Privacy Policy
The protection of your personal data (hereinafter referred to as ‘data’) is very important to us. Therefore, we would like to inform you in detail about what data is collected when you use our services and how it is processed.
Please note that this privacy policy may be updated due to new technologies or changes in legislation. We will always take your interests into account.
1. Controller
The controller as defined in the General Data Protection Regulation (GDPR) is
IT.LAW GmbH
(hereafter: ‘IT.LAW’)
Colmantstraße 15
53115 Bonn, Germany
Email: info@it.law
Phone: +49 (0)228 74 898 0
Fax: +49 (0)228 74 898 66
If you have any questions or comments about this privacy policy or about data protection in general, please contact our Data Protection Officer by email at datenschutz@rickert.law or in confidence by post to the attention of the data protection officer at the following address:
Data Protection Officer
c/o Rickert Rechtsanwaltsgesellschaft mbH
Colmantstraße 15
53115 Bonn
Germany
2. Legal Basis for the Processing of Your Data
We only process your personal data if this is legally permitted. We use various legal bases for this:
Legal basis | Explanation | Example |
---|---|---|
Consent (Article 6 (1) (a) GDPR) | You have explicitly allowed us to use your data for a specific purpose. | You have consented to website analysis via the cookie banner. |
Performance of a contract (Article 6 (1) (b) GDPR) | Your data is necessary to conclude or execute a contract with you. | We need your address to bill you for the requested service. |
Legal obligation (Article 6 (1) (1) (c) GDPR) | We are legally obliged to process your data. | We have to keep your billing data. |
Legitimate interest (Article 6 (1) (f) GDPR) | Processing is important for our company or third parties and does not affect your rights. | Technically essential cookies to display our website correctly and to ensure stability and security. |
We will only store information on your device (e.g. your computer or smartphone) if this is permitted by law:
- if you have given your consent (Article 6 (1) (a) GDPR)
- to send you a message
- to provide digital services
3. Recipients of Data / Conditions for the Transfer of Personal Data to Third Countries
Processors are companies that we commission to process your personal data. They work exclusively according to our instructions and are contractually obliged to ensure data protection. You can find more information about the processors in the individual procedures.
Third parties are companies that we commission to provide certain services (e.g. shipping, payment) or to which we are required to transfer data by law. These companies are responsible for handling your data.
Category | Recipient | Purpose of data transfer | Legal basis |
---|---|---|---|
Processor | IT service providers (e.g. hosting providers, software providers, e-mail service providers) | Technical support for the website, provision of software solutions, goods management | Data processing agreement (Article 28 GDPR) |
Third parties | Payment service providers | Processing payments | Contractual obligation to fulfil the contract with the customer Article 6 (1) (b) GDPR |
Third parties | Authorities (e.g. tax office, customs) | Fulfilment of legal reporting obligations | Legal obligation Article 6 (1) (c) GDPR |
In order to offer you the best possible service, we work with partners in various countries. This means that your data is sometimes also transferred to countries outside the EU.
We ensure that your data is protected even when it is transferred abroad. We use various measures to do this:
Scenario | Description | Security measures | Legal basis |
---|---|---|---|
Adequate level of data protection | Transfer of data to countries with a level of data protection similar to that in the EU (e.g. Switzerland, Canada). | No additional protection is required as the level of data protection is considered sufficient. | Article 45 GDPR |
No adequacy, but contract clauses | Data transfer to countries without an adequate level of data protection. | EU standard contractual clauses, binding corporate rules | Article 46 GDPR, Article 47 GDPR |
Data transfer to certified companies in the USA | Transfer of data to companies in the United States that have joined the EU-US Data Privacy Framework. | The companies have undertaken to comply with European data protection standards and are subject to regular review, Article 45 of the GDPR + certification according to the EU-US Data Privacy Framework | Article 45 GDPR + certification https://www.dataprivacyframework.gov |
Exceptional cases | Data transfer that is necessary due to explicit consent, contractual or legal obligation | Consent of the data subject, contractual obligation, legal obligation | Article 49 GDPR |
4. Storage Periods
We only store your personal data for as long as is necessary to fulfil the respective purposes. As soon as the purpose no longer applies, the data will be deleted (Articles 17 and 18 GDPR).
In some cases, we are legally obliged to store your data for a certain period (e.g. for tax and commercial law purposes). We are also unable to delete your data for the duration of any legal proceedings in which your data is required as evidence.
5. Your Rights
In accordance with the law, you may exercise the following rights against the data controller:
Your Rights | Significance | Legal Basis |
---|---|---|
Access | You can find out at any time which of your data we process. | Article 15 GDPR |
Rectification | Is your data incorrect? We will be happy to correct it. | Article 16 GDPR |
Erasure | Under certain circumstances, you may request that your data be deleted. | Article 17 GDPR |
Restriction of processing | In certain cases, you can restrict the processing of your data. | Article 18 GDPR |
Transmission | You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. | Article 20 GDPR |
Object | You have the right to object to the processing of your data, particularly if it is used for direct marketing purposes. | Article 21 GDPR, provided that the processing is carried out based on Article 6 (1) (1) lit. e) or f) GDPR |
Withdrawal of consent | If you have given us consent to process your data, you can withdraw your consent at any time with effect for the future. | Article 7 (3) GDPR |
To exercise your rights under the GDPR, please contact us at datenschutz@it.law. Of course, you can also assert your rights against us via the ‘Contact’ form of our website.
If you believe that the processing of your personal data is in breach of data protection law, you have the right to complain to the data protection supervisory authority of your choice under Article 77(1) of the GDPR.
6. Data Security
Our primary objective is to ensure confidentiality, integrity and availability of your personal information. We use technical and organizational security measures to protect the personal data we collect against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continually improved in line with technological developments.
7. Collection and Processing of Your Personal Data
a. Provision of IT.LAW for Informational Use (Log Files)
The data collected includes:
- technical data (date and time you accessed one of our websites; your browser type and settings; your operating system; the pages you visited and the duration of your visit, as well as the amount of data transferred and the access status, e.g. for downloads, success messages or error messages)
- IP address
We do this to enable you to use the website you have accessed and to improve our website. We only store your IP address for the duration of your visit so that you can access and use the website for information purposes. Any further evaluation will only take place in accordance with the following provisions and on the basis of your consent.
The processing of the aforementioned data is mandatory pursuant to Article 6 (1) (f) GDPR for the correct display of our website and to ensure the stability and security of the performance of the website.
b. Contact Form
It’s easy to get in touch with us: just fill in the contact form. Select your query and enter the required information (name, email address, message, company name and number of employees if applicable). We will use the information you provide to process your enquiry.
We will only use the information you provide to process your request. The legal basis for this is your consent (Article 6 (1) (a) GDPR) or, if your request is related to a contract, the performance or initiation of a contract (Article 6 (1) (b) GDPR).
Once your request has been answered, it will be archived. Access to it is strictly limited. Non-contractual requests will be deleted after one year. Enquiries relating to contracts are subject to the legal retention periods (see our privacy policy, section 4).
c. Application
You are welcome to apply to us by email to karriere@it.law. We will process the personal data you provide solely for the purpose of selecting suitable applicants and for subsequent contact. If your application is successful, your data may be further processed for the purpose of establishing and maintaining the employment relationship.
Your personal data will be processed in accordance with Article 6 (1)(b) of the GDPR in conjunction with Section 26 of the German Federal Data Protection Act (BDSG) for the purpose of implementing pre-contractual measures. After completing the application process, we will keep your data for 6 months to defend against possible legal claims, based on Article 6 (1) (f) GDPR and Article 17 (3) (e) GDPR.
At your express request, we will store your application data in a talent pool so that we can consider you for future job offers. This storage will only take place with your consent in accordance with Article 6 (1) (a) GDPR, which you can revoke at any time. Please note this request in your cover letter.
If you provide us with special data such as photos or information about your status as a severely disabled person, this data will also be processed based on your consent in accordance with Article 9 GDPR.
d. Required Cookies
We use cookies on our website to provide you with the best user experience possible. Cookies are small text files sent from our web server to your browser and stored on your device.
Functions and purpose
- Storage of settings: cookies enable us to store your preferences (e.g. language settings).
- Technical necessity: certain cookies are required for our website to function to its full extent.
- Duration: functional cookies usually have a validity period of one year.
You have full control over the use of cookies:
- Browser settings: you can manage the setting of cookies in your browser settings.
- Options: you can disable cookies completely, allow them only for certain websites or activate notifications.
Please note: disabling cookies may limit the functionality of our website. The use of cookies is based on Article 6 (1) (f) GDPR (legitimate interest), unless otherwise stated.
e. Matomo
We use the web analysis tool ‘Matomo’ to ensure that our web pages are designed to meet demand. Matomo uses cookies stored on your device to create pseudonymized user profiles. This enables us to recognize and count returning visitors.
In addition, we use the Matomo modules Heatmap and Session Recording. The heatmap visualizes the most frequently clicked and mouse-touched areas of our website. Session Recording records individual user sessions, which we can play back to analyze user behavior. Important: Data that you enter in forms is not stored and cannot be viewed at any time.
Data processing is carried out based on your consent in accordance with Section 25 (1) of the Telecommunications Digital Services Data Protection Act (TDDDG) and Article 6 (1) (a) of the GDPR, provided that you have given this via our banner. You can revoke your consent at any time via the settings in our banner.
Further information about Matomo and its data protection policy can be found at: https://matomo.org/privacy/
f. LinkedIn Profile
We deliberately refrain from using social media plug-ins on our website. We maintain a profile on LinkedIn to provide you with information. We will inform you about the data processing associated with our LinkedIn profile.
We are jointly responsible with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland for data processing in connection with our LinkedIn profile. LinkedIn processes your personal data in accordance with its privacy policy. This includes:
- data that you provide during registration and in your profile (e.g. name, email address, education)
- information about your activities on LinkedIn (e.g. posts, likes, group memberships)
- technical data (e.g. IP address, device information)
LinkedIn uses this information for various purposes, including providing and improving its services and for personalized advertising.
We receive anonymized statistics (Page Insights) from LinkedIn about the use of our profile. They do not allow any conclusions to be drawn about individual users.
LinkedIn may transfer data to the USA. LinkedIn is a participant in the EU-US Data Privacy Framework, which ensures an adequate level of data protection in accordance with Article 45 of the GDPR when data is transferred to the USA. You can find LinkedIn’s detailed data protection declaration at: https://de.linkedin.com/legal/privacy-policy
g. Stripe
We use the payment service provider Stripe (c/o Legal Process, 510 Townsend St., San Francisco, CA 94103, USA) to provide you with a secure and efficient payment method and to manage your contract data. Stripe acts as an independent payment provider within the meaning of Article 4 no. 7 of the GDPR. Furthermore, we use Stripe as a processor for the administration of your customer data for payment processing.
Invoices are issued automatically at the contractually agreed times; for payment methods with automatic processing (e.g. credit card), invoice amounts are collected automatically. The legal basis for the transfer of data to Stripe is:
- Article 6 (1) (b) GDPR: necessary for the performance of a contract.
- Article 6 (1) (f) GDPR: legitimate interest in secure payment processing and fraud prevention.
Stripe Inc. is a participant in the EU-US Data Privacy Framework, which ensures an adequate level of data protection in accordance with Article 45 of the GDPR when data is transferred to the United States. This certification confirms that Stripe complies with the required data protection regulations. Further information about Stripe’s features can be found at https://stripe.com/de/use-cases/saas. You can view Stripe’s privacy policy at https://stripe.com/de/privacy.
h. DocuSign – Electronic Signature
We use the tool ‘SAP Signature Management by DocuSign’ (hereinafter ‘DocuSign’) from our processor DocuSign Inc., 221 Main St., Suite 1000, San Francisco, CA 94105, USA, to electronically sign contracts and documents. The process works by uploading the documents to be signed to the ‘DocuSign Agreement Cloud’. As a signing party, you will receive a link by email that gives you access to the documents and allows you to sign them electronically in the fields provided.
The following personal data is processed when using DocuSign:
- name and email address
- IP address
- date and time of signature
- electronic signatures and initials
- depending on the setting: identification data for authentication (e.g. access code, telephone call, SMS, possibly ID data)
The use of DocuSign serves our legitimate interest in making the process of legally valid signing of documents more efficient and user-friendly by using electronic signatures. The lawfulness of the processing is based on Article 6 (1) (f) GDPR (legitimate interest) and, depending on the specific application, on Article 6 (1) (b) GDPR (taking steps prior to entering into a contract).
We have concluded a data processing agreement with DocuSign in accordance with Article 28 of the GDPR. This agreement ensures that DocuSign processes the data entrusted to us only in accordance with our instructions and in compliance with the GDPR. The data processing agreement comprehensively regulates DocuSign’s obligations as a processor, including technical and organizational measures to protect your data. For more information about DocuSign’s data processing, please refer to DocuSign’s privacy policy. To ensure a high level of data protection and so-called appropriate safeguards, DocuSign has adopted binding corporate rules in accordance with Article 47 of the GDPR, which you can view here: https://www.docusign.com/trust/privacy/binding-corporate-rules.