1. preamble

Below we inform you about the details of data protection when visiting our website.

The use of our website is generally possible without providing personal data.

Insofar as personal data is collected when you visit our website, we process it exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TDDDG).

The processing of personal data takes place exclusively in accordance with this privacy policy.
This privacy policy applies to the use of the website at the address notar-steinmetz.de. For linked content from other providers, the data protection declaration on the linked website is authoritative.

We would like to point out that security gaps can occur during data transmission via the Internet, which cannot be prevented by the technical design of this website. Complete protection of personal data is not possible when using the Internet.

2. responsible body, Art. 13 para. 1 lit. a GDPR

is responsible for the processing of personal data in the context of the use of this website:

Notary Dr. Wenzel Steinmetz
Karolinenstraße 15-19
90402 Nuremberg
Phone: +49 (0)911/20 58 20
E-mail: info@notar-steinmetz.de

3. data protection officer

Our data protection officer is:
Mr. Dipl.-Inform. Olaf Tenti
GDI Gesellschaft für Datenschutz und Informationssicherheit mbH
Körnerstraße 45
58095 Hagen (NRW)
Phone: +49 (0)2331/356832-0
E-mail: datenschutz@gdi-mbh.eu
Internet: www.gdi-mbh.eu

4. hosting

Our website is operated on servers of 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabauer (hoster).

We have concluded an order processing contract with 1&1 IONOS SE.

When you visit our website, data is automatically collected and stored in log files on our host’s server. This data may have a personal reference. The data collected includes

• IP address of the requesting computer (in anonymized form)
• Date and time of access to our website
• Name and URL of the requested page of our website
• URL from which the page was requested or the desired action was initiated
• Amount of data transferred
• Access log
• Browser types and versions used
• the operating system of the requesting computer (referrer)

The hoster uses the collected data to ensure the trouble-free operation of the website as well as to ensure IT security and to improve our offer. If there are concrete indications, the log data may be subsequently analyzed. The temporary storage of the IP address by the hoster is necessary to enable the website to be delivered to the user’s computer. For this purpose, your IP address must remain stored for the duration of the session.

This data is not merged with other data sources.

The legal basis for data collection is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest in data collection arises from the aforementioned purposes.

The data is deleted by the host as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this technical information is deleted or made unrecognizable after eight weeks at the latest.

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, you do not have the option to object.

5. cookies

In addition to the aforementioned data, cookies are used on your computer when you use and visit our website.

When you visit our website for the first time, you will be asked whether you consent to the use of cookies and, if so, which categories you consent to.

Cookies are small text files that are stored by your browser on your end device to store certain information. Furthermore, these cookies are used to make the use of our website more pleasant and convenient for you or for analytical purposes.

Some of the cookies we use are so-called “session cookies”. They are used to make the services of our website technically available to you. After your visit, these cookies are automatically deleted by your browser.

Other cookies remain on your computer and enable us to recognize your end device on your next visit (so-called persistent or permanent cookies).

The next time you visit our website with the same end device, the information stored in cookies will be read either by our website (“first party cookie”) or by another website to which the cookie belongs (“third party cookie”).

These cookies are automatically deleted from your system after a preset period of time, which differs depending on the cookie.

Through the stored and returned information, the respective website recognizes that you have already accessed and visited it with the browser of your end device.

We use this information to optimize the design and display of the website according to your preferences. Only the cookie itself is identified on your end device.

Any further storage of personal data will only take place with your express consent or if this is absolutely necessary in order to be able to use the service offered and accessed by you accordingly.

This website uses the following types of cookies, the scope and function of which are explained below:

• Essential cookies: Essential cookies guarantee functions without which you cannot use our websites as intended. These cookies are used exclusively by us and serve, for example, to ensure that you, as a registered user, always remain logged in when accessing various subpages of our website and thus do not have to re-enter your login data each time you access a new page. The legal basis for their use is our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR.
• Functional cookies: Enable our website to store information you have already provided and to offer you improved functions based on this. The legal basis for the use of these cookies is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.
• Marketing or tracking cookies: These cookies are used to collect information about the websites visited by the user, to create targeted and more effective advertising for the user and to enable us to identify the interests of website visitors in order to make our website even more interesting in the future.

Marketing and/or tracking cookies are only set with your active consent.
The legal basis for data processing here is Art. 6 para. 1 sentence 1 lit. a GDPR.

Opt-out for marketing cookies

You can also manage cookies used for online advertising via the tools developed in many countries as part of self-regulatory programs, such as the US-based https://www.aboutads.info/choices/ or the EU-based https://www.youronlinechoices.com/de/praferenzmanagement/.

You can revoke this consent to cookies at any time with effect for the future in the Consent Manager.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, e.g. third-party cookies (cookies that are set by a third party, i.e. not by the actual website on which you are currently located), exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. You can use your web browser to delete stored cookies at any time.

You have the option of deactivating cookies in your browser at any time.

If cookies are deactivated, however, the functionality of this website may be restricted.

Deleting cookies

Cookies are stored on your end device until you delete them, which you can do at any time. Furthermore, expired cookies are automatically deleted by your browser if you have configured your browser accordingly. Expired cookies are no longer sent to our servers by your browser and can therefore no longer be used by us.

Here you will find information on how to delete cookies in your browser and manage the cookie settings for the most common browsers:

Desktop PC / Laptop

• Microsoft Edge
• Mozilla Firefox
• Apple Safari
• Google Chrome

Mobile devices

• Google Chrome (Android)
• Google Chrome (iOS)
• Apple Safari (iOS)
• Samsung Internet (Android)
• Mozilla Firefox (Android)

If you have not made or do not make any different settings, cookies that enable or ensure the necessary technical functions remain on your end device until you close the browser; other cookies may remain on your end device for longer (maximum 6 months).

To safeguard your privacy, you should regularly check the cookies on your end device and your browser history and delete them yourself.

We also use local storage and session storage technology (also known as “local data”, “local storage” and “session storage”), i.e. we use the storage capacity of your browser.

With local storage, data is stored locally in the cache of your browser, which continues to exist and can be read even after closing the browser window or exiting the program if you do not actively delete the cache.

Local Storage makes it possible for your preferences to be stored on your computer and used by you when you use our websites.

The function of Session Storage corresponds to the Local Storage described above, except that the corresponding data is automatically removed from the cache of your browser immediately after closing the browser (“session”).

Third parties cannot access the data stored in Local Storage or Session Storage. They are not passed on to third parties and are not used for advertising purposes. In particular, this technology is used to present our content to you in an appealing graphic display (e.g. pop-up windows, etc.) and to personalize our offer and navigation on our pages for you.

The data is not merged with other data (e.g. information from tracking tools, which is also stored separately in local storage).

Certain information and entries are also stored in local storage for transmission and evaluation by the tracking tools. This data is only used to analyze and evaluate the surfing behavior of visitors. The data stored in Local Storage is not used for advertising purposes.

Insofar as the use of this technology is necessary for the operation of the website, the processing is based on our legitimate interest in being able to provide you with an attractive, fully functional offer, on the basis of Article 6 para. 1 sentence 1 lit. f GDPR, otherwise on the basis of your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

6. SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties (end-to-end encryption). The protocols authenticate the communication partner and ensure the integrity of the transmitted data.

7. borlabs (Cookie Consent Tool)

On our website, we use the cookie consent technology of Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg (hereinafter referred to as Borlabs).

Borlabs Cookie is a plugin for WordPress and makes it possible to obtain your consent to the storage of certain cookies in your browser and to document this in compliance with data protection regulations.

When you enter our website, a technically necessary Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not passed on to the provider of Borlabs Cookie.

The data collected will be stored until you ask us to delete it or delete the Borlabs cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. Details on data processing by Borlabs Cookie can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/

This data processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our legitimate interest in providing a cookie consent management service for website visitors.

Further information on Borlabs’ data protection can be found here: https://de.borlabs.io/datenschutz/.

8. storage duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the deletion will take place after these reasons no longer apply.

9. contact options (form / e-mail)

You can contact us by e-mail or using the contact form on our website.

In this context, your details from the form and/or from the e-mail, including the contact details you provide there, will be stored and processed by us for the purpose of processing the request and in the event of follow-up questions. This data (e.g. name, address, telephone number, e-mail address) will not be passed on to third parties without your consent.

The data is not merged with other data collected on this website.

The data may be stored as part of the notarial activity, provided that an appointment or commissioning has taken place.

The contact form is sent encrypted using TLS technology. The encryption serves to prevent unauthorized access to your personal data by third parties.

This data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 sentence 1 lit. f GDPR).

We will retain the data you provide on the contact form or in the email until you request its deletion, object to its processing or the purpose for its storage no longer pertains (e.g. after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

10. use of YouTube components with extended data protection mode

We use videos from the “YouTube” video portal of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: “Google”) on our website. The ” – extended data protection mode – ” option provided by YouTube is activated.

The YouTube videos are accessed by clicking on them separately. This means that only the data required to display the videos – i.e. the information about which of our pages you are visiting – is transmitted to the service provider. If you are logged in to YouTube during your visit to our website, the information transmitted will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.

When you access a page with a video embedded from YouTube, a connection to the YouTube servers is established in order to display the content (i.e. the video) on our site by sending a message to your browser.

The legal basis for the use of YouTube is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, insofar as you have given us your consent to this when you first access the site.

For the transfer of personal data, we have concluded an order processing contract with Google with EU standard data protection clauses in accordance with Art. 46 GDPR. Google has undertaken to comply with the standard contractual clauses for the transfer of personal data to third countries in accordance with Directive 95/46/EC (Standard Contractual Clauses – SCC).

Furthermore, the provider has joined the EU-US Data Privacy Framework for data transfers to the USA, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

Further information on data protection from YouTube is provided by Google at the following link: https://www.google.de/intl/de/policies/privacy/

11 Google

11.1 Google Maps

On this website we use the “Google Maps” service, operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you have your registered office or place of residence in the EU, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google Maps is integrated on the website via the Google API in order to visualize location information and display it in the form of a map. The files required for this purpose are requested via the Google domains maps.googleapis.com, maps.gstatic.com, fonts.googleapis.com and/or fonts.gstatic.com.

Gstatic is a domain used by Google to load static content into a different domain name to reduce bandwidth usage and increase network performance for the end user.

The processing of the IP address by Google Maps is technically necessary to display the map. With regard to the other web services integrated via Google Apis, the regulations in the respective section of this data protection declaration for Google Apis apply.

The legal basis for the use of Google Maps is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, insofar as you have given us your consent to this when you first access the site.

By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition

• the IP address,
• Date and time of the request,
• Time zone difference to Greenwich Mean Time (GMT),
• Content of the request (specific page),
• Access status/HTTP status code,
• the amount of data transferred,
• the website from which the request originates (so-called referrer),
• Type and version of the browser used together with the language version used and
• Type and version of the operating system and the interface used

transmitted. This information (including your IP address) is transmitted directly from your browser to a Google server in the USA and stored there.

For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

The transmission takes place regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your Google profile, you must log out of your Google profile before using our website. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

You can revoke your consent to data processing and transmission at any time without giving reasons by deleting the cookies in your browser or in the Consent Manager.

The legality of data processing that has already taken place is not affected by the withdrawal of consent.

We have concluded a joint processing agreement with Google with regard to Google Maps. You can find the content at https://privacy.google.com/intl/de/businesses/mapscontrollerterms/.

Further information on the purpose and scope of data collection and its processing by Google can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy: http://www.google.de/intl/de/policies/privacy.

11.2 Google Fonts

By integrating “Google Maps”, “Google Fonts” are loaded, offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you have your registered office or place of residence in the EU, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

We have no influence on this.

The files required for this purpose may be requested via the Google domains fonts.googleapis.com, maps.gstatic.com, maps.googleapis.com and/or fonts.gstatic.com.

Gstatic is a domain used by Google to load static content into a different domain name to reduce bandwidth usage and increase network performance for the end user.

By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition

• the IP address,
• Date and time of the request,
• Time zone difference to Greenwich Mean Time (GMT),
• Content of the request (specific page),
• Access status/HTTP status code,
• the amount of data transferred,
• the website from which the request originates (so-called referrer),
• Type and version of the browser used together with the language version used and
• Type and version of the operating system and the interface used

transmitted directly from your browser to a Google server. According to its own information, Google does not store this information and only uses it to deliver the requested fonts and to recognize and, if necessary, ward off attacks on the IT system.

If you have given your consent for the aforementioned tools to be activated and for Google Fonts to be reloaded, the legal basis for data processing is this consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider’s privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy: https://policies.google.com/privacy?hl=de&gl=de

12. your rights and assertion of rights

You are entitled to the rights listed below. You can assert these claims against us. To assert your rights, please use the above data or contact us by e-mail at: info@notar-steinmetz.de

Information:
In accordance with Art. 15 GDPR, you have the right to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;

Correction:
In accordance with Art. 16 GDPR, you have the right to demand the immediate correction of incorrect or incomplete personal data stored by us;

Deletion:
In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;

Restriction of processing:
In accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;

Data portability:
In accordance with Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller;

Withdrawal of your consent:
In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent at any time. This means that we may no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Please send your revocation to the data given above or by e-mail to: info@notar-steinmetz.de

Right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object in connection with the use of information society services by means of automated procedures using technical specifications.

Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for entering into, or performance of, a contract between you and the controller, is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.

Complaint to a supervisory authority:
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at the registered office of our law firm.

13. links to third-party websites

We link to third-party websites on our website. These websites have their own data protection notices.

We have no influence on the content of these linked websites.

We are not responsible for these websites. However, we have selected them carefully.

If you click on such a link, you leave our domain and open the external website in your browser. Data, usually at least your IP address, is transmitted to the server of the linked website.

If we become aware of illegal content, e.g. through notification by third parties, we will remove the link immediately.

14. status of the data protection information

The constant development of the Internet makes it necessary to adapt our privacy policy from time to time. We reserve the right to make corresponding changes at any time.

Status: October 2025

The following information provides you as a client (m/f/d) with an overview of the processing of your personal data by us and your rights.

If you as our client are not a natural person, please forward this information to the persons whose personal data we process because they are our contact persons or are mentioned on documents such as invoices and deeds.

1. who is responsible for data processing and who can I contact?

The responsible body is

Notary Dr. Wenzel Steinmetz
Karolinenstrasse 15-19
90402 Nuremberg

Phone: 0911 20 58 20
E-mail: info@notar-steinmetz.de
www.notar-steinmetz.de

You can reach our data protection officer at

GDI Gesellschaft für Datenschutz und Informationssicherheit mbH
Mr. Dipl.-Inform. Olaf Tenti
Körnerstr. 45
58095 Hagen

Phone: +49 (0) 2331/356832-0
E-mail: datenschutz@gdi-mbh.eu

2. which sources and data do we use?

We process data that you transmit to us or that we have received from third parties, e.g. from lawyers, brokers or credit institutions commissioned by you, as part of the respective official act or with your permission. Furthermore, we also collect personal data from publicly accessible sources, e.g: Property data from the land registry, register data from the commercial register.

We also collect data from other sources, e.g. creditors. However, this is only done at your prior request and to process your specific request or to fulfill legal obligations or sovereign activities.

In particular, the following personal data and categories of data are processed for the purposes mentioned under point 3:

• Personal data (e.g.: Title, first name, surname, address, telephone number, e-mail address, nationality, registration numbers, marital status)
• Data on persons you represent (e.g.: Title, first name, surname, address, date of birth, place of birth, family relationship, nationality, marital status, registration numbers)
• Contents of declarations to be notarized
• Data on financial circumstances (e.g.: Property ownership, other rights to real estate, business interests, income, insurance, etc.).
• Data in connection with contracts (e.g.: for property purchase contracts, your tax identification number, if necessary information about your family situation or your financial situation or other sensitive data such as health data)
• Payment information such as bank details or data for internet-based payment services
• Legal relationships with third parties (e.g. file numbers, account or credit numbers, contracts)

We may also process special categories of personal data within the meaning of Art. 9 (1) GDPR on a case-by-case basis.

3. why do we process your data (purpose of processing) and on what legal basis?

In the following, we will inform you what we process your data for and on what legal basis.

3.1 IN THE CONTEXT OF PERFORMING A TASK ASSIGNED TO US, WHICH IS IN THE PUBLIC INTEREST OR IN THE EXERCISE OF PUBLIC AUTHORITY (ART. 6(1)(E) GDPR)

The processing of personal data is carried out for the performance of notarial activities in accordance with the official duties, in particular for the preparation of draft deeds, for the performance of consultations and notarization, for the execution of deed transactions and for the preparation of fee invoices, the processing of personal data is necessary for the performance of consultations.

3.2 due to legal requirements (art. 6 para. 1 lit. c GDPR)

We are subject to various legal obligations to carry out certain data processing (e.g.: the professional and procedural provisions applicable to notaries under the Federal Notarial Code and the Notarization Act).

3.3 IN THE FRAMEWORK OF INTEREST ASSESSMENT (Art. 6 para. 1 lit. F GDPR)

We may also use your data on the basis of a balancing of interests to protect our legitimate interests or those of third parties. This can be done in particular for the following purposes:

• Supporting our employees in client care
• Assertion of legal claims and defense in legal disputes
• Prevention and investigation of criminal offenses
• Ensuring IT security and IT operations

Our interest in the respective processing results from the respective purposes and is otherwise of an economic nature (efficient fulfillment of tasks, avoidance of legal risks). Where permitted by the specific purpose, we process your data in pseudonymized or anonymized form.

3.4 on the basis of your consent (art. 6 para. 1 lit. a GDPR)

If you have given us your consent to process personal data, the respective consent is the legal basis for the processing mentioned there. Consent can be withdrawn at any time. This also applies to the revocation of declarations of consent given before the GDPR came into force, i.e. before May 25, 2018. The revocation is only effective for the future. Processing that took place before the withdrawal is not affected. A revocation can be sent to the office named under point 1.

4. who receives my data?

Your data will only be passed on if a legal basis permits this. The data referred to in section 2 will be transmitted to public bodies if there is a legal obligation to do so or if you have given your consent to this transmission. Such public bodies may include, in particular, other notaries, the tax authorities, the registry courts, the land registry, the Central Register of Wills, the Central Register of Lasting Powers of Attorney and the Chamber of Notaries.

Data will only be transferred to private third parties to fulfill your specific request and only at your request.

Within our company, only those departments receive your data that need it to fulfill our contractual and legal obligations or to fulfill their respective tasks.

Furthermore, personal data may be passed on to IT service providers or similar for the purpose of order processing. This is necessary for the fulfillment of contractual obligations (see section 3). In addition, processors employed by us (Art. 28 GDPR), in particular in the area of IT services, notary software providers, web hosts and NotarNet GmbH, may process your data for us in accordance with our instructions.

5. how long is the data stored?

For notarial deeds and other documentation from notarial matters, the retention periods from the Service Regulations for Notaries (DONot) and in accordance with § 50 Para. 1 of the Ordinance on the Keeping of Notarial Files and Directories (NotAktVV) apply, namely:

• 100 years for the register of deeds, electronic collection of deeds, collection of inheritance contracts and special collection,
• 30 years for paper-based document collection, custody register and general files,
• 7 years for collective files for bill of exchange and cheque protests and ancillary files, whereby the notary may stipulate a longer retention period in writing at the latest when the content is last processed, e.g. in the case of dispositions upon death or in the event of a risk of recourse; the stipulation may also be made in general for individual types of legal transactions.

Furthermore, we are subject to various retention and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified there are two to ten years.

Finally, the storage period is also determined by the statutory limitation periods, which are generally three years in accordance with Sections 195 et seq. of the German Civil Code (BGB), for example. This applies to contractual and other data relating to the legal relationship between you and us.

6. is data transferred to a third country?

Your data will only be transferred to countries outside the European Economic Area – EEA (third countries) if and insofar as this is necessary for the execution of the contractual relationship or required by law (e.g. accounting, administration) or if you have given us your consent.

Insofar as we use software from providers based in third countries or software from providers with subcontractors / service providers in third countries to carry out notarial activities, your data or parts of your data may be transferred to third countries (e.g. the USA), depending on the purpose of processing.

An adequacy decision within the meaning of Art. 45 para. 3 GDPR exists for the USA. As a result, personal data can now be transferred from the EU to companies and organizations in the USA that have certified themselves for the EU-U.S. Data Privacy Framework without the need for further protective measures. This adequacy decision thus serves as the basis for the transfer of data to the service providers we use in the USA.

If there is no adequacy decision within the meaning of Art. 45 para. 3 GDPR or the company or organization in the USA has not certified itself for the EU-U.S. Data Privacy Framework, we conclude standard data protection clauses issued by the EU Commission within the meaning of Art. 46 para. 2 lit. c GDPR with the respective service providers/providers to protect your data. Furthermore, some of our service providers have implemented binding corporate rules (BCR) within the meaning of Art. 47 GDPR for their group of companies or the same group of companies, which have been approved by the respective competent supervisory authority.

7. what other data protection rights do i have?

You have the right to information (Art. 15 GDPR, Section 34 Federal Data Protection Act – BDSG), to rectification (Art. 16 GDPR), to erasure (Art. 17 GDPR, Section 35 BDSG), to restriction of processing (Art. 18 GDPR), to object (Art. 21 GDPR) and to data portability (Art. 20 GDPR) under the respective legal requirements. 20 GDPR).

The above rights only apply insofar as they do not conflict with the notarial confidentiality obligation pursuant to Section 18 BNotO (see Section 29 (1) sentence 2 BDSG).

You also have the right to lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR, Section 19 BDSG).

8. to what extent is there automated decision-making in individual cases?

We do not use automated decision-making in accordance with Art. 22 GDPR to carry out notarial activities. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

9. to what extent is my data used for profiling?

We do not process your data with the aim of evaluating certain personal aspects (so-called “profiling”).

10. Do I have an obligation to provide data?

You are not legally obliged to provide us with personal data. However, if you do not provide us with the data necessary for the execution of the official transaction and the requested notarial activity, as well as the data that we must collect and process for legal reasons during and after this activity, we will generally have to refuse to carry out the official transaction.

11. What rights of objection do I have? (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

The objection can be made informally and should preferably be addressed to the contact options listed under point 1.

INFORMATION ACCORDING TO ART. 13, 14, 21 OF THE GENERAL DATA PROTECTION REGULATION (GDPR)

The following information provides you as an applicant (m/f/d) with an overview of the processing of your personal data by us and your rights.

1. DATA CONTROLLER, CONTACT

Notary Dr. Wenzel Steinmetz
Karolinenstraße 15-19
90402 Nuremberg
info@notar-steinmetz.de

You can reach our data protection officer at

GDI Gesellschaft für Datenschutz und Informationssicherheit mbH Mr. Dipl.-Inform. Olaf Tenti
Körnerstr. 45, 58095 Hagen
Phone: +49 (0)2331/356832-0
datenschutz@gdi-mbh.eu

2. DATA USED AND ORIGIN
We process data that you transmit to us as part of your application. In particular, the following personal data and categories of data are processed for the purposes specified in Section 3:

• Personal data (first name, surname, address, marital status)
• Data on your qualifications (educational and professional qualifications, certificates, language skills, additional qualifications)
• Data on your curriculum vitae (type, start, end, place and duration of schooling, training, studies, further training and professional activities)
• Account details in the context of cost reimbursement, if applicable
• other documents submitted and the resulting information.

We may also process personal data about you that we have obtained from publicly accessible sources (e.g. information in social networks such as Xing or LinkedIn).

3. PURPOSE OF THE PROCESSING, LEGAL BASIS

3.1 ESTABLISHING THE CONTRACT
We process your data to decide on the establishment of an employment relationship with you. The legal basis for processing is therefore Art. 88 GDPR in conjunction with Section 26 para. 1 BDSG. § Section 26 (1) BDSG.
We only wish to assess all applicants on the basis of their qualifications and therefore ask you to refrain from providing information on racial and ethnic origin, political opinions, religious or ideological beliefs or trade union membership, genetic data, biometric data for the unique identification of a natural person, health data or data on sex life or sexual orientation in your application wherever possible.

3.2 YOUR CONSENT GIVEN
If you have given us your consent to process personal data, in particular to process any special categories of personal data you may have provided, the respective consent is the legal basis for the processing specified therein. This applies in particular to your possible consent to the further storage of the data in an applicant pool even in the event of the rejection of your current application in the event that a new need arises with us at a later date.

We process the data provided on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR or, in the case of special categories of personal data, Art. 9 para. 2 lit. a) GDPR. This consent can be revoked at any time with effect for the future. Processing that took place before the revocation is not affected by this.

You can address your revocation to the data protection officer named in Section 1.

3.3 REIMBURSEMENT OF COSTS
If we have promised to reimburse you for travel costs to a job interview or similar, we will process your account data to reimburse these costs. The legal basis is the fulfillment of our promise to reimburse costs within the meaning of Art. 6 para. 1 lit. b) GDPR.

4. TRANSFER OF DATA
Your data will only be transferred if a legal basis permits this. The data mentioned under point 2 will be transmitted to government agencies if there is a legal obligation to do so or if you have given your consent to this transmission. Such government agencies may include, in particular, the tax authorities, the customs administration, but also the trade supervisory authorities. Within our company, only those bodies will receive your data that need it to fulfill our contractual and legal obligations or to fulfill their respective tasks.
Furthermore, personal data may be transmitted for the purpose of order processing, in particular to IT service providers.

5. DURATION OF STORAGE / DELETION
We process your personal data for the selection of a suitable candidate for the position to be filled. The data will then be deleted, at the latest when no more civil law claims can be asserted against us, which may arise in particular from the General Equal Treatment Act. If we do not delete the data immediately, we will block the data.

6. TRANSFER OF DATA TO THIRD COUNTRIES
Your data will only be transferred to countries outside the European Economic Area – EEA (third countries) if and insofar as this is necessary for the execution of the contractual relationship or required by law (e.g. accounting, administration) or if you have given us your consent.

If we use software from providers based in third countries or software from providers with subcontractors/service providers in third countries to perform our contractual relationship, your data or parts of your data may be transferred to third countries (e.g. to the United States of America), depending on the purpose of processing.

We would like to point out that with the abolition of the EU-US Privacy Shield, there is currently no adequacy decision by the Commission for the United States within the meaning of Art. 45 (3) GDPR for an adequate level of data protection. We have therefore concluded standard data protection clauses within the meaning of Art. 46 para. 2 lit. c) GDPR with the service providers/providers we use to protect your data. Furthermore, some of our service providers have implemented binding corporate rules (BCR) approved by the competent supervisory authority for their internal companies within the meaning of Art. 47 GDPR.

7. EXISTING DATA PROTECTION RIGHTS
You have the right to information (Art. 15 GDPR, § 34 Federal Data Protection Act – BDSG), to rectification (Art. 16 GDPR), to erasure (Art. 17 GDPR, § 35 BDSG), to restriction of processing (Art. 18 GDPR), to objection (Art.21 GDPR) and to data portability (Art. 20 GDPR) under the respective legal requirements.
You also have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR, Section 19 BDSG).

8. DATA USE FOR PROFILING, AUTOMATED DECISION-MAKING
We do not process your data with the aim of evaluating certain personal aspects (so-called “profiling”).

9. OBLIGATION TO PROVIDE DATA
You are neither legally nor contractually obliged to provide personal data as part of the application process. We would like to point out that our ability to assess your skills and knowledge depends on the data you provide. If you do not provide any data, our assessment may not reflect your actual suitability for the position to be filled, which means that you may not be considered for employment.
As part of any recruitment process, we collect certain data that we need to fulfill the contract (e.g. to pay your salary) or that we are legally obliged to collect (e.g. social security data).

10. RIGHT TO OBJECT PURSUANT TO ART. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Art. 6 (1) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
The objection can be made in any form and should preferably be addressed to the contact options listed under point 1 .

Status: March 2024

The following information provides you as a participant (m/f/d) in our online events with an overview of the processing of your personal data and your rights.

1. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHO CAN I CONTACT?

The responsible party is the
Notary Dr. Wenzel Steinmetz
Karolinenstrasse 15-19
90402 Nuremberg

Phone: 0911 20 58 20
E-mail: info@notar-steinmetz.de
www.notar-steinmetz.de

You can reach our data protection officer at

GDI Gesellschaft für Datenschutz und Informationssicherheit mbH
Mr. Dipl.-Inform. Olaf Tenti
Körnerstr. 45, 58095 Hagen

Phone: +49 (0) 2331/356832-0
E-mail: datenschutz@gdi-mbh.eu

2. WHICH SOURCES AND DATA DO WE USE?

We process data that you provide to us or that we have received from third parties under existing contracts or with your permission.

In particular, the following personal data and categories of data are processed for the purposes mentioned in section 3:

• Data about you as a user:
  First name, last name, or the selected display name, company, address, telephone number, e-mail address, optional: your profile picture
• Data on the event:
  Desired online event: online training, online meeting or video conference, date, time, meeting ID, telephone numbers, location
• Participation data for the relevant event:
  Text, audio and video data
  It may be possible to use the chat function in an “online meeting”. In this respect, the text entries made there are processed in order to display them in the “online meeting”. In order to enable the display of video and the playback of audio, the data from the microphone of the end device and from any video camera of the end device are processed accordingly for the duration of the meeting. The camera or microphone can be switched off or muted by the user at any time.
• Device/hardware data:
  IP address, MAC address, client version.

3. WHY DO WE PROCESS YOUR DATA (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS?

In the following, we will inform you about the purposes for which we process your data and the legal basis on which we do so.

3.1 FOR THE FULFILLMENT OF CONTRACTUAL OBLIGATIONS (ART. 6 PARA. 1 LIT. B GDPR)

If you yourself are our employee or customer and wish to participate in one of the events listed under no. 2, the processing of personal data is carried out to fulfill the contract concluded with you and is also necessary for this purpose.

3.2 AS PART OF THE BALANCING OF INTERESTS (ART. 6 PARA. 1 LIT. F GDPR)

If your employer is our customer and has registered you for the training or had you registered, we process your data on the basis of a balancing of interests. We have a legitimate interest in the processing in order to be able to fulfill the contract with your employer and only process the data necessary for this (see above under 3.1.).

We may also use your data on the basis of a balancing of interests to protect other legitimate interests of ours or of third parties. This can be done in particular for the following purposes:

• General business management,
• Assertion of legal claims and defense in legal disputes,
• Prevention and investigation of criminal offenses,
• Ensuring IT security and IT operations,
• Fulfillment of contracts with your employer in which you are involved due to your position and tasks.

Our interest in the respective processing arises from the respective purposes and is otherwise of an economic nature (efficient fulfillment of tasks, avoidance of legal risks).

3.3 ON THE BASIS OF YOUR CONSENT (ART. 6 PARA. 1 LIT. A GDPR)

If you have given us your consent to the processing of personal data (e.g. for the recording of the event), the respective consent is the legal basis for the processing mentioned there.

Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were issued before the GDPR came into force, i.e. before May 25, 2018. The revocation is only effective for the future. Processing that took place before the withdrawal is not affected. A revocation can be sent to the office named under point 1.

4. WHO RECEIVES MY DATA?

Your data will only be passed on if a legal basis permits this. The data referred to in section 2 will be transmitted to public bodies if there is a legal obligation to do so or if you have given your consent to this transmission. Such public bodies can be, in particular, the tax authorities, the customs administration, but also the trade supervisory authorities.

Within our company, those departments receive your data that need it to fulfill our contractual and legal obligations or to fulfill their respective tasks.

Within the aforementioned limits, we reserve the right to involve third-party service providers who act on our behalf and according to our instructions (processors) in the context of the provision of services. These service providers may receive personal data or come into contact with personal data as part of the provision of services and constitute third parties or recipients within the meaning of the GDPR. In such a case, we ensure that our service providers provide sufficient guarantees that appropriate technical and organizational measures are in place and that processing operations are carried out in such a way that they comply with the requirements of the GDPR and ensure the protection of the rights of the data subject (see Art. 28 GDPR).

One such processor is, for example, the

Webex:
Cisco Systems, Inc.
Corporate Headquarters
170 West Tasman Dr.
San Jose, CA 95134
USA
https://www.webex.com

Microsoft Teams:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
https://www.microsoft.com

Zoom:
Zoom Video Communications
55 Almaden Blvd, Suite 600
San Jose, California (95113)
USA
https://www.zoom.us

GoToMeeting / GoToWebinar:
GoTo Technologies Ireland Unlimited Company
The Reflector
10 Hanover Quay
Dublin 2, D02R573
Ireland
https://www.goto.com

Jitsi:
Open source software
https://jitsi.org

5. HOW LONG IS THE DATA STORED?

We will retain your personal data for as long as necessary to fulfill the purposes for which it was collected.

Provided there are no further retention obligations, the aforementioned data will be routinely deleted once the purpose has been achieved, insofar as this is possible for the system. Otherwise, the personal reference is removed by anonymization and access to your data is blocked.

In addition, we are subject to various retention and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified there are two to ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.

6. IS DATA TRANSFERRED TO A THIRD COUNTRY?

We use software from providers based in third countries and/or software from providers with subcontractors/service providers in third countries to organize and conduct online events.

It cannot be ruled out that your data or parts of your data may be transferred to third countries (e.g. the USA).

Insofar as personal data is transferred to third parties and/or recipients outside of commissioned processing, we ensure that this only takes place in accordance with the legal requirements and only if there is a corresponding legal basis or any necessary consent.

An adequacy decision within the meaning of Art. 45 para. 3 GDPR exists for the USA. As a result, personal data can now be transferred from the EU to companies and organizations in the USA that have certified themselves for the EU-U.S. Data Privacy Framework without the need for further protective measures. This adequacy decision thus serves as the basis for the transfer of data to the service providers we use in the USA.

If there is no adequacy decision within the meaning of Art. 45 para. 3 GDPR or the company or organization in the USA has not certified itself for the EU-U.S. Data Privacy Framework, we conclude standard data protection clauses issued by the EU Commission within the meaning of Art. 46 para. 2 lit. c GDPR with the respective service providers/providers to protect your data. Furthermore, some of our service providers have implemented binding corporate rules (BCR) within the meaning of Art. 47 GDPR for their group of companies or the same group of companies, which have been approved by the respective competent supervisory authority.

Webex has binding corporate rules for the protection of personal data (Binding Corporate Rules), which have been approved by European data protection authorities. In addition, Cisco Systems, Inc. has certified itself for the EU-U.S. Data Privacy Framework.

You can find further information on data protection from Cisco here:
https://www.cisco.com/c/de_de/about/legal/privacy-full.html

We have concluded the standard contractual clauses of the European Union with Microsoft. Furthermore, Microsoft has certified itself for the EU-U.S. Data Privacy Framework.

You can find further information on data protection from Microsoft here:
https://privacy.microsoft.com/de-de/privacystatement
https://www.microsoft.com/de-de/trust-center

Microsoft Teams: When using the chat function: The chat content is logged when using Microsoft Teams. Files that users share in chats are saved in the OneDrive for Business account of the user who shared the file. The files that team members share in a channel are saved on the team’s SharePoint site.

The standard contractual clauses of the European Commission were concluded with Zoom.

You can find further information on data protection at Zoom Video Communications here:
https://zoom.us/de-de/privacy.html#_Toc44414845

7. WHAT OTHER DATA PROTECTION RIGHTS DO I HAVE?

Under the respective legal requirements, you have the right to information (Art. 15 GDPR, § 34 Federal Data Protection Act (BDSG) in the version valid from 25.05.2018), to rectification (Art. 16 GDPR), to erasure (Art. 17 GDPR, § 35 BDSG), to restriction of processing (Art. 18 GDPR) and to data portability (Art. 20 GDPR).

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR, Section 19 BDSG).

8. DO I HAVE AN OBLIGATION TO PROVIDE DATA?

You are not legally obliged to provide us with personal data. However, if you do not provide us with the data required for the registration and implementation of the online event or do not provide it, you will not be able to participate in the respective online event.

It may then also not be possible to conclude or execute a contract.

9. TO WHAT EXTENT IS THERE AUTOMATED DECISION-MAKING IN INDIVIDUAL CASES?

We do not use automated decision-making in accordance with Art. 22 GDPR to carry out online events. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

10. to what extent is my data used for profiling?

We do not process your data with the aim of evaluating certain personal aspects (so-called “profiling”).

11. WHAT RIGHTS OF OBJECTION DO I HAVE? (ART. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

The objection can be made informally and should preferably be addressed to the contact options listed under point 1.

Status: October 2025