Privacy Policy

1. Data Controller

The Data Controller within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR) is:

Mario Tiefenbacher, LL.M.
Sobieskigasse 35/1/20, 1090 Vienna, Austria
Phone: +43 660 3854856
Email: kanzlei@tiefenbacher-law.at
Website: www.tiefenbacher-law.at

(hereinafter "we", "us", or "Law Firm")

2. General Information on Data Processing

As a rule, we collect and process personal data only insofar as this is necessary for the provision of our legal services or the operation of our website. Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR), e.g., name, address, email address, telephone number, date of birth, or social security number. In the context of client representation, special categories of personal data within the meaning of Art. 9 Para. 1 GDPR may also be processed, in particular health data, as well as data relating to criminal convictions and offences (Art. 10 GDPR).

3. Legal Basis for Processing

Depending on the purpose of the processing, we rely on the following legal bases:

  • Execution of mandate: Art. 6 Para. 1 lit. b GDPR (Performance of a contract) in conjunction with § 9 Para. 2 RAO (Austrian Lawyers' Act – professional secrecy)

  • Special data categories in the client relationship: Art. 9 Para. 2 lit. f GDPR (Establishment, exercise, or defense of legal claims)

  • Pre-contractual measures: Art. 6 Para. 1 lit. b GDPR (Inquiries from potential clients)

  • Legal obligations: Art. 6 Para. 1 lit. c GDPR (esp. tax retention obligations according to § 132 BAO, professional obligations)

  • Legitimate interests: Art. 6 Para. 1 lit. f GDPR (e.g., server log files, IT security)

  • Consent: Art. 6 Para. 1 lit. a GDPR (e.g., web analytics via Google Analytics 4, Google Maps)

4. Recipients and Data Processors

4.1 Recipients in the Context of Client Representation

To fulfill your mandate, it may be necessary to forward your data to the following categories of recipients:

  • Courts, authorities, administrative bodies

  • Opposing parties and their legal representatives

  • Substitute lawyers and attorneys we use to fulfill the mandate

  • Experts, notaries, tax advisors

  • Insurance companies (if required for the mandate)

The transfer takes place exclusively on the basis of the GDPR, in particular for the performance of a contract (Art. 6 Para. 1 lit. b GDPR) or based on your consent (Art. 6 Para. 1 lit. a GDPR). Furthermore, within the scope of our legal representation, we regularly obtain fact- and case-related information from third parties (e.g., land register, commercial register, authorities).

4.2 Data Processors

For the operation of our law firm and website, we use the following categories of data processors (Art. 28 GDPR):

  • Hosting providers (web server and email)

  • IT service providers and law firm software providers

  • CookieYes Ltd. (Consent Management Tool)

  • Google Ireland Limited (Google Analytics 4, Google Maps)

Data processing agreements pursuant to Art. 28 GDPR have been concluded with all processors. The processors process your data exclusively according to our instructions.

5. Transfer to Third Countries

Certain service providers used by us (especially Google) may transfer personal data to the USA. The transfer is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR for the "EU-U.S. Data Privacy Framework" (DPF), Implementing Decision (EU) 2023/1795 of July 10, 2023. Google LLC is certified under the DPF. Insofar as a transfer takes place to a third country without an adequacy decision, we use appropriate safeguards, in particular Standard Contractual Clauses (SCCs) according to Implementing Decision (EU) 2021/914 of the Commission.

Note: Should the adequacy decision for the DPF be annulled or restricted by the ECJ or the European Commission in the future, we will immediately switch to Standard Contractual Clauses (SCCs) as the transfer mechanism.

6. Website-Specific Processing

6.1 Server Log Files

When you visit our website, the hosting provider automatically collects information in server log files that your browser transmits. This includes: IP address, browser type and version, operating system, referrer URL, accessed pages, date, and time of access.

  • Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in the technical provision and security of the website).

  • Storage duration: The log files are automatically deleted after 14 days. This data is not merged with other data sources.

6.2 Cookies and Consent Management

This website uses cookies. Technically necessary cookies are set on the basis of our legitimate interest (Art. 6 Para. 1 lit. f GDPR) and are required for the proper operation of the website. Non-essential cookies (e.g., for web analytics) are only set after your explicit consent (Art. 6 Para. 1 lit. a GDPR). We use CookieYes as a Consent Management Tool. On your first visit to our website, you will be asked for your consent via a cookie banner. You can revoke or adjust your consent at any time with future effect by accessing the cookie settings on our website. The tool itself stores a technically necessary cookie to remember your decision.

6.3 Google Analytics 4

Provided you have explicitly consented via our cookie banner (Art. 6 Para. 1 lit. a GDPR), this website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies to analyze visitor behavior. The collected data (e.g., page views, length of stay, devices used, approximate location) is transferred to Google servers, which may involve a transfer to Google LLC in the USA. The data transfer is secured by the EU-U.S. Data Privacy Framework (Art. 45 GDPR). With Google Analytics 4, IP anonymization is activated by default. Google truncates your IP address within the EEA prior to transmission.

  • Storage duration of analytics data: 14 months.

  • Data processing agreement: The use of Google Analytics is based on the Google Ads Data Processing Agreement according to Art. 28 GDPR.

You can revoke your consent at any time via the cookie settings on our website. Additionally, you can download the browser add-on to disable Google Analytics (https://tools.google.com/dlpage/gaoptout).

6.4 Google Maps

Provided you have consented via our cookie banner (Art. 6 Para. 1 lit. a GDPR), we integrate Google Maps (Google Ireland Limited) to display our law firm location. When using Google Maps, the following data is transmitted to Google: IP address, location data (if permitted), browser type, operating system. A transfer to Google LLC in the USA may occur; the transfer is secured by the EU-U.S. Data Privacy Framework. Google Maps will not be loaded without your consent. Instead, a static image or a placeholder with an activation button is displayed. Further information on data processing by Google: https://policies.google.com/privacy.

6.5 Contacting Us

If you contact us by email or telephone, your details (name, email address, phone number, content of your inquiry) will be processed for the purpose of handling your inquiry.

  • Legal basis: Art. 6 Para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in responding to inquiries).

7. Storage Duration

We store personal data only as long as necessary for the respective processing purpose or as long as statutory retention periods exist. Specifically, the following periods apply:

  • Tax retention: 7 years (§ 132 BAO – Austrian Federal Fiscal Code)

  • Professional retention: 5 years after the end of the mandate (§ 17 RL-BA 2015 – Guidelines for the Practice of the Legal Profession)

  • Civil law limitation: 3 years (general limitation period under § 1489 ABGB – Austrian Civil Code), in individual cases up to 30 years (absolute limitation)

  • Server log files: 14 days

  • Google Analytics 4: 14 months

After the respective period has expired, the data is deleted or anonymized, provided there are no further statutory retention obligations.

8. Your Rights as a Data Subject

Under the GDPR – subject to the professional secrecy of lawyers (§ 9 RAO) – you have the following rights in particular:

  • Right of access (Art. 15 GDPR): You can request information about your personal data processed by us.

  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data or the completion of incomplete data.

  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligation opposes this.

  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request the restriction of the processing of your data.

  • Right to data portability (Art. 20 GDPR): You can request to receive the data concerning you in a structured, commonly used, and machine-readable format.

  • Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests (Art. 6 Para. 1 lit. f GDPR) at any time.

  • Right to withdraw consent (Art. 7 Para. 3 GDPR): You can withdraw a given consent at any time with effect for the future. The lawfulness of the processing carried out until the revocation remains unaffected.

  • Automated decision-making (Art. 22 GDPR): We do not use automated decision-making, including profiling.

To exercise your rights, please contact us using the details provided in section 1 above.

9. Professional Secrecy of Lawyers

As a law firm, we are subject to comprehensive professional secrecy obligations in accordance with § 9 Para. 2 RAO. This duty of confidentiality constitutes a specific safeguard within the meaning of Art. 9 Para. 2 lit. f GDPR and protects all mandate-related information. This means in particular: Third parties (e.g., opposing parties) have no right to information about mandate-related data of other data subjects, insofar as this would conflict with the duty of confidentiality. The duty of confidentiality remains in effect even after the termination of the mandate.

10. Data Security

We take appropriate organizational and technical measures to protect your personal data in accordance with Art. 32 GDPR, in particular against unauthorized access, loss, destruction, or alteration. These measures are regularly reviewed and adapted to the state of the art. Please note that data transmission over the Internet (e.g., when communicating via email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

11. Notification of Data Breaches

In the event of a personal data breach (Art. 33, 34 GDPR), we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If there is a high risk, we will also inform you as the data subject without undue delay.

12. Right to Lodge a Complaint with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR):

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
https://www.dsb.gv.at

13. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy in order to adjust it to changed legal situations, technical innovations, or changes to our services. The current version can always be found on our website.

Status: April 2026