Mandatory Information pursuant to Article 12 et seq. of the General Data Protection Regulation (GDPR)

Contact details of the controller

Surname: Bruno
First name: Simon

Surname: Falcenberg
First name: Christian

Contact details (business)
Company: Lübeck & Kollegen Steuerberater GbR
Address: Friedensstr. 11, 60311 Frankfurt am Main, Germany
Phone: 069 2426620
Email: email(at)

Contact details of the data protection officer

Contact details (business)
Full name: Marc Fuchs, DATEV eG
Address: Reichskanzler-Müller-Straße 21, 68165 Mannheim
Email: marc.fuchs(at)

Where do we get your personal information from?

Your data is basically collected from you personally. The processing of the personal data provided by you is necessary for the fulfilment of the contractual obligations resulting from the contract concluded with us. Because of your cooperation obligations, the provision of  the personal data requested by us is unavoidable, otherwise we cannot fulfil our contractual obligations. Accounting and/or tax disadvantages for you cannot be excluded otherwise.

The provision of your personal data is necessary as part of pre-contractual measures (e.g. master data acquisition in the prospective process). A contract cannot be concluded if you do not provide the requested data.

To provide our services, it may be necessary to process personal data that we have received with permission from other companies or other third parties, such as tax authorities, your business partner or the like for the respective purpose.

Furthermore, we may process personal data from publicly available sources, such as Internet sites which we use with permission and only for the purpose of the contract.

Purposes and legal bases of the processing

The personal data provided by you will be processed in accordance with the provisions of the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

On the basis of consent (pursuant to Art. 6 Para. 1 lit. a GDPR)
The purposes of the processing of personal data arise from the granting of consent. You can revoke any given consent at any time with effect for the future. Consents granted prior to the application of the GDPR (25 May 2018) can also be revoked. Processing that took place before the revocation remains unaffected by the revocation. Example: The sending of a newsletter, release from professional secrecy for the disclosure of the data provided by you at your request to third parties (e.g. banks, insurance companies, shareholders, etc.).

For the fulfilment of contractual obligations (pursuant to Art. 6 Para. 1 lit. b GDPR)
The purposes of the data processing arise, on the one hand, from the initiation of pre- contractual measures, which precede a contractually regulated business relationship and, on the other hand, for the fulfilment of the obligations arising from the contract concluded with you.

On the basis of legal requirements (pursuant to Art. 6 Para. 1 lit. c GDPR) or in the public interest (pursuant to Art. 6 Para. 1 lit. e GDPR)
The purposes of data processing arise from legal requirements or are in the public interest (e.g. compliance with record retention requirements, proof of compliance with notice and information obligations of the tax consultant).

In the context of weighing of interests (pursuant to Art. 6 Para. 1 lit. f of the GDPR)
The purposes of processing arise from the protection of our legitimate interests. It may be necessary to process the data provided by you beyond the actual performance of the contract. Our legitimate interest may be justification for the further processing of the data that you have provided, unless your interests or fundamental rights and freedoms prevail. In individual cases, our legitimate interest can be: Assertion of legal claims, defence against liability claims, prevention of criminal offences.

Who receives the personal data that you provide?

In our company, those areas that need the data to fulfil their contractual and legal obligations and that are authorised to process this data have access to the personal data that you provided.

In fulfilment of the contract concluded with you, only those entities that need the data for legal reasons, e.g. tax authorities, social security institutions, competent authorities and courts will receive the data that you provided.

As a custodian of professional secrets, we are obliged to comply with and ensure professional secrecy. Other recipients receive the data that you provided only at your request when you release us from professional secrecy.

As part of our provision of services, we hire processors who contribute to the fulfilment of contractual obligations, such as data processing centre service providers, IT partners, shredders, etc. These processors are contractually obliged by us to comply with both professional secrecy requirements and those of the GDPR and the German Federal Data Protection Act (BDSG).

Is the data that you provided transmitted to third countries or international organisations?

Data that you provided will never be transmitted to a third country or an international organisation. Should you wish to transfer the data that you provided to a third country or an international organisation in individual cases, we will only do so after having received your written consent and release from professional secrecy.

Does automated decision-making including profiling take place?

No fully automated decision-making (including profiling) pursuant to Art. 22 GDPR is used to process the data that you provided.

Duration of processing (deletion criteria)

The data that you provided is processed as long as it is necessary to achieve the contractually agreed purpose, basically for as long as the contractual relationship with you exists. After the termination of the contract, the data that you provided will be processed to comply with statutory record retention requirements or based on our legitimate interests. After the expiry of the statutory retention periods and/or the cessation of our legitimate interests, the data that you provided will be deleted.

Anticipated periods of our record retention requirements and our legitimate interests:

  • Keeping of commercial, tax and professional retention periods. The periods for retention and documentation are two to ten years.
  • Preservation of evidence under the statute of limitations. Pursuant to Sections 195 et seq. German Civil Code (BGB), these limitation periods can be up to 30 years, whereas the regular limitation period is three years.

Information about your rights

Right to information pursuant to Art. 15 GDPR:
You have the right, on request, to obtain free information as to whether and what data is stored about you and for what purpose the data is stored.

Right to rectification pursuant to Art. 16 GDPR:

You have the right to request the controller to immediately rectify your incorrect personal data. Taking the purposes of processing into account, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to deletion (“right to be forgotten”) pursuant to Art. 17 GDPR:

You have the right to ask the controller to delete your data immediately. The controller is obliged to delete personal data immediately if one of the following reasons applies:

  1. Cessation of the purposes for which the personal data were collected.
  2. You revoke your consent to processing. There is no other legal basis for the processing of the data.
  3. You object to the processing. There is no other legal basis for the processing of the data.
  4. The personal data were processed unlawfully.
  5. The deletion of personal data is required to fulfil a legal obligation under Union or national law to which the controller is subject.
  6. The personal data have been collected in relation to information society services offered pursuant to Article 8 Paragraph 1.

Right to restriction of processing pursuant to Art. 18 GDPR & Section 35 German Federal Data Protection Act (BDSG):
You have the right to request the restriction of processing of data if the following conditions are met:

  1. You question the accuracy of your personal data.
  2. The processing is illegal; you refuse deletion, however.
  3. The personal data is no longer needed for the purposes of processing; however, you need the information to assert, exercise or defend your legal rights.
  4. You have objected to the processing of data pursuant to Art. 21 Para. 1 GDPR. Processing will be restricted as long as it is not clear whether the legitimate reasons of the controller prevail over you.

Right to data portability pursuant to Art. 20 GDPR:
You have the right to receive the data that you provided in a structured, commonly used and machine-readable format from the controller. We may not obstruct the forwarding of the data to another controller.

Right to object pursuant to Art. 21 GDPR:
For this please contact the controller responsible for the processing (see above).

Right to complain at the supervisory authority pursuant to Art. 13 Para. 2 lit. d, 77 GDPR in conjunction with Section 19 German Federal Data Protection Act (BDSG):
If you are of the opinion that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. Please contact the responsible supervisory authority for this purpose.

Withdrawal of consent pursuant to Art. 7 Par. 3 GDPR:
If the processing of the data is based on your consent pursuant to Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a (processing of special categories of personal data), you are entitled to withdraw the consent for the specific purpose at any time without prejudicing the legality of the processing based on the consent given until it has been revoked.