With the following information we would like to give you an overview of how Andersch AG (“Andersch“) processes your personal data and your rights as per the data protection law. Which individual data is processed and how the data are used depends substantially on your relationship to us, whether you are a client, employee, website user or other data subject (such as a freelancer appointed for a certain project or someone who is interested in our services). Therefore, not all parts of this information will apply to you.
Who is responsible for the data processing (the controller) and who can I contact for information?
The controller is
Neue Mainzer Straße 80
60311 Frankfurt am Main, Germany
You can contact our data protection officer at:
RA Dr. Ralf-Thorsten Henn LL.M.
- Data Protection Officer -
Neue Mainzer Straße 80
60311 Frankfurt am Main, Germany
Which data and sources do we use?
We process personal data that we have received from our clients in the scope of our business relationships or from our employees in the scope of the employment (including trainees and working students), from website users or other data subjects. Furthermore, we process–if required to carry out our services–personal data that we have obtained legally from publicly accessible sources (e.g. commercial and company registers, land registers, press, internet) or that third parties have been authorized to give us (e.g. from a credit agency).
Relevant personal data are personal details (name, address and other contact information, date and place of birth as well as nationality) and identification data (e.g. information on passports or ID cards). These can also include order information (e.g. from our assignment letter), data from fulfilling our contractual obligations (e.g. from our payment transactions), documentation data (e.g. consultation report) as well as other data comparable to the categories stated here).
Why and on which legal basis do we process your data?
We process personal data as per the provisions in the
- General Data Protection Regulation (GDPR) and the
- German Federal Data Protection Act (BDSG).
(1) Within the scope of employment (Art. 26 (1) sentence 1 GDPR)
We process the personal data of our employees (including trainees and working students) in order to enter into, perform and end the respective employment.
(2) Based on consent having been given (Art. 6 (1) point a) GDPR)
If you have given us consent to process personal data for certain purposes (e.g. to establish contact, receive newsletters, register to our annual restructuring meeting), the lawfulness of this processing is based on your consent. The data subject has the right to withdraw his or her consent at any time. This also applies to the withdrawal of a declaration of consent that was given to us before the GDPR became valid, thus prior to 25 May 2018. The withdrawal of consent only applies to the future and is without prejudice to the lawfulness of the data processed before the withdrawal.
(3) For fulfilling (pre)contractual obligations (Art. 6 (1) point b) GDPR)
The processing of personal data belonging to our clients and to freelancers appointed by us for a certain project is necessary to perform and fulfill our contractual services with our clients or in order to take steps at the request of the data subject prior to entering into a contract. Further details on the data processing purposes are available in the relevant contractual documents and terms and conditions.
(4) Based on legal obligations (Art. 6 (1) point c) GDPR)
Furthermore, as a public limited company and an auditing company, we are subject to various legal obligations (e.g. in the German Auditors’ Ordinance (WPO), professional code of conduct for auditors/certified accountants, the German Commercial Code (HGB), German Stock Corporation Act (AktG), the German Securities Trading Act (WpHG), the German Money Laundering Act (GwG), tax laws). Processing purposes include, among others, the identification obligation to prevent money laundering, the obligation to set up and store reference files and compliance with reporting obligations under tax law.
(5) Based on overriding interests (Art. 6 (1) point f) GDPR)
If required in order to safeguard legitimate interests on our part, we will process your data beyond the purposes stated above, especially for
- measures to manage the business and to further develop services and products,
- marketing (also for direct contact) and market research provided you have not objected to the use of your data,
- for establishing legal claims and in defense during legal disputes.
Who can get hold of my data?
At Andersch, the people who require access to your data in order to fulfil our contractual and legal obligations are given access to your data. External third parties (especially freelancers and IT services) appointed by us and their vicarious agents may also be given data for these purposes and are bound by contract to treat all data confidentially. Data may also be transferred to other recipients, for instance, if you have given your consent to such bodies receiving your personal data or if we are authorized, based on overriding interests, to transfer the data to such bodies.
Are data transmitted to third countries?
There is basically no data transmission to bodies in countries outside of the European Union (in so-called third countries), unless
- it is prescribed by law (e.g. due to reporting obligations under tax law, provisions for combatting money laundering, terrorist financing and other criminal acts),
- you have given us your consent for this, or
- it is necessary in order to ensure IT operations and the CRM system at Andersch to transmit your personal data possibly to an IT service in the US or another third country that is in keeping with the same level of data protection as in Europe.
How long will my data be stored for?
We process and store your personal data as long as it is required for us to fulfil our contractual and legal obligations. It should be noted that our business relationship is a contract for the performance of a continuing obligation that certainly lasts several months and in many cases many years.
Once the data is no longer required for fulfilling contractual or legal obligations, such data is erased regularly unless the further processing (for a limited period) is required for the following purposes:
- to fulfill the obligation to preserve records under trade or tax law that may in particular arise from the German Auditors’ Ordinance (WPO), the German Commercial Code (HGB), German Stock Corporation Act (AktG), the German Money Laundering Act (GwG), the German Securities Trading Act (WpHG) and the German Tax Code). The time limits prescribed there for the preservation of relevant documents generally amount to between two and ten years.
- Keeping evidencing documents in line with the statute of limitations.
As per Sections 195 et seq. of the German Civil Code (BGB) statutes of limitation may last up to thirty years whereby the standard limitation period is three years.
What data protection rights do I have?
Each and every data subject has the
- right to access as per Art. 15 GDPR,
- the right to request rectification as per Art. 16 GDPR,
- the right to erasure as per Art. 17 GDPR,
- the right to restriction of processing as per Art. 18 GDPR,
- the right to object as per Art. 21 GDPR,
- the right to data portability as per Art. 20 GDPR.
The restrictions as per Sections 34 and 35 German Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure. Moreover, the right to lodge a complaint with a competent data protection supervisory authority applies as per Art. 77 GDPR in conjunction with Section 19 German Federal Data Protection Act (BDSG).
You may withdraw consent given for processing personal data at any time. This also applies to the withdrawal of a declaration of consent that was given to Andersch before the GDPR became valid, thus prior to 25 May 2018. Please note that the withdrawal only applies to the future. It does not affect processing that took place before the withdrawal.
How does Art. 21 GDPR determine the right to object?
On grounds relating to your particular situation, you have the right to object at any time to processing of personal data concerning you which is based on Art. 6 (1) point f) GDPR (weighing up different interests); this also includes profiling within the meaning of Art. 4 (4) GDPR based on those provisions.
If you object, we will no longer process the personal data concerned, unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also includes profiling provided to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be written informally with the subject line “objection”, including your name, address and date of birth, and be sent to our data protection officer (see above).
Am I under obligation to make data available?
Within the scope of your business relationship with Andersch, you must make available any personal data that are required to enter into, perform and end a business relationship and that are required to fulfill the contractual obligations relating thereto or that we are legally required to collect. Generally, we will not be able to conclude, perform or end a contract with you without such data.
In particular, we are bound by the money laundering rules to identify you by means of your ID document before entering into a business relationship and thereby to collect and record your name, date and place of birth, nationality, address and ID information (cf. Section 11 (1) and (4) of the German Money laundering Act (GwG). To enable us to comply with this obligation, you are required under the German Money Laundering Act (GwG) to make available the necessary information and documents and inform us without undue delay of any changes to such information that may occur during our business relationship. If you do not make available to us the necessary information and documents, we will not be able to honor your request to begin or continue the business relationship.
To what extent does automated decision-making or profiling take place?
Andersch does not employ any fully automated decision-making as per Art. 22 GDPR to enter into or perform business relationships.
We process some of your data automatically in order to evaluate certain personal aspects (so-called profiling), for example in order to inform you about and offer advice on our products and services. This enables us to communicate, undertake marketing and market research on an as-needed basis.
Which data is collected, processed or used on the Andersch website and for what purposes?
It could however result in not all features on our website being available for use.
(2) Log files
Each time a page is clicked on, the Andersch website records various general data and information. This general data and information is stored in the server’s log files.
- The browser type and versions used,
- the operating system used by the accessing system,
- the referrer website from which an accessing system reaches our website,
- the sub-pages that an accessing system wants to reach on our website,
- the date and time the page was accessed,
- an internet protocol address (IP-address),
- the internet service provider of the accessing system and
- other similar data and information that serve to avert danger in the event of attacks on our information technology systems
may be collected.
When using this general data and information, Andersch has no inference on the data subject. In fact, this information is required to
- deliver the website content correctly,
- optimize the content of our website and website marketing,
- ensure our information technology systems and our website technology function permanently, and
- to make available any information required for criminal prosecution to the prosecution authorities in the event of a cyber attack.
These anonymous data and information collected are thus analyzed by Andersch for statistical reasons and with the objective of increasing data protection and data security in our company in order to ensure an optimal level of protection for the personal data that we process. The anonymous data of the server log files are stored separately from all personal data made available by the data subject.
In order to contact you, send newsletters, register you to our annual restructuring meeting etc. as offered on our website, we ask you to provide us with your name, address and email address via the standard contact form. By entering your data, you consent to us storing your data and to using your data for the purposes stated above. The data subject has the right to withdraw his or her consent at any time.
(4) Google Analytics, Google-AdWords
Andersch has integrated the Google Analytics components on its website (with anonymization function).
Google Analytics is a web analysis service. Web analysis is the collection, compilation and evaluation of behavioral data of people using the website. A web analysis service records, for instance, data showing from which website the data subject accessed a website (referrer website), which sub-pages were accessed and how often a sub-page was visited and how much time was spent on it.
The controller, who is responsible for the processing, uses the ending “_gat._anonymizeIp” for the web analysis via Google Analytics. This ending means that the IP address of the data subject’s internet connection is shortened and anonymized by Google if our website is accessed from a Member State of the European Union or another state party to the Agreement on the European Economic Area.
The purpose of the Google-Analytics component is to analyze the streams of visitors on our website. Google uses the data and information collected, among other things, to analyze how our website is used, to collate online reports for Andersch which show the activity on our website, and to perform other services in connection with the use of our website.
Andersch has also integrated Google AdWords on its website.
Google AdWords is a service for internet marketing that allows the advertiser to advertise in the Google search engine results as well as in the Google advertising network. Google AdWords allows an advertiser to pre-determine certain key words with which an advertisement is then shown in the Google search engine results only if the user enters a search that is relevant to the key word in the search engine. In the Google advertising network, advertisements are distributed among relevant websites by means of an automatic algorithm taking into consideration the key words that were set in advance.
The purpose of Google AdWords is to advertise our website by displaying interest-relevant advertisement on third party websites and in the search engine results of the Google search engine and, if applicable, to display third party advertisements on our website.
Website users may object to the interest-related advertisements on Google. To do this, the data subject must go to www.google.de/settings/ads on all browsers used and make the appropriate settings there.
Both Google Analytics and Google AdWords generally place cookies on the information technology system of the respective data subject (for cookies see above).
The Google Analytics component and Google AdWords are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Click on https://www.google.com/intl/de_de/analytics/ for a more detailed description of Google Analytics.
Andersch has also integrated YouTube components on its website.
YouTube is an internet video site that allows video publishers to upload videoclips free of charge and also allows other users to watch, evaluate and comment on them free of charge. YouTube allows all kinds of videos to be published and full-length films and television programs, music videos, film trailers or videos made by users can be accessed via the website.
Each time that one of the Andersch web pages with an integrated YouTube component (YouTube video) is clicked on, the respective YouTube component automatically triggers the internet browser on the data subject’s information technology system to download the respective YouTube component information from YouTube.
Within this technical process, YouTube and Google are given information as to which exact sub-page on our website the data subject is visiting. If the data subject is simultaneously logged into YouTube, YouTube recognizes upon calling up a sub-page that includes a YouTube video, which exact sub-page on our website the data subject is visiting. This information is collected by YouTube and Google and attributed to the data subject’s YouTube account.
YouTube and Google gain information via the YouTube components whenever the data subject has visited our website if the data subject is logged into YouTube when he or she clicks on our website; it is irrelevant whether the data subject clicks on a YouTube video or not. If the data subject does not want such information to be transmitted to YouTube and Google, the transmission can be prevented if the data subject logs out of YouTube before clicking on our website.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data policy published by YouTube can be accessed via this link: https://www.google.de/intl/de/policies/privacy/.
Click on https://www.youtube.com/yt/about/de/ for further details on YouTube.
(6) LinkedIn, Xing
Andersch has also integrated components from LinkedIn Corporation on its website.
LinkedIn is an internet-based social network that connects users with existing business contacts and enables new business contacts to be made.
Each time that one of our web pages with an integrated LinkedIn component (LinkedIn plug-in) is clicked on, this component triggers the internet browser used by the data subject to download the respective component information from LinkedIn. Within this technical process, LinkedIn is given information as to which exact sub-page on our website the data subject is visiting.
If the data subject is simultaneously logged into LinkedIn, LinkedIn recognizes which exact sub-page on our website the data subject is visiting each time the data subject clicks on our website and during the entire time spent on our website. This information is collected by the LinkedIn component and attributed by LinkedIn to the data subject’s LinkedIn account. If the data subject clicks on the LinkedIn button integrated on our website, LinkedIn attributes this information to the data subject’s personal LinkedIn account and stores the personal data.
LinkedIn gains information via the LinkedIn component whenever the data subject has visited our website when the data subject is logged into LinkedIn when he or she clicks on our website; it is irrelevant whether the data subject clicks on the LinkedIn component or not. If the data subject does not want such information to be transmitted to LinkedIn and Google, the transmission can be prevented if the data subject logs out of LinkedIn before clicking on our website.
LinkedIn allows you to unsubscribe from emails, text messages and targeted advertisements and to manage the advertisement settings by clicking on https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua und Lotame which may set cookies. Such cookies can be rejected by clicking on https://www.linkedin.com/legal/cookie-policy.
Further information on LinkedIn plug-ins is available at https://developer.linkedin.com/plugins.
Andersch has also integrated Xing components on its website.
Xing is an internet-based social network that connects users with existing business contacts and enables new business contacts to be made. Individual users can set up a personal profile on Xing. Companies can set up a company profile or publish job offers on Xing.
Each time that one of our web pages with an integrated Xing component (Xing plug-in) is clicked on, the respective Xing component automatically triggers the internet browser on the data subject’s information technology system to download the respective Xing component information from Xing. Further information on Xing plug-ins is available at https://dev.xing.com/plugins.
Within this technical process, Xing is given information as to which exact sub-page on our website the data subject is visiting.
If the data subject is simultaneously logged into Xing, Xing recognizes which exact sub-page on our website the data subject is visiting each time the data subject clicks on our website and during the entire time spent on our website. This information is collected by the Xing component and attributed by Xing to the data subject’s Xing account. If the data subject clicks on the Xing button integrated on our website, for example the “Share” button, Xing attributes this information to the data subject’s personal Xing account and stores the personal data.
Xing gains information via the Xing components whenever the data subject has visited our website when the data subject is logged into Xing when he or she clicks on our website; it is irrelevant whether the data subject clicks on the Xing component or not. If the data subject does not want such information to be transmitted to Xing, the transmission can be prevented if the data subject logs out of his or her Xing account before clicking on our website.
Xing is operated by XING SE, Dammtorstraße 30, 20354 Hamburg, Germany.