- Information pursuant to Article 12 et seq. of the General Data Protection Regulation (GDPR) -
In the following, we inform you about the processing of your personal data by us and the claims and rights to which you are entitled according to the data protection regulations, in particular the European Data Protection Regulation (GDPR).
Personal data in the sense of the GDPR are all data that can be personally related to you, e.g. name, address, e-mail addresses, date of birth etc.
We use the data protection terms used in our data protection information according to the GDPR. This includes terms such as personal data, processing, restriction of processing, profiling, pseudonymisation, controller, processor, recipient, third party, consent, undertaking, supervisory authority and international organisation. For these terms, you can find corresponding definitions in Art. 4 GDPR.
Notice regarding the transmission of third party data by yourself:
If you transfer personal data about your spouse, life partner, relatives or other third parties (such as guarantors), please inform them about the processing of their personal data by us and refer to this data protection information. If necessary, the consent of these persons to the data transfer is required.
1. Who is responsible for data processing and whom can I contact?
Hines Immobilien GmbH
Please direct any enquiries regarding data protection to us as follows:
2. For what purposes do we process your data and on what legal basis?
We process personal data that we receive from you as part of your use of our website and, if applicable, our business relationship/management of the rental contract.
In the case of solely informative use of the website, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. When you visit our website solely for information purposes, we collect the following access data, which are technically necessary for us to display our website to you and to ensure its stability and security. This access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific website accessed), access status/HTTP status code, amount of data transferred in each case, referrer URL (previously visited page), operating system and its interface, browser type as well as language and version of the browser software, notification of successful retrieval.
Furthermore, we receive your personal data if you contact us, for example via contact form or e-mail. Personal data here are e.g. name, address, e-mail, telephone number and, if applicable, the data you send us as a message (hereinafter referred to as "contact data"). We process personal data for the following purposes and on the following legal basis:
Consent, art. 6 para 1 sentence 1 lit. a GDPR
If you have given us consent to process personal data for certain purposes, in particular for contacting you (e.g. via our contact form or by e-mail for processing and handling the enquiry, sending newsletters, advertising by telephone, e-mail, SMS, etc.), this processing is lawful on the basis of your permission.
Consent may be withdrawn at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is therefore not affected. The withdrawal can be sent to the above contact details or to Deutschland.Datenschutz@hines.com.
Performance of a contract or execution of pre-contractual measures upon request of the person, art. 6 para 1 lit b GDPR
When contacting us (via contact form or e-mail), your data will be processed for the purpose of handling the contact request and its processing.
Consent, art. 6 para. 1 sentence 1 lit. a GDPR
When you visit our website for the first time, you will be asked whether you also wish to accept non-essential cookies. If you consent to the use of non-essential cookies, this will allow us to analyze the use of our website. Furthermore, we may carry out various marketing activities based on your interactions with the website, other marketing channels and other third parties, such as social networks.
To find out more about the cookies we use, including in particular how to manage and delete cookies, see the section on cookies below.
As part of the balancing of interests for the safeguarding of legitimate interests, art. 6 para. 1 sentence 1 lit. f GDPR
We process your access data to safeguard our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:
- Ensuring IT security, in particular the security of the Website; we also store the IP address in the event that someone leaves behind illegal content using the comment function (insults, prohibited propaganda, etc.) and we must be able to determine the author’s identity for our own legal protection.
- Advertising or market and opinion research, unless you have objected to the use of your data;
- Assertion of legal claims and defense in case of legal disputes.
3. Who can access my data?
Within our company, only those departments will have access to your data that need it to fulfil our contractual and legal obligations.
Processors used by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories of IT services for the maintenance of our hardware and software, logistics or letter dispatch. If we use processors to provide our services, we take appropriate legal precautions and technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal requirements.
Data is only transferred to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary, e.g. on the basis of Art. 6 para. 1 b) GDPR for contractual purposes, or based on our legitimate interests pursuant to Art. 6 para. 1 f) GDPR in the economic and effective operation of our business, or if you have consented to the data transfer. Under these conditions, recipients of personal data can be in particular:
- Suppliers, IT-service providers, insofar as they are not processors
- Brokerage companies
4. How long will my data be stored?
For security reasons (e.g. to clarify acts of abuse or fraud), log file information is stored for a maximum of seven days and then deleted (see point 2 above). Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
As far as necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and processing of a rental agreement.
In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified there are two to ten years. For example, we must retain the rental agreement containing your personal data for at least 10 years - calculated from the end of the rental agreement.
Finally, the storage period is also assessed according to the statutory limitation periods. According to §§ 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years, but in certain cases it can be up to thirty years.
5. Is data transferred to a third country or to an international organisation?
The data provided will be processed within the European Union and, if consent is given, in the USA. For countries without an adequacy decision by the Commission according to Article 45 GDPR, which is the case for the USA, we generally agree on EU standard contractual clauses with the recipients of your data or obtain your consent for the data transfer.
Note: The protection of personal data in the USA does not correspond to the level of data protection required by the EU. In particular, there are no enforceable rights to protect your data against access by government authorities. Therefore, there is a risk that these government agencies can access the personal data without the data transmitter or the recipient being able to effectively prevent this.
6. What are my data subject rights?
You may have the following rights in relation to your data:
- the right to access your data according to Art. 15 GDPR (i.e. you have the right to request information about your personal data stored by us at any time),
- the right to rectification in accordance with Art. 16 GDPR (i.e. in the event that your personal data is inaccurate or incomplete, you may request that it be rectified),
- the right to erasure according to Art. 17 GDPR and the right to restriction of processing according to Art. 18 GDPR (i.e. you may have the right to request the erasure or restriction of the processing of your personal data if, for example, there is no longer a legitimate business purpose for such processing and legal retention obligations do not require the continued storage),
- the right to data portability from Art. 20 GDPR (i.e. you may have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another controller without hindrance).
Furthermore, you can withdraw your consent, in principle with effect for the future.
In addition, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). You can find the supervisory authority responsible for you at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
In addition, we would like to point out your right of objection according to Art. 21 GDPR:
Information about your right to object according to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR which we use for questionnaire evaluation or advertising purposes. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The objection is not subject to any formal requirements, and no transmission costs other than those according to the base rates will be incurred. The objection should be sent to the contact details provided above.
7. To what extent is there automated decision making including profiling in individual cases?
We do not use fully automated decision-making pursuant to Article 22 GDPR. We also do not process your data automatically with the aim of evaluating certain personal aspects (profiling).
8. Is there an obligation for me to provide data?
You must provide the personal data that is required for the use of our website for technical or IT security reasons. If you do not provide this data, you will not be able to use our website.
When contacting us by form or e-mail, you only need to provide the personal data that is required to process your request. Otherwise we will not be able to process your request.