PKF Deutschland

Accountants &
business advisers

Data Privacy Statement

I. Name and address of the Data Controller

The Data Controller, as defined in the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions, is:

1. Company and address of the responsible body:

PKF Deutschland GmbH Wirtschaftsprüfungsgesellschaft
Jungfernstieg 7
20354 Hamburg
Telephone: +49 40 35552-0
Telefax: +49 40 35552-222

E-Mail: info@pkf.de
Internet: www.pkf.de

Commercial Register: Local Court (Amtsgericht) of Hamburg, HRB 38381

2. Management:
Managing Director:  WP StB RA Prof. Dr. Bertram Fischer

II. General Information on Data Processing

1. Scope of the processing of personal data

We generally process the personal data of our users only to the extent necessary for the provision of a functional website and our content and services.  The processing of the personal data of our users is routinely carried out only after users have given consent.  An exception applies in those cases where obtaining prior consent is not possible for practical reasons and where the processing of the data is permitted by law.

2. Lawful grounds for processing personal data

Article 6(1) a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data, insofar as we obtain the consent of the data subject for processing operations involving personal data.
Article 6(1) b) GDPR serves as the legal basis when we process personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Article 6(1) c) GDPR serves as the legal basis insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject.
Article 6(1) d) GDPR serves as the legal basis in the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person.
Article 6(1) f) GDPR serves as the legal basis for the processing if it is necessary for the purposes of safeguarding the legitimate interests of our company or a third party and where the first-mentioned interests are not overridden by the interests, fundamental rights and freedoms of the data subject.

3. Data erasure and retention period

The personal data of the data subject get erased or blocked as soon as the purpose for retaining the data ceases to apply.  Furthermore, data may be retained if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the Data Controller is subject. The data will also be blocked or erased if a retention period prescribed by the aforementioned standards expires, unless there is a need for further retention of the data for the conclusion or performance of a contract.

III. Provision of the website and creation of log files

1. Description and scope of data processing

Every time you call up our website our system automatically records data and information from the computer system of the calling computer. 
In the course of this, the following data are collected:
(1)    Information about the browser type and version used
(2)    The user's operating system
(3)    The user's IP address
(4)    Date and time of access
(5)    Websites from which the user's system reaches our website
(6)    Websites called up by the user's system via our website

2. Lawful grounds for processing data

Article 6(1) f) GDPR is the legal basis for the temporary storage of data and log files.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose the user's IP address has to remain stored for the duration of the session.

The data is stored in log files in order to ensure the functionality of the website. Furthermore, we use the data to optimise the website and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.

Our legitimate interest in data processing pursuant to Article 6(1) f) GDPR also lies in these purposes.

4. Retention period

The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. If the data were collected for the provision of the website this is the case once the respective session has ended. 

If the data are stored in log files this is the case at the latest after 30 days. It is possible for data to be stored for periods that exceed the above limits. In such a case, the IP addresses of the users are erased or disassociated so that the calling client can no longer be assigned.

With regard to the use of Google Analytics, we have set the retention period to the minimum prescribed by Google.

5. Possibilities for objecting and removing

The collection of data for the provision of the website and storing data in log files is vital for the operation of the website. Consequently, there is no possibility for users to opt out of this.

IV. Use of cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files stored in the web browser or by the web browser on the user’s computer system. When a user accesses a website a cookie can thus be stored on the user's operating system. This cookie contains a distinctive character string which allows for unique identification of the browser when the website is accessed again. 
We use a session cookie that prevents forms from being able to be filled out automatically.
In this case, an ID is stored in the cookie and this is deleted again when you leave the website.

b) Lawful grounds for processing data

Article 6(1) f) GDPR is the legal basis for the processing of personal data with the use of cookies.

c) Purpose of data processing

The purpose of using cookies is to prevent website tampering and to simplify the use of the website for users.
User data collected by cookies, which are required for technical reasons, are not used to create user profiles.

V. Contact form and e-mail contact

1. Description and scope of data processing

On our website there is a contact form that can be used to contact us electronically. If a user chooses this option then the data entered into the input mask is transmitted to us and stored. These data are:

Last name,
First name,
Company,
E-mail

When you send a message the following data will also be stored:

(1)    User’s IP address
(2)    Date and time of dispatch

In the course of the dispatching process your consent to the processing of the data is obtained and reference is made to this Data Privacy Statement.

Alternatively, you can contact us using the e-mail address provided. In this case, the user's personal data transmitted with the e-mail are stored.

In this context, data will not be passed on to third parties. The data are used solely for the purposes of processing the conversation.

2. Lawful grounds for processing data

Article 6(1) a) GDPR is the legal basis for the processing of data where the user's consent has been obtained.

Article 6(1) f) GDPR is the legal basis for the processing of data transmitted in the course of sending an e-mail. Article 6(1) b) GDPR is the additional legal basis for the processing of data if the aim of the e-mail contact is to conclude a contract.

3. Purpose of data processing

Our sole purpose for processing the personal data from the input mask is to manage the establishment of the contact. In the case of a contact made by e-mail, the required legitimate interest in the processing of the data also lies therein.
The rest of the personal data processed during the dispatching process serves to prevent misuse of the contact form and to ensure the security of our information technology system.

4. Retention period

The data get erased as soon as they are no longer necessary for the achievement of the purpose of their collection. This is then the case for the data from the input mask in the contact form and the data transmitted via e-mail once the respective conversation with the user ends. The conversation will be deemed to have ended if, from the circumstances, it is possible to infer that the issue in question has been conclusively clarified. 

5. Possibilities for objecting and removing

Users have the option of withdrawing consent for the processing of personal data at any time. If users contact us via e-mail they are thus able to object to the retention of their personal data at any time. In such a case it is not possible to continue the conversation.

All the personal data that were saved in the course of establishing contact would be erased in this case.


VI. Rights of the data subject

If your personal data are processed then you are deemed to be a data subject as defined in the GDPR and you are entitled to the following rights vis à vis the Data Controller:

1. Right to information

You can request confirmation from the Data Controller as to whether or not personal data that concern you are being processed by us.
If there is such processing then you may request the Data Controller to disclose the following information:
(1) the purposes of the processing for which the personal data are intended;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been disclosed or have yet to be disclosed;
(4) the planned period for which the personal data concerning you will be stored, or if it is not possible to provide specific criteria for this then the criteria used to determine the retention period;
(5) the existence of the right to rectification or erasure of personal data concerning you, the right to restrict the processing by the Data Controller or the right to object to this processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) all the available information about the origin of the data if the personal data have not been collected from the data subject;
(8) the existence of automated decision-making, including profiling pursuant to Article 22(1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether or not personal data concerning you will be transferred to a third country or an international organisation. In this connection, you may request information about the appropriate safeguards pursuant to Article 46 GDPR in conjunction with such transmissions.

2. Right to rectification

Insofar as the processed personal data concerning you are inaccurate or incomplete you have the right to have these rectified or completed by the Data Controller. The Data Controller has to carry out the rectification without undue delay.

3. Right to restriction of processing

You may request a restriction on the processing of the personal data concerning you under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period that enables the Data Controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and, instead, you request the restriction of the use of the personal data;
(3) the Data Controller no longer needs the personal data for the purposes of the processing, however, you need them for the establishment, exercise or defence of legal claims, or
(4) if you have objected to processing pursuant to Article 21(1) GDPR and the verification as to whether or not the legitimate grounds of the Data Controller override your grounds is still pending.
If the processing of personal data concerning you has been restricted, these data may only be processed - with the exception of storage - with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained a restriction on processing based on the above-mentioned conditions then you will be informed by the Data Controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erase data

You can request the Data Controller to erase the personal data concerning you without undue delay and the Data Controller is obliged to erase these data without undue delay if any of the following reasons apply:

(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based pursuant to Article 6(1) a) or Article 9(2) a) GDPR and where there is no other legal basis for the processing;
(3) you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
(4) the personal data concerning you have been unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation under EU law or the laws of Member States to which the Data Controller is subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.

b) Information to third parties

Where the Data Controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase them, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the data controllers processing the personal data that you have requested erasure by them of any links to, or copy or replication of, these personal data.

c) Exceptions

The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under EU law or the laws of the Member States to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9(2) h) and i) as well as Article 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in clause a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right to be informed

If you have asserted your right to rectification or erasure of data or restriction of processing vis à vis the Data Controller then the latter is obliged to communicate the rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You are entitled vis à vis the Data Controller to the right to be informed about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, insofar as:
(1) the processing is based on consent pursuant to Article 6(1) a) GDPR or Article 9(2) a) GDPR or on a contract pursuant to Article 6(1) b) GDPR and
(2) the processing is carried out with the help of an automated procedure.
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one data controller to another data controller insofar as this is technically feasible. The rights and freedoms of other people may not be adversely affected because of this.
The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6(1) e) or f) GDPR; this also applies to profiling based on these provisions.
The Data Controller shall no longer process the personal data concerning you unless the Data Controller is able to demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is intended for the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for direct marketing purposes then you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes then the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services and notwithstanding Directive 2002/58/EC, you may exercise your right to object with the help of an automated procedure where technical specifications are used.

8. Right to withdraw data privacy statement of consent

You have the right to withdraw your data privacy statement of consent at any time. The withdrawal of consent will not affect the lawfulness of the processing carried out based on consent prior to its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This will not apply if the decision: 
(1) is necessary for the conclusion or performance of a contract between you and the Data Controller;
(2) is permissible under the laws of the Union or the Member States to which the Data Controller is subject and which also includes appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or
(3) is made with your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) GDPR if Article 9(2) a) or g) GDPR applies and appropriate measures have been adopted to safeguard your rights and freedoms as well as your legitimate interests.  

With respect to the cases referred to in (1) and (3), the Data Controller will adopt suitable measures to safeguard your rights and freedoms as well as your legitimate interests that will at least include the right to obtain human intervention on the part of the Data Controller, to express your own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

11. Further information

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google").  Google Analytics uses cookies. The information generated by a cookie about your use of this website (including your IP address) will be transmitted to a Google server in the USA and stored there.

Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activities for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will never associate your IP address with any other data held by Google Inc.

In order to prevent the transmission of full addresses we use the anonymisation function made available by Google. Moreover, we have the option of using Google’s browser add-on to deactivate Google Analytics. This tells the JavaScript (ga.js) of Google Analytics that no information about the website visit may be transmitted to Google Analytics.

You can prevent cookies from being stored by selecting the appropriate settings in your internet browser software; however, we would like to point out that, in this case, you might not be able to make full use of all the functions on this website. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

In addition or as an alternative to the browser add-on, you can use the Prevent capture by Google Analytics by clicking on the following Click Link: Disable Google Analytics.

Source: Google Analytics Data Privacy Statement

Social Plugins

Our website makes use of social plugins from the following social networks:

facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;
twitter, which is operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA;
google+, which is operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA;
LinkedIn, which is operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA;
XING, which is operated by Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany;
WhatsApp, which is operated by WhatsApp Inc., 4 Grand Canal Square, Dublin 2, Ireland.

These social plugins are identified with the respective logos, so-called placeholders. These placeholders are only activated when you click on them and they create a direct connection via your browser to the servers of Facebook, Twitter, Google+, Xing, LinkedIn or WhatsApp. In this way, information is transmitted to Facebook, Twitter, Google+, Xing, LinkedIn or WhatsApp that you have accessed the page on our website that contains the social plugin. This will also happen even if you are not logged into Facebook, Twitter, Google+, Xing, LinkedIn and WhatsApp, or do not have a corresponding account.

However, if you do have a corresponding account and, at that time, are logged in with Facebook, Twitter, Google+, Xing, LinkedIn or WhatsApp then the visit to our web pages as well as all your interactions associated with the social plugins (e.g. creating comments, etc.) will be assigned to your profile there and stored in Facebook, Twitter, Google+, Xing, LinkedIn or WhatsApp.

To read about the purpose and scope of data collection as well as the processing and use of data by Facebook, Twitter, Google+, Xing, LinkedIn and WhatsApp and, in this respect, your rights and the settings options available to protect your privacy, please refer to the privacy notices of Facebook (http://www.facebook.com/policy.php), Twitter (https://twitter.com/privacy), Google+ (https://www.google.de/intl/de/policies/terms/regional.html), Xing (https://www.xing.com/privacy), LinkedIn (https://www.linkedin.com/legal/privacy-policy), WhatsApp (https://www.whatsapp.com/legal/?lang=de).

In order to prevent Facebook, Twitter, Google+, Xing, LinkedIn or WhatsApp from collecting the above-mentioned data when you visit our website you must log out of Facebook,Twitter, Google+, Xing, LinkedIn or WhatsApp before you visit our website.