Privacy Policy

I. Name and contact details of the party responsible for processing data and its data protection officer

This information on data protection applies to data processed by:

Responsible Party
Schlun & Elseven Rechtsanwälte PartG
(hereinafter: the law firm)
Von-Coels-Str. 214
52080 Aachen
Tel: +49 (0) 241 4757140
Fax: +49 (0) 241 47571469

Data Protection Officer

DataCo GmbH
Dachauer Str. 63
80335 Munich

Tel: +49 (0) 89 8967 5516 93

II. Legal Basis of this Privacy Policy

Our law firm processes personal data in compliance with the data protection regulations set out in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as the Telecommunications Telemedia Data Protection Act (TTDPA). Personal data in the sense of the regulations above (Art. 4 No. 1 DSGVO) is information that relates to an identified or identifiable natural person. Your data will be processed by us if

you have consented to this (Art. 6 para. 1 sentence 1 lit. a) GDPR),
it is necessary for the performance of a contract with you or for the implementation of pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b) GDPR),
it is necessary for the performance of a contractual obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) or
it is necessary to protect the legitimate interests of our law firm or a third party, and if there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Accordingly, your personal data will not be transferred to third parties for purposes other than those listed above.

III. Collection and Storage of Personal Data: Type of Data and Purpose of Use

1. When visiting the website

When you visit our website, the browser on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called “logfile”. The following information is collected without any action on your part and stored until automatic deletion:

IP address of the device accessing the website,
date and time of access,
name and URL of the file accessed,
the website from which the access took place (referrer URL),
the browser and potentially the operating system used by your device and the name of your access provider.
We process the data mentioned above for the following purposes:
Ensuring that the device connects to the website smoothly,
ensuring that our website can be used comfortably,
evaluating the security and stability of the system.

The legal basis for the data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest results from the purposes for data collection listed above. We do not use in any case the collected data to conclude your person.

We also use cookies and analysis services. Cookies that are not necessary for the website’s functionality are only set after your consent. You can find more detailed explanations under points IV and V of this data protection declaration.

2. When using our contact form

For questions of any kind, we offer you the option to contact us via a form provided on our website. This requires providing us with a valid e-mail address, your first and last name, and telephone number. In this way, we know who the enquiry is from and can respond to it. Further information can be provided voluntarily.

Data processing to contact us is based on legitimate interest under Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the user-friendly collection as well as the processing and answering of your enquiry.

The personal data collected by us for the use of the contact form will be automatically deleted after the enquiry you made has been dealt with, or the purpose of the contact has ceased to exist. If a client relationship with you has come about and the purpose of processing your data has not yet ended, we will continue to store it. We comply with the requirements for purpose limitation, data minimisation and storage limitation set out in Art. 5 para. 1 lit. b), c) and e) GDPR. More detailed information on the storage period of personal data can be found under point VII.

3. KeyCDN

We use a Content Delivery Network (“CDN”) of the technology service provider proinity LLC, Frankenstrasse 9, 8832 Wollerau, Switzerland (“KeyCDN”) on our website.

This service is mainly used to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the Internet instead of the origin server. The use of KeyCDN’s Content Delivery Network helps us optimise our website’s loading speed and ensures that our visitors worldwide can access our website as quickly as possible. In the event of an attack (e.g., DDoS attack) on our website and similar unauthorised actions, KeyCDN helps us defend ourselves.

The processing is carried out under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in the safe and efficient provision and improvement of the stability and functionality of our website.

4. Sendinblue

Our law firm uses the email relay service “Sendinblue” for sending business emails. The service provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. The Sendinblue GmbH is a certified German provider that fulfils the requirements of GDPR and the Federal Data Protection Act.

The data you enter while using our contact form is stored both on the server of our law firm and on the Sendinblue GmbH server. This includes, for example, your name and email address. Our law firm does not use Sendinblue to send newsletters or other advertising products. The processing is based on Art. 6 para. 1 lit. a) GDPR. The legitimate interest lies in the reliable and secure delivery of business emails, which serve, among other things, to confirm appointments or the payment of initial consultation fees. Sendinblue does not sell or share your personal information with third parties or use it for any purpose other than for our designated business emails.

5. CleverReach

To create and send newsletters, our law firm uses the email marketing tool “CleverReach” of the company CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. CleverReach fulfils the requirements of the GDPR and guarantees data security through a TÜV-tested system.

CleverReach uses a double opt-in procedure (DOI) to register for the newsletter. Those interested in a subscription receive an email containing a link to confirm the subscription. As soon as the interested party has approved the link, the subscription to the newsletter takes place. Personal data is stored on the CleverReach servers, which are exclusively located in the EU.

The email marketing software by CleverReach complies with the European General Data Protection Regulation (GDPR) requirements and guarantees the highest level of data security. In addition, CleverReach has been audited and has received DIN ISO/IEC 27001 certification and confirmation as a (DSS/PCI) Level 1 service provider.

Your data is processed under Art. 6 para. 1 lit. a) GDPR based on your voluntary given consent.

6. Cryptshare in own Management

For the secure transfer of files of any kind and size, our law firm uses the ISO 27001 and NTA 7516 certified digital transfer service Cryptshare. Cryptshare AG, Schwarzwaldstr. 151, 79102 Freiburg, Germany, develops software solutions for companies.

Our law firm has its own Cryptshare server, thus ensuring the secure transmission of files. Before sending our emails, we can select an email classification, which allows us to determine the level of protection required for the information contained in the message. To ensure an optimal level of security, the sending of emails is always done through an encrypted data transfer.

Cryptshare is subject to the European General Data Protection Regulation (GDPR) requirements and the Federal Data Protection Act (BDSG). Personal data is processed under Art. 6 para. 1 lit. f) GDPR based on a legitimate interest in securely sending files of any size and type.

7. YOURLS URL Shortener in own Management

In the interest of data minimisation, we operate our own URL shortener. This creates a short URL for long internet addresses (URLs) and stores statistics about the calls to the respective short URL. To protect the calling IP address, we use the “YOURLS Pseudonymize Plugin”, which discards the last two digits of each IP address. It is an open-source software. Short URLs are used, among other things, on third-party websites, social media portals or blogs to measure reach. The data collected after pseudonymisation is processed by us and not passed on to third parties. The server is located in Germany.

The corresponding processing is carried out by Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest lies in measuring the reach of our website and in providing user-friendly links.

8. Salesforce

We use the Sales Cloud of the company Salesforce, represented in Germany by Germany GmbH (Erika-Mann-Str. 31, 80636 Munich, Germany) for customer service and to optimise our customer contact. The US parent company is based in San Francisco, CA 94105, USA.

We use the Sales Cloud of the company Salesforce, which is a customer relationship management system (CRM) that centrally records and processes the enquiries received via the various channels. The servers for processing all personal data are located within the EU. Under no circumstances will your data be sold to third companies, persons or institutions or passed on to service providers other than those mentioned here.

In addition, Salesforce undertakes to ensure an adequate level of data protection comparable to that of the European Union through binding corporate rules by Art. 46 para. 2 lit. b) and Art. 47 GDPR.

The data security and integrity of Salesforce´s systems are proven through numerous certifications. These include:

ISO 27001, ISO 27017, ISO 27018,
Privacy Shield,
Truste Privacy Verified Seal.

As a matter of principle, we do not use Salesforce services that result in the transfer of personal data to a non-European Salesforce infrastructure.

The legal basis for the collection and processing of data by Salesforce is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in processing your data with an efficient and secure customer management system and preparing it for further internal processing.

9. CookieFirst – Cookie Consent Management Platform (CMP)

Our website uses the Cookie Consent Management Platform (CMP) of CookieFirst ( to obtain your consent to store certain cookies on your terminal device and document this by data protection law. The provider of this platform is Digital Data Solutions B.V., Plantage Middenlan 42a, 1018-DH Amsterdam, the Netherlands (hereinafter “CookieFirst”).

When you access our website, the following personal data is transferred to CookieFirst:
Your consent(s) or withdrawal of your consent(s),
your IP address,
information about your browser,
information about your terminal device,
the time of your visit to the website.

In addition, CookieFirst stores a cookie in your browser to be able to assign your consent(s) or their revocation to you. The collected data is stored until you request to delete it, CookieFirst deletes the cookies itself, or the purpose of storing the data no longer applies. Mandatory legal storage obligations remain unaffected by this.

CookieFirst is used to obtain the legally required consent to the use of cookies. The legal basis for this is Art. 6 para. 1 p.1 lit. c) GDPR.

Contact for order processing

We have concluded an order processing contract with CookieFirst. This contract is required under data protection law, which ensures that CookieFirst only processes the personal data of our website visitors by our instructions and in compliance with the provisions of the GDPR.

IV. Cookies

We use so-called cookies on our website. When you visit our website, these small files are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.). Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware.

The cookie stores information created in connection with the specific end device used. However, this does not mean that we gain direct knowledge of your identity. Instead, the use of cookies serves to make our offer more pleasant for you. We use so-called “session cookies” to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our website.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a certain fixed period. If you revisit our website, it is automatically recognised that you have visited our website at an earlier time. In addition, the entries, and settings that you have made are also acknowledged so that you do not have to re-enter them.

We also use cookies to record the use of our website statistically and evaluate it to optimise our offer for you (see point V). If you return to our website, these cookies enable us to recognise that you have been on our website. These cookies are automatically deleted after a certain period.

The data processed by cookies are necessary for the purposes mentioned above to protect our legitimate interests and those of third parties by Art. 6 para. 1 sentence 1 lit. f) GDPR.

Please note: Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer, or a notice always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website. For more information about cookies on our website, please refer to our Cookie Policy.

V. Analysis and Tracking Tools

The tracking measures listed below and used by us are based on Art. 6 para. 1 p. 1 lit. f) GDPR. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our website. In addition, we use the tracking measures to statistically record the use of our website and evaluate it to optimise our offer for you. These interests must be regarded as legitimate within the provision above. The respective data processing purposes and data categories can be found in the corresponding tracking tools.


The provider of this website uses the services of etracker GmbH from Hamburg, Germany ( to analyse usage data. We do not use cookies for web analysis by default. As we use analysis and optimisation cookies, we obtain your explicit consent separately in advance. If this is the case and you consent, cookies will be used to enable a statistical coverage analysis of this website, a measurement of the success of our online marketing measures, as well as test procedures, e.g., to test and optimise different versions of our online offer or its components. Cookies are small text files stored by the internet browser on the user´s end device. etracker cookies do not contain any information that enables the identification of a user.

The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently audited, certified and awarded with the ePrivacyseal data protection seal of approval.

Data processing is carried out based on the legal provisions of Art. 6 para. 1 lit. f) (legitimated interests) of the General Data Protection Regulation (GDPR). Our concern regarding the GDPR (legitimate interests) is optimising our online offer and our web presence. Since the privacy of our visitors is important to us, data that may allow a reference to a person, such as the IP address, login or device identifiers, are anonymised or pseudonymised as soon as possible. No other use is made from the data, nor is it merged with other data or passed on to third parties.

You can object to the data mentioned above processing at any time. The objection has no adverse consequences.

VI. Duration of Storage

It follows from the provision on the storage of personal data standardised in Art. 5 para. 1 GDPR that personal data may be stored for the period required for the specific purpose. Your personal data provided to us will therefore be stored for as long as is necessary for the particular processing purpose. This means:

As a result of the lawyer´s duty to retain data as standardised in Section 50 of the Federal Lawyer´s Act (BRAO), we are obliged to retain the hand files and the electronic data processing used in the context of these for six years. Under Section 50 para. 1 sentence 3 BRAO, the period begins with the end of the calendar year in which the assignment was terminated.

If our law firm receives personal data from a potential client, we will process this data for the following purposes:

Possibility of contract,

verification of a conflict of interest,

pre-contractual exchange.

If no client relationship is established, your data will not be further processed by us.

VII. Data Subject Rights

If our law firm processes your personal data, you are entitled to the following rights as a data subject under the General Data Protection Regulation (GDPR):

Rights of access: By Art. 15 of the GDPR, the data subject has the right to obtain information about the personal data we process. In particular, you can request information regarding the following aspects:

the purpose of the processing,

the category of personal data,

the types of recipients to whom your data have been or will be disclosed,

the planned storage period,

the existence of a right to rectification, erasure, restriction of processing or objection,

the presence of a right of appeal,

the origin of your data (if we have not collected it), and

the existence of automated decision-making, including profiling and, if applicable, meaningful information on its details.

Right to rectification: Under Art. 16 GDPR, you may request the correction of incorrect or incomplete personal data stored by us without undue delay.

Right to erasure: Under Art. 17 GDPR, the data subject has the right to request the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. The right to erasure is therefore limited by the lawyer´s duty of retention standardised in Section 50 of the Federal Lawyer´s Act (BRAO). The aforementioned norm obliges a lawyer to retain hand files for six years (Section 50 para. 1 sentence 1 BRAO). This Pursuant to Section 50 para. 4 BRAO, this shall apply respectively if the lawyer uses electronic data processing to keep the case files or store documents in safekeeping. Under Section 50 para. 1 sentence 1 BRAO, the retention period begins with the end of the calendar year in which the mandate was terminated.

Right to restriction of processing: Under Art. 18 GDPR, you may request the restriction of the processing of your personal data to the extent that

you dispute the accuracy of the data,

the processing is unlawful, but you object to its deletion,

we no longer require the data, but you need it to assert, exercise or defend legal claims, or

you have objected to the processing by Art. 21 GDPR.

Right to data portability: Under Art. 20 GDPR, you may receive the personal data you have provided to us in a structured, commonly used and machine-readable format or request that it be transferred to another responsible party.

Revocation of consent: By Art. 7 para. 3 GDPR, you have the right to revoke your consent once given. This consequence is that we may no longer continue the data processing based on this consent.

Right to complain: Under Art. 77 of the GDPR, the data subject has the right to complain to a supervisory authority. You can contact the supervisory authority of your usual place of residence, workplace or our registered office.

VIII. Right of Objection

If your personal data is processed based on legitimate interests under Art. 6 para. 1 sentence 1 lit. f) GDPR, you have the right to object to the processing of your personal data under Art. 21 para. 1 GDPR. This is possible if there are grounds for arising from your particular situation. Unless we can prove grounds worthy of protection that outweigh your interests and rights, we will no longer process your personal data after exercising your right of objection. The objection will not be successful if the data processing serves the assertion, exercise or defence of legal claims.

The affected person also has the right to object to the processing of their personal data for direct advertising at any time by Art. 21 para. 2 GDPR. If you exercise this right, we will no longer use your personal data for advertising.

If you wish to exercise your right of revocation or objection, email

IX. Data Security

Within the website visit, we use the widespread SSL procedure (Secure Socket Layer) to connect the highest encryption level supported by your browser. Generally, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

X. Up-to-dateness and Amendment of this Data Protection Declaration

This data protection declaration is up to date as of August 2022 and is currently valid. Due to the further development of our website and the associated offers and changes in legal or official requirements, it may nevertheless be necessary to amend this data protection declaration. A current version of the data protection declaration can be accessed and printed out at any time on the website at