{"id":121,"date":"2026-06-05T14:43:47","date_gmt":"2026-06-05T12:43:47","guid":{"rendered":"https:\/\/kaganlegal-germany.com\/?page_id=121"},"modified":"2026-07-05T20:19:15","modified_gmt":"2026-07-05T18:19:15","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/kaganlegal-germany.com\/en\/privacy-policy\/","title":{"rendered":"Privacy Policy"},"content":{"rendered":"\n<main id=\"main-content\">\n\n\n\n    <nav class=\"breadcrumb-nav\" aria-label=\"Breadcrumb\">\n      <div class=\"container\">\n        <ol class=\"breadcrumb-list\" role=\"list\">\n          <li class=\"breadcrumb-item\"><a href=\"\/en\/\">Home<\/a><\/li>\n          <li class=\"breadcrumb-item\"><span class=\"breadcrumb-sep\" aria-hidden=\"true\">\u203a<\/span><\/li>\n          <li class=\"breadcrumb-item is-current\" aria-current=\"page\">Privacy Policy<\/li>\n        <\/ol>\n      <\/div>\n    <\/nav>\n\n    <section class=\"legal-page-section\">\n      <div class=\"container legal-page-container\">\n\n        <header class=\"legal-page-header\">\n          <div class=\"section-label\">Legal<\/div>\n          <h1 class=\"page-h1\">Privacy Policy<\/h1>\n          <p class=\"page-intro\">Information on the processing of personal data pursuant to Art. 13, 14 GDPR (General Data Protection Regulation).<\/p>\n        <\/header>\n\n        <div class=\"legal-page-body\">\n          <section class=\"legal-section\" aria-labelledby=\"pp-controller\">\n            <h2 id=\"pp-controller\">Controller and contact<\/h2>\n            <p>The controller within the meaning of the General Data Protection Regulation (GDPR) is: Kanzlei Kagan \u2013 Attorney-at-law Alexander Kagan, Neuer Wall 75, 20354 Hamburg, Germany. Phone: +49 40 38655400, Email: info@kaganlegal-germany.com. No data protection officer has been appointed. 
For all data protection enquiries, please use the above contact details.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-scope\">\n            <h2 id=\"pp-scope\">Scope and legal bases<\/h2>\n            <p>We process personal data only insofar as necessary to provide a functional and secure website, to communicate with you, and to initiate and perform mandates. Depending on the purpose, the legal bases are in particular Article 6(1)(a) GDPR (consent), Article 6(1)(b) GDPR (contract\/pre-contractual steps), Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests). Where we use external service providers (e.g. hosting, CDN, consent or analytics tools), we conclude data processing agreements pursuant to Article 28 GDPR.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-hosting\">\n            <h2 id=\"pp-hosting\">Provision of the website, hosting and server log files<\/h2>\n            <p>Our website is hosted on servers of IONOS SE (Germany\/EU). When the website is accessed, server log files are processed automatically (including the IP address of the end device, date\/time of access, URL\/file retrieved, referrer URL, browser type\/version, operating system, provider). The purpose is technical delivery, stability and IT security. The legal basis is Article 6(1)(f) GDPR. We have concluded a data processing agreement with IONOS pursuant to Article 28 GDPR. Log files are generally retained for up to 30 days and then deleted or anonymised; longer retention may be necessary in individual cases to defend against or clarify attacks.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-cdn\">\n            <h2 id=\"pp-cdn\">Content Delivery Network and security service (IONOS CDN powered by Cloudflare)<\/h2>\n            <p>To improve loading times and protect against attacks (e.g. 
DDoS), we use a content delivery network (CDN) provided via IONOS; the technical network partner is Cloudflare acting as a sub-processor. IONOS is our contractual partner; the processing is covered by our agreement with IONOS, and no separate agreement with Cloudflare is required. In particular, the IP address, access data (date, time, URL) and technical information about browser and device are processed. For bot\/attack mitigation, the technically necessary cookie &#8220;__cf_bm&#8221; (lifetime approx. 30 minutes) may be set. The legal basis is Article 6(1)(f) GDPR (legitimate interest in secure and efficient provision); for strictly necessary cookies, Section 25(2) TDDDG applies. Where data are transferred to the USA, we rely on the adequacy decision under Article 45 GDPR (EU-US Data Privacy Framework) for the certified Cloudflare, Inc.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-cookies\">\n            <h2 id=\"pp-cookies\">Cookies, comparable technologies and consent management (incl. WPML)<\/h2>\n            <p>We distinguish between technically necessary cookies (required for operation, security and consent management) and optional cookies (analytics\/convenience), which are set only after consent. Consent to store information on, or access information from, the user&#8217;s terminal equipment is based on Section 25(1) TDDDG; exceptions for strictly necessary cookies follow Section 25(2) TDDDG. We use the self-hosted consent tool Borlabs Cookie (Borlabs GmbH, Hamburg) to obtain, manage and document consent. Borlabs sets a technically necessary cookie storing, inter alia, your consent status, timestamp and a technical identifier; server-side logging is performed for evidence purposes. The Borlabs cookie is stored for 60 days; thereafter, consent is requested again. The legal bases are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. You may change or withdraw your consents at any time via the cookie banner\/icon. 
WPML (multilingual): a technically necessary language-selection cookie (e.g. &#8220;wp-wpml_current_language&#8221;) is set; the browser language redirection is deactivated, so no redirect cookies (&#8220;_icl_visitor_lang_js&#8221;, &#8220;wpml_browser_redirect_test&#8221;) are set.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-webfonts\">\n            <h2 id=\"pp-webfonts\">Local web fonts<\/h2>\n            <p>For a consistent appearance we use the fonts &#8220;Newsreader&#8221; and &#8220;IBM Plex Sans&#8221;, served exclusively from our own server. No data are transmitted to external font providers (in particular no Google Fonts CDN). Legal basis: Article 6(1)(f) GDPR (legitimate interest in an appealing, data-minimising presentation).<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-forms\">\n            <h2 id=\"pp-forms\">Contact and mandate request forms (Fluent Forms), email and phone<\/h2>\n            <p>For contact and mandate requests we use self-hosted forms (WordPress plugin &#8220;Fluent Forms&#8221;). Data remain on our servers with the host; no external form service providers are used. We process in particular your name, email address, the content you enter in the form and, technically, the IP address, browser, device, source URL and timestamp (evidence, IT security). The purpose is to handle your enquiry and assess a potential mandate. The legal bases are Article 6(1)(b) GDPR (mandate initiation\/performance) and Article 6(1)(f) GDPR (response to other enquiries); the form also contains a consent statement covering voluntary information, which you can withdraw at any time with effect for the future. Submitting the form does not require consent to optional cookies. The same applies to enquiries by email\/phone. 
Retention: until the enquiry has been finally processed; where a mandate is established, statutory professional and tax retention periods apply, followed by deletion unless legal obligations or overriding legitimate interests require longer storage.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-ga4\">\n            <h2 id=\"pp-ga4\">Web analytics with Google Analytics 4 (GA4)<\/h2>\n            <p>We use Google Analytics 4 (Google Ireland Limited) for reach measurement and analysis of usage behaviour to optimise our website. GA4 is activated only after your consent via the cookie banner (opt-in). The legal bases are Section 25(1) TDDDG (storing\/reading information on terminal equipment) and Article 6(1)(a) GDPR. Data categories include page views, events\/interactions (e.g. clicks, scroll depth), approximate location data, browser\/device information, referrer as well as GA4-related online identifiers (e.g. Client ID). GA4 uses the IP address only temporarily in volatile memory to derive approximate location information (e.g. country\/region\/city); the IP address is not permanently logged or stored. Cookie lifetimes: &#8220;_ga&#8221; and &#8220;_ga_*&#8221; up to 2 years. Server-side retention: event data 2 months, user data 14 months. Where data are transferred to the USA, we rely on the adequacy decision under Article 45 GDPR (EU-US Data Privacy Framework) for the certified Google LLC. Data sharing for general Google products\/services is deactivated in our GA4 settings. You can withdraw your consent at any time via the cookie banner with effect for the future.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-google-reviews\">\n                <h2 id=\"pp-google-reviews\">Google Reviews (displayed as text)<\/h2>\n                <p>On our website, we display excerpts from public Google reviews as static text. 
No connection to Google servers is established and no data is processed by Google. A simple link allows you to visit our Google profile; Google&rsquo;s privacy policy applies only once you access Google.<\/p>\n            <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-linkedin\">\n            <h2 id=\"pp-linkedin\">LinkedIn (profile link)<\/h2>\n            <p>Our website contains a simple text\/image link to our LinkedIn profile. With this pure link, no data processing by LinkedIn takes place on our website; LinkedIn&#8217;s privacy policy applies only when you visit LinkedIn.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-self-check\">\n            <h2 id=\"pp-self-check\">Blue Card self-check (client-side tool)<\/h2>\n            <p>Our self-check is a purely client-side JavaScript tool with fixed decision logic. All inputs are processed exclusively locally in your browser; we do not collect, store or transmit your entries at any time. It is not an AI application. For transparency, the tool indicates that your inputs are processed locally and are neither stored nor transmitted.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-backups\">\n            <h2 id=\"pp-backups\">Backups (UpdraftPlus)<\/h2>\n            <p>To ensure data security and restorability in case of disruption, we create regular backups of the website including the database (self-hosted &#8220;UpdraftPlus&#8221; plugin). Backups are stored exclusively on servers of our host (IONOS) in a password-protected area; no external cloud storage is used. Where backups contain personal data (e.g. 
form contents), processing takes place on the basis of Article 6(1)(f) GDPR (legitimate interest in data security and integrity).<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-storage\">\n            <h2 id=\"pp-storage\">Storage periods and deletion<\/h2>\n            <p>Unless stated otherwise above, we delete or anonymise personal data once the respective purpose ceases to apply and no statutory retention obligations or overriding legitimate interests prevent deletion. For contact\/mandate data, statutory professional and tax retention periods apply. Consent records are retained for the duration of statutory evidence obligations. Log files are generally deleted or anonymised after no more than 30 days; GA4 cookies (&#8220;_ga&#8221;, &#8220;_ga_*&#8221;) may be stored for up to 2 years.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-rights\">\n            <h2 id=\"pp-rights\">Rights of data subjects<\/h2>\n            <p>You have the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR), to object to processing based on Article 6(1)(e) or (f) GDPR (Article 21 GDPR), and the right to withdraw consent at any time with effect for the future (Article 7(3) GDPR). You also have the right to lodge a complaint with our competent supervisory authority, the Hamburg Commissioner for Data Protection and Freedom of Information (Article 77 GDPR). You may also contact the supervisory authority at your habitual residence. 
To exercise your rights, please use the contact details above.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-obligation\">\n            <h2 id=\"pp-obligation\">Obligation to provide data and automated decision-making<\/h2>\n            <p>There is generally no obligation to provide personal data for mere use of the website. Certain information is required for use of the contact\/mandate request forms and for mandate initiation; without it, we may be unable to process your enquiry or take on a mandate. No solely automated decision-making, including profiling, takes place.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-data-security\">\n            <h2 id=\"pp-data-security\">Data security<\/h2>\n            <p>We implement appropriate technical and organisational measures within the meaning of Article 32 GDPR, in particular SSL\/TLS encryption, role-based access controls, logging and regular security and backup processes, and we continuously adapt our security measures to the state of the art.<\/p>\n          <\/section>\n\n          <section class=\"legal-section\" aria-labelledby=\"pp-updates\">\n            <h2 id=\"pp-updates\">Updates to this privacy notice<\/h2>\n            <p>Status: June 2026. Due to further development of our website or changes in legal\/administrative requirements, an update may become necessary. 
The current version is available on our website at all times.<\/p>\n          <\/section>\n        <\/div>\n      <\/div>\n    <\/section>\n\n  \n<\/main>\n\n\n\n<script type=\"application\/ld+json\">\n  {\n    \"@context\": \"https:\/\/schema.org\",\n    \"@graph\": [\n      {\n        \"@type\": \"WebPage\",\n        \"@id\": \"https:\/\/kaganlegal-germany.com\/en\/privacy-policy\/#webpage\",\n        \"name\": \"Privacy Policy \u2014 Kagan Legal Hamburg\",\n        \"description\": \"Privacy policy of Kagan Legal Hamburg \u2014 data processing under GDPR, TDDDG, and BDSG.\",\n        \"url\": \"https:\/\/kaganlegal-germany.com\/en\/privacy-policy\/\",\n        \"inLanguage\": \"en\",\n        \"isPartOf\": { \"@id\": \"https:\/\/kaganlegal-germany.com\/\" }\n      },\n      {\n        \"@type\": \"BreadcrumbList\",\n        \"@id\": \"https:\/\/kaganlegal-germany.com\/en\/privacy-policy\/#breadcrumb\",\n        \"itemListElement\": [\n          { \"@type\": \"ListItem\", \"position\": 1, \"name\": \"Home\", \"item\": \"https:\/\/kaganlegal-germany.com\/en\/\" },\n          { \"@type\": \"ListItem\", \"position\": 2, \"name\": \"Privacy Policy\", \"item\": \"https:\/\/kaganlegal-germany.com\/en\/privacy-policy\/\" }\n        ]\n      }\n    ]\n  }\n  <\/script>\n","protected":false},"excerpt":{"rendered":"<p>Home \u203a Privacy Policy Legal Privacy Policy Information on the processing of personal data pursuant to Art. 13, 14 GDPR (General Data Protection Regulation). Controller and contact The controller within the meaning of the General Data Protection Regulation (GDPR) is: Kanzlei Kagan \u2013 Attorney-at-law Alexander Kagan, Neuer Wall 75, 20354 Hamburg, Germany. 
Phone: +49 40 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-leistung","meta":{"footnotes":""},"class_list":["post-121","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/pages\/121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/comments?post=121"}],"version-history":[{"count":3,"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/pages\/121\/revisions"}],"predecessor-version":[{"id":186,"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/pages\/121\/revisions\/186"}],"wp:attachment":[{"href":"https:\/\/kaganlegal-germany.com\/en\/wp-json\/wp\/v2\/media?parent=121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}