General information on the processing of personal data by Hengeler Mueller
The purpose of this notice is to inform you about the processing of your personal data by Hengeler Mueller Partnerschaft von Rechtsanwälten mbB ("Hengeler Mueller" or the "law firm"). This information notice is intended for any natural person, in particular, representatives, contact persons or employees of clients, opposing parties and other parties involved in proceedings, courts, public authorities or other business partners with whom we have (or will imminently have) an attorney-client relationship, or a contract, service or business relationship or any other relationship of communication, and also for guests whom we have the pleasure of welcoming at our events.
We take the confidentiality and the protection of your personal data very seriously. Therefore, we process your personal data only to the extent permissible under statutory provisions, in particular, under the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act (Bundesdatenschutzgesetz). If you have any questions about this information notice or our policies regarding the processing of your personal data, you can always address any of the contact details below
The data controller, i.e., the person responsible for processing your personal data is:
Hengeler Mueller
Partnerschaft von Rechtsanwälten mbB
Behrenstraße 42
10117 Berlin
Germany
You can find a list of all offices here.
If you instructed one of our lawyers based in Frankfurt in his/her capacity as notary, the data controller is the respective notary. You can find a list of our lawyers who are registered as notaries here.
Our data protection officer who has been appointed for our lawyers and notaries is available by email at: datenschutzbeauftragter@hengeler.com
or by mail to:
Hengeler Mueller
Partnerschaft von Rechtsanwälten mbB
Datenschutzbeauftragte (Data Protection Officer)
Benrather Straße 18-20
40213 Düsseldorf
Germany
Telephone: +49 211 8304 764
Depending on the client-attorney or business relationship, we process various types of personal data. Usually, these data are
- identity data (such as names, date of birth and other data contained in identity cards and other ID documents);
- contact data (such as addresses, email addresses, telephone numbers);
- data relating to a client matter (e.g. information that (i) is typically found in legal documents, such as contracts or legal briefs, and/or in public registers, e.g. the land register, commercial registers or registers of associations, (ii) was the content of our correspondence with you or with our clients, opposing parties and other parties in-volved in proceedings, courts, public authorities or other business partners, or (iii) relates to your legal relationships with your employer or third parties, such as HR data, file or case numbers, or loan reference numbers or the account numbers kept with credit institutions);
- special categories of personal data such as data concerning health (Art. 9 (1) GDPR) or data relating to criminal convictions and offences or related security measures (Art. 10 GDPR), where this is part of our advisory services or of any other communication relationship between you and us;;
- biometric data (Art. 9 (1) GDPR), insofar as you use the biometric authentication systems provided by us;
- other communication data (e.g. data that is the content of any (verbal/written or digital (email or MS Teams) correspondence and communication between you and us).
If you have not provided us with your personal data yourself, we either received such data from our clients, business partners, employees, service providers or cooperation partners for which you act as representative or employee, as the case may be, or via which you are being invited to our events, or we collected the data from sources including, without limitation, company websites, event lists of participants or industry directories.
We process your personal data to the extent that this is necessary for the purposes of the legitimate interests pursued by Hengeler Mueller (Art. 6 (1) lit. f GDPR), in particular,
- in order to enter into or execute engagement letters, instructions of our notaries, con-tracts and other business relationships (including the processing of purchase orders, de-liveries or payments) or in order to prepare or reply to quotation requests and to deter-mine the conditions of the contractual relationship, namely with our clients, business partners, service providers or cooperation partners for whom you act as representative or employee, as the case may be;
- for internal administrative purposes of the law firm (e.g., for accounting purposes, Knowledge Management);
- in order to conduct anti-terrorism and sanctions lists screenings, if applicable;
- in order to conduct court and administrative proceedings and/or for purposes of assert-ing/exercising, as well as defending against, legal claims in Germany and abroad, and to also, inter alia, exercise legal professional privilege as well as to ensure other special rights of confidentiality;
- in order to provide you – to the extent relevant for your business activity – with our client information, such as newsletters informing about current legal topics or events organized by our law firm;
- for any for the purpose of communication with modern means of communication, such as MS Teams;
- in order to contact third parties in the event of emergencies;
- in order to ensure IT security and IT operations at our law firm;
- in order to engage service providers (e.g., external IT service providers) who support our business processes;
- in order to prevent criminal offences and conduct compliance investigations in indi-vidual cases and the associated (also electronic) review of correspondence and docu-mentation;
- in order to plan and conduct events to which you are invited, as well as to register for such events on our website and report on these events on our intranet site, which can entail the publication of photo and video material (in which you can be identified) on our intranet site.
Moreover, personal data is processed in order to perform contracts entered into or to fulfil orders placed by individuals (natural persons) with whom we have business relationships (Art. 6 (1) lit. b GDPR).
If you choose not to provide us with your personal data, we are unable to perform the contractual relationship and/or cannot fulfil the above stated communication purposes.
In addition, we are sometimes required by law to process personal data (Art. 6 (1) lit. c GDPR). For example, pursuant to the provisions of the German Anti-Money Laundering Act (Geldwäschegesetz, "GWG"), we are obliged to identify our clients and, hence, need you to provide us with the necessary information (Sec. 11 (6) sentence 1 GWG). According to Sec. 50 of the German Federal Lawyers' Act (Bundesrechtsanwaltsordnung), we are obliged under professional law (Berufsrecht) to keep and manage attorneys' reference files; to this purpose, we may use electronic data processing.
Data is processed in connection with the services provided by our notaries on the basis of Art. 6 (1) lit. e GDPR to extent that the data processing is necessary to fulfil the tasks that have been entrusted to our notaries in the public interest.
Additionally, we also process your personal data based on your consent (Art. 6 (1) lit. a GDPR) insofar as you have granted it to us.
We will transmit your personal data to third parties only on the basis of (and in accordance with) statutory provisions or if and to the extent that you have consented to such transmission in the individual case.
To the extent required for the purposes outlined above, your personal data may be dis-closed to external service providers within and outside the European Economic Area (EEA). In the course of our work, we also use cloud-based IT solutions provided by third parties (for example Microsoft Office365). We use (cloud-based) services, in particular, for purposes of document management, collaboration and document automation or analysis, and also retain the services of external (cloud computing) providers offering email servers, eDiscovery platforms, data rooms or artificial intelligence.
We carefully select these service providers and instruct them in compliance with applicable data protection and professional law.
In the course of our law firm's usual work processes and for the purposes specified above, it is possible that we disclose your data to additional third parties within and outside the EEA, for example to our business partners or to law firms with whom we work together on a client matter, to translators, opponents or to other third parties.
In addition, we can – to the extent legally permissible – disclose your data to authorities (such as social security institutions, tax authorities or law enforcement agencies), public registers and domestic and foreign courts in order to comply with statutory duties or in order to act in the interests of our law firm. This may include foreign authorities and courts.
As a law firm working on a global scale, we share the data we process with recipients (service providers or other third parties) who may be located outside the EEA. To the extent that no statutory level of security comparable to the European data protection laws exists in such countries, we will adopt appropriate measures to ensure that your personal data will be adequately protected in these countries. In particular, we may apply the standard contractual clauses published by the European Commission. You may contact our data protection officer for further information, and, in particular, request inspection of the contracts concluded.
Each of our employees and all staff members of external service providers who have access to personal data are obliged to treat such data confidentially and to protect the data accordingly. In addition, we have implemented various technical and organisational measures to enable us to process your data in a secure manner.
In particular, however, communication via email involves risks such as delays, non-delivery, delivery to persons other than the intended recipient, data loss or corruption, interception, unauthorised modification of or other tampering with data by third parties. In addition, although we use anti-virus software, emails may not be free from viruses or other malicious software. The use of mobile telecommunication devices and any other communication via the Internet such as videoconferences involve similar risks, including the risk of unauthorised third party access to communications.
Where cloud-based IT applications are used, it cannot be excluded that third parties (in par-ticular, U.S. authorities) overtly or covertly gain access to your data. In addition, despite us exercising the necessary care and observing the latest technical standards, a loss of your data or damage to it cannot be excluded when cloud-based services are used.
We will erase your personal data after termination of our attorney-client, contract or service relationship or our contact if the storage is no longer necessary for the fulfilment of our (post-)contractual obligations or the legitimate interests specified in this data protection notice and if there are no statutory retention obligations. If there are statutory retention obligations, we will restrict the processing of the data.
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you have the right to receive information about your personal data, to require rectification or erasure of your personal data or the restriction of the processing and to receive your personal data in a structured, commonly used and machine-readable format (data portability).
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you also have the right to object to the processing of your personal data.
To the extent that we process your personal data in order to inform you about our advisory services and current developments to the extent this is relevant for your business activity, you can object to a processing of your personal data at any given time and without stating any reasons.
You have the right to lodge complaints with a supervisory authority in relation to the processing of your personal data. For more information you can contact your local data protection authority.
This notice is the version of November 2024 and is currently applicable.
In the event our activities and/or our services change or as a result of amended statutory or administrative provisions, it may become necessary to amend this notice. The most recent and applicable version of this notice can be accessed, saved and printed at any time via our website.