Information obligations according to art. 13 & 14 GDPR
- Suppliers and third-party service providers
- Prospective buyers and tenants
- Tenants, tenants´ contact partners, contractors, facility service provider
- Applicant in case of direct collection (art. 13 GDPR)
- Applicant (art. 14 GDPR)
The following information is to give you, the "data subject", an overview of our processing of your personal data, and of your rights according to data protection laws. The use of our website is generally possible without any submission of personal data. Should you wish, however, to make use of special company services via our website, the processing of personal data may be necessary. If the processing of personal data is required and there is no legal basis for such processing, we generally ask you to consent to the procedure.
We as the controller have taken numerous technical and organisational steps to provide as much protection as possible of the personal data we process via this website. Nevertheless, because safety holes are generally possible in Internet-based data transmissions, we cannot guarantee absolute protection. For this reason, you are free to choose alternative forms of transfer of personal data, for example over the phone or in the post.
The controller within the meaning of the GDPR is:
Heilbronner Str. 190, 70191 Stuttgart, Germany
Phone: 0711/ 1653-0
Fax: 0711/ 1653-100
The controller is represented by the executive board or management
3. Data protection officer
You can reach the data protection officer as follows:
You are always welcome to contact our data protection officer if you have any queries or recommendations concerning data privacy.
1. Personal data
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by controllers (our company.)
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or other body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
9. Third party
Third party means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5. Legal basis for processing
For our company, point (a) of Art. 6(1) GDPR (in combination with Section 15(3) of the German Telemedia Act) is the legal basis for processing procedures by which we request consent to a particular purpose of processing.
Where the processing of personal data is necessary for the performance of a contract to which you are party, as in the case of processing procedures which are necessary for the delivery of goods or to provide a service or return service, the processing is based on point (b) of Art. 6(1) GDPR. The same applies to processing procedures which are necessary prior to entering into a contract, for instance in the case of queries concerning our products and services.
If our company has a legal obligation which necessitates processing of personal data, for example in order to comply with tax responsibilities, the processing is based on point (c) of Art. 6(1) GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would for example apply if a visitor to our company were to suffer injury, upon which his/her name, age, health insurance company data or other vital interests would have to be disclosed to a doctor, a hospital or other third parties. Here, the basis of processing would be point (d) of Art. 6(1) GDPR.
Lastly, processing procedures could be based on point (f) of Art. 6(1) GDPR. This is the legal basis for processing procedures not covered in any of the preceding legal bases, for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. We are in particular permitted to carry out such processing procedures because they were explicitly mentioned by the EU legislature. It took the view that such legitimate interest could exist where you are a customer of our company (recital 47, second sentence GDPR).
6. Transfer of data to third parties
A transfer of your personal data to third parties for purposes other than those in the following does not take place.
We only disclose your personal data to third parties if:
- you have given us your express consent to do so pursuant to point (a) of Art. 6(1) GDPR,
- the transfer is necessary pursuant to point (f) of Art. 6(1) GDPR for the protection of our legitimate interests, and there is no reason to believe that you have an overriding legitimate interest in restricting transfer of your data,
- in the event that a legal obligation exists for the disclosure pursuant to point (c) of Art. 6(1) GDPR, and
- this is permitted by law and pursuant to point (b) of Art. 6(1) GDPR is required for the execution of contractual relationships with you.
To protect your data, and if need be to enable the transfer of information to third countries (outside of the EU/EEA), we have signed data processing agreements on the basis of the European Commission’s standard contractual clauses.
7.1 SSL/TLS encryption
For safety reasons, and to protect the transfer of confidential content you have sent to us as the website operator, such as orders, login details or contact requests, our website uses SSL or TLS encryption. You can tell if a connection is encrypted when instead of "http://", you have an "https://" address line in your browser, and also by the padlock symbol in your browser line.
We implement this technology to safeguard your transferred information.
7.2 Data collection when visiting the website
If you use our website merely for information purposes, i.e. when you do not register or transfer information for any other reason, we only process the data your browser transmits to our server (in so-called server log files.) Every time you or an automated system accesses a page, our website collects an amount of general data and information. This general data and information is stored in the server’s log files. This may include:
- the types of browser and versions in use,
- the operating system used by the accessing system,
- the website from where the accessing system finds its way to our site (the so-called referrer),
- the sub-websites on our website which were called at via an accessing system,
- the date and time of access to the website,
- an internet protocol address (IP address),
- the Internet service provider of the accessing system.
When using this general data and information, we draw no conclusions on your identity. The information is instead required:
- to properly present our website content,
- to optimise the content and the advertising of our website,
- to guarantee the long-term functionality of our IT systems and website technology, and
- to provide the law enforcement authorities with necessary information in the case of a cyber attack.
This collected data and information, is processed on the one hand for statistical purposes, and on the other hand with the aim of increasing data protection and data safety in our company. In this way, we strive to ensure the best possible level of security for the personal data we process. When stored, the data from the server log files is separated from all the personal data submitted by a data subject.
The legal basis for data processing is point (f) of Art. 6(1) GDPR. Our legitimate interest results from the aforementioned data processing purposes.
9. Content of our website
9.1 Making contact / contact form
When you make contact with us, for example via contact form or email, personal data is collected. The information collected in a contact form is specified in the corresponding form. This data is used solely to respond to your query or to make contact, whereupon the technical details are stored and utilised. The legal basis for data processing is our legitimate interest in answering your query pursuant to point (f) of Art. 6(1) GDPR. If you are making contact to perform a contract, the additional legal basis for processing is point (b) of Art. 6(1) GDPR. After the processing of your query is finalised, your data is erased, providing it is clear from the circumstances that the matter in question has been concluded and insofar as there are no statutory storage obligations.
10. Plugins and other services
10.1 Google Maps
On our website we utilise Google Maps (API) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Éire. Google Maps is a web service for the display of interactive maps, allowing the visualisation of geographic information. This service can for example show you where we are based, and if need be show you how to find your way to us.
As soon as subpages are accessed which are linked to Google Maps, information on your use of our site (such as your IP address) is transferred to Google servers in the USA and stored there. This takes place regardless of whether Google provides you with a user account to which you are logged in, or whether you are without one. If you are logged into Google, your data is directly assigned to your account. If you do not wish to be assigned to your Google profile, you must log out of your Google account. Google stores data as user profiles (even if users are not logged in) and analyses it. You have a right to object to the generation of this user profile, however in order to do so, you must contact Google directly.
This processing activity occurs only when you have explicitly consented to it in accordance with point (a) of Art. 6(1) GDPR.
10.2 Google Fonts
Our website uses Google Fonts to display so-called fonts as provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Éire. When a page is accessed, your browser uploads the required fonts to your browser cache in order to properly display texts and fonts.
To this aim, the browser you utilise must make contact with Google’s servers. In this way, Google is informed that our website was accessed via your IP address. The use of Google Fonts takes place in the interest of an appealing, uniform display of our website.
This processing activity occurs only when you have explicitly consented to it in accordance with point (a) of Art. 6(1) GDPR.
11. Your rights as a data subject
11.1 Right to obtain confirmation
You shall have the right to obtain confirmation from us as to whether personal data concerning you is being processed.
11.2 Right of access Art. 15 GDPR
You shall have the right at any time to obtain from us, free of charge, access to stored personal data concerning you as well as a copy of this information in accordance with legal stipulations.
11.3 Right to rectification Art. 16 GDPR
You shall have the right to obtain the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you furthermore have the right to have incomplete personal data completed.
11.4 Right to erasure Art. 17 GDPR
You shall have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the relevant legal grounds applies and except where the processing or storage is not necessary.
11.5 Right to restriction of processing Art. 18 GDPR
You shall have the right to obtain from us the restriction of processing where one of the legal stipulations applies.
11.6 Right to data portability Art. 20 GDPR
You shall have the right to obtain the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You furthermore have the right to transmit this data to another controller without hindrance from us to which the personal data has been provided, where the processing is based on consent pursuant to point (a) of Art. 6(1) or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR; and the processing is carried out by automated means, except where processing is necessary for the performance of task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, in exercising your right to data portability pursuant to Art. 20(1), you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible, and where the rights and freedoms of others shall not be adversely affected.
11.7 Right to object Art. 21 GDPR
You shall have the right, on grounds relating to your personal situation, at any time to object to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR (data processing for reasons of public interest) and point (f) of Art. 6(1) GDPR (data processing on the basis of a balancing of interests):
This right also applies to profiling based on one of these provisions within the meaning of Art. 4(4) GDPR.
Where you object to processing, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
In isolated cases we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning you for the purpose of such marketing. This right also applies to profiling, insofar as it is applied to such marketing purposes. Where you object to processing for reasons of direct marketing, we shall no longer process your personal data for such purposes.
Furthermore, where we process personal data for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you shall, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
11.8 Withdrawal of consent to processing
You shall have the right to withdraw your consent to processing of personal data at any time with effect for the future.
12. Routine storage, erasure and blocking of personal data
We shall process and store your personal data only until the purpose of storage has been fulfilled or for as long as our company is required to do so by law.
When the purpose of storage has been concluded, or a prescribed deadline is arrived at, the personal data shall routinely be blocked or erased in accordance with the legal provisions.
13. Duration of storage of personal data
The criterion for the duration of storage is the respective statutory retention period. After expiry of the deadline, the respective data is routinely erased, unless it is required for the performance or initiation of a contract.