Privacy Policy

We, MLL Legal AG, with registered office at Grabenstrasse 2, 6340 Baar, Switzerland, registered in the Commercial Register of the Canton of Zug under the number CHE-457.072.861, operate the law firm MLL and the websites www.mll-legal.com and www.mll-news.com (“MLL Websites”).

In this context, we are responsible for the collection, processing and use of your personal data and for handling this data in accordance with the law.

We take the topic of data protection seriously and pay attention to the protection of your personal data. We comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (FADP) and other provisions of data protection law that may be applicable, in particular the EU General Data Protection Regulation (GDPR).

We would like to inform you below about how we process your personal data both in connection with the MLL Websites and otherwise.

Please note that the following information may be reviewed and amended from time to time. We therefore recommend that you consult this Privacy Policy regularly.


1. Scope and purpose of the collection, processing and use of personal data

1.1 When visiting the MLL Websites

When you visit the MLL Websites, our servers temporarily save each access in a log file. The following data is collected without your intervention and stored by us until automated deletion, at the latest after twelve months:

  • the IP address of the requesting computer
  • the name of the internet access provider (usually your own internet access provider)
  • the date and time of access
  • the name and URL of the retrieved file
  • the page and address of the website from which you were redirected to the MLL Websites and, if applicable, the search term used
  • the country from which the MLL Websites are accessed
  • the operating system of your computer and the browser you are using (provider, version and language)
  • the transmission protocol used (e.g. HTTP/1.1)

The collection and processing of this data is carried out for the purpose of enabling the use of the MLL Websites (establishing a connection), to permanently guarantee system security and stability and to enable the optimisation of our internet offering as well as for internal statistical purposes. Our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR lies in the purposes described above.

Only in the event of an attack on the network infrastructure or a suspicion of other unauthorised or abusive website use will the IP address be evaluated for the purpose of investigation and defence and, if necessary, used in the context of criminal proceedings to identify and take civil or criminal action against the users concerned. Our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR lies in the purposes described above.

Finally, we use cookies and other applications based on cookies when you visit our websites. For further information, please refer to sections 3 “Cookies” and 4 “Tracking tools” below.

1.2 When you contact us by e-mail

You have the possibility to contact us or one of our experts by e-mail through the MLL Websites.

You are responsible for the message and/or transmitted content that you send to us. We recommend that you do not send any confidential data. Personal data is only collected if you provide it to us voluntarily. Therefore, you yourself are responsible for whatever data you transmit to us. In order to be able to answer your questions, we may ask you to provide us with additional information, e.g. your address, telephone number, etc. We only collect personal data from you if this is necessary to answer your questions or to provide the services you have requested.

When processing your enquiry by e-mail, we have a legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR. You can object to this data processing at any time (see section 14 “Contact”).

1.3 Use of Microsoft 365 for online meetings, telephone communication and data processing for mandate work

1.3.1 Use of Microsoft 365 in general

For our daily work, we use Microsoft 365 and various applications of Microsoft 365. Microsoft 365 software is produced by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. However, our contractual partner is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”).

The Microsoft Office suite contains numerous services that are used in everyday office life, such as Word, PowerPoint, Excel, Outlook and Teams. Microsoft 365 also offers additional online services. These include several cloud services, such as OneDrive and Exchange Online, where the data is stored on Microsoft servers instead of within the company. We use Office 365 E5.

A direct exchange of personal data between you and our Microsoft 365 applications will primarily take place during online meetings via the “Microsoft Teams” tool (see below) and during communication via e-mail. In most cases, you will not be directly involved with the other functionalities of Microsoft 365. In exceptional cases, however, we may provide you with access to Microsoft 365 functions with your consent if this is necessary or useful for the administration of your mandate.

If we exceptionally grant you direct access to Microsoft 365, even if only for a limited period of time, the following data about you will be processed:

  • IP address used to access the Microsoft 365 applications
  • Your user name (access data to the Microsoft 365 applications), data within the scope of the so-called multifactor authentication that you yourself have stored in your Microsoft account (e.g. optionally your (private) mobile phone number).
  • Identifiers: Information about you that identifies you as a user, sender or recipient of data within the Microsoft 365 applications. This includes in particular the following master data: name, first name, business contact data such as telephone number, e-mail address, business fax number, if provided by you. Further data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you at all times in your profile, but also in Outlook, and can be individually adjusted by you.
  • Data required for authentication and license use. In the Microsoft 365 applications, all user activities, such as time of access, date, type of access, indication of the data/files/documents accessed and all activities related to the use, such as creating, modifying, deleting a document, setting up a team (and channels) in Teams, making notes in the notebook, starting a chat, replying in the chat are processed.

Apart from this, we process via Microsoft 365 all data that you provide to us by telephone or e-mail when you contact us. If the data processing takes place in connection with an attorney-client relationship, we process the data listed in section 1.10 “When you mandate us”.

Currently, the following Microsoft 365 applications store data at rest in Switzerland: Exchange Online, SharePoint, OneDrive, Teams, Azure. However, data at rest in Switzerland can be transferred to other countries while using these applications. Microsoft 365 applications other than those mentioned above can also store data at rest outside of Switzerland. According to Microsoft, in this case the data is primarily stored on servers in the EU. For these data processing operations, we have concluded a data processing agreement with Microsoft in accordance with Art. 28 GDPR and Art. 10a DSG. Accordingly, we have agreed extensive technical and organisational measures with Microsoft for Microsoft 365 that correspond to the current state-of-the-art in IT security, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers. Microsoft also undertakes towards us to be bound by professional secrecy and to implement corresponding protective measures. In addition, Microsoft has extended the EU standard contractual clauses incorporated in its contracts with further protective provisions. Accordingly, Microsoft undertakes to take action against any request from a government agency and to compensate users in the event of government access. Where data is transferred to third countries, Microsoft always uses state-of-the-art encryption and promises that the data will be returned to the EU’s internal storage location immediately after processing. Microsoft provides assurances that – even if it is legally obliged to disclose the data to security authorities – it will not disclose the encryption key or enable the circumvention of encryption.

Furthermore, we have implemented the “Customer Lockbox” functionality in Microsoft 365. This means that Microsoft has no access whatsoever to our data in Office 365 (with the exception of data that is processed during the use of the “Microsoft Teams” tool, see below). Microsoft may request access for the purpose of remote maintenance. Access requests will be checked by us in each individual case and access granted only with our approval.

In connection with the aforementioned data processing by Microsoft, access may also be granted to affiliated companies of Microsoft from outside the European Union. Solely for such instances of access from outside the European Union in individual cases approved by us, we have concluded EU standard data protection contracts (standard contractual clauses) with Microsoft. In order to guarantee an appropriate level of data protection when transferring personal data to a third country such as the USA in this specific case, we have agreed with Microsoft and implemented supplementary measures in the form of state-of-the-art technical and organisational measures such as access authorisation and encryption concepts for data lines, databases and servers, as described above.

The legal basis for the processing of personal data within Microsoft Teams is described below. The legal basis for all other data processing in Microsoft 365 is primarily the processing for pre-contractual purposes or for the performance of a contract, i.e. the client relationship, according to Art. 6 para. 1 lit. b GDPR. If you contact us outside of a client relationship (by telephone or email), our legal basis is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in correctly answering and administering your enquiry. You can object to this data processing at any time (see section 14 “Contact”). In this case, however, we may no longer be able to process your request.

In connection with the use of Microsoft 365, Microsoft also processes certain data as an independent controller rather than as our data processor. This poses a data protection risk for the data subjects whose data is processed in Microsoft 365. We have concluded data protection agreements and EU standard data protection contracts with Microsoft, as already mentioned, and have agreed and implemented additional protective measures to guarantee a minimum level of data protection. Please note that we have no influence on Microsoft’s data processing activities. To the extent that Microsoft processes personal data in connection with the use of Microsoft 365, Microsoft is the independent data controller for such processing and as such is responsible for compliance with all applicable laws and obligations of a data controller. For more information about the purpose and scope of these data processing activities, please see Microsoft’s privacy policy here. You will also find further information there on your rights in this regard.

In particular, Microsoft collects and processes diagnostic data to keep Microsoft 365 secure and up to date, fix problems and make product improvements. By using Windows Restricted Traffic Limited Functionality, we restrict the connections of Microsoft 365 applications to Microsoft. This minimises the diagnostic data shared with Microsoft.

1.3.2 Microsoft Teams

We use the Microsoft Teams application to conduct conference calls, online meetings, video conferences and/or webinars (hereinafter: “Online Meetings”). Microsoft Teams is part of Microsoft 365.

When using Microsoft Teams, various types of data are processed. The scope of the data also depends on the data you provide before or during participation in an online meeting.

The following personal data may be the subject of processing:

  • User details: e.g. display name, e-mail address if applicable, profile picture (optional), preferred language
  • Meeting metadata: e.g. date, time, meeting ID, phone numbers, location, and text, audio and video data
  • Authentication data
  • Log files, log data
  • Contents of the online meeting (if you make contributions attributable to you personally)
  • You may have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device are processed during the meeting. You can turn off or mute the camera or microphone yourself at any time via the Microsoft Teams application
  • When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.

If we wish to record online meetings, we will tell you transparently before the online meeting and – where necessary – ask for consent. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

The legal basis for this data processing is for pre-contractual purposes or for the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR, insofar as the meetings or telephone communication take place within the framework of the customer relationship. Outside of the customer relationship, the legal basis is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, namely to respond to your request for contact in an optimal way by telephone or in the form of a meeting. Insofar as our legal basis is our legitimate interest, you can object to this data processing at any time (see section 14 “Contact”).

Note: If you access the Microsoft Teams website, Microsoft is responsible for data processing. Accessing the website is only necessary for the use of Microsoft Teams in order to download the software for the use of Teams.

You can also use Teams if you enter the respective meeting ID and, if applicable, other access data for the meeting directly in the Teams app or click on the link to the meeting that may have been sent to you.

Microsoft reserves the right to process the personal data processed with Microsoft Teams for its own business purposes, if Microsoft has access to this data at all. This poses a data protection risk for Microsoft Teams users. We have concluded data protection agreements and EU standard data protection contracts with Microsoft to guarantee a minimum level of data protection. Please note that we have no control over Microsoft’s data processing activities. To the extent that Microsoft Teams processes personal data in connection with Microsoft’s legitimate business operations, Microsoft is the independent data controller for such use and, as such, is responsible for compliance with all applicable laws and obligations of a data controller. For more information about the purpose and scope of data collection and processing in connection with Microsoft Teams, please see Microsoft’s privacy policy here. For information on data processing specific to Microsoft Teams, please click here. You can also find more information there about your rights in this regard. Microsoft may also process your personal data in the United States (see section 10 “Notice of transfers to the United States” below).

1.4 When you sign up for our newsletter

When you sign up for our newsletter and consent to receive communications from us, we collect the following information from you:

  • First name*
  • Surname*
  • E-mail address*
  • Gender*
  • Company name*
  • City
  • Country

The fields marked with * are mandatory.

Our newsletter or other mail communication contains a so-called web beacon (tracking pixel) or similar technical means. A web beacon is an invisible 1×1-size pixel graphic that is associated with the user ID of the respective newsletter subscriber or mail recipient.

For each newsletter or other marketing communication sent, there is information on the address file used, the subject and the number of emails sent. Furthermore, it is possible to see which addresses have not yet received the newsletter or other communication, to which addresses they were sent and for which addresses the sending failed. It is also possible to see which addresses have opened the newsletter or other communication. And finally, it is possible to see which addresses have unsubscribed. We use this data for statistical purposes and to optimise the content and structure of the newsletter and our other communication with you. This enables us to better tailor the information and offerings in our newsletter and our marketing communication in general to the individual interests of the recipients. The tracking pixel is deleted when you delete the newsletter or email.

In order to block the use of the web beacon in our newsletter or other communication, please set your mail programme so that no HTML is displayed in messages, if this is not already the case by default. You will find explanations on how to change this setting in the most common e-mail programmes on the following pages.

By registering for our newsletter on www.mll-legal.com and/or www.mll-news.com, you give us your consent to process the personal data provided within the meaning of Art. 6 para. 1 lit. a GDPR for marketing purposes, such as sending emails with advertising or marketing content (newsletter), invitations and customised advertising.

We use the services of HubSpot for our email marketing. HubSpot is a software company from the USA with a branch in Ireland. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Phone: +353 1 5187500. You can find out more about HubSpot’s data processing here. In the context of processing via HubSpot, data may be transferred to the USA (see section 10 “Notice on data transfers to the USA” below).

Your email address will be used for promotional and marketing purposes until you withdraw your consent. You can withdraw your consent at any time and unsubscribe from all marketing activities at any time by contacting us (see section 14 “Contact”) or by unsubscribing via the unsubscribe link at the end of each newsletter or other communication.

1.5 When you open a customer account for MLL-Docs

On our website you have the option to open a user account. We collect the following data during registration:

  • Username/E-mail address*
  • Password*

The fields marked with * are mandatory.

Once your account login has been created, you can update your profile with the following information:

  • First name
  • Last name
  • Displayed name

We need this information to provide you with an overview of your orders and the contracts concluded with you in this context. The legal basis for the processing of your personal data lies in the processing for pre-contractual purposes or for the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR as well as our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If we invoke our legitimate interest for data processing, you can object to this data processing at any time (see section 14 “Contact”).

1.6 When you buy a product on MLL-Docs

To purchase a product, you must either already have a user account or create a new user account. When you purchase products from our online shop on MLL-Docs, we collect the following data:

  • First name*
  • Surname*
  • Company name*
  • Country*
  • Street/house number*
  • Postcode*
  • Place/City*
  • Canton
  • Phone*
  • E-mail address*
  • Order note
  • Consent to the General Terms and Conditions and the Privacy Policy*

The fields marked with * must be completed.

We need this information to process your order and to provide you with the requested products/services. The legal basis for the processing of your personal data lies in pre-contractual measures and the performance of a contract within the meaning of Art. 6 (1) lit. b GDPR.

Finally, when you pay by credit card on the website, we forward your credit card information to your credit card issuer and to the credit card acquirer. We work with the Stripe software platform from Stripe Inc., 185 Berry Street, Suite 550, CA 94107 San Francisco, USA. If you decide to pay by credit card, you will be asked to enter all mandatory information. The legal basis for the forwarding of this information is the performance of a contract in accordance with Art. 6 para. 1 lit. b GDPR. Regarding the processing of your credit card information by Stripe, we ask you to read their terms and conditions and their privacy policy under this link.

1.7 When you generate a purchased, automated template on MLL-Docs

To generate a personalised template purchased on MLL-Docs, you must provide certain information in a Q&A process. We do not directly store such data permanently. However, the data used to generate the template is temporarily stored for 90 days by Metanet, Josefstrasse 218, 8005 Zurich, Switzerland, on a server in Switzerland.

In addition, data may be processed and stored by the hosting platform of Exari Solutions (Europe) Limited, 20 St Dunstan’s Hill, London EC3R 8HL (“Exari”). Exari’s current provider of its hosting platform is Amazon Web Services, which stores the data in Dublin, Ireland.

The legal basis for the transfer of data is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

1.8 When you apply for a job

If you submit a letter of application by post or e-mail, we process the personal data you provide in order to check your application and, if necessary, to contact you in this context.

The legal basis for the processing of your personal data lies in pre-contractual processing and the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR as well as in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Insofar as we process data based on legitimate interest, you can object to this data processing at any time (see section 14 “Contact”).

1.9 When you register for events or provide us with your details at events

We regularly hold events, be they physical events on specific legal topics, general law firm events, webinars, etc., for which clients and other interested parties can register. As part of the registration process, we collect various information about the participants. You will be informed in each case during the registration process which information about you is mandatory. We collect the following information, among others:

  • First name
  • Last name
  • Company name
  • Country
  • Street/house number
  • Postcode
  • Place/City
  • Canton
  • Phone
  • E-mail address
  • Consent to the General Terms and Conditions and the Privacy Policy
  • For events for which a fee is charged, payment information
  • Depending on the event, further information (e.g. regarding meal requests, etc.)

We need this information to arrange for your participation at the events and occasions in question and to organise the occasions and events. The legal basis for the processing of your personal data lies in pre-contractual processing and the implementation of a contract within the meaning of Art. 6 para. 1 lit. b GDPR.

In the context of these events, and also at events organised by other organisations, we may also receive information from you, e.g. if you provide us with your business card or network with us or our employees on LinkedIn. You provide this information to us voluntarily. We will include this information, together with other personal data referred to in this Privacy Policy, in our central electronic data processing system, where it will be used to manage our business relationship with you (see section 2 “Central storage and CRM data processing” below). The legal basis for the processing of your personal data lies in pre-contractual processing and the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR or in our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR for the targeted and efficient management of contacts and business relationships. You can object to this data processing by us at any time. However, we will then no longer be able to provide the services you have requested.

1.10 When you mandate us

Within the scope of a client relationship, we process the following personal data, among others:

  • Your name and contact information (including name, address, telephone number or email address).
  • Information about the company you work for, your position or title
  • Identification and background information that you provide to us or that we collect from you in the course of opening the client relationship
  • Billing and payment information
  • Information which you have disclosed to us in the context of and for the purposes of the processing of the mandate or which we produce in the context of our services to you, including mandate-related communication
  • All other information relating to you which you provide to us in connection with the mandate

We collect and record this information when you interact with us, for example when you communicate with our employees. We also collect or create this information in the course of providing services to you. We may also obtain information about you from other sources, for example, by consulting publicly available sources to update your details, as part of the engagement process and also in the course of providing services to you.

We process the information in order to communicate with you, to carry out money laundering, conflict and reputation checks before opening a mandate, to be able to offer you the services or legal advice you require, to invoice you for the services and to manage the business relationship with you, including the assertion, enforcement and defence of legal claims.

The legal basis for the processing of your personal data for the above purposes lies in pre-contractual processing and the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR, in the fulfilment of legal obligations within the meaning of Art. 6 para. 1 lit. c GDPR and, if applicable, in our legitimate interest in the targeted and efficient support of the client relationship within the meaning of Art. 6 para. 1 lit. f GDPR.


2. Central storage and CRM data processing

We store the personal data affected by and mentioned in this data privacy policy in a centralised electronic data processing system. For this purpose, we work with the software platform of STP, Herostrasse 9, 8048 Zurich, Switzerland.

In addition to the aforementioned processing purposes, we also use this personal data to optimise the organisation and management of our business relations with you. For this purpose, we assign various characteristics to you in our centralised data processing system (e.g. which areas of our services you are interested in, etc.). We derive these characteristics from the information provided by you or the data collected about you as mentioned above. However, we do not carry out comprehensive profiling for this purpose. The following personal data in particular are relevant for these purposes:

  • Name, title, age, year of birth
  • Gender
  • Contact details
  • Professional data (e.g. function, position; your business website, business email; professional qualifications, training and specialisation).
  • Details of interactions with us, such as topics covered, questions asked about our company and products, which events you attended; your feedback on events, etc.

This processing is based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR for the customer-friendly and efficient management of customer data. The processing also takes place in order to display interest-related content to you on the MLL Websites or in our communications with you. The legal basis for this processing is then also the performance of a contract within the meaning of Art. 6 para. 1 lit. b GDPR. You can object to this data processing at any time (see section 14 “Contact”).

If you have given us your consent to do so or if we have a legitimate interest in doing so, we will use the data stored in the centralised data processing system to send you information about us and our services (e.g. information about events organised by us that might interest you, information about current legal developments that might interest you). This processing is based either on your consent pursuant to Art. 6 para. 1 lit. a GDPR or on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR (in particular in the case of an existing business relationship). You can revoke your consent or object to data processing at any time (see also section 1.4 “When you sign up for our newsletter” regarding e-mail communication).


3. Cookies

When you access the MLL Websites, we collect information using cookies and tracking tools. Cookies are information files that your web browser automatically stores on the hard drive of your terminal device when you visit our websites. Cookies do not damage the memory of your terminal device, nor do they transmit the users’ personal data to us.

Among many other aspects, cookies help to make your visit to our websites easier, more pleasant and more meaningful.

Most internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your end device or so that a message always appears when you receive a new cookie.

On the following pages you will find explanations on how to configure the processing of cookies in the most common browsers.

Please note that disabling cookies may prevent you from using all features of the MLL Websites.


4. Tracking tools

4.1 Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Analytics uses methods that enable an analysis of the use of the websites, such as cookies. These generate information about your use of the websites, such as:

  • Navigation path that a visitor follows on the MLL Websites
  • How long you spend on the MLL Websites and subpages
  • The subpage from which you leave the MLL Websites
  • The country, region or city from where you access the MLL Websites
  • End device (type, version, colour depth, resolution, width and height of the browser window)
  • Returning or new visitor
  • Browser provider/version
  • The operating system used
  • The referrer URL (previously visited website)
  • Host name of the accessing computer (IP address)
  • Time of the server request

This information is transmitted to Google servers in the USA and stored there. In doing so, the IP address is shortened by activating IP anonymisation (“anonymizeIP”) on the MLL Websites before transmission within the Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area, as well as in Switzerland. The anonymised IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure that Google complies with a sufficient level of data protection by means of contractual guarantees, in particular by agreeing to the EU standard contractual clauses and additional measures.

The information is used to evaluate the use of the MLL Websites, to compile reports on website activities and to provide other services associated with website and internet use for the purposes of market research and demand-oriented design of the MLL Websites. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. According to Google, under no circumstances will the IP address be associated with other data relating to the user.

The legal basis for processing the data for the above purposes is your consent, which you give us by using the cookie banner, in terms of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time (section 14 “Contact”).

You can prevent the collection of the data generated by the cookies (including the IP address), which relate to the use of the websites, by Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

An opt-out cookie will be stored on your device. If you delete all cookies, the link must be clicked again.

4.2 Google Tag Manager

We use Google Tag Manager, a service of Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, to manage cookies and pixels for tracking tools and other tools. The Tag Manager tool itself is a cookie-less domain and does not collect any personal data. Instead, the tool triggers other tags that may in turn collect data. If you opt for a deactivation at the main or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

This processing is based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. You can object to this data processing at any time (see section 14 “Contact”).

4.3 HubSpot

We use the services of the software manufacturer HubSpot. HubSpot is a software company from the USA with a branch in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).

HubSpot is a service platform. The service used is an integrated software solution that allows us to manage customer data and cover various aspects of our online marketing. This includes, among other things, the analysis of landing pages and reporting. In the process, so-called “web beacons” are used (see section 1.4 “When you sign up for our newsletter”) and cookies are stored on the end device you use.

For example, the following personal data may be collected:

  • IP address
  • Geographical location
  • Browser type
  • Duration of the visit
  • Pages viewed

The information collected and the content of the MLL Websites are stored on HubSpot servers in Ireland. We use HubSpot to analyse the use of the MLL Websites. This allows us to constantly optimise the MLL Websites and make them more user-friendly. We also use information to determine which of our services are of interest to clients and newsletter subscribers and to contact them for marketing purposes. In addition, we use the analysis to optimise the MLL Websites for you.

We only use your IP address in a shortened version. This means that the IP address of the user is shortened by HubSpot within the Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area as well as in Switzerland. Only in exceptional cases will the full IP address be transmitted to a HubSpot server in the USA and only shortened there.

The cookies have a standard lifetime of 13 months. In addition, we delete the personal data collected via HubSpot as soon as the purpose for which it was collected has been achieved, unless the deletion conflicts with legal retention periods.

The information generated by the cookie about the use of the online offering by the user may also be transmitted to a Google server in the USA and stored there. The processing takes place on the basis of the EU standard contractual clauses. For information on data transfer to the USA, see also section 10 “Information on data transfer to the USA” below.

The aforementioned data processing is based on Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time (see section 3 “Cookies” or section 14 “Contact”). Further information on how HubSpot works can be found in the privacy policy of HubSpot Inc.

4.4 Yoast

We use plugins from Yoast SEO on our websites. This is an offer from Yoast BV, Don Emanuelstraat 3, 6602 GX Wijchen, The Netherlands.

These plugins take care of the complete technical optimisation of our websites for search engines. They also support the development of content. For more information, please refer to the privacy policy of Yoast BV.

You may refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that if you do this you may not be able to use the full functionality of the MLL Websites.

4.5 Woocommerce

We offer products and download products for purchase via the MLL Websites. We use the Woocommerce service for this purpose. As soon as you click on one of our product buttons, you leave the MLL Websites and are redirected to our individual sales page. The service is offered by Automattic Inc, 60, 29th Street #343, San Francisco, CA 94110-4929, USA (see section 10 “Notice on data transfers to the USA”). We have no knowledge about the further processing and the duration of the storage of your data. Further information on this can be found here. All functions on the sales page as well as the entire downstream sales processing steps are carried out via Woocommerce and the German Market plug-in.

The legal basis for the aforementioned data processing results in the present case from Art. 6 para. 1 lit. b GDPR, i.e. in the performance of a contract.

4.6 WPML Plugins

Our websites use WPML plugins from OnTheGoSystems Limited, 22/F 3 Lockhart Road, Wanchai, Hong Kong, to offer, among other things, a German and English language version of the websites. WPML uses cookies to determine the visitor’s current language, the language last visited and the language of users who have logged in. Details of the cookies used can be found at https://wpml.org/documentation/support/browser-cookies-stored-wpml.

The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. f GDPR, i.e. our legitimate interest in analysing and optimising our online offer. The plugins have been configured in a data protection compliant manner.


5. Google Maps

We use Google Maps API (Application Programming Interface, “Google Maps”) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, on our websites for the visual display of geographical information (maps). By using Google Maps, information about the use of our websites, including your IP address, is transmitted to a Google server in the USA and stored there.

The legal basis for processing the data for this purpose is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. You can object to this data processing at any time (see section 14 “Contact”).

It is possible to deactivate Google Maps and prevent data transfers to Google if you deactivate JavaScript in your browser. However, we would like to point out that in this case you will not be able to use the map display.

For more information about the collection, processing and use of your data by Google and your rights in this regard, please see Google’s privacy policy at https://policies.google.com/privacy, as well as the additional terms of use for Google Maps or Google Earth at https://www.google.com/help/terms_maps/.


6. Social Media Plugins

We have integrated social media plugins of various social networks on the MLL Websites. These social media plugins may be, for example, the “Like button” or other functionalities, e.g. sharing content of the websites on social networks. You can recognise the social media plugins by the logos of the social networks concerned.

To ensure data protection on our websites, we only use these plugins together with the so-called “Shariff” solution. This application prevents the plugins integrated on the MLL Websites from transmitting data to the respective provider the first time you enter the sites.

Only when you activate the respective plugin by clicking on the associated button (consent) is a direct connection to the provider’s server established. As soon as you activate the plugin, the respective provider receives the information that you have visited the MLL Websites with your IP address. If you are logged in to your respective social media account (e.g. Facebook) at the same time, the respective provider can assign the visit to the MLL Websites to your user account. If you want to prevent this, you should log out before clicking on the plugin. An assignment is made in any case when you log in to the respective network after clicking on the plugin.

Activating the plugin constitutes consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time with effect for the future.

We have integrated plugins from the following social networks into the MLL Websites:


7. Links to our social media sites

On the MLL Websites, we have set up links to our social media presence on the following social networks:

  • LinkedIn Corp., 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA;
  • Twitter Inc, 1355 Market Street Suite 900 San Francisco, CA 94103, USA.

If you click on the corresponding icons of the social networks, you will automatically be redirected to our profile on the respective social network. In order to be able to use the functions of the respective network there, you must partially log in to your user account for the respective network.

When you open a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network in question. This provides the network with the information that you have visited our website with your IP address and accessed the link. If you access a link to a network while logged in to your account on the network concerned, the content of our site may be linked to your profile on the network, i.e. the network may link your visit to the MLL Websites directly to your user account. If you want to prevent this, you should log out before clicking on the relevant links. In any case, an association takes place when you log in to the relevant network after clicking on the link.

If you click on one of these links, you thereby give your consent within the meaning of Art. 6 para. 1 lit. a GDPR to the resultant data processing.


8. Disclosure of data to third parties

We consider the personal data referred to in this Privacy Policy to be confidential and will treat it accordingly. All of our lawyers, trainees and other employees in all of our locations (including our offices in London and Madrid) may have access to your personal information unless we do not consider it appropriate or you instruct us to limit access to certain information to a specific group of people.

We will not disclose your information to third parties unless it is necessary to comply with laws, court orders or legal process, to enforce or apply our agreements or to protect us or our rights, or unless you have consented to this.

In addition, we share your data with third parties to the extent necessary for the use of the MLL Websites, the processing of your contact requests, the sending of marketing communications and the analysis of your user behaviour, as well as for other processing purposes mentioned above. The use by third parties of the data disclosed is strictly limited to the aforementioned purposes.

Various third-party service providers are explicitly mentioned in this Privacy Policy (e.g. in section 4 “Tracking tools”). Other service providers to which personal data collected via the MLL Websites is disclosed or to which they have or may have access are the companies that set up and maintain the MLL Websites, namely appamics LLC, Steinenvorstadt 33, CH-4051 Basel, Switzerland. The data is passed on to them for the purpose of providing and maintaining the functionalities of the MLL Websites. For this processing, we rely on our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR.


9. Transfer of personal data abroad

We may transfer your data to third parties (contracted service providers) based abroad for the purposes of the data processing described in this Privacy Policy.

Such third party companies are obliged to protect the privacy of individuals to the same extent as we do. If the level of data protection in a country does not correspond to the Swiss or EU standard, we contractually ensure that the protection of your personal data corresponds to that in Switzerland or the EU at all times. To this end, we agree on the EU standard contractual clauses with our partners and implement additional technical and organisational measures if necessary.

Certain third-party providers mentioned in this Privacy Policy are based in the USA (see section 4 “Tracking tools”). Further explanations of the data that may be transferred to the USA can be found below under section 10 “Notice on data transfers to the USA”.


10. Notice on data transfers to the USA

Some of the third-party service providers mentioned in this Privacy Policy are based in the USA. For the sake of completeness, we would like to point out for users who are resident or domiciled in Switzerland or the EU that there are US authority surveillance measures in place in the USA which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and their subsequent use to specific, strictly limited purposes that are capable of justifying the intrusion associated with both the access to and the use of this data. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies that allow them to obtain access to the data concerning them and to obtain their correction or deletion, and that there is no effective judicial legal protection against general access rights of US authorities. We explicitly draw the attention of data subjects to this legal and factual situation so that they can make an appropriately informed decision to consent to the use of their data.

We would like to point out to users who are resident in Switzerland or a Member State of the EU that the USA does not have a sufficient level of data protection from the point of view of the European Union and Switzerland – among other things due to the issues mentioned in this section. Insofar as we have explained in this data protection declaration that recipients of data (such as Google) are based in the USA, we will ensure through contractual arrangements with these companies, as well as any additional appropriate guarantees required, that your data is protected with our partners to an appropriate standard.


11. Right to information, deletion and correction

You can object to data processing, in particular data processing in connection with direct marketing (e.g. against advertising emails) at any time. You have the following rights:

Right of access: If we process your personal data, you have the right to request access to your personal data stored by us at any time and free of charge. This gives you the opportunity to check what personal data we process about you and that we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will inform the recipients of the data concerned of the adjustments made, unless this is impossible or involves disproportionate effort.

Right to deletion: You have the right to have your personal data deleted in certain circumstances. In individual cases, the right to deletion may be excluded.

Right to restrict processing: You have the right, under certain conditions, to request that the processing of your personal data be restricted.

Right to data transfer: If you are a resident of an EU or EEA Member State, you have the right, in certain circumstances, to obtain from us, free of charge, the personal data you have provided to us in a readable format.

Right to lodge a complaint with a supervisory authority: If you are a resident of an EU or EEA Member State, you have the right to lodge a complaint with a competent supervisory authority about the way in which your personal data is processed.

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past do not become unlawful as a result of your revocation.


12. Retention periods

We only retain personal data for as long as necessary to provide you with services that you have requested or for purposes to which you have given your consent.

Please note that special statutory retention periods may apply to certain data. We must store this data until the end of the retention period. Accordingly, business communications or concluded contracts, for example, must be stored for up to 10 years. We block access to such data in our system and use it exclusively to fulfil our legal obligations.


13. Data security

We use appropriate technical and organisational security measures to protect personal data from loss, misuse or alteration. Nevertheless, it is not possible to guarantee the absolute security of personal data. In this context, please also note that data transmitted over an open network such as the Internet or an e-mail service is openly accessible. We cannot guarantee the confidentiality of messages or content shared over these networks. If you share personal data over an open network, you should be aware that third parties may access this data and collect and use it for their own purposes.

We also take internal data protection very seriously. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to comply with the provisions of data protection law.


14. Contact

If you have any questions about data protection, if you would like further information or if you would like to request the deletion of your personal data, please contact us by e-mail at privacy@mll-legal.com. Alternatively, you can write to:

MLL Legal Ltd
Data Protection Coordination
Schiffbaustrasse 2
PO Box
8031 Zurich
Switzerland

Date: 30 January 2024