Data privacy Statement

Privacy policy


In this data protection declaration, we (caralegal GmbH) inform you about the processing of personal data when using our website. You can print or save this data protection declaration by using the usual functionality of your browser.


  1. Contact
  2. Data processing on our website
    2.1 Visiting our website/access data
    2.2. Contacting us
  1. Use of cookies and similar technologies
    3.1 Legal basis, consent and revocation
    3.1.1 Legal basis
    3.1.2 Obtaining your consent
    3.1.3. Revocation of your consent or change of your selection3.2 Necessary tools
    Google Tag Manager

3.3. Analysis tools
Google Analytics

  1. Online presence in social networks
  2. Disclosure of data
  3. Data transfer to third countries
  4. Storage period
  5. Your rights, in particular revocation and objection
  6. Changes to this privacy policy


  1. Contact person

The point of contact and so-called controller for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is:

caralegal GmbH

Am Hamburger Bahnhof 4

10557 Berlin

Phone +49 (0)30-213002885

For all questions regarding data protection in connection with our products/services or the use of our website, you can also contact our data protection officer at any time. He or she can be reached at the above postal address and at the email address given above (keyword: “attn. data protection officer”). We expressly point out that when using this email address, the contents are not exclusively noted by our data protection officer. If you wish to exchange confidential information, please contact us directly via this email address at first.


  1. Data processing on our website

2.1 Visiting our website/access data

Each time you use our website, we collect the access data that your browser automatically transmits to enable you to visit the website. In particular, the access data includes:

  • IP address of the requesting device,
  • date and time of the request,
  • address of the website visited and the requesting website,
  • information about the browser used and the operating system,
  • online identifiers (e.g. device identifiers, session IDs).

The data processing of this access data is necessary to enable the visit of the website and to ensure the permanent functionality and security of our systems. The access data is also temporarily stored in internal log files for the purposes described above, in order to compile statistical information about the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices with which the pages are accessed increases) and for general administrative maintenance of our website.

The processing of these access data is necessary in order to make the visit to the website possible. The legal basis is Art. 6 para. 1 lit. b GDPR. In the event, that the processing is based on our legitimate interest to ensure the permanent functionality and security of our systems, the legal basis is Art. 6 para. 1 lit. f GDPR.

For data protection reasons, log files are not permanently stored or analysed by us.

2.2 Contacting us

You have various options for contacting us, e.g., via the contact form or by telephone. In this context, we process data exclusively for the purpose of communicating with you.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in you contacting us and us being able to answer your enquiry. We only make promotional telephone calls if you have given your consent for this. If you are not an existing customer, we will also only send you promotional emails on the basis of your consent. In these cases, the legal basis is Art. 6 para. 1 lit. a GDPR.

The data we collect when you use the contact form will be automatically deleted after we have fully processed your request unless we still need your request to fulfil contractual or legal obligations (see section 7 “Storage period”).

  1. Use of cookies and similar technologies

This website uses cookies and similar technologies (collectively, “Tools”) provided either by us or by third parties.

A cookie is a small text file that is stored on your device by the browser. Cookies are not used to run programs or download viruses onto your computer. Comparable technologies are in particular web storage (local/session storage), fingerprints, tags or pixels. Most browsers are set by default to accept cookies and similar technologies. However, you can usually adjust your browser settings so that cookies or comparable technologies are rejected or only stored with your prior consent. If you reject cookies or comparable technologies, it is possible that some of our offers for you may not function properly.

In the following, we list the tools we use by category, informing you, in particular, about the providers of the tools, the storage period of the cookies and the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can revoke this consent.

If – even despite the greatest care – the information in the cookie banner contradicts that said in this data protection declaration, the information in this data protection declaration prevails.


3.1 Legal basis, consent and revocation 

3.1.1 Legal basis

We use tools necessary for website operation on the basis of our legitimate interest pursuant to Art. 6 para. 1lit. f GDPR to enable you to use our website more conveniently and individually and to make use of it as time-saving as possible. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR.

We use all other tools, in particular, those for marketing purposes, on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR and pursuant to Section 15 para. 3 p. 1 TMG (German Telemedia Act), insofar as user profiles are created for the purposes of advertising or market research. Data processing with the help of these tools only takes place if we have received your consent in advance.

If personal data is transferred to third countries, we refer you to section 6 (“Data transfer to third countries”), also with regard to the possible associated risks. We will inform you if we have concluded standard contractual clauses or other guarantees with the providers of certain tools. If you have given your consent to use certain tools, we (also) transfer the data processed when using the tools to third countries on the basis of this consent.

3.1.2 Obtaining your consent

We use the WordPress plugin “Borlabs Cookie” to obtain and manage your consent. This generates a banner informing you about data processing on our website and giving you the option to consent to all, some or no data processing through optional tools. This banner appears the first time you visit our website and when you revisit the selection of your preferences to change them or revoke consents.

In addition, the WordPress plugin “Borlabs Cookie” sets a necessary cookie (“borlabs-cookie”) to store your obtained consents and revocations. If you delete your cookies, we will ask you for your consent again when you visit the site at a later date.

The data processing by the WordPress plugin “Borlabs Cookie” is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis is Art. 6 para. 1 lit. f GDPR, justified by our interest in fulfilling the legal requirements for cookie consent management.

3.1.3 Revoking your consent or altering your choice

You can revoke your consent for certain tools at any time. To do so, click on the following link Cookie settings. There you can also change the selection of the tools you wish to consent to using, as well as obtain additional information on the cookies and the respective storage period. Alternatively, you can assert your revocation for certain tools directly with the provider.

3.2 Necessary Tools

We use certain tools to enable the basic functions of our website (“Necessary Tools”). Without these tools, we would not be able to provide our service. Therefore, Necessary Tools are used without consent based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR or for the performance of a contract or for the execution of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR.

Google Tag Manager

Our website uses Google Tag Manager, a service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (both referred to as “Google”).

The Tag Manager is used to manage tracking tools and other services, so-called website tags. A tag is an element that is stored in the source code of our website, for example, to record specified usage data. The Google Tag Manager ensures that the usage data required by our partners is forwarded to them.

The Google Tag Manager does not require the use of cookies.

The legal basis is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in integrating and managing multiple tags on our website in a straightforward manner.

We have concluded an order processing contract with Google. Partially, data is processed on a Google server in the USA. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Google in accordance with Art. 46 Para. 2 lit. c GDPR. For further information, please refer to section 6 (“Data transfer to third countries”).

You can find more information on this in Google’s information on the Tag Manager.

3.3 Analysis tools 

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). According to Google, the contact for all data protection issues is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and similar technologies to analyse and improve our website based on your user behaviour. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. The data generated in this context may be transferred by Google to a server in the USA for evaluation and stored there.

We have made the following data protection settings for Google Analytics:

  • IP anonymisation (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity).
  • Automatic deletion of old logs/limitation of the storage period
  • Deactivated advertising function (including target group remarketing through GA Audience)
  • Disabled personalised ads
  • Disabled Measurement Protocol
  • Disabled cross-page tracking (Google signals)
  • Disabled data sharing with other Google products and services

The following data is processed by Google Analytics:

  • Anonymised IP address;
  • Referrer URL (previously visited page);
  • Pages viewed (date, time, URL, title, time spent);
  • Downloaded files;
  • Clicked links to other websites;
  • Achievement of specific goals (conversions), if applicable;
  • Technical information: Operating system; Browser type, version and language; Device type, brand, model and resolution;
  • Approximate location (country and city, if applicable, based on anonymised IP address).

Google Analytics sets the following cookies for the stated purpose with the respective storage period:

  • “_ga” for 2 years and “_gid” for 24 hours (both to recognise and distinguish website visitors by a user ID);
  • “_gat” for 1 minute (to reduce requests to Google servers);
  • IDE” for 13 months (third-party cookie to recognise and distinguish website visitors by a user ID, to record interaction with advertising and in the context of playing out personalised advertising).

We have concluded an order processing agreement with Google for the use of Google Analytics as well as standard contractual clauses in the event, that personal data is transferred to the USA or other third countries.

You can find more information on this in Google’s privacy policy.

  1. Online presence in social networks

We maintain online presences in social networks in order to communicate there with customers and interested parties, among others, and to provide information about our products and services.

The users’ data is usually processed by the social networks concerned for market research and advertising purposes. In this way, user profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the users’ computers. On the basis of these user profiles, advertisements, for example, can be placed within the social networks but also on third-party websites.

As part of the operation of our online presences, it is possible that we can access information such as statistics on the use of our online presences, which are provided by the social networks. These statistics are aggregated and may include, in particular, demographic information and data on interaction with our online presences and the posts and content distributed via them. Please refer to the list below for details and links to the data of the social networks that we can access as operators of the online presences.

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effectively informing users and communicating with users, or Art. 6 para. 1 lit. b GDPR, in order to stay in contact with and inform our customers and to carry out pre-contractual measures with future customers and interested parties.

For the legal basis of the data processing carried out by the social networks on their own responsibility, please refer to the data protection information of the respective social network. The links below also provide you with further information on the respective data processing and the options to object.

We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. Below is a list of information about the social networks on which we operate online presences:

  1. Disclosure of data

The data we collect will only be transferred if:

  • you have given your express consent in accordance with Art. 6 Para. 1 lit. a GDPR,
  • the disclosure is necessary for the assertion, exercise or defence of legal claims in accordance with Art. 6 para. 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed,
  • we are legally obliged to disclose your data according to Art. 6 para. 1 lit. c GDPR or
  • this is legally permissible and necessary according to Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include, in particular, data centres that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. If we pass on data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.

In addition, disclosure may take place in connection with official enquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.

  1. Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your expressed consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.

If a third country transfer is provided for and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the cookie banner, you will also be informed of this.

  1. Storage period

In principle, we only store personal data for as long as is necessary to fulfil the purposes for which we collected the data. Thereafter, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.

For evidentiary purposes, we must retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims become statute-barred at this point at the earliest in accordance with the standard statutory limitation period.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents range from two to ten years.

  1. Your rights, in particular revocation and objection

You are entitled to the data subject rights formulated in Art. 15 – 21, Art. 77 GDPR at any time:

  • Right to withdraw your consent;
  • Right to object to the processing of your personal data (Art. 21 GDPR);
  • Right of access to your personal data processed by us (Art. 15 GDPR);
  • Right to rectify your personal data stored by us that is incorrect (Art. 16 GDPR);
  • Right to erasure of your personal data (Art. 17 GDPR);
  • Right to restrict the processing of your personal data (Art. 18 GDPR);
  • Right to data portability of your personal data (Art. 20 GDPR);
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

To exercise your rights described here, you can contact us at any time using the contact details above. This also applies if you would like to receive copies of guarantees to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, even longer for the assertion, exercise or defence of legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 (2) GDPR.






You have the right to revoke your consent at any time. This has the consequence that we will no longer continue the data processing based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to data processing for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.

If you wish to make use of your right of revocation or objection, it is sufficient to send an informal message to the contact details above.

Finally, you have the right to complain to the data protection supervisory authority responsible for us. You can assert this right at a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.

  1. Changes to this privacy policy

We occasionally update this privacy policy, for example if we adapt our website or if legal or regulatory requirements change.

Last amended: February 2021