Table of Contents
- I. General
- II. Responsible party
- III. Privacy Officer
- IV. Your rights
- V. Processing of personal data during informational use of our website
- VI. Processing of personal data by cookies
- VII. Other functions and offers of our website
- VIII. Contacting us
- IX. Online Application
- X. Further Contact
- XI. Events and Event Registration via Eventbrite
- XII. Use of AI-Powered Tools
- XIII. Supplement to the Information on the Respective Social Media Profiles
- XIV. Information on Transfers to Third Countries and the Recipients of the Data There
- XV. Information on the Cloud Solution You Use for Data Exchange with Clients
- XVI. Google Analytics
- XVII. Google Tag Manager
- XVIII. YouTube
I. General
(1) In the following, we inform you about the collection of personal data when using our website.
(2) The term 'personal data' means, with reference to the definition of Article 4 No. 1 of Regulation (EU) 2016/679 (hereinafter referred to as 'General Data Protection Regulation' or 'GDPR' for short), all data that can be personally related to you. This includes, for example, name, address, e-mail address, user behavior. With regard to further terminology, in particular the terms 'processing', 'controller', 'processor' and 'consent', we refer to the legal data protection definitions of Art. 4 GDPR.
(3) We process personal data only to the extent necessary to provide a functional website and the content and services offered by us. Personal data is regularly processed only if you have given us your consent within the meaning of Art. 6 (1) a) GDPR or if the processing is permitted by statutory provisions, in particular by one of the legal bases mentioned in Art. 6 (1) b) to f) GDPR.
(4) Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. In addition, storage may take place if this has been provided for by national or European regulations to which we are subject. In this case, the data will be blocked or deleted when the storage period prescribed by the respective regulations has expired. The latter does not apply if further storage of the data is necessary for the conclusion or fulfilment of a contract.
(5) If we wish to use commissioned service providers for individual functions of our website or use your data for advertising purposes, we will inform you in detail about the respective processes below.
II. Responsible party
(1) The responsible party within the meaning of Art. 4 No. 7 GDPR, the other data protection laws applicable in the Member States of the European Union and other regulations and provisions of a data protection nature is:
Nacken Hillebrand Partner GmbH Steuerberatungsgesellschaft
Managing Director: Christoph Hillebrand, Martin Kowol, Matthias Lamprecht, Gert Nacken, Kai Nowak, Patrick Rode, Christoph Stüvel
Oststr. 11-13
50996 Köln
Phone: +49 221 935521-0
Fax: +49 221 935521-99
Email address: info@nhp.de
Register court: Amtsgericht Köln
Register number: HRB 100354
(2) For further details on the responsible body, please refer to our imprint.
III. Privacy Officer
You can reach and contact our Privacy Officer at the following address:
Christian Dohmen
DETIS-EDV GmbH
Langenkamp 13
46348 Raesfeld
Tel: 02865 521 06 20
E-mail: datenschutz@nhp.de
IV. Your rights
(1) You have the following rights in relation to us in respect of personal data relating to you:
- the right of access,
- the right to rectification and erasure,
- the right to restriction of processing,
- the right to object to processing,
- the right to data portability.
(2) Additionally, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.
V. Processing of personal data during informational use of our website
(1) If you access our website without registering or otherwise providing us with information ('Informational Use'), we only collect the personal data that your web browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to enable you to view our website and to ensure its stability and security: IP address; date and time of the request; time zone difference to GMT; content of the web page; access status (HTTP status); amount of data transferred; request website; web browser, operating system, browser language and version.
(2) The aforementioned data is also stored in so-called log files on our servers. This data is not stored together with other personal data about you.
(3) The collection and temporary storage of the IP address is necessary to enable the delivery of our website to your terminal device. For this purpose, your IP address must be stored for the duration of your visit to our website.
(4) The storage of the above-mentioned data in log files serves to ensure the functionality and optimization of our website as well as to ensure the security of our information technology systems.
(5) This data is not evaluated for marketing purposes. The above purposes constitute our legitimate interest in the data processing. The legal basis for the collection and temporary storage of the aforementioned data and the log files is Art. 6 para. 1 p. 1 lit. f) GDPR. The aforementioned data for the provision of our website will be deleted when the respective session has ended. The collection of the above data for the provision of our website is mandatory for the operation of our website. There is no possibility to object.
VI. Processing of personal data by cookies
(1) We use so-called cookies on our website. Cookies are small text files that are stored on the storage medium of your end device, for example on a hard drive, and through which certain information flows to us as the body that sets the cookie. Cookies cannot execute programs or transmit viruses to your end device. This website uses the following types of cookies, the scope and functionality of which are explained below.
(2) Cookies that are stored in association with your web browser:
- Transient cookies: these cookies are automatically deleted when you close your web browser. These include, in particular, session cookies. These store a so-called session ID, by means of which various requests of your web browser can be assigned to the common session. This makes it possible to recognise your terminal device when you return to our website. Session cookies are deleted as soon as you log out or close the web browser.
- Persistent cookies: these cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete these cookies at any time in the settings of your web browser.
(3) The processing of personal data by the aforementioned cookies serves to make the offer of our website as a whole more user-friendly and effective for you. Some functions of our website cannot be offered without the use of these cookies. In particular, some functions of our website require that your web browser can still be identified after a page change. If you have an account, we use the cookies to identify you for subsequent visits. This prevents you from having to log in again each time you visit our website. The data processed by cookies that are required to provide the functions of our website are not used to create user profiles. Where cookies are used for analysis purposes, they are used to improve the quality and user-friendliness of our website, its content and functions. They enable us to track how the website is used, which functions are used and how often. This enables us to continuously optimize our offer.
(4) The above purposes constitute our legitimate interest in the data processing. The legal basis is Art. 6 (1) lit. f) GDPR.
(5) The above cookies are stored on your terminal device and transmitted from it to our server. You can therefore configure the processing of data and information by cookies yourself. You can make appropriate configurations in the settings of your web browser, through which you can, for example, reject third-party cookies or cookies altogether. In this context, we would like to point out that you may then not be able to use all functions of our website properly. In addition, we recommend a regular manual deletion of cookies as well as your browser history.
VII. Other functions and offers of our website
(1) In addition to the aforementioned informational use of our website, we offer various services that you can use if you are interested. This usually requires the provision of further personal data. We need this data to provide the respective service. The aforementioned data processing principles apply.
(2) In some cases, we use external service providers to process this data, which have been carefully selected and commissioned by us. These service providers are bound by our instructions and are regularly monitored by us. Insofar as personal data is passed on to third parties in the course of services which we offer jointly with partners, you can find more detailed information in the following descriptions of the individual services. If these third parties are based in a country outside the European Economic Area, you can find more detailed information about the consequences of this circumstance in the following descriptions of the individual services.
VIII. Contacting us
(1) If you contact us by e-mail, the personal data you send to us with your e-mail will be stored.
(2) In addition, we maintain a contact form on our website with which you can contact us. In doing so, the data you enter in the input mask is transmitted to us and stored: last name, email address.
(3) The data will only be used to answer your questions. Unless explicitly stated in this privacy policy, the data will not be shared with third parties. In addition, we record your IP address and the time of sending.
(4) The processing of the above personal data is solely for the purpose of dealing with your enquiries.
(5) The processing of further personal data, which is generated by the use of the contact form provided on our website, serves to prevent misuse as well as to ensure the security of our information technology systems.
(6) This is also our legitimate interest in processing your personal data. Insofar as you have given us consent for this, the legal basis for the processing of this data is Art. 6 para. 1 lit. a) GDPR. Otherwise, the legal basis for the processing of this data is Art. 6 (1) (f) GDPR, in particular in the event that the data is transmitted to us by you by sending us an e-mail. Insofar as you wish to work towards the conclusion of a contract by sending us an e-mail, Art. 6 (1) (b) GDPR constitutes an additional legal basis.
(7) The data will be deleted, subject to statutory retention periods, as soon as we have conclusively processed your request. When contacting us by e-mail, you can object to the storage of your personal data at any time. We would like to point out that in this case your request cannot be processed any further. You can declare the revocation or the objection by sending an e-mail to our e-mail address given in the imprint.
IX. Online Application
(1) We offer you the opportunity to apply online on our website. In order for you to participate in the application process, you will be required to provide personal data. This data may include, but is not limited to, personal master data such as first name, last name, address, date of birth, contact details such as telephone number or e-mail address, as well as data relating to your educational and/or professional background such as school and work references, data on apprenticeships, internships or previous employers. This data may originate from an application form to be completed by you online on the application platform or from documents provided by you such as a cover letter, a curriculum vitae, an application photo, certificates or other evidence of professional qualifications. Data that is mandatory for participation in the application process is marked accordingly as mandatory data. Insofar as no third-party provider is named in this data protection declaration whose service we use to provide the online application function, no data is passed on to third parties.
(2) We process the above data for the purpose of carrying out the application procedure. Insofar as you have given us your consent, the legal basis for the processing of the data is Art. 6 para. 1 p. 1 lit. a) GDPR. Insofar as the processing of the above data is carried out for the initiation of contractual relationships, the legal basis is Art. 6 para. 1 p. 1 lit. b) GDPR.
(3) The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the event that an employment relationship, training relationship, internship or other service relationship is established following the application process, the data will initially continue to be stored and transferred to the personnel file. Otherwise, the application procedure ends with the receipt of a rejection. In this case the data will be deleted upon rejection. Deletion does not take place if further processing and storage of your personal data is necessary in individual cases for the assertion, exercise or defence of legal claims. In this case, we have a legitimate interest in the further processing and storage of your personal data. The legal basis is Art. 6 para. 1 p. 1 lit. f) GDPR. Deletion will also not take place if we are obliged to continue storing your personal data due to legal regulations.
(4) You can revoke any consent you have given us at any time. You can object to the processing of your personal data at any time. In particular, you have the option to withdraw your application at any time. As part of the application process, you should only provide us with the personal data that is required for participation in the application process and its implementation. There is no legal or contractual obligation to provide data. However, we would like to point out that without this data we will not be able to carry out the application procedure and consider your application. The same applies in the event of an objection to the processing of your data. You can have the data stored about you changed at any time.
X. Further Contact
(1) Processing of Personal Data Outside the Website / Client Communication
We also process personal data in the context of communication processes outside our website, in particular when contacting and communicating with clients, prospective clients, and business partners by telephone, fax, mail, email, video conferences, and in the context of in-person meetings.
(2) In particular, we process the following data:
- Master and contact data (e.g. name, address, telephone number, email address)
- Communication content (e.g. notes of conversations, correspondence)
- engagement-related information
(3) The processing is carried out:
- for the implementation of pre-contractual measures and the performance of contracts pursuant to Art. 6(1)(b) GDPR,
- for compliance with legal obligations pursuant to Art. 6(1)(c) GDPR,
- as well as on the basis of our legitimate interest in efficient communication and handling of client matters pursuant to Art. 6(1)(f) GDPR.
(4) Where special categories of personal data are processed in the course of handling client matters, this is additionally carried out on the basis of Art. 9(2)(g) GDPR in conjunction with Section 11 of the German Tax Consultancy Act (StBerG), insofar as the processing is necessary for the performance of our statutory and professional duties.
XI. Events and Event Registration via Eventbrite
For the organization and administration of our events, we use the service “Eventbrite,” offered by Eventbrite Operations (IE) Ltd., Block 1, Harcourt Centre, Harcourt Street, LAKE DRIVE, CITYWEST BUSINESS CAMPUS, Dublin D02 YA40, Ireland. If you click on the registration link for an event, you will be redirected to the Eventbrite website. Data collection and processing there is carried out by Eventbrite under its own responsibility. Further information on data protection at Eventbrite can be found at: https://www.eventbrite.de/help/de/articles/460838/datenschutzrichtlinie-von-eventbrite/
XII. Use of AI-Powered Tools
(1) Purpose and Legal Basis
To support the handling of client matters, we use AI-powered tools in certain individual work steps. In particular, these tools may assist in the preparation and revision of document drafts, research, the preparation of work steps, as well as the structuring and summarization of information. Professional responsibility and the final review of all work results always remain with our qualified professionals.
(2) The processing of personal data in connection with the use of AI-powered tools is carried out, insofar as the respective use is necessary for the performance of the engagement agreement, on the basis of Art. 6(1)(b) GDPR.
(3) Insofar as the use of AI-powered tools is not necessary, but is appropriate for increasing efficiency, quality assurance, standardization, and error reduction, the processing of personal data is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the efficient, secure, and high-quality handling of client matters.
(4) Right to object: You have the right, on grounds relating to your particular situation, to object at any time, pursuant to Art. 21 GDPR, to the processing of personal data concerning you that is based on Art. 6(1)(f) GDPR. In that case, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
(5) Categories of Data Concerned
In connection with the use of AI-powered tools, depending on the engagement, the following categories of data in particular may be processed: master and contact data, communication and engagement data, as well as tax- and finance-related data relating to individuals; in addition, purely factual engagement information without personal reference may also be processed where applicable. We observe the principle of data minimization and only disclose content that is necessary for the respective purpose; wherever possible, data is shortened, abstracted, and/or pseudonymized before being entered. All information processed in connection with the engagement is subject to professional confidentiality obligations.
(6) Special Categories of Personal Data
Special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data, information on ethnic origin, political opinions, or religious beliefs), as well as other particularly sensitive engagement information subject to professional secrecy, are generally not entered into external AI tools.
(7) Such data is processed using external AI tools only in exceptional cases and exclusively on the basis of your explicit consent.
(8) Transfers to Third Countries
When using ChatGPT Business, a transfer of personal data to OpenAI in the United States cannot be ruled out. The transfer of data is carried out on the basis of the Standard Contractual Clauses issued by the European Commission pursuant to Art. 46(2)(c) GDPR. In addition, insofar as OpenAI acts as a processor, a data processing agreement pursuant to Art. 28 GDPR has been concluded.
(9) Storage Period and Deletion
When using ChatGPT Business and Microsoft Copilot, personal data is generally processed on a session-specific and purpose-specific basis. Content entered into the respective AI tools or incorporated from internal sources (e.g. prompts and generated outputs) is stored and deleted only in accordance with the contractual agreements concluded with the respective providers and the activated product and tenant configurations.
(10) For ChatGPT Business, the content entered by us and the generated outputs are, under the contractual terms, not used for training purposes; storage takes place only to the extent and for the duration resulting from the contractual agreements and the respective configuration.
(11) Irrespective of this, any additional storage may be limited to technically necessary log and metadata records (e.g. security, abuse, and error logs); their storage and deletion are governed by the respective contractual agreements and the deletion periods provided for by the provider.
(12) Relevant work results are stored authoritatively and permanently exclusively in our internal law firm systems and are subject there to the applicable statutory retention periods, in particular under tax and commercial law provisions. The AI tools are not used as primary file management or archival systems.
(13) Providers of AI-powered tools used by us may include in particular:
- OpenAI (e.g. ChatGPT Business)
- Microsoft (e.g. Microsoft Copilot)
XIII. Supplement to the Information on the Respective Social Media Profiles
(1) Social Media Profiles
We maintain online presences on social networks in order to provide information about our services and to communicate with users there.
(2) In this context, personal data may be processed by the respective platform operators. This concerns in particular usage data, communication content, as well as interactions with our profiles.
(3) Please note that the processing of personal data by the providers of the social networks is carried out under their own responsibility. We have only limited influence over the data processing carried out by these providers.
(4) Further information on data processing can be found in the privacy policies of the respective providers:
- LinkedIn:
We maintain a company profile on LinkedIn. The provider of this service for users in the European Economic Area and Switzerland is LinkedIn Ireland Unlimited Company, Gardner House, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Further information about LinkedIn can be found at: https://www.linkedin.com/legal/impressum
Information on the processing of personal data by LinkedIn can be found at:
https://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/legal/privacy/eu
Insofar as personal data is processed for so-called “Page Insights” in connection with the operation of our LinkedIn company page, there is joint controllership with LinkedIn within the meaning of Art. 26 GDPR. Further information on this can be found at: https://legal.linkedin.com/pages-joint-controller-addendum
A transfer of personal data to the United States cannot be ruled out. According to LinkedIn, data transfers to the United States are carried out on the basis of certification under the EU-U.S. Data Privacy Framework; in addition, LinkedIn relies on the Standard Contractual Clauses of the European Commission for certain data transfers. Where applicable, the UK Extension to the EU-U.S. Data Privacy Framework and the UK Data Transfer Addendum also apply.
- Instagram and Facebook:
We maintain company profiles on Facebook and Instagram. The provider of these services for users in the European Economic Area is Meta Platforms Ireland Limited, Merrion Road, Ballsbridge, Dublin D04 X2K5, Ireland.
Information on the processing of personal data by Meta can be found at:
https://www.facebook.com/privacy/policy/
https://privacycenter.instagram.com/policy
Insofar as personal data is processed for so-called Page Insights in connection with our Facebook page, there is joint controllership with Meta within the meaning of Art. 26 GDPR. Further information on this can be found at: https://www.facebook.com/legal/terms/page_controller_addendum
A transfer of personal data to the United States or other third countries cannot be ruled out. According to Meta, Meta relies in particular on the Standard Contractual Clauses of the European Commission for international data transfers; where applicable, Meta also refers to its certification under the EU-U.S. Data Privacy Framework.
(5) Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR).
(6) Insofar as we are jointly responsible with the platform operators for individual processing operations, the processing is carried out on the basis of Art. 26 GDPR.
XIV. Information on Transfers to Third Countries and the Recipients of the Data There
(1) Transfer of Personal Data to Third Countries
Insofar as we transfer personal data to recipients outside the European Economic Area (EEA), this is done only in compliance with the statutory requirements.
(2) A transfer to third countries takes place in particular where:
- an adequacy decision of the EU Commission exists (e.g. EU-US Data Privacy Framework),
- appropriate safeguards pursuant to Art. 46 GDPR exist (e.g. Standard Contractual Clauses),
- or a statutory exception pursuant to Art. 49 GDPR applies.
XV. Information on the Cloud Solution You Use for Data Exchange with Clients
(1) Identity Verification and Checks Under the German Money Laundering Act (GwG)
As part of our statutory obligations, we are required to carry out certain checks under the German Money Laundering Act (GwG). These include in particular:
- identity checks of our clients,
- checks for politically exposed persons (PEP),
- as well as, where applicable, comparisons with sanctions lists.
- identification data (e.g. name, date of birth, address),
- ID document data,
- beneficial owners,
- as well as other information required by law.
(2) The processing is carried out on the basis of Art. 6(1)(c) GDPR in conjunction with the statutory obligations under the German Money Laundering Act.
(3) The data is stored for the statutory retention periods.
(4) Where special categories of personal data are processed in individual cases, this is additionally carried out only where a relevant legal basis pursuant to Art. 9 exists.
XVI. Google Analytics
We use the service on our website.
We use the service to analyze the use of our website and to continuously improve individual functions and offers as well as the user experience. Through the statistical evaluation of user behavior, we can improve our offer and make it more interesting for you as a user. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
The service uses cookies, i.e. small text files that are stored on your end device and enable an analysis of your use of our website. The information generated by the cookie about the use of our website is transmitted to a server of the provider within the EU and stored there. The IP addresses are shortened on these servers. A correspondingly pseudonymised data set is transmitted to the USA. The provider of this service will use this information to evaluate your use of our website on our behalf, to compile reports on website use and to provide us with other services related to website use and internet use. Pseudonymous usage profiles can be created from the processed data. The provider of this service can track you across different devices and thereby record your user behavior in detail.
The service transmits personal data to the USA. The EU Commission has decided that this country offers an adequate level of data protection (TADPF). The service has submitted to the TADPF.
You can also prevent the storage of cookies generated by this service by making the appropriate settings in your web browser. We would like to point out that in this case you may not be able to use all the functions of our website. If you want to prevent the collection of data generated by the cookie and related to your user behavior (including your IP address), as well as the processing of this data by the provider of the service, you can also download and install the web browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
In order to oblige the provider of this service to process the transmitted data only in accordance with our instructions and to comply with the applicable data protection regulations, we have concluded an order processing agreement with the provider.
The legal basis is Art. 6 para. 1 p. 1 lit. a) GDPR (consent).
Provider:
Google Ireland Limited
Google Building Gordon House
Barrow St
4 Dublin
Ireland
Phone +353 1 543 1000
Fax +353 1 686 5660
https://www.google.de/
XVII. Google Tag Manager
We use the service on our website.
The service allows us as marketers to manage website tags through one interface. The tool that implements the tags is a cookieless domain and does not collect any personal data itself. The service provides for the triggering of other tags, which in turn may collect data. The service does not access this data. If a deactivation has been made at the domain or cookie level, it remains in place for all tracking tags that are implemented with the service.
Provider:
Google Ireland Limited
Google Building Gordon House
Barrow St
4 Dublin
Ireland
Phone +353 1 543 1000
Fax +353 1 686 5660
https://www.google.de/
https://policies.google.com/privacy?hl=de&gl=de
XVIII. YouTube
We use the service on our website.
When you open a website in which media content of the provider is embedded, data is transmitted to a server of the provider and stored there. If you have a user account with the provider and are registered, the provider can thereby assign the visit to your user account. The provider stores this data as user profiles and uses it for purposes of advertising, market research and/or demand-oriented design of its websites. Such an evaluation is carried out in particular (also for non-logged-in users) for the display of needs-based advertising and to inform other users about your activities on our website. You have the right to object to the creation of these user profiles. Please contact the provider directly.
We include content from the provider on the web pages of our Internet presence in order to make this content directly available to you without you having to call up the content separately on the provider's pages. This allows us to improve our offer and the user experience for you and make it more interesting.
The service transmits personal data to the USA. The EU Commission has decided that this country offers an adequate level of data protection (TADPF). The service has submitted to the TADPF.
The legal basis is Art. 6 para. 1 p. 1 lit. a) GDPR (consent).
Provider:
Google Ireland Limited
Google Building Gordon House
Barrow St
4 Dublin
Ireland
Phone +353 1 543 1000
Fax +353 1 686 5660
https://www.google.de/
https://policies.google.com/privacy?hl=de&gl=de