Privacy Policy


Compulsory Information in accordance with Article 12 et seq. GDPR

The protection and security of the data of our clients, users and applicants is our top priority. This principle applies to our website as well as our conventional services. Therefore, our data protection practice with the help of a company data protection officer is in accordance with the GDPR.

In addition, we are required to uphold confidentiality pursuant to § 62 Steuerberatungsgesetz (StBerG) or § 50 Wirtschaftsprüferordnung (WPO).

This Privacy Policy informs about the processing of personal data of FAIR AUDIT Geries Harder Stubley PartG mbB Wirtschaftsprüfungsgesellschaft:

  • to provide our services,
  • on the website,
  • during the application process.


1. Name and contact details of the responsible person



Raboisen 38, 20095 Hamburg

Tel: +49 40 334 753-50




2. Contact details of the data protection officer

Mr. Thomas Niediek

Raboisen 38, 20095 Hamburg

Tel: +49 40 334 753-50




3. Where do we get your personal information from?

In principle, we collect your data from you directly. The processing of the personal data provided by you is necessary for the fulfillment of the contractual obligations arising from the contract concluded with us or the orders placed with us. It is essential to provide the personal data requested by us, otherwise we cannot fulfill our contractual obligations, which may cause accounting and / or tax disadvantages for you.

In the context of pre-contractual measures (for example, master data collection in the prospect process), the provision of your personal data is necessary. If the requested data is not provided by you, a contract cannot be concluded. To provide our services, it may be necessary to process personal data that we collect for this purpose from other companies or other third parties, e.g. tax offices, your business partners or similar.

Furthermore, we may process personal data from publicly available sources, e.g. websites, which we use as permitted and only for the respective purpose of the order.


4. Purposes and legal basis of processing

4.1 Provision of our services

The personal data provided by you will be processed in accordance with the provisions of the European Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):


4.1.1 On the basis of consent

The purposes of the processing of personal data arise from the granting of consent. Any given consent can be revoked at any time by you with effect for the future. Consents granted prior to the application of the GDPR (May 25, 2018) can also be revoked. Processing that took place before the revocation remains unaffected by the revocation. Example: sending a newsletter, transfer of the data you have given to third parties at your request (for example, banks, insurers, shareholders, etc.), within the confidentiality agreement clause.


4.1.2 For the fulfillment of contractual obligations

The purposes of data processing arise, on the one hand, from the initiation of pre-contractual measures, which precede a contractually regulated business relationship and, on the other hand, from the fulfillment of the obligations arising from the contract concluded with you or the orders you have placed.


4.1.3 Due to legal requirements or public interest

The purposes of the data processing arise from the legal requirements or are in the public interest (for example, compliance with retention obligations, proof of compliance with the information and information duties of the tax consultant).


4.1.4 In the context of the balance of interests

The purposes of processing arise from the protection of our legitimate interests. It may be necessary to process the data provided by you beyond the actual fulfillment of the contract(s). Our legitimate interest may be used to justify the further processing of the data you have provided, unless your interests or fundamental rights and freedoms prevail. Our legitimate interest may be, in individual cases: assertion of legal claims, defense against liability claims, prevention of criminal offenses.


4.2 Website

4.2.1 Website access

When this website is accessed, the Internet browser used by the visitor automatically sends data to the server of this website and stores it in a log file for a limited time. Until the automatic deletion, the following data is stored without further input by the visitor:

  • IP address of the visitor’s terminal,
  • date and time of access by the visitor,
  • Name and URL of the page accessed by the visitor,
  • Website from which the visitor arrives at the firm’s website (so-called referrer URL),
  • Browser and operating system of the visitor’s terminal and the name of the access provider used by the visitor.

The processing of these personal data takes place in accordance with Article 6 (1) (1) (f) of the GDPR. The firm has a legitimate interest in processing the data for the following purposes:

  • to establish the connection to the website of the law firm quickly,
  • to enable a user-friendly application of the website,
  • to identify and ensure the safety and stability of the systems and
  • to facilitate and improve the administration of the website.

The processing is expressly not for the purpose of gaining knowledge about the person visiting the Website.


4.2.2 Contact form

Visitors can submit messages to the firm via an online contact form on the website. In order to be able to receive a reply, a valid e-mail address is required. All further information can be given voluntarily by the requesting person. By submitting the message through the contact form, the visitor consents to the processing of the transferred personal data. The data processing takes place exclusively for the purpose of processing and answering inquiries via the contact form. This is done on the basis of the voluntarily granted consent in accordance with Article 6 (1) (1) (a) GDPR. The personal data collected for the use of the contact form will be automatically deleted as soon as the request has been completed and there are no reasons for further storage (e.g. subsequent appointment of our law firm).


4.2.3 Newsletter

By registering for the newsletter, the visitor expressly agrees to the processing of the transmitted personal data. To register for the newsletter, only the visitor's e-mail address needs to be entered. The legal basis for the processing of the personal data of the visitor for the purpose of sending newsletters is the consent in accordance with Article 6 (1) (1) (a) GDPR.
The visitor can unsubscribe from receiving future newsletters at any time. This can be done by using a special link at the end of the newsletter or by sending an e-mail to


4.3 Application process

We process personally identifiable information for the purpose of handling applications for employment, to the extent necessary for the decision to establish employment with us (Section 26 (1) in conjunction with Section 8 (2) BDSG). This may include general personal information (such as name, address and contact details), details of your professional qualifications and education, or CVET information, or other information that you provide to us in connection with your application. In addition, we can process job-related information made public by applicants, such as a profile in professional social media networks.

Furthermore, we may process personal data, as far as this is necessary to defend against legal claims asserted against us arising from the application process (§ 6 para. 1, f GDPR). The legitimate interest is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

The provision of personal information is not required by law or contract, nor are applicants required to provide personal information. However, the provision of personal data is required to conclude a contract of employment with us. Insofar as an applicant does not provide any personal data with an application, no employment relationship can be entered into.

If an employment relationship is established, we may further process the data already received for employment purposes in accordance with § 26 (1) BDSG if this is necessary for the execution or termination of the employment relationship, or for the exercise or fulfillment of the rights and obligations of the representation of the employees' interests arising from a law, a collective bargaining agreement, or an operating or service agreement.


5. Who receives the personal data provided by you?

Within our company, individuals are authorized to process the personal data provided by you in order to fulfill the contractual and legal obligations or in the application process.

In fulfillment of the contract concluded by you / the orders you have given, only those offices will receive the data you have provided for legal reasons, e.g. tax authorities, social security funds, competent authorities and courts.

As a professional body, we are obliged to comply with the confidentiality agreement clause. Other recipients receive the data provided by you only at your request and if you release us from this agreement clause.

As part of our service delivery, we hire contractors who contribute to the performance of the contractual obligations, e.g. data center service providers, computer partners, document shredders, etc. These contractors are contractually bound by us to maintain professional confidentiality and to comply with the requirements of the GDPR and the BDSG.

In the application process, personal data are also processed on our behalf on the basis of contracts pursuant to Art. 28 GDPR, in particular by host providers or providers of applicant management systems.


6. Disclosure of data

Personal data will be transmitted to third parties if

  • this was expressly consented to by the data subject under Article 6 (1) (1) (a) GDPR,
  • disclosure under Art. 6 (1) (1) (f) GDPR is required to assert, exercise or defend legal claims and there is no reason to believe that the data subject has an overriding interest in their data not being disclosed,
  • a legal obligation to transmit the data exists under Art. 6 (1) sentence 1 letter c) GDPR, and / or
  • this is required under Article 6 (1) (1) (b) of the GDPR to fulfill a contractual relationship with the data subject.


In other cases, personal data will not be disclosed to third parties.

Data transfer to third countries (states outside the European Economic Area – EEA) only takes place if this is necessary for the execution of the mandate contract (e.g. payment orders) or if you have given us your consent or if this is otherwise permitted by law. In this case, we take steps to protect your privacy, for example through contractual arrangements. We only forward data to recipients who ensure the protection of your data in accordance with the provisions of the GDPR for transmission to third countries (Articles 44 to 49 GDPR).


7. Cookies

Cookies are used on the website. These are data packets that are exchanged between the server of the firm’s website and the visitor’s browser. They are stored on the devices used (PC, notebook, tablet, smartphone, etc.) when visiting the website. Cookies cannot cause any damage to the devices used. In particular, they contain no viruses or other malicious software. The cookies store information that arises in connection with the specific terminal used. The law firm can by no means directly gain knowledge of the identity of the visitor to the website in this way.

Cookies are largely accepted according to the basic settings of the browser. The browser settings can be set up so that cookies are either not accepted on the devices used, or that a special notice is given before a new cookie is created. It should be noted, however, that the deactivation of cookies may result in not all the features of the website being used in the best possible way.

The use of cookies serves to make the use of the website of the law firm more comfortable. For example, session cookies can be used to track whether the visitor has already visited individual pages on the website. After leaving the website, these session cookies are automatically deleted.
To improve usability, temporary cookies are used. They are stored on the visitor’s device for a temporary period. When the website is visited again, it automatically recognizes that the visitor has already visited the site at an earlier point in time and what inputs and settings have been made so that they do not have to be repeated.

Cookies are also used to analyze the website’s views for statistical purposes and for the purpose of improving the offer. These cookies make it possible to automatically recognize on re-visit that the website has already been accessed by the visitor. An automatic deletion of cookies takes place here after a specified time.
The data processed by cookies serve the above-mentioned purposes of safeguarding the legitimate interests of the firm under Article 6 (1) (1) (f) GDPR.


8. Automated decision-making

No fully automated decision-making (including profiling) in accordance with Art. 22 GDPR is used for processing the data provided by you. This applies equally in the application process.


9. Duration of processing (deletion criteria)

The processing of the data provided by you takes place as long as it is necessary to achieve the contractually agreed purpose or the fulfillment of the orders placed with us, in principle as long as the contractual relationship with you exists. Upon termination of the contractual relationship, the data provided by you will be processed to comply with statutory retention requirements or our legitimate interests. After expiry of the statutory retention periods and / or the loss of our legitimate interests, the data provided by you will be deleted.

Expected periods of our storage obligations and our legitimate interests:

  • Fulfillment of commercial, tax and professional retention periods. The periods for storage or documentation specified there are two to ten years.
  • Preservation of evidence under the statute of limitations. According to §§ 195 ff. BGB, these limitation periods may be up to 30 years, whereby the regular period of limitation is three years.

In the application process, personal data will be stored for as long as it is necessary to decide on an application. Insofar as an employment relationship between an applicant and the law firm does not materialize, we may also continue to store data as far as necessary in order to defend against possible legal claims. The application documents will be deleted two months after the announcement of the rejection decision, unless a longer storage due to legal disputes is required.


10. Your rights as an affected person

As far as your personal data are processed during the visit of our website, you have the following rights as “data subject” within the meaning of the GDPR:


10.1 Information

You can ask us for information about whether personal data is processed by us. No right of access exists if providing the requested information would violate the duty of confidentiality in accordance with § 57 para. 1 StBerG, or if the information must be kept secret for other reasons, in particular because of an overriding legitimate interest of a third party. Deviating from this, there may be an obligation to provide the information if your interests outweigh the interests of secrecy, in particular taking into account any imminent damage. The right of access is also excluded if the data are stored only because they may not be deleted due to legal or statutory retention periods or serve exclusively for purposes of data protection or data protection control, if the disclosure would require a disproportionate effort and the processing for other purposes is excluded by appropriate technical and organizational measures. If in your case the right to information is not excluded and your personal data are processed by us, you can ask us for the following information:

  • purposes of processing,
  • categories of your personal data that are processed,
  • recipients or categories of recipients to whom your personal data are disclosed, in particular recipients in third countries,
  • if possible, the planned duration for which your personal data will be stored or, if this is not possible, the criteria for determining the duration of storage,
  • the existence of a right to rectification or erasure or restriction of the processing of personal data concerning you, or of a right to object to such processing,
  • the existence of a right of appeal to a data protection supervisory authority,
  • if the personal data have not been collected from you as the data subject, the information available on the origin of the data,
  • the existence of automated decision-making, including profiling and meaningful information on the logic involved, as well as the scope and intended impact of automated decision-making, where appropriate,
  • if applicable, in the case of transmission to recipients in third countries, unless there is a decision by the EU Commission on the adequacy of the protection level under Art. 45 (3) GDPR, information on which suitable guarantees pursuant to Art. 46 para. 2 GDPR are provided for the protection of personal data.


10.2 Correction and completion

If you discover that we have inaccurate personal information, you may require us to promptly correct this incorrect information. In the case of incomplete personal data concerning you, you can request the completion.


10.3 Deletion

You have the right to have your information deleted (“right to be forgotten”), unless the processing is necessary for the exercise of the right to freedom of expression, the right to information or to fulfill a legal obligation or to perform a task of public interest and one of the following is true:

  • The personal data are no longer necessary for the purposes for which they were processed.
  • The justification for processing was only your consent, which you have revoked.
  • You have objected to the processing of your personal data that we have made public.
  • You have objected to the processing of personal data not made public by us and there are no legitimate reasons for the processing.
  • Your personal data has been processed unlawfully.
  • The deletion of personal data is required to fulfill a legal obligation to which we are subject.

There is no entitlement to deletion if, in the case of legitimate non-automated data processing, deletion is not possible or only possible with disproportionately high outlay due to the special nature of the storage and your interest in deletion is low. In this case, the deletion is replaced by the restriction of processing.


10.4 Restriction of processing

You may require us to restrict processing if any of the following applies:

  • You dispute the accuracy of your personal data. The restriction may be required in this case for the duration that allows us to verify the accuracy of the data.
  • The processing is unlawful and you request the restriction of the use of your personal data instead of deletion.
  • Your personal information is no longer needed by us for the purposes of processing, but you need it to assert, exercise or defend legal claims.
  • You have lodged an objection in accordance with Art. 21 para. 1 GDPR. The limitation of processing may be required as long as it is not certain that our justified reasons outweigh your reasons.

Restriction of processing means that the personal data will be processed only with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest. Before we lift the restriction, we have a duty to inform you.


10.5 Data portability

You have the right to data portability if the processing is based on your consent (Article 6 (1) sentence 1 (a) or Article 9 (2) (a) GDPR) or on a contract to which you are a party and the processing is done using automated procedures. The right to data portability in this case includes the following rights, provided that this does not affect the rights and freedoms of others: You may require us to provide you with the personal information you have provided to us in a structured, common and machine-readable format. You have the right to transfer this data to another controller without hindrance on our part. If technically feasible, you may require us to transfer your personal information directly to another controller.


10.6 Objection

Insofar as the processing is based on Article 6 (1) sentence 1 (e) of the GDPR (exercise of a task in the public interest or in the exercise of official authority) or on Article 6 (1) (1) (f) GDPR (legitimate interest of the controller or a third party), you have the right, at any time, to object to the processing of the personal data concerning you on grounds relating to your particular situation. This also applies to profiling based on Art. 6 (1) sentence 1 letter e) or letter f) of the GDPR. After you exercise your right to object, we will no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
You may at any time object to the processing of the personal data relating to you for direct marketing purposes. This also applies to profiling associated with such direct marketing. After you exercise this right of objection, we will no longer use the personal data concerned for direct marketing purposes.
You have the option of informing us informally, by telephone, by e-mail, if necessary by fax, or at our postal address listed at the beginning of this privacy policy.


10.7 Revocation of consent

You have the right to revoke your consent at any time with effect for the future. The revocation of the consent can be communicated informally by phone, by e-mail, or to our postal address. The revocation does not affect the lawfulness of the data processing which has taken place on the basis of the consent until receipt of the revocation. Upon receipt of the revocation, the data processing that was based solely on your consent is discontinued.


10.8 Complaint

If you believe that the processing of your personal information is unlawful, you may lodge a complaint with a data protection supervisory authority that has jurisdiction over your place of residence or employment or the location of the alleged breach.


11. Status and update of this Privacy Policy

This Privacy Policy is as of 25 May 2018. We reserve the right to update the privacy statement in due course to improve privacy and / or adapt it to changes in regulatory practice or case law.


12. Data protection in email traffic

Encryption at FAIR AUDIT