We appreciate you visiting our website. Personal data protection is important to us. In the following we inform you about which personal data we collect and how we process them for which purposes. This privacy statement applies to all our law firms with possible country-specific deviations (please see point 8).
1. Data controller and privacy officer
The party responsible for controlling the processing of personal data on the website within the meaning of Art. 4(7) GDRP [General Data Protection Regulation] is
ACT Legal Service Company GmbH | Zeppelinallee 77 | 60487 Frankfurt/Main | Email: firstname.lastname@example.org | Tel: +49 69 24 70 97-0.
The data protection officer can be contacted at the above postal address and via the following e-mail address email@example.com | Tel: +49 69 24 70 97-0.
In cases were you send your data directly to the individual law firms (e.g. newsletter registration, application, contact form, publications), the respective law firm is the responsible controller within the meaning of Art. 4 (7) GDPR. For more information about our individual law firms and their contact details can be found in the imprint (“ACT law firms”).
ACT Legal Service Company is not providing any client services. Such services are solely provided by the individual law firms.
2. Purposes of personal data processing and legal framework
2.1 Visiting our website
When accessing our website www.actlegal.com the browser that you use will automatically send information to our website’s server. This information is stored temporarily in a so-called log file. The following information is processed and stored until automatically deleted:
- IP address
- Date and time of the request
- Time zone difference compared to Greenwich Mean Time (GMT)
- Content of request (specific page)
- Access status/HTTP status code
- Data volume transmitted
- Website from which the request emanates
- Operating system and its interface
- Browser software language and version.
We process the above data to ensure a smooth connection setup and user-friendly application of our website, to guarantee network and information security, to analyse system security and stability and also for administrative purposes.
The legitimacy of our personal data processing is based on Art. 6 para 1 sentence 1 f GDPR. Our legitimate interest derives from the aforementioned personal data processing purposes. We do not use personal data to draw conclusions about you as an individual. We reserve the right to check this data retrospectively if we become aware of specific indications of unlawful use.
We also deploy cookies and tracking services on our website. Further details of this are to be found in paragraphs 7 of this Privacy Statement.
2.2 Subscribing for our newsletter | publications | invitations
If you have agreed to receive our newsletter, publications, invitations to events and other information of relevance to you (Art. 6 para 1 sentence 1 lit. a GDPR), we will use your name and email address to provide you with that information electronically.
In order to optimise this website in terms of system performance, user-friendliness and the provision of useful information about our services, the website provider automatically collects and stores information in so-called server log files that your browser automatically transmits to us. This includes your internet protocol address (IP address), browser and language setting, operating system, referrer URL, your internet service provider and date/time. We do not combine this data with personal data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of unlawful use.
You may withdraw your consent at any time with future effect and also unsubscribe. To do this you may use the link at the end of any newsletter or, alternatively, the above email address. This means that we will no longer continue in future to carry out any personal data processing to which your consent relates and will delete the data unless there should be any legal reason not to do so or a statutory obligation to retain the personal data.
2.3 Application portal
During the application process we process the following categories of personal data from you:
- Master data (this includes e.g. name, gender, date of birth),
- Contact details (this includes e.g. certificates, curriculum vitae),
- Data on professional development and acquired skills (including e.g. education and training, work experience, additional qualifications),
- in the case of online applications, usage and inventory data (this includes e.g. IP address, name if the file accessed, date and time of access, volume of data, transferred, notification of successful access, web browser).
All personal data is processed exclusively for the following purpose:
- initialization, establishment, implementation and termination of the employment relationship
- declarations and declarations based on legal obligations or otherwise permitted by law
- protection and enforcement of our legitimate interests
Legal bases for the processing of your data are included:
- Art. 6 para. 1 sentence 1 lit. b GDPR
- Art. 6 para. 1 sentence 1 lit. c GDPR
- Art. 6 para. 1 sentence 1 lit. f GDPR
If you have provided “special categories of personal data” as defined by Art. 9 GDPR in your application (e.g. a photograph showing your ethnic origin or your eyesight, information on being severely disabled, marital status), this is done on the basis of your consent according to Art. 9 para 2 lit. a GDPR. However, we would like to evaluate all applicants on the basis of their qualifications only and therefore ask that such information be omitted from the application if possible.
Your data will only be passed on to companies within the group of companies, unless we are legally obliged to pass on your data to other bodies.
2.4 Contract fulfilment
In the fulfilment of our contract with you we process the following personal data:
- client master data (title, forename, surname, email address, postal address, telephone and (where applicable) fax number(s)
- contract data
- information required to establish, exercise or defend rights when acting for you.
The legal basis for our personal data processing is Art. 6 para 1 sentence 1 lit. b GDPR. Personal data is processed so as to be able to identify you as a client, to enable us to provide you with appropriate legal advice and represent you, to correspond with you, to issue invoices and to establish, exercise or defend legal claims.
Personal data gathered by us whilst acting for you will be saved until the statutory period during which lawyers are obliged to keep it has expired and will then be deleted unless we are required under Art. 6 para 1 sentence 1 lit. c GDPR to keep it for longer than this for fiscal and commercial safekeeping and documentation reasons or unless you have consented to it being processed for a longer period of time pursuant to Art. 6 para 1 sentence 1 lit. a GDPR.
3. Disclosure of personal data
3.1 We share your personal information with the act legal law firms
- if you have asked for it and gave us your consent
- if your personal data will be necessary in order to fulfill your request
- or in order to provide the service or information that you have requested or to organize /manage an event that you have registered to attend
In cases where act legal law firms would like to use your personal data for new purposes, they will obtain your prior consent.
3.2 We will not disclose your personal data to third parties other than the act legal law firms unless:
- you have given your consent to this pursuant to Art. 6 para 1 sentence 1 lit. a GDPR,
- disclosure is necessary under Art. 6 para 1 sentence 1 lit. f GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding and legitimate interest in non-disclosure of your personal data,
- there should be a statutory obligation of disclosure pursuant to Art. 6 para 1 sentence 1 lit. c GDPR, or
- permissible by law and necessary for the performance of contracts with you pursuant to Art. 6 para 1 sentence 1 lit. b GDPR.
Where necessary under Art. 6 para 1 sentence 1 lit. b GDPR in order to manage our client relationship with you your personal data will be passed on to third parties. This includes, in particular, passing it on to your opponents and their representatives (especially their lawyers) as well as courts of law and other public authorities for correspondence purposes and in order to establish, exercise and defend your legal rights.
Lawyer confidentiality is not affected. In the case of personal data that is subject to lawyer confidentiality this will only be passed on to third parties by agreement with you.
Where we process personal data in a third country (i.e. outside the European Union (EU) or European Economic Area (EEA)), where this is done whilst using third-party services or when disclosing or transmitting personal data to third parties this will only be done so as to fulfil our (pre)contractual duties, with your consent, where required by law to do so, or where we have a legitimate interest in so doing. Unless there should be a statutory exemption, we will only process personal data in a third country if the special statutory conditions under Art. 44 et seq. GDPR are fulfilled.
The notarial duty of confidentiality remains unaffected. As far as it concerns data which are subject to the notarial obligation of secrecy, data will only be passed on to third parties in agreement with you.
4. Rights of data subjects
You have the right:
- under Art. 15 GDPR to ask for information about your personal data processed by us. You may specifically ask for information as to the purpose of such processing, the categories of personal data concerned, the categories of recipients to whom your personal data has been or is being disclosed and the length of time that it is intended to be kept, as to the existence of a right to amend, delete or limit such processing or raise an objection, the existence of a right of appeal, the origin of your personal data if it has not been obtained from us and as to the existence of automated decision-making, including profiling, and details of any significant information;
- under Art. 16 GDPR to require the rectification without undue delay of inaccurate personal data processed by us or the supplementation of personal data processed by us;
- under Art. 17 GDPR to require the erasure of personal data, without undue delay, processed by us unless its processing should be necessary in the exercise of the right of freedom of expression and information, to fulfil a legal requirement, for reasons of public interest or in order to establish, exercise or defend of or defend legal claims;
- under Art. 18 GDPR to require a restriction to be put on the processing of your personal data where the accuracy of the personal data is contested by you, processing is unlawful and (at the same time) you oppose the erasure of the personal data or when we no longer need the data but you require it in order to establish, exercise or defend legal claims or where you have filed an objection to processing under Art. 21 GDPR;
- under Art. 20 GDPR to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to require the data to be transmitted to another data controller;
- under Art. 7 para 3 GDPR to withdraw your consent at any time. This means that in future we will no longer be allowed to continue with personal data processing to which your consent relates, and
- under Art. 77 GDPR to lodge a complaint with a supervisory authority. You may generally address this to the supervisory authority in the EU member state of your habitual place of residence, your place of work, your place of business or in place where the GDPR breach supposedly occurred. The competent supervisory authority of us is:
Der Hessische Beauftrage für Datenschutz- und Informationsfreiheit
5. Right to object
Where your personal data is processed for the purpose of legitimate interests under Art. 6 para 1 sentence 1 lit. f GDPR you have the right under Art. 21 GDPR to object to the processing of your personal data on grounds relating to your particular situation or where the objection is levelled at direct marketing. In the latter case you have a general right to object which will be implemented by us without a particular situation having to be specified.
If you should wish to exercise your right to object or ask for rectification, we kindly ask you to send us an email to the above specified email address.
6. Data security
When our website is visited, we use the SSL method (Secure Socket Layer) in conjunction with the highest level of encryption that is supported by your browser. This will generally be 256-bit encryption. If your browser should not support 256-bit encryption we will have recourse to 128-bit v3 technology. You can see whether a particular page of our website is transmitted encrypted from the closed-form display of the key or padlock icon in the bottom status bar of your browser.
We also apply appropriate technical and organisational security measures to safeguard your personal data from accidental or deliberate manipulation, complete or partial loss, destruction or access by unauthorised third parties. Our security measures are continually being improved in line with technological progress.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:
- Technical cookies: these are essential to navigate the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes nor do they record which websites you have visited;
- Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur during use of the website; they do not collect any information that could identify you – all information collected is anonymous and is only used to improve our website and to find out what interests our website users;
- Advertising and targeting cookies: These are used to provide the website user with tailored advertising on the website or third party offers and to measure the effectiveness of these offers; Advertising and Targeting Cookies are stored for a maximum of 13 months;
- Sharing cookies: These are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.
For forms of electronic direct advertising outside the scope of application of Section 107 (3) of the Austrian Telecommunications Act (e.g. advertising to non-clients; advertising to customers about third-party goods/services), we will only process your data if you have given your express consent to the processing of your data (Art 6 (1) lit a GDPR). If we process your data on the basis of your consent, you have the right to revoke this consent at any time by email to firstname.lastname@example.org or by postal mail to Wiedenbauer Mutz Winkler & Partner Rechtsanwälte GmbH, Am Heumarkt 10, A-1030 Vienna. This does not affect the lawfulness of the data processing carried out up to this point (Art 7 (3) GDPR). If, despite our obligation to process your data lawfully, a breach of your right to lawful processing of your data should occur contrary to expectations, please contact us by post or email so that we can learn about and address your concerns.
We will only store your data for as long as is necessary for the purposes for which we collected your data:
- For reasons of tax law, we generally store contracts and other documents as well as related correspondence from our contractual relationship for a period of ten years.
- We are required by law to retain files from mandates for five years after termination of the mandate; in individual cases, such as for the assertion and defense of legal claims, we retain these files for up to 30 years after termination of the mandate.
You will remain on our newsletter distribution list until you unsubscribe from it.
Data on applicants who are not hired will be deleted after nine months unless we ask them for consent to keep records. For hired applicants, our internal data protection information for employees applies, which can be requested in the application process.
8.2 Czech Republic
The personal data that we collect for the purpose of fulfilling the contract will be stored for 5 years after the end of the calendar year in which the client was terminated and then deleted unless we have consented to longer storage in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR due to tax and commercial law retention and documentation obligations in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Should your personal data be collected due to our notarial activity, the person responsible for the processing of personal data in the sense of Art. 4 No. 7 GDPR is lawyer and notary Dr. Marco Loesche, Zeppelinallee 77 | 60487 Frankfurt am Main | E-Mail: email@example.com | Phone: +49 69 2470970.
The data protection officer for notarial matters of the notary Dr. Marco Loesche can be contacted at the above address as well as at the e-mail address firstname.lastname@example.org | Phone: +49 69 2470970.
The transfer of your personal data, which were taken up in the context of the notarial activity and as far as it concerns personal data, which are subject to the notarial secrecy, a passing on to third parties takes place only in agreement with you. The notarial duty of confidentiality remains unaffected.
Unless we establish an employment relationship with you, your application data will be stored by us for up to 6 months after the end of the application process and then deleted.
The personal data that we collect for the purpose of fulfilling the contract will be stored for 6 years after the end of the calendar year in which the client was terminated and then deleted unless we have consented to longer storage in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR due to tax and commercial law retention and documentation obligations in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
The personal data that we collect for the purpose of fulfilling the contract will be stored for 5 years after the termination of the engagement or, in the case of an electronic document form, for 10 years, further in case of documents, data that is affected by countersigning, for 10 years; data will be then deleted unless we have consented to longer storage in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR due to tax and commercial law retention and documentation obligations in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Unless we establish an employment relationship with you, your application data will be stored by us for up to 6 months after the end of the application process and then deleted, unless we have consented to keep records of the application data. In such a case, application data will be stored until revocation of the consent. For hired applicants, our internal data protection information for employees applies.
Personal data, processed for the above purposes, will be kept for the duration of the assignment and, subsequently, for as long as the professional is subject to retention obligations for tax or other purposes, as provided for by law or regulation. Personal data of candidates are kept for a maximum of 24 months from the date of receipt of the CV, after which period the personal data are deleted.
8.6 The Netherlands
We store data for as long as that is necessary to provide the service you requested. An exception applies to the data that we must store for a longer period because we are required to do so by law. We follow the guidelines of the Dutch Bar Association with regard to the retention of files, which we retain for a period of 20 years. You may access your personal data and request their rectification or erasure. You may do so by sending an email to email@example.com.
With respect to any personal data provided to act Poland, the data controller is going to be act Bieniak Smołuch Wielhorski Wojnar i Partnerzy. Adwokaci, Radcowie Prawni i Doradcy Podatkowi sp.p., with its registered office in Warsaw, at Chmielna 73, 00-801 Warsaw, tel: +48 22 420 59 59, e-mail: firstname.lastname@example.org. Your personal data will be processed primarily in order to respond to your inquiries, i.e. for the purposes of the legitimate interests pursued by the controller (article 6 section 1 item f) of GDPR). Your personal data will be stored by the controller for a period of [●]. If any personal data is processed for marketing purposes, the legal basis for such processing is the data subject’s consent (article 6 section 1 item a) of GDPR). In such case, your personal data will be processed no longer that until the withdrawal of consent. As a general rule, personal data will not be transferred to third parties. However, some personal data might be transferred to individuals or entities providing technical or marketing services for the controller. Data subjects hold the right to request, from the controller, access to and rectification or erasure of personal data, or restriction of processing. If processing is based on a consent, data subjects have the right to withdraw such consent at any time. Such withdrawal does not affect the compliance of processing before the withdrawal date. If processing is based on legitimate interests pursued by the controller, data subjects have the right to object to such processing. Additionally, data subjects are entitled to lodge a complaint with a supervisory authority, i.e. the President of the Office of Competition and Consumer Protection. It is voluntary to provide any personal data.
Your personal data will be stored as long as it is necessary for personal data processing. When storing personal data, we observe the recommended retention periods according to the Resolution of the Presidency of the Slovak Bar Association No. 29/11/2011, e.g.:
- attorneys keep the book of postal records regarding incoming and outgoing correspondence for ten years counting from the date of receipt or dispatch of the last document;
- attorneys keep the inventory list for ten years counting from the date of its preparation;
- the client file is kept for ten years from the day when all of the conditions for storing the file in the archive have been met.
Attorneys are subject to professional rules governing the duties of attorneys under the Act on Advocacy. According to these rules, the retention periods are extended or it is prohibited to shred documents, in case there are understandable reasons, e.g.:
- the file of the client contains originals of documents which were handed over to the attorney;
- file protocols of the client and the client list;
- documents which shall be handed over to the State Archive;
- it is precluded to shred files of the client in case there are any court proceeding, administrative proceedings, proceedings conducted by law bodies, proceedings conducted by the Bar in case these proceedings concern the action or omission of the attorney when providing legal assistance in the client’s matter and the matter relates to the content of the client’s file.
If personal data relates to a client (regardless of whether the client is a legal or natural person), the right of access to data or the right to data portability cannot be asserted by other persons due to our obligation to maintain confidentiality and with reference to Article 15 (4) of the GDPR, Article 20 (4) of the GDPR and Section 18 (8) of the Act on Advocacy: “The attorney is not obliged to provide information on the processing of personal data, to give access or to portability of personal data under a separate regulation, if this could lead to a breach of the attorney´s confidentiality obligation.”