Data Protection Declaration

The protection of your personal data is of central concern to LENLAKE Corporate Advisors (hereinafter referred to as “we”, “us” or “LENLAKE”). With this data protection declaration, in accordance with the specifications of the EU General Data Protection Regulation (Regulation (EC) 2016/679 of the European Parliament and the Council, dated 27th April 2016 – hereinafter referred to as “GDPR”), we wish to inform you of the processing of your personal data when accessing the website of the LENLAKE Corporate Advisors, http://www.lenlake.com (hereinafter referred to as “website”):

1. Controller

LENLAKE Corporate Advisors
Diplom-Volkswirt Torsten Löbbert

Ludwigstr. 8 Ludwigpalais
80539 Munich
Germany
Tel. +49 (0) 89 206 021 385
Fax +49 (0) 89 206 021 610
Email: info@lenlake.com
LENLAKE Corporate Advisors – Mr Diplom-Volkswirt Torsten Löbbert operates the website as responsible controller.

2. Data Protection Officer

Data Protection Officer of LENLAKE Corporate Advisors:
Diplom-Volkswirt Torsten Löbbert
LENLAKE Corporate Advisors
Ludwigstr. 8 Ludwigpalais
80539 München
Germany
E-Mail: dataprotection@lenlake.com

3. Categories of personal data which we process

The listed personal data are collected, processed and used by the following operations for the purposes hereinafter referred to:
3.1 Using our website
• Information on the browser used and its version
• Operating system of the terminal unit used
• Your Internet service provider
• Your IP address
• Date and time of access
• Websites from which you accessed our website (so-called Referrer)
• Websites which are called up by your IT-system over our website
• Cookie data (e.g. pseudonym Cookie ID, dwell time on our website, page call-ups, your movement over links), provided that you should not prevent this, as explained under Item 8

3.2 Distribution of publications, information material and/or press releases
• Personal master data (e.g. address, title, first name, last name)
• As appropriate, company information (e.g. name of the company, your department)
• Contact data (e.g. e-mail address)
• Address data (street, house number, post code/location, country)

4. Sources of the processed personal data

In principle, we collect personal data only from you as the relevant data subject. If personal data is retained from a different source in exceptional cases we provide you with the required information separately. If personal data is processed by using our online forms (e.g. contact form), we are provided with the personal data by the person who fills in the respective form.
If you should send us personal data of third parties through our online services, you are obliged to comply with all data-protection law requirements, in particular those of articles 5 to 9 and 12 et seq. GDPR. Failing this, we do not have any intention to obtain this data and reserve the right to initiate legal proceedings against you.

5. Storage limitation

The personal data obtained is stored no longer than necessary for the purpose for which it was collected (e.g. contract performance). If this data is no longer serving this purpose, we generally erase or anonymize the data, provided that, and insofar as, there exists no legitimate interest or legal obligation to retain the data (e.g. according to requirements under fiscal law or professional standards). In the latter case, the processing of your data is restricted to the compliance with the afore-mentioned right or obligation to store data for a specified period. Beyond these cases, data will only be stored with your consent or for the assertion, exercise or defense of legal rights, for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the European Union or a member state. In case of the existence of an overriding interest or obligation to preserve account records for a specified period, we shall erase or anonymize the data following certain expiry of the afore-mentioned obligation to retain the data.

6. Purposes for which the personal data is processed
We comply with the principle that personal data can only be collected for specified purposes and process your personal data only for those purposes as laid down in this data protection declaration.
In case you visit our website you are not legally or contractually required to actively provide information related to your person. Nevertheless, we collect certain data for the assessment of user behavior through pseudonymization. Also, so-called cookies and social plug-ins are used on our website (see more under Item 8).
We use the personal data made available by you for the following objectives:
• Processing of your inquiry (inquiries) (e.g. over our contact form)
• Direct advertising
• Contract performance, as well as implementation of pre-contract signing measures
• Other establishing of contact
• Customer service
• Compliance with legal requirements (e.g. for compliance with fiscal and commercial legal obligations and the implementation of a compliance management system, including compliance checks)
• Data protection, as well as security management and testing

7. Legal basis for the processing

The GDPR, the German Federal Data Protection Law (BDSG), as well as further European and German regulations and statutes, form the basis for the processing of personal data.
7.1 Using our website
For technical reasons, with every call-up, we automatically record data and information with regard to the IT system of the calling terminal unit for granting access to our websites. We process the data types from you in this case, as designated under Item 3.1. The legal basis for the processing is Art. 6 Sect. 1 p. 1 a) GDPR. Further details on cookies used by us within the framework of the appropriation of accessing our website can be found under Item 8 of this declaration.
7.2 Distribution of newsletters and publications, information material and/or press releases
Provided that you request newsletters, other publications, information material or press releases from us, we process the data types listed under Item 3.2. In case of a transfer by e-mail, the specification of your e-mail address only is required for this. If you should request further publications by post the specification of your first and last name, your address data, as well as possibly the name of your company and department (in case of forwarding to your business address) are required. The legal basis for the processing in this case is Art. 6 Sect. 1 p. 1 a) GDPR, since we carry out the processing of your data for distribution based on your consent.
7.2.1 Consent declaration (e-mail newsletter or other publications)
Provided that you have given us your consent to the utilization of your data for the distribution (electronic and/or postal) of publications, you declared yourself in agreement with the processing of your data for this purpose as follows:
“I herewith agree that the personal data entered by me, within the framework of the registration for an e-mail newsletter or other publication, may be processed for the distribution of the publications selected by me. I can revoke this consent at any time in the future and thus cancel the respective publication. I have taken note of the precise details of the processing of my data, as well as the rights to which I am entitled concerning the data processing, as explained in the data protection declaration.”
7.2.2 Consent declaration (press releases)
Provided that you have given us your consent for the processing of your data for the purpose of electronic distribution of press releases, you declared yourself in agreement with the processing of your data for this purpose as follows:
“I herewith agree that the personal data entered by me, within the framework of the order of electronic press releases, may be processed for the dispatch of electronic press releases. I can revoke this consent at any time in the future and thus cancel the press releases. I have taken note of the precise details of the processing of my data, as well as the rights to which I am entitled concerning the data processing, as explained in the data protection declaration.”
7.2.3 Revoking your consent
You have the possibility to revoke your consent at any time with effect for the future. The legitimacy of the processing of your data is not affected by the revocation up to the time of the revocation. You can declare your revocation as described under Item 11 g) and i).
7.2.4 Use of the contact data of our points of contact
Provided that you should contact one of our points of contact by e-mail or by telephone, we process the data types indicated under Item 3.2. The processing of the indicated data is required in order to answer your inquiry and, as appropriate, also in order to implement the pre-contract-signing measures requested by you (e.g. in order to send you requested information on a seminar). Legal situations for this processing are according to Art. 6 Sect. 1 p. 1 b) and f) GDPR.
7.2.5 Other purposes
It is possible that the data types designated under Item 3 will also be processed for the following objectives and on the basis of the following legal situations:
• Compliance with legal requirements we are obliged to meet (e.g. for fulfillment of fiscal and commercial-legal obligations and the application of a compliance management including compliance tests), where the legal basis for this is Art. 6 Sect. 1 p. 1 c) GDPR.
• Data protection and security management, including corresponding tests by our Data Protection Officer. Legal basis is with respect to tests by our Data Protection Officer Art. 6 Sect. 1 p. 1 c) GDPR, particularly in assoc. with Art. 24 Sect. 2 pp. 2 and Art. 38 Sect. 2 and Art. 39 Sect. 1 b) and c) GDPR, and additionally Art. 6 Sect. 1 p. 1 f) GDPR. Our legitimate interest can be found in a secure and data-protection-consistent processing of personal data.

8. Utilization of cookies

On our website we use cookies. Cookies are small data packets which are generated by our web server and filed on the hard disk of your computer when communicating with the web server. A distinction has to be made between so-called session cookies, which serve for the pure functionality of our websites and which are deleted immediately again after the closing of the browser, and so-called persistent cookies, which are stored and used beyond a session. As a result of the use of our websites, in combination with the overlaid cookie banner, you have given your approval that we be allowed to process your data over cookies, as explained below. The legal basis regarding the processing of your data is according to Art. 6 Sect. 1 p. 1 a) GDPR. If you should wish to exercise your right of revocation or objection, please proceed as explained below – regardless of the explanations in Item 11 g) and i):
a. Prevention of session cookies
You can exercise your right to reject cookies at any time. For this, regardless of the other possibilities to prevent cookies explained in the following, you can adjust your browser so that it does not accept any cookies or your approval is requested before the setting of a cookie. Please refer to the Help function of your browser for more details on this. If you do not accept any cookies, you possibly cannot use the complete bandwidth of the website functions.
b. Prevention of persistent cookies for range analysis
For us it is important to understand how our websites are used, in order to enable them to be improved and structured more attractively for visitors. Therefore we analyze how you use our websites, where we process cookie data with the use of an external service provider as described in the following. You can also find out how to prevent this from these descriptions.
Google Analytics cookies:
Our website uses Google Analytics, a web analysis service of Google Inc. (“Google”), which uses cookies for the analysis of the use of our websites by you.
The information about your use of these web pages generated by the cookie is transferred to a Google server in the USA and stored there. Before the transfer, in the European Union or the European Economic Region, your IP address is shortened by the last octet. In exceptional cases only the full IP address is transferred to a Google server in the USA and shortened there. Google will use this information on our request to evaluate your use of the web page, to compile reports about the website activities and to provide further services associated with the web page use and Internet use with respect to the LENLAKE Corporate Advisors. The IP address sent from your browser (shortened) by the use of Google Analytics is not combined with any other Google data.
You can prevent the recording of the data generated by the cookie and related to your use of the web pages (including your IP address) at Google, as well as the processing of this data by Google, where you download and install the browser plug-in available under the following external link:
http://tools.google.com/dlpage/gaoptout?hl=de
Please find more detailed information on conditions of use and data protection under the following external links: http://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/.
Please note that you leave the LENLAKE Corporate Advisors websites through these external links. No processing of the data involved occurs with us.

9. Recipients or categories of recipients of the personal data

The personal data is passed on to the following recipients:
• Public agencies to which the data must be sent due to legal stipulations (e.g. financial authorities, supervisory authorities)
• Internal agencies which participate in the implementation of the respective tasks (basically: Marketing, IT & Security)
• External contractors (service enterprises, such as Lettershop, IT service provider etc.), which become active for LENLAKE Corporate Advisors on instruction and which we have placed under obligation according to Art. 28 GDPR
• Further external agencies, insofar as the data subject has declared consent in writing or a transfer is admissible as a result of predominating authorized interests.

10. Transfer of personal data to third countries

Basically we do not send personal data which we record over these web pages to countries outside of the European Union or the European Economic Area (third countries). If data is transferred to third countries because this is required for the contract performance, or transferred within the LENLAKE Corporate Advisors for internal communication or administration, or due to the headquarters of a service provider being sited in a third country, this is always implemented after detailed testing and evaluation by our Data Protection Officer. It is then implemented only if an adequate data protection level exists with the agency in the third country or suitable guarantees exist to ensure an adequate level of data protection (Art. 45 ff. GDPR) or if neither a decision regarding appropriateness nor suitable guarantees are required (Art. 49 Sect. 1 Subsect. 1 GDPR). Provided that, and insofar as, you wish to be provided with further information about the guarantees on an individual basis, please feel free to refer to our Data Protection Officer designated under Item 2.

11. Your rights with respect to data processing

You have the following rights with respect to us as explained below, from Art. 15 to 21 GDPR, as well as the right to revocation of your consent at any time and the right to lodge a complaint with the supervisory authority. You can exercise your rights form-free with respect to us either directly with the contact data designated under Item 1 or with the consultation of our Data Protection Officer, whose contact data you can find under Item 2.
a. Right to information (Art. 15 GDPR)
You have the right to demand confirmation from us as to whether and which personal data are processed related to your person and, with respect to this data, information in particular about the objectives and the legal basis related to the processing (Item 6, 7 and 8), the categories of the data that we process (Item 3), the categories of recipients (Item 9) and our intent to send the data to recipients in a third country (Item 10). The information furthermore includes information about the origin of the data, provided that it was not recorded by you yourself. You have furthermore the right to demand a copy of the personal data which is subject to processing, insofar as the rights and freedoms of other persons with respect to their personal data are not infringed by this.
b. Right to correction (Art. 16 GDPR)
You have the right to demand from us the immediate correction of incorrect personal data referring to you. You have furthermore the right, considering the objectives of the processing, to demand the completion of incomplete personal data – also by means of an extended declaration.
c. Right to deletion (Art. 17 GDPR)
You have the right to demand the immediate deletion of your personal data from us if there exists one of the following grounds and none of the exceptions explained below are relevant:
• The data processed by you is no longer necessary for the objectives outlined in this data protection declaration
• You have revoked your given consent (see also Item 11. i)) and we do not have any other legal grounds for the processing of your data
• The data was processed illegally, or
• The deletion is required for compliance with a legal obligation according to Union or member state law which applies to us.
• You have lodged an objection to the processing of your data with us (see also Item 11. g)) and we do not have any overriding legitimate interests for the processing of your data.
However, your desire for deletion must not, and may not, be complied with where one of the following justifications applies:
• The processing is required for the exercise of the right to free opinion and information,
• The processing is required in order to fulfill a legal obligation affecting us, according to the law of the European Union or a member state (e.g. legal obligations to preserve account records for a specified period),
• The processing is required for the establishment, exercise or defense of legal claims, or
• The processing is required for reasons of public interest in the area of public health.
d. Right to restriction of the processing (Art. 18 GDPR)
You have the right to demand the restriction of the processing of your personal data by us. You are entitled to this right in particular if one of the following grounds exists:
• You dispute the correctness of your data,
• The processing of the data is illegal and you refuse the deletion of the data,
• We do not require your data any longer, however, you still require it for the establishment, exercise or defense of legal claims, or
• You have objected to the processing (see also Item 11 g)) and we check further whether our legitimate interest outweighs your legitimate interest in the processing of the objection.
e. Right to instruction (Art. 19 GDPR)
If you have exercised the right to correction, deletion or restriction of the processing with respect to us, we are obliged to inform all recipients, to whom the personal data concerning you was disclosed, of this correction or deletion of the data or the restriction of the processing, unless this proves impossible or is associated with a disproportionate effort. You have also the right with respect to us to be instructed of these recipients.
f. Right to data transferability (Art. 20 GDPR)
You have the right to be provided with the personal data concerning you in a structured, standardized and machine-readable format, and to send this data to another controller, or to have it sent by us, insofar as you have provided this data to us based on consent or due to a contract, and the data is processed with the aid of an automated process. You have the right to have the data sent by us directly to the new controllers, provided this is technically feasible and the rights and freedoms of other persons are not infringed.
g. Right of objection (Art. 21 GDPR)
You have the right at any time, for reasons which result from your special situation, to make an objection at any time to the processing of personal data concerning you, insofar as the processing of this data is required for the protection of the legitimate interests of LENLAKE Corporate Advisors or a third party, or for the implementation of a task that is in the public interest.
You can object to the processing of your data for advertising objectives at any time for the future. We will certainly proceed according to your request. However, please note that we cannot exclude the case where, on an individual basis, we are no longer capable of recalling a possible advertising resource if your objection should reach us at a time when this advertising resource was already activated irrevocably by us. In such a case, however, we will of course exclude the use of any future advertising resource.
h. Right to complaint with a supervisory authority (Art. 77 GDPR)
In addition, you can submit a complaint at any time with the responsible data protection authority, for example at your place of residence, your workplace or at the location of the probable violation.
The following data protection authority is responsible for LENLAKE Corporate Advisors:
Bavarian State Office for Data Protection Supervision
Promenade 27
91522 Ansbach
Germany
https://www.lda.bayern.de
i. Right to the revocation of consent
Provided that, and insofar as, you have given a consent declaration for the processing of your data with respect to us, you have the right to revoke this consent at any time for the future. The legitimacy of the processing implemented due to the consent up to the time of the revocation is not affected by the revocation, rather the revocation can affect only the legitimacy of future processing.

12. No obligation on your part to provide data
No legal obligation exists whereby you would be obliged to provide your personal data to us.
Should you, e.g. technically, prevent that we receive data which is required for the use of our website, it is possible that you will not be able to use our services or use them to a limited extent only.
The appropriation of personal data, within the framework of the ordering of publications, information material and press releases, is implemented voluntarily and is not prescribed either contractually or legally. A non-appropriation of the required data can result in our not being able to send you any publications, any information material or any press releases.
The appropriation of your data, within the framework of establishing contact with us over our contact form, or the establishing of contact with one of our experts, is also voluntary. Without the required specifications, in particular a contact possibility, however, it is not possible for us to address your concern.

13. Automated decisions, including profiling, as specified by Art. 22 GDPR

Your personal data is not used for automated decision-making, including profiling, in accordance with Art. 22 Para. 1 and 4 GDPR. Insofar as this data is used, we make special reference here to the logic, as well as the range and targeted effects, of such processing for the person concerned.

14. Data protection

We take technical and organizational security measures to protect your personal data against unintentional or illegal deletion, change or against loss, as well as inadmissible forwarding or inadmissible access.

15. Status and future adjustments of this data protection declaration

This data protection declaration corresponds to the calendar date designated below. The right to an adjustment of this data protection declaration remains reserved. We therefore request that you inspect the data protection declaration continuously, so that you can be informed of any possible changes.
Status: March 2019