Privacy Policy

Privacy Policy www.pplaw.com

 

Berlin:
Potsdamer Platz 5
10785 Berlin
+49 (30) 25353-0
F +49 (30) 25353-999
ber@pplaw.com

Frankfurt aM:
An der Welle 3
60322 Frankfurt aM
+49 (69) 247047-0
F +49 (69) 247047-30
fra@pplaw.com

Munich:
Hofstatt 1 (Entrance: Färbergraben 16)
80331 Munich
+49 (89) 24240-0
F +49 (89) 24240-999
muc@pplaw.com

 

Information on data processing at POELLATH

Unsubscribe from the newsletter

Overview

In this privacy policy, we inform you in accordance with Art. 12 GDPR about how, to what extent and for what purposes we process personal data

  • in the use of our website (see section 2)
  • regarding advice from POELLATH (see section 3)

Further information relevant to all the above-mentioned data processing operations is provided in Sections 1 and 4 to 9.

1. Responsible party and data protection officer

Responsible party in terms of data protection law: P+P Pöllath + Partners Rechtsanwälte und Steuerberater mbB (hereinafter POELLATH)

Data protection officer: Anna Cardillo. You can contact our data protection officer c/o P+P Pöllath + Partners, Potsdamer Platz 5, 10785 Berlin, T +49 (30) 25353-0, DSB@pplaw.com.

2. Website: processing of your personal data

2.1 Use of the website, access data

You may use our website for purely informational purposes without disclosing your identity. When visiting individual pages of the website in this sense, only access data is transmitted to our provider so that the website can be displayed to you. This includes the following data:

  • Browser type/browser version,
  • Operating system used,
  • Language and version of the browser software,
  • Host name of the accessing terminal,
  • IP address,
  • Website from which the request comes,
  • Content of the request (specific page),
  • Date and time of the server request,
  • Access status/HTTP status code,
  • Referrer URL (the previously visited page),
  • Amount of data transmitted,
  • Time zone difference from Greenwich Mean Time (GMT).

Temporary processing of this data is necessary in order to make it technically possible for a website visit to take place and for the website to be transmitted to your terminal. The access data is not used to identify individual users and is not merged with other data sources. Further storage in log files takes place to ensure the functionality of the website and the security of the information technology systems. The legal basis for processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests lie in ensuring the functionality of the website and the integrity and security of the website. The storage of access data in log files, in particular the IP address, for a longer period of time enables us to recognize and ward off misuse. This includes, for example, the defense against requests that overload the service or any bot usage. The access data will be deleted as soon as they are no longer required for the purpose of their processing. In the case of the data collection provide access to the website, this is the case when you end your visit to the website. In principle, the data is deleted after seven days at the latest; processing beyond this time period is possible in individual cases. In this case, the IP address will be deleted or encrypted in such a way that it is no longer possible to associate it with the accessing client.

You can appeal against the processing. Your right of objection exists for reasons arising from your particular situation. You can send us your objection via the contact data mentioned in the section “Responsible party and data protection officer”.

2.2 Cookies

In addition to the aforementioned access data, so-called cookies are stored in the Internet browser of the terminal device you use when using the website. These are small text files with a sequence of numbers which are stored locally in the cache of the browser used. Cookies do not become part of the terminal and cannot execute programs. They serve to make our website user-friendly. The use of cookies may be technically necessary or may be used for other purposes (e.g. analysis / evaluation of website use).

2.2.1 Technically necessary cookies

Some elements of our website require that the accessing browser be identified even after you change to another page. Language settings, for example, are processed in the cookies.

The user data collected through technically necessary cookies is not processed to create user profiles. If we use unnecessary cookies, we will inform you separately within the scope of this data protection declaration. We also use so-called "session cookies", which store a session ID with which various requests from your browser can be assigned to the common session. Session cookies are necessary for the use of the website. In particular, they enable us to recognize the terminal device used when you return to the website. The session cookies are deleted as soon as you log out or close the browser. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in processing are to provide the aforementioned special functionalities and thereby make the use of the website more attractive and effective.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can also prevent data processing based on cookies as follows: by deactivating or restricting or deleting cookies in the settings of your browser software or by opening the browser used in “private mode”.

2.2.2 Cookie management

We use a consent management tool on our website to request consent for the use of cookies or similar technologies. By means of a banner displayed on the website or the possibility to refuse your consent for certain functionalities of our website, e.g., for the purpose of integrating streaming content, statistical analysis and range measurement. You can use the cookie banner to give or refuse your consent for all functions or to give your consent for individual purposes or individual services. You can also subsequently change the settings you have selected under the link “Advanced Settings”. The purpose of integrating the cookie banner is to allow the users of our website to decide whether to set cookies and similar technologies and to offer the possibility to change settings already made in the course of further use of our website. In the course of utilizing the cookie banner, personal data as well as information from the terminals used, such as the IP address, are processed. The legal basis for the processing is Art. 6(1) Sentence 1(f) DSGVO. Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. We store your data as long as your user settings are active. After two years after the user settings have been made, you will be asked for your consent again. The user settings are then stored again for this period.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can also prevent data processing based on cookies as follows: by deactivating or restricting or deleting cookies in the settings of your browser software or by opening the browser used in “private mode”.

You can view and subsequently change the settings you have selected under the link “Advanced Settings”.

2.3 Newsletter and e-mail advertising by us and P+P Training GmbH

You may subscribe to the e-mail newsletter sent by us and our event partner P+P Training GmbH on our website, which will keep you regularly informed about our publications, seminars and events. In order to receive the newsletter, a valid e-mail address is required. The registration for our e-mail newsletter is a double opt-in procedure. After you enter the data marked as mandatory, we will send you an e-mail to the e-mail address you have provided, in which we ask you to explicitly confirm your registration for the newsletter (by clicking on a confirmation link). In this way, we ensure that you actually wish to receive our e-mail newsletter. After your confirmation, we process the e-mail address of the recipient concerned for the purpose of sending our e-mail newsletter. The legal basis for the processing is Art. 6(1) Sentence 1(a) GDPR. We delete this data when you cancel the newsletter subscription. We process the data until you exercise your right of revocation by cancelling our newsletter.

You can revoke your consent to the processing of your e-mail address for the receipt of the newsletter and e-mail advertising at any time, either by sending us a message (see the contact details in the section “Responsible party and data protection officer”), on our website or by directly clicking on the unsubscribe link contained in the newsletter. The legality of the processing carried out on the basis of consent until revocation is not affected by the revocation.

We process your IP address, the time of registration for the newsletter and the time of your confirmation in order to document your newsletter registration and to prevent the misuse of your personal data. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interest in this processing lies in the prevention of fraud. We delete these data at the latest when the newsletter subscription ends.

You have the right to object to this processing of your data. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the section “Responsible party and data protection officer”.

2.4 Services for statistical, analysis and marketing purposes (Google Analytics)

In order to tailor our website perfectly to user interests, we use Google Analytics, a web analytics service from Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001). Google Analytics uses cookies (see “Cookies” above), which are stored on your terminal device. Google uses the cookies to process the information generated about the use of our website by your device – e.g. the fact that you have visited a certain page – and processes, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited previously and the date and time of the server request, for the purpose of statistical analysis of how people use our website. For this purpose, it is also possible to determine whether different devices belong to you or to your household. This website uses Google Analytics with the “anonymizeIp()” extension. This shortens IP addresses before they are processed, in order to make it much more difficult to identify individuals. According to Google, your IP address is shortened beforehand within member states of the European Union. Only in exceptional cases will the full IP address be transferred to a Google server in the US and shortened there. On our behalf, Google will process this information for the purpose of evaluating your use of this website, compiling reports for us on website activity, and – where we point this out separately – providing us with other services relating to website usage. Google will not associate the IP address transmitted by your browser for these purposes with any other data held by Google. The legal basis of this processing is your consent under Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has not issued an adequacy decision for data transfers to the US; the legal basis for transfers to the US is your consent under Art. 49(1) Sentence 1(a) GDPR. Your data processed in connection with Google Analytics will be erased after 14 months at the latest. For further information about privacy at Google, please refer here.

You can withdraw your consent to the processing and transfers to third countries at any time by moving the slider back in the consent tool “Advanced Settings”. This does not affect the legality of the processing carried out on the basis of the consent prior to the withdrawal.

2.5 Integration of: YouTube videos         

On the website, we use plug-ins of the video platform “YouTube.de” or “YouTube.com”, a service of YouTube LLC (headquarters at 901 Cherry Avenue, San Bruno, CA 94066, USA; hereinafter “YouTube”), for which “Google” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001) is the responsible party in terms of data protection law. With the integration, we aim to include visual content (videos) that we have published on “Youtube.de” or “Youtube.com” on our website. When using the streaming function, information that is stored on your terminal device (e.g., IP address) is also processed. The videos are integrated in “extended data protection mode”, which means that no data about you as a user is transferred to “YouTube” if you do not play the videos. While playing the videos on our website, “YouTube” receives the information that you have accessed the corresponding subpage of our website. In addition, some of the data mentioned in the section “Use of the website” is transmitted to “Google”. This happens regardless of whether “YouTube” provides a user account through which you are logged in or whether no user account exists. If you are logged in at “Google”, your data will be assigned directly to your account. If you do not want the attribution to your profile on “YouTube”, you have to log out before activating the button. “YouTube” stores your data as user profiles and processes them independently of the existence of a user account at “Google” for the purposes of advertising, market research and/or demand-oriented design of its website. The legal basis for the processing is Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the USA. There is no adequacy decision by the EU Commission for data transfer to the USA; the legal basis for the transfer to the USA is your consent according to Art. 49(1) Sentence 1(a) GDPR. The storage period of your data can be found in the following descriptions of the individual third-party services. Further information on the purpose and scope of processing by “YouTube"” and the storage period at “YouTube” can be found in the privacy policy

You can revoke your consent to processing at any time, either by sending us a message (see the contact details in the “Responsible party and data protection officer” section) or by moving the slider back in the “Advanced Settings” of the content tool. The legality of the processing carried out on the basis of the consent until revocation is not affected by the revocation.

2.6 Social media

We do not use so-called social media plug-ins. However, we do offer you the opportunity to visit our presence on social networks such as LinkedIn and Instagram at various places on our website. If you click on the respective logo or the name of a social network, you will be redirected to our respective site via a link. In addition, you can also “share” certain contents of our website on the social networks. If you click on the “Share” logo on our website, the logos of the various social networks will appear. If you click on one of these logos, you will be redirected to the website of the corresponding social network. There - if you have an account and are logged in or log in - you can share the desired content from our website.

No personal data is sent to the social networks before you click on the logos or links which take you to the social network’s website. The possibility of personal data being transmitted to and processed by the social network only exists from the moment you click on the logo on our website and are redirected to the social network website. Personal data is processed, in particular, if you are logged in with your respective social media account and post the content with your account on the social networks. However, data - such as your IP address - can also be processed if you do not have a social media account.

We have no influence on the collected data and data processing procedures, nor are we aware of the full extent of the data collection, the purposes of the processing, the storage periods. We also have no information on the deletion of the collected data by the respective social network.

Further information on the purpose and scope of data collection and processing can be found in the data protection declaration of the respective network. There you will also find further information on your rights and settings to protect your privacy:

LinkedIn 
Instagram

2.7 Registration for events

If you register for one of our events on our website, by email or through an invitation link we send you, we process your personal data to the extent necessary for the organization and implementation of and follow-up to the event. For this purpose, we collect the following data from you: First and last name, company, address, email address. The legal basis for this is Art. 6 para. 1 p. 1 lit. b) DSGVO (General Data Protection Regulation / GDPR). Providing your data is necessary for participation in the event and you are contractually obliged to provide this data. If you do not provide your data, it will not be possible to conclude and/or execute the contract. After the purpose has been achieved (e.g., fulfillment of the contract), the personal data will be blocked for further processing or deleted, unless we are authorized to process it further if you grant consent (e.g., consent to process the email address for sending electronic advertising), a contractual agreement, a legal authorization (e.g., authorization to send direct advertising) or on the basis of legitimate interests (e.g., retention for enforcement of claims). For guest management, we use the cloud solution “guestoo” (www.guestoo.de) from the company Code Piraten GmbH, which specializes in events, separately for individual events, as well as within our online offering. We have concluded an order processing contract with the service provider in accordance with Art. 28 DSGVO to ensure compliance in protecting your data.

In order to document your registration and prevent the misuse of your personal data, registration for our event used the so-called double opt-in procedure. After entering the data marked as mandatory, we will send you an email to the email address you provided, in which we ask you to explicitly confirm your registration by clicking on a confirmation link. In doing so, we process your IP address, the date and time of registration and the time of your confirmation. We are legally obliged to substantiate your consent to the processing of your personal data in connection with the registration for the event (Art. 7 (1) DSGVO). Due to this legal obligation, data processing is based on Art. 6 (1) p. 1 lit. c) DSGVO.

When you register with us for events managed via the guestoo cloud solution, you enter the following personal data in the registration form:

  • Email address
  • First name, last name
  • Company name
  • Number of accompanying persons
  • First name, surname of the accompanying person(s)
  • Company of the accompanying person(s)

The personal data you provide will be stored in guestoo and processed only for the purpose of admission control for the respective event. The data will first be entered into the guest list. As soon as the guest list is finalized, we will send you a QR code generated by guestoo, which you can use to legitimize yourself upon entry to the event. In order to grant you admission, we will scan your QR code on-site on the day of the event. You will be admitted as soon as the system confirms that you are on the guest list. The system stores the fact that you have checked in and at what time you did so.

The legal basis is Art. 6 (1) lit. f DSGVO. Our legitimate interest is to control access to our events within the scope of our house rights and to grant admission only to invited guests.

We store your data for the duration of the organization (including relevant preparation for and follow-up to) of the respective event. Any existing legal obligations to retain data shall remain unaffected. Within two weeks after the end of the event, your data will be deleted from guestoo.

You may object to the processing. Your right to object exists for reasons arising from your particular situation. You may send us your objection using the contact details listed in the “Responsible party and data protection officer” section.

2.8 Contact with POELLATH

If you contact our company, e.g. by e-mail, the personal data you provide will be processed by us in order to answer your inquiry. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR or Art. 6(1) Sentence 1(b) GDPR, if the contact is aimed at the conclusion of a contract. If the inquiry is aimed at the conclusion of a contract, the information you provide is necessary and obligatory for the conclusion of a contract (see section 3). If the data is not provided, it is not possible to conclude or execute a contract in the form of establishing contact or processing the inquiry. The processing of personal data serves solely to process the establishment of contact, in which our legitimate interest also lies. In this context, the data will not be passed on to third parties. We delete the data accrued in this connection after the processing is no longer necessary - usually after the expiry of the legally binding storage obligations - or if they contradict further processing.

You can object to the processing. Your right of objection exists for reasons arising from your particular situation. You can send us your objection via the contact data mentioned in the section “Responsible party and data protection officer”.

2.9 Applications

If you send a job application to us by e-mail, the data you provide (your contact details, date of birth, professional background) will be processed by us to process your job application. The legal basis for processing your personal data in this job application procedure is primarily § 26 BDSG. According to this law, the processing of data required in connection with the decision to establish an employment relationship is permissible. Should the data be required for legal action after the application procedure has been completed, processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests in accordance with Art. 6(1) Sentence 1(f) GDPR. Our legitimate interest then consists in the assertion or defense of claims. Data of applicants will be deleted after 6 months in case of a rejection. In the event that you have agreed to further storage of your personal data, we will transfer your data to our job applicant pool. There the data will be deleted after your revocation.

Insofar as the processing is based on the legal basis in accordance with Art. 6(1) Sentence 1(f) GDPR, you have the right to object to the processing of your other data. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the section “Responsible party and data protection officer”.

2.10 Tool “Legatics” used in the context of transaction management

We offer our clients the use of the “Legatics” platform (Legatics Ltd., 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom, hereinafter: “Legatics”) for the purpose of centralized and structured processing of transactions, the exchange of documents and the implementation of projects (project management), including temporary file storage, transaction-related information and documents.

If you [as our client] wish to cooperate via Legatics as part of the client relationship, we will send you invitations to the e-mail addresses of the project participants provided to us with a link to the Legatics platform, where the invitees can register and open a user account. In this context, we process the first name, last name and e-mail address of the persons involved. We are responsible for processing your e-mail in the context of sending the invitation and for processing your personal data in the context of processing transactions and projects.

If you are invited to Legatics as part of a transaction or an exchange of documents, your personal data will be processed by Legatics as part of the invitation, registration and use of the platform. Legatics is responsible for the registration process, your user account with Legatics and the processing of your data on the platform. Further information on the processing of personal data by Legatics can be found here.

As soon as you have registered on the Legatics platform and set up a user account, you will be automatically logged in and will see an overview of the projects to which we have added you. Under “My account” you can enter further information at Legatics if you wish. We do not need the additional information you can enter there and will not process it.

As part of our cooperation, we process the following personal data in accordance with the respective functions when using Legatics:

  • Contact details, such as first and last name, e-mail address
  • Project data, such as affiliation to projects
  • Content data, such as shared text or image files and other attachments/documents, chat messages, wiki, whiteboard meeting notes, along with the date and time of entry
  • Communication data, such as calendar display and tasks, including completion status, mentions or notifications, changes and adjustments you have made to documents, comments, annotations

We receive the aforementioned personal data either from you or the documents made available on Legatics or from our clients who initiate the invitation to Legatics.

The legal basis for the processing of your personal data by us is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests lie in the digitalization of our process in the context of transactions and project management, as well as in offering our clients and the project participants the ability to handle their concerns digitally and efficiently.

We automatically delete the personal data we have processed as part of the use of Legatics in Legatics six months after the transaction has been completed. If statutory retention periods apply, we transfer the relevant documents and information to our document management system and delete them after the statutory retention periods have expired, unless further retention is permitted for other legal reasons.

Legatics also processes your data in the UK. The EU Commission has issued an adequacy decision for the processing of your data in the UK.

You can object to the processing. You have the right to object on grounds relating to your particular situation. You can send us your objection using the contact details provided in the “Responsible party and data protection officer” section.

3. Advisory by POELLATH

We hereby inform you about the processing of your personal data when we advise or legally represent you as attorneys or tax advisors.

3.1. Requirement to provide your personal data, purposes of processing and legal basis

We process your personal data to establish and execute the client-lawyer relationship. Providing your personal data is required for this purpose. If you do not provide your personal data, the establishment and execution of the client-lawyer relationship may not be possible. The legal basis for processing is Art. 6(1) lit. b GDPR.

3.2. Recipients and categories of recipients

Your personal data will or can be transmitted to the following recipient or categories of recipients:

  • P+P Training GmbH (see 2.3.)
  • Berliner Steuergespräche e.V.
  • Münchner Unternehmenssteuerforum e.V.
  • Münchner M&A Forum e.V.
  • Stiftung Hilfe zur Selbsthilfe
  • Max-Planck-Förderstiftung
  • Courts or authorities who are involved in your case.
  • Third parties who are involved in your case, such as the opposing party and their authorized proxies.
  • Colleagues from other law firms whom we consult on your case.

In particular, documents and personal data contained therein that are relevant for tax purposes may be passed on to other recipients (e.g., tax consultants, auditors, lawyers). We will only forward your data to third parties if you have given us your consent to do so (Art. 6 (1) lit. a GDPR), if the forwarding is necessary in accordance with Art. 6 (1) lit. f GDPR for the assertion, exercise or defense of legal claims and if there is no reason to assume that you have an overriding interest worthy of protection which requires non-disclosure of your data, if there is a legal obligation for the forwarding (Art. 6 para. 1 lit. c GDPR) or this is legally permissible or necessary for the fulfillment of contractual relationships with you in accordance with Art. 6 (1) lit. b GDPR. If we suspect a criminal offense, we may pass on your data to law enforcement authorities (e.g., police, public prosecutor’s office).

3.3 E-mail information

We reserve the right to use the e-mail address provided by you within the scope of the client relationship in accordance with the statutory provisions from time to time in order to send you information on publications, seminars and events by e-mail during or after our consultation, provided that you have not already objected to this processing of your e-mail address:

If the sending of electronic information is not necessary for the execution of the contract (e.g., e-mail in informational form), the processing is based on the legal basis according to Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in the above-mentioned processing are to increase and optimize our services, to send information on current market developments, to inform you of consulting offers, to invite you to free events, to send direct advertising and to ensure customer satisfaction. We delete your data at the latest after receiving your objection.

We would like to point out that you can object to receipt of this information, as well as the processing for the purpose of this information, at any time without incurring any costs other than the transmission costs according to the basic tariffs. You have a general right to object without stating reasons (Art. 21(2) GDPR). You can declare your objection by sending us a message (see the contact details in the section “Responsible party and data protection officer”) or by directly clicking on the unsubscribe link contained in the e-mails.

4. Transmission to third parties

We only pass on the personal data described here to the extent that this is necessary for the provision of our service or is required by law in this context (see Art. 6(1) lit. a and c GDPR). Within the scope of the purposes described here, personal data is forwarded to service providers who work for us and support us in particular in the provision of services. In addition to their legal obligation to ensure that we comply with all data protection regulations, these service providers are bound by further contractual provisions on data protection. As a rule, this includes an obligation as a processor in accordance with Art. 28(3) GDPR.

Otherwise, we only transfer personal data to third parties if we have a legal permission to do so or if you have given your prior consent. You can revoke any consent you may have given at any time with effect for the future. We will only pass on your data to government agencies within the framework of legal obligations or on the basis of an official order or court decision and only to the extent permitted by data protection law.

5. Transmission to countries outside the EU

As far as necessary for our purposes, we may also transfer your data to recipients outside the EU. We only do this within the framework of the data protection requirements for transfers to third countries, if it is ensured that the recipient of the data guarantees an adequate level of data protection in the sense of Chapter V of the GDPR and no other interests worthy of protection speak against the data transfer.

6. Deletion

We delete your personal data as soon as they are no longer required for the purposes pursued by the processing and as long as there are no conflicting legal storage obligations.

7. Your rights

You can request access to the personal data stored by POELLATH about you at any time, free of charge (Art. 15 GDPR), and – subject to the relevant legal requirements – you can request that such data be rectified (Art. 16 GDPR), erased (Art. 17 GDPR), or that its processing be restricted (Art. 18 GDPR). If POELLATH processes your data to pursue legitimate interests, you can exercise your right to object (Art. 21 GDPR). Whether and to what extent these rights exist in individual cases and which conditions apply is determined by the law, in particular the GDPR. The GDPR also grants you a right to data portability under certain circumstances (Art. 20 GDPR). If you have given your consent under data protection law, you can withdraw it at any time with effect for the future (Art. 7(3) GDPR). You also have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). However, if you have any questions or complaints about data protection at POELLATH, we recommend that you first contact our data protection officer. To exercise these rights or if you have any other questions regarding data protection, please contact our company’s data protection officer (see (1) above). To ensure that your request is dealt with quickly, we recommend that you provide us with your last name, first name and, if available, your e-mail address and – if you have received advertising and wish to object – that you send us a copy of the offending promotional material.

8. No automated individual decision-making

We will not use your personal data for automated individual decision-making in terms of Art. 22(1) GDPR.

9. Changes to this privacy notice

New legal requirements, business decisions or technical developments may require changes to our privacy notice. The privacy notice will then be adjusted accordingly. The latest version is always available on our website.

Last amended: February 2024