Part 1: Information on data protection
Information on data protection concerning our data processing under Articles (Art.) 13, 14 and 21 of the General Data Protection Regulation (GDPR). We take data protection seriously; in this section, we would like to provide you with information on how we process your data and what claims and rights you are entitled to under the relevant legal provisions on data protection. In effect from 25 May 2018 onwards.
1. Controller responsible for the data processing and contact details of the controller within the meaning of data protection law
Tel: +49 821 50910-000
Fax: +49 821 50910-999
In exceptional cases there may also be a joint controllership with other third parties. This is currently limited to individual constellations in the area of property and facility management.
Contact details of our data protection officer:
HEC Harald Eul Consulting GmbH
Data Protection + Data Security
Harald Eul (PATRIZIA data protection officer)
Auf der Höhe 34
2. Purposes and legal bases for our processing of your data
We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data protection regulations (details in the following). The details of what specific data are processed and the manner in which they are used depend primarily on the respective services requested or agreed. Further details and supplemental information on the purposes of data processing can be found in the respective contractual documents, forms, declarations of consent and/or other information provided to you (e.g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time.
2.1 Purposes for the fulfilment of a contract or of pre-contractual measures (Art. 6 [1b] GDPR)
The processing of personal data takes place for the performance of our contracts with you and the implementation of your orders, as well as for the execution of measures and activities in the context of pre-contractual relationships, e.g. with potential customers. In particular, the processing thus serves to facilitate the performance of services in accordance with your orders and wishes, and encompasses the services, measures and activities this requires. This includes all business activities focusing on real estate (especially acquisition, sale, brokerage, lease-out and management) and investments in real estate (funds and direct investments). These primarily include contract-related communication with you, the traceability of transactions, orders and other agreements, for quality control through corresponding documentation, goodwill procedures, measures for the control and optimisation of business processes, and for the fulfilment of general due diligence obligations, management and control by associated companies (e.g. a parent company); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, settlement and tax evaluation of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security (including system and plausibility tests) and general security, including building and plant security, safeguarding and exercising domiciliary rights (e.g. through entry controls); ensuring the integrity, authenticity and availability of data, prevention and clarification of criminal offences; controls by supervisory committees or other supervisory bodies (e.g. Internal Audit).
2.2 Purposes in the context of our legitimate interests or those of third parties (Art. 6 [1f] GDPR)
Beyond the actual fulfilment of the contract / preliminary contract, we may potentially process your data if necessary in order to protect our legitimate interests or those of third parties, particularly for the following purposes:
- advertising or market and opinion research, provided you have not objected to the use of your data;
- collection of information and exchange of data with credit agencies if this exceeds our economic risk;
- review and optimisation of needs analysis procedures;
- further development of products and services as well as existing systems and processes;
- disclosure of personal information as part of due diligence in the context of company sale negotiations;
- for comparison with European and international antiterrorism lists, if beyond the statutory obligations;
- enrichment of our data, including by using or researching publicly accessible data;
- statistical assessments or market analysis;
- assertion of legal claims and defence in the event of legal disputes that cannot be directly attributed to the contractual relationship;
- limited storage of data in the event that deletion is impossible or only possible with disproportionate effort due to the specific type of storage;
- development of scoring systems or automated decision-making processes;
- prevention and clarification of criminal offences, if not exclusively for the fulfilment of statutory requirements;
- building and plant security (e.g. through entry controls and video surveillance), if beyond the general due diligence obligations;
- internal and external investigations, security inspections;
- potential listening-in or recording of telephone conversations for quality control and training purposes;
- receiving and maintaining certifications of a private law or official nature;
- safeguarding and exercising domiciliary rights through corresponding measures as well as through video surveillance for the protection of our customers and employees and in order to secure evidence in the event of criminal offences and the prevention thereof and also
- the involvement of service providers as independent or joint controllers to carry out activities for the performance of a contract or for pre-contractual measures (cf. clause 2.2) or for the purposes of the legitimate interests as listed above.
2.3 Purposes in the context of your consent (Art. 6 [1a] GDPR)
Processing of your personal data for specific purposes (e.g. use of your email address for marketing purposes) can also take place on the basis of your consent. You can generally revoke this consent at any time. This also applies for the revocation of declarations of consent that were issued to us before the GDPR entered into effect, i.e. before 25 May 2018. You will be informed of the purposes and of the consequences of revoking or withholding consent separately in the corresponding text of the consent.
As a general principle, revocations of consent apply only to the future. Instances of processing which took place before the revocation are not affected by it and remain legitimate.
2.4 Purposes for the fulfilment of statutory requirements (Art. 6 [1c] GDPR) or in the public interest (Art. 6 [1e] GDPR)
In the same manner as anyone involved in business affairs, we are also subject to numerous legal obligations. These primarily encompass statutory requirements (e.g. commercial law and tax law), but may also include supervisory or other official provisions. The purposes of processing may potentially include identity and age verification, fraud and money laundering prevention, the prevention, combating and detection of terrorism financing and asset-endangering criminal offences, comparisons with European and international antiterrorism lists, the fulfilment of control and reporting requirements under tax law and the archiving of data for purposes of data protection and data security as well as review by tax authorities and other public agencies. In addition, the disclosure of personal data may be necessary in the context of official/judicial measures for purposes of evidence collection, criminal prosecution or the enforcement of civil claims.
3. The categories of data we process in the event that we do not receive data directly from you and where these are obtained from
If necessary for the performance of our services, we process personal data permissibly obtained from other companies or other third parties (e.g. credit agencies, address publishers, property and facility management). In addition, we process personal data that we have permissibly collected, obtained or acquired from publicly accessible sources (such as telephone directories, commercial registries and registers of associations, civil registers, records of debtors, land registers, press, internet and other media) and are permitted to process.
Relevant personal data categories may include the following in particular:
- personal details (name, date of birth, place of birth, nationality, civil status, profession/industry and comparable data);
- contact data (address, email address, telephone number and comparable data);
- address data (residential registration data and comparable data);
- payment/cover confirmation for bank cards and credit cards;
- information on your financial situation (credit data including scoring, i.e. data for assessing economic risk);
- customer history;
- data on your use of the telemedia we provide (e.g. time of access of our websites, apps or newsletters; clicked pages/links of ours or entries and comparable data);
- video data.
4. Recipients or categories of recipients of your data
Within our company, your data are received by the internal departments or organisational units that need them for the fulfilment of our contractual and statutory obligations or in the context of the handling and implementation of our legitimate interests. Your data are shared with external parties exclusively:
- in connection with contract execution;
- for purposes of the fulfilment of statutory requirements under which we are obligated to disclose, report or share data or when sharing data is in the public interest (cf. Section 2.4);
- if external service providers process data on our account as contracted processors or function-holders (e.g. external computer centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data validation / plausibility checks, data destruction, purchasing/procurement, customer management, letter shops, marketing, media technology, research, risk controlling, billing, telephone services, website management, property and facility management, audit services, credit institutions, printing services or companies for data disposal, courier services, logistics);
- on the basis of our legitimate interests or the legitimate interests of third parties for purposes within the scope specified under Section 2.2 (e.g. with authorities, credit agencies, debt collection agencies, attorneys, courts, external experts, associated group companies, committees and supervisory bodies);
- when you have given us your consent to the transmission of your data to third parties.
We will not share your data with third parties under any other circumstances. If we hire service providers in the context of contracted processing, your data will be subject to the same security standards there as with us. In other cases, the recipients are only permitted to use the data for the purposes for which it was shared with them.
5. Duration of the storage of your data
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various obligations of retention and documentation such as those under the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods of retention or documentation specified therein amount to up to ten years beyond the end of the business relationship / pre-contractual legal relationship.
Furthermore, special statutory provisions may require a longer period of retention, such as the retention of evidence within the scope of statutory limitation requirements. While the regular statutory limitation period under sections 195 et seq. of the German Civil Code (BGB) amounts to three years, limitation periods of up to 30 years may be applicable.
If the data are no longer needed for the fulfilment of contractual or statutory obligations and rights, they are normally deleted unless temporary continued processing of them is required for the fulfilment of purposes listed under Section 2.2 on the basis of an overriding legitimate interest. An overriding legitimate interest of this type also exists, for example, if deletion is impossible or only possible with disproportionate effort due to the type of storage and processing for other purposes has been made impossible by means of appropriate technical and organisational measures.
6. Processing of your data in a third country or by an international organisation
Data are only shared with parties in countries outside the European Union (EU) / the European Economic Area (EEA) (‘third countries’) when this is necessary for the execution of an order/contract from/with you, when required by law (e.g. reporting obligations under tax law), when this falls within the scope of a legitimate interest of us or a third party or when you have given us your consent.
In this context, processing of your data in a third country may also take place in connection with the engagement of service providers (e.g. in the context of contracted processing). If there is no European Commission resolution on the existence of an appropriate level of data protection for the country in question, then we will ensure that your rights and freedoms are appropriately protected and guaranteed by means of corresponding contracts in accordance with EU data protection provisions. We can provide you with corresponding detailed information on request.
Information on the suitable or appropriate guarantees and the possibility of obtaining a copy for you can be requested from the company data protection officer.
7. Your data protection rights
Subject to specific requirements, you can assert your data protection rights against us:
- You thus have the right to obtain information on your data stored with us in accordance with the provisions of Art. 15 GDPR (potentially with restrictions pursuant to Section 34 GDPR).
- At your request, we will correct the data stored on you in accordance with Art. 16 GDPR if it is incorrect or incomplete.
- If you would like, we will delete your data in accordance with the principles of Art. 17 GDPR if doing so is not in conflict with other statutory provisions (e.g. statutory retention periods or the restrictions pursuant to Section 35 GDPR) or an overriding interest on our part (e.g. for the defence of our rights and claims).
- In consideration of the prerequisites of Art. 18 GDPR, you can request that we restrict the processing of your data.
- Furthermore, you can lodge an objection to the processing of your data pursuant to Art. 21 GDPR, on the basis of which we are required to end the processing of your data. However, this right of objection applies only in the case of highly specific circumstances of your personal situation, in which case our company’s rights may potentially stand in opposition to your right of objection.
- Subject to the prerequisites of Art. 20 GDPR, you also have the right to receive your data in a structured, common and machine-readable format or have it sent to a third party.
- In addition, you have the right to revoke any consent given to us for the processing of personal data with future effect at any time (cf. Section 2.3).
- You also have a right to complain to a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always direct any complaints to our data protection officer first.
Whenever possible, your applications for the exercise of your rights should be made in writing and addressed to the address provided above or directly to our data protection officer.
- You are also entitled to the aforementioned rights if we process personal data in the context of joint controllership with a third party in accordance with Art. 26 GDPR. This is currently limited to individual constellations in the field of property and facility management. Insofar as you interact with a property or facility manager commissioned by us and we have concluded a contract with this party on joint controllership, it is agreed that the parties must fulfil their obligations under data protection law in accordance with their respective responsibilities for the individual process stages. It is stipulated that the property/facility manager is available as the primary contact point for the rights to which you are entitled under the GDPR. On the basis of the contractual agreements made in these cases, the contractual partners support each other in order to comprehensively guarantee your data protection rights.
8. Scope of your obligations to provide us with your data
You only need to provide the data which is required for the establishment and implementation of a business relationship or for a pre-contractual relationship with us or which we are obligated by law to collect. Without these data, we are generally unable to conclude or implement the contract. This can also pertain to data required later within the scope of the business relationship. If we request any data beyond this from you, you will be separately informed of the voluntary nature of providing the information.
9. Existence of any automated decision-making processes in individual cases (including profiling)
We do not employ any purely automatic decision-making procedures as defined in Article 22 GDPR. If we employ any such procedure in individual cases in the future, however, we will inform you of this separately if legally required to do so.
We may potentially process your data in some cases with the goal of evaluating specific personal characteristics (profiling).
We may potentially employ evaluation tools in order to be able to provide you with information on products and advise you in a targeted manner. These facilitate needs-oriented product design, communication and advertising including market and opinion research.
Such procedures may also be employed in order to be able to evaluate your creditworthiness and for combating money-laundering and fraud. ‘Scores’ may be used to evaluate your creditworthiness. In the event of scoring, mathematical procedures are employed to calculate the probability that a customer will meet their payment obligations in compliance with the contract. Scores like this provide us with assistance for purposes such as the evaluation of creditworthiness and decision-making in the context of product conclusions, and are also taken into consideration by our risk management. The calculation is based on recognised and proven statistical mathematical procedures and is carried out based on your data, particularly income situation, expenses, existing liabilities, profession, employer, duration of employment, experiences from previous business relationships, contractually compliant repayment of past loans and information from credit agencies.
Information on nationality and special categories of personal data as defined in Art. 9 GDPR are not processed in this context.
Information on your right of objection under Art. 21 GDPR
1. You have the right to lodge an objection to the processing of your data on the basis of Art. 6 (1f) GDPR (data processing on the basis of a balancing of interests) or Art. 6 (1e) GDPR (data processing in the public interest) if there are reasons for doing so which originate from your specific situation. This also applies for any profiling based on this determination within the meaning of Art. 4 No. 4 GDPR. If you lodge an objection, we will no longer process your personal data unless we can produce evidence of compelling reasons worth protecting for the processing which outweigh your interests, rights and freedoms, or if the processing serves the purpose of the assertion, exercise or defence of legal claims.
2. We also may potentially process your personal data in order to conduct direct advertising. If you would not like to receive any advertising, however, you have the right to lodge an objection to it at any time. This also applies to profiling, insofar as it is connected with direct advertising of this type. We will comply with this objection in the future.
We will no longer process your data for direct advertising purposes if you object to processing for these purposes. The objection does not need to be made in accordance with any specific formal requirements, and should be directed to the following address if possible:
86150 Augsburg, Germany
Tel: +49 821 50910-000
Fax: +49 821 50910-999
Our data protection declaration and the information on data protection concerning our data processing under Articles (Art.) 13, 14 and 21 of the GDPR may change from time to time. We will publish all changes on this page.