Privacy notice pursuant to Art. 13, 21 of the Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) with further notes

We at Baker Tilly are very glad about your interest in our website and our services. The protection of personal data is of particular importance to us. We would like to inform you about the collection and processing of personal data that may be associated with the use of our website and about the rights of data subjects in this context. See below for a definition of the terms used below.

I. Name and address of the controller

The person responsible for the data protection measures taken in connection with the use of our website, www.bakertilly.de, its subpages and the social media appearances linked to it within the meaning of the GDPR and other data protection laws applicable to us and other provisions of a data protection nature is:

Baker Tilly Holding GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft
Cecilienallee 6-7, 40474 Düsseldorf, Deutschland
Tel.: +49 211 6901 01, E-Mail: info@bakertilly.de

 

II. Collection and storage of personal data in connection with visits on our website, type and purpose of use

1. Security

If personal data is transmitted to us via our website, we use several secure technologies, in particular the so-called "Transport Layer Security" transmission (TLS) or the "Secure Sockets Layer" transmission (SSL). All information and data transmitted using these secure methods is encrypted before being sent to us. In order to further protect users and us against any misuse, the IP address of the system used for the visit is transmitted to us.

2. Collection of general data and information

Our website collects a series of general data and information with each visit. This general data and information are stored in the server’s log files. The following can be recorded:

  1. the browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system arrives at our website (so-called referrer),
  4. the sub-websites that are accessed via an accessing system on our website,
  5. the date and time of an access to the website,
  6. the Internet protocol address (IP address) of the accessing system,
  7. the Internet service provider of the accessing system,
  8. other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, we do not draw any conclusions about the data subject. Rather, this information is needed in order (1) to correctly deliver our website’s content, (2) to optimize the content of our website and the advertising for it, (3) to ensure our information technology systems’ permanent functionality and our website’s technology, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack. The anonymously collected data and information are therefore analyzed by Baker Tilly statistically on the one hand and, on the other hand, with the aim of increasing our enterprise’s data protection and data security, ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

3. Cookies

4. Registration on our website

The data subject has the option of registering on our website by providing personal data. Which personal data is transmitted to us in the process depends on the respective input mask used for the registration. The personal data entered by the data subject is collected and stored exclusively for the purpose specified in each case. We may arrange for such data to be transmitted to one or more processors for precisely specified processing, or to a Baker Tilly company, if this is necessary in order to fulfill the specified purpose.
By registering on our website, the IP address assigned by the Internet service provider (ISP) of the system used by the data subject, the date and the time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences that have been committed. In this respect, the storage of this data is necessary for the controller’s protection. The data subject’s registration by voluntarily providing personal data serves to offer the data subject content or services which, due to the nature of the matter, can only be offered to registered users.

5. Newsletter subscription

On our website, users are given the opportunity to subscribe to several Baker Tilly newsletters. Which personal data is transmitted when ordering a newsletter depends on the input mask used for this purpose.
We regularly offer clients and interested parties interesting information through newsletters. Generally, these newsletters can only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject registers to receive the newsletter or has an active client relationship with Baker Tilly and the corresponding newsletter contains information relevant to the client. For legal reasons, a confirmation e-mail is sent to the e-mail address entered by a data subject for the first time for the newsletter mailing using the double opt-in procedure. This confirmation e-mail serves to verify whether the owner of the e-mail address as the data subject has authorized the receipt of the newsletter.
When registering for the newsletter, we also store the IP address of the system used by the data subject at the time of registration, as assigned by the Internet service provider (ISP), as well as the date and time of registration. The collection of this data is necessary in order to be able to trace a (possible) misuse of the e-mail address of a data subject at a later point in time and therefore serves the controller’s legal protection.
The personal data collected in the course of a newsletter subscription are exclusively used for sending the newsletter. Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as might be the case in the event of changes to the newsletter offering or changes in technical circumstances. No personal data collected as part of the newsletter service will be passed on to third parties, with the exception of the Baker Tilly company responsible for the newsletter’s content. The subscription to the newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data the data subject has given us (exclusively) for the purpose of sending the newsletter can be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly on our website at any time or to inform us accordingly by e-mail to webmail(at)bakertilly(dot)de.

6. Newsletter tracking

The newsletters of Baker Tilly contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails that are sent in HTML format in order to enable log file recording and log file analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, Baker Tilly can see if and when an e-mail was opened by a data subject, and which links in the e-mail were clicked by the data subject.
Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by us in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to the data subject’s interests. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard through the double opt-in procedure. Baker Tilly automatically regards a withdrawal from the newsletter receipt as a revocation.

7. Contact through the website

Due to statutory provisions, our website contains data enabling data subjects to quickly contact us and the other Baker Tilly companies in electronic form, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purpose of processing or contacting the data subject.

8. Comment function in the blog on the website

We offer users of our website the opportunity to leave individual comments on individual blog posts on a blog. A blog is a portal on a website, usually publicly available, in which one or more people, called bloggers or web bloggers, can post articles or write down thoughts in so-called blogposts. The blogposts can usually be commented on by third parties.
If a data subject leaves a comment on the blog published on our website, information on the time of comment entry and the user name (pseudonym) chosen by the data subject will be stored and published in addition to the comments left by the data subject. Furthermore, the IP address assigned by the Internet service provider (ISP) to the system used by the data subject is also logged. The IP address is stored for security reasons and in the event the data subject violates any third-party rights or posts illegal content through a submitted comment. The storage of this personal data is therefore in the interest of the controller, so that the controller could exculpate itself if necessary in the event of an infringement. There is no disclosure of this collected personal data to third parties, unless such disclosure is required by law or serves the controller’s legal defense.

9. Supplementary data protection provisions on the use and application of Google Analytics (with anonymization function)

The Google Analytics component (with anonymization function) is integrated on our website. Google Analytics is a web analysis service. Web analysis is the collection, compilation and evaluation of data about the behavior of visitors to websites. A web analysis service collects, inter alia, data as to from which website a data subject came to a website (so-called referrers), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is predominantly used for the optimization of a website and for the cost-benefit analysis of internet advertising.
The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
We use the extension "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this extension, the IP address of the system used by the data subject is shortened and anonymized by Google if access to our website is from a member state of the European Union or from another state being a party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyze the flow of visitors to our website. Among other things, Google uses the data and information obtained in order to evaluate the use of our website, to compile online reports for us showing the activities on our website, and to provide other services related to the use of our website.
Google Analytics sets a cookie on the data subject’s information technology system. The term cookies has already been explained above. By setting the cookie, Google is enabled to analyze the use of our website. By each visit of one of the individual pages of our website, which is operated by us and on which a Google Analytics component has been integrated, the internet browser on the data subject’s information technology system is automatically caused by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the system used by the data subject, which Google uses, among other things, to track the origin of visitors and clicks and subsequently enable commission calculations.
By means of cookies, personal information, for example the access time, the location from which an access originated and the frequency of visits to our website by the data subject, is stored. Each time the data subject visits our website, this personal data, including the IP address of the system used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may disclose this personal data collected via the technical procedure to third parties.
The data subject can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the data subject’s information technology system. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programs.
Furthermore, the data subject has the option to object to the collection of data generated by Google Analytics and related to the use of this website as well as to the processing of this data by Google and to prevent such processing. For this purpose, the data subject must download and install a browser add-on at the link tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics via JavaScript that no data and information about visits to websites may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google as an objection. If the data subject’s information technology system is deleted, formatted or reinstalled at a later point in time, the data subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person within the data subject's sphere of control, it is possible to reinstall or reactivate the browser add-on.
Further information and Google’s applicable data protection regulations are available at www.google.de/intl/de/policies/privacy/ and at www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail under this link www.google.com/intl/de_de/analytics/.

10. Social Media Plug-ins

We use social plug-ins from the social networks Facebook, LinkedIn, Twitter, Xing and YouTube on our website in order to make Baker Tilly better known. The underlying promotional purpose is to be regarded as a legitimate interest within the meaning of the GDPR. The responsibility for data protection-compliant operation is to be ensured by their respective providers. The corresponding social media buttons are made available by integrating the Shariff component.

a) Privacy policy on the use and application of Facebook

We have integrated components of the company Facebook on our website. Facebook is a social network.
A social network is a social meeting place operated on the Internet, an online community that generally allows users to communicate and interact with each other in virtual space. A social network can serve as a platform for sharing opinions and experiences or enables the Internet community to provide personal or company-related information. Facebook allows users of the social network to create private profiles, upload photos and network via friend requests, among other things.
Facebook’s operating company is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller of personal data is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Each time a person visits one of the individual pages of our website on which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective Facebook component to download a representation of the corresponding Facebook component from Facebook. A complete overview of all Facebook plug-ins is available at developers.facebook.com/docs/plugins/. Within the scope of this technical procedure, Facebook obtains knowledge of which specific subpage of our website is visited by the data subject.
If the data subject is logged in to Facebook at the same time, Facebook recognizes which specific subpage of our website the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the data subject. If the data subject activates one of the Facebook buttons integrated on our website, for example the "Like" button, or if the data subject makes a comment, Facebook assigns this information to the data subject’s personal Facebook user account and stores this personal data.
Facebook always receives information via the Facebook component that the data subject has visited our website if the data subject is logged into Facebook when visiting our website; this takes place regardless of whether the data subject clicks on the Facebook component or not. If the data subject does not want this information to be transmitted to Facebook, he or she can prevent the transmission by logging out of his or her Facebook account before accessing our website.

The data policy published by Facebook, which is available at en.facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. It also explains which setting options Facebook offers to protect the data subject’s privacy. In addition, various applications are available that allow data transmission to Facebook to be suppressed. Such applications can be used by the data subject to suppress data transmission to Facebook.

b) Privacy policy on the use and application of Instagram

We have integrated components of the service Instagram on our website. Instagram is a service that qualifies as an audiovisual platform and allows users to share photos and videos and also to redistribute such data in other social networks.
The operating company of Instagram’s services is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.
By each visit of one of the individual pages of our website, which is operated by the controller and on which an Instagram component (Insta button) has been integrated, the internet browser on the data subject’s information technology system is automatically caused by the respective Instagram component to download a representation of the corresponding component from Instagram. Within the scope of this technical procedure, Instagram obtains knowledge about which specific subpage of our website is visited by the data subject.
If the data subject is logged in to Instagram at the same time, Instagram recognizes which specific subpage the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the Instagram component and assigned by Instagram to the data subject’s respective Instagram account. If the data subject activates one of the Instagram buttons integrated on our website, the data and information thus transmitted will be assigned to the data subject’s personal Instagram user account and stored and processed by Instagram.
Instagram always receives information via the Instagram component that the data subject has visited our website if the data subject is logged into Instagram when visiting our website; this takes place regardless of whether the data subject clicks on the Instagram component or not. If the data subject does not want this information to be transmitted to Instagram, he or she can prevent the transmission by logging out of his or her Instagram account before accessing our website.
Additional information and Instagram's applicable privacy policy can be found at help.instagram.com/155833707900388 and www.instagram.com/about/legal/privacy/.

c) Privacy policy on the use and application of LinkedIn

We have integrated LinkedIn Corporation’s components on our website. LinkedIn is an Internet-based social network allowing users to connect with existing business contacts and make new business contacts. Over 400 million registered individuals use LinkedIn in more than 200 countries. This makes LinkedIn currently the largest platform for business contacts and one of the most visited websites in the world.
The operating company of LinkedIn is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. For data protection issues outside the USA, LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible.
With each individual visit of our website that is equipped with a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a corresponding representation of the component from LinkedIn. Further information on LinkedIn plug-ins is available at developer.linkedin.com/plugins. As part of this technical procedure, LinkedIn obtains knowledge of which specific subpage of our website is visited by the data subject.
If the data subject is logged in to LinkedIn at the same time, LinkedIn recognizes which specific subpage of our website the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the LinkedIn component and assigned by LinkedIn to the data subject’s respective LinkedIn account. If the data subject activates a LinkedIn button integrated on our website, LinkedIn assigns this information to the data subject’s personal LinkedIn user account and stores this personal data.
LinkedIn always receives information via the LinkedIn component that the data subject has visited our website if the data subject is logged into LinkedIn when visiting our website; this takes place regardless of whether the data subject clicks on the LinkedIn component or not. If the data subject does not want this information to be transmitted to LinkedIn, he or she can prevent the transmission by logging out of his or her LinkedIn account before accessing our website.

LinkedIn offers the ability to unsubscribe from email messages, SMS messages, and targeted ads, as well as manage ad settings at www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame, which may set cookies. Such cookies can be rejected at www.linkedin.com/legal/cookie-policy. LinkedIn's applicable privacy policy is available at www.linkedin.com/legal/privacy-policy. LinkedIn's cookie policy is available at www.linkedin.com/legal/cookie-policy.

d) Privacy policy on the use and application of Twitter

We have integrated components of Twitter on our website. Twitter is a multilingual publicly accessible microblogging service on which users can publish and distribute so-called tweets, i.e. short messages limited to 140 characters. These short messages can be accessed by anyone, including people who are not registered with Twitter. However, the tweets are also displayed to the so-called followers of the respective user. Followers are other Twitter users who follow the tweets of a user. Furthermore, Twitter makes it possible to address a broad audience via hashtags, links or retweets.
Twitter’s operating company is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Each time a person visits one of the individual pages of our website operated by the controller and on which a Twitter component (Twitter button) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective Twitter component to download a representation of the corresponding Twitter component from Twitter. Further information on the Twitter buttons can be found at about.twitter.com/en/resources/buttons. Within the scope of this technical procedure, Twitter obtains knowledge of which specific sub-page of our website is visited by the data subject. The purpose of integrating the Twitter component is to enable our users to distribute the content of this website, to make this website known in the digital world and to increase our visitor numbers.
If the data subject is logged in to Twitter at the same time, Twitter recognizes which specific subpage of our website the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the Twitter component and assigned by Twitter to the data subject’s respective Twitter account. If the data subject activates a Twitter button integrated on our website, Twitter assigns this information to the data subject’s personal Twitter user account and stores this personal data.

Twitter always receives information via the Twitter component that the data subject has visited our website if the data subject is logged into Twitter when visiting our website; this takes place regardless of whether the data subject clicks on the Twitter component or not. If the data subject does not want this information to be transmitted to Twitter, he or she can prevent the transmission by logging out of his or her Twitter account before accessing our website.

Twitter’s applicable data protection information is available at twitter.com/privacy. 

e) Privacy policy on the use and application of Xing

We have integrated components of Xing on our website. Xing is an Internet-based social network that allows users to connect with existing business contacts and make new business contacts. Individual users can create a personal profile on Xing. Companies can, for example, create corporate profiles or publish job offerings on Xing. 
Xing’s operating company is XING SE, Dammtorstraße 30, 20354 Hamburg, Germany.
Each time a person visits one of the individual pages of our website operated by the controller on which a Xing component (Xing plug-in) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective Xing component to download a representation of the corresponding Xing component from Xing. Further information on the Xing plug-ins can be found at dev.xing.com/plugins. Within the scope of this technical procedure, Xing receives information of which specific sub-page of our website is visited by the data subject. 
If the data subject is logged in to Xing at the same time, Xing recognizes which specific subpage of our website the data subject is visiting each time the data subject visits our website and for the entire duration of the respective stay on our website. This information is collected by the Xing component and assigned by Xing to the data subject’s respective Xing account. If the data subject activates a Xing button integrated on our website, Xing assigns this information to the data subject’s personal Xing user account and stores this personal data.

Xing always receives information via the Xing component that the data subject has visited our website if the data subject is logged into Xing when visiting our website; this takes place regardless of whether the data subject clicks on the Xing component or not. If the data subject does not want this information to be transmitted to Xing, he or she can prevent the transmission by logging out of his or her Xing account before accessing our website.

The privacy policy published by Xing, which is available at www.xing.com/privacy, provides information on the collection, processing and use of personal data by Xing. Furthermore, Xing has published its privacy notice for the Xing share button at www.xing.com/app/share.

f) Privacy policy on the use and application of YouTube

We have integrated YouTube components on our website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programs, but also music videos, trailers or videos made by users themselves can be accessed via the Internet portal.
YouTube’s operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each time a person visits one of the individual pages of our website operated by the controller and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the data subject’s information technology system is automatically caused by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be found at www.youtube.com/yt/about/de. Within the scope of this technical procedure, YouTube and Google receive information of which specific sub-page of our website is visited by the data subject.
If the data subject is logged in to YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting each time the data subject visits a subpage of our website. This information is collected by YouTube and Google and assigned by YouTube to the data subject’s respective YouTube account.

YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged into YouTube when visiting our website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube or Google, he or she can prevent the transmission by logging out of his or her YouTube account before visiting our website.

The privacy policy published by YouTube, which is available at www.google.de/intl/de/policies/privacy, provides information on the collection, processing and use of personal data by YouTube and Google.

g) Privacy policy on the implementation and use of Shariff

We have integrated the Shariff component on our website. The Shariff component provides social media buttons in line with data protection laws. Shariff was developed for the German computer magazine c’t and is published through GitHub, Inc. 
The component’s developer is GitHub, Inc. 88 Colin P. Kelly Junior Street, San Francisco, CA 94107, USA. 
Usually, the button solutions provided by the social networks already transmit personal data to the respective social network when a user visits a website in which a social media button has been integrated. By using the Shariff component, personal data is only transmitted to social networks when the visitor to a website actively clicks one of the social media buttons. Further information on the Shariff component is provided by the computer magazine c't at www.heise.de/newsticker/meldung/Datenschutz-und-Social-Media-Der-c-t-Shariff-ist-im-Einsatz-2470103.html. The purpose of using the Shariff component is to protect the personal data of visitors to our website and at the same time to enable us to integrate a button solution for social networks on our website. 
Further information as well as GitHub’s applicable privacy policy is available at help.github.com/articles/github-privacy-policy/. 

III. Collection and processing of personal data for applications and application procedures

With your application, you consent to the processing of your personal data by Baker Tilly on the basis of our privacy (here) for application procedures.

IV. Collection and processing of personal data within the scope of client relationships

The collection and processing of personal data within the scope of client relationships is based upon the respective client requirements and is generally performed by the Baker Tilly company responsible for the respective client and in compliance with the professional requirements applicable to such company. Possible processing activities by Baker Tilly Holding GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft are only performed in the function as processor. 

V. Legal bases of processing 

  • Art. 6 I lit. a GDPR serves as legal basis for processing activities for which we obtain consent for a certain processing purpose. 
  • If the processing of personal data is necessary in order to perform a contract to which the data subject is a party, as is the case, for example, in processing activities required for a delivery of goods or performance of other services or return services, the processing is based upon Art. 6 I lit. b GDPR. The same applies to such processing activities required for the performance of pre-contractual measures, for example, in case of requests for our services.
  • If we are subject to a legal obligation according to which a processing of personal data becomes necessary, for example, in order to fulfill tax obligations, the processing is based upon Art. 6 I lit. c GDPR. 
  • In rare cases, the processing of personal data may become necessary in order to protect the data subject’s or another individual’s vital interests. This would be the case, for example, if a visitor were injured on our premises and his or her name, age, health insurance data or other vital information had to be disclosed to a doctor, hospital or other third party. In such a case, the processing would be based upon Art. 6 I lit. d GDPR.
  • Finally, processing activities can be based upon Art. 6 I lit. f GDPR. Such Article is the legal basis for processing activities not covered by any of the aforementioned legal bases, if the processing is required in order to protect the legitimate interest of a company related to Baker Tilly or of a third party (e.g., clients), unless the data subject’s interests, fundamental rights and fundamental freedoms should prevail. In connection with our website, this applies in particular to processing activities pursuant to Sec. II. of this Privacy Notice. We are in particular entitled to such processing activities because they were explicitly mentioned by the European legislator. The legislator held the opinion that a legitimate interest could be assumed if the data subject is a customer of the controller. Another legitimate interest is the performance of our business activities for the benefit of all our employees’ and shareholders’ well-being as well as the processing for direct advertising purposes, in particular the dispatch of service information, information on legal developments, invitations, information on events and similar information. 

For the respective Baker Tilly affiliates, supplementary professional regulations may apply. 

VI. Disclosure of personal data

Personal data will be disclosed to third parties only if there is a data protection right to do so, for example, pursuant to Section V. of this privacy notice, and to external service providers for processing within the scope of strictly instruction-bound processing. 
We generally do not process data outside the EU or the EEA. If such a data transfer should be necessary in individual cases, it will be performed exclusively based on the EU standard contractual clauses or to countries with regard to which there is an EU adequacy decision and within the scope of a commissioned processing.

VII. Term for which personal data is stored

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data will be routinely deleted if and to the extent that they are no longer required for the performance or the initiation of the contract, or if the controller’s legitimate interests outweigh the data subject’s interest in the data’s deletion – for example, the preservation of legal defense options and liability insurance protection in case of clients’ and/or data subjects’ potential recourse claims which are not yet time-barred, even if only theoretically possible. If such a legitimate interest ceases to exist at a later time, such data will also be routinely deleted.

VIII. Rights of the data subject

Data subjects have the right

  • to request information about their personal data processed by us in accordance with Art. 15 GDPR. In particular, they can request information about the processing purposes, the category of personal data, the categories of recipients to whom their data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the source of their data if it has not been collected from them, as well as the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details (please note that we do not perform any profiling);
  • to demand, in accordance with Art. 16 GDPR, the immediate correction of incorrect personal data or the completion of their personal data stored by us;
  • to demand, pursuant to Art. 17 GDPR, the erasure of their personal data stored by us, unless the processing is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or even potential defense of legal claims;
  • to request the restriction of the processing of their personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is contested by them; the processing is unlawful but they object to its erasure; we no longer need the data but they need it for the assertion, exercise or defense of legal claims; or they have objected to the processing in accordance with Art. 21 GDPR;
  • to receive, pursuant to Art. 20 GDPR, their personal data, which they have provided to us, in a structured, common and machine-readable format or to request the transfer to another controller;
  • to revoke their consent at any time in accordance with Art. 7 Sec. 3 GDPR. This has the consequence that we may no longer continue the data processing based on such consent for the future, and
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. In general, the supervisory authority of their habitual place of residence or workplace or our company headquarters is available for this purpose. In the latter case, this is the: State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf.

The foregoing rights may be restricted by overriding statutory provisions on the maintenance of professional confidentiality.

IX. Right of objection

If personal data is processed on the basis of legitimate interests pursuant to Article 6 Sec. 1 sentence 1 lit. f GDPR, the data subject has the right to object to the processing of his/her personal data pursuant to Article 21 GDPR, provided that there are grounds for doing so which arise from his or her particular situation or if the objection is directed against direct marketing. In the latter case, the data subject has a general right to object, which is implemented by us without specifying a particular situation.

If you would like to exercise your right of revocation or objection, an e-mail to webmail(at)bakertilly(dot)de is sufficient.

X. Data Protection Officer’s contact details

Our Data Protection Officer’s contact details are: 

Baker Tilly Holding GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft
Datenschutzbeauftragter

Cecilienallee 6-7, 40474 Düsseldorf, Germany
Tel.: +49 211 6901 0, E-Mail: DSB(at)bakertilly(dot)de

XI. Validity and amendment of this privacy notice

This privacy notice is currently valid and was amended in May 2018. Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this privacy notice. The current privacy policy can be accessed and printed out at any time on the website at www.bakertilly.de/en/legal-notice/privacy-notice.

 

Definitions

Baker Tilly’s privacy notice is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy notice should be easy to read and understand for the public as well as for customers and business partners. In order to ensure this, we would like to explain some of the terms used therein based on the legal definitions.
In this privacy notice, we use, inter alia, the following terms: 

a) personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) data subject

Data subject is every identified or identifiable natural person whose personal data is processed by the Controller. 

c) Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. 

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

f) Pseudonymization

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

g) Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

h) Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

i) Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. 

k) Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.