Data Privacy Policy for clients of CMS Reich-Rohrwig Hainz

Version from: 28 May 2018

CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH, Gauermanngasse 2, 1010 Wien (“CMS” or “we”) collects and processes your personal data in order to manage the client relationship.

This Data Privacy Policy describes the types of personal data we process, the purposes for which we collect the personal data, and the third parties with whom we exchange these personal data. Additionally, we will inform you about your rights in relation to your personal data and how you can contact us.

1. Who is responsible for data processing and who can I contact?

The data controller is:
CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH
Gauermanngasse 2
1010 Vienna
AUSTRIA

You can contact us at:
Tel: +43 1 40 443 2450
Email: [email protected]

The responsible person for data protection issues is:
Dr. Johannes Juranek

2. What personal data do we use?

2.1 General information on personal data

Personal data means any information relating to an identified or identifiable natural person. This can also include information on personal or material circumstances, such as name, postal address, email address, telephone number, date of birth, age, gender, social security number, video recordings, photos, personal voice recordings, as well as biometric data such as fingerprints. Special categories of data such as health data, or data related to criminal proceedings, may also be covered.

Personal data will only be collected when we require it in order to provide our legal services, on the basis of our legitimate interests, or when you have willingly provided the personal data to us or consented. If you should fail to provide the necessary personal data, we will not be able to provide you with our legal services, or at least not in a sufficient manner.

2.2 Personal data that we always process

We process the following personal data:

  • Name of the client or contact person
  • Address
  • Email
  • Telephone number
  • Fax number
  • Bank details
  • Records of the time spent on the mandate
  • Correspondence with clients and authorities
  • Information relating to proceedings in front of authorities
  • Tax number
  • Personal data that we gather from public registers (e.g. company register, trade register, money laundering database, etc.)

2.3 Further personal data that we collect, as the case may be

As a law firm, we may collect further personal data, if necessary. This varies from case to case. Upon request, we will be happy to provide you with further information on the respective data categories.

3. For what purpose and on what legal basis do we process your personal data?

As a law firm, we can collect, process and use the data as defined under point no. 2.2 and 2.3 for the following purposes:

3.1 the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Art 6(1)(b) GDPR)

The processing of the personal data is necessary in order to provide our legal services to the client. The purposes depend heavily on the specific mandate (e.g. consulting services, drafting or review of contracts, legal support in connection with legal proceedings, support in the course of legal transactions, etc.).

3.2 the processing is necessary for the purposes of the legitimate interests pursued by us as the data controller (Art 6(1)(f) GDPR)

To the extent necessary, we will process your personal data in order to protect legitimate interests of our own, in particular, in the following cases:

  • consultation and transfer of personal data with our CMS-network partners in order to provide our legal services;
  • marketing activities, as long as you have an active mandate with us and you have not opted-out from receiving marketing materials;
  • lodging legal claims and defence in case of legal disputes;
  • prevention and investigation of criminal acts;
  • video surveillance to exercise domiciliary rights (in the building at Gauermanngasse 2, 1010 Wien).

3.3 on the basis of statutory regulations (Art 6(1)(c) GDPR)

Moreover, law firms are subject to various legal obligations (e.g. Bar Regulations, the Federal Fiscal Code, etc.). For example, for the purposes of preventing money laundering, we may carry out identity checks to determine who the “ultimate beneficial owner” is or whether the client is a politically exposed person (PEP).

3.4 because you have given your consent (Art 9(2)(a) GDPR)

If special categories of personal data (e.g. medical records, union membership) are processed, or if you have given your consent for the processing for specific purposes, the legality of the processing is based on your consent. You may withdraw your consent from the partner in charge of the mandate at any time.

This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Withdrawal of consent will have an effect only for the future and does not affect the legitimacy of data processed until that date.

4. Who will receive my personal data?

For the purpose of providing our legal services and fulfilling the contract concluded with you, it may be necessary to transfer your personal data to other recipients. However, we will only transfer your personal data for the purpose of providing our legal services to you. Our recipients could be:

  • the opposing party,
  • substituting law firms,
  • insurance companies,
  • data processors, who perform certain services on our behalf,
  • our partner firms, who are part of the CMS network (www.cmslegal.com), provided that the case involves foreign elements,
  • courts,
  • authorities, or
  • other recipients who you indicate to us.

Some of the above-mentioned recipients of your personal data are located outside the European Union. The data protection level in other countries may not have the same standards as in Austria. However, we either transfer your personal data to countries that have an adequate level of data protection due to the EU Commission’s decision or to recipients who are Privacy Shield certified, or we guarantee that the recipients maintain a sufficient level of data protection by having them agree to the Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC). For a copy of these Standard Contractual Clauses, please contact: [email protected].

5. From which sources will my personal data be collected?

Please note that as part of the legal representation and support you receive from our law firm, factual and case-related information about you will be obtained from third-party or publicly available sources (e.g. the record of debtors, land registries, company registers, the press, the internet). Third parties could, for example, be partner law firms inside and outside the CMS network that consulted us in the course of the mandate (e.g. because the legal case included a foreign element relating to the Austrian legal system).

Upon request, we will be happy to inform you about the specific third parties from whom we have received personal data.

6. For how long will my personal data be stored?

We process and store your personal data under point 2.2 and 2.3 as long as it is required to meet the purposes as set out under point 3. If the personal data are no longer necessary due to our legitimate interest (e.g. processing for the purposes of defence in liability cases), the personal data shall be deleted. The same applies if data are prepared on the basis of consent and such consent is withdrawn.

7. What data protection rights do I have?

You have the right of access to your personal data, including information on the source, recipients and purpose of the data processing, as well as the right to rectification, the right to data portability, the right to objection, the right to restriction of processing and erasure of personal data that has been processed unlawfully or that is incorrect.

If your personal data changes, we would kindly request that you inform us.

Your consent to the processing of personal data for marketing purposes may be withdrawn at any time by contacting us at [email protected].

If you believe that our processing of your personal data violates the data protection laws currently in force or your data protection rights in any other way, you have the right to appeal to a competent data protection supervisory authority. For Austria, the Austrian Data Protection Authority is the competent supervisory authority.