Data Privacy Policy

Foreword

Dear users [1], 

In the following, we – SZA Schilling, Zutt & Anschütz Rechtsanwaltsgesellschaft mbH, hereby inform you about privacy, in particular the obligations under data protection law imposed on us within the scope of our data protection responsibility by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”), in order to ensure the protection of personal data relating to you (hereinafter, we address you as a data subject, for example, as “client”, “user”, “you” or “your”). Where we decide – either alone or jointly with others – on the purposes and means of data processing, this includes above all the obligation to inform you in a transparent manner about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 GDPR). With this statement (hereinafter: “SZA Schilling, Zutt & Anschütz Privacy Statement”), we inform you about the way in which your personal data is processed by us.

The SZA Schilling, Zutt & Anschütz Privacy Statement has a modular structure. This means that it consists of a general part, the content of which refers to all processing situations (Part A) and several special parts (Parts B to E), each of which refers only to the processing situation indicated therein with the designation of the respective service offer. Since you may not use all of our services, it is possible that not all parts of the SZA Schilling, Zutt & Anschütz Privacy Statement are relevant to you. In order to find the parts that are relevant to you, please refer to the following overview for the subdivision of the SZA Schilling, Zutt & Anschütz Privacy Statement:

PartDesignationFor you, this part is...
Part AGeneral provisions...always relevant.
Part BWebsite and social media presences...relevant if you use our German internet offer, including the presences in social media.
Part CBusiness partners...relevant if you want to work with us as a service provider, supplier or similar partner, are already in an ongoing business relationship with us or have been in the past.
Part DJob applications...relevant if you are applying for employment as an employee with us.
Part EHandling client matters...relevant if you, as a client or other party to the proceedings, are affected by our handling of a client matter.
Part FSZA as an ombudsman for whistleblowers:...relevant if you report a violation of the law as a whistleblower.
Part GCreditor Information System (CIS)...relevant if you, as a creditor in insolvency proceedings, would like to view information on the respective proceedings around the clock.

[1] For better readability, the male form is used when referring to individuals, but this is always meant to include the female and non-binary form as well.

A. General provisions

A.1. Definitions

For the purposes of the SZA Schilling, Zutt & Anschütz Privacy Statement, the following terms have the meanings described below:

  • Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The identifiability may also exist by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain Personal Data).
  • Processing” means any operation performed on Personal Data, whether or not by automated means (i.e. technology-based). This includes, in particular, the collection (i.e. obtaining), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data, as well as the change of a purpose or intended use on which a data Processing was originally based.
  • Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Third Party” means any natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process the Personal Data; this also includes other legal persons belonging to the same company group.
  • Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, in particular in accordance with the latter's instructions (e.g. IT service providers). In particular, for the purposes of data protection law a Processor is not a Third Party.

A.2. Name and contact details of the Controller

The controller of your personal data within the meaning of Art. 4 no. 7 GDPR is us, SZA Schilling, Zutt & Anschütz Rechtsanwaltsgesellschaft mbH, Otto-Beck-Straße 11, 68165 Mannheim, Germany, phone: +49 621 4257 0, Fax: +49 621 4257 280, e-mail: info@sza.de.

For further information on SZA Schilling, Zutt & Anschütz, please refer to the legal notice (imprint) on our website at https://www.sza.de/imprint.

A.3. Contact details of the data protection officer

Our data protection officer is available at all times to answer any questions you may have and to act as your contact on the subject of data protection at SZA Schilling, Zutt & Anschütz. You can reach our data protection officer. Dr. Steffen Henn, at privacy@sza.de or at our postal address with the addition “FAO Data Protection Officer”.

A.4. Legal bases of data Processing

By law, as a general rule, any Processing of Personal Data is prohibited and only permitted if the Processing can be based on one of the following grounds for justification:

a) Art. 6(1) point (a) GDPR (“Consent”): If the Data Subject has freely, in an informed manner and unambiguously indicated by a statement or by a clear affirmative action that he or she consents to the Processing of Personal Data relating to him or her for one or more specific purposes;
b) Art. 6(1) point (b) GDPR: If the Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
c) Art. 6(1) point (c) GDPR: If the Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g. a statutory obligation to keep records);
d) Art. 6(1) point (d) GDPR: If the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
e) Art. 6(1) point (e) GDPR: If the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or
Art. 6(1) point (f) GDPR (“Legitimate Interests”): If the Processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the Controller or by a Third Party, except where such interests are overridden by the conflicting interests or rights of the Data Subject (in particular where the Data Subject is a minor).
g) § 26 Federal Data Protection Act (BDSG) in conjunction with Art. 88 GDPR (data Processing for purposes of the employment relationship): If the Processing is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination.

The storage of information in the end-user's terminal device or access to information already stored in the terminal device is only permitted if this is covered by one of the following grounds for justification:

h) § 25(1) German Telemedia Data Protection Act (TTDSG): Where the end-user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6(1) sent. 1 point (a) GDPR;
i) § 25(2) no. 1 TTDSG: If the sole purpose is to carry out the transmission of a message via a public telecommunications network, or
j) § 25(2) no. 2 TTDSG: If the storage or access is absolutely necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

For the Processing measures carried out by us, we indicate below the legal ground applicable in each case. Processing may also be based on several legal grounds.

A.5. Data erasure and storage period


For the processing measures carried out by us, we indicate below in each case how long the data will be stored by us and when it will be erased or blocked. If no explicit storage period is specified below, your Personal Data will be erased or blocked as soon as the purpose of or legal basis for the storage no longer applies. In principle, your data will only be stored on our servers in Germany, subject to any transfer that may take place in accordance with the provisions in A.7 and A.8 below.

However, storage may take place beyond the specified period in case of an (imminent) legal dispute with you or other legal proceedings or if storage is provided for by statutory regulations to which we are subject as Controller (e.g. § 257 German Commercial Code (HGB), § 147 German Tax Code (AO)). If the storage period prescribed by legal regulations expires, the Personal Data will be blocked or erased unless further storage by us is necessary and there is a legal basis for this.

A.6. Data security


We use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by Third Parties (e.g. TLS encryption for our website), taking into account the state of the art, implementation costs and the nature of, scope, context and purpose of the Processing, as well as existing risks of a data breach (including its likelihood and impact) for the Data Subject. Our security measures are continuously improved in line with technological developments.

We are happy to provide you with more information upon request. For this purpose, please contact our data protection officer (see A.3. above).

A.7. Cooperation with Processors


In order to process our business transactions, various domestic and foreign service providers act as Processors on our behalf – as is the case with every major law firm. They will act exclusively according to our instructions and have been contractually obligated within the meaning of Art. 28 GDPR to comply with data protection regulations.

A.8. Conditions for the transfer of Personal Data to third countries


As a result of the global orientation of our law firm, your Personal Data may be transferred or disclosed to Third Party entities in the course of our business relations. Such entities may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and for maintenance of your business relationship with SZA Schilling, Zutt & Anschütz (the legal basis is Art. 6(1) point (b) or point (f), in each case in conjunction with Art. 44 et seqq. GDPR). Below, we inform you about the respective details of the transfer at the relevant points.

The European Commission certifies a level of data protection comparable to the EEA standard in some third countries by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/...). However, in other third countries to which Personal Data may be transferred, there may not be a consistently high level of data protection due to a lack of statutory provisions. Where this is the case, we ensure that data protection is sufficiently guaranteed. This is possible via binding corporate policies, standard contractual clauses of the European Commission for the protection of Personal Data pursuant to Art. 46(1), (2) point (c) GDPR (the 2021 standard contractual clauses are available at https://eur-lex.europa.eu/lega...), certificates or recognized codes of conduct. Please contact our data protection officer if you would like to receive more detailed information on this.

A.9 Statutory obligation of SZA Schilling, Zutt & Anschütz to transfer certain data


As a law firm, we are subject to various statutory obligations, the fulfillment of which may make it necessary to provide your lawfully processed data (Art. 6(1) point (c) GDPR); this may be due to statutory provisions of the tax laws or the Commercial Code.

A.10. No automated decision-making (including profiling)


We will not use Personal Data collected from you for any automated decision-making process (including profiling).

A.11. No obligation to provide Personal Data


We do not make the conclusion of contracts with us dependent on you providing us with Personal Data beforehand. For you as our client, there is also no legal or contractual obligation to provide us with your Personal Data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide us with the data required therefor. Should this exceptional case apply within the scope of the services we offer presented below, you will be informed of this separately.

A.12. Your rights


You can exercise your rights as a Data Subject at any time by contacting us using the contact details provided above under A.2. You have the following rights as a Data Subject:

  • pursuant to Art. 15 GDPR, to request information about your Personal Data processed by us. In particular, you may request information about the purposes of the Processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the envisaged storage period, the existence of a right of rectification, erasure, restriction of Processing or objection, the existence of a right to lodge a complaint, the source of your data if it has not been collected from us, as well as the existence of an automated decision-making, including profiling, and, if applicable, meaningful information on its details;
  • pursuant to Art. 16 GDPR, to request, without undue delay, the rectification of inaccurate or the completion of data stored by us;
  • pursuant to Art. 17 GDPR, to demand the erasure of your data stored by us, unless Processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims;
  • pursuant to Art. 18 GDPR, to demand the restriction of the Processing of your data where the accuracy of the data is disputed by you or the Processing is unlawful;
  • pursuant to Art. 20 GDPR, to receive your data which you have provided to us in a structured, commonly used and machine-readable format or to request the transmission to another Controller (“Data Transferability”);
  • pursuant to Art. 21 GDPR, to object to the Processing provided that the Processing is based on Art. 6(1) point (e) or point (f) GDPR. This is the case, in particular, if the Processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, if you exercise such an objection right, we would like to ask you to explain why you do not want us to process your data as we have done. In the event of your justified objection, we will examine the circumstances of the case and either discontinue or adapt the data Processing or demonstrate to you our compelling legitimate grounds on the basis of which we will continue the Processing;
  • pursuant to Art. 7(3) GDPR, to revoke your consent given once (also before the GDPR came into force, i.e. before May 25, 2018) – i.e. your free will, expressed in an informed manner and unambiguously by a statement or by a clear affirmative action that you consent to the Processing of the relevant Personal Data for one or more specific purposes – vis-à-vis our firm at any time, if you have given such consent. The consequence of this is that we may no longer continue the data Processing based on this consent in the future; and
  • pursuant to Art. 77 GDPR, to complain to a data protection supervisory authority about the Processing of your Personal Data in our law firm, such as the data protection supervisory authority competent in our case: Der Landesbeauftragte für den Datenschutz (The State Commissioner for Data Protection) Baden-Württemberg, Königstraße 10a, 70173 Stuttgart, e-mail poststelle@lfdi.bwl.de.

A.13. Amendments to the SZA Schilling, Zutt & Anschütz Privacy Statement

In the context of the further development of data protection law as well as technological or organizational changes, the SZA Schilling, Zutt & Anschütz Privacy Statement is regularly reviewed for the need to adapt or supplement it. You will be informed about any changes in particular on our German website at https://www.sza.de/. This privacy statement was last revised in October 2022.

B. Website and Newsletter

B.1. Explanation of the function

For information on our law firm and the services we offer, please visit our website at https://www.sza.de/ and the associated sub-pages (hereinafter collectively referred to as the “Website”). When you visit our Website, your Personal Data may be processed.

B.2 What data do we process?


During the mere informative use of our Website, the following data is collected, stored and processed by us:

“Log data”: When you visit our Websites, a so-called log data record (so-called server log files) is stored temporarily and in anonymized form on our web server. This data record consists of:

  • the page from which the page was requested (so-called referrer URL)
  • the date and time of the call,
  • the description of the type of web browser used,
  • the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established.

In addition to the purely informative use of our Website, we offer a subscription to our newsletter, which will inform you about current developments in business law and events. When you register for our newsletter, the following data is collected, stored and processed by us:

  • the page from which the page was requested (so-called referrer URL)
  • the date and time of the call,
  • the description of the type of web browser used,
  • the IP address of the requesting computer,
  • the e-mail address,
  • the date and time of registration and confirmation

If you declare your consent as part of the newsletter registration process, we evaluate your user behavior when sending the newsletter. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID. The data is solely collected in pseudonymized form, i.e. the IDs are not linked with your other Personal Data, a direct personal reference is excluded.

B.3 For what purpose and on what legal basis (see A.4.) is this data processed?

We process the Personal Data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. To the extent the processing of Personal Data is based on Art. 6(1) point (f) GDPR, the aforementioned purposes also constitute our legitimate interests.

The processing of the log data serves statistical purposes and the improvement of the quality of our Website, in particular the stability and security of the connection (the legal basis is Art. 6(1) point ((a) as well as) (f) GDPR).

Your e-mail address is processed for the purpose of sending the newsletter. When registering for our newsletter, you consent to the Processing of your Personal Data (the legal basis is Art. 6(1) point (a) GDPR). We use the so-called double opt-in procedure for subscribing to our newsletter. This means that following your registration we will send you an e-mail to the e-mail address provided by you; in this e-mail, we will ask you to confirm that you wish to receive the newsletter. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your Personal Data. You may withdraw your consent to the sending of the newsletter and unsubscribe the newsletter at any time. Such withdrawal may be effected by clicking on the link provided in each newsletter e-mail, via e-mail to newsletter@sza.de or by a notice to the contact details stated in the imprint.

If the Processing of data requires the storage of information in your terminal device or access to information already stored in the terminal device, § 25(1), (2) TTDSG is the legal basis for this.

B.4. How long will this data be processed?

Your data will only be processed for as long as is necessary to achieve the above-mentioned Processing purposes; the legal bases stated in the context of the Processing purposes apply accordingly. With regard to the use and storage period of cookies, please note point A.5.

Third Parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.

For the storage period, see A.5.

B.5. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

The following categories of recipients, which are usually Processors (see A.7.), may be granted access to your Personal Data:

  • Service providers for the operation of our Website and the Processing of data stored or transmitted by the systems (e.g. for data processing center services, payment processing, IT security) (the legal basis for the transfer in these cases is Art. 6(1) point (b) or point (f) GDPR, to the extent that they are not Processors; in that case, the order processing agreement forms the legal basis);
  • Government agencies/authorities, to the extent that this is necessary to fulfill a legal obligation (the legal basis for the disclosure is then Art. 6(1) point (c) GDPR);
  • Persons appointed in the course of carrying out our business operations (such as auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures) (the legal basis for the disclosure is then Art. 6(1) point (b) or point (f) GDPR).

Furthermore, we will only pass on your Personal Data to Third Parties if you have given your express consent to do so in accordance with Art. 6(1) point (a) GDPR.

For sending the newsletter, we use the newsletter service of MailChimp (provider: The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA). With the help of MailChimp, the sending of newsletters can be organized and analyzed. MailChimp has signed and implemented the standard contractual clauses provided by the Commission so that an adequate level of data protection can be ensured in the event of data transfer to the United States (for more information, please refer to https://mailchimp.com/legal/da...). In addition, MailChimp has entered into a data processing agreement with us in which it undertakes to protect the data of our users and to process the data exclusively in accordance with the data protection provisions in our order and as per our instructions.

For more details on the safeguards for an adequate level of data protection in the event of data being passed on to third countries, please refer to A.8.

B.6 Cookies, plugins and other services on our Website

6.1. Cookies

We use cookies on our Websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard disk by means of a characteristic character string, and through which certain information flows to the party that sets the cookie. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause any damage. They serve to make the internet offer as a whole more user-friendly and effective, i.e. more comfortable for you.

Cookies may contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, the following distinction is made between cookies:

  • Technical cookies: These are indispensable to be able to move around the Website, use basic functions and ensure the security of the Website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;
  • Performance cookies: These cookies collect information about how you use our Website, which pages you visit and, for example, whether errors occur during Website use; they do not collect information that could identify you – all information collected is anonymous and is used only to improve our Website and find out what interests our users;
  • Advertising cookies, targeting cookies: These cookies are used to offer the Website user tailored advertising on the Website or offers from Third Parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
  • Sharing cookies: These cookies are used to improve the interactivity of our Website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

When you use our Websites, the cookies described in detail below are used. You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time using the appropriate browser settings and prevent new cookies from being set; please refer to your browser provider for more information. You can usually deactivate cookies via deactivation links.

Please note that if you deactivate cookies, our Websites may not be displayed in the best possible way and some functions may no longer be technically available.

The legal basis for cookies that are absolutely necessary in order to provide you with the service expressly requested by you is § 25(2) no. 2 TTDSG. Any use of cookies that is not absolutely technically necessary for this constitutes Processing that is only permitted with your explicit and active consent pursuant to Art. 6(1) sent. 1 point (a) GDPR in connection with § 25(1) TTDSG. To the extent performance, advertising, targeting or sharing cookies are used, this is only done with your prior consent (the legal basis is then § 25(1) TTDSG in conjunction with Art. 6(1) point (a) GDPR).

6.2. SZA Website

Certain technical cookies are always set as necessary cookies when you visit our Website; the data Processing is based on § 25(2) no. 2 TTDSG, Art. 6(1) point (f) GDPR.

The following cookies are currently used for this purpose:

Name

Purpose

Expiry

sza.cookies_statistic

sza.cookies_matomo

These cookies are set by the cookie layer and indicate whether or not the user has agreed to the marketing statistics category.

30 days

sza.cookies_thirdparty

sza.cookies_youtube

sza.cookies_lexcrm

These cookies are set by the cookie layer and indicate whether or not the user has agreed to the Third Party category.

30 days

Sza.i18n_redirected

This cookie is set by the Website and stores the user's language setting

1 year


6.3. Matomo

We create pseudonymous user profiles with the help of Matomo in order to design our Websites in accordance with requirements. We use Matomo exclusively in the no cookie variant, i.e. no cookies are set by Matomo. Since tracking can also take place by other technical means without setting a cookie, the Matomo functionalities are only used by us if you have consented to this. The data collection then takes place on the basis of § 25(1) TTDSG in conjunction with Art. 6(1) point (a) GDPR and in the interest of finding out how often our Websites have been accessed by different users. As we have activated IP anonymization on our Website, your IP address is shortened by Matomo and the information anonymized in this way is stored and used by us (for further information on privacy, please refer to https://matomo.org/privacy-policy/). We have also concluded an order processing agreement with Matomo in accordance with Art. 28 GDPR. Matomo will therefore only use any information strictly for the purpose of evaluating the use of our Website for us and compiling reports on Website activity.

6.4. Social Media Plugins

We do not use social media plugins on our Websites. If our Websites contain symbols from social media providers (e.g. from Xing or Facebook), we only use these for passive linking to the pages of the respective providers.

6.5. Integration of LexCRM (Third-Party cookie)

  • On this Website we use the services offered by LexCRM. This allows us to provide you with forms for a newsletter or event registration. We have no influence on the setting of cookies by LexCRM. This therefore only takes place with your consent.
  • In case of a newsletter or event registration, LexCRM receives the information that you have called up the corresponding subpage of our Website.
  • For more information on the purpose and scope of data collection and Processing by the plug-in provider, please refer to the provider's privacy statement. There you will also find further information on your rights in this regard and setting options for protecting your privacy (https://www.lexcrm.de/meta/dat...).

6.6. Integration of YouTube (Third-Party cookie)

On this Website we use a plugin from YouTube, belonging to Google Inc. based in San Bruno/California, USA. We use the YouTube function No-Cookies, i.e. we have activated Extended Privacy, videos are not accessed via youtube.com, but via youtube-nocookie.com. YouTube provides this itself and thus gives an assurance that YouTube will not initially store any cookies on your device. However, when the pages in question are called up, the IP address and the log data specified under B.2 will be transmitted. However, this information cannot be attributed to you if you are permanently logged in to YouTube or another Google service when you access the page.

As soon as you start the playback of an embedded video by clicking on it, due to the extended privacy mode, YouTube only saves cookies on your device which do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by appropriate browser settings and extensions. For more information on the purpose and scope of data collection and Processing by the plug-in provider, please refer to the provider's privacy statement. There you will also find further information on your rights in this regard and setting options for protecting your privacy (Google/YouTube : Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland – privacy statement: https://policies.google.com/pr..., opt-out: https://adssettings.google.com..., privacy shield: https://www.privacyshield.gov/....)

C. Business partners

C.1. Explanation

If you enter into a business relationship with SZA Schilling, Zutt & Anschütz as a service provider, supplier or similar partner (collectively: “Business Partners”), are already in an ongoing business relationship with us or have been in the past (collectively: “Collaboration”), your Personal Data may be processed. Where this concerns business relationships that have already been ended, the Processing activity relates solely to the Personal Data we already hold.

C.2 What data do we process?


Within the scope of our Collaboration, we collect, store and process the following categories of Personal Data:

  • Contact data”: Surname and first name of the Business Partner and, if applicable, of a different contact person, date of birth, (business) address, (business) e-mail address(es), (business) telephone, fax and mobile phone number(s)
  • Contract data”: Contract account number, customer number
  • Creditworthiness data”: Risk class, score and probability of default of the Business Partner
  • Payment data”: Bank details, surname and first name of the account holder, surname, first name and address of a different invoice recipient

C.3. For what purpose and on what legal basis (see A.4.) is this data processed?

We process the Personal Data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. To the extent the processing of Personal Data is based on Art. 6(1) point (f) GDPR, the aforementioned purposes also constitute our legitimate interests.

  • The processing of contact data and contractual data mainly fulfills the purpose of planning, managing and implementing the Collabration with you; in particular, it ensures smooth communication, the fulfillment of our obligations arising from the contractual relationship with you and the provision of other services (the legal bases are Art. 6(1) sent. 1 point (b) and point (f) GDPR).
  • We process creditworthiness data in order to assess the likely success of a Collaboration and any risk of a customer defaulting on payment (the legal bases are Art. 6(1) sent. 1 point (b) and point (f) GDPR).
  • The Processing of payment data is used for billing and collection of payments as well as for accounting purposes (the legal basis is Art. 6(1) sent. 1 point (f) GDPR).

C.4. How long will this data be processed?

Your data will only be processed for as long as is necessary to achieve the above-mentioned Processing purposes or for the fulfillment of legal retention periods; the legal bases stated in the context of the Processing purposes apply accordingly in this respect. Advertising measures will not be carried out beyond a period of 1.5 years after termination of the Collaboration.

Third Parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.

For more details on the storage period, see A.5.

C.5. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

The following categories of recipients, which are usually Processors (see A.7.), may be granted access to your Personal Data:

  • Service providers for the operation of our systems and the Processing of data stored or transmitted by the systems, e.g. for data processing center services, payment processing, IT security) (the legal basis for the transfer is the order processing agreement or Art. 6(1) point (b) or point (f) GDPR);
  • Government agencies or authorities, to the extent that this is necessary to fulfill a legal obligation (the legal basis for the disclosure is the order processing agreement or Art. 6(1) point (c) GDPR);
  • Persons appointed in the course of carrying out our business operations, such as auditors, banks, insurance companies, legal advisors, mailing service providers (the legal basis for the disclosure is the order processing agreement or Art. 6(1) point (b) or point (f) GDPR).

Furthermore, we will only pass on your Personal Data to Third Parties if you have given your express consent to do so in accordance with Art. 6(1) point (a) GDPR.

For the safeguards for an adequate level of data protection in the event of data being passed on to third countries, please refer to A.8. If there is neither an adequacy decision pursuant to Article 45(3) nor appropriate safeguards pursuant to Article 46, including binding internal data protection rules, a transfer of your Personal Data to a third country will only take place if the transfer becomes necessary for the performance of a contract or to take steps at your request prior to entering into a contract (Art. 49(1) sent. 1 point (b) GDPR) or for the assertion, exercise or defense of legal claims (Art. 49(1) sent. 1 point (e) GDPR).

D. Job applications

D.1. Explanation

We are always on the lookout for qualified employees for SZA Schilling, Zutt & Anschütz. If you are interested in working for SZA Schilling, Zutt & Anschütz, you can either apply for advertised positions or send us an informative unsolicited application for a specific position. When evaluating and processing these applications, we also process your Personal Data contained therein.

D.2 What data do we process?


Within the scope of applicant management for recruitment purposes, we collect, store and process the following categories of Personal Data:

  • “Contact data”: Surname and first name, address, e-mail address, telephone and/or mobile phone number
  • “Applicant data”: Resume, marital status (if applicable), religious affiliation (if applicable), photo (if applicable)
  • “Qualification data”: Qualification data, activities, assessments, disabilities if applicable

D.3. For what purpose and on what legal basis (see A.4.) is this data processed?

We process the Personal Data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. To the extent the processing of Personal Data is based on Art. 6(1) point (f) GDPR, the aforementioned purposes also constitute our legitimate interests.

The Processing of the contact data enables us to contact you after the evaluation of your application and to inform you of our decision on the application. The data Processing is based on a voluntary transmission on your part (the legal basis is § 26(2) sent. 1 Federal Data Protection Act) and also serves, if applicable, to prepare the conclusion of an employment contract (the legal basis is § 26(1) sent. 1 Federal Data Protection Act, Art. 88 GDPR).

Applicant data is processed to the extent that it is voluntarily provided by you (the legal basis is then § 26(1) sent. 1 Federal Data Protection Act, Art. 88 GDPR or Art. 6(1) sent. 1 point (a) GDPR).

The processing of qualification data serves the purpose of assessing your professional and personal suitability for the respective position or a possible alternative field of employment and, if applicable, to prepare the conclusion of an employment contract (the legal bases are § 26(1) sent. 1 Federal Data Protection Act, Art. 88 GDPR).

D.4. How long will this data be processed?


The data will only be processed for as long as is necessary to achieve the stated purposes for Processing. In the case of rejected applicants, your data will be retained for up to six months. The documents of accepted applicants will be placed in the personnel file. In all other respects, the legal bases stated in the context of the processing purposes apply accordingly to the storage of the data.

Besides, you can find more details on the storage period under A.5.

D.5. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

In connection with applicant management for recruitment purposes, we may transfer your Personal Data to service providers for the operation of our systems and the Processing of data stored or transmitted by the systems, e.g. to recruitment service providers or for data center services. The legal basis for this disclosure is § 26(1) sent. 1 Federal Data Protection Act, Art. 88 GDPR, to the extent that it does not involve Processors; in that case, the order processing agreement forms the legal basis. The transfer to jacando AG, a software developer, which processes the above-mentioned data via an applicant tool, is based on your consent to the data Processing (§ 26(2) sent. 1 Federal Data Protection Act, Art. 88 GDPR). If you consent to the Processing, your data will be collected in the applicant pool of jacando AG and you will then be considered for vacancies that open up following your application.The transfer to Switzerland as a so-called third country takes place on the basis of an adequacy decision of the EU Commission (Art. 45 GDPR), available at http://www.europarl.europa.eu/factsheets/de/sheet/169/der-europaische-wirtschaftsraum-ewr-die-schweiz-und-der-norden. For further details on order Processing, please refer to A.7; for third country data transfers, please refer to A.8.

In addition, government agencies or authorities may receive access to your data if and to the extent that this is necessary to fulfill a legal obligation (the legal basis is then § 26(1) sent. 1 Federal Data Protection Act, Art. 88 GDPR).

Otherwise, we will only pass on your data to Third Parties if you expressly request this (the legal basis is then § 26(2) sent. 1 Federal Data Protection Act, Art. 88 GDPR).

E. Handling client matters

E.1. Explanation

If you enter into a client relationship with SZA Schilling, Zutt & Anschütz as a client, are already in an ongoing client relationship with us or have been in the past (collectively: “Client Matter Handling”), your Personal Data may be processed. Where this concerns client relationships that have already been ended, the Processing activity relates solely to the Personal Data we already hold. If you will be, are or have been involved in such proceedings, which are part of a client matter to be handled by us, for example as an opposing party, its representative or advisor, employee of an involved insurer, expert, employee of courts and/or authorities or, if applicable, employee of tax advisor and/or auditing firms (hereinafter: parties to the proceedings), we also process your data within the scope of the Client Matter Handling.

E.2 What data do we process?

Within the scope of our Client Matter Handling, we collect, store and process the following categories of Personal Data:

  • Contact data”: Surname and first name of the client or party to the proceedings and, if applicable, of a different contact person, date of birth, (business) address, (business) e-mail address(es), (business) telephone, fax and mobile phone number(s)
  • Contract data”: Contract account number, client number of the client
  • Creditworthiness data”: Risk class, score and probability of default of the client
  • Payment data”: Bank details, surname and first name of the account holder, surname, first name and address of a different invoice recipient
  • Client matter data”: Data of the client or of the parties to the proceedings which are provided by a client in the course of our advice and representation, relate to the client matter and are required for the Client Matter Handling.
  • Correspondence data”: Data of the client or of the parties to the proceedings which are collected or obtained in the course of correspondence with all parties to the proceedings in connection with the Client Matter Handling (including data which arises in the course of electronic communication as so-called protocol data)
  • Generated data”: Data of the client or of the parties to the proceedings generated by SZA itself in the course of the Client Matter Handling (for example, in the form of briefs, cover letters or internal memoranda)

E.3. For what purpose and on what legal basis (see A.4.) is this data processed?

We process the Personal Data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. To the extent the processing of Personal Data is based on Art. 6(1) point (f) GDPR, the aforementioned purposes also constitute our legitimate interests.

  • The processing of contact data and contractual data mainly fulfills the purpose of planning, managing and implementing the Collabration with you as a client; in particular, it ensures smooth communication, the fulfillment of our obligations arising from the client relationship with you and the provision of other services (the legal bases are Art. 6(1) sent. 1 point (b) and point (f) GDPR).
  • We process creditworthiness data in order to assess the likely success of a Collaboration and any risk of a client defaulting on payment (the legal bases are Art. 6(1) sent. 1 point (b) and point (f) GDPR).
  • The Processing of payment data is used for billing and collection of payments as well as for accounting purposes (the legal basis is Art. 6(1) sent. 1 point (f) GDPR).
  • We process your Personal Data, which we receive from you as a client within the scope of retaining our services, for the successful Client Matter Handling. This begins with a conflict check when you first contact us and continues with the initiation of the client relationship, advising and representing you in asserting or defending your rights, our general client management and the enforcement of your own claims against you or any necessary defense against liability claims on your part. The purpose of the Processing of your data may also be, beyond the respective individual matter, the proper bookkeeping, the IT administration or the provision of data to tax advisors or auditors of our firm. (The legal basis is Art. 6(1) sent. 1 point (b) GDPR, contract initiation or implementation; Art. 6(1) sent. 1 point (f) GDPR, legitimate interests)
  • As the opposing party in the proceedings, we process your Personal Data, to the extent that they originate from a contractual relationship with the client, for the performance of that contract. (The legal basis is Art. 6(1) sent. 1 point (b) GDPR) If your data as the opposing party to the proceedings is not processed to enforce contractual claims of our client, the Processing is carried out for the purpose of fulfilling the client relationship with our client and/or to ensure the proper functioning of our internal processes (the legal basis is Art. 6(1) sent. 1 point (f) GDPR; legitimate interest).
  • If your Personal Data is processed by us as that of a party to the proceedings in other respects, we also process your data for the purpose of fulfilling the client relationship with our client (the legal basis is Art. 6(1) sent. 1 point (f) GDPR; legitimate interest)
  • In addition, your Personal Data may also be processed on the basis of a statutory Processing obligation to which we are subject, for example, due to provisions of the Anti-Money Laundering Act, statutory obligations vis-à-vis courts or authorities as well as professional, commercial and tax law obligations regarding the retention of records following the execution of the client matter. (The legal basis is Art. 6(1) sent. 1 point (c) GDPR; legal obligation)

E.4. How long will this data be processed?

Your data will only be processed for as long as is necessary to achieve the Processing purposes stated above or to comply with statutory retention periods (in particular, § 50 German Federal Lawyers' Act (BRAO): retention period for case files of at least 6 years after the end of the year in which the client matter was ended); in this respect, the legal bases stated in the context of the processing purposes apply accordingly. Advertising measures will not be carried out beyond a period of 1.5 years after termination of the Collaboration.

Third Parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.

For more details on the storage period, see A.5.

E.5. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

The following categories of recipients, may receive access to your Personal Data:

  • Opposing parties in the proceedings and their representatives or advisors against whom we are acting within the scope of the client matter. In relation to our clients, such disclosure is made for the purpose of fulfilling the client contract (the legal basis is Art. 6(1) point (b) GDPR) and in relation to other parties to the proceedings within the scope of the legitimate interest of fulfilling the contract with our client (Art. 6(1) point (f) GDPR) or for the purpose of fulfilling legal obligations (the legal basis is Art. 6(1) point (c) GDPR).
  • Courts, authorities, insurers and experts involved in the proceedings in the context of the Client Matter Handling. In relation to our clients, the disclosure is made for the purpose of fulfilling the client contract (the legal basis is Art. 6(1) point (b) GDPR) and in relation to other parties to the proceedings within the scope of the legitimate interest of fulfilling the contract with our client (Art. 6(1) point (f) GDPR) or for the purpose of fulfilling legal obligations (the legal basis is Art. 6(1) point (c) GDPR).
  • Tax advisors as well as auditors who are commissioned by us within the scope of the Client Matter Handling. In relation to our clients, the disclosure is made for the purpose of fulfilling the client contract (the legal basis is Art. 6(1) point (b) GDPR) and in relation to other parties to the proceedings within the scope of the legitimate interest of fulfilling the contract with our client (Art. 6(1) point (f) GDPR) or for the purpose of fulfilling legal obligations (the legal basis is Art. 6(1) point (c) GDPR).
  • Other service providers for the operation of our systems and the Processing of data stored or transmitted by the systems, e.g. for data processing center services, payment processing, IT security) (the legal basis for the transfer is the order processing agreement or Art. 6(1) point (b) or point (f) GDPR);
  • Government agencies or authorities, to the extent that this is necessary – irrespective of the specific client matter – for the fulfillment of a legal obligation (the legal basis for the disclosure is the order processing agreement or Art. 6(1) point (c) GDPR);
  • Persons appointed in the course of carrying out our business operations, such as auditors, banks, insurance companies, legal advisors, mailing service providers (the legal basis for the disclosure is the order processing agreement or Art. 6(1) point (b) or point (f) GDPR).

Furthermore, we will only pass on your Personal Data to Third Parties if you have given your express consent to do so in accordance with Art. 6(1) point (a) GDPR.

For the safeguards for an adequate level of data protection in the event of data being passed on to third countries, please refer to A.8. If there is neither an adequacy decision pursuant to Article 45(3) nor appropriate safeguards pursuant to Article 46, including binding internal data protection rules, a transfer of your Personal Data to a third country will only take place if the transfer becomes necessary for the performance of a contract or to take steps at your request prior to entering into a contract (Art. 49(1) sent. 1 point (b) or (c) GDPR) or for the assertion, exercise or defense of legal claims (Art. 49(1) sent. 1 point (e) GDPR).

E.6. Tools for communication – Microsoft Teams

For communication and Collaboration with our clients, we rely on modern communication tools in order to be able to record and process your client requests quickly and without compromise. We use the Microsoft Teams tool for video conferences with you or other parties to the proceedings. The following data is processed as part of the use of Microsoft Teams:

  • user details (display name, e-mail address, the respective language settings, IP address and optionally a profile picture)
  • Meeting metadata (time, date, meeting ID, phone number and location information)
  • Text, audio and video data (use of chat function, playback of audio during call if microphone is enabled during call; display of video during call if camera is enabled during call)

If we intend to record the conversation, we will notify you in advance and obtain your consent. If data is shared via Microsoft Teams during the call, it may be stored in our business account on One-Drive-for-Business, meaning that it will remain available beyond the individual call. In addition, the data listed above is used solely to carry out communication or Collaboration via teams.

Your Personal Data is processed on the following legal basis:

  • If you have consented to data Processing, on the basis of this consent pursuant to Art. 6(1) sent. 1 point (a) GDPR
  • If the data Processing is necessary for the execution of the client contract or as a step taken prior to entering into such a client contract, pursuant to Art. 6(1) sent. 1 point b GDPR
  • If the data Processing is necessary for other legitimate interests on our part, on the basis of Art. 6(1) sent. 1 point (f) GDPR. In this respect, the legitimate interest lies in the proper execution of the call for interests not directly related to the client matter.

As a matter of principle, we only store the transmitted data for as long as it is required for the purposes stated above. If there is no legal obligation to retain the data and it is not necessary to retain it in order to assert any claims, your data will be erased in accordance with the specifications under A.5.

Data will only be passed on to Third Parties if this is provided for at the time of data collection.

In addition, data is transferred to Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. This transmission is necessary for the use of the tool. We have concluded an order processing agreement with Microsoft including standard contractual clauses. Its content can be viewed here https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67

Microsoft also transfers data to companies in third countries and establishes lawfulness with appropriate legal mechanisms such as, in particular, contractual arrangements in the form of standard contractual clauses or Binding Corporate Rules (BCR).

For more information on Microsoft's data Processing and for further information on data protection at Microsoft, please visit https://privacy.microsoft.com/...

F. SZA as an ombudsman for whistleblowers

F.1. Explanation

The whistleblower system is used to report information on violations of the law. If you, as a whistleblower, report a violation of the law to SZA Schilling, Zutt & Anschütz in its role as ombudsman for whistleblowers, your Personal Data may be processed.

F.2 What data do we process?

We use the information you provide as part of the whistleblowing system. When you submit a report via the whistleblower system, we collect the following Personal Data:

  • your name, provided you disclose your identity,
  • whether you are employed by the company that is the subject of your report, and
  • where applicable, names of persons and other Personal Data of the persons you name in your report.

F.3. For what purpose and on what legal basis (see A.4.) is this data processed?

We process the Personal Data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. We use the information you provide via the whistleblower system, including any Personal Data, among other things for the purpose of verifying and documenting the reports. The Processing of Personal Data within the framework of the whistleblower system is justified by the legitimate interest of the respective company in the detection and prevention of wrongdoing and the associated prevention of damage and liability risks (Art. 6(1) sent. 1 point (f) GDPR in conjunction with §§ 30, 130 OWiG). If a tip received concerns an employee of the company, the Processing also serves to prevent criminal offences or other violations of the law related to the employee relationship (§ 26(1) Federal Data Protection Act).

F.4. How long will the Personal Data be processed?

Personal data will be processed for as long as clarification and final assessment require or there is a legitimate interest on the part of the company or this is prescribed by law. Thereafter, the Personal Data will be erased in accordance with applicable legal requirements. The duration of the storage depends, in particular, on the severity of the suspicion and the reported potential breach of duty.

F.5. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

The internal investigations conducted for the purpose of verifying the suspicion may include the passing on of the data to external lawyers, auditors or other professionals bound by professional secrecy as well as affected group companies. If necessary, the data may also be passed on to government authorities (such as the police, public prosecutor's office or courts). We assure all whistleblowers of confidential handling of the matter. The legal basis is Art. 6(1) sent. 1 point (f) GDPR or Art. 6(1) sent. 1 point (c) GDPR, respectively.

G. Creditor Information System (CIS)

G.1 Explanation

The Creditor Information System (CIS) is linked on our Website. CIS is a web system that provides creditors in insolvency proceedings with information on the respective proceedings around the clock. It supports creditors in filing claims and transmitting the recorded data electronically to the competent insolvency administrator. CIS is used to provide a comprehensive information service to creditors.

G.2 Controller

The Controller within the meaning of Art. 4 no. 7 GDPR is – in deviation from A.2. above – the insolvency administrator appointed in the respective insolvency proceedings. His/her identity and contact details can be found in the court order instituting the insolvency proceedings.

G.3 What data is being processed?

The use of CIS does not initially require the disclosure of Personal Data, such as name, address or bank details. If you wish to participate in the electronic procedure for filing claims in insolvency proceedings, the option of entering data and transmitting documents via CIS is available to you. You will need the PIN sent to you by the insolvency administrator for access. Alternatively, you may send the required information by post to the appointed insolvency administrator. If you opt for the electronic data transmission procedure via CIS, the insolvency administrator will process the following Personal Data:

  • Name,
  • Address,
  • Contact details such as phone number and email,
  • Data on the legal basis and amount of the claims filed, contract and invoice data,
  • Bank details and
  • other Personal Data contained in the documents you submit.

G.4 For what purpose and on what legal basis (see A.4.) is this data processed?

The Personal Data specified above will be processed in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. The Processing of Personal Data is carried out for the purpose of inspection, verification, making any corrections and completing your data already entered as part of the claim registration as well as for the recording of your claim data previously unknown. In addition, the data Processing is used for correspondence with you, for the preparation and maintenance of the insolvency table and for the payment of any insolvency quota. The justification for Processing Personal Data under the CIS is the protection of the legitimate interests of the insolvency administrator pursuant to Art. 6(1) sent. 1 point (f) GDPR. These interests arise from the purposes stated above, which the insolvency administrator is legally obliged to fulfill under the Insolvency Code. If your claim results from a contractual or quasi-contractual relationship with the insolvency debtor, the data Processing is carried out for the purpose of (partial) fulfillment of this contract pursuant to Art. 6(1) sent. 1 point (b) GDPR. If this contract is an employment relationship, the legal basis is Art. 88 GDPR in conjunction with § 26 Federal Data Protection Act.

G.5. How long will the Personal Data be processed?

The Personal Data will generally only be stored for the duration of the insolvency proceedings. After completion of the insolvency proceedings or the residual debt discharge proceedings, the data is regularly erased from the database within two months. However, the data retrieved by the insolvency administrator will be processed by the insolvency administrator for a limited period of time if this is necessary to comply with statutory retention periods or for documentation and evidence purposes within the scope of provisions on the statute of limitation.

G.6. Is this data passed on to Third Parties and if so, what is the legal basis (see A.4.) therefor?

GIS is provided by STP Informationstechnologie GmbH, Brauerstr. 12, 76135 Karlsruhe, Germany, as a Processor pursuant to Art. 28 GDPR. The technical and organizational security measures at STP Informationstechnologie GmbH were checked before granting the commission and are monitored regularly. The data you enter is transferred via an encrypted connection to a server of STP Informationstechnologie GmbH located in Germany and is stored there on behalf of the appointed insolvency administrator. Subsequently, the data will be accessed, processed and used exclusively within the scope of the purpose stated above by the appointed insolvency administrator via an encrypted connection. The transmission of your data takes place using an SSL certificate. Your personal data will only be transferred to Third Parties to the extent necessary for conducting the insolvency proceedings. After retrieving your data for filing a claim from CIS, it will be transmitted to the competent insolvency court (cf. § 175(1) Insolvency Code (InsO)). Furthermore, your data may be transferred to the following categories of recipients: Tax offices, tax advisors, lawyers and service providers with whom an order processing agreement has been concluded in accordance with Art. 28 GDPR.

G.7. Cookies (see B.6. in this respect)

The cookies used by CIS are exclusively so-called session cookies, with which your IP address is temporarily stored for the duration of the session at the beginning of the login process, exclusively due to mandatory security measures.  This is necessary, among other things, to be able to clearly assign your entries in the course of the filing of claims. Other logging techniques to evaluate your usage behavior either in a personalized or anonymized way are not used. Your IP address is not linked to other data. After the session ends (closing the browser), the content of the session cookies and thus your IP address is deleted immediately. The legal basis for the temporary storage of the data for the purposes stated above is Art. 6(1) point (f) GDPR.

Entschuldigung.

We're sorry.

Die Seite kann nicht dargestellt werden.

The page cannot be displayed.

Bitte aktualisieren Sie Ihren Browser.

Please update your browser.