Privacy policy

1. Name and contact details of the controller
2. Contact details of the data protection officer
3. Collection and processing of personal data
4. Recipients of the data
5. Data transfer to third countries
6. Storage period
7. Rights of the data subject
8. Withdrawal of consent
9. Right to object
10. Up-to-dateness and changes to this privacy policy

---

RÖDL takes the protection of personal data very seriously. When handling personal data, we ensure that it is processed in accordance with the requirements of data protection laws (in particular the GDPR and the German Federal Data Protection Act (BDSG)).

Below, we would like to inform you about how we process personal data when you use our website and what rights you have in relation to your personal data.

1. Name and contact details of the controller

Rödl GmbH Rechtsanwaltsgesellschaft Steuerberatungsgesellschaft
Äußere Sulzbacher Straße 100
90491 Nuremberg
Tel.: +49 911 9193 0
Fax: +49 911 9193 1900
info@roedl.com

2. Contact details of the data protection officer

You can contact our data protection officer at dsb@roedl.com or at our postal address with the addition “The Data Protection Officer”.

3. Collection and processing of personal data

The protection of your data is important to us. We would like to provide you with a transparent explanation of how we handle your personal data. The scope and nature of processing of your personal data depends on whether you visit our website only to access information or whether you use services or features on our website that require you to provide additional data about yourself, for example when using our contact form or subscribing to a newsletter.

3.1 Logging of access data (server log files)

(1) When you visit our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security: Your IP address, the date and time of the request, the time zone difference to Greenwich Mean Time (GMT), the content of the request (specifically the page accessed), the website from which the request originates, the browser used, the operating system and its interface, and the language and version of the browser software.

(2) The legal basis for processing is Article 6 (1) (f) GDPR. We have a legitimate interest in providing you with a technically functional and user-friendly website and in ensuring the security of our systems.

(3) For security reasons (e.g. to investigate misuse or fraud), this data is stored for a maximum of 7 days and is deleted thereafter. Data that needs to be kept for evidence purposes is excluded from deletion until the respective incident has been fully resolved.

(4) For security reasons and to protect the transmission of confidential content, such as enquiries via the contact form, we use SSL or TLS encryption on our website. You can recognise an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock icon in your browser bar. When encryption is enabled, the data you transmit cannot be read by third parties.

3.2 Newsletters and information offers

(1) Registration

With your consent, you can subscribe to our newsletters and other information services to enable us to keep you up to date with the latest developments in the fields of law, tax and economics and to provide you with other interesting and important information from these areas and from and about RÖDL.

The only mandatory information required to send you the newsletter is your email address. The provision of additional, separately marked data is voluntary and is used to address you personally. After your confirmation, we will store your email address for the purpose of sending you the selected content.

In addition, your personal data will be passed on to other companies in the RÖDL group of companies for the purpose of sending you the newsletters you have selected and, if applicable, other information.

The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR.

(2) Registration confirmation and verification

We use the double opt-in procedure for registration. In these cases, after you have registered, we will send you an email to the email address you provided, in which you must confirm that you wish to receive our content. If you do not confirm your registration, your information will be automatically deleted after 72 hours at the latest. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of this procedure is to verify your registration and, if necessary, to investigate any possible misuse of your personal data.

If you do not confirm your registration within 72 hours of receiving the activation email, your registration will be automatically deleted for security reasons and you will need to register again, which can be done at any time.

The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR.

(3) Unsubscription

If you no longer wish to receive email content from us, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each email. You can also revoke your consent in any other way; see the Article below entitled “Revocation of consent”.

3.3 Contact

(1) If you contact us by email or via the contact form on our website, we will process the personal data you provide in your message. When using the contact form, certain information is required so that we can process your enquiry (e.g. your email address for our reply). Additional information, such as your telephone number, is voluntary and is used exclusively to improve the processing of your enquiry.

(2) The legal basis for processing is Article 6 (1) (b) GDPR, provided that your enquiry is aimed at initiating or fulfilling a contract. Otherwise, processing is based on our legitimate interest pursuant to Article 6 (1) (f) GDPR, namely effective communication with you.

(3) We store the transmitted data only for as long as is necessary to process your request and provided that no statutory retention obligations apply.

3.4 Consent management tool

(1) We use the consent management tool “Borlabs Cookie” from Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany, on our website. With Borlabs Cookie, we manage your consent to the storage of certain cookies and the use of external services. Consent is obtained, stored and documented via Borlabs Cookie. Borlabs Cookie sets a technically necessary cookie (“borlabs-cookie”) to store your cookie consents. This cookie does not process any personal data.

(2) The legal basis for processing is Article 6 (1) (c) GDPR. Processing is necessary to fulfil legal obligations regarding the documentation of consent. In addition, processing is based on Article 6 (1) (f) GDPR. We have a legitimate interest in the legally compliant and efficient management of your consent.

(3) The storage period for your consent is 60 days . The “borlabs-cookie” cookie stores the consents you gave when you accessed the website. If you wish to revoke these consents, simply delete the cookie in your browser. When you re-access or reload the website, you will be asked again for your cookie consent.

3.5 Cookies

(1) We use cookies on our website for the purposes described below. A cookie is a small text file that is transferred from our web server to your browser and stored on your device. Cookies contain information that enables the device used to be recognised and provides certain settings or functions.

(2) The different categories of cookies and their respective purposes are described below:

Essential

These cookies are necessary to enable basic website functions. Without them, error-free use is not possible. They are only set during your visit and are usually deleted after you close your browser. For example, they ensure a secure connection (switch from http to https) and optimised display on mobile devices.

Analytics

These cookies collect information about the use of our website in order to improve content and functions. The evaluation is always carried out in aggregated form, unless you have expressly consented to a personalised analysis.

Marketing

Marketing cookies are used to display content and advertisements that match your interests. They also help to measure the effectiveness of campaigns. Based on your usage behaviour, profiles can be created to provide you with relevant content.

External Media

These cookies enable the display and use of external content, such as embedded media content or maps. Without these cookies, certain content cannot be displayed.

(3) The legal basis for processing is Article 6 (1) (f) GDPR in conjunction with Section 25 (2) of the German Telecommunications Digital Services Data Protection Act (TDDDG; Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) for essential cookies. Our legitimate interest lies in providing cookies that are necessary for the operation of our website. For all other cookie categories, processing is based on Article 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG. In these cases, processing is based on your consent.

(4) Details on the cookies and services used can be found in our consent management tool, which you can access at any time via the cookie settings.

 

3.6 Web tracking and analysis

3.6.1 Google Tag Manager

(1) We use Google Tag Manager (GTM), a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to centrally manage and implement analytics and marketing tags on our website. GTM and the tags it controls are only activated if you give your consent.

(2) Once you have consented to the use of Google Tag Manager (GTM), the required script is first routed through our servers, which act as a proxy, and then delivered to your browser. Depending on the additional analytics or marketing technologies you have approved, tags can be triggered on the client-side or on the server-side. In the case of client-side triggering, a script is loaded in your browser that transmits data directly to the respective third-party provider (e.g. LinkedIn, Meta). In the case of server-side triggering, the data is transmitted to the third-party provider (e.g. Google) via our systems. In this case, your browser does not communicate directly with the third-party provider.

(3) Google also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure the protection of your data in accordance with the European Union data protection regulations. In addition, we have agreed on standard data protection clauses with Google to ensure an adequate level of data protection in third countries.

(4) Further information on the Google Tag Manager can be found at: https://marketingplatform.google.com/about/tag-manager.

(5) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR, which we obtain via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of the processing until revocation.

3.6.2 Google Analytics (essential configuration)

(1) We use an essential configuration of Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), on our website. This version is used exclusively for basic functional control of our website and uses short-term device identifiers (cookies) that expire after 24 hours. No user identifiers (such as hashed email addresses) are used, so there is no cross-device tracking.

(2) The purpose of processing is to ensure that the services you have requested are provided correctly from a technical perspective. For this purpose, we collect essential interaction data, such as content accessed, time and duration of sessions, and the origin of accesses. Data collection is kept to a minimum: geographical location is only processed at the regional level, and we only collect general technical information about the device (e.g. browser type and device category), not detailed specifications.

(3) To protect your data, all information collected by this service is first processed via our systems. There, the IP address is truncated before the data is forwarded to Google Analytics. There is no direct contact between your browser and Google’s servers.

(4) Google also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure the protection of your data in accordance with the data protection regulations of the European Union. In addition, we have agreed on standard data protection clauses with Google to ensure an adequate level of data protection in third countries.

(5) You can object to the collection and processing of your data by Google Analytics at any time. You can find an opt-out option at: https://tools.google.com/dlpage/gaoptout. Further information on data processing by Google can be found at: https://policies.google.com/privacy.

(6) The legal basis for processing is Article 6 (1) (f) GDPR. Our legitimate interest lies in ensuring the technical functionality of our website and reviewing the performance of the content offered.

3.6.3 Google Analytics (standard configuration)

(1) We use a standard configuration of Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to perform user analyses based on long-term identifiers. This includes the use of cookies and user data (such as hashed email addresses from forms), provided that consent has been given, or modelling via Google’s extended consent mode if no consent has been given. This serves to assign analysis information to a device or user and to recognise users across devices, provided that a user ID is available.

(2) This allows us to track which content users have accessed in one or more sessions, which search terms they have used, which they have accessed again, and how they have interacted with our online offering. In addition, we process the time and duration of the sessions, the sources that referred users to our offering, and technical information about their end devices and browsers. We also collect geographical information about the user, in particular continent, country, region and subcontinent.

(3) To protect your data, all information collected by this service is first processed via our systems . There, the IP address is truncated before the data is forwarded to Google Analytics. There is no direct contact between your browser and Google’s servers.

(4) Google also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure the protection of your data in accordance with the data protection regulations of the European Union. In addition, we have agreed standard data protection clauses with Google to ensure an adequate level of data protection in third countries.

(5) You can object to the collection and processing of your data by Google Analytics at any time. You can find an opt-out option at: https://tools.google.com/dlpage/gaoptout. Further information on data processing by Google can be found at: https://policies.google.com/privacy.

(6) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR, which we obtain via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of the processing until revocation.

3.6.4 Google Signals

(1) We use Google Signals, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), on our website. By giving your consent, you allow Google to link your visit data with information from your Google account (provided you are logged in and have enabled ad personalisation). This allows Google to identify you based on this data and use it for its own purposes, e.g. to personalise ads on other services.

(2) At the same time, this process enables Google to provide us with aggregated data on the demographic characteristics (e.g. age, gender) and interests of our users. We use these aggregated insights solely to better understand the general characteristics of our website audience. All data we receive from Google Signals is anonymised and aggregated, so we cannot identify you personally.

(3) Google also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure the protection of your data in accordance with the data protection regulations of the European Union. In addition, we have agreed on standard data protection clauses with Google to ensure an adequate level of data protection in third countries.

(4) You can control the use of Google Signals at any time via your Google account settings: https://myactivity.google.com/myactivity?pli=1. For more information about data processing by Google, please visit: https://policies.google.com/privacy.

(5) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR, which we obtain via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of the processing until revocation.

3.6.5 LinkedIn Insight Tag

(1) We use the LinkedIn Insight Tag from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”) on our website. By integrating this JavaScript tag, you as a user of our website may be shown interest-based advertisements (“ads”) when visiting the social network LinkedIn or other websites that also use this process. We also receive statistics about website visitors and their demographic characteristics. Furthermore, we can analyse your use of our LinkedIn advertising and your interest in our offers using a conversion tracking function and display LinkedIn ads to you through retargeting on other websites. The aim is to measure and optimise the effectiveness of our LinkedIn advertising campaigns.

(2) By integrating the LinkedIn Insight Tag, a direct connection to LinkedIn’s servers is automatically established when you visit our website. LinkedIn receives information that you have accessed the corresponding page of our website or clicked on one of our advertisements. If you are registered with LinkedIn, LinkedIn can link your visit to your account. Even if you are not registered or logged in, LinkedIn can collect certain information about your visit and link it to your actions. The LinkedIn Insight Tag enables the collection of data about visits to our website, including URL, referrer URL, IP address, device and browser characteristics (user agent) and timestamp.

(3) LinkedIn also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure the protection of your data in accordance with the data protection regulations of the European Union. In addition, we have agreed on standard data protection clauses with LinkedIn to ensure an adequate level of data protection in third countries.

(4) Deactivation of the the LinkedIn Insight Tag and further options to object to advertising can be found in the ad settings at https://www.linkedin.com/psettings/advertising and additionally at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information on the LinkedIn Insight Tag can be found at https://business.linkedin.com/marketing-solutions/insight-tag. Information on data processing at LinkedIn can be found in the LinkedIn Privacy Centre: https://privacy.linkedin.com.

(5) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR. Consent is obtained via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of processing until revocation.

3.6.6 Meta Pixel

(1) We use the meta pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Meta”) on our website. By integrating this JavaScript tag, we can display our advertising measures (“Meta Ads”) to users of our website and the social networks Facebook and Instagram and measure and evaluate their success (“conversion tracking”).

(2) By integrating the Meta Pixel, your browser automatically establishes a direct connection to Meta’s servers when you visit our website. This provides Meta with the information that you have accessed the corresponding page of our website or clicked on one of our advertisements. If you are registered with a Meta service, Meta can link the visit to your account. Even if you are not registered or logged in, Meta can collect certain information about your visit and link it to your actions. The Meta pixel enables the collection of data about visits to our website, including visited web pages, click behaviour, and device and browser information.

(3) Meta also processes your personal data in the United States, relying on the EU-U.S. Data Privacy Framework to ensure that your data is protected in accordance with the data protection regulations of the European Union. In addition, we have agreed on standard data protection clauses with Meta to ensure an adequate level of data protection in third countries.

(4) For information on how to customise advertisements on Facebook, please visit https://www.facebook.com/help/568137493302217. Setting options for advertisements are available at https://www.facebook.com/settings/ads. Further information about Meta Pixel can be found at https://de-de.facebook.com/business/help/742478679120153. Information about data processing at Meta can be found in the Meta Privacy Centre: https://www.facebook.com/about/privacy.

(5) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR. Consent is obtained via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of the processing until revocation.

3.6.7 The Trade Desk

(1) We use technologies from The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001, USA (“The Trade Desk”) on our website to enable the delivery, optimisation and measurement of our advertising campaigns. Pixel tags and JavaScript tags are used for this purpose. The aim is to analyse user behaviour and display interest-based advertising.

(2) By integrating these tracking technologies, your browser automatically establishes a direct connection to The Trade Desk’s servers when you visit our website. Cookies are set and additional technologies such as local storage and fingerprinting are used to identify end devices and store user preferences. The following data is collected in particular: IP address, location data (via IP), user behaviour (e.g. clicks, pages visited), device information (browser, operating system), cookie IDs and other pseudonymised identifiers. The data is generally pseudonymised but not completely anonymised.

(3) The Trade Desk also processes your personal data in third countries, in particular in the USA. To protect your data, The Trade Desk relies on standard contractual clauses and additional safeguards to ensure an adequate level of data protection in accordance with the requirements of the GDPR.

(4) Further information on data processing by The Trade Desk can be found in The Trade Desk’s privacy policy at: https://www.thetradedesk.com/legal/privacy-policy.

(5) The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR. Consent is obtained via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of processing until revocation.

3.7 Map Service

(1) On our website, we use the Leaflet service, an open-source JavaScript framework for map display, as well as map materials provided by the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom (“OpenStreetMap”). By integrating this service, we can provide interactive maps and display geographical information.

(2) For data protection reasons, the maps are initially displayed as placeholders. A connection to the OpenStreetMap servers is only established once you have actively consented via our consent manager and unlocked the content.

(3) Once you have given your consent, a connection to the OpenStreetMap servers is established. The following data may be transmitted: IP address, information about your browser and operating system, date and time of access, the page from which the request originates (referrer URL), and the requested URL (map tile). This data is usually processed on OpenStreetMap servers in the United Kingdom and other countries. We have no influence on the scope of data collected and stored by OpenStreetMap.

(4) Further information on data processing by OpenStreetMap can be found in OpenStreetMap’s privacy policy at: https://wiki.osmfoundation.org/wiki/Privacy_Policy.

(5) Please note that OpenStreetMap may also transfer the collected data to countries outside the European Union and store it there. We have no influence on this data processing.

(6) The legal basis for the processing is your consent in accordance with Article 6 (1) (a) GDPR. Consent is obtained and recorded via our consent manager. You can revoke your consent at any time via the consent manager without affecting the lawfulness of the processing until revocation.

4. Recipients of the data

(1) Your data may be made available to the following recipients for the purposes mentioned above:

• Internal departments: Employees who process personal data within the scope of their respective responsibilities in order to perform their tasks.
• External service providers: Companies that provide services on our behalf, such as in the areas of IT, hosting, maintenance and support of our website. These service providers are contractually obliged to process the data in accordance with data protection regulations.
• Authorities and public bodies: In cases where there is a legal obligation to disclose information, e.g. to comply with tax or legal requirements.
• Companies that process personal data under their own responsibility: Third parties, such as external platforms and social networks, that process personal data under their own responsibility and in accordance with their own data privacy policies.
• Companies within the RÖDL Group: Other companies within the RÖDL Group that process personal data for the purposes described. These companies are also obliged to process the data in accordance with data protection regulations.

(2) Your personal data will only be disclosed without your express prior consent in the cases explicitly mentioned in this privacy policy or where such disclosure is legally permissible or necessary. In all cases, we ensure that the recipients take appropriate technical and organisational measures to protect your data.

5. Data transfer to third countries

(1) Your personal data is normally processed within the European Union (EU) and the European Economic Area (EEA). In some cases, your personal data may also be transferred to countries outside the EU and the EEA and processed there, e.g. because we use service providers based outside the EU or the EEA, or because other companies within the RÖDL Group have offices in these countries.

(2) If personal data is transferred to recipients outside the EU or the EEA without an adequacy decision pursuant to Article 45 GDPR, we will take appropriate safeguards pursuant to Article 46 et seq. GDPR to ensure that your data is adequately protected in accordance with the applicable data protection laws, e.g. by concluding standard contractual clauses approved by the EU Commission (Article 46 GDPR). Upon request using the contact details provided above, we will provide you with further information on the relevant safeguards for data transfer.

6. Storage period

Unless an explicit storage period is specified above, your personal data will be stored for as long as the respective purpose requires such storage and provided that no statutory retention periods prevent deletion or the processing is not necessary for the establishment, exercise or defence of legal claims.

7. Rights of the data subject

If the respective legal requirements are met, you have the following rights:

• Upon request, you have the right to obtain information from us regarding the personal data that we process about you within the scope of Article 15 GDPR.
• You have the right to request the immediate rectification of personal data concerning you, provided that such data is inaccurate, in accordance with Article 16 GDPR.
• You have the right to request that we erase personal data concerning you under the conditions described in Article 17 GDPR. These conditions provide in particular for a right to erasure if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject.
• You have the right to request that we restrict processing in accordance with Article 18 GDPR. This right applies in particular if the accuracy of the personal data is contested between you and us for the period required to verify its accuracy, as well as if you request restricted processing instead of erasure where you have a right to erasure; furthermore, if the data is no longer required for the purposes pursued by us, but you need it to establish, exercise or defend legal claims, and if the successful exercise of an objection between us and you is still disputed.
• You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with Article 20 GDPR.
• Furthermore, pursuant to Article 77 GDPR, you have the right to lodge a complaint about our data processing with a supervisory authority, for example the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht), Promenade 18, 91522 Ansbach, Germany, which is responsible for us.