Privacy Policy


This statement was updated on 6 March 2025.


NHS GmbH Steuerberatungsgesellschaft (hereinafter ‘NHS’) is pleased that you are visiting our website. Data protection and data security are very important to us. We would like to inform you which of your personal data we collect when you visit our websites, NHSGROUP and NHSGROUP-CAREER, and for what purposes it is used. Changes to the law or changes to our internal company processes may make it necessary to adapt this data protection declaration, which is why this data protection declaration will be updated in good time.


Controller and scope of application

The controller within the meaning of the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

NHS GmbH Steuerberatungsgesellschaft

Am Wehrhahn 100

D-40211 Düsseldorf


Principles of data processing

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, your age, your address, your telephone number, your date of birth, your e-mail address or technical (connection) data such as your IP address. Information for which we cannot (or can only with disproportionate effort) establish a link to your person, e.g. anonymous or anonymised information, is not personal data.

The processing of personal data (e.g. the collection, retrieval, use, storage, transmission or other processes) always requires a legal basis. Your personal data processed by us will be deleted as soon as the purpose of the processing has been achieved and there are no longer any statutory retention obligations to be complied with.


Individual processing operations

We will inform you below about the processes, the scope and purpose of the data processing, the legal basis for the processing, the respective storage period and, if applicable, the transfer of personal data to processors or to third countries.



Auditing and tax consultancy


Purpose

We collect and process personal data in order to provide tax consultancy services in accordance with Section 33 StBerG and auditing services in accordance with Section 2 WPO as well as related services and ancillary services. This includes, among other things, advice on tax and business matters, the preparation of tax returns, the preparation of annual financial statements and tax audits as well as representation in tax matters.


Data categories

We process the following personal data as part of our tax consultancy and auditing services:

·        Master data (e.g. first name, surname, name affixes, date of birth, place of birth, nationality)

·        Contact data (e.g. private address, (mobile) telephone number, e-mail address)

·        Financial and tax data (e.g. income, expenses, tax identification numbers, bank details, assets, debts)

·        Contract and billing data (e.g. contract content, fees, invoices)

·        Professional data (e.g. employment details, professional qualifications, employer)

·        Correspondence (e.g. emails, letters)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes. Tax and accounting-related data is subject to statutory retention obligations of up to ten years (see, among others, Section 257 (1) HGB, Section 147 (1) AO). After this period has expired, the data will be deleted, provided there are no further legal obligations to retain it.


Legal basis

·        Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract performance)

·        Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)


Order processing

We use the services of software and IT service providers to provide tax consulting and auditing services. These are processors in accordance with Art. 28 GDPR. For this purpose, we have concluded an order processing contract with these service providers in accordance with Art. 28 para. 3 GDPR. Your personal data will only be processed on our instructions.

 


Provision of accounting software


Purpose

We process your personal data in order to provide you with our accounting software as a cloud application. This also includes data storage, maintenance and support of the software and ensuring its proper functioning.


Data categories

We process the following personal data as part of the provision and use of the accounting software:

·        Master data (e.g. name, title)

·        Contact data (e.g. telephone number, e-mail)

·        Contract master data (contractual relationship, product or contractual interest)

·        Accounting data (e.g. accounts, transactions, invoices, accounting documents)

·        Usage data (e.g. log-in data, usage behavior)

·        Technical metadata (e.g. IP address, browser type, operating system)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes. Due to statutory retention obligations, certain data may be stored for up to ten years (see, among others, Section 257 (1) HGB, Section 147 (1) AO). After this period has expired, the data will be deleted, provided there are no further legal obligations to retain it. You can also instruct us at any time to delete personal data before these periods expire.


Legal basis

·        Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract performance)

·        Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)


Order processing

We use the services of external software and IT service providers to provide the accounting software. These are processors in accordance with Art. 28 GDPR. For this purpose, we have concluded an order processing contract with these service providers in accordance with Art. 28 para. 3 GDPR. Your personal data will only be processed on our instructions.

 


Operation and provision of the website


Purpose

We collect and use the personal data of our users in order to provide a functional website as well as our content and services. When you access and use our website, we collect the personal data that your browser automatically transmits to our server. This information is stored temporarily. We process your personal data in order to offer the functional scope of the website and to be able to fulfill the user agreement entered into with you. 

We also process your data if it is necessary to protect our legitimate interests or those of third parties. This may be the case in particular to ensure IT security and IT operations, as well as to be able to trace and prove facts in the event of legal disputes. In addition, we process your data to fulfill legal obligations.


Data categories

When you use our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:

·        IP address and host name of the requesting computer

·        Date and time of access

·        Name and URL of the retrieved file

·        Website from which the access is made (referrer URL)

·        Amount of data transferred

·        Header data transmitted by your browser (see https://de.wikipedia.org/wiki/Liste_der_HTTP-Headerfelder and https://www.rfc-editor.org/rfc/rfc9110.html)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website during use. Consequently, the user has no option to object. After use has been completed, the data is deleted as soon as the purposes for which it was collected no longer apply. Further storage may take place in individual cases if this is required by law.


Legal basis

·        Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)

·        Art. 6 para. 1 lit. f GDPR (legitimate interest)


Order processing

We use the services of an external hosting provider and a web agency to operate the website. These are processors in accordance with Art. 28 GDPR. There is a possibility that your personal data may be passed on. For this purpose, we have concluded an order processing contract with these service providers in accordance with Art. 28 para. 3 GDPR. Your personal data will only be processed on our instructions.

   


Online contact form by e-mail


Purpose

We provide general contact forms so that you can get in touch with us by e-mail.


Data categories

The data categories can be taken from the forms and generally include:

·        First and last name

·        Contact details such as individual e-mail addresses, telephone numbers and fax numbers

·        Address data

·        Other data and free text fields


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. The duration of storage depends largely on your request and the further purpose of processing and can therefore not be specified in general terms.

   

Legal basis

·        Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract performance)

 


Contact and communication by e-mail


Purpose

We offer you the option of contacting us and communicating by e-mail.

 

Data categories

The data categories cannot be specified in full, but depend on the data you provide us with. We usually process at least:

·        Technical metadata when sending your email 

·        Content of your email

·        Communication history with you


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. E-mails are business letters and are therefore subject to archiving obligations under tax law. The longest retention period is 10 years (e.g. § 257 para. 1 HGB, § 147 para. 1 AO). E-mails are deleted year by year when the retention periods expire.


Legal basis

·        Art. 6 para. 1 lit. b GDPR (pre-contractual measures and performance of a contract)

·        Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)

   


Receiving the newsletter


Purpose

We process your personal data so that we can send you our newsletter, which you have actively opted for. We use the double opt-in procedure for subscriptions to our newsletter. After you have entered your e-mail address in the field provided or provided it to us in another way, you will receive an e-mail from us. This will contain a confirmation link. You are only subscribed to our newsletter once you click on the link. If you click on the link in the confirmation e-mail you receive, we will process your personal data for a specific purpose in order to prove that we have received a declaration of consent.


Data categories

The data categories can be taken from the forms and generally include:

·        Required information such as e-mail address

·        Voluntary information such as first name and surname, company, company sector


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. As long as you are an active recipient of a newsletter, we will store your data. We usually delete your data immediately if you withdraw your consent and unsubscribe from the newsletter. 


Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)


Order processing

To send our newsletter, we use the services of a processor in accordance with Art. 28 GDPR. This involves the transfer of your personal data. For this purpose, we have concluded an order processing contract with our service provider in accordance with the provisions of the GDPR. Your personal data will be processed exclusively on our instructions.


Integration of media content (video and sound)


Purpose

We process your personal data for a specific purpose with the help of so-called “plug-ins” of the social media services YouTube and Spotify on our website. The integration of the services enables the playback of media content within our website.


Data categories

The following data is regularly processed for the use of social media: 

·        IP address and host name of the requesting computer

·        Date and time of access

·        Name and URL of the retrieved file

·        Website from which the access is made (referrer URL)

·        Amount of data transferred

·        Header data transmitted by your browser (see https://de.wikipedia.org/wiki/Liste_der_HTTP-Headerfelder and https://www.rfc-editor.org/rfc/rfc9110.html)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is necessary for technical reasons. If you revoke your declaration of consent, we will delete your personal data. When integrating plug-ins of social media services on our website, so-called session cookies are regularly set. These can be used to store your personal data for the duration of your visit to the website. If you close our website, your personal data will be deleted. For further information, you can visit the data protection information of the respective social media service (YouTube, Spotify).


Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)


Order processing

When embedding social media plug-ins, personal data is regularly passed on to the provider of the social media service to provide the service. For this purpose, we have concluded an agreement with the provider on joint responsibility in accordance with Art. 26 GDPR. We transmit your personal data to:

·        YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066 USA

·        Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm Sweden

Spotify: The social media service is headquartered in Sweden and has subsidiaries in other countries, including Germany (Spotify GmbH, Unter den Linden 10, 10117 Berlin). A data processing agreement has been concluded for the transfer of your personal data within the EU/EEA.


Transfer to a third country

YouTube: The social media service is based in the USA and its subsidiaries are based in Ireland. Nevertheless, data is regularly transferred to a third country. For the transfer of your personal data to the USA, there is an adequacy decision by the Commission of the European Union in accordance with Art. 45 GDPR. There is also a standard data protection clause for the transfer in accordance with Art. 46 para. 2 lit. c GDPR, which the Commission has issued in the review procedure in accordance with Art. 93 para. 2 GDPR. You can request a copy of this guarantee via our e-mail address above.



Website analysis with Google Analytics


Purpose

We use technologies to analyze user behavior and for tracking. For this purpose, we use the analysis tool Google Analytics from the provider Google LLC, which is provided by the subsidiary Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The processing of your personal data serves the purpose of improving our website, improving our offer and making our website more customer-friendly. Your consent is obtained for processing.


Data categories

With the help of cookies used by the analysis tool Google Analytics, we can process various personal data of our users. Among other things, we process:

·        Pages accessed

·        User actions, such as submitting forms, watching videos, etc.

·        Behavioral data such as the duration of the visit, clicks and behavior within individual websites

·        Approximate location

·        IP address and host name of the requesting computer

·        Date and time of access

·        Name and URL of the retrieved file

·        Website from which the access was made (referrer URL)

·        Header data transmitted by your browser (see https://de.wikipedia.org/wiki/Liste_der_HTTP-Headerfelder and https://www.rfc-editor.org/rfc/rfc9110.html)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. We require your consent to process your data for this purpose. You can withdraw your consent at any time. If you withdraw your declaration of consent, we will delete your personal data.

Session cookies are regularly set when Google Analytics is integrated. These can be used to store your personal data for the duration of your visit to the website. If you close our website, your personal data will be deleted. For further information, you can visit the data protection information of the social media service (https://policies.google.com/privacy).

If you set your browser software accordingly, you can generally prevent the storage of cookies. Please note, however, that in this case you may not be able to use all the functions on our website.

We only store your personal data for as long as the purpose requires. If you revoke your declaration of consent, we will delete your personal data. We can view your personal data for 14 months.

Cookies are stored in your web browser by Google Analytics for a period of two years from your last visit. They contain a user ID that allows Google to recognize you on future visits to the website.

 

Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)


Order processing

Google processes the website usage data on our behalf. The company is contractually obliged to guarantee measures for the security and confidentiality of the processed data. For this purpose, we have concluded an order processing contract with the service provider Google LLC (address: 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA) in accordance with Art. 28 GDPR. Google, or Google Analytics, only processes your personal data on our instructions. 


Transfer to a third country

The service is based in the USA and its subsidiaries are based in Ireland. Nevertheless, data is regularly transferred to a third country. For the transfer of your personal data to the USA, there is an adequacy decision by the Commission of the European Union in accordance with Art. 45 GDPR. 

There is also a standard data protection clause for the transfer in accordance with Art. 46 para. 2 lit. c GDPR, which the Commission has issued in the review procedure in accordance with Art. 93 para. 2 GDPR. You can request a copy of this guarantee via our e-mail address above. 



Processing your application


Purpose

Your personal data is generally collected from you as part of the recruitment process, in particular from the application documents, the job interview and the personnel questionnaire. We also receive data from third parties (e.g. from personnel service providers or the employment agency as part of the job placement process).

We process your personal data in the course of your application to us in order to establish the employment relationship. Your data will only be processed to fill the position for which you have applied. If your application is to be considered for other vacancies in the company, we require a declaration of consent from you. If you would like to be included in our applicant pool in the event of a rejection, we require a declaration of consent for this.


Data categories

We process the following personal data as part of the application process:

·        Your master data (e.g. first name, surname, name affixes, date of birth, place of birth, nationality)

·        Contact details (e.g. private address, (mobile) telephone number, e-mail address)

·        Work permit / residence permit

·        Data on education and skills (information on education and work experience, data on professional interests, special skills, special knowledge, job references)

·        Application-related data (e.g. cover letter, salary expectations, documents and attachments)

·        Data relevant to recruitment (e.g. income tax number, social security number, bank account number, etc.)

·        Results of online procedures and, if applicable, video interviews


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. If you are hired, we will transfer your application documents to your personnel file. After termination of the employment relationship, we will continue to store the personal data that we are legally obliged to retain. The storage periods thereafter are up to ten years. In addition, personal data may be stored for the period during which claims can be asserted against us (statutory limitation period of at least three to a maximum of thirty years).

In the event of a rejection, your application documents will be retained for reasons of proof (for example, a burden of proof in proceedings under the General Equal Treatment Act) and deleted no later than six months after completion of the application process, unless you have given us your consent for longer storage (applicant pool).


Legal basis

·       Art. 6 para. 1 lit. b GDPR (pre-contractual measures and performance of a contract) in conjunction with Art. 88 para. 1 GDPR in conjunction with Section 26 para. 1 BDSG

·       Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)

·       Art. 6 para. 1 lit. f GDPR (legitimate interest)


 

Integration of Google Maps


Purpose

We use technologies to display map material and to use interactive maps. For this purpose, we use the API (application programming interface) of the provider Google LLC, which is provided via the subsidiary Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Your personal data is processed for the purpose of using the interactive maps directly within the NHS website.

If you use and consent to the use of the plug-in, personal data and other metadata will be forwarded to Google. If you are logged in to a Google service, the data passed on will be assigned to your Google user account or summarized in a user profile. If you do not wish to be associated with your Google user account, log out of all Google services and delete your cache. The transferred data is used for the purposes of advertising, market research and/or needs-based advertising. To object to the creation of user profiles or the assignment to your Google account, please address your right of objection directly to Google.


Data categories

With the help of cookies used by the Google Maps API, various personal data and other metadata of our users can be processed. This includes, among other things:

·        IP address and host name of the requesting computer

·        Approximate location

·        Date and time of access

·        Time zone difference to Greenwich Mean Time (GMT)

·        Access status/HTTP status code

·        Amount of data transferred

·        Website from which access was made (referrer URL)

·        Type and version of browser used and language version used

·        Type and version of the operating system you are using

·        Header data transmitted by your browser (see https://de.wikipedia.org/wiki/Liste_der_HTTP-Headerfelder and https://www.rfc-editor.org/rfc/rfc9110.html)


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. We require your consent to process your data for this purpose. You can revoke your consent at any time. If you revoke your declaration of consent, we will delete your personal data.

Session cookies are regularly set when Google Maps is integrated. These can be used to store your personal data for the duration of your visit to the website. If you close our website, your personal data will be deleted. For further information, you can visit Google's privacy policy (https://policies.google.com/privacy).

If you set your browser software accordingly, you can generally prevent the storage of cookies. Please note, however, that in this case not all functions on our website may be available to you and the map function will be deactivated.

We only store your personal data for as long as the purpose requires. If you revoke your declaration of consent, we will delete your personal data.


Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)


Order processing

Google processes the website usage data on our behalf. The company is contractually obliged to guarantee measures for the security and confidentiality of the processed data. For this purpose, we have concluded an order processing contract with the service provider Google LLC (address: 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA) in accordance with Art. 28 GDPR. Google, or Google Maps, only processes your personal data on our instructions. 


Transfer to a third country

The service is based in the USA and its subsidiaries are based in Ireland. Nevertheless, data is regularly transferred to a third country. For the transfer of your personal data to the USA, there is an adequacy decision by the Commission of the European Union in accordance with Art. 45 GDPR. 

There is also a standard data protection clause for the transfer in accordance with Art. 46 para. 2 lit. c GDPR, which the Commission has issued in the review procedure in accordance with Art. 93 para. 2 GDPR. You can request a copy of this guarantee via our e-mail address above. 



Kicktipp


Purpose

We process your personal data to provide the ‘kicktipp’ service. The service is provided by Kicktipp GmbH, Klever Straße 35, 40477 Düsseldorf, Germany, and is integrated on the NHS website as a link in the header menu. By clicking on the link, you will be redirected from our website to the kicktipp membership page for our betting community. A valid e-mail address and a password are required to participate in the service.


Data categories

In order to use the service, the following data about you is processed during forwarding:

·        IP address and host name of the requesting computer

·        Date and time of access

·        Name and URL of the retrieved file

·        Website from which the access was made (referrer URL)

·        Amount of data transferred

·        Browser and operating system version


In addition, the following data may be stored by kicktipp:

·        E-mail address

·        Password

·        Tips

·        Forum posts

·        Texts

 

Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. The respective retention period of different data records can be found in kicktipp's privacy policy (https://www.kicktipp.de/info/service/datenschutz/). Storage takes place within the EU/EEA.

 

Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)


Order processing

Kicktipp processes the data for the use of the service on our behalf. The company is contractually obliged to guarantee measures for the security and confidentiality of the processed data. For this purpose, we have concluded an order processing contract with the service provider Kicktipp GmbH (address: Klever Straße 35, 40477 Düsseldorf, Germany) in accordance with Art. 28 GDPR. Kicktipp GmbH processes your personal data only on our instructions.



Data exchange with the help of Dracoon


Purpose

We use services of Dracoon GmbH for the digital exchange of data records and files as well as for centralised storage and versioning. The contractor Dracoon GmbH (address: Galgenbergstraße 2a, 93053 Regensburg, Germany) provides software solutions for this purpose and is responsible for the maintenance and updating of server and software configurations.


Data categories

The following categories of data can usually be processed when using the service:

·        Primary data (e.g. processed files and documents, e-mails, messages)

·        Personal master data (e.g. name, title)

·        Communication data (e.g. telephone, e-mail)

·        Contract master data (contractual relationship, product or contract interest) 

·        Customer history

·        Contract billing and payment data

·        Planning and control data

·        Information data (from third parties, e.g. credit agencies, or from public directories)

·        System log entries (relevant user actions), including the time of the last successful or failed login; shortened IP address


In addition, the following categories of server log files are affected by the processing when using Dracoon:

·        Date and time of the request

·        Name of the requested file

·        Page from which the file was requested

·        Access status (file transferred, file not found, etc.)

·        Web browser and operating system used

·        Complete IP address of the requesting computer

·        Amount of data transferred


Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary.

Because all files and documents are processed and stored within the Dracoon software solution, it may be necessary, depending on the purpose of use, to retain documents for several years. It is therefore not possible to provide a generalised storage period. In the order processing agreement, the contractor undertakes to return or delete all data in its possession upon termination of the contractual relationship. A log of the deletion can be provided.

The server log files generated automatically when you visit the website are either deleted immediately after you close your browser or anonymised after 7 days at the latest, so that it is no longer possible to draw conclusions about your person; they are then processed in anonymised form for statistical purposes.


Legal basis

·        Art. 6 para. 1 lit. a GDPR (consent)

·        Art. 6 para. 1 lit. b GDPR (fulfilment of contract) 

·        Art. 6 para. 1 lit. c GDPR (fulfilment of a legal obligation)


Order processing

Dracoon processes the data for website use and provision of the service on our behalf. The company is contractually obliged to guarantee measures for the security and confidentiality of the processed data. For this purpose, we have concluded an order processing contract with the service provider Dracoon GmbH (address: Galgenbergstraße 2a, 93053 Regensburg, Germany) in accordance with Art. 28 GDPR. Dracoon processes your personal data only on our instructions.



DATEV Online


Purpose

We process your personal data to provide the ‘DATEV Online’ service on our website. By integrating DATEV content, e.g. videos, banners, etc., your personal data is automatically processed for the purpose of statistical analysis and error tracking. The recipient of the data is DATEV eG (address: Paumgartnerstr. 6-14, 90429 Nuremberg). 


Data categories

Technical metadata required to access the website:

·        IP address and host name of the requesting computer

·        Date and time of access

·        Name and URL of the retrieved file

·        Website from which the access is made (referrer URL)

·        Amount of data transferred


Other data processed by DATEV Online:

·        IP address

·        Information that your browser automatically transmits (operating system of your device, browser name, browser version, last page accessed, time spent on the website, date and time)

·        Language settings

·        Log-in information

·        Location/neighbourhood information

·        Search terms entered

·        Frequency of page views

·        Utilisation of website functions


Data that is processed within the software solutions of DATEV eG:

·       Master data

·       Payments (open payments, archived payments, payment templates)

·       Account transactions incl. additional data (entered by the user via Bank online)

·       Mandate data SEPA mandate master data

·       EBICS banking access data

·       EBICS customer logs

·       Financial year

·       Accounting

(This data has a retention period of 10 years)

 

Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary.

Because all files and documents are processed and stored within the DATEV software solution, retention periods of several years may apply and be necessary, depending on the purpose of use. The files stored in the DATEV eG software solutions usually have a retention period of 10 years and a deletion period of 14 years (10+4).

·        Master data

o   Retention period: 10 years

o   Basis: Documents required to understand the accounting for business transactions that must be recorded

·        Payments (open payments, archived payments, payment templates)

o   Retention period: 10 years

o   Basis: Proof of payment orders for accounting (GoBD)

·        Account transactions including additional data (entered by the user via Bank online)

o   Retention period: 10 years

o   Basis: Principle of traceability and verifiability, § 145 para. 1 AO, § 238 para. 1 sentence 2 and sentence 3 HGB, retrograde verifiability according to para. 30, 33 GoBD, DATEV Bankdatenservice as pre-system according to para. 20 GoBD

·        Mandate data SEPA mandate master data

o   Retention period: 10 years

o   Basis: Proof of payment orders for accounting (GoBD)

·        EBICS banking access data

o   Retention period: none

o   Basis: Legitimate interest

·        EBICS customer logs

o   Retention period: none

o   Basis: Legitimate interest

·        Financial year

o   Retention period: 10 years

o   Basis: Retention obligation, through § 147 para. 1 no. 1 AO, also § 257 para. 4 HGB; para. 113 to 144 GoBD

·        Accounting

o   Retention period: 10 years

o   Basis: Section 147 (1) no. 1, (3) AO and Section 257 (1) and (4) HGB


Legal basis

·        Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract fulfilment)

·        Art. 6 para. 1 lit. c GDPR (fulfilment of a legal obligation)


Order processing

DATEV eG processes the data to provide the service on our behalf. The company is contractually obliged to guarantee measures for the security and confidentiality of the processed data. For this purpose, we have concluded an order processing contract with the service provider DATEV eG (address: Paumgartnerstr. 6-14, 90429 Nuremberg) in accordance with Art. 28 GDPR. DATEV eG processes your personal data only on our instructions.



Appointment booking


Purpose

We offer you the option of booking an appointment.


Data categories

The data categories cannot be specified in full, but depend on the data you provide us with. We usually process at least the following categories of data:


Technical metadata required to access the website:

·    IP address and host name of the requesting computer

·    Date and time of access

·    Name and URL of the retrieved file

·    Website from which the access is made (referrer URL)

·    Amount of data transferred


Further data categories when booking an appointment:

·    Available date and time

·    Free text field

·    E-mail address

·    Telephone number

 

Storage period

In principle, we delete your data as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. E-mails are business letters and are therefore subject to archiving obligations under tax law. The longest retention period is 10 years (e.g. § 257 para. 1 HGB, § 147 para. 1 AO). E-mails are deleted year by year when the retention periods expire.

 

Legal basis

 ·    Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract fulfilment)


Your rights as a data subject


As a data subject, you have the following rights when your personal data is processed:

·    Right to information (Art. 13 GDPR): You have the right to clear, transparent and easily understandable information about how we process your personal data and about your rights. We therefore provide you with this information in this Privacy Policy.

·    Right of access (Art. 15 GDPR): You can request information about your personal data that we process.

·    Right to rectification (Art. 16 GDPR): You can request the correction of incorrect personal data or the completion of incomplete personal data stored by us.

·    Right to erasure (Art. 17 GDPR): You may request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

·    Right to restriction of processing (Art. 18 GDPR): You have the right to have the processing of your personal data restricted for the period necessary to verify the accuracy of the data or in the event of unlawful data processing.

·    Right to data portability (Art. 20 GDPR): You have the right to portability of your personal data.

·    Right to object (Art. 21 GDPR): If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the case of direct marketing, you have a general right to object, which we will implement without you having to specify a particular situation.

·    Complaint to a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your workplace or our company headquarters.

·    Revocation of consent in accordance with Art. 7 para. 3 GDPR: You can withdraw your consent at any time. The revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.



Data security and security measures

 

In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organisational security precautions, which are regularly reviewed and adapted to technological progress. These include the use of recognised encryption methods (SSL or TLS). However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data - e.g. when sent by e-mail - can be read by third parties. We have no technical influence on this. It is the responsibility of the user to protect the data provided by him/her against misuse through encryption or in any other way.





Contact info of data protection officer

You can contact our external data protection officer by post or e-mail:

NHS GmbH Steuerberatungsgesellschaft
Stephan Lipensky (ext. DPO)
Am Wehrhahn 100
D-40211 Düsseldorf

E-mail: datenschutz@nhsgroup.de
