I. General Information
1. Controller and Data Protection Officer
Controller
Kreutz & Partner Rechtsanwälte PartG mbBSonsbecker Straße 61
46509 Xanten
Tel.: +49 2801 77 100
Email: mail@kreutzlaw.de
Further information about the controller can be found at https://kreutzlaw.de/de/impressum/.
Data Protection Officer
Dennis Tenge
acting under Black on White
Advertising and Communications Agency
Nordring 13
47495 Rheinberg
post@b-o-w.de
2. Legal Bases for Data Processing
As a matter of principle, any processing of personal data is prohibited by law and is only permitted if the processing falls under one of the following legal bases:
- Art. 6(1) sentence 1 lit. a GDPR (Consent): If the data subject has voluntarily, in an informed manner and unambiguously indicated, by a statement or other clear affirmative action, that they consent to the processing of personal data relating to them for one or more specific purposes;
- Art. 6(1) sentence 1 lit. b GDPR: If processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- Art. 6(1) sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a statutory retention obligation);
- Art. 6(1) sentence 1 lit. d GDPR: If processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Art. 6(1) sentence 1 lit. e GDPR: If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Art. 6(1) sentence 1 lit. f GDPR (Legitimate Interests): If processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (especially where the data subject is a minor).
Storing information in the end user’s terminal equipment or accessing information that is already stored in the end user’s terminal equipment is only permissible if it is covered by one of the following legal bases:
- Section 25(1) TDDDG: If the end user has given consent on the basis of clear and comprehensive information. Such consent must be given in accordance with Art. 6(1) sentence 1 lit. a GDPR;
- Section 25(2) no. 1 TDDDG: If the sole purpose is the transmission of a message over a public telecommunications network; or
- Section 25(2) no. 2 TDDDG: If the storage or access is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.
For each processing operation carried out by us, we specify below the applicable legal basis. Processing may also be based on multiple legal bases.
3. Data Security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
4. Disclosure of Data to Third Parties
The following recipients or categories of recipients—generally processors (see section 5 below)—may be granted access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted through the systems (e.g., data center services, IT security). The legal basis for disclosure is then Art. 6(1) sentence 1 lit. b or lit. f GDPR, insofar as they are not processors.
- Public bodies/authorities, insofar as this is necessary to comply with a legal obligation. The legal basis is then Art. 6(1) sentence 1 lit. c GDPR.
- Persons involved in the operation of our business (e.g., auditors, banks, insurers, supervisory authorities, parties involved in company acquisitions or the formation of joint ventures). The legal basis is then Art. 6(1) sentence 1 lit. b or lit. f GDPR.
Beyond this, we will only disclose your personal data to third parties if you have given your express consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
5. Processors
Where we use external service providers in Germany or abroad (e.g., for IT, telecommunications, marketing), they act only on our instructions and have been contractually obligated within the meaning of Art. 28 GDPR to comply with data protection requirements (processors). Where we use processors for the processing activities described below, they are named in the relevant section.
6. Transfers to Third Countries
In the context of our business relationships, your personal data may be transferred to or disclosed to group companies. These may also be located outside the European Economic Area (EEA), i.e., in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and for maintaining your business relationship with us (legal basis: Art. 6(1) sentence 1 lit. b or lit. f in conjunction with Art. 44 et seq. GDPR).
If a transfer to a third country is intended and the European Commission has not issued an adequacy decision for that country (Art. 45 GDPR), we have implemented appropriate safeguards to ensure an adequate level of data protection. These include, inter alia, the European Union Standard Contractual Clauses or binding internal data protection rules. Where this is not possible, we rely on derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for performance of a contract.
If a third-country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, it is possible— and there is a risk—that authorities in the respective third country (e.g., intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights may not be guaranteed.
7. Storage Period
We process and store your personal data only for as long as the purpose of storage applies. If statutory retention, documentation or other obligations require it, we also store your personal data beyond the original purpose.
After expiry of retention and documentation obligations, we delete the data unless legitimate interests justify further storage.
8. No Automated Decision-Making (Including Profiling)
We do not intend to use your personal data for automated decision-making procedures (including profiling).
9. No Obligation to Provide Personal Data
As an interested party or client, you are generally under no legal or contractual obligation to provide us with your personal data; however, it may be the case that we can only provide certain offers/services to a limited extent or not at all if you do not provide the data required for that purpose. If this should exceptionally be the case within the scope of the services presented below, we will inform you separately.
10. Statutory Obligation to Provide Certain Data
We may, under certain circumstances, be subject to a special statutory or legal obligation to provide lawfully processed personal data to third parties, in particular public authorities (Art. 6(1) sentence 1 lit. c GDPR).
11. Your Rights
- Right of access (Art. 15 GDPR): You have the right to request information about the processing of your personal data. As part of providing this information, we will explain the processing and provide an overview of the data stored about you.
- Right to rectification (Art. 16 GDPR): If data stored by us is incorrect or no longer up to date, you have the right to have it corrected.
- Right to erasure (Art. 17 GDPR): You may request deletion of your data. If deletion is exceptionally not possible due to other legal provisions, the data will be restricted so that it is only available for that statutory purpose.
- Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing of your data (e.g., if you believe the data stored by us is not correct).
- Right to data portability (Art. 20 GDPR): Upon request, we will provide you with a digital copy of the personal data you have provided to us.
To exercise your rights described here, you may contact us at any time using the contact details provided above under section 1. This also applies if you wish to receive copies of safeguards to demonstrate an adequate level of data protection.
Right to lodge a complaint
You also have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR in conjunction with section 19 BDSG). You may exercise this right with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. In North Rhine-Westphalia, the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), which can be reached at the following contact details:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
P.O. Box 200444
40102 Düsseldorf
Phone: +49 211 38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de
12. Right to Withdraw Consent and Right to Object
Pursuant to Art. 7(3) GDPR, you have the right to withdraw any consent you have given at any time with effect for the future. This means that we will no longer continue the data processing based on that consent in the future. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you that is based on Art. 6(1) sentence 1 lit. e GDPR (processing in the public interest) or Art. 6(1) sentence 1 lit. f GDPR (processing based on a balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4(4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
Where the objection concerns processing for direct marketing purposes, you have a general right to object, which will be implemented by us even without stating reasons.
If you wish to exercise your right to withdraw consent or your right to object, an informal notice to the contact details provided above is sufficient.
II. Contacting Us Outside Our Website
Contact by Phone and Contact by Email
We process the data you provide during a phone call or transmit when contacting us by email in order to respond to your inquiry. The legal basis for this data processing is Art. 6(1) sentence 1 lit. f GDPR (our legitimate interest in effectively handling inquiries addressed to us) or, where your consent was requested, Art. 6(1) lit. a GDPR. If the contact is aimed at concluding a contract with us (mandate agreement), the processing is based on Art. 6(1) lit. b GDPR.
The data collected in this context will be automatically deleted after your inquiry has been fully processed—unless we still need your inquiry to fulfill contractual or statutory obligations.
III. Processing of Personal Data When Visiting Our Website
1. Hosting
Our website is hosted externally by Dennis Tenge, acting under Black on White Agency for Advertising and Communication, Nordring 13, 47495 Rheinberg (“host”).
Your personal data collected on this website (see below) is stored on the host’s servers. The legal basis for external hosting is Art. 6(1) sentence 1 lit. b GDPR (for the purpose of performing a contract with prospective and existing clients) and otherwise Art. 6(1) sentence 1 lit. f GDPR (for the purpose of providing our website).
2. Visiting Our Website
Each time you use our website—including purely informational use—we collect access data that your browser automatically transmits in order to enable you to visit the website. This access data includes in particular:
- Date and time of access;
- Name of the requested file;
- Website from which the file was requested (referrer URL);
- Websites accessed by your system via our website;
- Access status (e.g., file transferred, file not found);
- Browser type and browser version;
- Operating system of your device;
- Internet service provider;
- IP address of the requesting device.
Processing this access data is necessary to enable the visit to the website and to ensure the long-term functionality and security of our systems. The legal basis is Art. 6(1) sentence 1 lit. f GDPR, with our legitimate interest arising from the purposes stated.
4. Google Analytics
Our website uses the web analytics service Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies and similar technologies to analyze and improve our website based on your user behavior.
Access data is aggregated by Google on our behalf into pseudonymous usage profiles and, together with anonymized IP addresses, is generally transferred to and processed on a Google server in the USA. For these cases, Google has committed to the EU-U.S. Privacy Framework.
Google Analytics sets the following cookies for the stated purpose with the respective storage periods: “_ga” (2 years), “_gid” (24 hours) (both to recognize and distinguish website visitors via a user ID), “_gat” (1 minute) (to reduce requests to Google servers) and, if applicable, “IDE” (13 months) (third-party cookie to recognize and distinguish website visitors via a user ID, to record interaction with advertising and for delivering personalized advertising).
The legal basis for processing this information is your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR. If you have not consented to the use of Google cookies, your data will not be collected within the scope of Google Analytics.
Further ways to prevent web analytics by Google:
- Configure your browser to block Google Analytics cookies.
- Adjust your Google ad settings: https://support.google.com/ads/answer/7395996
- Install the deactivation plug-in provided by Google (not for mobile devices): https://support.google.com/ads/answer/7395996
More information on handling user data:
- Google Privacy Policy: https://policies.google.com/privacy?hl=de
- Google Analytics information: https://support.google.com/analytics/answer/6004245?hl=de
4. Plugins
This site uses so-called web fonts provided by Google for uniform display of fonts. The Google Fonts are installed locally. No connection to Google servers takes place. Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=de.
We do not use any social media plug-ins. Instead, the buttons present in some places on the website provide links to the website of the respective social media service (in our case Facebook, Instagram and LinkedIn). The mere presence of these buttons does not necessarily result in data being collected and transmitted to these services. Further details can be found in section IV. of this privacy policy.
5. Contact Form
We offer you the possibility to send us messages via a contact form on our website. Providing an email address is required so that we can contact you. We also ask for your name so we can address you. Mandatory fields are marked as such.
We process the data you provide in the contact form to respond to your inquiry. The legal basis for this data processing is Art. 6(1) sentence 1 lit. f GDPR (our legitimate interest in effectively handling inquiries addressed to us) or, if your consent was requested, Art. 6(1) sentence 1 lit. a GDPR. If the contact is aimed at concluding a contract with us (mandate agreement), the processing is based on Art. 6(1) sentence 1 lit. b GDPR.
The data collected in this context will be automatically deleted after your inquiry has been fully processed—unless we still need your inquiry to fulfill contractual or statutory obligations.
V. Processing of Personal Data of Applicants
We offer you the opportunity to apply for open positions with us (e.g., by email or post). The purpose of data collection is the selection of applicants for the possible establishment of an employment relationship.
For processing your application, we collect the data you provide; this typically includes first and last name, email address, application documents such as references and CV, date of earliest possible start date and salary expectations.
Please note that confidentiality cannot be guaranteed when applications are sent by unencrypted email. In general, you can also apply by post or by handing in your documents directly on site.
The legal basis for processing your application documents is Art. 6(1) sentence 1 lit. b and Art. 88(1) GDPR in conjunction with Section 26 BDSG.
We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we store your applicant data for as long as it is required for the employment relationship and insofar as statutory provisions establish an obligation to retain it.
If we reject your application, we store your applicant data for a maximum of 6 months after the rejection of your application, unless you give us your consent for longer storage. If you have given us separate consent, we will store the data you submitted as part of the application in our applicant pool for a further twelve months after completion of the application process, in order to identify any other potentially suitable positions for you and, if necessary, contact you again.
Longer storage may also take place if you have given corresponding consent (Art. 6(1) sentence 1 lit. a GDPR) or if statutory retention obligations prevent deletion. After the expiry of the period, the data will be deleted. You can withdraw this consent at any time with effect for the future by sending us a message to the contact details provided above.
Status: January 2026
IV. Processing of Personal Data in Connection With Our Social Media Profiles
We maintain various profiles on so-called social media platforms. We operate profiles with the following providers:
We use the technical platforms and services of the providers for these information services. Please note that you use our profiles on social media platforms and their functions at your own responsibility. This applies in particular to the use of interactive functions (e.g., commenting, sharing, rating).
When visiting our profiles, the providers of the social media platforms collect, among other things, your IP address as well as other information that is stored on your device in the form of cookies. This information is used to provide us, as the operator of the accounts, with statistical information about interactions with us.
The data processed about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. The collected information is stored on the providers’ servers, including outside Europe. For these cases, the provider has committed to the EU-U.S. Privacy Framework. If the provider is not certified, we have agreed on standard data protection clauses, the purpose of which is to ensure an adequate level of data protection in the third country.
We are not aware of how the social media platforms use data from your visit to our account and your interactions with our posts for their own purposes, how long they store this data, and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network, or whether you visit the page as a non-registered and/or non-logged-in user.
When accessing a post or the account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device may be used to track how you have moved around the web. Via buttons embedded in websites, the platforms can record your visits to these websites and associate them with your respective profile. Based on this data, content or advertising can be offered that is tailored to you.
If you want to avoid this, you should log out or deactivate the “stay logged in” function, delete the cookies stored on your device, and restart your browser.
As the provider of the information service, we also process only the data from your use of our service that you provide to us and that requires an interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing described in this privacy policy. The legal basis for processing your data on the social media platform is Art. 6(1) sentence 1 lit. f GDPR.
To exercise your data subject rights, you may contact either us or the provider of the social media platform. If one party is not responsible for answering or must obtain the information from the other party, we or the provider will forward your request to the respective partner.
Please contact the operator of the social media platform directly if you have questions about profiling or the processing of your data when using the website. If you have questions about the processing of your interactions with us on our page, please write to the contact details provided above.
The providers describe which information the social media platform receives and how it is used in their privacy policies (see links in the table above). There you will also find information about contact options and settings for advertisements.