Data privacy statement of Ferner Hornung & Partner Rechtsanwälte GmbH

 

1 General Information on Data Processing and Legal Bases

• For Ferner Hornung & Partner Rechtsanwälte GmbH (hereinafter referred to as: “the Law Firm” or “the Controller”), data protection is of particular importance. The Law Firm is endeavouring to comply with all principles for the processing of personal data. Therefore, you can generally use the Law Firm’s website without providing any personal data whatsoever. However, if a data subject decides to use any of the services of the Law Firmvia its website or to contact the Law Firm, the processing of your personal data may be necessary.
• This Privacy Notice provides information on the type, scope and purpose of the personal data processed by the Law Firm. The processing of personal data such as, for example, name, address, e-mail address or telephone number of a data subject always takes place in accordance and compliance with the applicable (Austrian) data protection provisions, in particular the General Data Protection Regulation (hereinafter referred to as: “GDPR) as well as the Datenschutzgesetz [Data Protection Act] (hereinafter referred to as: “DSG”). Furthermore, this Privacy Notice informs data subjects on the data protection rights to which they are entitled.
• As controller for the processing of personal data, the Law Firm has implemented appropriate technical and organisational measures in order to ensure a level of security of the personal data processed by the Law Firm appropriate to the risk of processing.
• The Privacy Notice is based upon the definitions in the GDPR. In accordance with the transparency requirement, this Privacy Notice should be easy to read and understand.

2 Controller

2.1 Name and address of the Controller

• The Controller as defined in the GDPR as well as in the other applicable data protection laws, in particular the DSG, as amended, is:
  Ferner Hornung & Partner Rechtsanwälte GmbH
  Hellbrunnerstraße 11
  A-5020 Salzburg
  Commercial Register Number of the Salzburg Provincial Court: FN 262615z
  Phone: +43/(0)662/84 16 16 – 0
  Fax: +43/(0)662/84 16 16 16
  E-Mail: office@lawconsult.at
  Website: www.lawconsult.at

2.2 Employees of the Controller (data secrecy)

• The Controller obliged its employees under Sec. 6 DSG to transfer personal data from data processing operations only based upon instructions and its employees are obliged to comply with and safeguard data secrecy even after termination of the employment relationship (service relationship).

3 Website of the Controller

3.1 Cookies

• The Controller uses cookies on its website (lawconsult.at).
• Cookies are text files which are deposited and stored by the server in a computer system via internet browser used. Cookies contain a cookie ID. A cookie ID is a unique identifier of the cookie. It is comprised of a string which can be used in order to assign the website and the server to the specific web browser in which the cookie has been stored. The stored cookie enables the websites and servers that are visited to distinguish the specific web browser of the data subject from other web browsers. Thus, a specific web browser can be recognised and identified due to the unique cookie ID.
• The website of the Controller uses two kinds of cookies:
• Session cookies: These are temporary cookies which remain in the cookie file of the browser of the data subject until you leave our website; once your visit has been finished, these cookies are erased.
• Permanent cookies: These cookies remain permanently stored in the computer system of the data subject in order to recognise them during their next visit to the website.
• Through the use of cookies, the Controller provides the users of its website with more user-friendly services, which would not be possible without the setting of cookies. With the cookies, the information and offerings on the Controller’s website can be optimised in favour of the users. Cookies allow the Controller to recognise the users of its website.

3.2 Deactivation of cookies

• The data subject can prevent the placement of cookies by the Controller’s website at any time by correspondingly setting the internet browser used and thus permanently object to the placement of cookies. Furthermore, cookies which have already been placed can be erased at any time via the internet browser or other software programmes of third developers. If the placement of cookies is deactivated in the web browser used, however, in certain circumstances, it may not be possible to use all the features of the Controller’s website to their full extent.

3.3 Google Analytics (with anonymisation function)

3.3.1  General information and purpose

• The Controller integrated Google Analytics on its website. Google Analytics is a web analysis service by Google LLC (Google) with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, California, United States of America (USA). The Controller extended Google Analytics was extended to include the “gat._anonymizeIp();” code on its website to ensure IP addresses are collected anonymously (so-called IP masking).
• Web analysis means the collection, compilation and evaluation of data concerning the behaviour of visitors of websites. A web analysis service collects, among other things, data which discloses which website a data subject comes from (so-called referrers), which subpages have been accessed, and how often and for how long a subpage has been viewed. Web analysis is carried out mainly to optimise a website and to optimise the cost-benefit analysis of any internet advertising.
• The purpose of the Google Analytics components is to analyse the stream of visitors to the Controller’s website. On behalf of the Controller, Google uses the data and information it has gained, for example, to assess your use of the website, to compile online reports for the Controller about activity on the websites, and to provide further services connected with the use of the website.

3.3.2  Operating principle

• Google Analytics uses cookies as defined under item 3.1. With help of the cookie set by Google Analytics, personal data is stored, generally including the IP address, the period of access, the place from where access took place and how often a data subject has visited the website.
• Data on website usage created by those cookies are generally transferred to Google servers in the US where they are stored. In case of activation of IP anonymisation, as was chosen by the Controller on its website, however, the IP address is shortened by Google within the members states of the EU and the EEA before transfer. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address sent within the scope of Google Analytics by the data subject’s browser is not linked to other data from Google.

3.4 Deactivation of Google-Analytics

• The data subject can prevent the placement of cookies by the website at any time in accordance with item 3.2 and thus permanently object to the placement of cookies. This setting of the Internet browser in use also prevents Google from placing a cookie into the data subject’s computer system. You may also at any time delete a cookie which has already been placed by Google Analytics via the internet browser or another third-party software programme.
• Furthermore, you may prevent any data created by the cookie and relating to website usage on your part (including the IP address) from being transmitted to and being processed by Google by downloading and installing the browser plug-in available at the link below: Deactivate Google Analytics.
• Further information on the data usage by Google
• The applicable data protection regulations of Google
• Terms of use for Google Analytics

3.5 Gathering of general data and information

• The website of the Controller collects general data and information with every access to the website by a data subject or an automated system. The general data and information are stored in the log files of the server of the Controller.
• We may record (i) the browser types and versions used, (ii) the operating system used by the accessing system, (iii) the website from where an accessing system has come across the website (so called referrer), (iv) the sub pages accessed on the website via an accessing system, (v) the date and time of access to the website, (vi) an IP address, (vii) the Internet service provider of the accessing system and (viii) other similar data and information utilised to avert or defend against danger in the case of attacks on the information technology systems.
• When using this general data and information, the Controller does not draw conclusions on the identity of the data subject. This information is rather required (i) to correctly display the contents of the website, (ii) to optimise the contents of as well as the advertising relating to the website, (iii) to guarantee the permanent functionality of the IT systems and the technology of the website and (iv) to provide law enforcement authorities with the information necessary for prosecution in case of a cyber attack. This anonymously collected data and information is thus evaluated by the Controller, on the one hand for statistical purposes and on the other hand to improve data protection and data security in the Law Firm with the final aim of providing an ideal level of protection for the personal data processed. The anonymous data from the server log files is retained separately from all personal data provided by a data subject.

4 Obligation to provide personal data and consequences of non-provision of the personal data or of provision of incorrect personal data

• The provision of personal data is, to some extent, a statutory requirement (e.g. tax regulations) or results from contractual regulations (e.g. details about the contractual partner/client). Sometimes, to enter into a contract, it can be necessary for a data subject to provide the Controller with personal data which, as a result, must be processed by the Controller. For example, the data subject is obliged to provide personal data if the Controller enters into a (client) contract with the data subject. If the personal data is not provided, this would mean that the contract could not be entered into with the data subject and/or that the Controller could not fulfil the contract.
• Before provision of personal data by the data subject, the data subject can contact the Controller. The Controller will inform the data subject on a case-by-case basis about whether the provision of the personal data is a statutory or contractual requirement or necessary to enter into the contract, whether there is any obligation to provide the personal data, and what the consequences of not providing such personal data would be.

5 Processing of personal data

5.1 Types of data

• The Controller endeavours to process only personal data for its processing purposes – to the extent this is possible for fulfilment of the purposes – the processing of which is lawful based upon Art 6 GDPR. Nevertheless, in some cases, the processing of special categories of personal data (e.g. representation in criminal matters, marriage matters, accident matters with personal injuries) as defined in Art 9 GDPR and Sec. 4 para. 3 DSG is mandatory for fulfilment of the purposes. Personal data will only be collected if it is genuinely necessary for the carrying out and processing of our lawyer services, or if they have been voluntarily provided to the Controller.
• The personal data processed by the Controller include, inter alia:
  Name (incl. title), address, date of birth, social insurance number, profession, employer, representation relation, sex, marital status, e-mail address, IP address, homepage, telephone and fax number, telephone details and evidence on conversations, bank details, VAT identification number, car licence plate, commercial register data (in particular company name, legal form, commercial register numbers, shareholding structure, representation authorities), trust relationships, land register data (e.g. land registry number, plot number, plot size, use and type of the property/flat), insolvency data (e.g. receivables and liabilities, voting behaviours and rates), execution data (e.g. claim pursued, title), asset and creditworthiness data including annual accounts, data in and/or from civil court, execution or insolvency processes (e.g. civil court matters, claims, liabilities), data in and/or from administrative procedures (also in and/or from processes before administrative courts; in particular processes with regards to construction, trade, finances and/or duties or labour law), data in and/or from (administrative) criminal processes (including investigation procedures, in particular criminal convictions, criminal acts and/or criminal matters, security measures), image and audiotape data, identity card data, health data, data concerning the sex life or sexual orientation

5.2 Purposes of processing

5.2.1 Fulfilment of client contracts

• The Controller processes personal data primarily for the fulfilment of contracts (client contracts) entered into with the clients, for the performance of precontractual measures which take place upon request of the data subject as well as for the establishment, exercising or defence of legal claims.

5.2.2 Legal obligations

• The Controller also processes personal data in the course of and for the fulfilment of legal monitoring, reporting, recording and retention obligations (in particular monitoring of terrorist financing and money laundering as well as tax-related retention obligations) as well as for the fulfilment of process supports.

5.2.3 Communication

• Furthermore, the Controller processes personal data for the purpose of communicating with the data subject, in particular for the handling of requests and establishment of claims.

5.3 Legal bases of the processing

• The lawfulness of processing of personal data by the Controller is based upon Art 6 and 9 GDPR as well as Sec. 4 DSG. The principles for the processing of personal data as defined in Art 5 GDPR are complied with.

5.3.1 Consent (Art 6 (1) point (a) and 9 (2) point ( a) GDPR)

• The Controller processes personal data if it has been provided with the data subject’s consent to the processing of the personal data affecting them (Art 6 (1) point (a) GDPR as well as Art 9 (2) point (a) GDPR). An explicit consent of the data subject to the processing particularly exists if the data subject independently and voluntarily transfers and/or provides personal data to the Controller, regardless of the manner.

5.3.2 Contract fulfilment (Art 6 (1) point (b) GDPR)

• • If the data are required for fulfilment of the contract to which the data subject is party (client contract), the lawfulness of the processing of personal data is based upon Art 6 (1) point b) GDPR. The same applies to such processing activities which take place for the performance of precontractual measures based upon request of the data subject (examples for this are requests from data subjects regarding consulting services of the Law Firm).

5.3.3 Legal obligations (Art 6 (1) point (c) DS-GVO)

• The Law Firm of the Controller is subject to numerous legal obligations. If processing of personal data of the data subject is required due to such obligations, for example for the fulfilment of monitoring, reporting, recording and retention periods in connection with tax and money laundering tax as well as for representations in processing support matters, the lawfulness of processing is based upon Art 6 (1) point (c) GDPR.

5.3.4 Legitimate interests (Art 6 (1) point (f) GDPR)

• Processing operations which are not covered by any of the above legal bases are ultimately based upon the lawfulness of safeguarding legitimate interests of the Controller or a third party in accordance with Art 6 (1) point (f) GDPR. The processing of the personal data of the data subject by the Controller is required for safeguarding a legitimate interest – if such interest is not overridden by the interests, fundamental freedoms and fundamental rights of the data subject – of the Controller or a third party if the data subject is a customer (client) or employee of the Controller. (Recital 47 GDPR).
• In present case, the Controller relies on such legitimate interest which results from the contractual relationship with the client as well as on the legitimate interest in performing its business activities in favour of the welfare of its client. The legitimate interests of the Controller and/or a third party (usually the client) further, inter alia, include the legal protection interest and the interest in establishing, exercising or defending legal claims.

5.3.5 Establishment of legal claims (Art 9 (2) point (f) GDPR)

• The processing of special categories of personal data is based upon Art 9 (2) point (f) GDPR case the processing is required for the establishment, exercise or defence of legal claims.

5.3.6 Statutory due diligence obligations and legal interests (Sec. 4 para. 3 DSG in connection with Sec. 9 RAO [Lawyer Code] and Art 6 (1) point (f) GDPR)

• The processing of personal data about criminal convictions and criminal offences, i.e. personal data on acts or omissions punishable by courts or administrative authorities, in particular about the suspicion of criminal offences as well as preventive measures, is based by the Controller on its statutory due diligence obligations (Sec. 9 RAO) and the requirement to safeguard the legitimate interests of the Controller or a third party (usually client) (Art 6 (1) point (f) GDPR) in accordance with item 3.4. The manner in which data processing takes place ensures safeguarding of the interests of the data subject in accordance with the data protection provisions.

5.4 Transfer of the personal data

5.4.1 Recipients

• The Controller may disclose personal data of the data subjects to certain persons and companies. These are, in particular, the following categories of persons and companies with registered office in the European Union:
• judicial authorities (courts)
• public prosecutor’s offices, executive and security authorities (in particular police authorities)
• administrative authorities (incl. tax offices and financial authorities)
• notaries public
• clients
• involved parties (in particular defendants, joint plaintiffs) and witnesses
• parties and counsellors of the opposing party
• creditors
• insurances and banks
• Salzburg Bar Association
• tax consultants and auditing firms
• social insurance companies including their main association
• experts and interpreters
• physicians and hospitals

5.4.2 Processors

• For the fulfilment of its purposes, the Controller may use one or several processors as defined in Art 28 GDPR, for example Substituten, ADVOKAT Unternehmensberatung Greiter & Greiter GmbH, interpreters, experts or mail delivery agents. The contracts entered into by the Controller with the processors authorise the processors to use the personal data only for the fulfilment of the purposes determined by the Controller in this Privacy Notice.

5.4.3 Other third parties

• Any disclosure and/or transfer of personal data to third parties – except for item 4.1 and item 5.4.2 – as well as into a third country or an international organisation does generally not take place if there is no corresponding consent by the data subject, no legal obligation to disclose and if the disclosure does not serve law enforcement purposes.

5.5 Automated decision-making and profiling

• As a responsible enterprise, the Controller refrains from automated decision-making or profiling.

6 Rights of the data subject

• In accordance with Art 15 to Art 22 as well as Art 7 (3) and Art 77 GDPR, the data subject has the rights set forth under item 6.1 to item 6.10 of this Privacy Notice, unless they impair the Controller’s right to secrecy to guarantee the protection of the party (client) or the rights and freedoms of other persons or enforcement of claims under civil law (Sec. 9 para. 3a RAO). Upon request, the Controller provides the data subject with corresponding information within one months after receipt of the request. Such time period can be extended by the Controller by another two months if this is required taking into account the complexity and number of requests. In any case, the Controller informs the data subject on any period extension as well as the reasons for the delay within one month after receipt of the request. If the data subject makes the request electronically, it is to be informed electronically where possible.
• A data subject can contact the Controller itself at any time in order to exercise such rights.

6.1 Right to confirmation

• In accordance with Art 15 (1) GDPR, each data subject has the right to request from the Controller a confirmation whether personal data relating to such data subject is processed.

6.2 Right of access

• In accordance with Art 15 GDPR, each data subject has the right to request from the Controller free-of-charge access to information about personal data stored about such data subject as well as about more details on the processing thereof as defined in Art 15 (1) point (a) to (h) GDPR and to obtain a copy of such information. For all further copies requested by the data subject, the Controller may demand a reasonable fee based upon the administrative costs.
• Furthermore, the data subject has a right to information on the appropriate safeguards existing for the transfer of personal data to a third country or an international organisation in accordance with Art 46 GDPR.

6.3 Right to rectification

• Each data subject has the right to request from the Controller immediate rectification of incorrect personal data relating to such data subject in accordance with Art 16 GDPR. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

6.4  Right to erasure (right to be forgotten)

• Each data subject has the right to request from the Controller to erase personal data relating to it without undue delay in accordance with Art 17 GDPR to the extent one of the reasons set forth in Art 17 (1) point (a) to (f) GDPR exists and to the extent the processing is not required in accordance with Art 17 (3) point (a) to point (e) GDPR.

6.5 Right to restriction of processing

• In accordance with Art 18 GDPR, each data subject has the right to request from the Controller the restriction of the processing if one of the conditions set forth in Art 18 (1) point (a) to (d) GDPR is fulfilled.

6.6 Right to data portability

• In accordance with Art 20 GDPR, each data subject has the right to receive any personal data related to them that has been provided by them to the Controller in a structured, commonly used and machine-readable format. Furthermore, the data subject has the right to transfer such data to another controller without impairment by the Controller to whom the personal data were provided to the extent the processing is based upon the consent in accordance with Art 6 (1) point (a) GDPR or Art 9 (2) point (a) GDPR or a contract in accordance with Art 6 (1) point (b) GDPR and if the processing was carried out by automated means.
• That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Furthermore, when exercising his or her right to data portability according to Art 20 (2) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and where this does not adversely affect the rights and freedoms of others.

6.7 Right to object

• In accordance with Art 21 GDPR, each data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them that is based on Art 6 (1) points (e) or (f) GDPR. This also applies to profiling based on those provisions.
• If the personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for the purpose of such marketing. This also includes profiling to the extent that it is related to such direct marketing.
• Moreover, where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Art 89 (1) GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
• A successful objection results in the data subject’s entitlement to restriction and erasure.

6.8 Automated individual decision-making including profiling

• In accordance with Art 22 GDPR, each data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This does not apply in the cases mentioned in Art 22 (2) point (a) to (c) in connection with (3) and (4) GDPR.

6.9 Right to withdraw consent given under data protection law

• In accordance with Art 7 (3) GDPR, each data subject has the right to withdraw any consent to personal data provided by him or her at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

6.10 Right to lodge a complaint with a supervisory authority

• In accordance with Art 77 GDPR, each data subject has, without prejudice to any other administrative or judicial remedy, right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of their personal data infringes the GDPR.
• The supervisory authority established in Austria is
• Österreichische Datenschutzbehörde [Austrian Data Protection Authority], Wickenburggasse 8, 1080 Vienna.

7 Duration for which the personal data will be retained

• The Controller processes personal data of the data subject until the point in time in which it is determined for the Controller that no further communication and no business relationship will be established with the data subject in the future. For the Controller, such point in time is reached, in general, after expiry of three years after the last communication with the data subject, however, no sooner than after expiry of legal retention obligations. The personal data will be deleted two months after expiry of such time period.
• In case of contract conclusion of the data subject with the Controller and/or the establishment of the mandate, the personal data will be deleted two months after the point in time at which it is determined that all claims under a contract or in connection with a contract have been fulfilled to the extent there are no longer legal retention obligations. In the event of full contract processing, this is the case two months after expiry of the respective applicable guarantee, warranty and limitation periods to the extent there are no longer statutory retention obligations. If claims are established against the Controller or in connection with a legal transaction entered into with the Controller, the data will be deleted two months after the final clarification of the claims established to the extent there are no longer legal retention periods; in the event of pending processes, this is the case after entry into legal force and fulfilment of all claims resulting from such processes.