Privacy Notice
We attach great importance to the protection of your personal data. In this privacy policy, we inform you about the processing of your personal data by GREENFLAG Partnerschaft von Rechtsanwälten mbB Evers & Rode as controller (hereinafter "we" or "GREENFLAG"), Neuer Wall 80, 20354 Hamburg. We process your personal data in accordance with the data protection regulations of the German Federal Data Protection Act (Bundesdatenschutzgesetz – "BDSG") in the version applicable from 25 May 2018 and Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR"). The processing takes place in connection with
​
-
your visit to or use of our website (greenflag.law) (see I. 1 below),
-
the provision of our consulting services to you or your company (see I. 2 below),
-
maintaining business relationships with you or a company to which you belong beyond the provision of our consulting services (suppliers, service providers, other cooperation and contractual partners) (see I. 3 below),
-
the sending of information about our company and our services (see below under I. 4), as well as participation in our events (see below under I. 5),
-
your application to us and/or your interest in us as an employer after you have contacted us (e.g. also at recruitment events) (see I. 6 below),
-
communication or collaboration with us via Microsoft Teams (see I. 7 below),
-
Research on business development (see I. 8 below).
​
In sections II. and III. we inform you about the transfer of your data to third parties and about your rights in connection with our processing of your data.
​
If you have any questions or concerns in connection with the processing of your data, you can contact us at any time at: flag.privacy@greenflag.law
​
You can reach our data protection officer at
​
GREENFLAG Partnerschaft von Rechtsanwälten mbB Evers & Rode
Neuer Wall 80, 20354 Hamburg
flag.privacy@greenflag.law
I. Data processing
​
1. When visiting our website
Use of our website
​
When you use our website www.greenflag.law, the browser used on your device (laptop, tablet, smartphone, etc.) automatically sends information to the server of our website. This information is temporarily stored in a so-called "log file". The following information is recorded without any action on your part:
​
-
IP address of the requesting computer,
-
Date and time of access,
-
Time zone difference to Greenwich Mean Time (GMT),
-
Name and URL of the retrieved file,
-
Access status / HTTP status code,
-
Website from which the access is made (referrer URL),
-
the browser used and, if applicable, the operating system of your computer and the name of your access provider.
​
We process the aforementioned data for the following purposes:
​
-
To ensure a smooth connection to the website,
-
To ensure a comfortable use of our website,
-
Evaluation of system security and stability and
-
for further administrative purposes.
​
We process your data to pursue our legitimate interests (Art. 6 para. 1 lit. f GDPR) to provide our website for information purposes and to ensure its secure and optimal operation as well as to prevent or, if necessary, prosecute the misuse of our website. Insofar as we are subject to a legal obligation to pass on data pertaining the use of our website to third parties, e.g. authorities, we process your data to fulfil these legal obligations (Art. 6 para. 1 lit. c GDPR).
​
The log files are deleted after 8 weeks unless we are legally obligated (e.g. by official order) to continue storing them.
​
Cookies
​
We use cookies on our website. These are small text files that your browser automatically creates and stores on your end device when you visit our website. Cookies do not cause any damage to your end device and do not contain any viruses, trojans or other malware. Basically, cookies can be differentiated according to their purpose (necessary cookies: cookies that are essential to display the website correctly; functional cookies: cookies to store user information so that it does not have to be entered again (e.g. language setting); performance and analysis cookies: cookies to optimise our website; marketing cookies: cookies to display targeted advertising).
​
By using necessary cookies, we process your data to pursue our legitimate interests (Art. 6 para. 1 lit. f GDPR) to provide our website for information purposes and to ensure its secure and optimal operation. In all other cases, we only use cookies if you have given us your consent to do so (Art. 6 para. 1 lit. a GDPR). The information stored in the cookies is not used to identify the user and is not merged with other personal data stored about the user.
​
In the following overview you will find more detailed information on the cookies we use, in particular on the purpose, the data processed and the storage period.
​
Cookie | Cookie Provider | Purpose | Duration | Category | Legal basis |
---|---|---|---|---|---|
bSession | wix.com Ltd. | Used for measuring system effectiveness | 30 minutes | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
svSession | wix.com Ltd. | Used in connection with the user login | 13 months | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
_wixCIDX | wix.com Ltd. | Used for system monitoring/troubleshooting | 3 months | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
TS* | wix.com Ltd. | Used for security reasons and to combat fraud | Session | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
consent-policy | wix.com Ltd. | Used for the parameters of the cookie banners | 12 months | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
XSRF-TOKEN | Wix.com Ltd.
| Used for security reasons | Session | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
smSession | wix.com Ltd. | Used to identify registered website members | Session | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
hs | wix.com Ltd. | Used for security reasons | Session | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
fedops.logger.X | wix.com Ltd. | Used for measuring system effectiveness | 12 months | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
SSR-caching | wix.com Ltd. | Used to display the system from which the website was rendered | 1 minute | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
_wix_browser_sess | wix.com Ltd. | Used for system monitoring/troubleshooting | Session | Essential | Art. 6 Abs. 1 lit. f) DSGVO |
wixLanguage | wix.com Ltd. | Used on multilingual websites to store the user's language | 12 months | Functionality | Art. 6 Abs. 1 lit. a) DSGVO |
Third-party provider
​
On our website, we use the Google Maps service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4 Ireland (hereinafter "Google"). This enables you to conveniently use the map function by displaying interactive maps directly on the website. The Google Maps map also integrates so-called Google Fonts (Google fonts). By integrating Google Maps (including integrated Google Fonts), a direct connection is established between Google's servers and your browser. This enables the Google Maps map to be provided. By integrating the Google Maps map, the IP address is transmitted by your browser to Google for independent data processing. Further information on data processing and possible transfers of personal data to third countries, e.g. the USA, by Google can be found in Google's privacy policy. The terms of use of Google Maps/Google Earth also apply.
​
Google Maps will only be used if you have given your consent to this (Art. 6 para. 1 lit. a GDPR).
​
With whom do we share your data?
​
We use the following service providers to provide our website:
​
-
IONOS SE with seat in Germany
-
WIX.com Ltd. with seat in Israel
​
These service providers process your personal data on our behalf and are strictly subject to our instructions. To protect your data, we have concluded order processing agreements with the service providers. Otherwise, we do not pass on your data to third parties unless we are legally obliged to do so (Art. 6 para. 1 lit. c GDPR) or you have given us your consent (Art. 6 para. 1 lit. a GDPR) (e.g. for Google Maps or Google Analytics).
​
2. In the provision of our services
​
In the following, we inform you about the processing of personal data in connection with the provision of our services, which includes in particular advising our clients.
​
Data of clients or their employees and board members
​
When you contact us as part of an existing client relationship or in the run-up to such a relationship, we process the following personal data from you:
​
-
address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
-
Information on income and assets
-
Information that is necessary for legal advice (e.g. for the assertion and defence of your rights) within the scope of the mandate and that you provide to us
​
Unless otherwise stated below, this data is processed in order to enter into a client relationship with you or the company for which you are contacting us (e.g. your employer) and to fulfil our obligations arising from such a client relationship. This includes in particular
​
-
Identify you (e.g. as part of a KYC (know-your-customer) check);
-
To be able to provide you, as a client or employee or member of a legal entity that has a client relationship with us, with appropriate legal advice and to represent you in and out of court;
-
to establish the facts of the case, to legally assess them and to provide you with legal advice and representation;
-
conduct necessary correspondence with you, courts, authorities and counterparties (and their advisers); and
-
to invoice you or your company for our services.
​
If you as a natural person establish or have already established a client relationship directly with us, the processing of your data is based on Art. 6 para. 1 lit. b GDPR. In all other cases, the processing is carried out to pursue our legitimate interest in providing our (legal) services to our clients and the legitimate interest of our clients in receiving legal advice and representation from us (Art. 6 para. 1 lit. f GDPR).
​
In addition, we may use the aforementioned data to process liability claims and to assert any claims against you or your company and thus to protect our legitimate interest in the assertion of and defence against legal claims (Art. 6 para. 1 lit. f GDPR).
​
We also process the aforementioned data insofar as this is necessary to fulfil a legal obligation to which we are subject (e.g. from Sections 10, 11, 12 of the German Federal Anti-Money-Laundering Act (Geldwäschegesetz – „GwG“) or from professional commercial and tax regulations, e.g. checking possible conflicts before accepting a mandate) (Art. 6 para. 1 lit. c GDPR).
​
In individual cases, the processed data may also include special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) and data relating to criminal convictions and offences within the meaning of Art. 10 GDPR. In this case, we will only process your data if this is necessary for the establishment, exercise or defence of legal claims (Art. 9 para. 2 lit. f GDPR).
​
Apart from that we will use your professional contact details (title, first and last name, business address, e-mail address if applicable) to contact you on special occasions (e.g. to send you greetings at Christmas). This processing is based on our legitimate interest in maintaining our relationships with our clients or their employees or bodies (Art. 6 para. 1 lit. f GDPR).
​
If you do not provide us with your data, we will not be able to carry out the client relationship properly and, for example, will not be able to contact you.
​
Data from third parties
​
If you are neither our client nor an employee or board member of our clients, but e.g. an opposing party or other party to the proceedings or contractual partner or their employee or board member, direct or indirect shareholder of the client, business and contractual partner or consultant of the client, beneficial owner of the client or the opposing party (or their respective employee or board member) or as an expert, witness, employee of authorities or courts, we process your following personal data:
​
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
-
Information on income and assets
-
Information that is necessary for legal advice (e.g. to assert and defend our clients' rights or to support our clients in contract negotiations)
​
As a rule, this personal data has been provided to us by our clients (or their employees / board members) (e.g. by handing over contractual documents) or by courts or authorities (e.g. by inspecting files or providing information), or we have obtained this data from publicly accessible sources.
​
Unless otherwise stated below, this data is processed to pursue our legitimate interest in providing our services to our clients and the legitimate interest of our clients in receiving legal advice and representation from us (Art. 6 para. 1 lit. f GDPR).
​
In individual cases, the processed data may also include special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) and data relating to criminal convictions and offences within the meaning of Art. 10 GDPR. In this case, we will only process your data if this is necessary for the establishment, exercise or defence of legal claims (Art. 9 para. 2 lit. f GDPR).
​
Storage duration
​
We process your personal data only to the extent that and for as long as there is a legal basis for doing so. The personal data collected by us for the mandate will be stored until the end of the statutory retention period for lawyers (six years after the end of the calendar year in which the mandate was terminated) and then deleted, unless we are legally obliged to store it for a longer period (e.g. due to tax and commercial law retention and documentation obligations under the German Commercial Code, the German Value Added Tax Act or the German Fiscal Code. The periods for storage or documentation provided for there are up to ten years) or you have consented to storage beyond this (Art. 6 para. 1 lit. a GDPR).
​
3. When working with business partners
​
Outside the provision of our consulting services, we process personal data in the context of business relationships with our business partners (e.g. suppliers, service providers, other co-operation and contractual partners).
​
In that context, we process the following categories of personal data from our business partners, their employees and their board members, insofar as they are necessary for the establishment or execution of the contractual relationship with the business partner:
​
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
-
Bank details
​
We generally receive the data from our business partner (as the employer of the data subjects) or from the data subjects themselves, for example in the course of business correspondence with us.
​
The processing is carried out to establish, implement and fulfil the contractual relationship with the business partner. The legal basis for this processing activity is Art. 6 para. 1 lit. b GDPR if you initiate or maintain a business relationship with us directly as a natural person. In all other cases, for example when we conclude the contract with the company to which you belong, the data processing is carried out to protect our legitimate interests and those of our business partners in the initiation and implementation of business relationships. The legal basis in this respect is Art. 6 para. 1 lit. f GDPR.
​
We store your data for the duration of the business relationship and beyond for a further four years, unless we are legally obligated to store it for longer (e.g. due to tax and commercial law retention and documentation obligations under the German Commercial Code, the German Value Added Tax Act or the German Fiscal Code. The periods for storage or documentation provided for therein are up to ten years) or you have consented to storage beyond this (Art. 6 para. 1 lit. a GDPR).
​
4. When sending information (e.g. newsletters)
​
If you have given us your consent to do so, we will process the following data in order to send you information about our company, our services and events and, for example, current legal topics:
​
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
​
We receive all of this data exclusively from you.
The legal basis for this processing is your consent (Art. 6 para. 1 lit. a GDPR). You can withdraw your consent at any time with effect for the future.
If you withdraw your consent or if we have had no contact for more than two years, we will delete your personal data unless we are authorised or obliged to continue storing it for another legal reason, for example in connection with the processing of a mandate.
​
5. When participating in events
​
If you participate in one of our events, we process the following data from you in order to organise the event and enable you to participate:
​
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
​
We receive all of this data exclusively from you.
The legal basis for this processing is Art. 6 para. 1 lit. b GDPR if you are attending the event as an individual. If you are attending our event as a representative of the company to which you belong, the data processing is carried out to pursue our legitimate interest in organising the event and exchanging information with you and your company.
We delete your data after 24 months unless we are legally obliged to store it for longer (e.g. due to tax and commercial law retention and documentation obligations under the German Commercial Code, the German Value Added Tax Act or the German Fiscal Code – the periods for storage or documentation provided for there are up to ten years) or you have consented to storage beyond this (Art. 6 para. 1 lit. a GDPR).
6. For applicants or junior lawyers
​
If you apply to us or have contacted us at or in connection with recruitment events or via recruitment platforms or if you work for us as a junior lawyer (trainee lawyer, research assistant, intern), we process the following categories of your personal data:
​
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
Address
-
Telephone number (landline and/or mobile)
-
Photos that you have attached to your application
-
Information on your educational background and progress (e.g. certificates and other certificates of achievement, specialisations, professional experience)
​
We receive all of this data exclusively from you.
We process this data to initiate and implement an employment relationship with you. The legal basis in this respect is Art. 6 para. 1 lit. b GDPR / § 26 para. 1 BDSG.
The personal data collected in connection with your application will be processed for a maximum of three years after completion of the procedure for the purpose of preserving evidence and then deleted or anonymised, unless the application has led to employment with us. If the procedure leads to employment, we store this data for the duration of the employment and for a further four years thereafter.
If you give us your consent to do so, we will process the following data in order to remain in contact with you after your employment with us:
-
E-mail address,
-
Address (Mr, Mrs, Ms, Mx),
-
Surname, first name
We receive all of this data exclusively from you.
The legal basis is your consent (Art. 6 para. 1 lit. a GDPR). You can withdraw your consent at any time with effect for the future.
If you withdraw your consent or if we have had no contact for more than two years, we will delete your personal data unless we are authorised or obliged to continue storing it for another legal reason, for example in connection with the processing of a mandate.
7. For communication via video conferencing systems
​
When we collaborate or communicate with you via Microsoft Teams, a service of Microsoft Corporation ("Microsoft"), we process the following categories of personal data:
​
-
Audio data and video data of the participants
-
Contents of screen views shared by you and text entries in the chat function
-
Address (Mr, Mrs, Ms, Mx), first name, surname, title
-
E-mail address
-
(business) address
-
Telephone number (landline and/or mobile)
-
Information on professional activity, company affiliation and position
-
if you log in with your own account: further information that you have entered in your profile (e.g. profile picture, user name, preferred language)
-
technical data (e.g. IP address, usage data, log data) and meeting metadata (meeting ID, date, time) generated or required in connection with the use of Microsoft Teams
​
To enable the display of video and the playback of audio, the data from your end device's microphone and any video camera on the end device will be processed for the duration of the conference. You can switch off the camera and/or mute the microphone yourself at any time via the Microsoft Teams application.
​
We ask you to ensure that when you communicate with us via Microsoft Teams, no uninvolved third parties come into the picture or are recorded by the microphone. This risk exists particularly in public, but also when participating from the home office (please bear in mind that the personal data of children is particularly worthy of protection). If in doubt, please do not switch on the video transmission and use a shielded microphone.
​
Data processing is carried out for the purposes and on the legal basis specified in the respective sections I. 2. to 8. of this privacy policy.
​
Data processing by Microsoft is carried out on the basis of a processing agreement in accordance with Art. 28 GDPR. Microsoft processes your personal data exclusively on our behalf. Accordingly, Microsoft is obliged to maintain the strictest confidentiality and may only use the data in accordance with our instructions and for our purposes and not for its own purposes, i.e. neither for advertising nor to pass it on to third parties.
​
Personal data is generally not processed outside the European Union (EU), as we have contractually restricted this to data centres in the European Union. However, we cannot rule out the possibility that your data may be routed via internet servers located outside the EU. This may be the case in particular if users are located in a third country. In order to protect your data in the best possible way, even in the event of a transfer to the USA, we have chosen Microsoft, a company that is certified under the EU-U.S. Data Privacy Framework (DPF). Data that is transferred to such certified companies in the USA is subject to an appropriate level of protection according to an adequacy decision by the EU Commission. You can access the list of certified companies here and the adequacy decision here.
​
Microsoft's current privacy policy can be viewed here:
​
The audio and video data created during an audio or video conference will only be processed for the duration of the conference and deleted immediately afterwards. No recordings will be made or stored beyond this without your express consent.
​
8. For business development research
​
We carry out market and company research in order to identify companies that are of interest to us as clients, suppliers or other business partners. In doing so, we process the personal data of the following categories of employees, board members or shareholders of these companies to the extent necessary:
​
-
address (Mr, Mrs, Ms, Mx), first name, surname, title
-
e-mail address
-
business address
-
telephone number (landline and/or mobile)
-
information on professional activity, company affiliation and position
​
This data, if we have not received it from the data subjects themselves, comes from publicly accessible sources, namely
​
-
the company itself, e.g. from information material or from the company's website
-
publicly accessible professional or business databases and industry services
-
public registers or publications (e.g. commercial register, Federal Gazette)
-
publicly visible social networks used for business purposes (e.g. LinkedIn)
-
media and press releases
-
lists of participants in events in which our employees or partners have also taken part
​
The processing of personal data in this context is generally carried out in the exercise of our legitimate interest in the development of our business activities (Art. 6 para. 1 lit. f GDPR). Data subjects are only contacted by email or telephone on the basis of consent (Art. 6 para. 1 lit. a GDPR).
​
II. Disclosure of data to third parties
​
Unless otherwise stated above under I.1 (use of the website) and I.7 (communication via Microsoft Teams), we transmit your personal data to third parties exclusively for the purposes listed below, but never beyond these purposes.
​
Insofar as this is necessary for the processing of client relationships, for the purpose of correspondence and for the assertion and defence of our clients' rights or if there is a legal obligation to pass on your personal data, your personal data will be passed on to the following recipients:
​
-
service providers commissioned by us (or their employees) in order to fulfil our obligations arising from the client relationship (e.g. IT service providers, subcontracted law firms);
-
opposing parties and their representatives (in particular their lawyers);
-
courts and other public authorities.
​
The attorney-client privilege remains unaffected. Any data subject to legal professional privilege will only be disclosed to third parties after prior consultation with you.
​
III Rights of data subjects
​
You have the right:
​
-
to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
-
in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
-
to demand the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
-
in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it for the assertion, exercise or defence of legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
-
in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;
-
in accordance with Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. As a result, we may no longer continue the data processing based on this consent in the future; and
-
to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at the registered office of our law firm.
​
If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation. If you wish to exercise your right of cancellation or objection, simply send an email to flag.privacy@greenflag.law.
​
V. Up-to-dateness and amendment of this privacy policy
​
This privacy policy is currently valid and is dated December 2023.
​
Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to amend this privacy policy. You can access and print out the current privacy policy at any time on the website at www.greenflag.law.