This privacy statement explains the nature, scope and purpose of the processing of your personal data (hereinafter referred to as “data” for short) as part of the services we provide as well as our Web offering and its associated websites, features, content and external online presence, such as our social media pages (hereinafter collectively referred to as “Online Services”). For definitions of the terms used here, such as “processing” and “controller”, please refer to Art. 4 of the EU’s General Data Protection Regulation (GDPR).
LUWIN Real Estate Managers GmbH
Mindspace / Eurotheum
Neue Mainzer Straße 66–68
60311 Frankfurt am Main
Types of data processed
- Existing data (e.g., personal master data, names and addresses)
- Contact data (e.g., e-mail addresses, telephone numbers)
- Content data (e.g., text input, photos, videos) – Usage data (e.g., websites visited, interest in content, access times)
- Metadata and communication data (e.g., device data, IP addresses)
Data subject categories
Visitors and users of our Online Services (hereinafter, data subjects are also referred to collectively as “users”)
Purpose of processing
- To provide the Online Services, their features and content
- To respond to requests for contact and communication from users
- To take security measures– To measure our reach and conduct marketing
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations that is performed on personal data or on sets of personal data. The term is comprehensive and encompasses practically every method of handling data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Key legal bases
Pursuant to Art. 13 of the GDPR, we hereby inform you of the legal bases for our data processing. For users within the scope of the General Data Protection Regulation (GDPR), i.e., users in the EU and the European Economic Community (EEC), the following rules apply where this Privacy Statement does not cite the legal basis: The legal basis for obtaining consent is Art. 6, para.1a; and Art. 7 of the GDPR.
The legal basis for processing as part of the services we provide and to perform a contract or respond to enquiries is Art. 6, para. 1b, of the GDPR.
The legal basis for processing to fulfil our contractual obligations is Art. 6, para. 1c, of the GDPR.
In the event that the vital interests of data subjects or another natural person makes it necessary to process personal data, the processing will be based on Art. 6, para. 1d, of the GDPR.
The legal basis for processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6, para. 1e, of the GDPR.
The legal basis for processing to safeguard our legitimate interests is Art. 6, para. 1f, of the GDPR.
Data processing for purposes other than those for which it was collected is governed by Art. 6, para. 4, of the GDPR.
The processing of special categories of data (as named under Art. 9, para. 1, of the GDPR) is governed by the provisions of Art. 9, para. 2, of the GDPR.
In accordance with statutory regulations requiring us to take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In particular, such measures include protecting the confidentiality, integrity and availability of data by controlling physical access to buildings, access to the associated data systems, access to the data for entry, editing or sharing, and by ensuring their availability and separation. Furthermore, we have instituted procedures that ensure the protection of data subjects’ rights, deletion of data and response to threats to the data. We also take into account the protection of personal data when developing and selecting hardware, software and processes in accordance with the principle of data protection by design and default.
Collaboration with processors, joint controllers and third parties
If, as part of our processing, we disclose data to other persons or companies (processors, joint controllers or third parties), share data with them or otherwise grant them access to the data, we do so only on the basis of legal authority (e.g., when sharing of data with third parties, such as payment processors, is necessary for performance of a contract), when users have given their consent, we are under a legal obligation to do so or on the basis of our legitimate interests (e.g., when employing agents, Web hosting services, etc.).
If we disclose or transmit data to other companies in our group or otherwise grant them access to the data, we do so in particular for administrative purposes as a legitimate interest and, moreover, based on one of the corresponding legal requirements.
Transfer to third countries
If we process data in a third country (i.e., outside the European Union (EU), European Economic Area (EEA) or the Swiss Confederation), or if this occurs as part of our use of third-party services or the disclosure of data to or sharing of data with other persons or companies, we do so only when necessary to fulfil our obligations prior to or after entering into a contract, on the basis of your consent, based on a legal obligation or on the basis of our legitimate interests. Subject to the express consent or contractually required sharing, we process data or have data processed only in third countries with a recognised level of data protection. Suitable providers include those in the US certified under the Privacy Shield Framework. Also sufficient are special guarantees, such as the standard protection clauses of the EU Commission, the submission of certification or binding internal data protection regulations (Arts. 44 to 49 of the GDPR, EU Commission information page).
Rights of data subjects
You have the right to obtain confirmation as to whether your personal data are being processed and access to the personal data and additional information and copies of the data in accordance with legal regulations.
In accordance with legal regulations, you have the right to request that any incomplete personal data are completed and that any inaccurate personal data about you are rectified.
In accordance with legal regulations, you have the right to request that your personal data are erased without delay or to restrict processing of the data in accordance with legal regulations.
You have the right to request, in accordance with legal regulations, that the personal data you provided to us are turned over to you or transferred to other controllers.
Furthermore, you have the right to lodge a complaint with the competent supervisory authority in accordance with legal regulations.
Right to withdraw consent
You have the right to withdraw your given consent permanently, effective from that point on.
Right to object
In accordance with legal regulations, you may at any time object to any future processing of your personal data. In particular, you may object to processing for purposes of direct advertising.
Cookies and the right to object to direct advertising
Cookies are small files that are stored on users’ computers. The cookies may contain a variety of information. The primary purpose of a cookies it to store information about a user (or the device on which the cookie is stored) during or after the user’s visit as part of the Online Services. Cookies that are deleted after a user leaves an Online Service and closes his or her browser are known as temporary cookies, session cookies or transient cookies. That kind of cookie can be used to store information such as the contents of your shopping basket in an online shop or your login status. Cookies that remain stored even after your browser has been closed are called permanent or persistent cookies. For instance, a user’s login status can be saved when the person visits the website several days later. This kind of cookie can also record the user’s interests, which can be used to measure reach or for marketing purposes. The term third-party cookie refers to cookies that are offered by service providers other than the controller who runs the Online Service (when only the controller’s are being referred to, they are called first-party cookies).
Those services include the American website http://www.aboutads.info/choices/ and the EU website http://www.youronlinechoices.com/. You can also prevent cookies from being stored on your device by turning them off in your browser settings. Please note that you may then not be able to use all the features of this Online Service.
Deletion of data
The data we process will be deleted or their processing restricted in accordance with legal regulations. Unless otherwise expressly indicated in this Privacy Statement, the data we have stored will be deleted as soon as they are no longer required for their intended purpose and as long as there are no statutory retention periods that prevent us from deleting them.
If the data are not deleted because they are needed for other lawful purposes, their processing will be restricted. That means the data will be made unavailable and not used for other purposes. For example, this applies to data that we are required to retain for accounting and tax purposes.
Collecting access data and log files
We, or our hosting service provider, collect data on every instance of access to the server where this Service is located (so-called server logfiles) on the basis of our legitimate interest within the meaning of Art. 6, para. 1f, of the GDPR. The access data includes the name of the website accessed, file, data, and time of retrieval, amount of data transferred, notice of successful retrieval, browser type and version, user’s operating system, referring URL (previously visited page), IP address and requesting provider.
For security reasons (e.g., to investigate cases of abuse or fraud), logfile information is stored for no more than seven days and then deleted. Data that must be retained for a longer time so they can be used as evidence are exempt from deletion until the incident has been definitively resolved.
We incorporate the fonts (Google Fonts) offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. According to information from Google, users’ data are used solely for purposes of displaying the fonts in their browsers. The fonts are incorporated on the basis of our legitimate interest in technologically secure, maintenance-free and efficient use of fonts, their consistent representation and consideration of possible licensing restrictions on their inclusion. Privacy statement: https://www.google.com/policies/privacy/.