Data Protection Policy per Art. 13 of the General Data Protection Regulation (GDPR)

This Data Protection Policy document provides information on the processing of personal data on the website of MÖHRLE HAPP LUTHER in accordance with Art. 13 of the General Data Protection Regulation (GDPR).

1 Name and contact data

The controller responsible for the website in accordance with Art. 4 section 7 GDPR can be contacted at the following address:

Brandstwiete 3
20457 Hamburg

Phone: +49 40 85 301 - 0
Fax: +49 40 85 301 - 166

For further information see the Legal disclosures page.

Our company data protection officer can be contacted at:

Attn: Data Protection Officer
Brandstwiete 3
20457 Hamburg

Phone: +49 40 85 301 - 0
Fax: +49 40 85 301 - 166

2 Processing of personal data

General overview

On our website we offer various services and employ data processing procedures as listed below:

Operation of the firm’s website and storage of log files
Processing of personal data when using our firm's website

Use of cookies
List of cookies employed for the provision of our services.

E-mail newsletter
Processing of your e-mail address if you wish to stay informed by receiving our newsletter.

Job applications
Information on current job offers and contacting the firm to apply.
Additional information on data protection can be found here.

Calendar of events
Information on events and registration.

Reach measurement using Google Analytics
Use of the service Google Analytics to continuously improve our firm’s website.

Facebook fan page
Information about our fan page (‘Insights’) in joint responsibility with Facebook

Advisories about social media links and our client portal

In order to offer our services and optimize our firm’s website on an ongoing basis, your personal data may also be transferred to other service providers which process the data.

We carefully select service providers and contractually bind them as required by law, including as processors pursuant to Art. 28 GDPR. If these providers process your data outside the European Union or European Economic Area, we ensure that they are bound by standard EU contractual clauses or certified under the US-EU Privacy Shield, a data protection agreement framework, in case of processing in the US. Accordingly, these service providers guarantee that an appropriate level of data protection will be upheld.

3 Operation of the firm’s website and storage of log files

3.1 Type of processing

When you visit the firm’s website, your internet browser automatically sends the following data to our server, where they are stored in a log file for a limited period of time:

  • Browser type and version
  • Operating system used
  • Name of the website visited immediately before
  • IP address/your device’s hostname
  • Date and time of server request

3.2 Purposes and legal basis of processing

Your data are processed for the following purposes on the basis of our legitimate interest per Art. 6 section 1 (f) GDPR:

  • to enable usage of our firm’s website
  • to present our service portfolio
  • to make it possible for existing and prospective customers to conveniently contact us
  • to ensure proper operation of our firm’s website
  • to fulfill legal obligations, such as defending against and investigating cyberattacks.

3.3 Recipients and categories of recipients

Our firm’s website is hosted by domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany. A processing agreement per Art. 28 GDPR has been concluded with the service provider. Personal data are only transferred to third parties as necessary to defend against or investigate criminal acts and as otherwise required by law.

3.4 Duration of storage

Personal data are automatically deleted seven (7) days after the connection ends unless a statutory retention period applies or we or a third party have a legitimate interest otherwise.

3.5 Right to erasure, objection and rectification

Providing and operating our firm’s website requires the collection of data and the storage of data in log files. Accordingly, you have no options for their erasure or rectification, or to lodge objection.

4 Use of cookies

4.1 Type of processing

We utilize text files (cookies) on our website which are stored and can be read on your device. There are session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored for a period beyond the end of a specific session. Cookies may contain data which make it possible to identify the device utilized. In some cases, cookies may only contain data on certain settings which do not render you personally identifiable.

4.2 Purposes and legal basis of processing

Our firm’s website employs a cookie to record your range analytics and map display settings. Processing is performed on the basis of your consent per Art. 6 section 1 (a) GDPR.

4.3 Duration of storage

Data on your chosen setting is permanently stored so that you do not have to make the setting again when revisiting our firm’s website.

You can configure your browser generally to notify you transparently when a cookie is to be placed. You have the options of deleting cookies at any time via the corresponding browser setting, or of preventing the placement of cookies in general. Please note that in such case whenever you open a web page a message will appear asking you to accept or reject the cookie, and you may not be able to utilize all features of our firm’s website.

5 E-mail newsletter

5.1 Type of processing

On our firm’s website you can subscribe to receive a regular e-mail newsletter free of charge informing you about our auditing, tax advice and legal counsel services and relevant news.

We require your e-mail address to register you for our e-mail newsletter, employing a double opt-in procedure for registration. This means that we will only send you the e-mail newsletter if you confirm a link contained in an e-mail sent to you after registering.

Your registration and confirmation are logged. The IP address of your device, your e-mail address and the time of confirmation are saved. This is to ensure that you yourself have registered for our e-mail newsletter service as user of the e-mail address specified.

5.2 Purposes and legal basis of processing

After confirmation your e-mail address is processed to ensure delivery of the e-mail newsletter to the proper target group members. Your e-mail address is used solely in order to send the e-mail newsletter. The legal basis for data processing after you register for the e-mail newsletter is your consent as per Art. 6 section 1 (a) GDPR.

The logging of your registration prior to your confirmation and the processing of your IP address and time of registration represent a legitimate interest on our part in accordance with Art. 6 section 1 (f) GDPR, in that they enable and document your registration, and they may be utilized if necessary to inform you of any potential improper use of your personal data.

5.3 Recipients and categories of recipients

We utilize the service provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, for the distribution of our e-mail newsletter and the collection of user data for this purpose, and have a processing agreement per Art. 28 GDPR in place with that provider. When you register for our e-mail newsletter, the data provided during registration are transferred to CleverReach for processing at that company’s location. Data are not transferred to third countries.

5.4 Duration of storage and any applicable parameters for determining storage criteria

Your personal data are erased pursuant to a revocation of your consent, or upon discontinuation of the service. If you revoke your consent, you will no longer receive the e-mail newsletter. Your data will be deleted from all IT systems unless another legal basis exists for the processing of your e-mail address. If you have not confirmed your registration to receive the e-mail newsletter, your data will be automatically deleted within a period of four (4) weeks.

5.5 Right to erasure, objection and to rectification

You can unsubscribe from the e-mail newsletter at any time. This may be done via a specially provided link appearing at the bottom of the e-mail newsletter, or by sending notification accordingly to the e-mail address

6 Calendar of events

6.1 Type of processing

You can register for events on our firm’s website. The following data are sent to us via the event form:

  • Personal master data (first and last name, also title and company affiliation as applicable)
  • Communication data (e-mail address)
  • Login data (date and time, IP address of your device in the registration process)
  • Information on events you are interested in attending or are unable to participate in/attend; whether you would like to receive information about other events.

For verification, you will receive an email with a registration link to finalize your participation (double opt-in process).

6.2 Purposes and legal basis of processing

The processing of your data for the registration process, planning and execution of the event is carried out on the basis of your acceptance of our terms of participation in accordance with Article 6(1)(b) of the EU General Data Protection Regulation [GDPR]. By sending the registration form your data will be processed for planning and execution of the event. In accordance with our terms of participation, we reserve the right to inform you about future events. Within the scope of the event, your participation in the event will be processed on the basis of statutory retention periods in accordance with Article 6(1)(c) of the EU General Data Protection Regulation [GDPR].

6.3 Recipients and categories of recipients

We process your data exclusively for the purposes of planning and holding events. The data is transferred to public offices and institutions (government agencies, tax authorities, etc.) for billing purposes when obligated to do so by law or regulation.


6.4 Duration of storage and any applicable parameters for determining storage criteria

Your data are deleted upon conclusion of the event if there is no further legal basis or legal obligation for its processing. In this regard we are subject to a number of retention and documentation requirements, including under German Commercial Code (HGB) and Tax Code (AO), providing for retention and documentation periods of up to ten years.

6.5 Right to erasure, objection and rectification

You may cancel registration for an event or correct your data by sending a corresponding e-mail to

7 Reach measurement using Google Analytics

7.1 Type of processing

We utilize the Google Analytics web analytics service to gather, collect and analyze data on the behavior of visitors to our firm’s website. The data collected by a web analytics service includes the web page from which you navigated to our firm’s website, what pages of the website you have accessed and how often and how long you have visited pages of the website. The IP address of your device is truncated and anonymized by Google if you access our website from a member state of the European Union or a country which is party to the Agreement on the European Economic Area.

7.2 Purposes and legal basis of processing

Personal data are processed so that we can analyze the web surfing behavior of our users. Collected data are analyzed to enable us to compile and optimize information about usage of the individual components of our firm’s website. When you visit our firm’s website you can determine whether your personal data may be processed by way of your consent in accordance with Article 6 section 1 (a) GDPR.

7.3 Recipients and categories of recipients

The operator of the Google Analytics component is Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland.

7.4 Transfers to a third country and obtaining an adequacy decision

Your personal data may be transferred to a third country internally within the Google organization. In its Implementing Decision (EU) 2016/1250 of July 12, 2016 on the EU-US Privacy Shield the European Commission found that there is an adequate level of data protection in the USA. You can read the corresponding certificate held by Google here.

7.5 Duration of storage and any applicable parameters for determining storage criteria

Data are deleted as soon as they are no longer needed for the purposes for which we recorded them. Data are saved for a period of 26 months for use so that we can identify optimization potential for our firm’s website, after which they are automatically deleted.

7.6 Right to erasure, objection and rectification

You can prevent the placement of cookies at any time via the corresponding settings of your web browser, permanently blocking the placement of cookies. Configuring your web browser this way will prevent Google as well from placing a cookie on your device. In addition, cookies placed by Google Analytics may be deleted at any time via your web browser or other software programs.

You also have the possibility of opting out and preventing the collection of data generated by Google Analytics about use of this website, and to the processing of this data by Google. This requires that you download and install a browser add-on available via this link: This browser add-on informs Google Analytics via JavaScript that data and information about visits to the web pages may not be transmitted to Google Analytics. Google considers installation of the browser add-on to be equivalent to opting out. If your device is erased, formatted or reinstalled at a later point in time, you will need to reinstall the browser add-on in order to disable Google Analytics. If you have uninstalled or deactivated the browser add-on, you would have to reinstall or reactivate the browser add-on.

You can use the following links for more information and to review Google data privacy policies:

8 Facebook fan page

We additionally provide information about our services and news about the firm on our Facebook fan page.

8.1 Type of data processing

We use the personal data you transmit to Facebook when using the fan page to analyze usage of the fan page and design our offering specifically for the target group. We utilize statistical reports on such data as total pageviews, likes, devices used, page activity, post interactions and reach, user activity (comments, shared content, responses), place of origin (country and city), language, age group, gender, level of education, occupation, relationship status, clicks on phone numbers and Facebook groups linked to our page. For example, we utilize age and gender distribution to target our marketing, make our design more attractive and schedule our posts around the preferred visit times of users, optimizing content around their interests as well. As part of Facebook ad campaigns, additional target group-specific data is also used to delimit the target group. For our usage however this data is displayed in anonymized form.

8.2 Purposes and legal basis of processing

For the information service offered we are joint controller per Art. 26 GDPR with Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The legal basis for processing is our legitimate interest in accordance with Art. 6 section 1 (f) GDPR in marketing our services and being able to enter into contact with you.

8.3 Categories of personal data processed

We as provider of the information service do not process any further data derived from usage of our fan page. In accordance with the Facebook Terms of Service, which you agreed to when creating your Facebook profile, we are, however, able to identify you as a registered user of our fan page, view your profile and other information you have shared, and contact you.

8.4 Right to information, rectification, objection and erasure

Facebook is the only party that has full access to user data, thus we recommend that you contact Facebook directly to assert your rights as outlined under point 11.

Additional information is available via links to the pages on page insights data processing and data privacy.

See the full Facebook data use policy for an overview of data processing by Facebook. As an alternative we offer assistance at the address stated under point 1 on asserting your rights against Facebook.

9 Client portal

9.1 Type of processing

In our client portal you can send and receive documents to and from our staff and permanently save documents for the purposes of our business relationship. For this, you receive a login and password from us. The following data are typically processed when you upload documents:

  • Personal master data (first and last name, also title and company affiliation as applicable)
  • Communication data (e-mail address)
  • Data contained in files which you yourself upload to our client portal.
  • Login data (date and time, IP address of your device in the login process and your activities on the client portal)

9.2 Purposes and legal basis of processing

The registration process and use of our client portal are logged on the basis of our legitimate interest in securely and conveniently exchanging documents with you and documenting proper legal usage of our client platform.

9.3 Recipients and categories of recipients

Only authorized employees have access to your data on the portal. IT service providers with whom processing agreements are in place are utilized for maintenance and support. Data are not transferred to third countries.

9.4 Duration of storage and any applicable parameters for determining storage criteria

The deletion of your data may be performed by authorized users of the client portal if necessary. The data are deleted from the client portal upon ending of the business relationship.

9.5 Right to information, erasure, rectification and to object

You may have your uploaded documents corrected and deleted at any time if you have been granted the rights to do so. In other cases, we request that your contact person get in touch with us regarding the exercise of your rights.

10 Miscellaneous provisions

Social media links

We utilize social media links from various providers on our website. No personal data is transmitted to the provider just because you visit our website. Personal data are only transmitted if you click on a link to the respective provider, which then receives the information that you have visited our website. Please consult the providers’ respective privacy policies for further information:

Xing / Kununu:

11 Your rights as data subject

If your personal data are processed when visiting our firm’s website and when using our services, you as ‘data subject’ enjoy the following rights under the GDPR:

Art. 15 GDPR: the data subject’s right to information
You have the right to know what personal data of yours we are processing.

Art. 16 GDPR: right to rectification
If the data about you are incorrect or incomplete, you may require that any incorrect or incomplete data be corrected/completed.

Art. 17 GDPR: Right to erasure
You may demand the deletion of your personal data under the conditions outlined under Art. 17 GDPR. Your entitlement to erasure depends, among other factors, on whether we still require your data to fulfill our legal duties.

Art. 18 GDPR: Right to restriction of processing
If the conditions are met per Art. 18 GDPR, you may request that your personal data be restricted from processing.

Art. 20 GDPR: Right to data portability
You may demand to receive your data in a structured, commonly used and machine-readable report format and that this report be transmitted to other data controllers.

Art. 21 GDPR: Right to object
You may at any time object to the processing of your data for personal reasons.

Art. 7 section 3 GDPR: Right to withdraw consent
You have the right to withdraw your previously granted consent to processing of your personal data at any time. Withdrawing consent does not affect the legality of processing performed on the basis of consent prior to withdrawal thereof.

Art. 77 GDPR: Right to lodge a complaint with a supervisory authority
If you believe that your personal data has been processed in breach of law, you may lodge a complaint with the data protection supervisory authority with jurisdiction at your place of residence or employment, or at the location of the alleged breach. The competent supervisory authority for our organization is: the Hamburg Commissioner for Data Protection and Freedom of Information (

12 Amended date and updating of this Data Protection Policy

This Data Protection Policy is dated 4 July 2019. We reserve the right to update the Data Protection Policy as necessary to improve data protection and/or adapt the Policy to reflect regulatory or legal changes.

Any laws referenced in this Data Protection Policy as legal basis apply to the processing of personal data as amended.