- Infor­mation pursuant to Article 12 et seq. of the General Data Protection Regulation (GDPR) -

In the following, we inform you about the processing of your personal data by us and the claims and rights to which you are entitled according to the data protection regula­tions, in parti­cular the European Data Protection Regulation (GDPR).

Personal data in the sense of the GDPR are all data that can be perso­nally related to you, e.g. name, address, e-mail addresses, date of birth etc.

We use the data protection terms used in our data protection infor­mation according to the GDPR. This includes terms such as personal data, processing, restriction of processing, profiling, pseud­ony­mi­sation, controller, processor, recipient, third party, consent, under­taking, super­visory authority and inter­na­tional organi­sation. For these terms, you can find corre­sponding defini­tions in Art. 4 GDPR.

Notice regarding the trans­mission of third party data by yourself:

If you transfer personal data about your spouse, life partner, relatives or other third parties (such as guarantors), please inform them about the processing of their personal data by us and refer to this data protection infor­mation. If necessary, the consent of these persons to the data transfer is required.

1. Who is respon­sible for data processing and whom can I contact?

Controller:

Hines Immobilien GmbH
Joachims­thaler Str.1
10623 Berlin

Please direct any enquiries regarding data protection to us as follows:

Deutschland.Datenschutz@hines.com

2.For what purposes do we process your data and on what legal basis?

We process personal data that we receive from you as part of your use of our website and, if appli­cable, our business relationship/management of the rental contract.

In the case of solely infor­mative use of the website, i.e if you do not register or otherwise provide us with infor­mation, we only collect the personal data that your browser transmits to our server. When you visit our website solely for infor­mation purposes, we collect the following access data, which are techni­cally necessary for us to display our website to you and to ensure its stability and security. This access data includes the IP address, date and time of the request, time zone diffe­rence to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific website accessed), access status/HTTP status code, amount of data trans­ferred in each case, referrer URL (previously visited page), operating system and its interface, browser type as well as language and version of the browser software, notifi­cation of successful retrieval.

Furthermore, we receive your personal data if you contact us, for example via contact form or e-mail. Personal data here are e.g name, address, e-mail, telephone number and, if appli­cable, the data you send us as a message (herein­after referred to as „contact data“). We process personal data for the following purposes and on the following legal basis:

Consent, art. 6 para 1 sentence 1 lit. a GDPR

If you have given us consent to process personal data for certain purposes, in parti­cular for contacting you (e.g. via our contact form or by e-mail for processing and handling the enquiry, sending newsletters, adver­tising by telephone, e-mail, SMS, etc.), this processing is lawful on the basis of your permission.

Consent may be withdrawn at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is therefore not affected. The withdrawal can be sent to the above contact details or to Deutschland.Datenschutz@hines.com.

Perfor­mance of a contract or execution of pre-contractual measures upon request of the person, art. 6 para 1 lit b GDPR

When contacting us (via contact form or e-mail), your data will be processed for the purpose of handling the contact request and its processing.

Consent, art. 6 para. 1 sentence 1 lit. a GDPR

When you visit our website for the first time, you will be asked whether you also wish to accept non-essential cookies. If you consent to the use of non-essential cookies, this will allow us to analyze the use of our website. Furthermore, we may carry out various marketing activities based on your inter­ac­tions with the website, other marketing channels and other third parties, such as social networks.

To find out more about the cookies we use, including in parti­cular how to manage and delete cookies, see the section on cookies below.

As part of the balancing of interests for the safeguarding of legitimate interests, art. 6 para. 1 sentence 1 lit. f GDPR

We process your access data to safeguard our legitimate interests or those of third parties. In parti­cular, we pursue the following legitimate interests:

• • Ensuring IT security, in parti­cular the security of the Website; we also store the IP address in the event that someone leaves behind illegal content using the comment function (insults, prohi­bited propa­ganda, etc.) and we must be able to determine the author’s identity for our own legal protection.
  • Adver­tising or market and opinion research, unless you have objected to the use of your data;
  • Assertion of legal claims and defense in case of legal disputes.

3. Who can access my data?

Within our company, only those depart­ments will have access to your data that need it to fulfil our contractual and legal obligations.

Processors used by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories of IT services for the maintenance of our hardware and software, logistics or letter dispatch. If we use processors to provide our services, we take appro­priate legal precau­tions and technical and organiza­tional measures to ensure the protection of personal data in accordance with the relevant legal requirements.

Data is only trans­ferred to third parties within the framework of legal requi­re­ments. We only pass on user data to third parties if this is necessary, e.g. on the basis of Art. 6 para. 1 b) GDPR for contractual purposes or based on legitimate interests pursuant to Art. 6 para. 1 f) GDPR in an economic and effective operation of our business or if you have consented to the data transfer. Under these condi­tions, recipients of personal data can be in particular:

• • • Suppliers, IT-service providers, insofar as they are not processors
    • Brokerage companies

4. How long will my data be stored?

For security reasons (e.g. to clarify acts of abuse or fraud), log file infor­mation is stored for a maximum of seven days and then deleted (see point 2 above). Data whose further storage is necessary for eviden­tiary purposes is exempt from deletion until the final clari­fi­cation of the respective incident.

As far as necessary, we process and store your personal data for the duration of our business relati­onship, which also includes, for example, the initiation and processing of a rental agreement.

In addition, we are subject to various storage and documen­tation obliga­tions, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documen­tation periods specified there are two to ten years. For example, we must retain the rental agreement containing your personal data for at least 10 years - calcu­lated from the end of the rental agreement.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are usually 3 years, but in certain cases can be up to thirty years, whereby the regular limitation period is three years.

5. Is data trans­ferred to a third country or to an inter­na­tional organisation?

The data provided will be processed within the European Union and if consent is given in the USA. For countries without an adequacy decision by the Commission according to Article 45 GDPR, this is so in the case of the USA, we generally agree on EU standard contractual clauses with the recipients of your data or obtain your consent for the data transfer.

Note: The protection of personal data in the USA does not corre­spond to the level of data protection required by the EU. In parti­cular, there are no enforceable rights to protect your data against access by government autho­rities. Therefore, there is a risk that these government agencies can access the personal data without the data trans­mitter or the recipient being able to effec­tively prevent this.

6. What are my data subject rights?

You may have the following rights in relation to your data

• • • the right to access their data according to Art. 15 GDPR (i.e. you have the right to request infor­mation about your personal data stored by us at any time),
    • the right to recti­fi­cation in accordance with Art. 16 GDPR (i.e. in the event that your personal data is inaccurate or incom­plete, you may request that it be rectified),
    • the right to erasure according to Art. 17 GDPR and the right to restriction of processing according to Art. 18 GDPR (i.e. you may have the right to request the erasure or restriction of the processing of your personal data if, for example, there is no longer a legitimate business purpose for such processing and legal retention obliga­tions do not require the continued storage),
    • the right to data porta­bility from Art. 20 GDPR (i.e. you may have the right to receive the personal data concerning you that you have provided to us in a struc­tured, common and machine-readable format and to transfer this data to another controller without hindrance).

Furthermore, you can withdraw your consent, in principle with effect for the future.

In addition, you have the right to lodge a complaint with a data protection super­visory authority (Art. 77 GDPR in conjunction with § 19 BDSG). You can find the super­visory authority respon­sible for you at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

In addition, we would like to point out your right of objection according to Art 21 GDPR:

Infor­mation about your right to object according to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your parti­cular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR which we use for questi­on­naire evaluation or adver­tising purposes. If you object, we will no longer process your personal data unless we can demons­trate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The objection can be made form-free and no trans­mission costs other than those according to the base rates will be incurred. The objection should be sent to the contact details provided above.

7. To what extent is there automated decision making including profiling in individual cases?

We do not use fully automated decision-making pursuant to Article 22 GDPR. We also do not process your data automa­ti­cally with the aim of evaluating certain personal aspects (profiling).

8. Is there an obligation for me to provide data? 

You must provide the personal data that is required for the use of our website for technical or IT security reasons. If you do not provide this data, you will not be able to use our website.

When contacting us by form or e-mail, you only need to provide the personal data that is required to process your request. Otherwise we will not be able to process your request.