Privacy Policy

1. Introduction

Nikol & Goetz Partnerschaft von Rechtsanwälten mbB (“Nikol & Goetz“, „we“, „us“) is a data protection boutique firm. As such, the protection of your personal data is a top priority for us. The purpose of this privacy policy (the “Policy”) is to inform you about our processing of your personal data.

This Policy is addressed to visitors of our website www.nikolgoetz.com (the “Website”) and other individuals outside Nikol & Goetz with whom we communicate with or have a business relationship. This includes in particular:

  • our (potential) clients to whom we provide our services to or whom we communicate with regarding our services. This includes employees and other staff members, representatives, consultants, advisors and counterparties (e.g. in legal proceedings) of our (potential) clients;
  • our other business partners (e.g., our service providers) and their employees and staff members;

2. Controller

Nikol & Goetz is the controller of the personal data processed in accordance with this Policy, unless expressly stated otherwise.

Contact Details

Nikol & Goetz Partnerschaft von Rechtsanwälten mbB, Konrad-Goldmann-Str. 5a, 79100 Freiburg, Germany, email: info@nikolgoetz.com.

Further information about Nikol & Goetz can be found in our Legal Information section.

3. Categories of Personal Data

The kinds of personal data that we process may fall under any of the categories set out below (the “Data Categories”) and is subject to the type of business relationship between you and us.

  • Identity Data
    data that relates directly to your identity (e.g., first name, surname, gender, nationality, date of birth);
  • Contact Data
    data that enables communication (e.g., correspondence address, email address, telephone number);
  • Professional Data
    data that relates to your job and other professional activities (e.g., your role, name of your employer, your areas of responsibility);
  • Communication Data
    data that forms the content of communication (e.g., content of conversations, written correspondence, application documents);
  • Services Data
    data that relates to our provision of services (e.g., content of documents, reports or contracts, content of notes, memos, or other legal documents created by us, types of clients or customers, lists of participants);
  • Provider Data
    data that relates to the provision of services from services providers to us (e.g., content of contracts, notes and protocols from meetings with our service providers).
  • Visitor Data
    data that relates to visits of our premises (e.g., time and date of visit, purpose of visit, specific needs of visitor);
  • Consent Data
    data that relates to consent to processing of personal data (e.g., date and time of consent given, the fact that consent has been given or withdrawn);
  • Payment Data
    data that relates to the issuance or payment of invoices (e.g., billing address, invoice number, content of time sheets, bank account details, payment history);
  • Usage Data
    data that relates to your visit of our Website (e.g., IP-Addresses, device information, location).

4. Sources of Personal Data

The personal that we process may originate from any of the following sources:

  • Data Subject: we may collect personal data that you provide to us (e.g. in person, via email, by telephone, when you give us your business card). This would usually include any of the following Data Categories: Identity Data, Contact Data, Communication Data, Payment Data or Services Data.
  • Our Website: we may collect certain personal data when you visit our Website. This would usually include the following Data Category: Usage Data.
  • Third Parties: we may obtain your personal data from third parties. This is the case, for example, if you are the counterparty in a proceeding in which we represent one of our clients. The client and/or a court may provide us with your personal data as part of the proceedings or negotiations. This would usually include any of the following Data Categories: Identity Data, Contact Data or Services Data. Your personal data may also be provided to us by law firms or other advisors that cooperate with us.
  • Publicly Available Sources: in some cases, we may obtain your personal data from publicly available sources. This includes, but is not limited to, public registers or information available on the Internet. This would usually include any of the following Data Categories: Identity Data, Contact Data.
  • Self-created Data: depending on the business relationship between you and us, or your employer and us, we may also create personal data about you (e.g. in connection with meetings, participation in our events or job interviews). This would usually include any of the following Data Categories: Identity Data, Services Data.

5. Our Clients

We may process the personal data of our (potential) clients to whom we provide our services or to whom we are in communication with about our services. This would very often also include the processing of personal data of the (potential) clients’ employees, representatives, advisors or of the clients’ counterparties (e.g., as part of court proceedings or contract negotiations) and their employees and representatives. In the table below, we have set out the purposes of the relevant processing activities, the relevant Data Categories, and the legal basis for each processing activity.

Taking on a new client or opening a new matter

Purpose of Processing
  • identifying you as our (potential) client;
  • pre-contractual correspondence, providing details about our offers and cost estimates;
  • conducting conflict checks to avoid conflicts of interest.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
Legal Basis
  • Taking steps prior to entering into a contract (Art. 6(1)(b) GDPR) with respect to the processing of personal data of the (potential) client.
  • For the rest: compliance with legal obligations (Art. 6(1)(c) GDPR, sec. 43(a) BRAO).

Providing our client services

Purpose of Processing
  • performance of our services (e.g., providing legal advice, defending the interests and enforcing the rights of our clients, responding to requests, assessment of the facts of a particular case, communication with the counterparty and its representatives, communication with courts or regulatory bodies).
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Services Data
Legal Basis
  • Performing of the contract with the client (Art. 6(1)(b) GDPR), with respect to the processing of personal data of the client.
  • For the rest: legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is the performance of the contract with our client.

Operating our business

Purpose of Processing
  • internal management and administration, including record management or maintaining other internal protocols;
  • management of our IT and security systems;
  • financial administration (e.g., invoicing);
  • accounting;
  • compliance with tax laws and regulations.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Services Data
  • Payment Data
Legal Basis
  • Compliance with legal obligations (Art. 6(1)(c) GDPR).
  • For the rest: legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is the operation of our business.

Compliance with certain legal obligations

Purpose of Processing
  • conducting compliance checks to comply with our legal obligations (“know your customer”-checks)
  • disclosure to courts or regulatory bodies, where legally required
Data Category
  • Identity Data
  • Professional Data
Legal Basis
  • Compliance with legal obligations (Art. 6(1)(c) GDPR).

Communication and direct marketing

Purpose of Processing
  • updating your contact details (if relevant);
  • communicating with you (via email, by telephone or post, or via social media channels) about legal news, in particular news relating to data protection matters, or news regarding our firm or our services;
  • inviting you to our events.
Data Category
  • Identity Data
  • Contact Data
  • Consent Data
Legal Basis
  • Your consent (Art. 6(1)(a) GDPR).
  • To the extent consent is not required and we have not asked for your consent: legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is maintaining our relationship with our clients and organising events.

Naming references

Purpose of Processing
  • providing information and naming references to publishers in connection with law firm rankings.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Consent Data
Legal Basis
  • Your consent (Art. 6(1)(a) GDPR).

Retention of documents relating to our clients and the services provided by us

Purpose of Processing
  • protecting our interests and enforcing our rights.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Services Data
  • Payment Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is protecting our interests and enforcing our rights.

6. Other Business Partners of Nikol & Goetz

We may process the personal data of our other (potential) business partners and their employees and staff members. This includes third parties that provide services to us. In the table below, we have set out the purposes of the relevant processing activities, the relevant Data Categories, and the legal basis for each processing activity.

Entering into a contract with a third party

Purpose of Processing
  • pre-contractual correspondence;
  • requesting details about the third party’s offers and cost estimates.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
Legal Basis
  • Taking steps prior to entering into a contract (Art. 6(1)(b) GDPR) with respect to the processing of personal data of the (potential) business partner.

Performance of the contract

Purpose of Processing
  • receiving goods or services, performing the contract and communication in relation the performance of the contract; 
  • payment processing;
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Provider Data
  • Payment Data
Legal Basis
  • Performing of the contract with the business partner (Art. 6(1)(b) GDPR), with respect to the processing of personal data of the business partner.
  • For the rest: legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is the performance of the contract with our business partner.

Operating our business

Purpose of Processing
  • internal management and administration, including record management or maintaining other internal protocols;
  • management of our IT and security systems;
  • financial administration (e.g., invoicing);
  • accounting;
  • compliance with tax laws and regulations.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Provider Data
  • Payment Data
Legal Basis
  • Compliance with legal obligations (Art. 6(1)(c) GDPR).
  • For the rest: legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is the operation of our business.

Retention of documents relating to our business partners and the services provided by them to us

Purpose of Processing
  • protecting our interests and enforcing our rights.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Communication Data
  • Provider Data
  • Payment Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is protecting our interests and enforcing our rights.

7. Participants in Events

We may process the personal data of participants in our events (e.g., workshops or seminars). The events are mostly offered for or conducted by our clients. However, from time to time, other persons may be permitted to register for and participate in an event. In the table below, we have set out the purposes of the relevant processing activities, the relevant Data Categories, and the legal basis for each processing activity.

Organising, hosting and running an event

Purpose of Processing
  • creating and managing lists of participants;
  • communicating with participants regarding details of the event(s).
Data Category
  • Identity Data
  • Contact Data
  • Communication Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is organising, hosting, and running an event.

Retention of documents relating to our events and participants attending the events

Purpose of Processing
  • protecting our interests and enforcing our rights.
Data Category
  • Identity Data
  • Contact Data
  • Communication Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is protecting our interests and enforcing our rights.

8. Applicants

We may process the personal data of individuals that apply for a job or internship with us (e.g., interns, trainees, or lawyers). In the table below, we have set out the purposes of the relevant processing activities, the relevant Data Categories, and the legal basis for each processing activity.

Carrying out the application process

Purpose of Processing
  • reviewing applications;
  • contacting and communicating with applicants;
  • carrying out interviews.
Data Category
  • Identity Data
  • Contact Data
  • Communication Data
Legal Basis
  • Taking steps prior to entering into a contract (Art. 6(1)(b) GDPR; sec. 26 BDSG).

Retention of documents relating to the application and the application process

Purpose of Processing
  • protecting our interests and enforcing our rights.
Data Category
  • Identity Data
  • Contact Data
  • Communication Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is protecting our interests and enforcing our rights.

9. Visitors to Our Premises

We may process the personal data of individuals visiting our premises. In the table below, we have set out the purposes of the relevant processing activities, the relevant Data Categories, and the legal basis for each processing activity.

Managing visits to our premises

Purpose of Processing
  • creating and managing lists of visitors;
  • taking measures to meet specific needs of our visitors.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Visitor Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is managing visits to our premises and meeting specific needs of our visitors.

Retention of documents relating to the visit of our premises

Purpose of Processing
  • protecting our interests and enforcing our rights.
Data Category
  • Identity Data
  • Contact Data
  • Professional Data
  • Visitor Data
Legal Basis
  • Legitimate interests (Art. 6(1)(f) GDPR) – the legitimate interest is protecting our interests and enforcing our rights.

10. Visitor of the Website (Cookies)

When you visit our Website, certain Usage Data will automatically be processed.

Cookies

“Cookies” are small text files that may be transferred to your device (e.g. computer, smartphone) when you visit a website by means of your web browser or other programmes. These are stored locally on your end device and kept ready for later retrieval.

We only use cookies on our website, including those of our service providers, to enable the technical functions of the website (Art. 6 (1)(f) GDPR). This is for the purpose of adequately presenting the content.

Refusing/Deleting Cookies

The Website only uses cookies that are necessary to allow the technical operation of the Website. You can set your internet browser to warn you before accepting cookies, to refuse cookies or to restrict their use. However, if you set your browser to refuse cookies or to restrict their use, you may not be able to use certain functions or features of the Website anymore. Your internet browser also allows you to delete stored cookies at any time.

More information on how to manage cookies in your internet browser is available from the following links for the most commonly used internet browsers:

Google Chrome

Firefox

Microsoft Edge

Safari

Unless you have different settings, cookies that enable and ensure the technical operation of our Website remain on your device for a maximum of one day, but most cookies only remain until you close the browser.

11. Disclosure of Personal Data to Third Parties

In some case, we may transfer your personal data to third parties. This will be done solely in connection with the purposes of processing as set out above and always in compliance with our professional duties. The possible recipients of your personal data include the following companies, institutions, or persons:

  • Courts and Regulatory Bodies
    we may disclose your personal data to courts and regulatory bodies either in connection with our provision of services (Art. 6(1)(b) GDPR) or because we have a legal obligation to do so (Art. 6(1)(c) GDPR). We may also disclose your personal data where we have a legitimate interest in doing so (e.g., for protecting our interests or enforcing our rights) (Art. 6(1)(f) GDPR).
  • Tax Consultants and Legal Advisors
    we may disclose your personal data to our tax consultants and legal advisors for the purpose of operating our business (Art. 6(1)(f) GDPR). In some cases, we may also disclose the data for the purpose of protecting our interests or enforcing our rights (Art. 6 (1)(f) GDPR).
  • Service Providers (IT and Logistics)
    we may disclose your personal data to our service providers (IT and logistics) for the purpose of operating our business (Art. 6(1)(f) GDPR). In addition, such disclosure may be for the purpose and in connection with the provision of our services. The legal basis for this disclosure is either your consent (Art. 6(1)(a) GDPR) or because it is necessary for the performance of our contract with you (Art. 6(1)(b) GDPR).
  • Service Providers (Print and Advertising)
    we may disclose your personal data to our service providers (print and advertising) for the purpose of direct marketing. The legal basis for this disclosure is either your consent (Art. 6(1)(a) GDPR) or our business interests (Art. 6(1)(f) GDPR).
  • Others
    we may also disclose your personal data to other third parties (e.g. law firms or consultants), but only if you have requested us to do so (Art. 6(1)(a) GDPR) or if such disclosure is necessary for the performance of our contract with you (Art. 6(1)(b) GDPR).

12. International Transfer of Personal Data

For the purposes of processing your personal data as set out in this Policy, we may need to transfer your data to other third parties as noted in section 10 above. For this reason, the data may have to be transferred to a recipient in a country that is neither a Member State of the European Union nor a member of the European Economic Area (“Third Country”). For some Third Countries, the European Commission has determined that they provide an adequate level of protection for personal data (e.g., Switzerland, Canada, Argentina) (“Adequate Jurisdiction”). Where we transfer personal data to a recipient that is located in a Third Country that has not been determined to be an Adequate Jurisdiction, we do so on the basis of Standard Contractual Clauses as adopted by the European Commission. You can contact us at info@nikolgoetz.com to request copies of the relevant Standard Contractual Clauses.

13. Data Retention

We will only process your personal data for as long as it is necessary for the purposes set out in this Policy or as required by applicable law. When determining the retention period, we take into account the purposes for which we process the relevant personal data and whether such purposes can be achieved without the data, the categories of the relevant data, risks in the event of a data breach and legal obligations that require us to retain the data. For example, personal data that relates to your enquiries or orders are usually retained for six years as a “business letter” (sec. 257(4) HGB, Art. 6(1)(c) GDPR) or ten years as a “commercial letter” (sec. 147(3) AO, Art. 6(1)(c) GDPR).

14. Your Legal Rights

Generally, you have the right not to provide us with your personal data. However, in some cases, we have a legal obligation to process your personal data (e.g., for the purpose of running conflict checks) or we require your personal data to be able to respond to your enquiries or to provide our services. In a relationship between us as your legal advisor and you as our client, such mandatory data includes at the minimum, your name, your address, and the content of your enquiry.  Without the provision of this mandatory data, we will not be able to process your enquiries or perform our services.

If you have any questions about our processing of your personal data, we are of course happy to provide you with the information about the personal data concerning you and the related processing activities (Art. 15 GDPR). Subject to the legal requirements being met, you also have a right to obtain: (i) rectification of your personal data (Art. 16 GDPR); (ii) erasure of your personal data (Art. 17 GDPR); and (iii) restriction of processing of your personal data (Art. 18 GDPR). You also have a right to data portability (Art. 20 GDPR) and a right to lodge a complaint with a data protection authority (Art. 77 GDPR, sec. 19 BDSG). Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7(3) GDPR).

Your right to object: Where we process your personal data on the basis of Art. 6(1)(f) GDPR, you have the rights to object to such processing at any time on grounds relating to your particular situation (Art. 21(1) GDPR). Furthermore, where we process your personal data for direct marketing purposes, you have a right to object to such processing at any time (Art. 21(2) GDPR).

To exercise your rights, you can contact us at any time at our postal address or by email (info@nikolgoetz.com). 

15. Definitions

BDSG“ means the German Federal Data Protection Act (Bundesdatenschutzgesetz der Bundesrepublik Deutschland).

controller“ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

GDPR“ means Regulation (EU) 2016/679 (General Data Protection Regulation).

personal data“ means any information relating to an identified or identifiable natural person.

processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.