Privacy Statement

1. Name and Contact Data of the Controller

This privacy statement contains information regarding the processing of personal data on the law firm website of MÖHRLE HAPP LUTHER.

The controller is

Brandstwiete 3
20457 Hamburg
Phone: +49 (40) 85 301 - 0
Fax: +49 (40) 85 301 - 166

You can reach our firm’s data protection officer at

Data Protection Officer
Brandstwiete 3
20457 Hamburg
Phone: +49 (40) 85 301 - 0
Fax: +49 (40) 85 301 - 166

2. Scope and Purpose of Processing of Personal Data

2.1 Accessing the Website

Whenever this website is accessed, the internet browser used by the visitor automatically transmits data to the server of this website and stores the data in a log file for a limited time. Until they are automatically erased, the following data are stored without any further action by the visitor:

  • IP address of the visitor’s device
  • Date and time of the visitor’s access
  • Name and URL of the site accessed by the visitor
  • Website that directs the visitor to the law firm’s website (so-called referrer URL)
  • Browser and operating system of the visitor’s device and the name of the access provider used by the visitor

The processing of these personal data is lawful pursuant to point (f) of Art. 6 (1) first sentence GDPR [General Data Protection Regulation]. The law firm has a legitimate interest in processing the data for these purposes:

  • Fast establishment of the connection to the law firm’s website
  • Enabling user-friendly use of the website
  • Determining and ensuring the security and stability of the systems
  • Simplifying and improving administration of the website

The processing is expressly not carried out for the purpose of gaining information about the person of the website’s visitor.


2.2 Newsletter

When visitors subscribe to the newsletter, they expressly declare their consent to the processing of the transmitted personal data. The only entry required for a subscription to the newsletter is the visi-tor’s email address. Legal ground for the processing of the visitor’s personal data for the purpose of transmitting newsletters is his or her consent pursuant to point (a) of Art. 6 (1) first sentence GDPR.
Visitors may unsubscribe and stop the receipt of future newsletters at any time. They can use the special link at the end of the newsletter or send an email message to this effect to


2.3    Events

Our internet site enables the visitor to register for our events free of charge. The following data will be transmitted to us via the Event Form:

  • Main personal data (name and surname, title and company affiliation as necessary)
  • Communication details (e-mail address)
  • Information on the events which the visitor wishes to attend or cannot attend.
  • Information whether the visitor is also interested in any further events.
  • Date and time, plus IP address when registering.

For verification the visitor will receive an e-mail with a registration link, in order finally to confirm attendance (double opt-in procedure). Registration will be processed, the event will be held, and any invitations to subsequent events will be issued pursuant to Article 6, (1) (a) of the GDPR. By sending the registration the visitor declares that he consents to the said data processing for the registration for the event until the end of the event.

Processing of these data will be made in accordance with Article 6 (1) (f) of the GDPR. Our legitimate interest is based on the demonstrability of the legal consent pursuant to Article 7 (1) of the GDPR.

The visitor’s data will be processed on our part only by internal authorised employees for the purposes of planning and holding events. In this process we shall employ IT service providers as processors under the terms of Article 28 of the GDPR. These data will not be transmitted to a third country.

Erasure of the visitor’s data will be made once the event is ended, providing no further legal basis or statutory obligation exists for their processing. Should participation in the registration process not be finally confirmed, the visitor’s foregoing personal data will be erased 14 days following the end of the event.

The visitor may revoke any individual or all consents for events without any detriment to himself, without affecting the legality of the processing which has taken place pursuant to the consent until the time of revocation. This revocation may be made by an e-mail to the said effect sent to

3. Transfer of Data

Personal data are transferred to third parties if and when:

  • The data subject has expressly given his or her consent to this transfer pursuant to point (1) of Art. 6 (1) first sentence GDPR;
  • The transfer is required for the establishment, exercise, or defense of legal claims pursuant to point (f) of Art. 6 (1) first sentence GDPR and there is no reason to assume that the data subject has an overriding legitimate ground opposing the transfer of his or her data;
  • There is a legal obligation pursuant to point (c) of Art. 6 (1) first sentence GDPR for the transfer of the data; and/or
  • The processing is necessary for the performance of a contract to which the data subject is a party pursuant to point (b) of Art. 6 (1) first sentence.

In all other cases, personal data will not be transferred to third parties.


4. Cookies

So-called cookies are used on the website. These are data packages that are exchanged between the law firm’s website server and the visitor’s browser. They are stored on the devices being used (PC, notebook, tablet, smartphone, etc.) when the website is accessed. Cookies are unable to cause any damage to the devices being used. In particular, they do not contain viruses or other types of malware. Information related to the specific device that is in use is stored in the cookies. The law firm cannot under any circumstances use this information to determine the identity of the visitor to the website.
The majority of cookies are accepted when the browser default settings remain unchanged. The browser settings can be changed in such a manner that cookies are either not accepted on the devices in use or that a special message is displayed before a new cookie is placed on the device. We point out, however, that blocking cookies may have the consequence that not all of the website functions can be used in the best way possible.
Cookies are utilized to make the use of the law firm’s web services more convenient. For instance, session cookies track whether the visitor has previously accessed certain pages of the website. These session cookies are automatically erased when visitors leave the website.
Temporary cookies are used to improve the site’s user friendliness. They are stored temporarily on the visitor’s device. When the visitor accesses the website again, the browser automatically recognizes that the visitor had accessed the page at an earlier point in time and what entries and settings were made at that time, rendering the repeated entries and settings unnecessary.
Cookies are also used to analyze hits to the website for statistical purposes and for the improvement of the services on the site. These cookies make it possible to see automatically that a visitor has previously accessed the website if he or she returns to the site. In this case, the cookies are automatically erased after a predetermined period of time.
The processing of these data by cookies is lawful for the aforementioned purposes in pursuit of the legitimate interests of the law firm pursuant to point (f) of Art. 6 (1) first sentence GDPR.

5. Analysis Services for Websites, Tracking

We use Google Analytics, the website analysis service for websites, on our website.
Legal ground for the use of the analysis tool is point (f) of Art. 6 (1) first sentence GDPR. The website analysis is a legitimate interest of our law firm and is used for the statistical recording of site use for the continuous improvement of our law firm’s website and our service portfolio.

6. Plugins of Social Networks (Social Plugins)

We have integrated plugins from the following social networks into our website: Facebook, XING, LinkedIn, and kununu.
Legal ground for the use of social plugins is point (f) of Art. 6 (1) first sentence GDPR. Our law firm’s legitimate interest and the purpose of the use of the plugins of social networks are to heighten awareness of our services with a broader public. The social networks are responsible for handling the data of their users in conformity with data protection law.

7. Your Rights as Data Subject

To the extent your personal data are processed during your visit to our website, you as the “data subject” are entitled to the following rights within the sense of the GDPR.

7.1 Access

You may obtain information from us as to whether we process personal data from you. The right to information does not exist if the disclosure of the requested information would be a breach of the obligation of confidentiality in accordance with Section 57 Art. 1 StBerG [German Tax Consultancy Act] or if the information must be kept secret for other reasons, in particular, but not solely, because of the overriding legitimate interest of a third party. In abrogation thereof, the obligation to provide information may exist if, in particular, your interests override the confidentiality interests in view of imminent loss or damage. The right to information is moreover precluded if and when the data have been stored solely because they may not be erased in compliance with legal or statutory retention periods or serve solely and exclusively purposes of data security or data protection control, to the extent that the provision of information would require unreasonable effort or costs and the processing for other purposes has been precluded by suitable technical and organizational measures. If and when in your case the right to access is not precluded and we process your personal data, you may obtain information from us regarding the following:

  • Purposes of the processing;
  • Categories of your personal data that are processed;
  • Recipients or categories of recipients to whom your personal data are disclosed, in particular recipients in third countries;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request rectification or erasure or restriction of processing of personal data concerning you or to object to such processing;
  • The right to lodge a complaint with a supervisory authority for data protection;
  • Where the personal data are not collected from you as the data subject, any available information as to their source;
  • The existence of any automated decision-making, including profiling and meaningful information about the logic involved as well as the significance and the envisaged consequences of any automated decision-making;
  • Where personal data are transferred to a third country and no decision regarding the adequacy of the level of protection has been made by the EU Commission pursuant to Art. 45 (3) GDPR, information as whether the appropriate safeguards relating to the transfer pursuant to Art. 46 (2) GDPR have been provided.

7.2 Rectification and Completion

If and when you determine that your personal data in our possession are inaccurate, you may request that we rectify this inaccurate data without undue delay. You may request completion of any incomplete personal data concerning you.

7.3 Erasure

You have the right to erasure (“right to be forgotten”), provided the processing is not necessary for the exercise of the right to freedom of expression, right to information, for compliance with a legal obligation, or for performance of a task carried out in the public interest, and that one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were processed;
  • The sole and exclusive legal ground for the processing was your consent that you have withdrawn;
  • You have objected to the processing of your personal data that we have made public;
  • You have objected to the processing of personal data that we have not made public, and there are no overriding legitimate grounds for the processing;
  • Your personal data have been unlawfully processed;
  • The personal data must be erased for compliance with a legal obligation to which we are subject.

You do not have a right to erasure in the case of legal, non-automated data processing if the erasure of the data is not possible or is possible only with unreasonable effort because of the special form of the storage and your interest in the erasure is slight. In this case, the processing of the data will be restricted in lieu of their erasure.

7.4 Restriction of Processing

You can obtain a restriction of the processing if one of the following grounds applies:

  • You contest the accuracy of the personal data. You can obtain restriction of processing in this case for a period enabling us to verify the accuracy of the data;
  • The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
  • We no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims;
  • You have objected to the processing pursuant to Art. 21 (1) GDPR. You may obtain restriction of the processing as long as verification whether our legitimate grounds override your grounds is pending.

Restriction of processing means that the personal data will be processed solely with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We are obligated to inform you before we lift any restriction of processing.

7.5 Data Portability

You have the right to data portability if and when the processing is based on your consent (point (a) of Art. 6 (1) first sentence or point (a) of Art. 9 (2) GDPR) or on a contract to which you are a party and the processing is carried out by automated means. The right to data portability in this case includes the following rights, provided that the rights and freedoms of other persons are not adversely affected:

  • You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format;
  • You have the right to transmit those data to another controller without hindrance on our part;
  • You have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

7.6 Objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) of Article 6 (1) first sentence GDPR (performance of a task in the public interest or exercise of official authority) or on point (f) of Art. 6 (1) first sentence GDPR (legitimate interest of the controller or a third party). The provision applies as well to profiling based on point (e) or point (f) of Art. 6 (1) first sentence GDPR. Once you exercise the right to object, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
You may object at any time to the processing of the personal data concerning you for purposes of direct marketing, including any profiling that is related to such direct marketing. If you exercise this right to object, we will no longer use your personal data for direct marketing purposes.
You may exercise your right to object by submitting an informal message by phone, email, fax, or letter to the postal address of our law firm shown at the beginning of this privacy statement.

7.7 Withdrawal of Consent

You have the right to withdraw at any time any consent you have given, effective for the future. You may withdraw your consent by sending an informal message by phone, email, fax, or letter to our postal address. The withdrawal of consent does not have any effect on the legality of any data processing carried out on the basis of the consent prior to the receipt of the withdrawal. After receipt of the withdrawal, the data processing based solely on your consent will be discontinued.

7.8 Complaint

If you consider that the processing of the personal data concerning you is unlawful, you may lodge a complaint with a supervisory authority for data protection that is competent for your habitual residence or place of work or place of the alleged infringement.

8. Status and Update of this Privacy Statement

This privacy statement was last revised on November 16, 2018. We reserve the right to update the privacy statement at any time for the improvement of data protection and/or to adapt it to changes in the practice of authorities or court decisions.