Privacy Policy

In this Privacy Policy, you will find information about the nature, scope and purpose of the processing of your personal data when you visit our website. With regard to the terms used, such as "processing" or "controller," we refer to the definitions set out in Article 4 of the GDPR.

1. Name and contact details of the controller

The controller as defined in Article 4 (7) of the GDPR is GKM GmbH Steuerberatungsgesellschaft, Konrad-Adenauer-Platz 28, 53225 Bonn, email: datenschutz@gkm.tax, tel: +49 0228/289950.

The data protection officer is Henry Nallinger.

Our Firm’s data protection officer can be reached at the above address and at datenschutz@gkm.tax.

2. Scope and purpose of the processing of personal data

2.1 Visiting our website
When you visit our website at https://www.gkm.tax, your internet browser automatically sends data to the host server of this website, where it is temporarily stored in a log file for a period of 60 days. Until automatic erasure, the following data is stored without further input from the visitor:

  • IP address of the visitor's device,
  • date and time of access by the visitor,
  • name and URL of the page accessed by the visitor,
  • website that directed the visitor to our website (referrer URL),
  • browser and operating system of the visitor's end device, as well as the name of the access provider used by the visitor.

The processing of this personal data is justified pursuant to Article 6 (1) (f) of the GDPR. Our Firm has a legitimate interest in processing the data for the purpose of:

  • establishing a quick connection to the Firm's website,
  • enabling user-friendly use of the website,
  • recognising and ensuring the security and stability of systems, and
  • facilitating and improving the administration of the website.


The data is explicitly not processed for the purpose of gaining insights into the identity of the visitors to our website.

2.2 Contact form
Visitors can submit messages to the Firm using an online contact form provided on our website. To enable us to respond, at least a valid email address must be provided. All other information is provided by the visitor on a voluntary basis. By submitting a message using the contact form, the visitor consents to the processing of the personal data thus transmitted. The data is processed exclusively for the purpose of handling and responding to queries submitted via the contact form. This is done based on your voluntarily given consent pursuant to Article 6 (1) (a) of the GDPR. All personal data collected when you use our contact form will be automatically erased as soon as your query has been resolved, unless there are grounds for further storage (e.g., you become our client).

2.3 Newsletter
By subscribing to the newsletter, the visitor expressly agrees to the processing of the transmitted personal data. The only data required for the purpose of subscribing to the newsletter is the visitor’s email address. The legal basis for the processing of the visitor's personal data for the purpose of sending the newsletter is consent pursuant to Article 6 (1) (a) of the GDPR.

The visitor can unsubscribe from receiving future newsletters at any time. To do this, the visitor must use a specific link at the end of the newsletter or send us a corresponding notification by email to datenschutz@gkm.tax.

The newsletter is distributed using the mailing service provider "MailChimp", which is a newsletter delivery platform of the US-based provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the mailing service provider can be accessed at the following link: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, thus guaranteeing compliance with European data protection standards. The mailing service provider is used based on our legitimate interests pursuant to Article 6 (1) (f) of the GDPR and a data processing agreement pursuant to Article 28 (3) sentence 1 of the GDPR.

The recipients' data, in its pseudonymous form (without assignment to a user), may be used by the mailing service provider for the optimisation or improvement of its own services, e.g., for the technical optimisation of the delivery and presentation of the newsletter, or for statistical purposes. Under no circumstances will the mailing service provider use the data of our newsletter recipients to contact them directly, nor will it pass such data on to third parties.

3. Transfer of data

Personal data is transferred to third parties where:

  • the data subject has expressly consented to such transfer in accordance with Article 6 (1) (a) of the GDPR,
  • the transfer is necessary for the establishment, exercise, or defence of legal claims pursuant to Article 6 (1) (f) of the GDPR, and there is no reason to believe that the data subject has an overriding legitimate interest in the non-disclosure of their data,
  • there is a statutory obligation for the transfer of such data pursuant to Article 6 (1) (c) of the GDPR, and/or
  • the transfer is necessary for the performance of a contract with the data subject pursuant to Article 6 (1) (b) of the GDPR.

In all other cases, no personal data is transferred to third parties.

4. Cookies

This website uses so-called cookies. These are data files exchanged between the host server of this website and the visitor's browser. They are stored on the device (PC, notebook, tablet, smartphone, etc.) used when visiting the website. Cookies cannot cause any damage to the devices used. Specifically, they do not contain viruses or any other malicious software. The information stored in cookies depends on the specific end device used. In no way can the Firm directly obtain knowledge of the visitor's identity by using cookies.

By default, browsers may be set to accept most cookies. Browser settings can be configured to either not accept cookies on the devices used or to display a special message before a new cookie is placed. However, please note that disabling cookies may result in you not being able to make the best possible use of all the functions of our website.

Cookies are used for the purpose of making the interaction with the Firm's website more user-friendly. For example, session cookies can be used to track which specific sections of our website have been accessed by the visitor during the current visit. These session cookies are automatically erased after the visitor leaves the website.

Temporary cookies are used to enhance user-friendliness. These are stored on the visitor's device for a limited period. On a subsequent visit to the website, it is automatically recognised that the visitor has previously accessed the site, while any previously made inputs and settings are retrieved, so that they do not need to be entered again.

Cookies also help us to analyse website visits for statistical purposes and to improve our offer. These cookies enable the website to automatically recognise that the visitor has already visited the website before. After a specified period, the cookies are automatically erased.

The processing of data by cookies is justified for the aforementioned purposes to safeguard the legitimate interests of the Firm pursuant to Article 6 (1) (f) of the GDPR.

5. Application form

The personal data you enter in the application form, together with any uploaded documentation, is processed solely for the purposes of the application process. This includes reviewing your application documents, communicating with you during the application process, and making decisions regarding the establishment of an employment relationship.

The processing of your personal data as part of the application process is based on your consent in accordance with Article 6 (1) (a) of the GDPR and Section 26 of the Federal Data Protection Act for the purposes of the application process.

We process the data that you provide to us in the context of your application. This may include general data about you (such as name, address, and contact details), information about your professional qualifications and education, details of professional training, and any other data that you submit to us in connection with your application.

Within our Firm, your personal data will only be accessed by such individuals and departments (HR department) that require it to process your application. Your data will not be disclosed to third parties without your express consent.

Your personal data will be erased after the application process has been concluded, and by no later than 6 months, unless statutory retention obligations apply or you have expressly consented to a longer storage of your data within our talent pool.

As the data subject, you have the right to request information about your personal data processed by us, as well as the right to rectification or erasure, or to restriction of processing, the right to object to processing, and the right to data portability. You have the right to withdraw your previously given consent to the processing of your data at any time, with effect for the future.

Should you have any questions or concerns regarding the processing of your personal data, please contact our data protection officer at any time. In addition, you have the right to lodge a complaint with a data protection supervisory authority.

6. Google Maps

Our website uses the Google Maps service. The provider of the service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. The use of Google Maps is aimed at enhancing the visual appeal of our online platform and allowing the places specified on our website to be located easily. This represents a legitimate interest as defined in Article 6 (1) (f) of the GDPR.

As a result of Google Maps being used, information about the use of this website, including your IP address and the (starting) address provided within the scope of the route planner function, may be transmitted to a Google server in the USA. When you visit a website with an integrated Google Maps service, your browser establishes a direct connection to Google's servers. The map content is directly transmitted from Google to your browser and then integrated into the website by the browser. Therefore, we have no influence on the scope of the data collected by Google in this way.

The use of Google Maps serves the purpose of increasing the attractiveness of our website and making the places indicated on our website easier to locate. This represents a legitimate interest as defined in the GDPR.

The data transmitted as a result of Google Maps being used may be processed by Google for its own purposes and in accordance with Google's privacy policy. Google may also link the data collected through these services with other Google services. We have no influence on Google's data processing.

The legal basis for the integration of Google Maps and the associated data transfer to Google is Article 6 (1) (f) of the GDPR.

You can disable the Google Maps service, and thus prevent data being transferred to Google, by disabling JavaScript in your browser. However, please note that you will then not be able to make full use of all the functions of our website.

For more information on how user data is handled, please refer to Google's privacy policy at: https://policies.google.com/privacy?hl=en&gl=de. You can also adjust your privacy settings in the Safety Centre to protect your data.

7. Your rights as a data subject

7.1 Right of access
You can request information from us as to whether your personal data is being processed by us. No right of access exists where the provision of the requested information would violate a confidentiality obligation or if confidentiality must be maintained in respect of the information for other reasons, especially due to an overriding legitimate interest of a third party. Conversely, an obligation to provide information may exist where, particularly in situations of impending harm, your interests outweigh the interest in confidentiality. No right of access shall exist in respect of any data that is stored and may not yet be erased pursuant to legal or statutory retention periods or which exclusively serves the purposes of data backup or data protection control, where the provision of such information would require a disproportionate amount of effort and provided that there are appropriate technical and organisational measures in place to prevent the data being processed for other purposes. If, in your case, the right of access is not excluded and we do process your personal data, you can request information from us about the following:

  • purposes of processing,
  • categories of your personal data being processed,
  • recipients or categories of recipients to whom your personal data is disclosed, especially recipients in third countries,
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine the storage period,
  • the existence of the right to rectification or erasure or restriction of processing of your personal data or a right to object to such processing,
  • the existence of the right to lodge a complaint with a data protection supervisory authority,
  • where the personal data does not originate from you as the data subject, any available information about the origin of the data,
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the scope and intended effects of automated decision-making,
  • in the event of transmission to recipients in third countries, in the absence of a decision by the EU Commission on the adequacy of the level of protection pursuant to Article 45 (3) of the GDPR, information about the appropriate safeguards provided for the protection of personal data in accordance with Article 46 (2) of the GDPR.

7.2 Rectification and completion
Should you discover that incorrect personal data concerning you is being processed by us, you can request that we immediately rectify any such incorrect data. Where personal data concerning you is incomplete, you can request completion.

7.3 Erasure
You shall have the right to erasure ("right to be forgotten"), unless the processing is required for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims, where one of the following grounds applies:

  • the personal data is no longer necessary for the purposes for which it was processed,
  • the processing was based solely on your consent, which you have since withdrawn,
  • you have objected to the processing of your personal data that we have made public,
  • you have objected to the processing of your personal data by us, and there are no overriding legitimate grounds for the processing,
  • the personal data was processed unlawfully,
  • the erasure of personal data is necessary to comply with a legal obligation under EU or Member State law.

No right to erasure shall exist where erasure is not possible or only possible with disproportionate effort due to the specific nature of storage in the case of lawful non-automated data processing, and provided that your interest in erasure is low. In this case, instead of the data being erased, its processing is restricted.

7.4 Restriction of processing
You can request restriction of processing where one of the following applies:

  • you contest the accuracy of the personal data (in this case, processing may be restricted for a period enabling us to verify the accuracy of the data);
  • the processing is unlawful, and rather than having the data erased, you request that its use should be restricted;
  • we no longer require the personal data for the purposes of processing, but you require such data for the establishment, exercise, or defence of legal claims;
  • you have objected to processing pursuant to Article 21 (1) of the GDPR. The restriction of processing may be requested for a period enabling us to verify whether our legitimate grounds override yours.

Restriction of processing means that the personal data will only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We must inform you prior to lifting the restriction again.

7.5 Data portability
You have the right to data portability insofar as the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the GDPR or on a contract to which you are a party, and the processing is carried out by automated means. In this case, the right to data portability includes the following rights, provided that this does not adversely affect the rights and freedoms of others: you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format; you have the right to transmit this data to another controller without any hindrance on our part; where technically feasible, you have the right to have the personal data transmitted directly from us to another controller.

7.6 Objection
Insofar as the processing is based on Article 6 (1) (e) of the GDPR (performance of a task carried out in the public interest or in the exercise of official authority) or on Article 6 (1) (f) of the GDPR (legitimate interests pursued by the controller or a third party), you have the right to object, on grounds relating to your particular situation and at any time, to the processing of personal data concerning you. This also applies to profiling based on points (e) or (f) of Article 6 (1) of the GDPR. If you exercise your right to object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

You have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing, including profiling related to such direct marketing. If you exercise your right to object, we will no longer process personal data concerning you for direct marketing purposes.

You have the option to notify us of your objection informally by telephone, email, or by post to the postal address of our Firm provided at the beginning of this Privacy Policy.

7.7 Withdrawal of consent
You have the right to withdraw your consent at any time, with effect for the future. The withdrawal of consent may be communicated by telephone, email, or by post to our postal address. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. On receipt of your withdrawal of consent, any processing of data based exclusively on your consent will be stopped.

7.8 Complaints
If you believe that the processing of personal data concerning you is unlawful, you have the right to lodge a complaint with a data protection supervisory authority that is responsible for your place of residence or employment or for the place of the alleged violation.

8. Data security

Throughout your visit to our website, we use the common SSL procedure (Secure Sockets Layer) in connection with the highest encryption level supported by your browser, which tends to be 256-bit encryption. If your browser does not support 256-bit encryption, we will resort to 128-bit v3 technology instead. You can tell whether an individual section of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are being improved continuously in line with technological developments.

9. Version and updates to this Privacy Policy

This Privacy Policy is dated 20th December 2023. We reserve the right to update this Privacy Policy periodically with a view to improving data protection and/or adapting it to changes in regulatory practices or case law.