contact data required for communication and correspondence. This includes in particular title, first name, surname, e-mail address, address, telephone and fax number, as well as position or function.The data concern in particular (prospective) clients, their employees, representatives and advisers, opposing parties and their employees, representatives and advisers, witnesses, employees of insurers, experts and their employees, employees of courts and authorities, as well as lawyers, tax advisers, auditors and notaries cooperating with us and their employees.The provision of these data is generally not legally required. However, it may be necessary for the conclusion of a client agreement and for the advice and representation of our clients. Without these data, the handling of a mandate may not be possible or may only be possible to a limited extent.The data are retained until the respective processing purposes have been achieved. In addition, we retain the data where statutory retention obligations apply, in particular under professional, anti-money laundering, commercial or tax law.2.1.3 Mandate DataWe process data arising in connection with the initiation, performance and administration of a mandate. This includes in particular the contents of mandate-related documents, information from oral, written and electronic correspondence, log data from electronic communications and bank details where required for the advancing, receipt or forwarding of third-party funds.We obtain these data in particular from clients, their representatives and advisers, opposing parties, their representatives and advisers, witnesses, insurers, experts, courts and authorities, as well as lawyers, tax advisers, auditors and notaries cooperating with us and their employees.The provision of these data is generally not legally required. However, it may be necessary for the advice and representation of our clients and for the administration of the mandate. Without these data, the handling of a mandate may not be possible or may only be possible to a limited extent.The data are retained until the respective processing purposes have been achieved. In addition, we retain the data where statutory retention obligations apply, in particular under professional, anti-money laundering, commercial or tax law.2.1.4 Internally Generated Mandate DataWe also process data which we create or generate ourselves in the course of handling a mandate. This includes in particular client identification numbers, file numbers, file notes, memoranda, legal opinions, submissions and other documented results of our advice and representation, insofar as they relate to identified or identifiable natural persons.These data are generated by us; provision by the data subject is not required.The data are retained until the respective processing purposes have been achieved. In addition, we retain the data where statutory retention obligations apply.2.1.5 Billing DataWe process data required for invoicing our services. This includes in particular billing addresses, VAT identification numbers, debtor numbers, invoice numbers, file numbers, internal time recording information, activity reports, expenses and payment-related data, in particular payment dates and payment amounts.We obtain some of these data from our clients and generate some ourselves.The provision of certain billing data is legally required. Without these data, proper invoicing may not be possible.The data are retained until the respective processing purposes have been achieved. In addition, we retain the data where statutory retention obligations apply, in particular under commercial or tax law. Depending on the type of documents, such periods may be six or ten years (Sec. 147 AO, Sec. 257 HGB).2.2 Details Regarding Data Processing2.2.1 Identification and Sanctions List ScreeningWe process identification data in order to verify our (prospective) clients, their beneficial owners, the persons acting on their behalf and their authorisation before or upon establishment of the client relationship. We also screen the necessary data against sanctions lists.No automated decision-making takes place.The legal basis is compliance with legal obligations, in particular under anti-money laundering law, Art. 6(1)(c) GDPR. Where necessary, processing also takes place on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in particular in knowing our contractual partners and avoiding legal and professional risks.Recipients may in particular include courts and authorities, lawyers, tax advisers, auditors and notaries cooperating with us and their employees.2.2.2 Conflict ChecksWe process contact and mandate data in order to identify and avoid potential conflicts of interest before establishing a client relationship.No automated decision-making takes place.The legal basis is compliance with legal obligations pursuant to Art. 6(1)(c) GDPR and the protection of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in avoiding conflicts of interest and complying with professional obligations.Recipients may, where necessary, include lawyers, tax advisers, auditors and notaries cooperating with us and their employees.2.2.3 Initiation of the Client RelationshipWe process contact and mandate data for the initiation of a client relationship, in particular for pre-contractual correspondence and the preparation of fee proposals and cost estimates. In individual cases, this may require coordination with representatives or advisers of the client, insurers or lawyers, tax advisers, auditors and notaries cooperating with us.No automated decision-making takes place.Where the data subject is our client, the legal basis is Art. 6(1)(b) GDPR. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in carrying out pre-contractual measures at the request of our prospective client.Recipients may in particular include clients, their representatives and advisers, insurers and lawyers, tax advisers, auditors and notaries cooperating with us and their employees.2.2.4 Advice and Representation in MandatesWe process contact and mandate data for the proper advice and representation of our clients. This includes in particular the establishment and defence of our clients’ rights and correspondence with clients, opposing parties, their representatives and advisers, witnesses, insurers, experts, courts and authorities. In individual cases, coordination with lawyers, tax advisers, auditors and notaries cooperating with us may also be necessary.No automated decision-making takes place.Where the data subject is our client, the legal basis is Art. 6(1)(b) GDPR. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in performing the client agreement with our client.Recipients may in particular include clients, representatives and advisers of clients, opposing parties, representatives and advisers of opposing parties, witnesses, insurers, experts, other service providers, courts, authorities and lawyers, tax advisers, auditors and notaries cooperating with us and their employees.2.2.5 Sending Correspondence and ItemsWe process contact data where necessary for sending correspondence or other items on behalf of our clients. For this purpose, address data of the sender and recipient may be transferred to shipping service providers.No automated decision-making takes place.Where the data subject is our client, the legal basis is Art. 6(1)(b) GDPR. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in performing the client agreement with our client.Recipients include in particular shipping service providers.2.2.6 Third-Party FundsWe process contact and mandate data where necessary for the advancing, receipt or forwarding of third-party funds in connection with a mandate.No automated decision-making takes place.Where the data subject is our client, the legal basis is Art. 6(1)(b) GDPR. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in performing the client agreement with our client.Recipients may in particular include clients, representatives and advisers of clients, opposing parties, their representatives and advisers, courts, authorities, banks and IT service providers.2.2.7 TranslationsWe process contact and mandate data where translations are required on behalf of our clients in connection with a mandate. In individual cases, this may require coordination with translators or lawyers, tax advisers, auditors and notaries cooperating with us.No automated decision-making takes place.Where the data subject is our client, the legal basis is Art. 6(1)(b) GDPR. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in performing the client agreement with our client.Recipients may in particular include translators and lawyers, tax advisers, auditors and notaries cooperating with us and their employees.2.2.8 Internal Administration and ITWe process contact, mandate and billing data for proper internal administration, in particular for maintaining physical files and operating our IT systems.No automated decision-making takes place.The legal basis is compliance with legal obligations, in particular professional obligations, pursuant to Art. 6(1)(c) GDPR. In addition, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in proper and efficient law firm administration.Recipients may in particular include IT service providers.2.2.9 Accounting and InvoicingWe process contact and billing data for proper accounting and invoicing.No automated decision-making takes place.The legal basis is compliance with legal obligations, in particular under commercial and tax law, pursuant to Art. 6(1)(c) GDPR. Where invoicing is directed to clients, Art. 6(1)(b) GDPR additionally applies. In relation to other data subjects, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR.Recipients may in particular include payroll and accounting service providers and tax advisers.2.2.10 Retention of DocumentsWe process contact, mandate and billing data for compliance with statutory retention obligations, in particular under professional, anti-money laundering, commercial and tax law, and for evidentiary purposes in connection with the establishment, exercise or defence of legal claims.No automated decision-making takes place.The legal basis is Art. 6(1)(c) GDPR. Where retention takes place for evidentiary purposes, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the establishment, exercise or defence of legal claims.Data are disclosed to recipients only where necessary in the individual case.2.2.11 Liability Claims and Own ClaimsWe process contact, mandate and billing data for handling potential liability claims and asserting our own claims.No automated decision-making takes place.The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the establishment, exercise or defence of legal claims.Recipients may in particular include clients, their representatives and advisers, opposing parties, their representatives and advisers, witnesses, insurers, courts and authorities.2.2.12 Cooperation with Courts, Authorities and AuditorsWe process contact, mandate and billing data where necessary for compliance with legal obligations vis-à-vis courts, authorities, external auditors or tax auditors.No automated decision-making takes place.The legal basis is Art. 6(1)(c) GDPR.Recipients may in particular include courts, authorities, external auditors and tax auditors.2.2.13 Client Relationship ManagementWe process contact data for maintaining client relationships, aligning our advisory services with the needs and wishes of our (prospective) clients and, where applicable, informing clients about firm events or relevant topics.No automated decision-making takes place.Where consent has been given, the legal basis is Art. 6(1)(a) GDPR. Otherwise, processing is carried out on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in maintaining existing and prospective client relationships.Recipients may in particular include IT service providers.2.2.14 References for Rankings and Market AnalysesWe process contact data where clients are named as references for rankings or analyses by publishers or market analysts.No automated decision-making takes place.The legal basis is the consent of the data subject pursuant to Art. 6(1)(a) GDPR.Recipients may in particular include publishers and market analysts.2.2.15 Details Regarding Recipients and Transfers to Third CountriesWe transfer personal data only to the extent necessary for the respective processing purposes or where we are legally obliged to do so. Recipients of personal data may in particular include: clients, representatives and advisers of clients, opposing parties and their representatives and advisers, witnesses, insurers, experts and other service providers, courts and authorities, lawyers, tax advisers, auditors and notaries cooperating with us and their employees, shipping service providers, banks, IT service providers, payroll and accounting service providers, and publishers and market analysts where client references are provided with consent.Depending on the recipient, they act either as independent controllers or as processors. Where service providers process personal data on our behalf, this is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR.Transfers of personal data to third countries outside the European Union or the European Economic Area take place only where necessary in the individual case, in particular for the performance or initiation of a mandate, the establishment, exercise or defence of legal claims or on the basis of the explicit consent of the data subject.Where no adequacy decision of the European Commission exists for the relevant third country, transfers take place only where appropriate safeguards within the meaning of Art. 46 GDPR exist or on the basis of a derogation pursuant to Art. 49 GDPR. This may in particular be the case where the transfer is necessary for the performance of the client agreement, the implementation of pre-contractual measures at the request of the client or the establishment, exercise or defence of legal claims.

3.1 GeneralWhen you visit our website, we process personal data to the extent necessary for the technical provision, security, functionality and analysis of our online services. For this purpose, we partly use external service providers, in particular for hosting, website operation, fonts, analytics functions and cookie or consent management.In this context, personal data may also be transferred to third countries outside the European Union and the European Economic Area. Such transfers are carried out only in accordance with Art. 44 et seq. GDPR.3.2 Hosting and Technical Provision of the WebsiteOur website is provided through an external website and hosting service provider. When accessing the website, technically necessary data are processed in order to deliver the website, ensure its functionality and safeguard the security of the systems. This includes in particular: IP address, date and time of access, pages and files accessed, amount of data transferred, browser type and browser version, operating system, referrer URL and technical log and security data.The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and proper provision of our website.The hosting provider is established in Israel. An adequacy decision of the European Commission pursuant to Art. 45 GDPR exists for Israel. The European Commission continues to include Israel in the list of countries benefiting from an adequacy decision. Transfers of personal data to Israel may therefore generally be based on Art. 45 GDPR.To the extent that the hosting provider also transfers personal data to other third countries, such transfers are carried out in accordance with the applicable data protection requirements, in particular on the basis of an adequacy decision, appropriate safeguards pursuant to Art. 46 GDPR or a derogation pursuant to Art. 49 GDPR. According to the provider, user data may in particular be processed in the EU, Israel or other countries benefiting from an adequacy decision; furthermore, the provider states that it contractually obliges internal and external service providers to comply with data protection standards.3.3 Contacting Us via the WebsiteIf you contact us via our website, for example by e-mail or via a contact form, we process the data provided by you in order to handle your request. This may in particular include: name, e-mail address, telephone number, company or organisation, content of your message, time of contact and other information provided by you.The legal basis is Art. 6(1)(b) GDPR insofar as your request relates to the initiation or performance of a contract or mandate. Otherwise, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in handling and responding to your request.3.4 Cookies and Similar TechnologiesOur website uses cookies and similar technologies. Cookies are small text files stored on your device. Similar technologies may in particular include pixels, local storage technologies, scripts, tags or comparable technical procedures.3.4.1 Technically Necessary Cookies and TechnologiesWe use technically necessary cookies and similar technologies to the extent necessary for the operation of the website, the provision of basic functions, IT security or the storage of your privacy settings.The legal basis for storing information on your device or accessing information stored on your device is Sec. 25(2) German Telecommunications Digital Services Data Protection Act (TDDDG). The legal basis for the subsequent processing of personal data is Art. 6(1)(f) GDPR. Our legitimate interest lies in the functional, secure and user-friendly provision of our website.3.4.2 Non-Essential Cookies and TechnologiesWe use non-essential cookies and comparable technologies, in particular for analytics or marketing purposes, only to the extent that you have previously consented.The legal basis for storing information on your device or accessing information stored on your device is Sec. 25(1) TDDDG. The legal basis for the subsequent processing of personal data is Art. 6(1)(a) GDPR.You may withdraw or amend your consent at any time with effect for the future via the cookie settings.3.5 Google AnalyticsWe use Google Analytics, a web analytics service provided by Google. Google Analytics enables us to analyse the use of our website statistically and to improve our online services.In this context, the following data may in particular be processed: pages visited, duration of visits, origin of users, interactions on the website, devices and browsers used, approximate location and technical usage and event data.Google Analytics is used only to the extent that you have consented thereto. The legal basis for storing information on your device or accessing information stored on your device is Sec. 25(1) TDDDG. The legal basis for the subsequent processing of personal data is Art. 6(1)(a) GDPR.According to Google, IP addresses of users from the EU are not logged or stored in Google Analytics; IP addresses are discarded via EU domains and servers before logging. Nevertheless, the use of Google services may involve transfers of personal data to the United States.For the United States, an adequacy decision of the European Commission exists on the basis of the EU-U.S. Data Privacy Framework, provided that the respective recipient is certified thereunder. The European Commission has decided that personal data may be transferred to participating companies in the United States on this basis. Google states that it is certified under the EU-U.S. Data Privacy Framework.To the extent that a transfer to Google in the United States cannot be based on an adequacy decision, such transfer takes place only on the basis of appropriate safeguards pursuant to Art. 46 GDPR or a derogation pursuant to Art. 49 GDPR, in particular your explicit consent.You may withdraw your consent to the use of Google Analytics at any time with effect for the future via the cookie settings.3.6 Google FontsOur website may use fonts provided by Google Fonts. Google Fonts serves the uniform and visually appealing presentation of fonts on our website.Where Google Fonts are dynamically integrated, a connection to Google servers is established when accessing the website. According to Google, Google thereby receives in particular the user's IP address, the requested URL on the Google server and HTTP headers including user agent and referrer. Google further states that Google Fonts does not set or log cookies and that the information collected is not used to create user profiles or for targeted advertising.Where Google Fonts are integrated locally, the fonts are delivered from our own servers or via our website. In this case, no transfer of personal data to Google takes place when loading the fonts.Where Google Fonts are dynamically loaded via Google servers, this takes place only where a legal basis exists. The legal basis may in particular be your consent pursuant to Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG, insofar as the integration involves access to information stored on your device or the transfer of personal data to Google.For reasons of data minimisation and to avoid unnecessary third-country transfers, we recommend the local integration of Google Fonts. In Germany, the dynamic integration of Google Fonts is considered legally sensitive because at least the IP address is transferred to Google; the Regional Court of Munich I considered the transfer of IP addresses without consent in connection with the dynamic integration of Google Fonts to be problematic.3.7 Transfers to Third CountriesIn connection with the operation of our website, personal data may be transferred to recipients in third countries outside the European Union and the European Economic Area, in particular to service providers in Israel and the United States.Transfers to Israel are carried out on the basis of the adequacy decision of the European Commission pursuant to Art. 45 GDPR.Transfers to the United States are carried out, where possible, on the basis of the adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework, provided that the respective recipient is certified thereunder. Otherwise, transfers to third countries take place only where appropriate safeguards pursuant to Art. 46 GDPR or a derogation pursuant to Art. 49 GDPR exists, in particular your explicit consent.3.8 Recipients of DataRecipients of personal data in connection with our online services may in particular include: hosting and website service providers, IT service providers, providers of cookie consent and security services, Google insofar as Google Analytics or Google Fonts are used, and other technical service providers to the extent necessary for the operation, security, maintenance or analysis of the website.Where service providers process personal data on our behalf, such processing is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR.3.9 Retention PeriodWe store personal data in connection with the use of our website only for as long as necessary for the respective purposes.Technical log data are generally stored only for a limited period unless longer storage is necessary for the investigation of security incidents, the establishment, exercise or defence of legal claims or compliance with legal obligations.Data processed on the basis of consent are processed until the withdrawal of consent or until the respective purpose ceases to apply. Statutory retention obligations remain unaffected.

4.1 GeneralWe process personal data of applicants to the extent necessary for the conduct of the application process, the assessment of suitability and the decision on the establishment of an employment or other contractual relationship.This applies in particular to persons applying for an advertised position or submitting an unsolicited application.4.2 Purposes of Processing4.2.1 Conduct of the Application ProcessWe process personal data in order to receive and review applications and to conduct the application process. This includes in particular communication with applicants, the organisation of interviews and the assessment of professional and personal suitability.4.2.2 Decision on the Establishment of a Contractual RelationshipWe process personal data in order to decide whether to establish an employment, legal traineeship, internship, freelance or other contractual relationship.4.2.3 Establishment, Exercise and Defence of Legal ClaimsWhere necessary, we also process personal data for the establishment, exercise or defence of legal claims in connection with the application process.4.3 Categories of Personal DataIn connection with applications, we process in particular the following categories of personal data: master data, in particular first and last name, contact details, in particular address, e-mail address and telephone number, application documents, in particular cover letters, CVs, certificates, supporting documents, references and work samples, information regarding education, qualifications, professional experience and availability, information arising from communication with applicants, notes and assessments generated during the application process, and, where applicable, information regarding salary expectations and other contractual conditions.4.4 Sources of DataAs a rule, we obtain the data directly from applicants, in particular through the submission of application documents or in the course of communications and interviews.In individual cases, data may also originate from recruitment agencies, professional networks or publicly accessible sources, insofar as this is necessary and legally permissible for the application process.4.5 Legal Bases for ProcessingTo the extent that the processing is necessary for the decision on the establishment of an employment relationship, the processing is carried out on the basis of Sec. 26(1) German Federal Data Protection Act (BDSG).Where another contractual relationship is being initiated, the processing is carried out for the implementation of pre-contractual measures on the basis of Art. 6(1)(b) GDPR.Where processing is necessary for the establishment, exercise or defence of legal claims, the processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in safeguarding and enforcing our rights.Where applicants voluntarily provide special categories of personal data, such as health data, the processing is carried out only insofar as this is necessary for the application process or otherwise legally permissible.4.6 Recipients of DataRecipients of personal data may in particular include: internal contacts involved in the application process, IT service providers, recruitment agencies insofar as they are involved in the application process, courts and authorities, insofar as this is legally required or serves the establishment, exercise or defence of legal claims.Personal data are disclosed only to the extent necessary for the respective processing purposes or where a legal obligation exists.4.7 Obligation to Provide DataThe provision of personal data is generally neither legally nor contractually required. However, without the information necessary for the application process, an application may not be considered.4.8 Retention PeriodWe store applicant data for the duration of the application process. Following completion of the application process, we generally delete the data after a period of six months unless longer retention is required.Longer retention may in particular take place where applicants have consented to longer storage, for example for inclusion in an applicant pool, or where storage is necessary for the establishment, exercise or defence of legal claims.

5.1 GeneralWe process personal data of suppliers and service providers as well as their employees, representatives and contact persons to the extent necessary for the initiation, performance and administration of the respective contractual or business relationship.This applies in particular to suppliers and service providers delivering goods, providing services or otherwise supporting us or our legal practice.5.2 Purposes of Processing5.2.1 Initiation of the Business RelationshipWe process personal data in order to obtain quotations, conduct contract negotiations, select suppliers or service providers and prepare the respective business relationship.5.2.2 Performance of the Business RelationshipWe process personal data for the performance of existing contracts, in particular for communication with suppliers and service providers, the ordering and coordination of services, the receipt of deliveries and the review and acceptance of services rendered.5.2.3 Accounting and BookkeepingWe also process personal data for the review, processing and payment of invoices as well as for proper accounting and compliance with commercial and tax law obligations.5.2.4 Establishment, Exercise and Defence of Legal ClaimsWhere necessary, we also process personal data for the establishment, exercise or defence of legal claims in connection with the respective business relationship.5.3 Categories of Personal DataIn connection with suppliers and service providers, we process in particular the following categories of personal data: first and last name, business contact details, in particular address, e-mail address and telephone number, company, function and position, communication data and contents of business correspondence, contractual and performance-related data, invoicing, payment and banking data, tax-related information where required, and data relating to the documentation of deliveries, services, complaints or other business transactions.5.4 Sources of DataAs a rule, we obtain the data directly from the respective supplier or service provider, from their employees, representatives or contact persons, or from business correspondence.In individual cases, data may also originate from publicly accessible sources, in particular websites, registers or professional networks.5.5 Legal Bases for ProcessingWhere the data subject is themselves a contractual party, the processing is carried out for the implementation of pre-contractual measures or for the performance of a contract on the basis of Art. 6(1)(b) GDPR.Where the data subject is not themselves a contractual party, for example as an employee, representative or contact person of a supplier or service provider, the processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the initiation, performance and administration of the respective business relationship.Where processing is necessary for compliance with legal obligations, in particular commercial or tax law retention and documentation obligations, the processing is carried out on the basis of Art. 6(1)(c) GDPR.5.6 Recipients of DataRecipients of personal data may in particular include: internal contacts responsible for commissioning or coordinating the respective services, banks and payment service providers, tax advisers, auditors and accounting service providers, IT service providers, courts and authorities, insofar as this is legally required or serves the establishment, exercise or defence of legal claims.Personal data are disclosed only to the extent necessary for the respective processing purposes or where a legal obligation exists.5.7 Obligation to Provide DataThe provision of personal data is generally neither legally nor contractually required. However, without the necessary information, the respective business relationship may not be initiated, performed or invoiced.Where certain data are required to comply with legal obligations, in particular under tax or commercial law, the provision of such data may be mandatory.5.8 Retention PeriodWe store personal data of suppliers and service providers for as long as necessary for the initiation, performance and administration of the respective business relationship.In addition, we retain the data where statutory retention obligations apply, in particular under commercial or tax law. Depending on the nature of the documents, retention periods of six or ten years may apply (Sec. 147 German Fiscal Code (AO), Sec. 257 German Commercial Code (HGB)).Longer retention may take place where this is necessary for the establishment, exercise or defence of legal claims.

6.1 GeneralWhen you visit us at our offices, we process personal data to the extent necessary for the organisation of your visit, to enable access to the building and our offices, and to safeguard legitimate security and organisational interests.This applies in particular to visitors of clients, business partners, service providers, applicants and other persons attending appointments with us.6.2 Purposes of Processing6.2.1 Organisation of VisitsWe process personal data of visitors in order to prepare and coordinate visits. This includes in particular the registration of visitors with the relevant reception or office management services.6.2.2 Access ManagementWe also process personal data to the extent necessary to enable visitors to access the building and our offices. For this purpose, the data may be shared with the relevant office management and building management services.6.2.3 Security and TraceabilityThe processing also serves the security of the offices, the persons working there and the facilities located in the building. This may also include the ability to determine which visitors were registered or granted access at a particular time.6.3 Categories of Personal DataIn connection with visitor registrations, we process in particular the following categories of personal data: first and last name of the visitor, company or organisation of the visitor, contact details where required for the organisation of the visit, date and time of the visit, and, where applicable, information required for access to the building or the offices.6.4 Sources of DataAs a rule, we obtain the data directly from the visitor, from the person or entity arranging the visit, or from the respective client, business partner or other contact in connection with whom the visit takes place.6.5 Legal Bases for ProcessingWhere the visit is connected with an existing or prospective contractual or client relationship with the data subject, the processing is carried out on the basis of Art. 6(1)(b) GDPR.Otherwise, the processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the proper organisation of visits, enabling access, ensuring the security of the offices and the building, and exercising our domiciliary rights.Where processing is necessary for compliance with legal obligations, the processing is carried out on the basis of Art. 6(1)(c) GDPR.6.6 Recipients of DataRecipients of personal data may in particular include: internal contacts organising or receiving the visit, office management or reception service providers, building management, security or access control service providers, and IT service providers operating visitor or access management systems.Personal data are disclosed only to the extent necessary for the organisation of the visit, access management or security purposes.6.7 Obligation to Provide DataThe provision of data is generally neither legally nor contractually required. However, without the necessary information, the visit may not be organised or may only be organised to a limited extent; in particular, access to the building or our offices may be denied or delayed.6.8 Retention PeriodWe store visitor data only for as long as necessary for the organisation and conduct of the visit and for security and documentation purposes.Where data are processed by reception, office management, security or building management services, their respective retention and deletion periods may additionally apply. Longer retention will only take place where statutory retention obligations exist or where storage is necessary for the establishment, exercise or defence of legal claims.

To exercise your rights, you may contact us at any time using the contact details set out in Section 1.7.1 Right of AccessPursuant to Art. 15 GDPR, you have the right to request confirmation as to whether we process personal data concerning you. If this is the case, you may in particular request information regarding the personal data processed, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, and the envisaged storage period.7.2 Right to RectificationPursuant to Art. 16 GDPR, you have the right to request the immediate rectification of inaccurate personal data concerning you and the completion of incomplete personal data.7.3 Right to ErasurePursuant to Art. 17 GDPR, you have the right to request the erasure of your personal data where the statutory requirements are met. This may in particular be the case if the data are no longer necessary for the purposes for which they were collected or otherwise processed.The right to erasure does not apply where processing remains necessary, in particular for compliance with legal obligations or for the establishment, exercise or defence of legal claims.7.4 Right to Restriction of ProcessingPursuant to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data where the statutory requirements are met. This may in particular be the case if you contest the accuracy of the data or if the processing is unlawful but you oppose the erasure of the data.7.5 Right to Data PortabilityPursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller, where the processing is based on consent or a contract and is carried out by automated means.Where technically feasible, you may also request that we transmit the data directly to another controller.7.6 Right to Object and Withdrawal of ConsentPursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR.If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes. In this case, the personal data concerned will no longer be processed for such purposes.Where processing is based on consent, pursuant to Art. 7(3) GDPR you have the right to withdraw your consent at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.7.7 Right to Lodge a Complaint with a Supervisory AuthorityPursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority.The supervisory authority responsible for us is:The Hessian Commissioner for Data Protection and Freedom of InformationWilhelmstraße 765185 WiesbadenGermanyTelephone: +49 611 1408 0E-mail: poststelle@datenschutz.hessen.de

This Privacy Information is dated 13 May 2026.Due to technical developments or changes in legal or regulatory requirements, it may become necessary to amend this Privacy Information.The current version of this Privacy Information can be accessed at any time at www.kronsteyn.law/en/datenschutz.