Company: Steilen Brenner Mester Partnership

Name of authorised representative: Christian Mester
Address: Bonner Landstrasse 91; 50996 Cologne
Phone: 02236 / 309040
Fax: 02236 / 3090499
E-mail: kanzlei(at)sbm-partner.de

You can reach the Data Protection officer under the above coordinates, and at Datenschutz(at)sbm-partner.de

As a rule, the collection of your data takes place on your own premises. The processing of the personal data provided by you is necessary to fulfil the contractual obligations arising from the contract concluded with us. Due to your obligations to cooperate, it is essential that you provide the personal data requested by us, otherwise we will not be able to fulfil our contractual obligations. Otherwise, the possibility of accounting and/or tax disadvantages for you can no longer be excluded.

Within the scope of pre-contractual measures (e.g. master data acquisition in the prospective customer process), it is necessary that you provide your personal data. Should the requested data not be provided by you, a contract cannot be concluded.

In order to provide our services, it may be necessary to process personal data which we have received from other companies or other third parties, e.g. tax offices, your business partners or similar parties, in a permissible manner and for the respective purpose.

Furthermore, we may process personal data from publicly accessible sources, e.g. websites, which we use in permissible manner and only for the respective contractual purpose.

The personal data provided by you will be processed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

Due to legal requirements (according to Art. 6 (1) (c) GDPR) or in the public interest (according to Art. 6 (1) (e) GDPR)

The purposes of the data processing arise from legal requirements or are in the public interest (e.g. compliance with obligations to retain data, proof of compliance with the tax consultant's duties to provide to inform and provide information).

In order to fulfil contractual obligations (according to Art. 6 (1) (b) GDPR)

The purposes of the data processing arise, on the one hand, from the initiation of pre-contractual measures taken prior to a contractually regulated business relationship and, on the other hand, to fulfil the obligations arising from the contract concluded with you.

On the basis of consent (according to Art. 6 (1) (a) GDPR)

The purposes of the processing of personal data arise from the granting of consent. You can revoke your consent at any time, effective in the future. Statements of consent granted prior to the General Data Protection Regulation came into force (25 May 2018) may also be revoked. Processing that took place prior to revocation remains unaffected by the revocation. Example: Sending of a newsletter, release from professional secrecy for the transfer of the data you have provided to third parties (e.g. banks, insurance companies, shareholders, etc.) at your request.

Within the scope of the balancing of interests (according to Art. 6 (1) (f) GDPR)

The purposes of the processing of personal data arise from safeguarding our legitimate interests. It may be necessary to process the data provided by you beyond the actual fulfilment of the contract. Our legitimate interest may be invoked to justify the further processing of the data you have provided, to the extent that your interests or basic rights and freedoms do not take precedent. Our legitimate interest in individual cases may be: Assertion of legal claims, defence against liability claims, prevention of criminal offences.

Within our company, access to the personal data provided by you is given to departments that need this data to fulfil contractual and legal obligations and that are authorised to process this data.

In fulfilment of the contract concluded with you, only those bodies that require the data for legal reasons, e.g. tax authorities, national insurance providers, competent authorities and courts, will receive the data you have provided.

As professionals entrusted with confidential information, we are obliged to observe and implement professional secrecy. Further recipients will only receive the data you have provided us with at your request, if you release us from the obligation of professional secrecy.

Within the scope of providing services, we commission contract data processors who contribute to the fulfilment of the contractual obligations, e.g. computer centre service providers, EDP partners, document shredders etc. These contract data processors are contractually obliged by us to observe professional secrecy and to comply with the requirements of the GDPR and the BDSG.

Under no circumstances will the data you provide be transferred to a third country or an international organisation. Should you design under individual circumstances that the data you provide be transferred to a third country or an international organisation, we shall only carry this out upon your written consent and release from the obligation of professional secrecy.

No fully automated decision making (including profiling) is used to process the data provided by you according to Art. 22 GDPR.

The processing of the data provided by you is carried out as long as it is necessary to achieve the contractually agreed purpose, generally as long as the contractual relationship with you exists. Once the contractual relationship has ended, the data you have provided will be processed to comply with statutory obligations to retain data or on the basis of our legitimate interests. After expiry of the legal retention periods and/or if it is no longer necessary to maintain our legitimate interests, the data you have provided will be erased.

Anticipated periods of the obligations to retain data to which we are subject and concerning our legitimate interests:

• Compliance with commercial, tax and professional retention periods. The periods of retention or documentation specified there are two to ten years.
• Preservation of evidence within the scope of the statute of limitations. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

• Right to information according to Art. 15 GDPR:
  You have the right to request information free of charge as to whether and what type of personal data is stored and the purpose for which it is stored.
• Right to rectification according to Art. 16 GDPR:
  You have the right to request from the controller the rectification of incorrect personal data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data — also by means of a supplementary declaration.
• Right to Erasure ("right to be forgotten") according to Art. 17 GDPR:
  You have the right to request from the controller that your data be erased without delay. The controller is obliged to erase personal data without undue delay, the extent that any of the following grounds apply:
  1. Purposes for which the personal data was collected no longer apply
  2. You revoke your consent to the processing. There is no other legal basis for processing.
  3. You object to the processing. There is no other legal basis for processing.
  4. The personal data has been unlawfully processed (unlawfulness).
  5. The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data has been collected in relation to the offer of information society services referred to in Article 8 (1).
• Right to restrict processing according to Art. 18 GDPR & Art. 35 BDSG:
  You have the right to request that the processing be restricted if any of the following conditions is met:
  1. You doubt the correctness of the personal data.
  2. The processing is unlawful; but you refuse erasure.
  3. Personal data is no longer needed for the purposes of processing; however, you need the data to assert, exercise or defend legal claims.
  4. You have lodged an objection to the processing according to Article 21 (1) GDPR. As long as it is not yet clear whether the legitimate reasons provided to you by the data controller take precedence, the processing will be restricted.
• Right to Data Portability according to Art. 20 GDPR:
  You have the right to receive the data provided by you in a structured, standard and machine-readable format from the Data Controller. We are not allowed to obstruct the forwarding to another controller.
• Right to Objection according to Art. 21 GDPR:
  To do so, please contact the Data Controller (see above).
• Right to Complaint with the supervisory authority in accordance with Art. 13 (2) (d), 77 GDPR
  in conjunction with Art. 19 German Federal Data Protection Act (BDSG):
  If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. To do so, please contact the responsible supervisory authority.
• Withdrawal of consent pursuant to Art. 7(3) of the GDPR: If the processing is
  based on your consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) (processing of special categories of personal data), you are entitled at any time to withdraw your consent, which is tied to the purpose, without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.