Privacy Policy

Privacy Policy

1. General

We take the protection of your personal data very seriously. We ‘process’ data in accordance with the applicable statutory data protection provisions, in particular the European General Data Protection Regulation (hereinafter referred to as the ‘GDPR’) and country-specific data protection regulations.

‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is carried out on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or any other form of making available, the matching or linking, the restriction, erasure or destruction.

Below, we provide information on the processing of your data, in particular regarding the nature, scope and purposes of the collection and use of personal data, as well as the relevant legal bases for the individual processing operations on our website, when customer data and applicant data are transmitted, and regarding the handling of suppliers’ data. Furthermore, as part of our privacy policy, we explain the rights you are entitled to with regard to data processing.

2. Data controller

You can contact the data controller using the contact details provided below:

SiBa Wirtschaftskanzlei GmbH
Friedrichstraße 171
D-10117 Berlin
Represented by the managing director: Michaela Sieker
Email: post@siba-wirtschaftskanzlei.de
Telephone: +49 30 77 00 600 88

3. Nature, scope, purposes and legal bases for the processing of your data

We only process personal data where this is permitted or required by law, in particular to handle enquiries, to fulfil contractual obligations, to comply with legal obligations, where there is a legitimate interest, or where you have consented to the processing of your personal data.

Below, we provide information on the nature, scope, purposes and legal bases for the processing of your personal data:

a) Visiting our website (hosting and server log files)

Our website is hosted on a virtual private server (VPS) operated by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. For the purpose of providing and securely delivering the website, IONOS processes personal data on our behalf, in particular IP addresses and server log files. The processing is carried out on the basis of Article 6(1)(f) of the GDPR (legitimate interest in the secure and efficient operation of the website). A data processing agreement has been concluded with IONOS in accordance with Article 28 of the GDPR.

Further information on data protection at IONOS can be found in IONOS’s privacy policy: https://www.ionos.de/terms-gtc/terms-privacy.

When you visit our website, the server stores data in so-called server log files which your web browser automatically transmits to the server, in particular:

– Website visited
– Time of access
– Amount of data sent in bytes
– Source/referrer from which you accessed the page
– Browser used
– Operating system used
– IP address used

The data collected is used solely for anonymised statistical analysis and to improve the website. However, the website operator reserves the right to review the server log files retrospectively should there be concrete evidence of unlawful use.

This data is processed in order to enable you to access the web pages you have visited, for statistical purposes, to improve our website, to protect against unlawful cyber-attacks, and to exercise, assert or defend legal claims. Your IP address is stored only for as long as is necessary to defend against potential cyber-attacks and to provide law enforcement authorities with the information required for criminal prosecution.

The data specified above is processed separately from any personal data that you provide to us when visiting our website and/or using a service, and is under no circumstances combined with such data.

The legal basis for the data processing described above is Article 6(1)(b) of the GDPR for the implementation of necessary pre-contractual measures undertaken in response to your enquiry, in order to enable you to use the web pages you have accessed in the first place. Insofar as the aforementioned data is processed for security against unlawful cyber attacks, or to exercise, assert or defend legal claims, this is carried out on the legal basis of Article 6(1)(f) of the GDPR. Our legitimate interest in this data processing lies in analysing the data to improve our website, to exercise, assert or defend legal claims where necessary, and to protect our systems against unlawful cyber attacks.

Please note the right to object as set out in section 7 of this privacy policy.

b) Processing of personal data for the performance of a contract or for the implementation of necessary pre-contractual measures undertaken at your request

If you wish to make use of the services and offerings we provide, you will need to provide us with personal data for this purpose.

We process your personal data for the above purposes on the legal basis of Article 6(1)(b) of the GDPR in order to fulfil a contract with you or to carry out necessary pre-contractual measures undertaken at your request.

The purpose of processing your personal data is therefore, for example, to process enquiries or to provide the requested service. Without the provision of personal data, we cannot process your enquiry and/or conclude a contract with you, nor can we provide the services offered.

c) Processing of suppliers’ data

Where we process suppliers’ data, the following applies:

The specific data processed, as well as the nature, scope, purpose and necessity of its processing, are determined by the underlying contractual relationship or pre-contractual relationship. We process, or may process, the following categories of data:

– Master data (e.g. names and addresses),
– Contact details (e.g. email addresses and telephone numbers),
– Contractual data (e.g. services used, other contractual details, contractual correspondence, names of contact persons)
– Payment details (e.g. bank details, payment history).

The processing of suppliers’ data is carried out on the legal basis of Article 6(1)(b) of the GDPR in order to fulfil contractual or pre-contractual obligations towards our contractual partners and to provide any services that may be due.

d) Enquiries via contact forms on our website and enquiries by email, messenger, telephone or fax

If you send us enquiries via the contact form on our website and/or via email, messenger, telephone or fax, we will store your details, including the contact details you provide there, for the purpose of processing the enquiry and in the event of follow-up questions, until the purpose no longer applies. We will not disclose this data without your consent or where there is a legal authorisation or obligation to do so.

The legal basis for the data processing described above is Article 6(1)(b) of the GDPR, provided that your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures in response to your enquiry. In all other cases, the processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Article 6(1)(f) of the GDPR) or on your consent (Article 6(1)(a) of the GDPR) provided that this has been requested; consent may be withdrawn at any time.

The data you enter in the contact form will remain with us until you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies (e.g. once your enquiry has been fully processed). Mandatory legal provisions – in particular retention periods – remain unaffected.

e) Payment providers

Where we offer various payment options on our website during the ordering process, we will forward your payment details to the relevant provider once you have selected a payment provider during the ordering process, for the purpose of processing the payment and thus fulfilling the contract with you: The legal basis for the transfer of your data to the payment provider you have selected is then Article 6(1)(b) of the GDPR.

f) Disclosure of your data to data processors and third parties

Your data may be disclosed to service providers who support us – and whom we have carefully selected – for the purpose of fulfilling the contract or carrying out necessary pre-contractual measures undertaken at your request. These may be technical service providers or service providers assisting us with payment processing or bookkeeping, all of whom are bound by confidentiality obligations.

We also reserve the right to embed external content from third-party providers (e.g. YouTube videos, external map services, external graphics, etc.) on our website. Where we use third-party tools, we will inform you about their use, how they work, the legal basis and further details regarding the respective tools in section 15 of this privacy policy.

Otherwise, your personal data will only be disclosed to other third parties if we are legally obliged to do so on the legal basis of Article 6(1)(c) of the GDPR.

g) Logging of consents and withdrawal details

Where you have given us your consent to the processing of personal data and/or have withdrawn that consent, we log these declarations (in particular the date, time, content and the relevant IP address) in order to be able to provide evidence of your consent and your withdrawal of consent, and thereby to be able to defend against any legal claims where necessary and to enable law enforcement authorities to investigate any misuse of our services.

We store the log data until the expiry of the limitation period for any liability claims, for a period of up to 3 years following the withdrawal of your consent.

The logging of confirmation and login data is carried out on the basis of our legitimate interests in accordance with Article 6(1)(f) of the GDPR. Our legitimate interests lie in defending against any legal claims and preventing the misuse of our services. The generation and storage of log data takes place exclusively for the aforementioned purpose.

h) Checking payment history

Where we provide services in advance for certain types of contract, or where we have a legitimate interest in avoiding payment defaults, we reserve the right to obtain a credit reference. For this purpose, we will transmit your name, addresses and date of birth to infoscore Consumer Data GmbH, Rheinstrasse 99, 76532 Baden-Baden.

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in minimising the risk of non-payment and assessing the financial viability of contractual relationships.

As part of the credit check, probability scores may be used to assess credit risk. These are taken into account when deciding whether to enter into, fulfil or terminate a contractual relationship. No decision is made solely by automated means.

The information pursuant to Article 14 of the EU General Data Protection Regulation regarding the data processing carried out by infoscore Consumer Data GmbH can be found here:
here: https://www.experian.de/icd-infoblatt.

i) Data processing for the purposes of administration, organisation, financial accounting and compliance with legal obligations

Where we process personal data for the purposes of administration, the organisation of our business, financial accounting and compliance with legal obligations (e.g. archiving, retention obligations), the legal bases for processing are Article 6(1)(c) and (f) of the GDPR.

The retention periods for documents under tax and commercial law are determined in accordance with Section 147(1) of the German Fiscal Code (AO) and Section 257(1)(1) and (4) of the German Commercial Code (HGB). The documents listed in paragraph 1, Nos. 1 and 4a of the German Fiscal Code (AO) must be retained for ten years, those listed in paragraph 1, No. 4 for eight years, and the other documents listed in paragraph 1 for six years.

The retention period begins at the end of the calendar year in which the last entry was made in the ledger, the inventory, the opening balance sheet, the annual accounts or the management report was drawn up, the commercial or business letter was received or sent, or the accounting document was created; furthermore, the record was made or the other documents were created (Section 147(4) of the German Fiscal Code (AO)).

j) Data processing for the purpose of complying with the legal obligations under the Money Laundering Act

As a service provider for companies, we are an obligated party in accordance with Section 2(1)(13) of the Money Laundering Act (GwG) and are therefore obliged to identify contractual partners, any persons acting on their behalf where applicable, and beneficial owners in accordance with Section 11(1) of the Money Laundering Act (GwG), to collect the data in accordance with Section 11(4) of the Money Laundering Act or Section 11(5) of the Money Laundering Act, and to retain it in accordance with Section 8 of the Money Laundering Act. The legal basis for processing is therefore Article 6(1)(c) of the GDPR.

According to Section 11(4) of the Money Laundering Act, the identification data includes the personal data (first name, surname, place of birth, date of birth, nationality, residential address) and, in accordance with Section 8(2) of the Money Laundering Act, also the details and a copy of the document presented for identity verification (identity document). In the case of beneficial owners, the data must be collected in accordance with Section 11(5) of the Money Laundering Act.

In accordance with Section 6(6) of the Money Laundering Act, you, as a contracting party, are obliged to provide us with this information and these documents.

Pursuant to Section 8(4) of the Money Laundering Act, this data must be retained for five years, unless other statutory provisions regarding record-keeping and retention obligations stipulate a longer period.
In any event, the records and other supporting documents must be destroyed no later than ten years after the end of the calendar year in which the business relationship ends.

If, in accordance with Section 11a(2) of the Money Laundering Act (GwG), we transfer personal data to the competent supervisory authorities or to the persons and bodies engaged by the competent supervisory authorities in the performance of their duties, or to the Central Office for the Investigation of Financial Transactions, the obligation to inform the data subject under Article 13(3) of the GDPR and the data subject’s right of access under Article 15 of the GDPR do not apply.

k) Storage in and data transfer via the Hidrive cloud system

We use the Hidrive cloud system (hidrive.ionos.de) to back up data and, where necessary, to exchange data with you and our contractual partners. This data is stored on the servers of our service provider, IONOS SE. A data processing agreement (DPA) in accordance with Article 28 of the GDPR. This ensures that IONOS processes your data only in accordance with our instructions and strictly complies with data protection requirements. IONOS generally operates its data centres within the EU (e.g. Germany) in accordance with the privacy policy https://www.ionos.de/terms-gtc/datenschutzerklaerung/

Your data will only be stored for as long as is necessary for the respective purpose (e.g. performance of a contract, compliance with statutory retention periods).

l) Direct marketing

Your name and address may also be processed for an indefinite period for our own postal marketing purposes on the legal basis of Article 6(1)(f) of the GDPR, whereby our legitimate interest lies in postal direct marketing for our own services. Please note your right to object as set out in section 7 of this privacy policy.

m) Applicant data

We process applicant data solely for the purpose of and within the scope of the recruitment process, in accordance with statutory requirements. The processing of applicant data is carried out for the purpose of deciding on the establishment of an employment relationship on the legal basis of Section 26 of the Federal Data Protection Act (BDSG).

The recruitment process requires applicants to provide us with their application data. The necessary application data is set out in the job descriptions. In general, this includes personal details, postal and contact addresses, and the documents relating to the application, such as a covering letter, CV and references. In addition, applicants may voluntarily provide us with further information.

Where, as part of the application process, special categories of personal data within the meaning of Article 9(1) of the GDPR are provided on a voluntary basis, their processing is carried out on the legal basis of Article 9(2)(b) of the GDPR in conjunction with Section 26 of the BDSG (e.g. health data, such as severe disability status or ethnic origin)
. Where, as part of the application process, special categories of personal data within the meaning of Article 9(1) of the GDPR are requested from applicants, their processing is also carried out in accordance with Article 9(2)(a) of the GDPR (e.g. health data, where this is necessary for the performance of the job).

If applicants submit their applications to us via email, please note that emails are generally not sent in encrypted form and applicants must ensure encryption themselves. We are therefore unable to accept any responsibility for the transmission of the application between the sender and receipt on our server. As an alternative to applying by email, applicants have the more secure option of sending their application to us by post.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job vacancy is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a valid withdrawal by the applicant, the data will be deleted after a period of six months has elapsed, so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the Equal Treatment Act. Invoices for any travel expense reimbursements will be archived in accordance with tax regulations.

4. Use of cookies on our website

In addition to the data mentioned above, cookies may be stored on your computer when you use our website. Cookies are text files that contain data from websites or domains visited and are stored by a browser on the user’s computer.

We use only technically necessary cookies on our website for the purpose of operating the site, on the legal basis of Article 6(1)(b) of the GDPR.

Where we use ‘cookies’ on our website that are not technically necessary, we will first obtain your active consent via a so-called ‘cookie banner’ on the legal basis of Article 6(1)(a) of the GDPR, from which you can find further details about the cookies set by our site, in particular regarding how they work, their duration and third-party access to the data contained in the cookies. You can also object to the use of non-technically necessary ‘cookies’ at any time via our cookie banner by deselecting the use of cookies in the cookie settings.

You can also determine for yourself whether cookies can be set and accessed via the settings in your browser. For example, you can disable the storage of cookies altogether in your browser, restrict it to specific websites, or configure your browser to automatically notify you as soon as a cookie is about to be set and ask for your permission. You can also set your browser to automatically delete cookies when you close it.
Finally, you may be able to activate a ‘Do Not Track’ (‘DNT’) function in your browser, so that you are automatically excluded from being tracked by any web analytics tools that may be in use. You can find information on how to configure your browser settings in the help section of your respective web browser.

5. Retention and deletion periods for personal data

If the purpose of processing your personal data no longer applies, the personal data we process will be routinely deleted or blocked, unless you have consented to the permanent storage of your personal data.

Where individual data must be retained after the purposes of processing have ceased to apply due to statutory retention periods (e.g. tax and commercial law retention requirements), the data will be blocked rather than deleted. The data to be retained may then be processed exclusively for the aforementioned purposes on the legal basis of Article 6(1)(c) of the GDPR.

6. Rights as a data subject

You have the rights described below at any time:

– Right to confirmation and access to the personal data we process in accordance with Article 15 of the GDPR
– Right to rectification of your personal data in accordance with Article 16 of the GDPR
– Right to erasure of your personal data (‘right to be forgotten’) in accordance with Article 17 of the GDPR
– Right to restriction of processing of your personal data in accordance with Article 18 of the GDPR
– Right to data portability of your personal data in accordance with Article 20 of the GDPR
– In accordance with Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

Please send your request to us using the contact details provided in section 2 of this privacy policy.

7. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR.

In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

Where personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such marketing. In this case, we will no longer use your personal data for direct marketing purposes.

8. Right to withdraw consent

You may withdraw any consent you have expressly given to us under data protection law at any time with future effect. The lawfulness of the processing carried out on the basis of your consent up until the time of withdrawal remains unaffected by the withdrawal.

9. Complaints regarding data protection breaches to the supervisory authorities

If you believe that your data protection rights have been infringed, you may contact the supervisory authority in your federal state or in the federal state where our company is based. If a complaint concerns a company based in another federal state, the supervisory authority will forward the complaint to the competent supervisory authority there.

The supervisory authority for our registered office is as follows:

Berlin Commissioner for Data Protection and Freedom of Information,
Alt-Moabit 59-61
10555 Berlin
Telephone: +49 30 13889-0
Fax: +49 30 2155050
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/

10. Obligation to notify in connection with the rectification or erasure of personal data or the restriction of processing

We shall notify all recipients to whom personal data has been disclosed of any rectification or erasure of the personal data or any restriction on processing in accordance with Article 16, Article 17(1) and Article 18 of the GDPR, unless this proves impossible or involves a disproportionate effort. We shall also inform you of these recipients if you so request.

11. Legal or contractual requirements regarding the provision of your personal data, as well as information on the necessity for the conclusion of a contract, your obligation to provide personal data, and the possible consequences of non-provision

As described above, we collect and process your personal data in particular for the purpose of fulfilling a contract with you or for taking pre-contractual measures in response to your enquiry. In some cases, the provision of personal data when concluding contracts (e.g. for invoices) is required by law due to tax and/or commercial law provisions; otherwise, it constitutes a contractual or pre-contractual obligation. If you do not provide us with any personal data, this means that we will be unable to enter into a contract with you and/or respond to your enquiries.

Where we process your personal data on the basis of a legitimate interest in accordance with Article 6(1)(f) of the GDPR, the provision of your data for these purposes is neither contractually nor legally required. Details of data processing on the basis of a legitimate interest can be found in the relevant sections of the information above. If you do not provide us with personal data for these purposes, this may mean that you are unable to use our website and services, or unable to use them to their full extent.

Please note the right to object as set out in section 7 of this privacy policy.

12. Automated decision-making in individual cases, including profiling

We do not use automated decision-making – including profiling in accordance with Article 22(1) and (4) of the GDPR.

13. Data security

We implement technical and organisational security measures to protect the processing of personal data, in particular against accidental or deliberate manipulation, loss, destruction or unauthorised access. Our security measures are continuously improved in line with technological developments.

14. Questions / Comments

Please feel free to direct any questions or comments regarding this privacy policy or data protection in general to the contact details provided in Section 2 of this privacy policy.

15. Use of third-party tools on our website

Where we use third-party tools (programmes) on our website that utilise cookies, you can find detailed information on the use of cookies by these third parties in our cookie consent banner.

Where, for your further information, we refer below to data protection information from third parties – which may only be available in English or another foreign language – you can easily have the foreign-language texts translated into German (or another language) free of charge using services such as the following:

– Deepl Translator: https://www.deepl.com/de/translator
– Prompt Translator: https://www.online-translator.com/
– Google Translate: https://translate.google.de/
– iOS apps: ‘Deepl’, ‘iDict’
– Android apps: ‘Deepl’, ‘Prompt Online Translators’
There are other translation programmes available via app stores and/or search engines that you can use to translate foreign-language texts into German (or another language).

Important risk notice

We use third-party tools from the USA on our website that are not technically necessary; these tools use cookies or may process your full IP address, your location or other personal data.

The USA is currently considered a country with a level of data protection that is insufficient by EU standards. In particular, there is a risk that your data may be processed by US authorities for monitoring and surveillance purposes in the USA or comparable third countries with inadequate data protection standards, without you being informed of this data processing and without you having the possibility of seeking legal redress against such data processing by the authorities of the third country with inadequate data protection standards.

If you consent to the use of the technically non-essential tools provided by the third-party providers listed below, this personal data will be processed by the specified third-party providers.

If you do not consent to the use of these technically non-essential third-party tools, the third-party tool will not be launched and the transfer and processing of your data by the third-party providers, as described above, will not take place.

We use the following third-party tools (programmes) from the USA on our website:

Google Maps

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose of the tool: Map service
Privacy-friendly default settings: no use of cookies, launch without autoload, only after consent has been given on the website
Legal basis: Consent in accordance with Article 6(1)(a) of the GDPR. You may withdraw your consent at any time with future effect by clicking on ‘Change privacy settings’ and amending your selection there.
Place of processing: Unknown; may also include the USA
Scope of processing:
If you consent to the use of Google Maps, the following data, amongst others, will be collected:
– the page you have accessed
– your location
– your IP address
– technical information about your browser and the devices you use (e.g. language settings, screen resolution)
– your internet service provider
– the referrer URL (the website or advert through which you arrived at this website)
– if you are logged into your Google account, Google records all activity on websites and in apps.
The provider’s privacy policy:
https://policies.google.com/privacy?hl=de
https://business.safety.google/adscontrollerterms/

Date of privacy policy: 30 April 2026

Change privacy settings