Privacy Statement for Clients

For Consulting Services by Scheja & Partner Rechtsanwälte mbB

We, Scheja & Partner Rechtsanwälte mbB, appreciate and welcome your interest in our consulting activities. Your privacy has the highest priority for us. We take the protection of your personal data and the confidential treatment of your personal data very seriously. We would like to inform you by means of the information below about the processing of your personal data in the context of our consulting services as well as about your data protection rights.

1. Controller

  • Scheja & Partner Rechtsanwälte mbB
  • Adenauerallee 136
  • D-53113 Bonn
  • Germany
  • tel.: +49 (0) 228-227 226-0
  • e-mail:

Encrypted contact form:

2. Data Protection Officer

You can reach our data protection officer here:

  • Scheja & Partner Rechtsanwälte mbB
  • Data Protection Officer
  • Adenauerallee 136
  • D-53113 Bonn
  • Germany

Encrypted contact form:

3. Categories of data

As part of our consulting activities, we process the following personal data:
- Contact details: first name and last name, e-mail address, possibly also the address, telephone numbers, position, client and/or corresponding company/institution;
- Data pertaining to the consultation services: contents of inquiries, communication in the context of the consulting services, documents, notes for the files;
- Activity data: consulting documentation, performance records, invoices.

4. Purposes and legal bases of the data processing

a. Preparation and implementation of our consulting activities

We process personal data when this is necessary for the preparation and implementation of our consulting activities. The processing is applied in particular to respond to incoming inquiries and to issue invoices.

The data processing is implemented on the basis of Article 6(1)(b) and/or (f) of the GDPR. In doing so, we pursue the interest of fulfilling our contractual and statutory obligations to clients and data subjects.

b. Fulfilment of legal obligations

We also process personal data in order to comply with statutory obligations to which we are subject. In our role as data protection officers, the data processing is implemented based on our statutory duties under Article 38(4) and Article 39 of the GDPR. Other obligations may arise pursuant to commercial law, tax law, finance law, or criminal law. The purposes of the processing are based on the corresponding statutory obligation; in such cases, the processing usually serves the purpose of complying with governmental monitoring obligations and information obligations.

The data processing is effected on the basis of Article 6(1)(c) of the GDPR.

5. Obligation to provide data

You are not obliged to provide any personal data to us. However, as the specific case may require, it may be necessary to provide certain personal data for a consultation. If you do not provide such personal data, we may not be able to provide any consulting services.

6. Sources

In addition to a direct collection of data, we may also collect personal data in the context of the preparation and implementation of our consulting activities from clients, other companies/bodies, data subjects, and supervisory authorities.

7. Recipients

In our firm, only those persons have access to your personal data who need access for the purposes listed in Number 4. We only transfer your personal data to external recipients if this is necessary for the performance of our consulting activities or in the event that another statutory permission applies.

External recipients may include:

Processors: Service providers that we use for the provision of services, for example in the fields of technical infrastructure and maintenance of our IT systems.

Public bodies: public authorities and official institutions to which we have to transfer personal data for mandatory reasons prescribed by statutory law.

Private bodies: contact persons of our clients, other companies or bodies which have to be contacted for the processing of the client matter as well as assistants to whom data are transferred based on a legal basis.

8. Transfer to third countries

In the context of IT-Services and IT-Infrastructure we engage service providers, which are not located within the European Union or the European Economic Area. In doing so, we ensure prior to the transfer that, outside of exceptional cases permitted by statutory law, the recipient either possesses an appropriate level of data protection or appropriate safeguards exist. You can obtain an overview on the recipients in third countries and a copy of the appropriate or suitable safeguards. Please use the data provided in Section 1.

9. Period of retention

The personal data collected by us for the consulting services will be deleted when the statutory retention period that applies to lawyers expires (6 years after the end of the calendar year in which the client matter was completed), unless we are subject to a longer period of retention on the basis of statutory retention obligations or documentation obligations. In this case, we will delete your personal data after the statutory obligation ceases to apply.

10. Data subject rights

In accordance with the GDPR, you are entitled to the following rights as a data subject, provided that the respective statutory requirements are met:

Access: You have the right to receive information about the personal data pertaining to you that we process.

Rectification: You may demand that inaccurate personal data will be rectified. Furthermore, you may demand that incomplete data will be completed.

Erasure: In certain cases, you are entitled to demand the erasure of your personal data.

Restriction of processing: In certain cases, you are entitled to demand that we restrict the processing of your data.

Data portability: If you have made the data available to us based on a contract or consent, you are entitled to demand to receive the data which you provided to us in a structured, commonly used and machine-readable format or to have them transmitted by us to another controller.

Right to object

You have the right to object at any time to the processing of your personal data on the basis of Article 6(1)(f) of the GDPR for reasons arising from your particular situation. We will then no longer process such personal data for those purposes, unless we can provide compelling protected reasons for such processing that outweigh your interests, rights and freedoms, or the processing is necessary for the assertion of, exercise of, or defense against any legal claims.

Asserting your rights: To assert any of your abovementioned rights, please contact us by means of the contact details indicated in Number 1 above. When doing so, please make sure that we can clearly identify you.

Right to lodge a complaint with the supervisory authority: If you believe that the processing of the personal data concerning you is illegal, you may lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your workplace, or at the location of the alleged breach.

11. Automated individual decision-making, including profiling

Automated individual decision-making, including profiling, within the meaning of Article 22 of the GDPR will not take place in connection with our consulting services.

Last update: October 2019