Privacy Policy

We (BUSE) are delighted that you have visited our website.

Here we provide information about how we process your personal data when you use our website (www.buse.de), when you use our services, and when you visit our social media profiles (LinkedIn, Xing).

1. Name and contact details of the data controller and the company data protection officer

This privacy policy applies to the processing of personal data in connection with our website and our social media profiles (LinkedIn).

Data Controller: BUSE Rechtsanwälte Steuerberater Partnerschaftsgesellschaft mbB, Bavariaring 14, 80336 Munich, Germany, email: info@buse.de, telephone: +49 89 288030-185, fax: +49 89 288030-189

For further information, please refer to our legal notice (https://buse.de/en/imprint/).

The company data protection officer at BUSE Rechtsanwälte Steuerberater PartG mbB is Mr. Assessor Andreas Riehn, Einsteinstraße 183, 81677 Munich, Germany, email: datenschutz@buse.de, telephone: +49 89 380 123 120

2. Collection and storage of personal data and the nature and purpose of its use

The categories of personal data we process depend on which of our offers and services you or your employer use.

a) When visiting the website
When you visit our website https://buse.de, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until it is automatically erased:

• IP address of the requesting device,
• date and time of access,
• name and URL of the file accessed,
• website from which access is made (referrer URL),
• browser used and, if applicable, the operating system of your device and the name of your access provider,
• cookie data (e.g. with information about your use of our website).

We process the aforementioned data for the following purposes:

• To ensure a smooth connection to the website,
• To ensure the comfortable use of our website,
• To evaluate system security and stability, and
• To statistically evaluate and improve our offer,
• For other administrative purposes.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above for data collection. Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person.

Our website uses cookies.You can find more detailed information on this in section 7 of this privacy policy.

b) When registering for our newsletter
If you have expressly consented to this in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, we will use your email address to send you our newsletter on a regular basis. To receive the newsletter, it is sufficient to provide an email address. We use the Mailchimp tool from Rocket Science Group, LLC (675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA), https://mailchimp.com/, to send the newsletter.

The legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is the secure and efficient provision of our information. You can object to data processing based on a balancing of interests (see 10. below). Mailchimp is prohibited from selling your data and using it for purposes other than sending newsletters.

We use the double opt-in procedure to ensure that no third party has registered you for our newsletter. To do this, you first enter your email address on the registration page and then receive a confirmation email from Mailchimp, which temporarily stores your email address for this purpose, containing a time-limited activation link. Only if you click on the link will the address be permanently stored by the service provider until it is erased by you or by us as the list owner. Otherwise, the email address will be erased. To document your consent, our service provider stores your IP address and the time of confirmation in connection with your email address.

Mailchimp enables us to statistically evaluate usage data and analyze usage behavior such as opening and clicking behavior. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is to optimize our information offering and to be able to delete inactive newsletter recipients in order to reduce the load on the distribution list. You can object to data processing based on a balancing of interests (see 10. below).

You can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you can send your unsubscribe request at any time by email to datenschutz@buse.de.

The provider processes your personal data for dispatch and evaluation on our behalf on the basis of a contract in accordance with Art. 28 GDPR. The data is processed on servers in the USA. The provider is certified under the Data Privacy Framework, meaning that the transfer to the USA is covered by the adequacy decision.

c) Contact
If you have any questions, you can contact us using the form provided on the website, by email, telephone, fax, or video conference.

Depending on the communication channel you choose and any documents you may send us, we will process the following personal data:

• Individual personal data (e.g., title, first name, last name)
• Contact details (e.g., email address, telephone number, fax number, if applicable)
• Metadata of your message or other contact (e.g., date and time of sending)
• Message content/subject of your request/content of the conversation
• Any video or audio content transmitted
• Any content from documents

The legal basis and storage period for data processing in connection with establishing contact depend on the purpose of the contact. For enquiries relating to establishing our client relationship, the legal basis is Art. 6 para. 1 lit. b GDPR. For natural persons who are not involved in the client relationship, or who communicate with us within the scope of their employer’s client relationship, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in fulfilling our contractual obligations to a third party.

d) Online meetings via “Teams”
For the simple and efficient conduct of meetings and webinars, we use “Teams” software from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”).

ImIn the context of client relationships, this is done on the legal basis of Art. 6 para. 1 sentence 1 lit. b GDPR, and otherwise on the basis of the above-mentioned legitimate interest, Art. 6 para. 1 sentence 1 lit. f GDPR.

The following data may be processed, among other things:

• When you register, your email address and, if applicable, your name will be processed and you will receive a confirmation email with an invitation link or a calendar appointment.
• Participant data: if applicable, display name, first name, last name, telephone number, email address, password (encrypted for authentication), profile picture;
• Metadata: topic and description of the meeting, IP address, participant’s phone number, type of device/software, time of participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, duration of audio, video, and screen sharing;
• When using features such as chat or channel messages, audio, video, or screen sharing, the corresponding content data and metadata are transmitted.
• When connecting via telephone, incoming and outgoing phone numbers, country name, start and end time, any additional connection data, and the IP address of the device are processed.

You can disable the camera and microphone yourself at any time. We only record meetings or log text data with your consent and prior notification. Microsoft stores and uses the metadata to enable us to analyze and report on the use of Teams.

In the event that data is nevertheless processed by Microsoft in the USA in exceptional cases, the adequacy decision for the USA applies due to the certification of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA for the EU-US Data Privacy Framework.

For more information, please refer to Microsoft’s privacy policy, available at: https://privacy.microsoft.com/de-de/privacystatement.

e) Social media presence
BUSE maintains a social media presence on LinkedIn in order to communicate with interested parties and provide information about its services, among other things. When you visit our LinkedIn presence, we process the following categories of data, depending on your interaction:

• Reactions (“likes”) to our posts or our profile
• Your username and profile picture
• Message content from comments and direct messages
• Photos of people shown in posts on our social media pages

The provider of the company page, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”), may provide us with information such as aggregated statistics on the use of our online presence as part of the operation of this presence. These statistics may include demographic and employment-related information, as well as data on interactions with our online presence and the posts and content distributed through it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. We may also use this information to optimize our company page for our audience (legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR). With regard to the collection and use of these statistics, we share joint controllership with the operator of the social network. Further information can be found here: LinkedIn Page Insights Joint Controller Addendum.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b (for communication for the purpose of establishing a client relationship or in the context of a client relationship with a natural person) or f (for communication with employees of clients or for purely informational contact) GDPR.

We would like to point out that we have no influence on data that LinkedIn processes on its own controllership in accordance with its terms of use. Further information on this can be found in LinkedIn’s privacy policy (https://www.linkedin.com/legal/privacy-policy).

f) Legal advice and tax advice
In the client relationship, we may process personal data that is necessary for legal and tax advice, including the establishment and defense of the client’s rights. This may also include special categories of personal data in accordance with Art. 9 para. 1 GDPR.

This includes the following categories of data:

• Individual personal data (e.g., title, first name, last name)
• Business contact details (e.g., email address, telephone number, fax number, if applicable)
• Company details (e.g., company name, address, country)
• Private contact and address details (email address, telephone number, street, postal code, city, country)
• Contents of your messages and requests to us
• Employment data (e.g., personnel number, date of entry, date of departure, data on business trips and stays abroad, data on business expenses)
• Salary data and financial data
• Social data (e.g., severe disability)
• Religious affiliation
• Political opinions
• Health data
• Bank details
• Data on criminal convictions and offenses
• Other data relevant to the mandate, if applicable

3. Storage period

Personal data will only be stored for as long as is necessary to fulfill the respective purpose for which it was stored (e.g., contract execution/mandate processing). Once this purpose has been fulfilled, we will erase or anonymize the data, provided that there are no legitimate reasons or obligations for storage (e.g., under tax or professional law). Insofar as BUSE processes the personal data collected for the purpose of the mandate for the purpose of performing a conflict check, the legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. Beyond this, the data will only be stored if the client has consented to a longer storage period in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

4. Purposes for which your personal data is processed

We use the personal data you provide for the following purposes:

• Processing your enquiry(ies) (e.g. via our newsletter registration form, contact forms of contact persons)
• Processing mandates as tax advisors or lawyers for our clients
• Direct marketing (e.g. newsletters)
• Sending invitations to specific seminar topics
• Contract execution and implementation of pre-contractual measures (e.g., webinar or event registration)
• Other contact
• Client care
• Company or law firm management (e.g., budget planning and reporting)
• Compliance with legal requirements (e.g., for the fulfillment of tax and commercial law (retention) obligations and the implementation of compliance management, including compliance audits, requirements of the Money Laundering Act)
• Data protection and security management and audits
• Distribution of our website content on social media you use
• Operation of our social media channels
• Measuring success
• Improving our offer

5. Legal basis for processing, including details on the purposes of processing

The basis for the processing of personal data is the GDPR, the German Federal Data Protection Act (BDSG) and other European and German regulations and laws.

When processing your personal data, we always rely on one of the following legal bases:

• Consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, and in the case of special categories of personal data, Art. 9 para. 2 lit. a GDPR. This applies, for example, to subscribing to our newsletter.
• Performance of a contract or implementation of pre-contractual measures pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR. This applies, for example, to communication for the purpose of contract initiation and client work.
• Performance of a legal obligation pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR.

This applies, for example, to statutory retention obligations, compliance with the requirements of the Money Laundering Act, or other professional obligations.

• Legitimate interests of our own or of third parties pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

6. Individual processing activities

a) Cookies
We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, Trojan horses, or other malware.

Information is stored in the cookie that is related to the specific device used. However, this does not mean that we are immediately aware of your identity.

The use of cookies serves to make our website more user-friendly. We use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after you leave our website.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a specific period of time. If you visit our site again to use our services, the system will automatically recognize that you have already visited us and what entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you (see sections 2 b), 4.). These cookies enable us to automatically recognize that you have already visited our site when you return. These cookies are automatically deleted after a defined period of time.

The data processed by cookies is necessary for the purposes mentioned above to protect our legitimate interests and those of third parties in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.

b) Social media plug-ins
We use social plug-ins from the social networks LinkedIn and Xing on our website on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR in order to make our law firm better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Controllership for data protection compliance lies with the respective providers. We integrate these plug-ins using the two-click method to protect visitors to our website as best as possible.

LinkedIn
Our website uses the “Share button” of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. If you click on the LinkedIn “Share button” (plug-in), you will be redirected to your user account in a separate browser window, provided you are logged into your LinkedIn user account, and you can share the electronic publication stored on our website by adding a comment. The plug-in establishes a direct connection between your browser and the LinkedIn server. LinkedIn receives information that you have visited our website with your IP address. LinkedIn can then associate your visit to our website with you and your user account. We would like to point out that we have no knowledge of the content of the (personal) data transmitted or its use by LinkedIn. For more information, please refer to LinkedIn‘s privacy policy at: https://www.linkedin.com/legal/privacy-policy.

XING
Our website uses the “Share button“ of the XING network. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. If you click on the XING “Share button” (plug-in), you will be redirected to your user account in a separate browser window, provided you are logged into your XING user account, and you can share the electronic publication stored on our website by adding a comment. The plug-in establishes a direct connection between your browser and the XING server. This informs XING that you have visited our website with your IP address. We would like to point out that we have no knowledge of the content of the (personal) data transmitted or its use by XING. For more information, please refer to XING’s privacy policy at: https://privacy.xing.com/de/datenschutzerklaerung.

c) Matomo
We use the open source software Matomo (InnoCraft Limited, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand) in the “cookieless tracking” version to analyze and statistically evaluate the use of the website. Information about the use of the website is transferred to our servers and summarized in pseudonymous usage profiles. The information is used to evaluate the use of the website and to enable us to design our website in line with your needs. The information is not passed on to third parties.

Under no circumstances will the IP address be linked to other data relating to the user. The IP addresses are masked so that they cannot be traced back to you.

d) Google Maps
To make it easier for you to navigate to our locations, we have integrated Google Maps from Google Ireland Limited, based in Gordon House, Barrow Street, Dublin 4, Ireland, into our website. It cannot be ruled out that data may also be transferred to Google LLC, based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google LLC is certified under the Data Privacy Framework.

By using Google Maps, information about your use of this website, including your IP address and the (start) address entered in the route planner function, may be transferred to Google in the USA. When you visit a page on our website that contains Google Maps, your browser establishes a direct connection to Google‘s servers. The map content is transmitted directly from Google to your browser and integrated into the website. We therefore have no influence on the scope of data collected by Google in this way. To the best of our knowledge, this includes at least the following data:

• Date and time of the request,
• IP address
• Browser type and language
• IP address, (start) address entered for route planning
• One or more cookies that may uniquely identify your browser
• The maps displayed and your interaction with them
• The URL on which the map was integrated

We have no influence on the further processing and use of the data by Google and therefore cannot accept any responsibility for this.

The purpose and scope of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and settings options for protecting your privacy, can be found in Google‘s privacy policy (https://policies.google.com/privacy?hl=de).

The legal basis for the processing of personal data is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and, for the use of cookies and similar technologies for this tool, Section 25 para. 1 TDDDG (consent).

e) Applicant data
We process inventory and contact data, as well as applicant data and other information provided by applicants, for the purpose of processing their applications, in accordance with Art. 6 para 1lit. b GDPR.The personal data processed in the course of the application process will be erased at the latest six months after the rejection of the applicant. If an applicant is hired, we will erase your data upon termination of the employment relationship, unless there are legal retention periods that prevent this.

7. Transfer to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only pass on your personal data to third parties if:

• You have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,
• the transfer is necessary for the establishment, exercise, or defense of legal claims pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and there is no reason to assume that you have an overriding interest in the non-transfer of your data,
• in the event that there is a legal obligation or an enforceable official or court order for the transfer pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR, and
• this is legally permissible and necessary for the performance of contractual relationships with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR.

8. Transfer to third countries

In the course of our activities, it may be necessary to transfer personal data to recipients in countries outside the European Union (EU) or the European Economic Area (EEA) – so-called third countries. This may be the case in particular if we work with international service providers or involve our locations outside the EU.

In the event of such a transfer, we ensure that either an adequate level of data protection recognized by the European Commission exists or that appropriate safeguards within the meaning of the GDPR are in place. These include, in particular, the conclusion of EU standard contractual clauses or comparable contractual provisions that ensure the protection of your data even outside Europe.

You can request detailed information on the protective measures used and the possibility of obtaining a copy of these guarantees from our data protection officer at any time.

9. Data sources

As a rule, we collect your personal data directly from you. In certain circumstances, however, we may receive it from third parties. This is particularly the case if it is provided to us by our client in the context of establishing or executing the client relationship (e.g., in the event of labor court disputes). In addition, we may receive data relating to you from public authorities responsible for you, such as tax authorities, social security institutions, etc., which is particularly the case if we enter into or have already entered into an employment relationship with you. If we receive data relating to you via our online forms (e.g., newsletter registration form, contact forms for contact persons), this data will be disclosed to us by the person who enters it in the respective form. Finally, in the case of job applications, we may receive data relating to you from a recruitment agency if you have engaged such an agency and it forwards your application documents to us.

If you transfer personal data of third parties to us (e.g., as a recruitment agency), you are obliged to comply with all data protection requirements, in particular those of Art. 5 to 9 and 12 et seq. GDPR. Otherwise, we have no intention of collecting this data and reserve the right to take legal action.

10. Rights of data subjects

You have the right:

1. Right to information
   pursuant to Art. 15 GDPR to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the source of your data if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
2. Right to rectification
   pursuant to Art. 16 GDPR, you have the right to request the immediate rectification of inaccurate personal data concerning you or the completion of your personal data stored by us;
3. Right to erasure
   pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for performing a legal obligation, for reasons of public interest, or for establishing, exercising, or defending legal claims;
4. Right to restriction of processing
   pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is contested by you, the processing is unlawful, but you oppose to the erasureand we no longer need the data, but you need it to establish, exercise or defend legal claims or you have objected to the processing pursuant to Art. 21 GDPR;
5. Right to data portability
   pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller;
6. Right to withdraw consent
   pursuant to Art. 7 para. 3 GDPR to withdraw your consent to us at any time. As a result, we will no longer be permitted to continue processing the data based on this consent for the future and
7. Right to lodge a complaint with the supervisory authority
   pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our law firm’s registered office.

The data protection supervisory authority responsible for BUSE is:

Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision)
Promenade 27
91522 Ansbach
https://www.lda.bayern.de

11. Right to object

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without specifying a particular situation.

If you wish to exercise your right of withdrawal or objection, simply send an email to datenschutz@buse.de.

12. Are you obliged to provide your personal data?

There is no legal obligation to provide us with your personal data.

If you fail to provide information or technically prevent us from processing personal data that is necessary for the use of our website, it is possible that you will only be able to use our offer to a limited extent.

The provision of your data when contacting us via our contact form or one of our contact persons is voluntary. However, without the necessary information, in particular a means of contact, we will not be able to process your request.

With the exception of identity checks within the scope of our obligations under the Money Laundering Act, there is no legal obligation to provide us with your personal data within the scope of a client relationship. However, failure to provide personal data in the client relationship may mean that we are unable to advise you or your employer, or that we are unable to do so accurately or completely.

13. Automated decision-making, including profiling, in accordance with Art. 22 GDPR

We do not process your personal data for automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 GDPR. If these are used, we will provide meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject.

14. Data security

When you visit our website, we use the widely used SSL (Secure Socket Layer) procedure in conjunction with the highest level of encryption supported by your browser. This is usually 256-bit encryption. If your browser does not support 256-bit encryption, we will use 128-bit v3 technology instead. You can tell whether an individual page of our website is being transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

15. Validity and changes to this privacy policy

This privacy policy is currently valid and was last updated in May 2025.

Due to the further development of our website and offers or due to changes in legal or regulatory requirements, it may be necessary to change this privacy policy. The current privacy policy can be accessed and printed at any time on the website at https://buse.de/en/privacy-policy/.