Mandatory Information acc. to Art. 12 contd. GDPR

Contact details of the responsible 

Companies: 
btu beraterpartner Holding AG Steuerberatungsgesellschaft
btu beraterpartner GmbH Steuerberatungsgesellschaft
btu beraterpartner GmbH Wirtschaftsprüfungsgesellschaft

Address: 
Feldbergstraße 27–29, 61440 Oberursel, Germany 

Phone: 
+49(0) 6171/5904-0

E-mail:
datenschutz@btu-beraterpartner.com 

Contact details Data Protection Officer 

Name: 
Marc Fuchs 

Company: 
DATEV eG 

Address:
Sigmundstraße 172, 90329 Nuremberg; Germany

Telephone: 
+49(0) 160/98926390

E-mail: 
marc.fuchs@datev.de 

From which source do we obtain your personal data?

In principle, the collection of your data takes place on your premises. The processing of personal data provided by you is necessary for the fulfillment of the obligations arising from the contract you have concluded with us. Due to your obligations to cooperate, it is inevitable to provide the personal data requested by us; otherwise, we will not be able to fulfill our contractual obligations. Accounting and/or tax disadvantages for you can otherwise no longer be ruled out for you.

Provision of your personal data is necessary within the framework of pre-contractual measures (e.g., master data entry in the interested party process). If the requested data is not provided by you, a contract cannot be concluded. 

In order to provide our services, it may be necessary to process personal data that we have received from other companies or other third parties, e.g., tax offices, your business partners or similar, permissibly and for the respective purpose.

Furthermore, we may process personal data from sources that are publicly accessible, e.g., websites, which we use legitimately and only for the respective contractual purpose.

Purposes and legal basis of processing 

The personal data provided by you will be processed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

Due to legal requirements (acc. to art. 6 para. 1 subpara. c GDPR) or in the public interest (acc. to art. 6 para. 1 subpara e GDPR) 
The purposes of data processing result from legal requirements or are in the public interest (e.g. compliance with retention obligations; proof of compliance with the tax advisor's notification and information obligations).

For the fulfillment of contractual obligations (acc. to § 11 StBerG (German Tax Advisory Act) in connection with art. 6 para. 1 subpara. b GDPR) 
On the one hand, the purposes of the data processing result from the introduction of pre-contractual measures that precede a contractually regulated business relation, and on the other hand from the fulfillment of the obligations from the contract concluded with you.

Based on consent (acc. to art. 6 para. 1 subpara. a GDPR) 
The purposes of processing of personal data result from giving consent. Your consent can be revoked at any time with effect for the future. Consents given before the GDPR took effect (25 May 2018) can also be revoked. Processing that took place before the revocation remains unaffected by the revocation. For example: Sending a newsletter; release from professional secrecy to data disclosure to third parties at your request (e.g., banks, insurance companies, shareholders, etc.). 

Within the framework of the balancing of interests (acc. to art. 6 para. 1 subpara. f GDPR)
The purposes of the processing result from the protection of our legitimate interests. It may be necessary to process the data provided by you beyond the actual performance of the contract. Our legitimate interest may be used to justify further processing of the data that you have provided, subject to the condition that your interests or fundamental rights and freedoms are not overridden. Our legitimate interest may be in individual cases: enforcement of legal claims; defense against liability claims; prevention of criminal offenses.

Who receives the personal data provided by you? 

Within our company, only those divisions receive access to the personal data that you have provided to us, which are required to fulfill contractual and legal obligations and which are entitled to process this data.

In fulfillment of the contract that has been concluded with you, only those divisions receive the data that you have provided to us, which require this data for legal reasons, e.g., tax authorities; social insurance carriers; competent authorities and courts.

As professional secrecy holders, we are obliged to observe and implement professional secrecy. Other recipients will only receive the data you have provided to us at your request if you give us the necessary consent.

Within the scope of our services, we commission contractors who contribute to the fulfillment of contractual obligations, e.g., computer center service providers; EDP partners; companies who shredder documents, etc. We contractually oblige these data processors to observe professional confidentiality and to comply with the requirements of the GDPR and the BDSG. 

Will the data provided by you be transferred to third countries or international organizations? 

Data that you provide to us will in no case be transferred to a third country or an international organization. If in individual cases, you wish the data you have provided to us to be transferred to a third country or an international organization, we will only do so with your written consent and release from professional secrecy. 

Does automated decision-making including profiling, take place? 

No fully automated decision-making (including profiling) according to art. 22 GDPR is applied to process the data you have provided to us. 

Duration of processing (criteria for deletion) 

The data you have provided to us will be processed for as long as it is necessary to achieve the contractually agreed purpose, in principle, as long as the contractual relationship with you exists. After the end of the contractual relationship, the data you have provided to us will be processed to comply with legal retention obligations or on the basis of our legitimate interests. After the legal retention periods have expired or our legitimate interests have ceased to exist, the data that you have provided to us will be deleted. 

Expected periods of storage obligations and our legitimate interests are: 

• Fulfillment of commercial, tax, and professional retention periods: The periods for storage and documentation specified therein range from two to ten years.
• Preservation of evidence under the statute of limitations: According to sections 195 contd. of the German Civil Code (BGB), the limitation period can be up to 30 years, whereas the standard limitation period is three years.

Additional data protection information when using our video conference system or telephone conference via a video conference system 

We use the tool Teams of the company Microsoft as video conference system. You will find more details on data processing by the provider of the video conference system we use, company Microsoft, under https://privacy.microsoft.com/de-de/privacy . 

Processing of your personal data within the scope of the use of our video conference system 

When using our video conference system, the data you provide before or during participation in an "online meeting" is processed: 

• User information: user name, display name, e-mail address (optional), profile picture, profile information (optional), preferred language, etc.
• Meeting metadata: Meeting ID, attendee IP addresses, service data for the respective session and use of the system (data of devices/used hardware), telephone numbers (if dialing in by telephone), location, name of the meeting and, if applicable, password from the host
• Chat, audio and video data: In order for audio and video transmission to take place, the application needs access to your microphone or video camera. You can mute or unmute them yourself at any time via the respective application. Any text entries you make in the chat are also processed, e.g. to record the results of an online meeting.
• For recordings (optional, or only with consent): MP4 file of all video, audio and presentation recordings, text file of the online meeting chat. If "online meetings" are to be recorded, we will inform you transparently in advance and - if necessary - ask for your consent. Your consent is voluntary. You can revoke it at any time with effect for the future. Upon revocation, the recording will be stopped.

In order to participate in an "online meeting" or to enter the "meeting room", you must at least provide information about your name (or pseudonym). 

Purposes and legal basis of the processing within the scope of the use of our video conferencing system 

The purposes and legal basis for data processing when conducting "online meetings" are

• Art. 6 para. 1 lit. f DS-GVO - we have a legitimate interest in the effective conduct of "online meetings",
• Art. 6 para. 1 lit. b DS-GVO, if applicable in connection with § 11 StBerG - the meetings are held within the framework of contractual relationships or for the implementation of pre-contractual measures.

Will the data you have provided be transferred to third countries or international organizations? 

A transfer of personal data to a third country or international organization takes place if: 

• participants in the "online meeting" are in a country outside the scope of the DS-GVO (so-called third country). In this case, the routing of data takes place via Internet servers located outside the EU. The data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.
• the video conferencing system of a provider whose headquarters are located in a third country is used. Adequate data protection is ensured by so-called EU standard contract clauses, by an adequacy decision of the EU Commission or corresponding guarantees of the video conference provider. Details will be made available to the participants for their information within a reasonable period of time before the video conference begins.

Information and access to personal data 

Right of access acc. to art. 15 GDPR: 
Upon request, you have the right to receive information free of charge as to whether and what data about you is stored and for what purpose it is stored.

Right to rectification acc. to art. 16 GDPR: 
You have the right to request from the Data protection officer to correct your incorrect personal data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration. 

Right to erasure (“Right to be forgotten”) acc. to art. 17 GDPR: 
You have the right to demand from the Data protection officer to delete your data immediately. The person responsible is obliged to delete personal data immediately, if one of the following reasons applies:  

a) Purposes shall cease to apply for which the personal data was collected.
b) You are revoking your consent to the processing. There is no other legal basis for the processing.
c) You object to the processing. There is no other legal basis for the processing.
d) The personal data have been processed unlawfully.
e) The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the Data protection officer is subject.
f) The personal data has been collected in relation to information society services provided in accordance with article 8 para. 1.

Right to restriction of processing acc. to art. 18 GDPR and § 35 BDSG:
You have the right to request a limitation of the processing, if one of   the following conditions is given: 

a) You doubt the accuracy of the personal data.
b) The processing is unlawful, but you refuse to have it deleted.
c) Personal data is no longer required for the purposes of processing; however, you will need the data to assert, exercise, or defend legal claims.
d) You have filed an objection against the processing acc. to art. 21 para. 1 GDPR. As long as it has not yet been determined whether the legitimate reasons of the responsible person outweigh you, the processing will be restricted.

Right to data portability acc. to art. 20 GDPR:
You have the right to receive the data you provided from the person responsible in a structured, current, and machine-readable format. Forwarding it to another responsible person may not be hindered by us. 

Right to object acc. to with art. 21 GDPR: 
In this case, please contact the person responsible for processing (see above).

Right to lodge a complaint with a supervisory authority acc. to art. 13 para. 2 subpara. d, 77 GDPR in connection with § 19 BDSG: 
If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. For this purpose, please contact the competent supervisory authority.

Withdrawal of consent acc. to art. 7 para. 3 GDPR: 
If the processing is based on your consent acc. to art. 6 para. 1 subpara. a or art. 9 para. 2 subpara. a (processing of special categories of personal data), you are at any time entitled to withdraw the appropriately bound consent without prejudice to the legality of the processing which has taken place on the basis of the consent until revocation.