Information on Data Protection in accordance with Art. 13 of the General Data Protection Regulation

The following information is intended to provide you with an overview of how your personal data is processed by MÖHRLE HAPP LUTHER and your rights under the new data protection law. You can find out what data is processed in detail and how it is used in the following explanations.

1 Name and contact data

The controller responsible for the website in accordance with Art. 4 section 7 GDPR can be contacted at the following address:

Brandstwiete 3
20457 Hamburg

Phone: +49 40 85 301 - 0
Fax: +49 40 85 301 - 166

For further information see the Legal disclosures page.

Our company data protection officer can be contacted at:

Attn: Data Protection Officer
Brandstwiete 3
20457 Hamburg

Phone: +49 40 85 301 - 0
Fax: +49 40 85 301 - 166

When processing your personal data it is possible that the operating companies of the MÖHRLE HAPP LUTHER Group may work closely with MÖHRLE HAPP LUTHER Service GmbH when it comes to certain processing activities and may also be jointly responsible for processing your personal data. We have reached a contractual agreement with regard to the specific manner of cooperation in the event of joint responsibility. We will be happy to provide you with information on this upon request.

2 Processing of personal data

General overview

On our website we offer various services and employ data processing procedures as listed below:

Operation of the firm’s website and storage of log files
Processing of personal data when using our firm's website

Use of cookies
List of cookies employed for the provision of our services.

E-mail newsletter
Processing of your e-mail address if you wish to stay informed by receiving our newsletter.

Job applications
Information on current job offers and contacting the firm to apply.
Additional information on data protection can be found here.

Calendar of events
Information on events and registration.

Online Conferences
Information regarding online meetings, video conferences and webinars

Reach measurement using Google Analytics
Use of the service Google Analytics to continuously improve our firm’s website.

Facebook fan page
Information about our fan page (‘Insights’) in joint responsibility with Facebook

Advisories about social media links and our client portal

In order to offer our services and optimize our firm’s website on an ongoing basis, your personal data may also be transferred to other service providers which process the data.

We carefully select service providers and contractually bind them as required by law, including as processors pursuant to Art. 28 GDPR. If these providers process your data outside the European Union or European Economic Area, we ensure that they are bound by EU standard data protection clauses or certified under the US-EU Privacy Shield, a data protection agreement framework, in case of processing in the US. Accordingly, these service providers guarantee that an appropriate level of data protection will be upheld.

3 Operation of the firm’s website and storage of log files

3.1 Type of processing

When you visit the firm’s website, your internet browser automatically sends the following data to our server and stores a log file for a limited period of time:

  • Browser type and version
  • Operating system used
  • Name of the website visited immediately beforehand
  • IP address/your device’s hostname
  • Date and time of server request

3.2 Purposes and legal basis of processing

Your data are processed for the following purposes on the basis of our legitimate interest per Art. 6 section 1 (f) GDPR:

  • to enable usage of our firm’s website
  • to present our service portfolio
  • for uniform and attractive presentation with online fonts
  • to make it possible for existing and prospective customers to conveniently contact us
  • to ensure proper operation of our firm’s website
  • to fulfill legal obligations, such as defending against and investigating cyberattacks.

3.3 Recipients and categories of recipients

Our firm’s website is hosted by domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany. A processing agreement per Art. 28 GDPR has been concluded with the service provider. Personal data are only transferred to third parties as necessary to defend against or investigate criminal acts and as otherwise required by law.

The online fonts are loaded from the server of Monotype Imaging Holdings, Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA. When you view a page, your browser loads the required fonts into its browser cache in order to correctly display text and fonts. This enables the provider to know that our website has been accessed via your IP address, and it also provides some technical information regarding your browser, as virtually every web browser automatically sends this data to the server each time it is accessed. Even if the provider requires the transmitted information – the IP address in particular – only for delivery of the retrieved contents, it is beyond our knowledge and control as to whether and to what extent the provider also statistically evaluates or stores such information.

3.4 Duration of storage

Personal data are automatically deleted seven (7) days after ending of the connection unless a statutory retention period applies or we or a third party have a legitimate interest otherwise.

3.5 Right to erasure, objection and rectification

Providing and operating our firm’s website requires the collection of data and the storage of data in log files. Accordingly, you have no options for their erasure or rectification, or to lodge objection.
If your browser does not support online fonts, then a standard font is used by your computer. You can prevent online fonts from being loaded by deactivating the “JavaScript” function in your browser.

3.6 Additional Information

Information on data protection at
Information on data protection at Monotype GmbH:

4 Use of cookies

4.1 Type of processing

We utilize text files (cookies) on our website which are stored and can be read on your device. There are session cookies, which are deleted as soon as you close your browser, and permanent cookies which are stored for a period beyond ending of a specific session. Cookies may contain data which make it possible to identify the device utilized. In some cases, cookies may only contain data on certain settings which do not render you personally identifiable.

4.2 Purposes and legal basis of processing

Our firm’s website employs a cookie to record your range analytics and map display settings. Processing is performed on the basis of your consent per Art. 6 section 1 (a) GDPR.

4.3 Duration of storage

Data on your chosen setting is permanently stored so that you do not have to make the setting again when revisiting our firm’s website.

4.4 Right to Erasure, Object and Rectification

You can also set your browser in general so that you are transparently informed about the placement of cookies. You have the option of deleting cookies at any time using the corresponding browser setting or preventing the placement of cookies in general. Please note that you will be prompted to accept or reject cookies each time you access our website and that not all functions on our website may be available to you.

5 E-mail newsletter

5.1 Type of processing

On our firm’s website you can subscribe to receive a regular e-mail newsletter free of charge informing you about our auditing, tax advice and legal counsel services and relevant news.

We require your e-mail address to register you for our e-mail newsletter, employing a double opt-in procedure for registration. This means that we will only send you the e-mail newsletter if you confirm a link contained in an e-mail sent to you after registering.

Your registration and confirmation are logged. The IP address of your device, your e-mail address and the time of confirmation are saved. This is to ensure that you yourself have registered for our e-mail newsletter service as user of the e-mail address specified.

5.2 Purposes and legal basis of processing

After confirmation your e-mail address is processed to ensure delivery of the e-mail newsletter to the proper target group members. Your e-mail address is used solely in order to send the e-mail newsletter. The legal basis for data processing after you register for the e-mail newsletter is your consent as per Art. 6 section 1 (a) GDPR.

The logging of your registration prior to your confirmation and the processing of your IP address and time of registration represent a legitimate interest on our part in accordance with Art. 6 section 1 (f) GDPR, in that they enable and document your registration, and they may be utilized if necessary to inform you of any potential improper use of your personal data.

5.3 Recipients and categories of recipients

We have a processing agreement per Art. 28 GDPR in place with and utilize the service provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, for the distribution of our e-mail newsletter and the collection of user data for this purpose. When you register for our e-mail newsletter, the data provided during registration are transferred to CleverReach for processing at that company’s location. Data are not transferred to third countries.

5.4 Duration of storage and any applicable parameters for determining storage criteria

Your personal data are erased pursuant to a revocation of your consent, or upon discontinuation of the service. If you revoke your consent, you will no longer receive the e-mail newsletter. Your data will be deleted from all IT systems unless another legal basis exists for the processing of your e-mail address. If you have not confirmed your registration to receive the e-mail newsletter, your data will be automatically deleted within a period of four (4) weeks.

5.5 Right to erasure, objection and to rectification

You can unsubscribe from the e-mail newsletter at any time. This may be done via a specially provided link appearing at the bottom of the e-mail newsletter, or by sending notification accordingly to the e-mail address

6 Calendar of events

6.1 Type of processing

You can register for events on our firm’s website. The following data are sent to us via the event form:

  • Personal master data (first and last name, also title and company affiliation as applicable)
  • Communication data (e-mail address)
  • Login data (date and time, IP address of your device in the registration process)
  • Information on events you are interested in attending or are unable to participate in/attend; whether you would like to receive information about other events.

For verification, you will receive an email with a registration link to finalize your participation (double opt-in process).

6.2 Purposes and legal basis of processing

The processing of your data for the registration process, planning and execution of the event is carried out on the basis of your acceptance of our terms of participation in accordance with Article 6(1)(b) of the EU General Data Protection Regulation [GDPR]. By sending the registration form your data will be processed for planning and execution of the event. In accordance with our terms of participation, we reserve the right to inform you about future events. Within the scope of the event, your participation in the event will be processed on the basis of statutory retention periods in accordance with Article 6(1)(c) of the EU General Data Protection Regulation [GDPR].

6.3 Recipients and categories of recipients

We process your data exclusively for the purposes of planning and holding events. The data is transferred to public offices and institutions (government agencies, tax authorities, etc.) for billing purposes when obligated to do so by law or regulation.


6.4 Duration of storage and any applicable parameters for determining storage criteria

Your data are deleted upon conclusion of the event if there is no further legal basis or legal obligation for its processing. In this regard we are subject to a number of retention and documentation requirements, including under German Commercial Code (HGB) and Tax Code (AO), providing for retention and documentation periods of up to ten years.

6.5 Right to erasure, objection and rectification

You may cancel registration for an event or correct your data by sending a corresponding e-mail to

7 Online Conferences

7.1 Type of Processing

The information on data protection is provided in connection with your registration for and participation in online meetings, video conferences and webinars (hereinafter referred to as online conference). We need your data in order to plan and conduct your participation in the online conference. Depending on the field of application, different regulations serve as the legal basis for the processing of your data.

We process personal data which we have received from you or which you yourself transmit within the scope of the online conference. The online conferences can be operated in different ways. In the process various personal data are processed by us or by the operator. The extent of the data processing also depends on the data you transmit prior to or during participation in the online conference. We process the following categories of personal data from you:

  • Personal master and communication data, such as display name, first and last name, language setting, company and e-mail address if applicable
  • Meeting metadata, such as subject and duration of the meeting, start and end (time) of participation, meeting description (optional), chat status, participants, IP addresses, MAC addresses and other device IDs (if applicable); approximate location of the end device to connect to the nearest data center; device/hardware information such as device type, operating system type and version, client version, camera type, microphone or speaker, or type of connection or survey details
  • Meeting recordings: mp4 of all video and audio recordings and presentations, m4a of all audio recordings, text file of everyone in the meeting, chats, audio log file, and other information shared while using the service
  • Chat logs
  • Telephone usage data, such as caller’s phone number, country name, IP address, emergency contact number, start and end time, host name, host e-mail, MAC address of the device in use

Special functions:
When using the online conferences, privacy-enhancing settings have been made, such as

  • The recording function is always deactivated during our online conferences. In the event that an online conference is to be recorded in an individual case, then this will be communicated in advance in a transparent and timely manner and your consent will be obtained if your personal data is processed during the recording.
  • If it is required for the purpose of logging the results of an online conference, then chat content or survey details may be logged. As a rule, however, this is not the case and will also be communicated in advance.
  • During the webinar software-based “attention monitoring” (“attention tracking”) is used. For each participant the products register whether the window in which the online conference is running is active at the front or not. For example, if you are reading your e-mails, then the e-mail program is the active window and no longer the online conference. If the attention span drops dramatically, then the presenter can make his or her online conference more attractive. Unfortunately, it is currently not possible to turn off this function.
  • Automated profiling or decision-making is not planned and does not take place.

Please note: The processing of special personal data (such as health data) as well as data with high and very high protection requirements for data subjects and the respective company is not permitted with the selected service provider. In general, prior to using the online conference, it should be checked whether sensitive data is able to be processed in a communication and whether an alternative must be used if necessary.

7.2 Purpose and Legal Basis of the Processing

If we conduct the online conference as part of the initiation or execution of contractual relationships, e.g. when conducting seminars, then your data will be processed in accordance with Article 6 Paragraph 1 letter b of the General Data Protection Regulation [GDPR]. This also includes follow-up processing of participation data for our event management.

Insofar as we are legally obliged to process personal data, this is done in accordance with Article 6 Paragraph 1 letter c GDPR. This is routinely taken into consideration if participation in seminars must be verified.

Should the online conference be required for initiation or execution of a contractual relationship or an employment relationship, then processing shall be carried out in accordance with Article 6 Paragraph 1 letter b of the General Data Protection Regulation [GDPR]. In the case of an employment relationship the processing is carried out in conjunction with Section 26 of the German Federal Data Protection Act.

If the online conference is to be recorded and your personal data is processed, then your consent shall be obtained in advance in accordance with Article 6 Paragraph 1 letter a GDPR in conjunction with Article 7 of the General Data Protection Regulation.

Unless there are any contractual or legal obligations, the planning and implementation of the online conference is based on a weighing of interests in accordance with Article 6 Paragraph 1 letter f of the General Data Protection Regulation [GDPR]. Our legitimate interest is

  • a flexible and efficient realization of online conferences in terms of both time and space;
  • to be able to verify participation as well as the granting and/or revocation of consent;
  • averting or assertion of legal claims.

We also prepare additional statistical evaluations. Our legitimate interest is, among other things, to increase the efficiency of our online conferences by measuring customer satisfaction.

We use the products “GoToMeeting” and “GoToWebinar” from the provider LogMeIn, Inc., 320 Summer Street, Boston, MA 02210 in order to conduct online conferences. LogMeIn, Inc. is responsible for provision of this service and the associated data processing. Personal data is transferred to the service provider within the scope of registration for the cloud service. An agreement in accordance with Article 28 of the General Data Protection Regulation [GDPR] has been concluded with the processor for order-related execution of the online conference.

7.3 Recipients or Categories of Recipients

Your personal data will be transmitted to

  • internal authorized staff for planning and conducting the online conferences;
  • service providers (contract processors) and their subcontractors commissioned with the organization and implementation of an event or with its statistical evaluation. Our service providers are given instructions regarding access to your data when it comes to implementation of the aforementioned purposes;
  • public bodies and institutions (e.g. government offices, fiscal authorities) if there is a legal or official obligation to do so, e.g. for billing purposes when attending events;
  • legal advisers, insofar as this is required for averting and assertion of legal claims.

With regard to the passing on of data to recipients outside MÖHRLE HAPP LUTHER, it should be noted that we are obliged to maintain secrecy with regard to all client-related data. Within the online conference it is prohibited to transmit any corresponding data that is subject to professional secrecy to the service provider.

7.4 Transfers to a Third Country and Existence of the Adequacy Decision

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) insofar as this is necessary in order to conduct the online conferences, is required by law (e.g. tax reporting obligations) or if you have given us your consent.

An adequate level of protection has been established for data processing with the aforementioned provider through agreement on the EU standard data protection clauses. A draft of this agreement can be found here.

The European Commission decided in its Adequacy Decision (EU) 2016/1250 of 12 July 2016 (EU-U.S. Privacy Shield) that an adequate level of data protection exists in the USA. You can view the corresponding certificate from LogMeIn, Inc. here.

7.5 Storage Term and, if applicable, Criteria for Determination of Storage Criteria

We delete data in compliance with statutory retention periods; after six years with regard to business correspondence, after ten years with regard to invoices. In the case of the participant’s consent, data will be deleted upon revocation of consent in compliance with any statutory retention periods. If you wish to object to the processing of your data, then please contact us directly.

7.6 Additional Information

Below you will find further information on data processing and the service provider:

Questions and answers regarding data protection

Information regarding data protection

Terms and conditions of use

Trust & Privacy Center

Data protection regulations

8 Reach measurement using Google Analytics

8.1 Type of processing

We utilize the Google Analytics web analytics service to gather, collect and analyze data on the behavior of visitors to our firm’s website. The data collected by a web analytics service includes the web page from which you navigated to our firm’s website, what pages of the website you have accessed and how often and how long you have visited pages of the website. The IP address of your device is truncated and anonymized by Google if you access our website from a member state of the European Union or a country which is party to the Agreement on the European Economic Area.

8.2 Purposes and legal basis of processing

Personal data are processed so that we can analyze the web surfing behavior of our users. Collected data are analyzed to enable us to compile and optimize information about usage of the individual components of our firm’s website. When you visit our firm’s website you can determine whether your personal data may be processed by way of your consent in accordance with Article 6 section 1 (a) GDPR.

8.3 Recipients and categories of recipients

The operator of the Google Analytics component is Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland.

8.4 Transfers to a third country and obtaining an adequacy decision

Your personal data may be transferred to a third country internally within the Google organization. In its Implementing Decision (EU) 2016/1250 of July 12, 2016 on the EU-US Privacy Shield the European Commission found that there is an adequate level of data protection in the USA. You can read the corresponding certificate held by Google here.

8.5 Duration of storage and any applicable parameters for determining storage criteria

Data are deleted as soon as they are no longer needed for the purposes for which we recorded them. Data are saved for a period of 26 months for use so that we can identify optimization potential for our firm’s website, after which they are automatically deleted.

8.6 Right to erasure, objection and rectification

You can prevent the placement of cookies at any time via the corresponding settings of your web browser, permanently blocking the placement of cookies. Configuring your web browser this way will prevent Google as well from placing a cookie on your device. In addition, cookies placed by Google Analytics may be deleted at any time via your web browser or other software programs.

You also have the possibility of opting out and preventing the collection of data generated by Google Analytics about use of this website, and to the processing of this data by Google. This requires that you download and install a browser add-on available via this link: This browser add-on informs Google Analytics via JavaScript that data and information about visits to the web pages may not be transmitted to Google Analytics. Google considers installation of the browser add-on to be equivalent to opting out. If your device is erased, formatted or reinstalled at a later point in time, you will need to reinstall the browser add-on in order to disable Google Analytics. If you have uninstalled or deactivated the browser add-on, you would have to reinstall or reactivate the browser add-on.

You can use the following links for more information and to review Google data privacy policies:

9 Facebook fan page

We additionally provide information about our services and news about the firm on our Facebook fan page.

9.1 Type of data processing

We use the personal data you transmit to Facebook when using the fan page to analyze usage of the fan page and design our offering specifically for the target group. We utilize statistical reports on such data as total pageviews, likes, devices used, page activity, post interactions and reach, user activity (comments, shared content, responses), place of origin (country and city), language, age group, gender, level of education, occupation, relationship status, clicks on phone numbers and Facebook groups linked to our page. For example, we utilize age and gender distribution to target our marketing, make our design more attractive and schedule our posts around the preferred visit times of users, optimizing content around their interests as well. As part of Facebook ad campaigns, additional target group-specific data is also used to delimit the target group. For our usage however this data is displayed in anonymized form.

9.2 Purposes and legal basis of processing

For the information service offered we are joint controller per Art. 26 GDPR with Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The legal basis for processing is our legitimate interest in accordance with Art. 6 section 1 (f) GDPR in marketing our services and being able to enter into contact with you.

9.3 Categories of personal data processed

We as provider of the information service do not process any further data derived from usage of our fan page. In accordance with the Facebook Terms of Service, which you agreed to when creating your Facebook profile, we are, however, able to identify you as a registered user of our fan page, view your profile and other information you have shared, and contact you.

9.4 Right to information, rectification, objection and erasure

Facebook is the only party that has full access to user data, thus we recommend that you contact Facebook directly to assert your rights as outlined under point 11.

Additional information is available via links to the pages on page insights data processing and data privacy.

See the full Facebook data use policy for an overview of data processing by Facebook. As an alternative we offer assistance at the address stated under point 1 on asserting your rights against Facebook.

10 Client portal

10.1 Type of processing

In our client portal you can send and receive documents to and from our staff and permanently save documents for the purposes of our business relationship. For this, you receive a login and password from us. The following data are typically processed when you upload documents:

  • Personal master data (first and last name, also title and company affiliation as applicable)
  • Communication data (e-mail address)
  • Data contained in files which you yourself upload to our client portal.
  • Login data (date and time, IP address of your device in the login process and your activities on the client portal)

10.2 Purposes and legal basis of processing

The registration process and use of our client portal are logged on the basis of our legitimate interest in securely and conveniently exchanging documents with you and documenting proper legal usage of our client platform.

10.3 Recipients and categories of recipients

Only authorized employees have access to your data on the portal. IT service providers are utilized for maintenance and support with whom processing agreements are in place. Data are not transferred to third countries.

10.4 Duration of storage and any applicable parameters for determining storage criteria

The deletion of your data may be performed by authorized users of the client portal if necessary. The data are deleted from the client portal upon ending of the business relationship.

10.5 Right to information, erasure, rectification and to object

You may have your uploaded documents corrected and deleted at any time if you have been granted the rights to do so. In other cases, we request that your contact person get in touch with us regarding exercising of your rights.

11 Miscellaneous provisions

Social media links

We utilize social media links from various providers on our website. No personal data is transmitted to the provider just because you visit our website. Personal data are only transmitted if you click on a link to the respective provider, which then receives the information that you have visited our website. Please use the information on data protection made available by the respective providers if you would like to obtain further information:

Xing / Kununu:

12 Your rights as data subject

If your personal data are processed when visiting our firm’s website and when using our services, you as ‘data subject’ enjoy the following rights under the GDPR:

Art. 15 GDPR: the data subject’s right to information
You have the right to know what personal data of yours we are processing.

Art. 16 GDPR: right to rectification
If the data about you are incorrect or incomplete, you may require that any incorrect or incomplete data be corrected/completed.

Art. 17 GDPR: Right to erasure
You may demand the deletion of your personal data under the conditions outlined under Art. 17 GDPR. Your entitlement to erasure depends, among other factors, on whether we still require your data to fulfill our legal duties.

Art. 18 GDPR: Right to restriction of processing
If the conditions are met per Art. 18 GDPR, you may request that your personal data be restricted from processing.

Art. 20 GDPR: Right to data portability
You may demand to receive your data in a structured, commonly used and machine-readable report format and that this report be transmitted to other data controllers.

Art. 21 GDPR: Right to object
You may at any time object to the processing of your data for personal reasons.
If you object, then we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. If your personal data are processed for the purpose of direct marketing, then you have the right to object, at any time, to the processing of personal data concerning you for the purpose of such marketing, including profiling, insofar as it relates to such direct marketing. If you object, then your personal data will no longer be used for the purpose of direct marketing.

Art. 7 section 3 GDPR: Right to withdraw consent
You have the right to withdraw your previously granted consent to processing of your personal data at any time. Withdrawing consent does not affect the legality of processing performed on the basis of consent prior to withdrawal thereof.

Art. 77 GDPR: Right to lodge a complaint with a supervisory authority
If you believe that your personal data has been processed in breach of law, you may lodge a complaint with the data protection supervisory authority with jurisdiction at your place of residence or employment, or at the location of the alleged breach. The competent supervisory authority for our organization is the Hamburg Commissioner for Data Protection and Freedom of Information.

13 Version and Updating of this Information

We reserve the right to update this information in due course in order to adapt it to changes in official practice or jurisdiction.

Date: May 2020.