Data protection notice for customers and prospective customers
Information to be provided to data subjects pursuant to Art. 13 ff. of the GDPR when personal data is collected from our customers and prospective customers.
Our offer is addressed exclusively to companies, enterprises, entrepreneurs, tradesmen and public institutions. Contracts with consumers according to Sec. 13 of the German Civil Code are not targeted.
Table of Contents
1. Identity and contact details of the controller
2. Contact details of the data protection officer
3. Purposes of the processing for which the personal data is intended as well as the legal basis for processing
3.1 Handling of inquiries and preparation of offers (Art. 6 Sec. 1 lit. f GDPR)
3.2 Implementation and execution of contracts (Art. 6 Sec. 1 lit. f GPDR)
4. Data transfer outside the EU/EEA
5. Recipients of data and data sources
5.1. Categories of recipients of the personal data
5.2. Data sources
6. Duration of data storage
7. Rights of data subjects
8. Right of appeal to a supervisory authority
9. Obligation to provide personal data
10. Automated decision-making and profiling
1. Identity and contact details of the controller
The controller for the processing of your personal data is your business partner as named in your consultancy contract (“goetzpartners”):
Prinzregentenstraße 56
80538 Munich
Germany
e-mail address: info@goetzpartners.com
2. Contact details of the data protection officer
Martin Holzhofer
Holzhofer Consulting GmbH
Lochhamer Str. 31
82152 Planegg, Germany
Tel.: +49 89 1 25 01 56 00
E-Mail: datenschutzbeauftragter@holzhofer-consulting.de
3. Purposes of the processing for which the personal data is intended as well as the legal basis for processing
3.1 Handling of inquiries and preparation of offers (Art. 6 Sec. 1 lit. f GDPR)
If you are interested in our corporate finance and management consulting services offered (e.g. M&A, Debt Advisory, Private Equity Consulting, Strategy Advisory services we process and store the following data (for the purpose of processing your inquiry and preparing an offer) when you contact us (e.g. by e-mail, telephone or contact form on our website):
- Title
- Name, first name
- Company/organization and possibly department in the company
- Position in the company
- Business address
- Business phone numbers
- Business fax number
- Business e-mail address
The legal basis for processing your data is our legitimate interest pursuant to Art. 6 Sec. 1 lit. f GDPR. A balancing of interests has taken place with the conclusion that the processing of your data is necessary to respond to your inquiry and possibly for further pre-contractual measures. Such interest supersedes potential privacy interests or fundamental rights and freedoms to protect your data.
3.2 Implementation and execution of contracts (Art. 6 Sec. 1 lit. f GPDR)
In order to implement and fulfill an existing contractual relationship, in particular to provide respective services stated in your contract with “goetzpartners” and to manage the contractual relationship, we and any third parties or processors commissioned by us process the following data from you, insofar as you have provided us with this data in the course of preparation or execution of the contractual relationship:
Contact details of contact persons and, if applicable, the team active on customer’s side in the course of our service rendering
- Title
- Name, first name
- Company/organization and possibly department in the company
- Position in the company
- Business address
- Business phone numbers
- Business fax number
- Business e-mail address
For invoicing, monitoring and collection of trade receivables, we process contact details of accounting contacts and other persons entrusted with these processing operations.
We also use online video conferencing systems of the respective customer or alternatively our own system for various services, e.g. for consulting services. The activation of video transmission is the responsibility of the respective participant and is not linked to any advantages or disadvantages in the provision of the services. A recording of the video conferences by us shall only be made upon request and in consultation with all participants. If, in exceptional cases, recording by us is necessary, consent will be obtained from the participants in accordance with Art. 6 Sec. 1 lit. a in conjunction with Art. 7 GDPR
The legal basis for processing your data is our legitimate interest pursuant to Art. 6 Sec. 1 lit. f GDPR. A balancing of interests has taken place with the conclusion that the interests of the data subjects do not override our interests in the processing. We have a legitimate interest in the implementation and execution of contractual obligations with our customers, for which the processing of the data and data categories mentioned here is necessary.
Some of your data (e.g. name, business e-mail address, business telephone number, account data (e.g. M365 user name and password), IP address, document meta data) is processed for the administration and security of the IT system (IT security). This includes created and archived text documents (e.g. correspondence).
Without this data processing, secure operation of the system and thus cooperation with our company is not possible.
The legal basis for processing your data is our legitimate interest pursuant to Art. 6 Sec. 1 lit. f GDPR. A balancing of interests has taken place with the conclusion that the interests of the data subjects, among other things due to the technical and organizational measures taken by us, do not override our interests in the safe and incident-free functioning of the IT system.
4. Data transfer outside the EU/EEA
Data transfers to countries outside the EU and the European Economic Area ("Third Countries") takes place only on the following basis:
- on an adequacy decision of the European Commission according to Art. 45 GDPR;
- on an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the Third Country;
- on standard data protection clauses adopted by the Commission pursuant to the examination procedure referred to in Art. 93 Sec. 2 GDPR.
Currently, in connection with the establishment and execution of contracts with customers and prospective customers, data transfer to countries outside the EU and the European Economic Area ("Third Countries") takes place in the following cases:
- Transfer of data to Microsoft Corporation, 1 Microsoft Way, Redmond, Washington 98052-8300, USA (e.g. in connection with the use of our video conferencing system Teams)
- Transfer of data to Salesforce, Inc. Salesforce Tower 415 Mission Street, 3rd Floor San Francisco, CA 94105. USA (in connection with the provision and use of our CRM system)
- Transfer of data to Project Affinity, Inc., 170 Columbus Avenue Floor 3, San Francisco, CA, 94133 USA (in connection with the provision and use of our relationship intelligence platform)
For the USA, the European Commission has issued an adequacy decision according to Art. 46 Sec. 3 GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. Microsoft and Salesforce are certified under the DPF and thus committing to comply with European data protection principles.
Standard data protection clauses according to Art. 46 Sec. 2 lit. c GDPR were concluded with Project Affinity and a Transfer Impact Assessment was carried out in addition.
Data processed on our systems are located exclusively on servers in Germany.
5. Recipients of data and data sources
5.1. Categories of recipients of the personal data
For the processing of personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:
- Service provider for hosting and operation of our online video conferencing system and our CRM-System
- Service provider for hosting and operation of our relationship intelligence platform
- Service provider for hosting of servers for provision of web-based services
- Service provider for operation of e-mail servers
- Software service providers for AI-based cybersecurity software
Other recipients who are not processors:
- Financial institutions and providers of payment services for billings as well as processing of payments
- Lawyers for the defense and enforcement of claims
- Tax consultants as well as accounts for (financial) accounting and preparation of balance sheets
- Debt collection service providers and competent courts to collect receivables and enforce claims in court. If personal data (customer and contact data, payment data and data on the claim) is transferred to a debt collection service provider in the event of collection, we will inform you in advance of the intended transfer)
- Competent auditing authorities.
In addition, we will only pass on your personal data to third parties if you have given your express prior consent. You have the right to withdraw your consent at any time with effect for the future.
Your data will also be passed on if we are legally obliged to do so.
5.2. Data sources
We process personal data that we have received from prospective customers and customers in the course of our business relationships.
Insofar as it is necessary for the provision of our services, we process personal data that we permissibly obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or that we are legitimately provided with by other third parties (e.g. a credit agency or an address service provider).
6. Duration of data storage
Personal data will only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law.
We delete data from inquiries about our products and services in accordance with the statutory retention obligations, which arise primarily from commercial and tax law (in particular Section 147 German Tax Code (Abgabenordung) and Section 257 German Commercial Code (Handelsgesetzbuch).
Furthermore, personal data is stored for the duration of your contractual relationship with goetzpartners. Personal data may also be stored for the performance of a task that is in the public interest or involves the exercise of official authority. In addition, personal data may be stored for the duration of the exercise or defense of or against legal claims.
After your contractual relationship with goetzpartners ends, your data will fundamentally be stored until the expiration of the statutory statute of limitations, i.e. basically for a duration of three years from the origin/knowledge of the claim, however, in other cases e.g. for the duration of six years (as per the German Income Tax Act (Einkommensteuergesetz) and the German Tax Code) or ten years (as per the German Commercial Code), for instance with respect to payroll accounts etc.
We store your data for advertising purposes until your objection to its use, the withdrawal of your consent or the use is no longer permitted by law. We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it after the purpose no longer exists.
7. Rights of data subjects
If not otherwise stated, goetzpartners is responsible for processing your data.
You have the right to request from us access to personal data (Art. 15 GDPR) and the rectification of inaccurate personal data(Art. 16 GDPR). Furthermore, you have the right to obtain the erasure of personal data(Art. 17 GDPR) concerning your person, the right to restriction of processing (Art. 18 GDPR) and the right to receive (Art. 20 GDPR) the personal data provided to us by you, in a structured, commonly used and machine-readable format.
In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).
Where the processing is based on your given consent you can withdraw the consent(Art. 7 Sec. 3 GDPR) at any time. Upon receipt of your withdrawal of consent, we will no longer use or process the data concerned for purposes mentioned in your consent.
If you wish to exercise your rights as a data subject, please send your request to:
goetzpartners
Prinzregentenstr. 56
80538 Munich
Germany
datenschutz@goetzpartners.com
8. Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this regulation.
The Bayerische Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), PO-box 1349, 91504 Ansbach, Germany, is generally responsible for us. Alternatively, you can approach the supervisory authority that is locally responsible for you.
9. Obligation to provide personal data
The provision of personal data by the customer as specified in Section 3.2 above is necessary for the performance of contractual obligations of goetzpartners. The non-provision of this data would mean that the consultancy contract could not be concluded or performed.
10. Automated decision-making and profiling
goetzpartners does not employ any automated decision-making procedures or other profiling measures pursuant to Art. 22 Sec. 1 and Sec. 4 GDPR.
Status: June 2024