Privacy Notice pursuant to Articles 13 and 14 General Data Protection Regulation (GDPR)

With the following information, we (Rimôn Falkenfort Rechtsanwälte und Steuerberater GmbH & Co KG) inform you about the processing of your personal data and your data subject rights under the General Data Protection Regulation (GDPR) outside the scope of matters-related processing. Information regarding the matter-related processing of personal data can be found in the engagement agreement.

1. Name and Contact Details of the Controller

Rimôn Falkenfort Rechtsanwälte und Steuerberater GmbH & Co KG
Taunus Turm, Taunustor 1
60310 Frankfurt am Main
Telephone: +49 (0)69 5899624 0
Email: services@rimonlaw.de

2. Contact Details of the Data Protection Officer

BRAUN Unternehmensdienstleistungen
Sennteichplatz 1
68199 Mannheim
info@bqs-braun.de 

3. Website 

This Section 3 applies to the website of Rimôn Falkenfort Rechtsanwälte und Steuerberater GmbH & Co KG, accessible under this rimonlaw.de and its various subdomains (“our website”).

Our website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as contact enquiries sent to us as website operator. An encrypted connection is indicated by “https://” in the browser address line and the lock symbol in your browser. If SSL or TLS encryption is activated, the data you transmit to us cannot generally be read by third parties.

a) Provision of the Website

Collection and Sources of Personal Data

When you access and use our website, we collect personal data that your browser automatically transmits. The following information is temporarily stored in a log file:

• IP address of the requesting device
• Date and time of access
• URL of the receiving resource
• Website from which access is made (referrer URL), if applicable
• Browser used and, if applicable, the operating system of your device

Purposes and Legal Bases of Processing

Your personal data are processed for the following purposes:

• to comply with contractual obligations via-à-vis our clients (Art. 6(1)(b) GDPR);
• to comply with our statutory data retention obligations and to ensure our website’s security and stability according to Art. 32 GDPR (Art. 6(1)(c) GDPR); and 
• to protect our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) for the display of our website to website visitors and to optimize and ensure provision of our website (Art. 6(1)(f) GDPR).

Recipients of Personal Data

The recipient of your personal data is our website hosting service provider, which processes data on our behalf pursuant to Art. 28 GDPR.

Retention Period

We delete your aforementioned personal data after 7 days from the hosting server. Our hosting provider generally does not store any personal data for the purpose of maintaining the website. Should this exceptionally occur, the personal data will be deleted once the maintenance purpose has been fulfilled, for example after resolving a technical malfunction.

b) Contact Forms

Collection and Sources of Personal Data

When you contact us (e.g. via contact form), necessary personal data are collected. The data collected follows the respective contact form. You may also voluntarily provide additional information that you consider necessary for processing your enquiry. We receive the form contents as an email. Further information on the processing of emails received by us is provided in Section 5.

Purposes and Legal Bases of Processing

Your personal data are processed on the basis of your consent (Art. 6(1)(a) GDPR), or, if you contact us with a view to engaging us (Art. 6(1)(b) GDPR).

There is no statutory or contractual obligation to provide your personal data; however, processing your enquiry is not possible without the information marked as mandatory. If you do not wish to provide this data, please contact us by other means.

Recipients of Personal Data

The recipient of your personal data is our website hosting service provider, which processes data on our behalf pursuant to Art. 28 GDPR.

Retention Period

We delete contact enquiries from the website hosting server after 7 days.

c) Application Forms on the Website

Collection and Sources of Personal Data

As part of contacting us (e.g., via the contact form), personal data is collected. The data collected follows the respective contact form. You may also voluntarily provide additional information that you consider necessary for processing your inquiry. We receive the contents of the form content as an email. Further information on the processing of messages we receive by email can be found under Section 5.

Purposes and Legal Bases of Processing

Your personal data are processed for the following purposes:

• on the basis of your consent or to comply with (pre-)contractual obligations (Art. 6(1)(a)(b) GDPR; Art. 26 BDSG) or xxx for the purpose of handling your application and deciding on the establishment of an employment or other relationship pursuant to Section 26 German Federal Data Protection Act (BDSG);
• on the basis of your consent (Art. 6(1)(a) GDPR) beyond the current application procedure or for additional personal data.

There is no statutory or contractual obligation to provide your personal data; however, processing your application is not possible without the required information.

Recipients of Personal Data

The recipient of your personal data is our website hosting service provider, which processes data on our behalf pursuant to Art. 28 GDPR.

Retention Period

We delete your application from the website hosting server after 7 days.

d) Use of Cookies

Collection and Sources of Personal Data, Retention Period

When you first visit our website, we use a technically necessary cookie called "dp_cookieconsent_status". The cookie may store your consent to the setting of further non-technically necessary cookies only in the event that you expressly consent to the use of Google Maps. After your consent, the value of this cookie will change from "open" to "approved". Otherwise, we only use cookies that are technically necessary and do not require consent.

After your consent to the use of Google Maps, the following technically unnecessary cookies of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, may be stored in your browser:

Depending on your browser settings and your login status with Google, fewer or more cookies may be set by Google when you use Google Maps on our website.

Purposes and Legal Bases of Processing

Your personal data are processed for the following purposes:

• for accessing the website non-essential cookies on the basis of your consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG);
• for necessary cookies to safeguard our legitimate interests on the provision of our website (Art. 6(1)(f) GDPR).

Recipients of Personal Data

The recipient of your data is, insofar es necessary cookies are concerned, our website hosting service provider, which processes data on our behalf pursuant to Art. 28 GDPR.

When you use Google Maps on our website, data is transmitted to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We have no influence on the data processing by Google in the context of your use.
Further information on the processing of personal data by Google can be found here: https://policies.google.com/privacy?hl=en

e) Use of Google Maps

Collection and Sources of Personal Data

We use Google Maps. When accessing this content, a connection is established to servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Your IP address and, if applicable, browser data (e.g. user agent) are transmitted.

Purposes and Legal Bases of Processing

Processing is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG) and exclusively for the stated purposes.

Recipients of Personal Data

Data are transmitted to Google Ireland Limited. We have no influence over Google’s data processing. Only Google has full access to your data.

Retention Period

The specific retention period is determined by Google and cannot be set by us and depends on whether, and if so which, consents you have otherwise granted to Google regarding the processing of personal data, for example in the context of registering with Google.

Further information on the processing of personal data by Google can be found here: https://policies.google.com/privacy?hl=en.

4. Social Media Presence

Collection and Sources of Personal Data

We maintain a company profile on LinkedIn to provide information and communication channels. If you contact us via comment, like, messaging or otherwise via LinkedIn, we typically process your username and any additional information you provide, to the extent necessary.

We collect data via our profile to enable communication and interaction. This generally includes your name, message and comment content, and publicly available profile information.

For certain processing activities related to the operation of our LinkedIn page, LinkedIn and we act as joint controllers within the meaning of Article 26 GDPR. LinkedIn provides us with statistical analyses regarding the use of our LinkedIn page, in particular through the “Page Insights” feature. These statistics are based on the processing of personal data of visitors on our page. The underlying data processing is carried out by LinkedIn.

The Joint Controller Addendum concluded between us and LinkedIn provides that LinkedIn is primarily responsible for:

• informing data subjects about the processing of their personal data,
• enabling and responding to the exercise of data subject rights under the GDPR, and
• ensuring the security of the processing.

We only receive aggregated and anonymized statistical information from LinkedIn regarding the use of our page and do not have access to personal data of individual users.

Purposes and Legal Bases of Processing

Processing is carried out to safeguard our legitimate interests in providing an information and communication channel (Art. 6(1)(f) GDPR).

Recipients of Personal Data

Data are transmitted to LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We have no influence over LinkedIn’s processing activities.

Retention Period

The specific retention period is determined by LinkedIn and cannot be set by us.

The specific retention period is determined by LinkedIn and cannot be set by us.

Further information on the processing of personal data by LinkedIn can be found here: https://de.linkedin.com/legal/privacy/eu? Information on the joint responsibility agreement can be found here: https://legal.linkedin.com/pages-joint-controller-addendum.    

5. Processing Outside the Website and Social Networks

Collection and Sources of Personal Data

We process personal data where necessary for the conclusion of a mandate agreement or where another legal basis under the GDPR applies. Data are generally collected from you, from your company/employer (if our client), or lawfully from third parties.

In particular:

• Contact data (salutation, title, name, address, email, telephone numbers);
• Copies of identification documents, information on beneficial ownership, status as politically exposed person, and further AML information;
• Information and communications for mandate initiation, other communication, IT security, operations, and potential assertion or defence of legal claims;
• Billing and payment data.

Certain data are required for matter onboarding and performance (e.g. AML compliance). Without such data, acceptance or processing is generally not possible.

Purpose and Legal Basis of Processing

Your personal data are processed for the following purposes:

• Establishment of the matter, including necessary correspondence (Article 6(1) sentence 1 lit. (b) GDPR);
• Compliance with legal obligations, in particular under the German Commercial Code (HGB), the Fiscal Code (AO), or for the identification of beneficial owners and anti-money laundering checks under the German Money Laundering Act (GwG)
  (Article 6(1) sentence 1 lit. (c) GDPR);
• Protection of legitimate interests (Article 6(1) sentence 1 lit. (f) GDPR), for example for collecting personal data from third parties, maintaining client relationships, and ensuring business operations;
• Conducting recruitment procedures (Art. 6(1)(b) GDPR, Section 26 BDSG), in particular the collection of personal data, application and qualification documents, interview notes, and references.
• Other purposes based on voluntary consent
  (Article 6(1) sentence 1 lit. (a) GDPR).

Depending on the nature of the contact, we process identification and contact data, payment data, communication data, IT usage data, data transmitted for the initiation and performance of contracts, including special categories of personal data (e.g., identity card numbers), as well as the contact details and communication content you provide.

Recipients of Personal Data

Within our firm, only those persons who require access to your personal data (need-to-know principle) and who are bound by confidentiality obligations will have access.

Personal data may also be transferred to external recipients, including via electronic communication channels such as email services, cloud sharing solutions, including the special electronic lawyer’s mailbox (beA) of the German Federal Bar (Bundesrechtsanwaltskammer) and the special electronic mailbox for tax advisors.

External recipients or categories of recipients may include:

• Project partners, experts, other parties involved in matters or their service providers;
• Courts, public authorities, professional chambers and opposing counsel;
• Financial accounting and tax advisory service providers, in particular for bookkeeping, billing of services and preparation of annual financial statements;
• Our banks and insurance companies;
• IT, maintenance and cloud service providers, provided they are bound by confidentiality and a data processing agreement pursuant to Article 28 GDPR has been concluded;
• Office, secretarial and translation service providers;
• Lawyers, tax advisors, auditors, and other advisors for conflict checks, matter handling or pitch documentation;
• Compliance services providers.

Further related information can be found in our terms of engagement.

Retention

Your personal data will be stored for as long as required by statutory retention periods or for the performance of the matter. This generally includes retention for:

• 6 years from the end of the calendar year of mandate termination;
• 6–10 years under HGB, AO or GwG;
• 6 months after completion of recruitment procedures, unless included in personnel file.

6. General Information

a) Transfers to Third Countries

Where we transfer personal data to third countries, either an adequate level of data protection within the meaning of the GDPR exists in the third country or at the recipient; or the transfer is based on an exemption pursuant to Article 49 GDPR, in particular where the data subject has explicitly consented after being informed, or where the transfer is necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures at the request of the data subject. An adequate level of protection may exist on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR, for transfers to the United States, certification under the EU–US Data Privacy Framework adequacy decision; and/or appropriate safeguards pursuant to Article 46 GDPR, in particular the conclusion of the EU Standard Contractual Clauses with the data importer.

Where an adequacy decision or appropriate safeguards exist, a transfer is additionally based on a legal ground under Article 6 or Article 28 GDPR, in particular explicit consent of the data subject, necessity for the performance or preparation of the matter, overriding legitimate interests (e.g. for the establishment, exercise or defence of legal claims), or a data processing agreement.

b) Data Subject Rights

You have the right:

• Pursuant to Article 7(3) GDPR, to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
• Pursuant to Article 15 GDPR, to request access to your personal data processed by us. This includes information on the purposes of processing, the categories of personal data concerned, the categories of recipients, the envisaged retention period, the existence of the right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the source of the data where not collected from you, and the existence of automated decision-making, including profiling, and meaningful information about its logic;
• Pursuant to Article 16 GDPR, to obtain without undue delay the rectification of inaccurate personal data or completion of incomplete data;
• Pursuant to Article 17 GDPR, to obtain the erasure of personal data, unless processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation, reasons of public interest, or for the establishment, exercise or defence of legal claims;
• Pursuant to Article 18 GDPR, to request the restriction of the processing of your personal data where you contest the accuracy of the data, the processing is unlawful but you oppose erasure,  we no longer need the personal data but you require it for the establishment, exercise or defence of legal claims, or you have objected to the processing pursuant to Article 21 GDPR;
• Pursuant to Article 20 GDPR, to receive the personal data you have provided in a structured, commonly used and machine-readable format or to request transmission to another controller; and
• Pursuant to Article 77 GDPR, to lodge a complaint with a supervisory authority. Normally, you may contact the supervisory authority of your place of habitual residence, your place of work, or the place of our firm’s registered office. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority in accordance with Article 77 GDPR.

c) Automated Decision-Making

Automated decision-making within the meaning of Article 22 GDPR, including profiling, does not take place.

d) Objection to Email Marketing

The use of contact data published under legal notice or data protection information obligations for unsolicited advertising is hereby objected to. Legal action is reserved in the event of unsolicited promotional information (e.g. spam emails).

e) Version & Updates

This information is dated March 2026 and may be amended in the future. We recommend reviewing the current version from time to time.