Privacy Notice

At Gleiss Lutz, we are committed to protecting your personal data. This Privacy Notice sets out how your personal data is processed by Gleiss Lutz when 

  • you visit our website (see section B),
  • we process your data in connection with working on a client matter (section C),
  • we maintain business relations with you or a company to which you belong independent of any client matters (suppliers, service providers, other contractual partners, section D),
  • you consent to receiving information from us about current legal developments and events we host or otherwise participate in such events (section E),
  • you have applied for a position at Gleiss Lutz through our career portal or have otherwise expressed interest in a career at Gleiss Lutz (section F), or
  • you participate via Microsoft Teams, an application by Microsoft Deutschland GmbH (Walter-Gropius-Straße 5, 80807 Munich, Germany – “Microsoft”), in an audio- or video conference, a chat and/or desktop sharing session with us or if you work together with us via the respective co-working-platform (section G),
  • you, your employer, partner or another person applies or has applied to take part in the Gleiss Lutz Start-up Program on behalf of the start-up you work for (section H),
  • we process your data as part of company research (section I),
  • you use our Client Collaboration Platform (section J).

In addition, this Privacy Notice contains general information about the forwarding of your data to third parties (section K) as well as your rights regarding the processing of your data (section L).

Gleiss Lutz processes your data in accordance with the data protection provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz - “BDSG”) in the version of 25 May 2018 and Regulation (EU) 2016/679 (hereinafter the “GDPR”).

Should you still have questions or concerns after reading this Privacy Notice, please contact our data protection officer at datenschutz@gleisslutz.com.

For information on the processing of personal data by Gleiss Lutz’s notaries, please read our Privacy Notice, Notaries

The party responsible for processing your personal data, i.e. the “controller” within the meaning of Article 4, no. 7 GDPR, is Gleiss Lutz Hootz Hirsch PartmbB Rechtsanwälte, Steuerberater, Lautenschlagerstrasse 21, 70173 Stuttgart (hereinafter “we” or “us”).

I. What data do we process when you visit our website?

When you visit our website, our servers automatically store various data about your system, such as the type and version of your browser, your operating system, the website from which you arrive, the pages you access, the date and time of your access, your IP address, your internet service provider, and other, similar data.

We use such data to make the website accessible, to detect and resolve any technical issues, and to prevent and, if necessary, prosecute any misuse of our website. In addition, we use these data in anonymous form, i.e. without the possibility of identifying the user, for statistical purposes and to improve the website. The legal basis for processing personal user data is Article 6(1)(f) GDPR.

II. How are cookies used?

Our website uses cookies and similar technologies (hereinafter “cookies”). Cookies are small text files that are stored on the user’s hard drive to exchange certain settings and data with our systems via the browser. A cookie generally contains the name of the domain from which the cookie data were sent, as well as information about the age of the cookie and an alphanumeric identifier. Information stored in cookies are not used to identify users and are not merged with any other stored personal data about users. 

Cookies can be blocked or restricted by changing your browser settings. Cookies that have already been stored may be deleted at any time. This can also be done automatically. If cookies are blocked it may affect how our website functions for you.

The cookies currently used on our website are described in our cookie banner under “Settings”. You can access the cookie banner here. There, you can withdraw any consent granted with future effect by either choosing “Deny” or deselecting the options selected under “Settings”.

III. How are data I enter into the contact form processed?

Our website has a form you can use to contact us. To do so, you must provide your title (Ms/Mr), first and last name, and e-mail address, as well as the text and purpose of your inquiry (career/media/events/general). In addition, you may provide your professional title, address, and telephone number, if you wish. Personal data transmitted to us in this connection will be used exclusively to process your inquiry. The legal basis for processing such data is Article 6(1)(f) GDPR.

IV. What happens when I subscribe to a newsletter?

You can subscribe to Gleiss Lutz newsletters on our website. To do so, you must consent to the processing of your personal data and provide your e-mail address, first and last name, professional title, position in the company, if applicable, the name of your company, and the topics on which you wish to receive information. Additional information can be provided on a voluntary basis. This information will only be used to send you the newsletter and will not be transferred to any third parties. The legal basis for processing such data is Article 6(1)(a) GDPR. You may withdraw your consent at any time, without this affecting the lawfulness of data processing that occurs before consent is withdrawn. If consent is withdrawn, you will no longer receive the newsletter.

When you subscribe to our newsletter, your IP address and the date and time of subscription and e-mail verification will be collected. These data will be processed exclusively for the purpose of allowing us to reconstruct any possible misuse of your e-mail address. The legal basis for processing the aforementioned data is Article 6(1)(f) GDPR.

Our newsletter contains a tracking pixel. A tracking pixel is a miniature image file that is embedded in e-mails in HTML format. The embedded tracking pixel allows us to recognise whether and, if so, when you open the newsletter and on which of the links in the newsletter you click. Data collected via tracking pixels are stored and processed in anonymised form for statistical purposes to optimise distribution of our newsletter and tailor the content of future newsletters even more to the interests of the recipient.

V. How long are my personal data stored?

Personal data of visitors to our website will be deleted if and when they are no longer necessary for the purposes described in this Privacy Notice, unless a longer storage period is required by law. Data about your use of our website is generally stored for a period of 30 days (section B.I). Cookies are stored for the aforementioned (section B.II.) periods. You can also delete the cookies at any time, as described above. Information you enter into the contact form will be deleted as soon as your inquiry has been fully processed (section B.III.) Newsletter subscription data will be stored until you unsubscribe from the newsletter (section B.IV.). 

We process personal data where this is necessary for establishing client relationships and handling client matters.

I. Who are the data subjects?

We processes personal data of

  • clients and their employees and board members (management board members, managing directors),
  • third parties whose personal data are required for establishing the client relationship or handling the client matter. Such third parties include the client’s direct and indirect shareholders, its business and contractual partners as well as advisors, (potential) opponents in a legal dispute and their legal advisors as well as in each case the employees and board members of the aforementioned persons and entities,
  • employees of authorities and courts,
  • witnesses and experts.

II. What personal data are processed?

We process the following categories of personal data to the extent necessary for establishing a client relationship or handling a client matter:

  • contact information, in particular first and last name, title where applicable, address, telephone number, e-mail address,
  • information on occupation,
  • information on income and assets,
  • other personal data necessary for determining and legally assessing the facts of the matter and providing appropriate legal advice and representing the client in connection with the matter.

In individual cases, the data we process may also include special categories of personal data within the meaning of Article 9 GDPR (e.g. data concerning health) and data on criminal convictions and offences within the meaning of Article 10 GDPR.

III. From what sources does Gleiss Lutz receive the data it processes?

Where we do not receive personal data either directly from the data subjects (e.g. when corresponding with contact persons at the client and/or opposing party) the data are collected from the following sources:

  • clients,
  • courts and authorities (e.g. when inspecting files and/or receiving information),
  • other third parties (e.g. parties to the proceedings, witnesses etc.),
  • publicly accessible sources (public registers, internet searches).

IV. For what purposes are the data processed?

We process data in connection with a client matter for the following purposes:

  • to fulfil legal requirements (e.g. according to the Money Laundering Act) of identifying the client and the beneficial owners associated with the client. The legal basis for this processing is Article 6(1)(c) GDPR,
  • to check for possible conflicts of interest before accepting a matter,
  • to determine and legally assess the facts of the matter,
  • to provide legal advice and represent the client,
  • to correspond with clients, authorities, courts and other parties involved,
  • to issue invoices,
  • to process and assert other claims arising from the client relationship.

The legal basis for this processing is, insofar as personal data of our clients are processed, Article 6(1)(b) GDPR; otherwise, Article 6(1)(f) GDPR applies. The legal basis for the processing of special categories of personal data is Article 9(2)(f) GDPR.

V. Who is personal data transferred to?

Insofar as is necessary for work on a client matter, we transfer personal data to the following recipients:

  • clients,
  • authorities and courts,
  • other third parties. These include direct and indirect shareholders of the client, business and contractual partners as well as advisors of the client, (potential) opponents in a legal dispute and their legal advisors.

In individual cases, data is also be transferred to recipients in third countries outside the European Union or the European Economic Area for which the European Commission has not formally established the existence of an adequate level of data protection in accordance with Article 46 GDPR. Insofar as the transfer is not required for the establishment, exercise or defence of legal claims (Article 49(1)(e) GDPR) and there is no other reason for the transfer pursuant to Article 49(1) GDPR, we will ensure that appropriate safeguards are in place for the protection of the personal data at the recipient, generally in the form of data protection agreements on the basis of standard data protection clauses pursuant to Article 46(2)(c) GDPR. Further information on these safeguards can be obtained from our data protection officer at datenschutz@gleisslutz.com.

VI. How long are personal data stored?

Personal data are stored for as long as is necessary to process these for the purposes described in IV., unless a longer storage period is required by law.

We process personal data when cooperating with service providers, suppliers and other business partners (hereinafter “business partners”).

I. Who are the data subjects?

We process personal data of our business partners and their employees.

II. What personal data are processed? 

We process the following categories of personal data to the extent necessary for the establishment or performance of our contractual relationships with business partners:

  • contact information, in particular first and last name, title where applicable, address, telephone number, e-mail address,
  • information on occupation,
  • bank account details.

III. From what sources does Gleiss Lutz receive the data it processes?

Where we do not receive personal data directly from the data subjects themselves (e.g. when corresponding with contact persons at business partners), they are usually collected from our business partner as the employer of the data subject.

IV. For what purposes are the data processed?

We process the personal data referred to in II. for the purpose of establishing and performing contractual relationships with our business partners. The legal basis for this processing is, insofar as personal data of our business partners are processed, Article 6(1)(b) GDPR; otherwise, Article 6(1)(f) GDPR applies.

V. How long are personal data stored?

Personal data are stored for as long as is necessary to process these for the purposes described in IV., unless a longer storage period is required by law.

If you have consented to receiving information about current legal developments and Gleiss Lutz events, we will use your contact information (title, first and last name, professional title, business address and position, and e-mail address) to send you the requested information (generally by e-mail). The legal basis for this processing is Article 6(1)(a) GDPR. You may withdraw your consent at any time with future effect. If you do so, we will no longer send you information and will delete your contact information. The same applies, whether or not you withdraw your consent, if we have had no contact with you for more than two years. Your contact information will not be deleted if we have a right or obligation to continue to store your information for other legal reasons (e.g. in connection with work on a client matter).

If we invite you to an event based on your consent, we will process the aforementioned data in order to provide you with a prefilled registration form. If you register for the event, we will process your name, your company or organisation and your position, so that we can provide you and the other attendees with a list of all those attending. If the event is organised and/or held together with our European Network, your name, job title/position and company affiliation may in particular be shared with and processed by our partner firms Chiomenti Law Firm (No. 43 XXIV Maggio, 00187 Rome), Cuatrecasas, Gonçalves Pereira, S.L.P. (Diagonal 191, 08018 Barcelona) and Gide Loyrette Nouel Law Firm, LLP (15 rue de Laborde, 75008 Paris) for the purposes of holding the event. The legal basis for this processing is Article 6(1)(f) GDPR.

There may also be instances where you are invited to a joint event as a contact of one of our partner firms and we take care of invitation management for the event, i.e. particular document and manage acceptances and declines. For this purpose, we will collect your name, contact details, data on your company affiliation and your possible participation in the respective event, if you register via the online registration form provided by us after having been invited by a partner firm. If you accept or decline, possibly also updating your contact details, this will be managed by us and we may pass on your updated data to the partner firm that invited you to the event. If you do not respond to the invitation, we will not process any personal data about you in connection with the event. The legal basis for this processing is Article 6(1)(f) GDPR, as Gleiss Lutz and its partner law firms have a legitimate interest in the effective running of the event and in keeping the data you have provided to us up-to-date. This does not affect the sharing of names, job title/position and company affiliation as described above.

This section contains information about how we process your personal data if you

  • have applied for a position at Gleiss Lutz through our career portal,
  • have worked for us as an intern, research assistant, or legal clerk,
  • have applied to attend or have attended an event for lawyers-in-training, or
  • plan to attend or have attended an event for lawyers-in-training organised by a third party and at which Gleiss Lutz is present as an exhibitor.

I. What personal data are processed?

1. We process the following categories of personal data:

1.1 contact information, in particular first and last name, title where applicable, address, telephone number, e-mail address,

1.2 information about your qualifications, in particular your academic credentials and other information included in your curriculum vitae, including information about prizes, scholarships, and extracurricular activities, information about dissertation projects, your educational and professional experience, and copies of your academic transcripts and certificates,

1.3 any photographs that you may enclose with your application, and

1.4 information about any (planned or desired) future steps in your education or career and about your professional focuses and interests.

2. We generally collect such data directly from you. In some cases, we receive data about you from third parties who independently organise events for lawyers-in-training and to whom you have made your data available for sharing with potential employers. Depending on the event, such third parties may be universities, career portals (such as e-fellows.net), student organisations (such as ELSA), or trade fair organisers (such as myjobfair.de).

II. For what purposes and on what legal basis are my personal data processed?

1. Users of our career portal

If you apply online for a position at Gleiss Lutz through our career portal, we will process the data referenced in section D. I. above to the extent necessary for processing your application. The legal basis for this processing is section 26 BDSG in conjunction with Article 88 GDPR.

If your application does not immediately result in a job offer, we would like to continue processing your data after the application process has been completed in order to notify you of future job openings and events at Gleiss Lutz that match your profile, and to send you information about current developments at Gleiss Lutz three to four times a year. We will process your data after the application process has been completed only with your explicit consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time with future effect. Your refusal or withdrawal of consent has no impact on the processing of your application. However, without your consent, we will not be able to contact you with regard to future job openings or events or send you information about current developments at Gleiss Lutz.

2. Former interns, research assistants, and legal clerks

We would like to stay in touch with lawyers-in-training who have worked for us even after they leave Gleiss Lutz. As a former intern, research assistant, or legal clerk, you may therefore become a member of our “Gleiss Lutz Fellows’ Club”. Club members will receive information about job openings and invitations to Gleiss Lutz events that match their profile. In addition, they will receive information about current Gleiss Lutz events by e-mail three to four times a year.

We may process your personal data referenced in section D. I. for the aforementioned purposes after you have left our firm and may send you the aforementioned information, but only with your explicit consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time with future effect. If you do so, we will however no longer be able to stay in touch with you.

3. Attendance at events for lawyers-in-training

If you apply to attend an event for lawyers-in-training organised by Gleiss Lutz or at which Gleiss Lutz is present as an exhibitor, we will process your data referenced in section D. I. to hold the event and to facilitate your attendance. For events organised by Gleiss Lutz, we may also include your name and current professional position in an list of attendees that will be made available to other attendees of the event (possibly also in electronic form). The legal basis for this processing is Article 6(1)(b) GDPR.

Even after the event, we would like to continue processing your data in order to notify you of future job openings and events at Gleiss Lutz that match your profile, and to send you information about current developments at Gleiss Lutz once or twice a year. We will process your personal data for this purpose only with your explicit consent (Article 6(1)(a) GDPR). You may withdraw your consent at any time with future effect. If you do so, we will however no longer be able to stay in touch with you.

III. How long are my personal data stored?

1. If your application does not result in employment at Gleiss Lutz, personal data collected on the career portal or otherwise for purposes of the application will be further processed for evidentiary purposes for a maximum period of three years after the application process has ended, after which they will be deleted or anonymised.

2. If you attend events for lawyers-in-training, your personal data will be deleted or anonymised within three months of the end of the event, unless you consent to further processing of such data (see section 3 below).

3. If you have consented to the processing of your personal data so we can stay in touch with you and send you information, your personal data stored for these purposes will be deleted after a maximum period of five years.

We process personal data to the extent necessary for communication and cooperation with you via Microsoft Teams.

We process personal data of

  • you as the person communicating or cooperating with us via Microsoft Teams,
  • other persons who are the subject of such communication or cooperation, such as your employees, colleagues or advisors.

We process the following categories of personal data to the extent necessary:

  • information you have entered into your own Microsoft Teams account,
  • technical data necessary for providing Microsoft Teams functions, in particular your IP address, the time and duration of usage, protocol and other usage data,
  • audio and/or video data of participants in audio/video conferences,
  • contact information, in particular first and last name, title where applicable, address, telephone number, e-mail address,
  • information on business or professional activity,
  • other information in connection with the communication or cooperation.

The purpose and legal basis for the processing of these personal data are generally derived from the context of the communication or cooperation. This context and the respective legal bases are described in sections B to G of this Privacy Notice. In all other respects, the legal basis is Article 6(1)(f) GDPR.

In order to provide the relevant Microsoft Teams functions, we transfer the aforementioned data to Microsoft. Microsoft is obliged to maintain strict confidentiality in this regard, and only processes the data on our behalf and in accordance with our instructions. For this purpose, the aforementioned data may be transferred to countries outside the EU/EEA, in particular the United States. To ensure the adequate protection of the data there, we have concluded the standard contractual clauses adopted by the European Commission and also agreed on supplemental terms. We are happy to provide you with a copy of these clauses on request. The European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies where such companies are certified under the DPF and included on the DPF list (https://www.dataprivacyframework.gov/s/participant-search). Data transfers from the EU to certified organisations in the US are now possible without the need for additional transfer mechanisms pursuant to Article 46 GDPR or additional measures. Microsoft Corporation is included in this list.

Audio and video data collected during an audio/video conference or a screen sharing session are processed only for the duration of the conference or session after which they are then immediately deleted. Records stored beyond that will not be created without your explicit and specific consent.

Communication via text and data from cooperation on a co-working platform are stored for as long as is necessary based on the context of such cooperation (see in particular section C. of this Privacy Notice). Otherwise, they are deleted or anonymised as soon as they are no longer necessary, unless a longer storage period is permitted or required by law.

We process personal data to the extent necessary for the purpose of processing and deciding on applications in connection with the Gleiss Lutz Start-up Program.

We processes personal data of

  • the applicant,
  • if necessary, to the extent relevant for the business case of the start-up and provided by the applicant, owners, shareholders, employees, board members, investors, creditors, debtors, suppliers, customers and/or advisors of the start-up (or, as applicable, their employees and/or board members) which is subject of the application, and
  • other relevant persons in connection with the start-up, if necessary.

We process the following categories of personal data to the extent necessary:

  • contact information, in particular first and last name, title where applicable, address, telephone number, e-mail address,
  • information on business or professional activity,
  • information on income and/or assets,
  • information on qualification, curriculum vitae and/or particular skills or attributes,
  • other information in connection with the business case of the start-up.

Where we do not receive personal data directly from the data subjects (e.g. when corresponding with contacts at the start-up), the data are collected from the start-up or the applicant.

The legal basis for processing these personal data is generally Article 6(1)(f) GDPR. In individual cases where a natural person applies as a sole trader, the legal basis for processing is Article 6(1)(b) GDPR.

If the application is successful, resulting in the establishment of a client relationship, the aforementioned personal data may be processed further in connection with such relationship (see section C.). If the application is not successful the data will be deleted without undue delay.

For business development purposes, we conduct research into companies that we may wish to work with, be it as clients, suppliers or other business partners. To this end we process, to the extent necessary, personal data of owners, board members or employees of such companies.

I. What personal data are processed?

We process the following categories of personal data to the extent necessary for the aforementioned purpose:

  • contact information, in particular first and last name, title where applicable, business address, business phone number, business e-mail address, and
  • information about professional activity, in particular company affiliation and position,

II. From what sources does Gleiss Lutz receive the data it processes?

Where we do not receive personal data directly from the data subjects, they are collected from the following sources:

  • the companies, in particular their websites,
  • publicly available professional/business databases, such as Mergermarket, Lexisnexis, Debtwire and the Federal Gazette (Bundesanzeiger),
  • publicly available professional/business social networks, such as LinkedIn,
  • publicly available press products, especially online, such as Handelsblatt, Financial Times,
  • partner law firms, and
  • publicly available lists of event attendees. 

III. What is the legal basis for processing the data?

We generally process personal data on the basis of our legitimate interest in optimising our business activities (Article 6(1)(f) GDPR). Data subjects are only contacted by e-mail or telephone if they have given their consent (Article 6(1)(a) GDPR).

IV. Who are the personal data transferred to?

The personal data are not transferred to other data controllers.

For certain technical data processing procedures, we use the services of external service providers, who are given access to your personal data in order to provide these services. These service providers are carefully selected and meet high data protection and data security standards. They are obliged to maintain strict confidentiality in this regard, and only process the data on our behalf and in accordance with our instructions.

V. How long are the personal data stored?

Unless a longer storage period is required by law, personal data are stored for as long as is necessary to process these for the aforementioned purpose. They are deleted after two years at the latest if they have not been used for the aforementioned purpose.

In the context of certain client matters, we offer clients the use of our CCP to be able to communicate, exchange data and collaborate with them in a secure manner. In order to provide the platform’s services and ensure its security, we process personal data of individuals who access and use the CCP.

I. What personal data are processed?

We process the following categories of personal data to the extent necessary for the aforementioned purpose:

  • contact information, in particular first and last name, title where applicable, business e-mail address, user account where applicable,
  • information about professional activity, in particular company affiliation and position,
  • technical data on access to and use of the CCP, in particular IP address, user name, password, date/time of access, duration of use, usage events, history of use, authorship of documents/actions; authentication method, authorisation level to view certain files.

II. From what sources does Gleiss Lutz receive the data it processes?

Where we do not receive personal data directly from the data subjects, they are collected from the respective client for whom the data subject works or which the data subject is advising.

III. What is the legal basis for processing the data?

We generally process personal data on the basis of our legitimate interest in providing the CCP in accordance with the relevant legal requirements and the needs of the client (Article 6(1)(f) GDPR). Where the data subject and the client are one and the same, the legal basis is Article 6(1)(b) GDPR. 

IV. Who are the personal data transferred to?

Depending of the needs of a client, the personal data processed for the purposes of the CCP may be disclosed to the client, companies affiliated with the client or other advisors of the client to the extent this is necessary for providing and/or using the CCP for work on client matters.

Furthermore, such personal data is only transferred to third parties insofar as this is necessary to work on the respective client matter (cf. section C above), satisfy legal obligations or assert, defend or exercise legal claims.

For certain technical data processing procedures, we use the services of external service providers, who are given access to your personal data in order to provide these services. These service providers are carefully selected and meet high data protection and data security standards. They are obliged to maintain strict confidentiality, and only process the data on our behalf and in accordance with our instructions.

V. How long are the personal data stored?

Unless a longer storage period is required by law, personal data are stored for as long as is necessary to process these for the aforementioned purpose.

  1. For certain technical data processing procedures, we use the services of external service providers, who are given access to your personal data in order to provide these services. These service providers are carefully selected and meet high data protection and data security standards. They are obliged to maintain strict confidentiality, and only process the data on our behalf and in accordance with our instructions.
  2. We work with companies and other entities with particular expertise in individual areas or certain specialised subjects (e.g. tax auditors, lawyers, consulting firms, logistics service providers). These either have a duty of professional confidentiality or have been obliged by us to maintain secrecy. Should it be necessary to forward personal data to them, the legal basis for this is Article 6(1)(b) or (f) GDPR, depending on what the respective cooperation involves.
  3. Except as stated in this Privacy Notice, we will not transfer your data to any third parties without your explicit consent, unless we are required to do so by law, regulatory directive, or court order.
  1. You have the right to information about your personal data stored by us and, if certain legal requirements are satisfied, the right to have it corrected, deleted, and to have processing restricted. In addition, you have the right to receive personal data that you have made available to us in a structured, commonly used, and machine-readable format. This includes the right to transfer such data to another controller. If technically feasible, you may also demand that we transfer your personal data directly to other controllers.
  2. If the processing of your personal data is based on a weighing of interests within the meaning of Article 6(1)(f) GDPR, you have the right to object to this processing under the conditions described in Article 21 GDPR.
  3. If you have any complaints, you may also seek assistance from the relevant regulatory authority.