Privacy notice for Clients

Information pursuant to Art. 13 of the General Data Protection Regulation (GDPR) regarding the use of your personal data


Controller and Data Protection Officer

The Controller for data protection purposes is:

Nexia GmbH
Wirtschaftsprüfungsgesellschaft | Steuerberatungsgesellschaft
Georg-Glock-Straße 4, 40474 Düsseldorf, Germany

Further information about our company, details of the authorized representatives, and additional contact options can be found in the legal notice on our website: https://www.nexia.de/en/legal-notice

Data Protection Officer
datenschutz@nexia.de


Purpose and Legal Basis of Processing

We process your personal data on the following legal bases:

Performance of Contract (Art. 6(1)(b) GDPR): 
To carry out the client relationship

Legal Obligations (Art. 6(1)(c) GDPR): 
To fulfil statutory requirements (e.g. German Public Accountant Act, German Commercial Code, Anti-Money Laundering Act)

Legitimate Interests (Art. 6(1)(f) GDPR): 
For business management, legal defence, and IT security

Consent (Art. 6(1)(a) GDPR): 
If you have given us consent for specific processing purposes

We process data that we receive directly from you, as well as information from publicly accessible sources (e.g. registers, media) or from third parties (e.g. authorities, courts, your contractual partners) with whom you have a legal relationship.

The collection of this data is a prerequisite for successful client service, including pre-contractual enquiries.


Special Categories of Personal Data

The information you provide may include special categories of personal data pursuant to Art. 9 GDPR (e.g. health data, religious beliefs, trade union membership), which are subject to special protection. We only process such data:

  • With your explicit consent for specified purposes pursuant to Art. 9(2)(a) GDPR
  • For the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity pursuant to Art. 9(2)(f) GDPR
  • For compliance with social security, tax or employment law obligations pursuant to Art. 9(2)(b) GDPR


Recipients or Categories of Recipients

Your personal data will be shared with the following recipients only under strict observance of the professional confidentiality obligations pursuant to § 50 of the German Public Accountant Act (WPO) and only where an appropriate legal basis exists:


Public Authorities and Institutions

  • Tax authorities
  • Health insurance providers
  • Pension insurance providers
  • Employers' liability insurance associations
  • German Federal Employment Agency

Financial Service Providers and Pension Institutions

  • Pension funds
  • Contractual partners for company pension schemes

IT Service Providers and Data Processing

  • DATEV eG, Nuremberg (accounting and tax software)
  • iDeals/Schuster & Walter IT Business GmbH (secure data exchange platform)
  • Dracoon (secure data exchange platform)
  • Providers of audio and video conferencing solutions
  • Cloud service providers (details see section "Cloud Service Providers")

Credit Agencies and Business Information Services

  • Providers of credit checks and business information (exclusively for the fulfilment of legal obligations, particularly in the context of anti-money laundering prevention)

Cloud Service Providers

We use the cloud service Microsoft 365, which includes applications such as Word, Outlook, Excel, PowerPoint, Microsoft Teams, and SharePoint.
To ensure an appropriate level of data protection and compliance with the GDPR, we use Microsoft's EU Data Boundary for Microsoft 365. This technical measure ensures that your personal data is stored and processed exclusively within the European Union (EU). Additionally, we have concluded appropriate contracts with Microsoft in accordance with Art. 28 GDPR.

Access Authorisations

Within our company, only authorised employees who are bound by confidentiality obligations have access to your personal data, and only to the extent necessary to perform their professional duties.

Categories of Data Processed

The type and scope of the personal data we process depend on the respective client relationship, the specific assignment, and the information the client provides to us. Depending on the type of assignment, not all of the data categories listed below are processed.

Basic Data:

  • Personal identification data (form of address, first and last name, date of birth)
  • Contact details (address, email, telephone number)
  • Bank account details

Personal Characteristics:

  • Marital status
  • Religious affiliation (where relevant for tax purposes)

Professional and Economic Information:

  • Professional activity and career history
  • Income details (salary, other sources of income)
  • Asset information
  • Company shares and investments

Tax and Social Security Relevant Data:

  • Tax number/Tax ID
  • Social security number
  • Tax class
Transfer to Third Countries

As a general rule, no data is transferred to countries outside the EU/EEA. Should this nevertheless be necessary, the requirements pursuant to Chapter 5 of the GDPR will be adhered to.


Duration of Data Storage

We store your data in accordance with the statutory retention periods, which arise from the following legal bases:

Statutory Retention Periods

Commercial Law and Tax Law Retention Obligations

  • 10 years pursuant to § 147(1) of the German Fiscal Code (AO) and § 257(1) No. 1-4 of the German Commercial Code (HGB) for:
    • Books, records, annual financial statements, management reports
    • Accounting documents and invoices
    • Commercial books and tax-relevant documents
    • Annual financial statements, opening balance sheets and similar documents
  • 6 years pursuant to § 257(1) No. 2-3 HGB and § 147(1) No. 5 AO for:
    • Received commercial or business letters
    • Reproductions of sent commercial or business letters
    • Other documents, insofar as they are significant for taxation

Professional Law Retention Obligations

  • 10 years pursuant to § 51b(1) of the German Public Accountant Act (WPO) for:
    • Working papers of public accountants after completion of the engagement
    • Work results and reports
  • 10 years pursuant to § 66(1) of the German Tax Consultancy Act (StBerG) for:
    • Working papers of tax consultants after completion of the engagement

Anti-Money Laundering Retention Obligations

  • 5 years pursuant to § 8(4) of the German Anti-Money Laundering Act (GwG) for:
    • Records and evidence relating to identifications, transactions and business relationships
    • This period may be extended to up to 10 years if necessary according to official instructions for the prevention or prosecution of money laundering


Storage without Statutory Retention Obligation

Data for which there is no statutory retention obligation will generally be deleted or excluded from further processing at the latest 36 months after the end of the contractual relationship, provided they are no longer necessary for the purposes stated in our data protection notice. The 36-month period is based on the limitation period according to § 195 of the German Civil Code (BGB).


Extended Storage

Longer storage only occurs if:

  • You have consented to further storage (Art. 6(1)(a) GDPR),
  • This is necessary for the establishment, exercise or defence of legal claims (Art. 17(3)(e) GDPR), especially taking into account the tax and professional law limitation periods for liability claims,
  • Other legal obligations require longer storage (Art. 6(1)(c) GDPR).

The periods begin at the end of the calendar year in which the respective data was collected or the contractual relationship was terminated.

Your Rights

You have the following rights:

  • Access to stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of data processing (Art. 18 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Withdrawal of consent given (Art. 7(3) GDPR)
  • Data portability (Art. 20 GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR)

Our competent data protection supervisory authority is:

North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen)
Kavalleriestr. 2-4
40213 Düsseldorf
Germany

Obligation to Provide Data

For the client relationship, you only need to provide the personal data that is necessary for carrying out the assignment or which we are legally obliged to collect (e.g. identification obligations under the Anti-Money Laundering Act, information on professional independence).

The provision of this data enables us to work for you within the framework of legal requirements.

Automated Decision-Making and Profiling

We do not use automated decision-making pursuant to Art. 22 GDPR or profiling pursuant to Art. 4 No. 4 GDPR.

Right to Object pursuant to Art. 21 GDPR

Case-by-case right to object: You may object at any time to the processing of your data that is based on Art. 6(1)(e) or (f) GDPR. We will then no longer process this data unless we can demonstrate compelling legitimate grounds for the processing or the processing serves legal claims.

Further Information

If you have any questions about the processing of your personal data, we are available at any time. Should you require information that is not answered by this data protection notice, or if you need more detailed information on any point, please contact us using the contact details provided above.

We reserve the right to update this data protection notice in the event of legal or technical changes.


Executive Committee
Düsseldorf, March 2025