The generic masculine form is used in the text below. This refers equally to male, female, and diverse individuals
As a law firm and as the operator of our law firm’s websites, we take the protection of your personal data very seriously. We process personal data collected in the context of the client relationship, when establishing a client relationship, and when visiting our websites in compliance with applicable data protection regulations. We will neither publish your data nor disclose it to third parties without authorization.
The subject matter of data protection is personal data. This refers to information relating to an identified or identifiable natural person. Unless otherwise apparent from this document or other circumstances, we are not in a position to identify you. To the extent that we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures. To the extent that the processing of personal data is necessary to comply with a legal obligation to which our company is subject, Article 6(1)(c) of the GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the aforementioned interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing.
The data subject’s personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies. Storage may also take place if this is provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a retention period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
Below, we outline the circumstances and provide an overview of the processing of personal data by our law firm when handling client matters.
We process personal data that we receive from our clients or other clients in the course of our business relationship. Furthermore, we process - if and to the extent necessary for the provision of our legal services -personal data that we have lawfully received from third parties (e.g., for the execution of orders, the fulfillment of contracts, or based on consent you have provided). This includes, for example, opposing parties, insurance companies (including legal expense insurers), courts (including court offices), and other administrative bodies.
Furthermore, we process personal data that we are permitted to obtain and process from publicly accessible sources (e.g., debtor directories, land registers, commercial and association registers, the press, media, the Internet; registries (e.g., DPMA)) and are permitted to process, or that are transmitted to us by third parties (e.g., opposing parties, authorities, insurers, hospitals, attorneys) in the course of our legal representation via legal correspondence.
Personal data collected during the creation of a client file, in the course of the engagement, and during its execution may include:
Name, company name, address/other contact details (phone, fax, email address, SAFE-ID), date/place of birth, gender, nationality, marital status, legal capacity, housing status (rental/ownership), social security data, health data (including data relevant under social security law), account details, payment transaction data, life and pension insurance data, employment, disability, and long-term care insurance data, private and public health insurance data, insurance numbers, information from correspondence with third parties.
When using digital processes to carry out legal services, e.g., through electronic correspondence with legal expense insurers, other insurers, hospitals, or government agencies, this may constitute data processing on behalf of a client, for which we enter into data processing agreements with the data processors.
Unless you object, we may occasionally use your contact information to inform you about relevant legal developments, changes in case law, professional events, or via newsletters. We may also refer to our collaboration or completed projects in a de-identified form in press releases or professional publications, provided that no confidentiality obligations or your consent preclude this.
We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
Personal data is processed for the purpose of providing and handling (including billing) legal services in connection with the performance of our contracts with our clients or for the purpose of taking pre-contractual measures in response to your inquiry. The processing of third-party personal data may also take place for the provision and handling of legal services within the scope of the respective service agreement, to the extent that such data is necessarily involved in the service agreement, e.g., personal data of other attorneys, experts, witnesses, contacts at third-party companies or government agencies, etc. The processing of third-party personal data is also carried out for the purpose of establishing and managing contractual relationships with such third parties—typically service providers or contractual partners from whom we procure resources or whose services we utilize to conduct and maintain our legal practice—exclusively for the purpose of initiating, establishing, or managing the relevant contractual relationship.
To the extent necessary, we process your data beyond the actual performance of the contract to safeguard our legitimate interests or those of third parties. Examples:
As part of the engagement process, we conduct checks to avoid conflicts of interest and perform a comparison with relevant sanctions lists. This serves to comply with professional and legal requirements and, ultimately, to ensure your security as a client.
To the extent that you have given us consent to process personal data for specific purposes (e.g., disclosure of data to legal expense insurers, other insurers, hospitals, government agencies), the lawfulness of this processing is based on your consent. You may revoke any consent you have given at any time. You may also revoke declarations of consent that were given to us prior to the entry into force of the EU GDPR, i.e., before May 25, 2018. However, such a revocation applies exclusively to the future for. This means that the lawfulness of data processing that took place prior to such a revocation remains unaffected by the revocation.
In addition, as a consulting firm, we may be subject to legal obligations (e.g., the Money Laundering Act or tax laws). The purposes of processing therefore also include any monitoring and reporting obligations to the extent required and mandated by law.
Within our law firm, all departments that are necessarily entrusted with the fulfillment of contractual and legal obligations and come into contact with such data have access to your data. Consequently, such data may also be processed by service providers or our vicarious agents if and to the extent that this satisfies the legal requirements for such processing and such processing is necessary.
When disclosing data to recipients outside our law firm, it should be noted that, as attorneys, we are bound by confidentiality regarding all engagement-related information and assessments within the scope of the attorney-client agreement of which we become aware. Such confidential information is therefore subject to special legal protection. We will only disclose such information to the extent necessary if required by law, if you have provided valid consent, or if processors commissioned by us guarantee compliance with attorney-client confidentiality as well as the requirements of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
To fulfill our legal and administrative obligations, we transfer your personal data to the following recipients in addition to the categories already mentioned:
Other data recipients may be those entities for which you have given your legally effective consent to the transfer of data in individual cases or for which you have released us from the obligation to maintain attorney-client confidentiality in accordance with the agreement or consent.
dd. Will data be transferred to a third country or to an international organization?
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) in exceptional cases, insofar as this is absolutely necessary in individual cases for the execution of the legal assignment due to a foreign reference and you have given us legally effective consent or insofar as there is another legal justification, such as an appropriateness decision for the target country.
In the course of our work, it may be necessary to process personal data of third parties (such as witnesses, court personnel, opposing parties, or their representatives) to the extent that this is necessary for handling the specific case or required by law.
Data transfers to countries outside the EU or the EEA (so-called third countries) take place only in exceptional cases, to the extent that this is absolutely necessary in individual cases to carry out the legal mandate due to a foreign connection and you have provided us with legally valid consent, or to the extent that another legal justification exists, such as an adequacy decision for the destination country. To the extent that personal data is transferred to countries outside the EU/EEA and no adequacy decision exists, this is done on the basis of appropriate safeguards, in particular EU Standard Data Protection Clauses concluded with the recipient.
We use Hetzner Online GmbH, Industriestr. 25, D-91710 Gunzenhausen, Tel: +49(0)9831 505-0, Fax: +49(0)9831 505-3, Email: infohetzner.com, Web: https://www.hetzner.com/, within the framework of commissioned data processing, i.e., this company acts on our behalf to technically deliver the website to you. We remain the responsible party vis-à-vis you, so we will continue to refer to ourselves as “we” below, even though Hetzner Online GmbH handles this technically on our behalf.
When you visit our website, we receive your full IP address from your computer. Only with this IP address can we transmit the data from our website to you so that the website is displayed (Art. 6(1)(b) and (f) GDPR). The temporary storage of the IP address by the system is necessary to enable the website to be delivered to your computer. For this purpose, your IP address may need to be stored for the duration of the session. Since you requested the website, this is in our mutual legitimate interest. We must provide your IP address to the internet service provider in order for the website data to be transmitted to you.
Beyond the processing required to transmit the requested data, the full IP address is not stored.
There is no option to object, as these processes are strictly necessary for the operation of the website. Please do not visit our site if you wish to object.
Any use of your personal data is limited to the purposes stated and to the extent necessary to achieve those purposes.
Personal data is only transferred to government agencies and authorities within the framework of mandatory national laws or if disclosure is necessary for legal or criminal prosecution in the event of attacks on our network infrastructure. No data is disclosed to third parties for other purposes.
We use cloud-based services such as Microsoft 365 (Word, Outlook, Excel, PowerPoint, Teams, SharePoint) to process and store certain data. We ensure that your data is processed and stored exclusively within the European Union through the use of the “EU Data Boundary” solution. Should a transfer to a third country nevertheless be necessary, we ensure this only in compliance with applicable data protection requirements (adequacy decision or standard contractual clauses of the EU Commission).
When you use communication forms on our website, the information provided there is transmitted to us and stored. You consent to the following data processing as a precaution: We use the data exclusively to respond to your inquiry and, should the inquiry relate to a contractual relationship or result in a contractual relationship, to initiate and process the contractual relationship (Art. 6(1)(a), (b), (f) GDPR). Our legitimate interest lies in fulfilling your communication request. If you are already our customer or will become one in the future, we may collect, store, modify, and transmit the data for the purpose of establishing, performing, or terminating the contractual relationship without requiring your consent (Art. 6(1)(b) GDPR) and as long as permitted by law. In other cases, e.g., when processing with your consent, but also as long as the contractual relationship has not yet been established, we do not store your data for longer than 3 months, and you have the right to object to the processing of the data you provided to us via the contact form with your consent, effective for the future. You may exercise your right of withdrawal by notifying WALLINGER RICKER SCHLOTTER TOSTMANN - Patent and Law Firm Partnership mbB, Attn: Attorney Thomas Schachl, Zweibrückenstraße 5-7, 80331 Munich, Germany
If you wish to contact us via email, please note that the content of unencrypted emails may be viewed by third parties. We therefore recommend that you send confidential information in encrypted form or by mail.
We process your application data for the purpose of determining your suitability in relation to the firm’s needs. At least upon initial contact, this data is checked for viruses and malware by third-party service providers to ensure the security of our IT systems. By submitting your application, you are seeking to enter into an employment relationship with us, so the legal basis is Article 6(1)(b) of the GDPR. To the extent that special categories of personal data within the meaning of Article 9(1) of the GDPR are voluntarily provided during the application process, their processing is additionally carried out in accordance with Article 9(2)(b) of the GDPR (e.g., health data, such as severe disability status or ethnic origin). To the extent that special categories of personal data within the meaning of Article 9(1) of the GDPR are requested from applicants as part of the application process, their processing is additionally based on Article 9(2)(a) of the GDPR (e.g., health data, if such data is necessary for the performance of the job).
The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application (Article 6(1)(b) of the GDPR in conjunction with Section 26 of the BDSG). Upon hiring, we will again inform you about data processing in the employment relationship. Otherwise, if the application is unsuccessful, the applicants’ data will be deleted. The applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion takes place, subject to a justified revocation by the applicant, after a period of six months has elapsed, so that we can answer any follow-up questions regarding the application and fulfill our obligations to provide evidence under the Equal Treatment Act. Invoices for any travel expense reimbursements are archived for 10 years in accordance with tax law requirements.
We hereby inform you of those rights that, in our view, may even remotely apply to the data processing described above. Please note that you may be entitled to further rights under other data processing operations as well as under specific laws, e.g., professional regulations. You have the right:
To exercise your rights, please contact WALLINGER RICKER SCHLOTTER TOSTMANN - Patent and Law Firm Partnership mbB in writing, attn: Attorney Thomas Schachl, Zweibrückenstraße 5-7, 80331 Munich, Germany.
We explain your rights and restrictions of your rights in detail as follows:
You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may request the following information from the controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) the planned duration of storage of the personal data concerning you or, if specific details are not available, the criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) any available information regarding the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and—at least in such cases—meaningful information regarding the logic involved, as well as the significance and intended consequences of such processing for the data subject.
You have the right to request information regarding whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
You have the right to request from the controller the rectification and/or completion of the personal data concerning you if the processed personal data is inaccurate or incomplete. The controller must carry out the rectification without undue delay.
Under the following conditions, you may request the restriction of the processing of personal data concerning you
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need it to assert, exercise, or defend legal claims; or
(4) if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
If the processing of your personal data has been restricted, such data—apart from its storage—may be processed only with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State. If the restriction on processing has been imposed in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
a) Obligation to Erase
You may request that the controller erase the personal data concerning you without undue delay, and the controller is obligated to erase such data without undue delay if any of the following grounds apply:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
b) Disclosure to third parties
If the controller has made your personal data public and is required to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account available technology and the cost of implementation , take reasonable measures, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the erasure of all links to such personal data or of copies or replications of such personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessar
(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
(5) for the establishment, exercise, or defense of legal claims.
If you have exercised your right to rectification, erasure, or restriction of processing against the controller, the controller is obligated to notify all recipients to whom your personal data has been disclosed of such rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort
You have the right to be informed by the controller about these recipients
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided tha
(1) the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and
(2) the processing is carried out by automated means. In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, provided this is technically feasible. The freedoms and rights of other individuals must not be infringed upon as a result
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out by pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes
You have the option, in connection with the use of information society services—notwithstanding Directive 2002/58/EC—to exercise your right to object by means of automated procedures using technical specifications.
You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.
Our websites may contain links to websites of other providers. Please note that this privacy policy applies exclusively to our websites. We have no influence over and do not control whether other providers comply with applicable data protection regulations.
If you have any complaints regarding data protection, you may contact our Data Protection Officer, Attorney Thomas Schachl, LL.M., at datenschutzwallinger.de or any data protection supervisory authority in the EU. The supervisory authority at our headquarters is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27, D-91522 Ansbach, Phone: +49 (0) 981 180093-0, Fax: +49 (0) 981 180093-800, Email: poststellelda.bayern.de.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint was submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.
We are the controller, i.e., the operator of this website as stated in the legal notice
For inquiries regarding your data protection rights, in particular access, rectification, restriction of processing, erasure, withdrawal, or objection, you may contact us at any time at datenschutz@wallinger.de or via the contact details provided in the legal notice.
Date of the Privacy Policy: March 26, 2026
