Data privacy

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
h2x Partnerschaft von Rechtsanwält:innen und Steuerberater:innen mbB  
Blenk Hauser Holm Marquart  
Klarastr. 18, 80636 Munich
T +49 89 307 06 293
F +49 80 307 06 294
info@h2x.law
www.h2x.law  

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
h2x Partnerschaft von Rechtsanwält:innen und Steuerberater:innen mbB  
Blenk Hauser Holm Marquart  
Klarastr. 18, 80636 Munich
T +49 89 307 06 293
F +49 80 307 06 294
info@h2x.law
www.h2x.law  

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
h2x Partnerschaft von Rechtsanwält:innen und Steuerberater:innen mbB  
Blenk Hauser Holm Marquart  
Klarastr. 18, 80636 Munich
T +49 89 307 06 293
F +49 80 307 06 294
info@h2x.law
www.h2x.law  

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
h2x Partnerschaft von Rechtsanwält:innen und Steuerberater:innen mbB  
Blenk Hauser Holm Marquart  
Klarastr. 18, 80636 Munich
T +49 89 307 06 293
F +49 80 307 06 294
info@h2x.law
www.h2x.law  

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
h2x Partnerschaft von Rechtsanwält:innen und Steuerberater:innen mbB  
Blenk Hauser Holm Marquart  
Klarastr. 18, 80636 Munich
T +49 89 307 06 293
F +49 80 307 06 294
info@h2x.law
www.h2x.law  

II. Provision of website / creation of server log files

To provide our website, we use storage space, computing capacity, and software obtained from Webflow, Inc., with its business address at 398 11th St., Floor 2, San Francisco, CA 94103 (hereinafter referred to as “Webflow”), as our web host. When you just visit our website without actively contacting us, Webflow will only process the personal data transmitted automatically by your browser. Such data, including

• browser type and version
• operating system used
• referrer URL
• hostname of the accessing computer
• date and time of the server query
• IP address

is stored in server log files. When using this data and information, we do not draw any conclusions about you as an individual. The purposes for which we may use the data include, in particular,

• provision of our website
• provision of our online services and enhancing user-friendliness

• operation and security of our information systems
• utilization of a Content Delivery Network (CDN)
• ensuring a smooth connection to the website
• investigating acts of abuse or fraud
• conducting network problem analyses
• assessing system security and stability.

The recipient of your data in this context is our service provider, Webflow, and its subprocessors. Webflow was carefully selected, commissioned in writing, and is bound by our instructions. To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

The legal basis for processing your data is our legitimate interest under Article 6(1)(f) of the GDPR in the optimal and secure technical operation of our website.

Any data transmitted is deleted as soon as it is no longer needed for the purpose for which it was collected. If data is collected to operate the website, it will be deleted once the respective session ends. Data stored in server log files is generally deleted no later than seven days after it is recorded. It is possible for data to be stored beyond this period under certain conditions. In such cases, user IP addresses are either deleted or anonymized, making it impossible to identify the accessing client.

III. Contact Options

1. E-Mail, website, phone

It is possible to contact us on our website through e-mail, via the contact form, and by telephone. In such cases, the personal data provided by the user will be stored. This data is used exclusively to process the conversation. The purpose of contact is communication, management, and response to enquiries.

We process the following personal data:

• E-mail address

• Name (first name, last name)
• Contact reason
• Text of your message

The legal basis for processing data transmitted through e-mail, the contact form, and by telephone is Art. 6(1)(f) of the GDPR. If the contact aims at concluding a contract, an additional legal basis for processing is Art. 6(1)(b) of the GDPR.  

The data will be deleted as soon as it no longer serves the purpose for which it was collected. This applies to personal data transmitted through e-mail, the contact form, and by telephone once the respective conversation with the user concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

2. Microsoft Bookings

On the website, we also use Microsoft Bookings to schedule (online) appointments. The connection to the service is only established when the online booking function is accessed on our website. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is Art. 6(1)(a) of the GDPR (your consent), Art. 6(1)(b) of the GDPR (in the context of contractual relationships), and Art. 6(1)(f) of the GDPR (we have a legitimate interest in ensuring that appointments with clients and prospective clients can be scheduled as easily as possible).  

You have the option to revoke your consent to data processing in relation to “Microsoft Bookings” or to object to the use of the data at any time. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent via “Microsoft Bookings”, this is the case when the respective conversation with the concludes. A conversation is considered concluded when circumstances suggest the matter in question has been fully resolved.

The recipient of your data in this context is our service provider Microsoft Ireland Operations Limited, with business address at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 (hereinafter referred to as “Microsoft”). To ensure an adequate level of data protection for your personal data transferred to the USA, we have concluded the standard contractual clauses of the European Commission for the protection of personal data, in accordance with Article 46(1) and 2(c) of the GDPR. For further information, please contact info@h2x.law.

IV. LinkedIn

We maintain a company presence on professional networks, such as LinkedIn, to share information about our services and offer users the opportunity to communicate with us. This online presence supports job applications, provides information, and facilitates the active solicitation of clients.

Generally, LinkedIn Ireland Unlimited Company, with its business address at Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), is solely responsible for the processing of personal data when visitors interact with our LinkedIn page. For more detailed information on how LinkedIn processes personal data, please refer to their Privacy Policy available at LinkedIn’s website (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy).

When visitors interact with our LinkedIn company page – by visiting, following, or engaging with it – LinkedIn processes personal data in anonymized form to provide us with statistics and insights. These insights help us understand the actions visitors take on our page, known as “Page Insights”. LinkedIn processes data you have already shared with them, including details like your role, country, industry, seniority level, company size, and employment status, as well as how you interact with our LinkedIn page, such as whether you follow it. However, LinkedIn does not share any personal data about individuals with us through Page Insights, and it is impossible for us to deduce individual member identities from this information.

LinkedIn and we operate as joint controllers for the processing of personal data in the context of Page Insights. We have established an agreement with LinkedIn defining the distribution of data protection obligations between us. This agreement, which outlines our collaboration as joint controllers, is accessible at https://www.linkedin.com/legal/l/page-joint-controller-addendum.

Under this agreement:

• LinkedIn is responsible for enabling you to exercise your rights under the GDPR. Should you wish to exercise your rights, you can contact LinkedIn directly through their online support center (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or via the contact details provided in their Privacy Policy . LinkedIn Ireland's Data Protection Officer can be reached via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You are also welcome to contact us using the provided contact details for any inquiries related to the processing of personal data in the context of Page Insights, and we will forward your query to LinkedIn.

• We have agreed with LinkedIn that the Irish Data Protection Commission will act as the lead supervisory authority overseeing the processing for Page Insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority at any time.

Please be aware that LinkedIn may also process personal data in the USA or other third countries in accordance with their Privacy Policy. LinkedIn transfers personal data internationally only to countries recognized by the European Commission as having adequate data protection or by implementing appropriate safeguards as outlined in Art. 46 GDPR.

The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

V. Applications

If you apply for an open position by e-mail, we will collect and process your personal data for the purpose of handling the application process.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

• Name (first name and surname)
• Gender
• E-mail address
• Place of residence
• Salary expectations
• Availability
• Telephone number

You also have the option of providing informative documents such as a cover letter, your CV, and references. These may contain further personal data, such as date of birth, address, etc.  

Only the partners directly involved in the application process have access to your data. Personal data is stored exclusively for the purpose of filling the vacant position for which you have applied.  

The legal basis for processing your data is contract initiation at your request, as stipulated by Article 6(1)(b) of the GDPR. If we obtain your consent (e.g., for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Article 6(1)(a) of the GDPR.  

Your data will be stored for a period of 180 days after the end of the application process, usually to fulfill legal obligations or to defend against any claims arising from applicable legal regulations. We are then obliged to delete or anonymize your data. In this case, the data will only be available to us as so-called metadata without direct personal reference for statistical analyses (e.g., proportion of female applicants, number of applications per period, etc.).

VI. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Article 15 of the GDPR)

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification (Article 16 of the GDPR)

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing (Article 18 of the GDPR)

Under the following conditions, you may request the restriction of the processing of your personal data:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the controller(s) outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

‍

4. Right to erasure (Article 17 of the GDPR)

(1) Cancellation obligation

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

(2) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, he/she shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

‍

(3) Exceptions

The right to erasure does not exist if the processing is necessary

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

‍

6. Right to data portability (Article 20 of the GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

• the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

‍

7. Right to object (Article 21 of the GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on data processing in the public interest pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR or on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Please send us an email in this regard to info@h2x.law.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

‍

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

‍

9. Automated decision-making in individual cases including profiling (Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or fulfilment of a contract between you and the controller,

• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in 1 and 3, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

‍

VII. Status of and changes to the data protection information

This privacy policy is currently valid and has the following status: March 2024.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.

‍

VIII. Use of cookies