Privacy notice

  • Processing of personal dataClose

    The purpose of this notice is to inform you about the processing of your personal data by Wendelstein Rechtsanwälte PartGmbB Budde Fischer Freytag Hofstetter Koenen Müller-Etienne Steuerberater (»Wendelstein« or the »law firm«). This information notice is intended for any natural person (in particular, representatives, contact persons or employees of our clients or other cooperation partners) with whom we have (or will imminently have) an attorney-client relationship, or a contract, service or business relationship or any other relationship of communication.

    We take the confidentiality and the protection of your personal data very seriously. Therefore, we process your personal data only to the extent permissible under statutory provisions, in particular, under the EU General Data Protection Regulation (EU-Datenschutz-Grundverordnung, »GDPR«) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, »BDSG«).

    If you have any questions about this information notice or our policies regarding the processing of your personal data, you can always address any of the contact details below.


    1. Responsibilities and contact details

    The data controller, i.e., the person responsible for processing your personal data is:

    Wendelstein Rechtsanwälte PartGmbB
    Bockenheimer Landstr. 33
    60325 Frankfurt am Main

    If you instructed our notary Dr. Lars F. Freytag, he is the data controller in the meaning of the GDPR.

    Our data protection officer is available by email at: or by regular post at:             

    Two Towers Consulting GmbH & Co. KG   
    Hohenzollernring 51
    50672 Cologne    


    2. Processing of your personal data

    Subject matter of our data processing are your contact details as well as, if applicable, other personal data required for the provision of our services or our communication with you. This includes, in particular, the following data:

    • Master data (e.g. name, address, contact information such as email, telephone number and internet address),
    • Client-related data (e.g. contracts, communication, shipping documents, evidence, witness data),
    • Advisory data (e.g., contents of inquiries, advisory documentation, documents, file notes, legal opinions and legal assessments),
    • Activity data (e.g. advisory documentation, proof of services, accounts as well as further information necessary for the assertion and defense of your rights within the scope of the mandate),
    • As well as other data that you voluntarily provide to us within the scope of the client relationship.

    We process the personal data collected from applicants as part of the application process (e.g. names, details from cover letters, CVs and interviews) by means of electronic storage. Only the employees and partners of Wendelstein PartGmbB involved in recruiting matters have access to this data. Data is not transferred to third parties. The legal basis for this processing is Sec. 26 para. 1 sent. 1 German Data Protection Act. If the application does not result in an employment relationship with the applicant, we store the applicant’s data for a further period of six months. This is done to protect our legitimate interests in order to be able to defend ourselves against any claims for damages. The legal basis for this is Art. 6 para. 1 sent. 1 lit. f) GDPR.

    Data processing usually follows your request and, pursuant to Art. 6 para. 1 sentence 1 lit. b) GDPR, is necessary for a proper handling of the mandate and the mutual fulfillment of obligations. Moreover, we process your personal data to the extent that this is necessary for the purposes of the legitimate interests pursued by Wendelstein (Art. 6 para. 1 sentence 1 lit. f) GDPR). The processing of your personal data based on the above-mentioned provisions, is particularly necessary

    • in order to enter into or execute engagement letters, instructions of our notaries, contracts and other business relationships (including the processing of purchase orders, deliveries or payments) or in order to prepare or reply to quotation requests and to determine the conditions of the contractual relationship, namely with our clients, service providers or cooperation partners for whom you act as representative or employee, as the case may be;
    • for internal administrative purposes of the law firm (e.g., for accounting purposes);
    • for any other communication purposes;
    • in order to ensure IT security and IT operations at the law firm;
    • in order to engage service providers (e.g., external IT service providers) who support our business processes;
    • in order to conduct compliance or similar investigations in individual cases.

    Moreover, personal data is also processed in order to perform contracts entered into or to fulfil orders placed by natural persons with whom we have business relationships (Art. 6 para. 1 sentence 1 lit. b) GDPR).

    If we know you personally and/or you have a client relationship with our law firm, we may send you greeting cards on special occasions, such as Christmas, based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR. We assume that the recipients are pleased with the greetings on special occasions. If this is not the case, you can object to the sending of greeting cards in accordance with Art. 21 GDPR (see section 5.).

    If you choose not to provide us with your personal data, we are unable to perform the contractual relationship and/or cannot fulfil the above stated communication purposes.

    Pursuant to the provisions of the German Anti-Money Laundering Act (Geldwäschegesetz, »GWG«), we are obligated to identify our clients and, hence, need you to provide us with the necessary information (Sec. 11 para. 6 sentence 1 »GWG«). Pursuant to Sec. 50 of the German Federal Lawyers' Act (Bundesrechtsanwaltsordnung, »BRAO«) and Sec. 35 »BNotO«) and by the provisions of the Ordinance on the Maintenance of Notarial Records and Directories (Verordnung über die Führung notarieller Akten und Verzeichnisse, »NotAktVV«), we are obligated under professional law (Berufsrecht) to keep and manage attorneys' reference files and notarial books, registers and files, respectively; to this purpose, we may use electronic data processing. In these cases, data processing is required by law and is based on Art. 6 para. 1 sentence 1 lit. c) GDPR.

    If you have not provided us with your personal data yourself, we received such data from our clients or cooperation partners or obtained them from publicly available sources, in particular from company websites or industry directories or public registers, e.g. land register, commercial registers and registers of associations.


    3. Confidentiality and DELETION of your personal data

    Each of our employees as well as all staff members of third-party service providers who have access to personal data are obligated to treat such data confidentially. 

    We will continue processing your personal data also after termination of our attorney-client, contract or service relationship or our contact to the extent that this is necessary for the aforementioned purposes, to comply with post-contractual obligations or to fulfil statutory requirements for the retention of records or for the purposes of the legitimate interests pursued by us. The same applies if you have consented to additional data storage pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR. Thereafter, your personal data will be erased.

    The personal data obtained by us for the purpose of the mandate will be retained by us for a period of ten years and then deleted, unless we are obliged to retain the data for a longer period pursuant to Art. 6 para. 1 sentence 1 lit. c) GDPR due to retention and documentation obligations under tax and commercial law (from the German Commercial Code (Handelsgesetzbuch, »HGB«), German Criminal Code (Strafgesetzbuch, »StGB«) or German Fiscal Code (Abgabenordnung, »AO«) as well as professional regulations for the purpose of conflict checks or unless you have agreed to a longer retention pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR.

    • Insofar as our notary Dr. Lars F. Freytag has been commissioned, the following retention obligations apply pursuant to Sec. 50 para. 1 NotAktVV:Deed index, paper-based deed collection, electronic deed collection, inheritance contract collection, and special collection: 100 years,
    • Paper-based document collection, custody register, and general files: 30 years,
    • Collective file for bill of exchange and check protests and ancillary files: 7 years; the notary may determine a longer retention period in writing no later than the last time the ancillary file is processed in terms of content, e.g. in the case of dispositions upon death or in the case of recourse; the determination may also be made generally for individual types of legal transactions, e.g. for dispositions upon death.

    After expiry of the retention periods, your data will be deleted or the paper documents destroyed, unless the notary is obliged to retain them for a longer period of time pursuant to Art. 6 para. 1 sentence 1 lit. c) GDPR due to retention and documentation obligations under tax and commercial law (from HGB, StGB, GWG or AO) as well as professional regulations for the purpose of conflict checks.


    4. Disclosure of your personal data

    We will transmit your personal data only on the basis of (and in accordance with) the statutory provisions in the context of the correct execution of a mandate or of instructions to our notary or if and to the extent that you have consented to such transmission in the individual case.

    To the extent required for the purposes outlined under section 2., your personal data may be disclosed to service providers within and outside the European Economic Area (EEA) who perform specific services for us such as IT services (processors). In the course of our work, we also use, among other things, cloud-based IT solutions from third-party providers (e.g., Microsoft Office365). In particular, we use (cloud-based) services for document management, collaboration and automatization or analysis of documents as well as external (cloud-based) providers of Exchange servers and data rooms.

    In the course of our law firm's usual work processes and for the purposes specified under section 2., it is possible that we disclose your data to third parties within and outside the European Union, for example to our cooperation partners or to law firms with whom we work together on a client matter, to translators, opponents or to other third parties.

    In addition, we can – to the extent legally permissible – disclose your data to domestic and foreign public authorities and courts (such as social security institutions, tax authorities or law enforcement agencies) in order to comply with statutory duties or in order to act in the interests of our law firm.

    The data disclosed may be used by our employees and third parties exclusively for the purposes stated. The attorney-client privilege remains unaffected. We have also taken technical and organizational measures to process your data securely and to ensure an adequate level of data protection for transfers to third countries.


    5. Your Rights

    Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you have the right to receive information about your personal data, to require rectification or deletion of your personal data or the restriction of the processing outlined under section 2 (Art. 15 through Art. 18 and Art. 21 GDPR). You are further entitled to receive your personal data in a structured, commonly used and machine-readable format (data portability). You have the right to withdraw your consent at any time (Art. 7 para. 3 GDPR).

    As far as we base the processing of your personal data on the consideration of interests pursuant to Art. 6 para. 1 sentence. 1 lit. f) GDPR, you may object to the processing. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the merits of the case and either discontinue or adapt the data processing or show you our compelling legitimate grounds based on which we will continue the processing.

    Further, you are entitled to lodge a complaint with the competent supervisory authority, the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit), regarding the processing of your personal data (Art. 77 GDPR).


    Status: 3 August 2022

  • Website Data ProtectionClose

    We take data protection very seriously when it comes to our online presence. Therefore, we are providing you with complete information about this subject concerning our website We want you to know what data we collect, when, and how we use it. When processing your personal data, we observe all legal requirements, especially those set forth under the European General Data Protection Regulation (»GDPR«).

    The controller pursuant to Art. 4 (7) GDPR is:

    Wendelstein Rechtsanwälte PartGmbB
    Budde Fischer Freytag Hofstetter Koenen Müller-Etienne Steuerberater
    Bockenheimer Landstraße 33
    60325 Frankfurt am Main

    Wendelstein is entered in the partnership register of the Local Court of Frankfurt am Main, Germany, under number PR 2674.

    1. Personal data

    We obtain your personal data, such as name, telephone number, or email address, only if you share this data with us explicitly, for instance, when you give us your email address so we can contact you.

    We retain this data as long as it is necessary for the purpose for which you provided us with the data. After that, it is erased unless we are required to retain it for a longer amount of time on the basis of statutory retention periods. You may request information about your data at any time (for more information see the section »Your rights«).

    This data is processed based on Art. 6 (1) sentence 1 letter f GDPR or Art. 6 (1) sentence 1 letter b) GDPR if you have an attorney-client relationship with us.

    2. Collection, processing, and use of the data

    Personal data provided to us online is collected, processed, and used only for the purposes communicated in the specific case. More extensive collection, processing, or use is carried out only if this 

    • takes place for another purpose directly associated with the original purpose for which the personal data was collected,
    • is required based on a legal obligation or an official or court order
    • is necessary to substantiate or protect legal claims or to defend against lawsuits 
    • serves to prevent abuse or other illegal activities, e.g. deliberate attacks on our systems. 

    3. Logging 

    When you access our website, your browser sends technical data that is then logged. Your IP address, your browser detection and domain, the name of the file retrieved, date and time of retrieval, the transmitted data quantity, and successful retrieval are recorded in a log file.

    None of the data in the log files has any direct connection to personal data and is not combined with other personal data. We register your visits for reasons of data security in order to ensure the stability and operational security of our systems and to defend against unauthorized attacks. The log data therefore is used exclusively for internal purposes. It is deleted automatically after a period of 60 days. This data is processed on the basis of Art. 6 (1) sentence 1 letter f) GDPR. 

    4. Active components

    When you visit one of our websites, we may store information on your computer in the form of a cookie. Cookies allow us, for instance, to improve the display of our website. If you do not want our cookies on your computer, please configure your Internet browser so that it deletes cookies from your computer, blocks all cookies, or warns you before a cookie is stored.  

    5. Security

    We employ technical and organisational security measures to protect the data that you have provided from accidental or deliberate manipulation, loss, destruction or from access by unauthorized individuals. In so doing, we have adopted standards and we improve our measures according to the latest technological advancements. Nonetheless, please note that, according to the latest technical standards, data cannot be fully protected when it is transmitted online. 

    6. Your rights

    The GDPR defines a number of rights to which you are entitled in your dealings with us and any other enterprise processing your data. We would like to provide you with a more detailed explanation of these rights below.

    • You have the right to receive from us free of charge any information about the personal data being stored about you.
    • You have the right to request that your personal data be rectified.
    • You have the right to request that your personal data be erased unless statutory requirements oppose such erasure.
    • You have the right to request that your personal data be processed in a restricted manner unless statutory requirements state otherwise.
    • You have the right to obtain the personal data that you have provided to us in a structured, commonly used, and machine-readable format in order to transmit these data to another controller. In addition, you have the right to request that we transfer the personal data directly to another controller to the extent that this is technically feasible.
    • You have the right to object to the processing of your personal data. If you have approved the processing of your personal data you may withdraw this approval at any time.
    • Finally, you have the right to file a complaint about our processing of your personal data to the competent data protection supervisory authority, in our case the Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden.

    To assert your rights, please write to our data protection officer (see the next section).  

    7. Data Protection Officer 

    We have appointed an external data protection officer. You can reach our data protection officer at the email address or by regular mail at Two Towers Consulting GmbH & Co. KG, Hohenzollernring 51, 50672 Cologne. If you want to contact our data protection officer by email through encrypted communication, you are welcome to first send an email to the email address stated above requesting the public S/MIME key.