Data protection statement

1. Name and contact details of the person responsible

This Data Privacy Policy describes how personal data is processed on the website of:

Mazars GmbH & Co. KG
Wirtschaftsprüfungsgesellschaft
Steuerberatungsgesellschaft
Domstrasse 15
20095 Hamburg, Germany

Hereinafter referred to as "Mazars".

If you have any questions regarding our Data Privacy Policy, please feel free to contact our external data protection officer at any time. Our external data protection officer can be contacted at:

 datenschutz.hamburg@mazars.de.

2. Personal data

Personal data is information that can be used to obtain personal or factual information about you, such as your name, address, telephone number, or email address.

Information which we cannot directly use to identify you is not, in principle, personal data.

3. Legal basis of how the data is handled

Legislation, in principle, prohibits the processing of any personal data and is only permitted if the processing of data is subject to one of the following justifications:

• Art. 6 para. 1 sentence 1 lit. a) GDPR ("Consent"): If the data subject has voluntarily, in an informed manner and unambiguously, indicated by a statement or other unambiguous confirmatory act that he or she agrees to the processing of personal data concerning him or her for one or more specific purposes
• Art. 6 para. 1 sentence 1 lit. b) GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
• Art. 6 para. 1 sentence 1 lit. c) GDPR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal retention obligation)
• Art. 6 para. 1 sentence 1 lit. d) GDPR: Where the processing is necessary to protect the vital interests of the data subject or another natural person
• Art. 6 para. 1 sentence 1 lit. e) GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Art. 6 para. 1 sentence 1 lit. f) GDPR ("legitimate interests"): If the processing is necessary for the legitimate (in particular, legal or economic) interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject which require protection of personal data, in particular where the data subject is a minor

In addition, information is stored in the terminal equipment of the end user and information that is already stored in the terminal equipment is only accessed after consent has been given in accordance with Art. § 25 para. 1 TTDSG (German Telecommunications-Telemedia Data Protection Act).

The storage of any non-technically essential information in an end device used by you and its reading is independent of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) based on your explicit consent in accordance with Art. § 25 para. 1 TTDSG, insofar as this is not dispensable according to § 25 para. 2 TTDSG.

You can express consent to this by opting in through our consent management programme. You can revoke your consent at any time in the same way as you do via the cookie settings. A later revocation has no effect on the permissibility of the data processing up to the time of the revocation.

Further processing of your personal data after it has been stored or read is also performed based on your explicit consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR. You can also revoke these at any time by changing the cookie settings.

You can declare and also withdraw the consents you have given according to § 25 para. 1 TTDSG and Art. 6 Para. 1 sentence 1 lit. a) GDPR by clicking on the corresponding consent button. Each consent can be revoked individually.

4. The scope and purpose of the processing of personal data

4.1 Accessing the website

When the website www.mazars.de is accessed, the internet browser used by the visitor automatically sends data to the website server and this data is temporarily stored in a log file. Until it is automatically deleted, the following information is stored without further input from the visitor:

• IP address of the visitor's end device
• Date and time the visitor accessed the website
• Name and URL of the page viewed by the visitor
• Website from which the visitor arrived at this website (the “referrer URL”)
• The browser and operating system of the visitor's end device, as well as the name of the access provider used by the visitor

The processing of this personal data is justified in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. Mazars has a legitimate interest in processing this data to:

• Enable a user-friendly use of the website
• Recognise and ensure the security and stability of the systems
• Facilitate and enhance the administration of the website

The processing is expressly not to gain information about the person accessing the website.

4.2 Newsletter

By registering for the newsletter, the visitor expressly agrees to the processing of the transmitted personal data. To register for the newsletter, the visitor must enter their email address, salutation, first name, last name, and company name. The legal basis for the processing of the visitor’s personal data for the purpose of sending newsletters is the consent described in Art. 6 para. 1 sentence 1 lit. a) GDPR.

When you subscribe to one of our newsletters, we will send a confirmation link to the email address you provided. Only after you have activated this confirmation link will you receive our newsletter (double opt-in).

If the visitor no longer wishes to receive any newsletters, they can unsubscribe from the newsletter at any time. This is done by using a special link displayed at the end of the newsletter or by sending a message to news@mazars.de.

Service provider

Mazars works with the email marketing software "Evalanche" from SC-Networks GmbH. There is a contract between Mazars and SC-Networks GmbH for the data processing of orders.

SC-Networks GmbH is ISO/IEC 27001:2013 certified.

The nature and purpose of the processing

The processing involves collecting, recording, organising, categorising, storing, adapting, or modifying, reading, retrieving, or using the data or – via transmission – disclosing, disseminating, or otherwise providing, comparing, linking, or restricting it. The purpose is to electronically send promotional information to customers and interested parties.

The following data is processed:

• Salutation
• First and last name
• Email
• Communications data
• Behavioural data (evaluation of user behaviour based on web beacons (tracking pixels)) and the email address linked to its own ID. It records when the newsletter is read and, for example, which links are clicked.

For each user profile, which is generated via a web form using the double opt-in procedure with a confirmed email address, we automatically store the following data:

• Entered/changed (via web form): Entry type (new or changed), date and time, IP address (optional)
• Confirmation (via a link from the double opt-in request): Date and time, IP address (optional)
• Unsubscribe request (via a link from emailed communication such as the newsletter): Date and time, IP address (optional), subscription status

The cookies collected:

The objects that set cookies by default:

The following data is collected as part of the regular tracking of the objects eMailing, LeadPage, Website, Webform, SmartLink, and WebTouchPoint.

Tracking:

• Date and time
• Type (object, e.g. eMailing, LeadPage, etc.)
• Browser referral
• User Agent
• Link ID (optional)
• Object IDs
• Optional object-dependent information

Conversion tracking:

• Date and time
• Individual transfer parameters

4.3. Contact form

On our website, we give you the opportunity to contact us via email and/or a contact form. In this case, your information (name and email address) will be stored for the purpose of processing your contact request. We use this data only to handle your contact request and not for any other services (e.g. newsletters).

4.4. Job application process

If you entrust us with personal data (name, contact details, job application documents) in the context of an application, these will only be used for the application process. The purpose is to select applicants for employment. Your data will not be used for any other processing purposes. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b) GDPR (pre-contractual measures) in connection with § 26 BDSG (German Federal Data Protection Act). The applicant’s data is permanently deleted after the purpose of the processing no longer exists (usually 6 months after the application process has ended).

4.5. Events

If you register for an event organised by us (such as a workshop), we process your personal data (in particular: salutation, name, and email address) to confirm your participation. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b) GDPR. The registration data is permanently deleted after the purpose of the processing no longer exists (usually 6 months after the event has been held).

If you have consented to have your data further processed as part of the registration procedure, we or our respective cooperation partner will also process your registration data in order to send you relevant information via email. In addition, if you have consented, photographs and sound recordings of you may be made during the event and further used after the event. The legal basis for this is Art. 6 para. 1 sentence 1 lit. a) GDPR. You can revoke your consent at any time (see point 12.7 of this Data Privacy Policy). Our contact details can be found under point 1 of this Data Privacy Policy. The revocation does not affect the legality of the processing performed on the basis of the consent until the revocation. Your data will be permanently deleted after the purpose of the processing no longer exists or if you revoke your consent.

5. Sharing of data

Your personal data may be shared or disclosed to third parties within the context of our business relationships. These third parties may also be located outside the European Economic Area (EEA), for example, in third countries. Such processing is performed solely to fulfil contractual and business obligations and administer your business relationship with us. Below, we provide detailed information about this data sharing in the relevant sections.

Some third countries are certified by the European Commission through so-called “adequacy decisions” designed to ensure a level of data protection comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, there may not be a consistently high level of data protection in other third countries to which the personal data may be transferred due to a lack of legal provisions in these countries. Where this is the case, we take measures to ensure that data protection is sufficiently guaranteed. This is possible through legally binding corporate regulations, standard contractual clauses of the European Commission on the protection of personal data, certificates, or recognised codes of conduct. With regard to the individual services, we will inform you (where appropriate) about the conditions for data transfer to third countries. Please contact our data protection officer to obtain more information on this.

6. Cookies

We use cookies on our websites. Cookies are small text files that your browser assigns and stores on your hard drive using a typical string of characters and through which certain information flows to the source that set the cookie. Cookies cannot run programmes or transmit viruses to your computer and therefore do not cause any harm. They serve to make website use more user-friendly and effective and thereby more pleasant for you.

Cookies may contain data that makes it possible to recognise the device used. In some cases, however, cookies only contain information about specific settings unrelated to an individual person. However, cookies cannot directly identify a particular user.

A distinction is made between session cookies that are deleted once you close your browser, and permanent cookies that remain after the individual session. In terms of their function, cookies are categorised as either:

• Technical cookies: These are required to navigate the website, use basic functions, and ensure the security of the website. They do not collect information about you for marketing purposes nor keep a record of which websites you have visited.
• Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur while you are using our website. They do not collect information that could identify you – all the information collected is anonymous and is only used to improve our website and to find out what appears interesting to our users.
• Advertising cookies, targeting cookies: These serve to offer the website user-targeted advertising on the website or offers from third parties and to measure the effectiveness of these offers. Advertising and targeting cookies are stored for a maximum of 13 months.
• Sharing cookies: These serve to improve how our website interacts with other services (e.g. social networks). Sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not required for technical reasons constitutes data processing that is only permitted with your explicit and active consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR. This applies especially to the use of advertising, targeting, or sharing cookies. In addition, we will only share your personal data processed by cookies to third parties if you have given us your explicit consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. The following is a list of the legal bases associated with the respective service.

Cookies required for the website to function properly:

Stored confirmation of your awareness of the cookie information we provide:

When you first visit our website, a pop-up message appears with information on how we use cookies. When you click the Accept All Cookies button, we store a cookie so that we know that you have read our message, and the message will not be redisplayed on your next visit.

7. Incorporation of third-party content

Our website contains hyperlinks to the websites of other providers. Clicking one of these links takes you directly from our website to the website of the other providers. You can recognise this by the different URL, among other things.

We cannot accept any responsibility for the handling of your data on these external websites by these providers as we have no control over how these providers handle your personal data. You can learn more about this on the websites of the respective providers.

8. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google LLC ("Google"). Google Analytics uses cookies – text files that are saved to your computer and enable an analysis of how you are using the website. The cookie provides information such as the following about your use of the website:

• Browser type/version
• Operating system used
• Referrer URL (the previously visited page)
• Host name of the accessing computer (IP address)
• Time of the server request

This information is usually transferred to, and stored on, a Google server in the United States. The IP address transmitted by your browser through Google Analytics will not be combined with other Google data. We have also added the code "anonymizeIP" to Google Analytics on this website. This guarantees that your IP address is masked so that all the data is collected anonymously. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and then truncated there.

On behalf of the website operator, Google will use this information to evaluate your use of the website, compile reports on how the website is being used, and provide the website operator with other services related to website and internet use. You can prevent cookies from being stored by changing your browser settings accordingly. In this case, however, you should be aware that you might not have full use of all the website functionality.

In addition, you can prevent Google from collecting and processing the data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB. As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent the collection by Google Analytics by clicking this link. An opt-out cookie is set that prevents the collection of your data when you visit this website in the future. The opt-out cookie is only valid in this browser and only for our website and will be stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. [Note: For information on integrating the opt-out cookie, see: https://developers.google.com/analytics/devguides/collection/gajs/#disable].

We continue to use Google Analytics to evaluate data from double-click cookies and AdWords for statistical purposes. If you do not wish to do so, you can disable this via the Display Preferences Manager (https://adssettings.google.com/anonymous?hl=en-GB).

For more information on data privacy as it relates to Google Analytics, please refer to the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=en-GB).

The legal basis for using the analysis tools is Art. 6 para. 1 sentence 1 lit. f) GDPR. The website analysis is in Mazar's legitimate interest and serves as the statistical documentation of page usage for the continuous enhancement of our website and the services we offer.

The personal data collected about you will be transmitted to servers managed by Google, most of which are located in the United States. As the EU-US Privacy Shield is no longer valid, data transfer to the USA must rely on standard contractual clauses and other guarantees issued by the EU Commission. Although the transfer of personal data is covered by standard contractual clauses, this does not eliminate the possibility that the US security authorities with extensive powers can access your personal data at any time and without justification. This is true even if the servers are located in Europe. There are no effective judicial remedies available to you.

9. Google Maps

Our website uses Google Maps on some subpages to display interactive maps and directions. Google Maps is a mapping service provided by Google. When you use Google Maps, information about how you use this website, including your IP address and the (start) address you entered in the route planner, can be transmitted to Google in the United States.

When you visit a page that contains Google Maps, your browser connects directly to the Google servers. Google sends the map content directly to your browser and integrates it into the website. We therefore have no influence on the scope of the data Google collects in this manner.

The legal basis for the processing of your data is your explicit consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

Data can be transferred to the United States without meeting any further requirements by companies certified according to the Data Privacy Framework. Google is certified in accordance with the Data Privacy Framework. In addition, Google has agreed to comply with the standard contractual clauses issued by the EU Commission for additional security.

If you do not want Google to collect, process, or use data about you via our website, you can deactivate JavaScript in your browser settings or choose the appropriate setting in our cookie banner. In this case, however, you cannot display the maps.

Click here to read Google's Data Privacy Policy:

https://policies.google.com/privacy?hl=en&gl=en.

Click here to read Google's cookie policy:

https://policies.google.com/technologies/cookies?hl=en  

10. Microsoft Forms

On our websites, we use the Microsoft Forms survey tool from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft"). With this service, we provide surveys for you, in which you may be asked to provide, among other things, personal data. Participation in surveys is optional and can be done without a Microsoft registration.

The legal basis for the processing of your personal data is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, which you provide not only explicitly but also implicitly by entering the corresponding personal data.

The data processed by Microsoft Forms is stored on servers located in the European Economic Area (EEA) according to information provided by the company. According to Microsoft, no personal data is transferred to a third country, such as the United States. In addition, Microsoft is certified in accordance with the Data Privacy Framework. Data transmission is thus possible without any further requirements. Microsoft has also agreed to comply with standard contractual clauses issued by the EU Commission for additional security.

Microsoft will delete your data as soon as it is not needed for processing purposes, but at the latest after one year and 25 days.

Click here to read the Microsoft Privacy Statement:

https://privacy.microsoft.com/en-gb/privacystatement

11. Social media plugins

For reasons of data protection, we have deliberately decided not to add social media plugins (such as the Facebook Like button, the X (formerly Twitter) button or the Google +1 button) directly to our site. Therefore, when you visit our site, no data is transmitted to social media services such as Facebook, X (formerly Twitter) or Google+.

12. Your rights as a data subject

Insofar as your personal data is processed when you visit our website, the GDPR considers you to be a “data subject” and that gives you the following rights:

12.1 Right of access

In accordance with Art. 15 GDPR, you may request information from us about whether, and how, we process your personal data. A right to access this information does not exist if the data is only stored because legal or statutory regulations require its retention or if it only serves the purposes of data backup or data protection monitoring. A right to access this information also does not exist if providing the information would require a disproportionate amount of effort and any processing for other purposes is prevented by appropriate technical and organisational means. If a right of access does exist in your case, and we are processing your personal data, you can request a disclosure from us about the following information:

• Purpose of the processing
• Categories of your personal data that we are processing
• Recipients, or categories of recipients, to whom your personal data is disclosed, in particular to recipients in third countries
• If possible, the planned retention period for your personal data or, if this is not possible, the criteria for determining the retention period
• Your right to rectify, delete, or restrict the processing of your personal data and the right to object to such processing
• Your right to complain to a data protection supervisory authority
• If the personal data has not been collected from you as a data subject, the available information on the source of the data and
• Where applicable, the existence of automated decision-making, including profiling and explanatory information on the logic used, as well as the scope and intended impact of the automated decision-making
• Where applicable, in the case of transmission to recipients in third countries, unless there has been a decision by the EU Commission on the adequacy of the level of protection in accordance with Art. 45 para. 3 GDPR, information on which suitable measures have been implemented in accordance with Art. 46 para. 2 GDPR to safeguard your personal data

12.2 Correction and completion

If you find that we have incorrect and/or incomplete personal data from you, Art. 16 GDPR gives you the right to request that we correct and/or complete this incorrect or incomplete data without delay.

12.3 Erasure

Art. 17 GDPR gives you the right to request that we delete the personal data that we have stored about you unless the processing is necessary for the exercise of the right to freedom of expression, the right to information or for the fulfilment of a legal obligation or for the performance of a task which is in the public interest, is required, and if one of the following reasons applies:

• The personal data is no longer needed for the purposes for which it was processed.
• The justification for the processing was exclusively your consent, which you have revoked.
• You have objected to the processing of your personal data that we have made public.
• You have objected to the processing of personal data not made public by us and there are no overriding legitimate reasons for the processing.
• Your personal data has been processed unlawfully.
• The deletion of personal data is necessary to fulfil a legal obligation to which we are subject.

There is no right to deletion if the deletion in the case of legitimate, non-automated data processing is not possible due to the unique way in which it is stored or only possible with disproportionately high effort and your interest in deletion is low. In this case, the data is not deleted but rather its processing is restricted.

12.4 Restriction of processing

You may contact us to request that we restrict the processing of your personal data in accordance with Art. 18 Require GDPR if one of the following reasons applies:

• You dispute the accuracy of the personal data. In this case, you may request that we restrict the processing until we can verify the accuracy of the data.
• The processing is unlawful and you request that the use of your personal data be restricted instead of deleted.
• We no longer need your personal data for the purposes of the processing, but you need this data to assert, exercise, or defend legal claims.
• You have submitted an objection in accordance with Art. 21 para. 1 GDPR. You can request that the processing be restricted as long as it is not yet clear whether our legitimate reasons outweigh your reasons.

Restriction of processing means that the personal data will only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. Before we remove the restriction, we must notify you of it.

12.5 Data portability

You have a right to data portability, provided that the processing is subject to your consent (Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR). The right to data portability in this case includes the following rights, provided that these do not affect the rights and freedoms of other persons: You may request us to receive the personal data you have provided to us in a structured, common, and machine-readable format. You have the right to transmit this data to another controller without hindrance on our part. As far as technically feasible, you can request us to transfer your personal data directly to another controller.

12.6 Right to object

If the processing is performed in accordance with Art. 6 para. 1 sentence 1 lit. e) GDPR (performance of a task in the public interest or in the exercise of public authority) or Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interest of the controller or a third party), you have the right to object at any time to the processing of your personal data for reasons arising from your particular situation. This also applies to profiling based on Art. 6 para. 1 sentence 1 lit. e) or lit. f) GDPR. After exercising your right to object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

You may also object to the processing of your personal data for direct marketing purposes. This also applies to profiling associated with such direct marketing. After exercising your right to object, we will no longer use the personal data in question for direct marketing purposes.

You can inform our data protection officer of your objection via email or by writing to our postal address, which is listed at the beginning of this Data Privacy Policy.

12.7 Withdrawal of consent

You have the right to revoke a given consent at any time with future effect. Withdrawal of consent can be communicated informally by telephone, by email, or by writing to our postal address. The withdrawal of consent shall not affect the lawfulness of the processing which occurred based on consent before its withdrawal. After the withdrawal is received, the data processing, which was based exclusively on your consent, will be discontinued.

12.8 Complaint

In accordance with Art. 77 GDPR, you have the right to complain to a data protection supervisory authority about the processing of your personal data in our company. For our company, complaints must be submitted to the data protection supervisory authority responsible for us:

Hamburgischer Beauftragte für Datenschutz und Informationsfreiheit (Hamburg Commissioner for Data Protection and Freedom of Information)

Ludwig-Erhard-Strasse 22
20459 Hamburg, Germany

Email: mailbox@datenschutz.hamburg.de

https://datenschutz-hamburg.de/beschwerde/

13. Status and update of this Data Privacy Policy

This Data Privacy Policy was last updated in November 2023. We reserve the right to update the Data Privacy Policy in due course to enhance data protection and/or to adapt it to changes in governmental practice or jurisprudence.