StartData protection

Data protection

Data Protection Statement 

Data Protection Notes 

The contents of this website serves exclusively for general information. It is not designed for the particular situation of a specific client.

The contents of the following cannot replace professional advice for the specifics of an individual scenario. Before deciding on taking or abstaining from any concrete steps, seek professional advice. A client-attorney relationship is created only at the time of written acceptance by LHP, not by reading, downloading or other forms of use of the information provided.

Emails sent by LHP are designed exclusively for the attention of the addressed person or organisation. They may be confidential and/or privileged in nature and are a legally protected form of communication between client and legal counsel. Persons or organisations for whom the material is not intended may not read, re-transmit, distribute or make use of the contents in other ways or take any kind of action as a result.

If you should receive such mails by mistake, you are requested to contact the sender and to delete the item from your computer. We point out that emails can be modified, lost or tampered with even without the intervention of a third party. Conventional emails are not protected from third-party access and confidentiality may not be always preserved. 

We recommend that confidential data are not sent by email unencrypted. We assume no liability for the integrity of emails after they leave our domain and cannot compensate any damage suffered by you as a result. We take reasonably prudent measures to prevent the risk of transmitting computer viruses.

If inspite of our anti-virus programs, a virus should infect your system as a result of an email from us, note that we assume no liability for any possible damage. This limitation of liability applies only where permitted under law. Please verify your emails for the absence of viruses, in particular before opening any attachments. The receipt of emails may be affected for technical or operational reasons. 

The timely dispatch of an email to us does not meet a deadline per se. We therefore recommend that time-critical or urgent news be additionally dispatched by mail, courier or fax. If you want to be sure that your email has been properly received, request a written acknowledgement of receipt from the recipient. 

Communication by email is insecure in principle as there is the possibility of interception or manipulation by a third party. When a link to another website (hyperlink) is offered, note that we have no influence on the design and contents of the site which does not represent contents or opinions of LHP. LHP endeavours to observe the intellectual property rights of graphics and texts used in its online offers.


The use of self-made graphics and texts or of royalty-free graphics and texts is of paramount importance to us. All brand names and trademarks quoted on our website and possibly held by third parties are subject to the provisions of current trademark law and ownership rights of the registered owner without limitation. Duplication or the use of such graphics and texts in other digital or printed publications is permitted only with the explicit consent of the respective holder.

Data Protection Statement 

The present Data Protection Statement explains the type, scope and purpose of the processing of personal data (hereafter referred to as „data”) within our online offer and the associated websites, functions and contents as well as our external online presence as e.g. our social media profile (hereafter collectively referred to as „online offer”). With regard to the definitions employed as e.g. „processing” or „data controller”, we refer to the definitions given in Sec. 4 of the General Data Protection Regulation (GDPR). 

Data Controller

LHP Luxem Heuel Prowatke Rechtsanwälte und Steuerberater PartG mbB

[Attorneys at Law and Tax Advisers, Partnership Company with Limited Professional Liability] 

An der Pauluskirche 3-5
50677 Cologne
Tel.: +49 (0)221 39 09 77-0
Fax: +49 (0)221 39 09 77-333


Dr. jur. Jörg Luxem, attorney & tax adviser
Ingo Heuel, attorney & tax adviser
Roswitha Prowatke, attorney & tax adviser
Lars Kelterborn, attorney & tax adviser

Data Protection Officer Contact: 

Category of Processed Data:

  • Inventory data (e.g., names, addresses)
  • Contact data (e.g., email address, telephone numbers)
  • Contents data (e.g., text, photographs, videos)
  • Access data (e.g., websites visited, contents of interest, access times)
  • Meta and communication data (e.g., device data, IP addresses)

Categories of Data Subjects 

Visitors and users of the online offer (hereafter data subjects are collectively referred to as „users”).

Processing Purpose 

  • Supply of the online offer, its functions and contents
  • Responding to contact enquiries and communication with users
  • Security measures
  • Range measurements, marketing

Definitions Employed

“Personal Data” means any information that refer to an identified or identifiable person (hereafter “Data Subject”). A natural person is considered identifiable when it can be identified directly or indirectly, in particular by way of an identifier such as a name, code, location, online marker (e.g. a cookie) or one or several characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. 

“Processing” means any process using an automated or non-automated procedure or a series of such procedures in connection with personal data. The term has a wide definition and encompasses practically any interaction with a third party. 

“Anonymization” is the processing of personal data in such a way that the personal data can no longer be allocated to a particular person without the use of additional information provided the additional information is stored separately and subject to technical and organisational measures which ensure that the personal data are not allocated to an identified or identifiable person.

“Profiling” is any type of automated processing of personal data which uses the given personal data to evaluate certain personal aspects of a natural person, in particular to analyse and forecast aspects of performance, financial situation, health, personal preferences, hobbies, reliability, conduct, habitual residence or change of location. 

 “Data Controller” means any natural person or legal entity, authority, facility or agency which on its own or together with others decides on the purpose and means of processing personal data. 

„Data Processor” is a natural person or legal entity, authority, facility or agency which processes personal data on instructions of the Data Controller.

Relevant Legal Bases 


Pursuant to Sec. 13 GDPR, we hereby inform you of the legal bases of our data processing. When the legal basis is not quoted in the Data Protection Statement, the following applies: The legal basis for obtaining consent is Sec. 6 Subsec. 1 lit. a and Sec. 7 GDPR, the legal basis for the processing to perform our services or the execution of contractual undertakings and for attending to enquiries is Sec. 6 Subsec. 1 lit. b GDPR, the legal basis for the processing to meet our legal obligations is Sec. 6 Subsec. 1 lit. c GDPR and the legal basis for the processing to safeguard our legitimate interest is Sec. 6 Subsec. 1 lit. f GDPR. In the event that vital interests of the data subject or of another natural person require the processing of personal data, the legal basis is Sec. 6 Subsec. 1 lit. d GDPR. 

Security Measures 

As per Sec. 32 GDPR, we adopt suitable technical and organisational measures, taking into account the state of technology, implementation costs and type, scope, circumstances and purpose of processing as well as the variable probability of occurrence and the gravity of risk to the rights and options of natural persons, to ensure a level of protection that is commensurate to the risk.

These measures include in particular the protection of confidentiality, integrity and availability of data by controlling the physical access to the data, likewise the digital access to them, the entry, transfer and the protection of their availability and segregation. Moreover, we have installed procedures which guarantee safeguarding the rights of data subjects, the erasure of data and a response to a data hazard. We furthermore take the protection of personal data into account already at the time of developing and selecting hard- and software and procedures in harmony with the principles of data protection through design engineering and data protection-friendly default settings (Sec. 25 GDPR).

Cooperation with Data Processors and Third Parties 

When during processing we disclose or transfer data to other persons or companies (data processors or third parties) or allow access to the data in other ways pursuant to Sec. 6 Subsec. 1 lit. b GDPR, this occurs only on the basis of lawful consent (e.g. when a data transfer to a third party, e.g. a payment provider, is required), if you have granted consent, when a legal obligation provides for it or when based on our legitimate interest (e.g. when employing an agent, web hoster, etc.).

Data processing by a third party appointed under a so-called „data processing agreement” is done on the basis of Sec. 28 GDPR. 

Transfer to Non-Member States 

When we process data in a non-member state (i.e., one outside the European Union (EU) or the European Economic Area (EEA)) or when this occurs as part of the services by a 

third party or disclosure or transfer of data to a third party, this takes place only when required for the performance of our (pre)contractual services, with your consent, due to a legal obligation or on the basis of our legitimate interest. Assuming statutory or contractual consent, we process data or have them processed in a non-member country only when the special preconditions of Sec. 44 ff GDPR are met, i.e. only if the processing is performed in the presence of specific guaranties, like e.g. an officially acknowledged data protection level that corresponds to the EU level (e.g. the „Privacy Shield” in the USA) or in the case of special officially recognized contractual undertakings (so-called „standard contract clauses”). 

Rights of Data Subjects

Under Sec. 15 GDPR, you have the right to demand a confirmation whether the data in question are being processed and request information on these data and on other information and duplicates of these data. 

Under Sec. 16 GDPR, you have the right to demand the completion of data concerning you or the correction of incorrect data concerning you. 

Under Sec. 17 GDPR, you have the right to demand that the respective data are immediately erased or alternatively, as per Sec. 18 GDPR, demand to limit the processing of these data.

You have the right to demand that data concerning you and supplied to us by you are maintained in line with Sec. 20 GDPR and request their transfer to other data controllers.

Furthermore, under Sec. 77 GDPR you have the right to lodge a complaint with the competent supervisory authority. 

Right of Revocation

Under Sec. 7 Subsec. 3 GDPR, you have the right to revoke your consent previously granted with immediate effect.

Right of Objection 

As per Sec. 21 GDPR, you may object to the future processing of your data at any time. An objection can be lodged in particular when the purpose of processing is advertising by direct mail. 

Cookies and Right of Objection to Online Advertising 

Cookies are small files that are stored on computers of users. These cookies may have various tasks. The primary purpose of a cookie is to store information on a user (or on the device on which the cookie is stored) during or even after access to an online offer. Temporary cookies, so-called „session cookies” or „transient cookies” are those which are 

deleted when the user leaves the online offer and closes the browser. Such a cookie may store e.g. the contents of a shopping basket in an online shop or the log-in status. „Permanent” or „persistent” cookies are those which remain even after closing the browser. Thus, the log-in status may remain stored when the user returns after several days. Likewise, the preferences of a user can be stored in such a cookie and used for range measurements or marketing purposes. A „third-party cookie” is one which is deposited by suppliers other than the data controller operating the online offer (cookies only placed by the latter are called „first-party cookies”).
We may use temporary and permanent cookies and explain their nature in our Data Protection Statement. 

Users who do not wish cookies to be stored on their computer are requested to disable the respective option in their system settings. Stored cookies can be deleted through the system settings of the browser. The exclusion of cookies may result in functional limitations of the online offer.

A general objection against the use of cookies used for purposes of online marketing can be declared for a large number of services, above all in the case of tracking, though the US website or the EU website Moreover, the storage of cookies can be prevented by a setting of your browser. Please note that in this case it is possible that not all functions of this online offer may be available. 

Erasure of Data 

Pursuant to Secs. 17 and 18 GDPR, the data processed by us are erased or their processing limited. If not explicitly stated otherwise in the present Data Protection Statement, data stored by us will be erased as soon as they are no longer required and no statutory retention obligation exists in their regard. When data are not erased because they are needed for other and legally permitted purposes, their processing is limited, i.e. the data are blocked and no longer processed for other purposes. That applies e.g. to data that must be preserved under commercial or tax-related provisions. 

Under the legal provisions in Germany, retention is required in particular for 10 years under Sec. 147 Subsec. 1 AO, Sec. 257 Subsec. 1 Nos. 1 and 4, Subsec. 4 HGB (accounting books, records, management reports, chits, ledgers, records relevant to tax matters) and for 6 years under Sec. 257 Subsec. 1 Nos. 2 and 3, Subsec. 4 HGB (commercial correspondence).

Under the legal provisions in Austria, retention is required in particular for 7 years under Sec. 132 Subsec. 1 BAO (accounting records, chits, invoices), for 22 years for real estate matters and for 10 years in connection with digitally provided services, telecommunications and for radio and TV broadcasting services provided to non-merchants in EU member states and used for the Mini-One-Stop-Shop (MOSS).  

Contractual Services

Pursuant to Sec. 6 Subsec. 1 lit. b. GDPR, we process the data of our contract partners and prospects as well as of other clients, customers, law office clients or contract partners (collectively referred to as „contract partners”) for the performance of our contractual or pre-contractual services. The data processed in this connection, the type, scope, purpose and necessity of their processing is a function of the underlying contract. 

Processed data include the master data of our contract partners (e.g. name and address), contact data (e.g. postal and email addresses, telephone numbers), contract data (e.g. services used, contract contents, contractual communications, name of contact persons) and payment data (banking data, payment history). 

Not processed in principle are specific categories of personal data except when these are to be processed under a separate order or agreement. 

We process data that are required to substantiate and perform a contractual service and illustrate the necessity of the underlying task when this is not obvious to the contract partner. Disclosure to other persons or companies is made only when required under an agreement. When processing data supplied to us during a commission, we act in accordance with the instructions of the client as well as the legal provisions.

When providing online services, we may store the IP address and the time of the respective access. The storage is made on the basis of our legitimate interest, but also in the interest of users in protection from abuse or other form on unauthorized use. In principle, these data are not transferred to a third party except when required to enforce a claim as per Sec. 6 Subsec. 1 lit. f. GDPR or in the event of a legal obligation to disclosure as per. Sec. 6 Subsec. 1 lit. c. GDPR.

The data are erased when they are no longer required for the performance of a contractual or statutory social security obligation or for the performance of possible guaranty and equivalent obligations whereby the need for storing the data is examined every three years; for all other matters, the statutory retention periods apply. 

Administration, Financial Accounting, Office Administration, Contact Management 

We process data as part of our administrative functions and office organisation, payroll accounting and in compliance with statutory obligations such as record-keeping. When doing so, we process the same data that we process during the performance of our contractual services. The processing bases are rooted in Sec. 6 Subsec. 1 lit. c. GDPR and Sec. 6 Subsec. 1 lit. f. GDPR. This processing affects customers, prospects, business partners and website visitors. The purpose and our interest in processing lies in the administration, payroll accounting, office management, data archiving, i.e. all tasks that allow us to maintain and perform our services. The erasure of data relating to contractual services and contractual communications corresponds to the tasks underlying their processing. 


We disclose or transmit data to tax offices, advisors as e.g. tax advisors or auditors and to other billing centres or payment providers.

Reflecting our business interest, we furthermore store data on suppliers, organisers and other business partners, e.g. for the purpose of a future entry into contact. These data which are primarily business-related are in principle stored indefinitely.

Entry into Contact 

When contact is made with us (e.g. via the contact form, by email, telephone or the social media), the data of the user are processed to deal with the enquiry and its subsequent handling pursuant to Sec. 6 Subsec. 1 lit. b) GDPR. The data of the user may be stored in a Customer Relationship Management System (“CRM System”) or comparable software package.

We delete enquiries when they are no longer required. We examine the necessity every two years; in all other matters, the statutory archiving obligation applies. 


The hosting services allow us to offer the following services: Infrastructural and platform services, computing capacity, storage and database services, security services as well as technical maintenance services performed by us to operate the present online offer. 


In this connection, we or our hosting provider process the inventory data, contact data, contents data, contract data, meta and communication data of customers, prospects and visitors of our website on the basis of our legitimate interest in an efficient and secure supply of our online offer, as per Sec. 6 Subsec. 1 lit. f GDPR in connection with Sec. 28 GDPR (Conclusion of Data Processing Agreement). 

Collection of Access Data and Log Files

On the basis of our legitimate interest in the sense of Sec. 6 Subsec. 1 lit. f GDPR, we or our hosting provider, collect data on every access to the server which hosts our website (so-called server log files). Access data include name of the accessed website, file, date and time of the access, downloaded data volume, reports on a successful download, browser type and version, operating system of the user, referrer URL (i.e. the website visited just prior thereto), IP address and the enquiring provider.

For security reasons (e.g. for investigation of abusive or fraudulent conduct), log file data are store for a maximum of 7 days and thereafter deleted. Data which are needed as evidence are excepted from the above up to the final clarification of the case in question. 

Google Tag Manager

Google Tag Manager is a solution by which we can administer so-called website tags on a screen Google Tag Manager is a solution by which we can administer so-called website tags on a screen (and thus integrate other Google marketing services as e.g. Google Analytics into our online offer). The Tag Manager itself (which implements the tags) does not process personal user data. see the following on Google services: see the following on Google services:

Google Analytics

On the basis of our legitimate interest (i.e. an interest in the analysis, optimisation and economical operation of our online offer in the sense of Sec. 6 Subsec. 1 lit. f. GDPR), we use Google Analytics, a web analyser service of Google LLC („Google”). Google uses cookies. The information generated by these cookies on the use of our online offer by the user are as a rule transferred to a Google server in the USA and stored there. 

Google is certified under the Privacy Shield Agreement which guarantees that European data protection law will be respected (

On our instructions, Google will use this information to evaluate the use of our online offer by the user, compile reports on activities within our website and to provide further online offer and website-related services to us. While doing so, anonymous user profiles may be generated from the processed data.

We use Google Analytics, a web analyser service of Google LLC only with IP anonymisation enabled. This means that the IP address of the user is truncated by Google within member states of the European Union and in other signatories of the Treaty on the European Economic Area. Only in exceptions is the full IP address transmitted to a Google server in the USA and truncated there. 

The IP address transmitted by the user’s browser is not aggregated with other Google data. Users can prevent the storage of cookies by a corresponding setting of their browser; in addition, users can prevent the logging of the data generated by the cookie that deals with viewing the website and the processing of these data by Google by downloading and installing a browser plugin available from the following link

Further information on the data use by Google, setting and objection options can be found in Google’s Privacy Policy Statement at ( as well as in the settings for the display of online ads faded in by Google (

Personal data of users are deleted or anonymised after 14 months. 

You can also deactivate the data collection by Google Analytics for this domain and this browser via the following link: Deactivate Google Analytics for this domain on this browser. Note: If you click on the link, you will notice no change. This behavior is normal. However, the collection of the data is successfully stopped after clicking on the link.

Google Universal Analytics

We use Google Analytics in the „Universal-Analytics“ version. Universal Analytics is a procedure of Google Analytics which analyses users on the basis of anonymous user ID, thus creating an anonymous user profile with information from the use of various devices (so-called „cross device tracking”). 

Google AdWords and Conversion Tracking 

On the basis of our legitimate interest (i.e. an interest in the analysis, optimisation of our online offer in the sense of Sec. 6 Subsec. 1 lit. f. GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, („Google”). 

Google is certified under the Privacy Shield Agreement which guarantees that European data protection law will be respected (

We use the online marketing system Google “AdWords” to place advertisements in the Google Advertising Network (e.g. in search results, videos, on webpages, etc.) for display to users who are presumed to have an interest in the subject. This makes it possible for us to show ads for and as part of our online offer and to present to users only ads of potential interest to them. The display of ads to the user of a product for which he or she has shown an interest in other website offers is called „remarketing”. For these purposes when our or other websites are called up for which the Google Ad network is active, a Google code is implemented by Google and so-called remarketing tags (invisible graphics or code also known as web beacons) are deposited in the website. With their help, an individual cookie, a small file, is placed on the device of the user (instead of cookies, comparable technologies may also be used). This file notes which websites the user has visited previously, what contents was of interest and which offers the user has clicked on, furthermore technical information on the browser, the operating system, website referred from, time of access as well as information on the use of the online offer.

Furthermore, we receive an individual „conversion cookie”. Information obtained with the help of the cookie serve Google to prepare conversion statistics for us. However, this allows us to merely learn the total number of anonymous users who have clicked on our ad and were transferred to a website with conversion tracking. We do not receive any information that allows is to identify a user by name. 

User data are anonymously processed as part of the Google Advertising Network, i.e. Google stores and processes not the name or email address of the user e.g., but the relevant 


cookie-provided data as part of an anonymous user profile. I.e., from the viewpoint of Google, the ads are managed and displayed not for a concretely identified user but for the cookie owner, irrespective of who the owner of the cookie is. This does not apply when a user has explicitly permitted Google to process the data without anonymisation. Information on users collected in this way are transferred to Google and stored on Google server in the USA.

Further information on how Google uses the data and on setting and objection options can be found in Data Protection Statement of Google at but also in the settings for the display of ad insertions by Google (

Bing Ads

On the basis of our legitimate interest (i.e. an interest in the analysis, optimisation of our online offer in the sense of Sec. 6 Subsec. 1 lit. f. GDPR), we use the conversion and tracking tool „Bing Ads” of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. For this purpose, Microsoft places cookies on the devices of users which permits analysing how users access our online offer provided that the user has reached our website via a Microsoft Bing ad (this is called conversion tracking). In this way, Microsoft and we ourselves can recognize if someone has clicked on our ad, was transferred to our online offer and reached a certain webpage prior thereto (the so-called conversion page) whereby only the total number of users who click on a Bing ad and are transferred to the conversion page are revealed. No IP addresses are stored and no personal information on the identity of the user is disclosed.

Microsoft is certified under the Privacy Shield Agreement which guarantees that European data protection law will be respected (

If you do not wish to participate in Bing Ad tracking, you can disable the placement of a cookies required for this purpose by setting your browser accordingly or use the opt out page of Microsoft at

Further information on data processing and on the use of cookies by Microsoft Bing Ads can be found in the Privacy Policy statement of Microsoft at

Online Presence in the Social Media

We maintain an online presence in social media networks and platforms to communicate with customers, prospects and users actively engaged in them and to be able to inform them of our services. When calling up such a network or platform, the terms of access and data processing guidelines of the respective operator apply. 

If not stated otherwise in our Data Protection Statement, we process the data of users when these communicate with us through the social media network or platform in question, e.g. by sending us contributions on our online presence or news items.

Integration of Third-Party Services and Contents 

For our online offer, on the basis of our legitimate interest (i.e. an interest in the analysis, optimisation and economical operation of our online offer in the sense of Sec. 6 Subsec. 1 lit. f. GDPR), we utilize the contents and service offers of third-party suppliers and integrate such contents and services as e.g. videos or fonts (hereafter collectively referred to as „contents”). 

This supposes at all times that the third-party suppliers of the contents log the IP address of the user as they are unable to upload the contents to the browser without the user’s IP address. We endeavour to use only contents whose suppliers make use of the IP address only to display their contents. Third-party suppliers may furthermore make use of so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. These pixel tags allow analysing information such as the web traffic to the pages of this website. Anonymous information may furthermore be stored in cookies on the device of the user and may contain among other items technical information on the browser and operating system, the website referred from, the time of access and other data on the use of our online offer but may also be linked to such information from other sources. 


We integrate the videos of the “YouTube” platform supplied by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy Statement:, Opt out:

Google Fonts

We integrate the fonts of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google Fonts”). Privacy Policy Statement:, Opt out:

Google Maps

We integrate “Google Maps” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include in particular IP addresses and location data of the users which, however, are not collected without their consent (generally, through the settings of their mobile devices). The data may be processed in the USA. For their Privacy Policy statement, see, Opt out:



LHP: Attorneys at Law, Tax Law Specialists, Tax Advisers PartmbB


An der Pauluskirche 3-5, 50677 Cologne,
Telephone: +49 221 39 09 770


Tödistrasse 53, CH-8027 Zurich,
Telephone: +41 44 212 3535

Auszeichnungen & Zertifikate als Steuerkanzlei - LHP Rechtsanwälte