Privacy Statement

1. Name and contact details of the controller

This privacy statement provides information concerning the processing of personal data on the firm’s website of:


GTK GINSTER THEIS KLEIN & PARTNER mbB Wirtschaftsprüfer Steuerberater Rechtsanwälte 
Am Strauchshof 2
50321 Brühl
Telephone: +49 2232 9345-0
Fax: +49 2232 9345-67

Contact details of the data protection officer:

Stefan Liebert

Zertifizierte Datenschutzfachkraft (DEKRA)

Tel. +49 (0) 2862/580123


The law firm’s data protection officer can be reached at the address given above and at

2. Scope and purpose of processing personal data

2.1 Accessing the website

When accessing the website, data is automatically sent to this website’s server by the Internet browser used by the visitor and stored in a log file for a limited period of time. The following data is stored without any further input from the visitor until it is automatically deleted:

    IP address of the visitor’s device,
  • Date and time of access by the visitor,
  • Name and URL of the page accessed by the visitor,
  • Website from which the visitor reaches the firm (so-called referrer URL),
  • Browser and operating system of the visitor’s device as well as the name of the access provider used by the visitor.

The processing of this personal data is justified in accordance with Article 6 (1) (1) (f) of the GDPR. The firm has a legitimate interest in the processing of the data for the purpose of

  • swiftly establishing the connection to the law firm’s website,
  • enabling user-friendly use of the website,
  • recognising and guaranteeing the security and stability of the systems, and
  • facilitating and improving the administration of the website. The processing of the data is categorically not for the purpose of gaining knowledge about the person visiting the website.

2.2 Contact form

Visitors can send messages by means of an online contact form on the website. In order to be able to receive a reply, you must provide your first name, last name, a valid email address, subject and message text. The person making the inquiry can provide all other information voluntarily. By sending the message via the contact form, the visitor consents to the processing of the personal data transmitted. Data processing takes place exclusively for the purpose of handling and answering inquiries via the contact form. This is done on the basis of the voluntary consent given in accordance with Article 6 (1) (1) (a) of the GDPR. The personal data collected for the use of the contact form will be deleted automatically as soon as the request has been dealt with and there are no reasons for further storage (e.g. subsequent instruction of our firm).

2.3 Newsletter

By registering to receive the newsletter, the visitor expressly agrees to the processing of the personal data transmitted. To register for the newsletter, only the visitor’s email address needs to be entered. The legal basis for processing the visitor's personal data for the purpose of sending newsletters is the consent in accordance with Article 6 (1) (1) (a) of the GDPR. The visitor can unsubscribe from receiving future newsletters at any time. This can be done by using a special link at the end of the newsletter or by sending an email to

3. Disclosure of data

Personal data is transmitted to third parties if

  • the data subject has expressly consented to this in accordance with Article 6 (1) (1) (a) of the GDPR,
  • disclosure under Article 6 (1) (1) (f) of the GDPR is necessary to assert, exercise or defend legal rights and there are no grounds to assume that the data subject has an overriding legitimate interest in his/her data not being disclosed,
  • there is a legal obligation to transmit data in accordance with Article (6) (1) (1) (c) of the GDPR and/or
  • this is required under Article 6 (1) (1) (b) of the GDPR for the fulfilment of a contractual relationship with the data subject.

Personal data is not passed on to third parties in any other cases.

4. Cookies

So-called cookies are used on the website. These are data packets that are exchanged between the server of the firm's website and the visitor's browser. When you visit the website, these are saved by the devices used (PC, notebook, tablet, smartphone, etc.). Cookies cannot cause any damage to the devices used in this respect. In particular, they do not contain any viruses or other malware. The cookies store information arising in connection with the specific device used. This means that the firm cannot gain direct knowledge of the identity of the visitor to the website under any circumstances.


Cookies are largely accepted according to the basic settings of the browser. The browser settings can be configured in such a way that cookies are either not accepted on the devices used or a special notification is given before a new cookie is created. It is pointed out, however, that deactivating cookies can mean that not all of the website’s functions can be used in the best possible way.

The employment of cookies helps to make the firm's website more convenient to use. For example, session cookies can be used to track whether the visitor has already visited individual pages of the website. After leaving the website, these session cookies are deleted automatically.

Temporary cookies are used to improve user-friendliness. They are stored on the visitor's device temporarily. When you visit the website again, it is recognised automatically that the visitor has already accessed the page at an earlier point in time and what entries and settings were made so that they do not have to be repeated.


Cookies are also used to analyse visits to the website for statistical purposes and to improve the site. When the website is visited again, these cookies make it possible to automatically recognise that the website has already been accessed by the visitor. The cookies are deleted automatically after a specified time. The data processed by cookies is justified for the above-mentioned purposes to protect the firm’s legitimate interests in accordance with Article 6 (1) (1) (f) of the GDPR.


Cookie Name

Expiry date


Google Analytics Further information (English)


2 years

This cookie is used to differentiate between visitors.


24 hours



1 minute

Used to throttle the polling rate.

Google AdWords


3 months

Google AdWords Cookie to improve coordination between conversions and clicks.

Web server


When closing    the browser

This cookie is a reference to a unique session ID set by our website code for a current browser session. This cookie does not collect any personal user data.


5. Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Inc. (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Use includes the “Universal Analytics” operating mode. This makes it possible to assign data, sessions and interactions to a pseudonymous user ID across multiple devices and in this way analyse the activities of a user across several devices.

Google Analytics uses so-called “cookies”, text files that are saved on your computer and which enable an analysis of your use of the website. The information generated by the cookie about your use of this website is normally transmitted to a Google server in the USA and stored there. If IP anonymization is activated on this website, your IP address will, however, be shortened by Google beforehand within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address is transmitted to a Google server in the USA and abbreviated there in exceptional cases only. We would like to point out that Google Analytics has been expanded on this website to include IP anonymization in order to guarantee anonymous collection of IP addresses (so-called IP masking). The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can find more information on terms & conditions of use and data protection at or at

5.1 Purposes of processing

On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website activity and internet usage.

5.2 Legal basis

The legal basis for the use of Google Analytics is your consent in accordance with Article (6) (1) (1) (a) of the GDPR.

5.3 Recipients / categories of recipients

The recipient of the data collected is Google.

5.4 Transmission to third countries

The personal data is transmitted to the USA under the EU-US Privacy Shield based on the adequacy decision taken by the European Commission. You can access the certificate here.

5.5 Duration of data storage

The data sent by us and linked with cookies, login names (e.g. user ID) or advertising IDs will be deleted automatically after 14 months. Data whose retention period has expired is automatically deleted once a month.

5.6 Data subject rights

You can revoke your consent at any time with effect for the future by preventing the storage of cookies by setting your browser software accordingly; we would like to point out, however, that in this case you may not be able to use the full extent of all the functions offered on this website.

You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and the processing of such data by Google by downloading and installing the browser add-on. Opt-out cookies prevent the future collection of your data when you visit this website. In order to prevent acquisition by Universal Analytics across different devices, you have to perform the opt-out on all the systems used. Clicking here sets the opt-out cookie: deactivate Google Analytics

6. Plugins and Tools

6.1 YouTube

Our website uses plugins from the Google-operated YouTube site. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

If you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers will be established and the YouTube server will be informed which of our pages you have visited.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

YouTube is used in the interest of providing an attractive presentation of our online offers. This represents a legitimate interest within the meaning of Article 6 (1) (f) of the GDPR.

You can find further information on the handling of user data in YouTube's privacy statement at:

6.2 Google reCAPTCHA

Our website uses “Google reCAPTCHA” (referred to here as “reCAPTCHA”). The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

reCAPTCHA is used to check whether the entry of data on our websites (e.g. in a contact form) is carried out by a person or an automated program. For this purpose, reCAPTCHA analyses the behaviour of the visitor to the website on the basis of various characteristics. This analysis begins automatically as soon as the visitor enters the website. reCAPTCHA evaluates various information for the analysis (e.g. IP address, length of time the visitor spends on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Visitors to the website are not advised that an analysis is taking place.

The data is processed on the basis of Article 6 (1) (f) of the GDPR. The website operator has a legitimate interest in protecting its websites against improper automated spying and SPAM.

Further information about Google reCAPTCHA and Google’s privacy statement can be found at the following links: and

6.3 Google Maps

Our website uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the functions of Google Maps, your IP address has to be saved. This information is normally sent to a Google server in the USA and stored there. The provider of this site does not have any influence on this data transmission.

The Google Maps service is used in the interest of providing an attractive presentation of our online offers and to make it easier to find the places specified by us on the website. This represents a legitimate interest within the meaning of Article 6 (1) (f) of the GDPR.

More information on the handling of user data can be found in the Google privacy statement at:

7. Your rights as a data subject

Insofar as your personal data is processed when you visit our website, you, as the “data subject”, have the following rights under the GDPR:

7.1 Access

You can request information from us with regard to whether we process your personal data. There is no right of access if the provision of the requested information would violate the duty of confidentiality under Article 83 of the German Tax Consulting Law (Steuerberatungsgesetz, StBerG) or the information has to be kept secret for other reasons, in particular because of an overriding legitimate interest of a third party. In derogation of this, there may be an obligation to provide access if your interests outweigh the interests of secrecy, especially having regard to impending harm or damage. The right of access is also excluded if the data is only stored because it may not be deleted due to legal or statutory retention periods or serves the exclusive purpose of data backup or data protection monitoring, insofar as providing access would require disproportionate effort and the processing for other purposes is ruled out by suitable technical and organisational measures. If the right of access is not excluded in your case and your personal data is processed by us, you can request access from us to the following information:

  • Purposes of the processing,
  • Categories of your personal data undergoing processing,
  • Recipients or categories of recipients to whom your personal data is disclosed, especially in the case of recipients in third countries,
  • Where possible, the planned duration over which your personal data will be stored or, if this is not possible, the criteria for determining the storage period,
  • The existence of a right to correction or deletion or restriction of the processing of the personal data pertaining to you or a right to object to such processing,
  • The existence of a right to complain to a supervisory authority for data protection,
  • If the personal data has not been collected from you as the data subject, the available information concerning the origin of the data,
  • Where applicable, the existence of automated decision-making, including profiling and meaningful information about the logic involved as well as the scope and intended effects of automated decision-making,
  • Where necessary, in the case of transmission to recipients in third countries, unless a decision has been taken by the EU Commission on the adequacy of the level of protection in accordance with Article 45 (3) of the GDPR, information with regard to what suitable guarantees are provide for under Article 46 (2) of the GDPR concerning the protection of personal data.

7.2 Rectification and completion

If you find that we have incorrect personal data pertaining to you, you can request that we rectify such incorrect data immediately. If your personal data is incomplete, you can request that it be supplemented to render it complete.

7.3 Erasure

You have a right to erasure (“the right to be forgotten”) unless the processing is necessary to exercise the right to freedom of expression, the right to information or to fulfil a legal obligation or perform a task that is in the public interest and one of the following reasons applies:

  • The personal data is no longer necessary for the purposes for which it was processed.
  • The basis of justification for the processing was exclusively your consent, which you have withdrawn.
  • You have objected to the processing of your personal data that we have made public.
  • You have objected to the processing of personal data not made public by us and there are no overriding legitimate reasons for the processing.
  • Your personal data was processed unlawfully.
  • Deletion of the personal data is required to meet a statutory obligation that we are subject to.

There is no entitlement to erasure if the deletion in the case of lawful non-automated data processing is not possible or is only possible with disproportionate effort due to the special type of storage, and your interest in the deletion is classified as low. In this case, the deletion is replaced by restriction of processing.

7.4 Restriction of processing

You can ask us to restrict processing if one of the following grounds applies:

  • You contest the accuracy of the personal data. In this case, the restriction can be requested for the period we need to check the accuracy of the data.
  • The processing is unlawful and you request that the use of your personal data be restricted instead of being deleted.
  • We no longer need your personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims.
  • You have lodged an objection in accordance with Article 21 (1) of the GDPR. Restriction of processing can be requested for as long as it is still uncertain whether our legitimate grounds outweigh your reasons.

Restriction of processing means that the personal data is only processed with your consent or for asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of important public interest. We have a duty to inform you before we lift the restriction.

7.5 Data portability

You have the right to data portability insofar as the processing is based on your consent (Article 6 (1) (1) (a) or Article 9 (2) (a) of the GDPR) or on a contract to which you are a party and the processing is carried out using automated processes. In this case, the right to portability includes the following rights, insofar as these do not affect the rights and freedoms of others. You can request us to provide you with the personal data you have provided to us in a structured, commonly-used and machine-readable format. You have the right to transfer this data to another controller without any hindrance on our part. As far as technically feasible, you can require us to transfer your personal data directly to another controller.

7.6 Objection

If the processing is based on Article 6 (1) (1) (e) of the GDPR (performance of a task carried out in the public interest or in the exercise of official authority) or on Article 6 (1) (1) (f) of the GDPR (legitimate interests pursued by the controller or by a third party), you have the right to object to the processing of the personal data pertaining to you for reasons arising from your particular situation. This also applies to profiling based on Article 6 (1) (1) (e) or (f) of the GDPR. After the right of objection has been exercised, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

You can object to the processing of your personal data for direct marketing purposes at any time. This also applies to profiling associated with such direct marketing. After this right of objection has been exercised, we will no longer use the personal data concerned for direct marketing purposes.

You have the possibility to notify our firm of your objection informally by phone, email, fax or at the postal address listed at the beginning of this privacy statement.

7.7 Withdrawal of consent

You have the right to withdraw your consent at any time with effect for the future. Notification of the withdrawal of consent can be given informally by phone, email, fax or to our postal address. The withdrawal does not affect the lawfulness of the data processing that took place based on consent up to the time the withdrawal notice was received. After receipt of the withdrawal notice, data processing based solely on your consent will be discontinued.

7.8 Complaint

If you believe that the processing of your personal data is unlawful, you can lodge a complaint with a data protection supervisory authority responsible for the location in which you reside or work or for the location of the alleged violation.

8. Version and updating of this privacy statement

This privacy statement is the version as per 25 May 2018. We reserve the right to update the privacy statement in due course in order to improve data protection and/or adapt to changes in official practice or case law.