Annex – Processing of personal information by Elvinger Hoss as processor

In most cases we act as the controller of the personal information we process when providing our legal service. When, however, in specific circumstances, we receive strict and detailed instructions to process personal information on your behalf we act as a processor of that personal information in the meaning of the GDPR. Examples include when we process copies of identity cards or passports to represent persons in front of a notary public to pass a notarial deed or when we process names, e-mail addresses and telephone numbers to organise a meeting on behalf of a client (such as a board meeting).

Insofar as we process personal information as a processor on your behalf, we shall:

• a) only process that personal information in accordance with your documented instructions, including with regard to transfers to third countries;
• b) ensure that the members of our staff who process that personal information have committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality;
• c) take all measures pursuant to Article 32 of GDPR;
• d) respect the conditions laid down in Article 28 of the GDPR when engaging sub-processors;
• e) if necessary, taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR;
• f) if necessary, assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of processing and the information available to us;
• g) upon your request, delete or return to you all that personal information (insofar as we processes such personal information only in our capacity as processor), and delete all existing copies of any such personal information, unless it is mandatory for us to retain that personal information;
• h) make available to you, upon request, all necessary information to demonstrate compliance with Article 28 of the GDPR and allow for audits and inspections by you or your designated auditor on reasonable written notice.