Home / Privacy Notice

Privacy Notice

LAST UPDATED: July 2024 

This Privacy Notice explains the processing of your Personal Data on the websites that are operated by CMS Legal Services EEIG/EWIV, Neue Mainzer Straße 2–4, 60311 Frankfurt, Germany as the controller under GDPR and your rights under GDPR. 

The respective CMS Member Firms provide client services and process Personal Data for their respective clients, events or other local services (please see the section on Country-Specific Provisions below for their privacy notices). 

When we say… …we mean 
"CMS", “we”, “us” or “our” CMS LTF Ltd., CMS Legal Services EEIG/EWIV and/or the CMS Member Firms depending on context. CMS Legal Services EEIG/EWIV owns and operates our websites.
"CMS Offices" CMS Member Firms and their connected businesses. 
"Cookies" A small text file that is stored by your browser. Each time you return to the same website, your browser retrieves and sends the relevant cookie(s) to the website’s server. We also refer to similar technologies such as web storage or pixel tags by the term "Cookies". 
"GDPR" Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and/or Regulation (EU) 2016/679 as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, as applicable. 
"Personal Data" Information relating to you, which can be used to personally identify you (either directly or indirectly). Examples: your Name, telephone number or IP address. 
"Websites" Our Websites at cms.law, cms-lawnow.com and CMS online tools 

A. WHY DO WE USE YOUR PERSONAL DATA? 

1. Delivery of the Websites 

If you access our Websites Personal Data is temporarily stored. The following data is collected in this context: 

  • IP address and host name of your computer 
  • Date and time of access 
  • Page visited on our Websites 
  • Website from which the Websites were accessed.
  • Whether the access was successful, and the amount of data transferred.
  • Your browser type and operating system.
  • And any Personal Data you are providing to us. The processing of this Personal Data is necessary to deliver the Websites to you. The legal basis for this processing of your Personal Data is our legitimate interest (Art. 6 (1) f) GDPR). 

To provide the Websites we use the following service providers: 

Cloudflare 

Cloudflare is our content delivery network, i.e., a geographically distributed group of servers which work together to provide fast delivery of our Websites. We also use Cloudflare's IT security services like DDoS protection, Turnstile (confirming that visitors are real) and web application firewall (checking web requests if they match attack patterns or originate from hackers or bots). Cloudflare is a service provided by Cloudflare, Inc., 701 Townsend St., San Francisco, CA 94107, which acts as our processor. CMS has concluded a data processing agreement with Cloudflare (Art. 28 GDPR) and any transfers to the US are covered by Cloudflare's participation in the EU-US Data Privacy Framework. which has been found to provide an adequate level of data protection (Art. 45 GDPR).  

Google Tag Manager 

Google Tag Manager is a tag management system provided by Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland ("Google") that we use on our Websites. Google Tag Manager has access to all personal data described under A.1. The Google Tag Manager allows us to add code and other snippets such as pixels to our Websites. Google is only processing your IP address as an independent controller. Any transfers to the US are covered by Google's participation in the EU-US Data Privacy Framework which has been found to provide an adequate level of data protection (Art. 45 GDPR). Google will not combine your IP address with Personal Data from other sources. The legal basis for the transfer to Google is our legitimate interest (Art. 6 (1) f) GDPR) in providing the Website efficiently. You can find more information in Google's Privacy Policy

Ceros 

Ceros studio is a service provided by Ceros Crowd Fusion, Ltd., Broadgate Tower, 20 Primrose Street, London, UK to publish website content in a magazine style and to allow website customised user experience, for that purpose, the system tracks user IPs. Ceros is only processing your IP address as our processor. CMS has concluded a data processing agreement with Ceros (Art. 28 GDPR) and any transfers to Personal Data according to the EU Standard Contractual Clauses.  

Other website service providers 

Further service providers used to provide the Websites are described in our Cookie Notice

2. Log data 

Further storage of the data used to deliver the Websites takes place in log files in order to ensure the functionality of our website and, if necessary, to check and enforce our rights or property, our terms of use and the rights of third parties. The log files are stored as long as necessary for the respective purpose (at most for 30 days). The legal basis is our legitimate interest (Art. 6 (1) f) GDPR).  

3. Analytics 

We use analytics services (without Cookies) to better understand your interests and to continuously improve our Websites. These services allows us to analyze traffic and usage patterns of individual users (without further identifying them) or groups. The legal basis is our legitimate interest (Art. 6 (1) f) GDPR) in improving our website. In particular, we use the following analytics services: 

Piwik Pro 

We are using Piwik PRO to process the Personal Data described in A.1 for basic application and user statistics. Piwik PRO does not place any cookie, does not transfer any Personal Data to third parties or outside the EU/UK and does not track any Personal Data. Your visitor IP address is only retrieved on country level. Piwik Pro is Piwik PRO GmbH, Kurfürstendamm 21, 10719 Berlin as our processor. 

Kaisa

Kaisa, a service provided by Kaisa Technologies AB, works with Google Tag Manager and uses Cookies (and similar technologies), to track and analyse user behaviour on Websites.

Where a telephone call is triggered through our Websites by the user clicking on the telephone icon, Kaisa collects the following information about the user making the call: telephone number, IP address or other device address or ID, geographic location of the user, web browser and/or device type, the web pages or sites visited just before or just after visiting our Websites, the pages or other content the user views or interacts with, and the dates and times of the user’s visit. Kaisa then shares this information with us.

We use feedback provided to us by Kaisa to help us analyse the effectiveness of our marketing campaigns, including by checking if a user who clicks on the telephone icon actually places a call to the lawyer whose number he/she has clicked on.

4. Cookies 

For our use of Cookies see our Cookie Notice

5. Registration, communication and contact forms 

We use your Personal Data to communicate with you, for example when you register, log in, participate in training courses and events, or send us messages. 

We collect your Personal Data, if you provide it to us by filling out forms on our Websites. We may use this Personal Data to respond to your queries or to provide services that you have requested. We also use the Personal Data you provide to us when you participate in campaigns on our social media channels (LinkedIn etc.) or send us inquiries or comments.  

The legal basis is performance of a contract to which you are party or for answer to your messages or requests (Art. 6 (1) b) GDPR). The provision of your personal data is required as otherwise it will not be possible to communicate with you. 

6. Webinars 

We use the Personal Data that you provide when you register for a CMS Webinar to:  

  • identify you as a registered attendee of the relevant Webinar; give you access to the webinar, 
  • contact you in relation to the Webinar agenda and speakers, 
  • send reminders and let you know if there are any changes to the Webinar (e.g., a change in the time and date when it will take place). 

The legal basis is performance of a contract to which you are party or for answer to your messages or requests (Art. 6 (1) b) GDPR). The provision of your personal data is required as otherwise it will not be possible to participate in the webinar. 

We may share your contact details (e.g., email address) with the speakers in order to contact you after the webinar to provide you with their presentations and webinar recordings and to request your feedback. Webinars are recorded for training purposes and to help us improve the services that we provide. We may also use your Personal Data to contact you after the Webinar, in order to request your feedback. We use service providers to offer you webinars. These service providers allow us to track registration, participation, and the quality of the webinars. The legal basis is our legitimate interest (Art. 6 (1) f) GDPR). 

7. Social media pages 

Our social media partners provide us with statistics and analytics on the use of our social media offerings. These statistics do not contain any names or other information about individual users. With the help of these services, we can analyse and improve our social media activities. This is our legitimate interest for using these statistics (Art. 6 (1) f) GDPR). 

We do not use any social media share plugins by which information is automatically transferred to the provider of social media services when you visit our Websites. Any forwarding to social media providers such as LinkedIn or X (previously Twitter) takes place exclusively via link. 

In particular, we use the following social media platforms: 

X (previously Twitter) 

We offer a X (previously Twitter) channel, which you can access via a link on this page. Our X channel provides you and us with the opportunity to communicate with you, respond to our and your posts, comment on them, repost (previously retweet) them, and send private messages. We use the data you provide in this context, and which may be accessible to us (e.g., X username, images, content of posts (previously tweets), interests if applicable, contact details) exclusively for the purpose of communication. The legal basis for processing Personal Data when using the X channel is our legitimate interest (Art. 6 (1) f) GDPR). X itself is responsible for processing of your Personal Data related to your usage of its service. You can find more information about X's usage of your Personal Data in X's Privacy Policy

LinkedIn 

We use LinkedIn to communicate with you and to advertise our work. The legal basis is legitimate interest (Art. 6 (1) f) GDPR). For more information see LinkedIn’s Privacy Policy

When processing Personal Data on our LinkedIn page, we and LinkedIn act as so called “Joint Controllers” according to Art. 26 GDPR. We have therefore concluded a separate agreement that can be found under https://legal.linkedin.com/pages-joint-controller-addendum. For any further processing of your data, LinkedIn is the sole controller. If you wish to exercise your rights to information, deletion, etc. (see section “Your Rights”), LinkedIn is responsible for the fulfilment of your rights as part of our Joint Controllership.  

8. Newsletters & publications 

We will only send you publications or newsletters when you have provided us with your specific consent or have expressed your interest to us in a certain type of information or legal area. We also process your Personal Data in order to provide you with tailored and relevant marketing, updates and invitations including, with your consent, how you access and use our emails. We use service providers to provide you with tailored marketing, publications and information about our services, and invitation to events. These service providers allow us to track with your consent deliverability, opt outs, clicks on links and downloads of stored materials in order to optimise our mailing campaigns. Where possible we are anonymising IP addresses.  

The legal basis is your consent (Art. 6 (1) a) GDPR). 

In particular, we use the following service provider for sending newsletters analytics: 

Sendgrid 

Sendgrid is a service for email marketing. We use this service to send newsletters and other emails and to provide link tracking and open rate reporting. The service is provided by Twilio Ireland Ltd., 3 Dublin Landings, North Wall Quay, Dublin 1 D01 C4E0, as our processor. Any transfers to the US are covered by Twilio's participation in the EU-US Data Privacy Framework. which has been found to provide an adequate level of data protection (Art. 45 GDPR). 

9. LawNow/RegZone

Law-Now/RegZone - if you choose to subscribe to the Law-Now and/or RegZone portal(s), we use Personal Data that you provide during the subscription process to set-up and maintain your Law-Now/RegZone account and to send you relevant Law-Now/RegZone content by email. This will consist of information on legal and business issues that are relevant to your preferences. We will also tell you about our events and seminars. Within RegZone, you have the option to receive invitations to our events. If you want to receive such invitations you can let us know by ticking the relevant box on the subscription form.

Your agreement to the use of your Personal Data for these purposes is optional. If you decide not to subscribe to Law-Now and/or RegZone, we will not send you Law-Now and/or RegZone communications, but your use of our Websites will remain otherwise unaffected. You can change your Law-Now/Regzone preferences at any time by logging into your account.

Law-Now/RegZone opt-out - you are entitled to opt-out from receipt of Law-Now/RegZone communications at any time. You can do so by visiting the Manage your Law-Now or Manage your RegZone preference management pages and deselecting all email options. You can also use the “unsubscribe” option included in all Law-Now/RegZone e-mails. Alternatively, you can email the Law-Now/RegZone support team who will process “unsubscribe” requests for you. When you unsubscribe we will keep a record of this, and once your request has been processed, you will stop receiving Law-Now/RegZone emails. You can still use our Websites once you have unsubscribed.

The legal basis for sending you Law-Now/RegZone emails is your consent (Art. 6 (1) a) GDPR).

Concep mailer

In order to provide you with tailored marketing, publications and information about our services, and invitation to events, we are using "Concep mailer" provided by Concep Group Ltd, London, United Kingdom. Concep Group is bound by a processing agreement with CMS. All user information, contact information and analytics are hosted by Concep Group on Amazon servers in the EU and can be shared with local CMS systems.

Concep allows us to track deliverability, opt outs, clicks on links and downloads of stored materials in order to optimise our mailing campaigns. If you do not like emails and their use to be tracked any longer, please let us know via dpo@cmslegal.com. Where possible we are anonymising IP addresses. Concep Group encrypts emails during transmission.

10. Recruitment 

If you apply to a vacancy to CMS Legal Services EEIG/EWIV or to a local CMS Office, we use the Personal Data you provide to us to decide on our application. CMS Legal Services EEIG/EWIV and local CMS Office act as separate controllers. The legal basis is to take steps at your request to evaluate your application (Art. 6 (1) b) GDPR). The provision of your personal data is required as otherwise it will not be possible to communicate with you. With your consent (which you can withdraw at any time) your application may be stored for future vacancies in case that your application is not accepted (Art. 6 (1) a) GDPR). 

In some cases, you will be directed to our dedicated application portals. In these cases, you will be provided with specific information about how your Personal Data will be handled in connection with your application at the time that you submit your Personal Data.  

For other vacancies we do not use an application portal. Instead, we either ask you to contact us directly by email or we request that you upload a copy of your C.V. and covering letter so that we can consider your suitability for the role.  

Pre-screen 

CMS Reich Rohrwig Hainz Rechtsanwälte GmbH utilizes New Work SE as a central platform for applicant management via the e-recruiting system pre-screen under the domain jobbase.io, on which CMS Reich Rohrwig Hainz Rechtsanwälte GmbH can post job advertisements and receive and manage applications. Within the scope of these activities, pre-screen processes personal data only on behalf of and for the purposes of CMS Reich Rohrwig Hainz Rechtsanwälte GmbH and is therefore a so-called processor within the meaning of Art. 4 No. 8 GDPR. When using the pre-screen widget on https://cms.law/de/aut/offene-stellen, your personal data will be collected directly in jobbase.io. Further, in the case of a postal or email application, your data may be transferred to the e-recruiting system. These are used to make the online application more user-friendly and effective. The Cookies used by pre-screen can be found in the pre-screen Privacy Policy at: https://prescreen.io/de/datenschutzerklaerung/. 

11. Further purposes 

If necessary, we process your Personal Data for additional purposes, especially to fulfil contracts and in the context of existing or new business relationships (please note that for client services CMS Member Firms  will act as a separate controllers). We will process this Personal Data for the performance of a contract (Art. 6 (1) b) GDPR), to comply with legal obligations, court orders or other binding decisions of public authorities (Art. 6 (1) c) GDPR) and to satisfy our legitimate interests, including but not limited to protecting the rights of CMS and others and exercising legal claims (Art. 6 (1) f) GDPR).  

B. WHO WILL WE SHARE YOUR PERSONAL DATA WITH? 

1. Service providers 

In addition to the service providers described under A. we also share your Personal Data with other third-party service providers who act on our behalf to: 

  • provide support services in relation to our Websites for the purposes of hosting and maintaining our Websites; providing data storage; assisting us with database management, and to assist us with related tasks or processes 
  • send out our surveys and record and process the results 
  • manage the invitation and registration process for our events. 

All of our service providers are bound by written contract to process Personal Data provided to them only for the specific service and to maintain appropriate security measures to protect your Personal Data. 

2. Sharing within CMS 

CMS Legal Services EEIG/EWIV and CMS Member Firms share your Personal Data with other CMS Member Firms: 

  • if you ask us to do so in an online form (legal basis: performance of a contract pursuant to Art. 6 (1) b) GDPR) 
  • to organise and/or manage an event that you have registered to attend (legal basis: performance of a contract pursuant to Art. 6 (1) b) GDPR) 
  • where we need to do so in order to provide the services or information that you have requested. (legal basis: performance of a contract pursuant to Art. 6 (1) f) GDPR). 

3. Other third parties 

We share your Personal Data with: 

  • our accountants, auditors, lawyers, or similar advisers when we ask them to provide us with professional advice 
  • investors and other relevant third parties in in the event of an actual potential sale or other corporate transaction related to CMS 
  • to comply with a legal obligation 
  • to comply with a court, tribunal, regulator, or government agency order. 

C. IN WHICH COUNTRIES IS MY PERSONAL DATA TRANSFERRED? 

CMS Legal Services EEG is located in Germany. CMS Offices located outside of the EEA, service providers and other third-party recipients may also process personal data outside the EEA/UK. In these cases, we ensure an adequate level of data protection to comply with the requirements of European/UK law (this is usually done with the help of EU standard contractual clauses of the European Commission, the UK Addendum to the EU standard contractual clauses and, if necessary, other appropriate guarantees). You can request a copy of the of EU standard contractual clauses from our data protection officer listed in the contact information below.  

D. HOW LONG DO WE STORE YOUR PERSONAL DATA? 

Unless a specific duration of data storage is specified in this Privacy Notice, we will only process your data as long as this is necessary for the respective purposes. After the respective processing purpose ceases to apply and retention obligations end, your data will be routinely deleted. 

This means for example, that we store your user account data (login, profession, name etc.) until you delete it. In some cases, we are obliged to store your data for longer in order to comply with statutory retention periods. For information on how long Cookies are stored, please refer to our Cookie Notice. 

E. WHAT ARE MY RIGHTS? 

You can request access to your Personal Data. If you have provided Personal Data based on a contract or consent, you have the right to receive this Personal Data in a commonly used and machine-readable format. 

In addition, you can also request the deletion, rectification, or restriction of the processing of your Personal Data subject to the conditions and limitations set out in GDPR. 

If your Personal Data is transferred to a country outside the EEA that does not provide an adequate level of data protection, you can request a copy of the contract that ensures the adequate level of protection. 

You can withdraw your consent at any time. 

You can make a complaint to a data protection authority, in particular in particular in the Member State of your residence, your place of work or the place of the alleged infringement. For CMS Legal Services EEIG/EWIV the competent data authority is the Hessian Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, poststelle@datenschutz.hessen.de.  

Right to object: 

To the extent we base the processing of your Personal Data on our legitimate interests (Art. 6 (1) f) GDPR), you may object to such processing at any time on grounds of your particular situation. In this case, we will not process such Personal Data any longer, unless our interests prevail. You can object to the use of your Personal Data for direct marketing purposes at any time without stating a reason. 

F. WHO CAN I CONTACT? 

Please address your questions or concerns regarding the processing of your Personal Data to: dpo@cmslegal.com.

G. COUNTRY-SPECIFIC PROVISIONS 

Contact data, legal information and privacy notices for CMS Offices can be found in the Legal Information

1. Mexico 

CMS Woodhouse Lorente Ludlow delivers its services in Mexico through its office in Mexico City at Paseo de la Reforma 115, 19 floor, tel. +52 55 26230552.  

The current Policy of Treatment of Personal Information is available for download below: 

English 

Spanish 

2. Chile 

CMS Carey & Allende provides client services in Chile through its office in Santiago at Av. Costanera Sur 2730, 10th floor, Las Condes, Santiago. telephone: (+56) 22 485 20 00. When visiting our website, you are not required to provide any personal information unless you decide to fill-in and send us a “contact form. In such case, and when applicable, we will differentiate between personal and non-personal data and retain that information in order to process your inquiries or requests. 

Additionally, you may decide to communicate with us when you apply for a job through our Job Opportunities on Careers sections where, with the aim of being able to contact you back, you will be prompted to enter your name and email address and accept the terms of our website disclaimer. Unless otherwise required by law, CMS Chile will not share your personal information with third parties nor will we include your personal data in our distribution bases without your express consent. Your data will be used exclusively to communicate with you. 

3. Colombia 

CMS Rodríguez-Azuero delivers its services in Colombia through its office in Bogotá at Cra. 11 # 77a - 99, tel. +57 1 321 8910.  

The current Privacy Policy is available for download below: 

English 

Spanish 

4. France 

The following Privacy Policy covers the use by CMS Francis Lefebvre  whose registered office is located at 2 rue Ancelle, 92522 Neuilly-sur-Seine Cedex (“we”, “us”, “our”, “CMS Francis Lefebvre ”) of personal data concerning (I) its clients, prospects and (II) members of the alumni community (“your information”). CMS Francis Lefebvre is a member of the CMS network. CMS Francis Lefebvre may be required to disclose certain information about you to other member firms of the CMS network. The terms and conditions of use of the data concerned by the recipients are governed by a “data sharing” contract concluded between the members of the CMS network and aimed at ensuring the security of your data. For more information on the transfer of some of your data with the CMS network, please refer to our website (cms.law). Please review the following Privacy Policy which explains how we use and protect your information. For any request concerning the processing of your personal data, you may contact our Data Protection Officer, by e-mail at dpo[at]cms-fl.com, in person or by post at 2 rue Ancelle, 92522 Neuilly-sur-Seine Cedex France, accompanied by a copy of a signed identity document, or by contacting us on +33 1 47 38 55 01. For the purposes of this document, the terms “Personal Data”, “Processing”, “Controller” and “Processor” have the definition given to these terms in Article 4 of the European Regulation, 2016/679 of 27 April 2016 (hereinafter the “General Data Protection Regulation” or “GDPR”). The expression “Applicable Data Protection Legislation” refers to the GDPR and French Data Protection Law No. 78-17 of 6 January 1978. 

You will find the access to our privacy policy here.  

5. Netherlands 

The following privacy statement applies to the legal service provision of CMS Derks Star Busmann N.V. Furthermore, CMS Derks Star Busmann N.V. provides (communication) services relating to newsletters and events, the so-called Client Services. To this service provision, the following privacy statement applies. 

6. Norway 

The privacy policy regarding CMS Kluge Advokatfirma AS’ (org. no. 913 296 117) handling of personal data when providing their services can be found here (in Norwegian). 

7. South Africa 

CMS provides client services in South Africa through the locally registered companies CMS RM Partners Incorporated (Registration Number: 2018/243548/21) and CMS RM Partners (Proprietary) Limited (registration number: 2018/221212/07) (collectively referred to as "CMS South Africa"). CMS South Africa is located at 3rd Floor, 82 Maude Street, Sandton, 2196. 

CMS recognises the importance of protecting your privacy in respect of your Personal Information in terms of the Protection of Personal Information Act No 4 of 2013 ("POPI") when using our Websites. 

By using our Websites, you agree to CMS, its directors, consultants, employees, agents and subcontractors, affiliates and/or third parties to process (which will include collecting, using and disclosing) your Personal Information for the purposes stated in this Privacy Notice. Please do not use our Websites if you do not agree with the processing activities described in this Privacy Notice. 

CMS will not use your Personal Information for any purposes not mentioned in this Privacy Notice without your consent. 

If you have any questions, concerns or complaints regarding CMS' processing of your Personal Information in terms of this Privacy Notice, please email us at popi@cms-rm.com

Please also refer to CMS South Africa’s PAIA and POPI Manual which provides, amongst others, further information relating to the treatment of personal information, including in relation to giving effect to the rights granted under POPI terms of which you may access your personal information, object to processing and request the correction of any of your personal information held by CMS South Africa. A copy of CMS South Africa’s PAIA and POPI Manual can be accessed here

8. Slovakia 

CMS provides client services in Slovakia through CMS Reich-Rohrwig Hainz s. r. o. and CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., organizačná zložka, both offices residing at Staromestská 3, 811 03 Bratislava (collectively referred to as “CMS Slovakia”). The respective CMS Slovakia office collects and processes personal data in order to manage its client relationships. Separate data privacy notices for clients used by the two CMS Slovakia offices describe the types of personal data processed, the purposes for which the personal data are collected, and the third parties with whom these personal data are exchanged. Additionally, the respective notices provide information about the clients’ rights in relation to their personal data and about relevant contact channels.