We would like to inform you below about the processing of personal data in connection with the use of our website. Further information on data protection can be found below.
Privacy policy
We are
ENERPARC AG
Kirchenpauerstraße 26
20457 Hamburg
Tel.: +49 (0)40 75 66 449-0
E-Mail: mail@enerparc.com
represented by the Management Board: Christoph Koeppen, Frank Müllejans, Stefan Müller.
We have appointed an external data protection officer. He can be contacted at the above address with the address suffix ‘personal - confidential for the data protection officer’ and via datenschutz@enerparc.com.
Provided certain conditions are met, you have the right to
- Information about your data, correction of incorrect data,
- to the erasure of your data for which there is no longer a reason for storage,
- to restriction of processing,
- to data portability, to object to processing based on our legitimate interest (Article 6 (1) sentence 1 lit. f GDPR),
- to revoke consent once given with effect for the future and
- to lodge a complaint with the competent supervisory authority.
Of course, these rights are subject to conditions that are set out in the relevant laws, in particular the General Data Protection Regulation (GDPR).
If we transfer your data to countries that do not belong to the European Union (third countries), we need additional safeguards that are regulated in Articles 44 et seq. of the GDPR. These include in particular
- Adequacy decisions where the EU Commission has decided that a country or sector has an adequate level of data protection (Article 45 GDPR),
- standard contractual clauses by which data recipients from third countries contractually undertake to observe an adequate level of data protection (Article 46 GDPR),
- binding internal data protection rules that have been reviewed by EU supervisory authorities and by which data recipients from third countries undertake to observe an adequate level of data protection (Article 47 GDPR),
- Declarations of consent with which you accept in individual cases that your data will be transferred to a third country (Article 49(1)(a) GDPR). Any risk information can be found in the glossary.
We have the following information:
- When we process your data, there is no automated decision-making and, in particular, no profiling.
- We are only legally obliged to process your data if we expressly point this out in the following data protection information.
Contact us
Firstly, we collect your data in order to establish initial contact. It is possible for us to contact you first, for example in the context of acquiring shepherds and biologists. It is also conceivable that you contact us first. In any case, we process all data that we have either researched in advance and/or that you provide to us voluntarily. This is often your contact details (name, e-mail address, address, telephone number) and communication data (e.g. description of the content of the conversation, conversation notes, form entries). On this basis, we check your offer and store the corresponding data. The purpose of this processing is to initiate or establish a contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.
Video conferencing
In some cases, you can communicate with us by video conference. In doing so, we process the resulting video and audio data as well as any transcripts taken. With this processing, we either want to negotiate a contract with you or, later, even fulfil it. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.
Recordings are only made if we suggest this and you consent. In order to fulfil a legal obligation (Article 7 (1) GDPR), we first store the information as to whether you have given your consent. The legal basis for this is Article 6 (1) sentence 1 lit. c GDPR. We then record the conversation and store the resulting image and audio data to document the conversation. The legal basis for this is Article 6 (1) sentence 1 lit. a GDPR. The prohibition under Article 9(1) GDPR does not prevent this, as the exception under Article 9(2)(a) GDPR applies.
Contract fulfilment
If a contract is actually concluded between us, we will communicate with you, make payments, etc., and process communication and billing data (e.g. for the delivery of services and answering enquiries) in order to fulfil the contract. The purpose of this processing is to fulfil the contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.
Notification of changes to data processing
If we change the way we process your data (e.g. use new tools), we will inform you about the changes, e.g. by email. As a rule, we will send you updated data protection information. The processing is intended to fulfil a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6 paragraph 1 sentence 1 lit. c GDPR.
Data processing for the purpose of asserting rights
If you assert your rights under the GDPR or other legal provisions, we process your data in order to verify these claims and, if necessary, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.
Involvement of tax consultancy firm
We forward data relevant to you under tax law (e.g. offers, order confirmations, contracts, invoices, account statements, etc.) to an external tax consultancy firm. In doing so, we process your name and all data resulting from invoices and incoming payments. We therefore seek assistance with accounting and other tax-related matters. The legal basis for this is Article 6 (1) sentence 1 point (f) GDPR, whereby our legitimate interest follows from the stated purpose. Insofar as the external tax consultancy processes this data, it is not a matter of order processing (see DSK short paper 13), but of a data transfer that is justified by Article 6 (1) sentence 1 point (f) GDPR.
Data storage/storage period
We store your data both during and after the end of the contract. This is to inform you how long the data will be stored:
- We keep internal records (e.g. annual financial statements, accounting vouchers) for ten years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
- We keep business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do this (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
- If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
- If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
- When you consent to data processing,
- we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
- we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.
Deletion of data
We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.
Recipient
The following recipients and other external bodies process your data:
Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:
- Backup tool providers
- Software hosting company
- Video conferencing system providers
- Law firms specialising in legal, tax and auditing services
- Project management tools,
- Providers of whistleblower platforms
- Provider of accounting solutions
- Providers of Microsoft assistance tools
- Translation tool vendor
Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):
- Microsoft: Various applications are used by Microsoft Corporation (USA), which has been commissioned in accordance with Article 28 of the GDPR, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 of the GDPR.
- New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (here the USA) that cannot be excluded is justified in accordance with Article 45 of the GDPR.
- Lacework: The IT security tool ‘Lacework’ from Lacework, Inc. (USA) is used. A transfer of data to a third country (here the USA) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
- ShareFile:The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
- Monday.com: The collaboration tool Monday.com, from Monday.com Ltd. (Israel), is used. The transfer of data to a third country (in this case, Israel) cannot be ruled out, but this is justified under Article 45 of the GDPR.
- Atlassian: The project management tool from Atlassian Pty Ltd (Australia) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case, Australia) that cannot be ruled out is justified in accordance with Article 46 of the GDPR.
- Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case the USA) cannot be ruled out for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR.
On the special features of the responsibilities
- We are always looking for owners on whose land we can build solar parks and the like. We contact landowners for this purpose.
- In some cases, we are supported by KLM-Architekten Leipzig GmbH and KLM Projektentwicklung GmbH & & Co. KG. These companies research the contact details and also approach the property owners on our behalf.
If you have been contacted in this way, please note that these companies and we have contractually agreed to process your data jointly. These contracts stipulate that you can contact both us and the above-mentioned companies if you wish to assert your rights. We have also agreed that both we and our contractors will independently ensure the lawfulness and security of the processing.
Making contact
Firstly, we collect your data in order to establish initial contact. We may research the data ourselves or have it researched by land registry or land registry offices (see the special features of the responsibilities). In this case, we receive and process your name, your address and the information as to which property belongs to you. The purpose of the processing is that we may wish to negotiate a lease agreement with you. The legal basis for the processing depends on the federal state in which your property is located.
The following laws come into consideration:
- §§ 13ff. Hamburg Law on Surveying
- § Section 5 (2) of the Lower Saxony Surveying Act
- § Section 10 of the Bremen Land Surveying and Cadastre Act
- § Section 13(3) of the Schleswig-Holstein Land Surveying and Cadastre Act
- § Section 33(2) of the Act on Official Geoinformation and Surveying in Mecklenburg-Western Pomerania
- § Section 10(1) of the Act on Official Surveying in the State of Brandenburg
- § Section 17 (1) of the Law on Surveying in Berlin
- § Section 13(1) of the Surveying and Geoinformation Act of Saxony-Anhalt
- § Section 14(2) of the Surveying Act of Saxony
- § Section 18 (2) of the Thuringian Surveying and Geoinformation Act
- § Section 16 (2) of the Hessian Law on the Real Estate Cadastre and Land Surveying
- Article 11(1) of the Bavarian Land Survey and Cadastre Act
- § Section 2(3) of the Surveying Act for Baden-Württemberg
- § Article 10(1) of the Saarland Land Survey and Cadastre Act
- § Section 13(2) of the Rhineland-Palatinate Land Survey Act
- § Section 14(2) of the North Rhine-Westphalia Land Surveying and Cadastre Act
In any case and if your property is located outside Germany, the processing is based on Article 6 (1) sentence 1 lit. f GDPR, whereby our legitimate interest follows from your expectable interest in a lease agreement.
Contract fulfilment
If a lease agreement is actually concluded between us, we will communicate with you, make payments, etc., and process communication and billing data (e.g. for the delivery of services and answering enquiries) in order to fulfil the contract. The purpose of this processing is to fulfil the contract. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. b GDPR.
Notification of changes to data processing
If we ever change the way we process your data (e.g. use new tools), we will inform you of the changes, e.g. by email. As a rule, we will send you updated data protection information. The purpose of the processing is to fulfil a legal obligation (Articles 12 to 14 GDPR). The legal basis for this is Article 6 paragraph 1 sentence 1 lit. c GDPR.
Data processing for the assertion of rights
If you assert your rights under the GDPR or other legal provisions, we process your data in order to examine and, if necessary, fulfil these claims. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6 (1) sentence 1 lit. c GDPR in conjunction with the respective legal provision from which your right or claim arises.
Storage of the data/storage period
We store your data both during and after the end of the contract. Here we inform you how long the data will be stored:
- We keep internal records (e.g. annual financial statements, accounting vouchers) for ten years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (§ 147 AO, § 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with. We retain business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with.
We keep business communications (e.g. customer letters) and other tax-relevant documents for six years. This period begins on 31 December of the calendar year in which the respective document was created. We are legally obliged to do so (Section 147 AO, Section 257 HGB) and the legal basis is Article 6 (1) sentence 1 lit. c GDPR in conjunction with.
If you assert your rights under the GDPR, communication data (correspondence by email, post, etc.) will be generated. We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. This is in our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and additionally on the statute of limitations for administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).
- If you assert other, non-GDPR rights, communication data is also created, which we retain for three years. This period begins on 31 December of the calendar year in which we responded to your request. In doing so, we are safeguarding our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB).
- When you consent to data processing,
- we store the information that you have consented to for three years. This period begins as soon as you withdraw your consent or the associated purpose expires, whichever comes first. In doing so, we are safeguarding our own legitimate interests. In the event of a dispute, we want to be able to prove that we have handled your claims correctly. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) BGB) and additionally on the statute of limitations for administrative offences (Section 31 (2) (1) OWiG in conjunction with Article 83 GDPR).
- we store the data that we process on the basis of your consent until you withdraw your consent. The purpose results from the respective declaration of consent and the legal basis for this is Article 6 paragraph 1 sentence 1 lit. a GDPR.
Deletion of the data
As soon as the above-mentioned retention periods end, we will delete your data. In doing so, we fulfil a legal obligation (Article 5(1)(a), (e) GDPR). The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.
Recipients
The following recipients and other external bodies process your data:
Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:
- Backup tool providers
- Software hosting companies,
- Providers of video conferencing systems,
- Law firms, tax and auditing firms
- Project management tools,
- Providers of whistleblowing platforms,
- Providers of accounting solutions
- Provider of Microsoft assistance tools
- Providers of translation tools
Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):
Microsoft: Various applications are used by Microsoft Corporation (USA), which has been commissioned in accordance with Article 28 GDPR, namely: Microsoft365-Cloud, Microsoft Teams (project management tool), Microsoft Teams (video conferencing tool), Microsoft Bookings, Microsoft Forms, Sharepoint. A transfer of data to a third country (in this case the USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.
New Relic: The website monitoring tool ‘New Relic’ from New Relic, Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR.A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 45 GDPR.
Lacework: The IT security tool ‘Lacework’ from Lacework, Inc (USA) is used. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
ShareFile: The IT tool ‘ShareFile’ from Citrix Systems Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here USA) that cannot be ruled out is justified in accordance with Article 46 GDPR.
Monday.com: The collaboration tool ‘Monday.com’ from Monday.com Ltd (Israel) is used. A transfer of data to a third country (here Israel) that cannot be ruled out is justified in accordance with Article 45 GDPR.
Atlassian: The project management tool of Atlassian Pty Ltd (Australia), which was commissioned in accordance with Article 28 GDPR, is used. A transfer of data to a third country (in this case Australia) that cannot be ruled out is justified in accordance with Article 46 GDPR.
Autodesk: The project management tool ‘Autodesk’ from Autodesk, Inc. (USA) is used, which was commissioned in accordance with Article 28 GDPR. A transfer of data to a third country (here USA) that cannot be ruled out is justified for employee data in accordance with Article 46 GDPR and for all other data in accordance with Article 45 GDPR.
Special features of the responsibilities
Insofar as we maintain company pages on social media/networks, we would like to point out that
- Insofar as we analyse your use of our company website, we and the respective provider are jointly responsible under data protection law in accordance with Article 26 of the GDPR.
- we have commissioned the providers in all other cases in accordance with Article 28 of the GDPR.
Website display
You have the option of using our website for information purposes only. This means that you can simply access the page without clicking on anything or entering anything. Even then, we process the following data from you so that you can view the website in your browser:
- IP address,
- Date and time of the request,
- Time zone difference to Greenwich Mean Time (GMT),
- Content of the request (specific page),
- Access status/HTTP status code,
- transferred data volume,
- the page from which the request comes,
- Browser,
- operating system and its interface,
- Language and version of the browser software.
The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.
Web hosting
We use an external web host to make our website accessible. The web host processes all the data mentioned in the previous section (display of the website) for this purpose. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from this purpose.
Cookie-Consent
We give you the opportunity to consent to the use of cookies and use a cookie consent tool for this purpose. In doing so, we process all the data already mentioned in the previous section (presentation of the website), as well as the information as to whether, in what and when you have given your consent. By processing this data, we intend to fulfil a legal obligation (Article 7(1) GDPR). The legal basis is Article 6(1) sentence 1 point (c) GDPR.
Form
On our website, there is a form that you can use to communicate with us. All the information you enter there will be transmitted to us and processed by us.
Either:
- the processing serves the initiation, execution and/or termination of contracts (purpose 1) or
- it enables you to contact us for another reason, e.g. to assert claims for information (purpose 2).
The legal basis for purpose 1 is Article 6 paragraph 1 sentence 1 point b of the GDPR and for purpose 2 Article 6 paragraph 1 sentence 1 point f of the GDPR, whereby the legitimate interest follows from your request.
Recruiting
You have the option of applying for a job with us via our website in the recruiting section or through other contact channels. We collect this data in order to determine whether or not we can enter into an application process. The legal basis for this is Article 6(1)(b) of the GDPR. In addition, our data protection information for employees applies.
Analysis of user behaviour
We use cookies to analyse how you arrive at our website and what you do there exactly. Cookies are text files that are stored on your computer and enable us to perform this analysis (reports on your activities and interactions on the website, e.g. order of interactions, length of stay).
We use this data and analysis to improve our website and the user experience and to tailor it to you and other users. Further details can be found in the information on the tools (see below).
The purpose of the processing is to optimise our website. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.
Social media/networks
We are active on social media and networks. If you access our company pages on social media/networks from our website, some of your data will be processed. Of course, this also applies if you access our company pages on social media/networks by other means than our website.
We would like to make it clear from the outset that we have no influence over which data is processed, how it is processed and how long it is stored. There is always the possibility that the providers of these platforms may store your data and use it for advertising purposes, market research and/or to tailor their services to your needs. You can find more details below in the information about the providers.
The following data is processed:
- cookie- or pixel-based data about your interactions with our company pages
- your email address
- your name
- your contact details
The processing serves to present our company. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.
Video playback
Our website displays videos that are embedded via plugins from video and streaming portals. Every time you access a subpage/page with a video clip, a direct connection to a server of the video portal is established. Further details can be found in the information about the providers.
The following data is processed:
- cookie-based data about your interactions with the video subpages
- information about which video you clicked on
The purpose of the processing is to display videos and optimise our website. The legal basis is Article 6(1)(a) GDPR.
External fonts
We display the texts on our website using external fonts. In doing so, data is transmitted to the providers of these directories in order to analyse and optimise the frequency of use and the success of certain fonts. As soon as you visit our website, your browser sends HTTP requests to the provider's server, whereby, among other things, the URL of the requested font is transmitted. This data is logged in order to determine the frequency of use and to create statistical reports. In addition, cookie-based data about your interactions (e.g. order of interactions, length of stay) is processed.
The purpose of this processing is to generate aggregated usage statistics on the popularity of fonts. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.
Citizen participation
Under certain conditions, you can participate in one of our projects by using a registration form on our website. For this purpose, you will be redirected to the provider AUDITcapital GmbH, to whose data protection declaration we refer. In doing so, we receive all the data necessary to carry out your investment (contact details, information from investment contracts, billing data). The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.
Data processing for the assertion of rights
If you assert your rights under the GDPR or other legal provisions, we process your data to check these claims and, if applicable, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.
Data storage/storage period
We store your data both during and after the end of the contract. This is where we inform you how long the data will be stored:
- If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
- If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
- When you consent to data processing,
- we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
- we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.
Deletion of data
We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.
Recipient
Recipients within the European Union: Within the European Union, your data will be processed by companies (recipients) in the following categories:
- Hosting provider
- Providers of cookie consent tools
- Social networks
- Software hosting company
- Video conferencing system providers
- law firms specialising in legal, tax and auditing services
- Project management tools,
- Providers of whistleblower platforms,
- Provider of accounting solutions
- Providers of Microsoft assistance tools
- Translation tool vendor
Recipients outside the European Union: Outside the European Union, your data will be processed by the following specific companies (recipients):
- Google: Various applications from Google Ireland Ltd. (Ireland - EU) are used, which were commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case to Google LLC in the USA) that cannot be ruled out is justified under Article 45 of the GDPR. The following Google tools are used:
- We use Google Analytics. Google generally processes IP addresses only within the European Union or the signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a provider server in the United States and shortened there. To the best of our knowledge, the transmitted IP address is not merged with other data. We also use Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID.
- We use Google Remarketing and Google Ads. This is how it works: when you interact with us online, for example by visiting our website, you can be identified as a suitable recipient of advertisements (so-called ‘ads’) through the use of cookies (so-called ad server cookies). These cookies also help us measure and evaluate the success of an advertising campaign. If you then visit Google pages (YouTube, Google search engine, etc.), you will be recognised by these cookies and our ‘ads’ will be displayed to you (so-called ‘remarketing’). This happens when your browser automatically establishes a direct connection to the Google server. The ads are then delivered via Google Ad Servers. The ad server cookies used are generally valid for 30 days and are not used for personal identification. Typically, the following analysis values are stored: a unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) and opt-out information (indication that you do not wish to receive any further ads).
- You can restrict or prevent tracking, for example (a) by making the appropriate settings in your browser software (in particular, blocking third-party cookies prevents you from receiving advertisements) or (b) by disabling cookies for conversion tracking by setting your browser to block cookies from the provider's domain. However, this setting will be deleted if you delete the cookies in your browser.
- The purpose of this processing is to present our company, to analyse user behaviour in relation to interaction with our website and to communicate with you via social media, including for advertising purposes if applicable.
- We use Google Tag Manager. This is how it works: the tool enables us to integrate various codes and services into our website in a structured and simplified way. The tool implements tags or triggers the integrated tags. When a tag is triggered, Google may also process personal data under certain circumstances.
- We use DoubleClick. This is how it works: DoubleClick uses cookies to show you relevant adverts, to improve reports on campaign performance and to prevent you from seeing the same adverts multiple times. Google uses a cookie ID to record which adverts were shown in which browser in order to avoid showing the same advert twice. It also allows cookie IDs to be used to record conversions that are associated with advertising requests. This is the case, for example, if you see a DoubleClick ad and later visit our company's website using the same browser and make a purchase there. Through the marketing tools used, your browser automatically establishes a direct connection with the Google server. Through the integration of DoubleClick, Google receives the information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your respective account. Even if you are not registered or logged in, it is possible that Google will collect and store your IP address.
- My Fonts Counter: The analysis tool ‘My Fonts Counter’ from My Fonts Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case to Google LLC in the USA) that cannot be ruled out is justified under Article 45 of the GDPR. - Vimeo: The video playback tool ‘Vimeo’ from Vimeo, LLC (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. The transfer of data to a third country (in this case, the USA) cannot be ruled out. This is justified for employee data in accordance with Article 46 of the GDPR and for all other data in accordance with Article 45 of the GDPR. The controller uses this video portal as follows: Operating your own channel, publishing media recordings. The terms used here are explained in the glossary at the end of the declaration.
- X (formerly Twitter): The social network ‘X’ from Twitter International Company (Ireland - EU) is used. Further details on the processing methods of this provider can be found here: https://twitter.com/de/privacy. A transfer of data to a third country (here the USA) that cannot be ruled out is justified under Article 46 of the GDPR. The controller uses this social network as follows: to operate a company page. The terms used here are explained in the glossary at the end of the declaration.
- LinkedIn: The social network ‘LinkedIn’ from LinkedIn Ireland Unlimited Company (Ireland - EU) is used. A transfer of data to a third country (here the USA) that cannot be ruled out is justified under Article 46 of the GDPR. The controller uses this social network as follows: to operate a company page. The terms used here are explained in the glossary at the end of the declaration.
- Cloudflare: The content delivery network (CDN) ‘Cloudflare’ from Cloudflare, Inc. (USA) is used, which has been commissioned in accordance with Article 28 of the GDPR. A transfer of data to a third country (in this case, the USA) that cannot be ruled out is justified under Article 45 of the GDPR.
Entering the premises
When you visit the above-mentioned property, we collect the following data when you enter: name, reason for visit, date, time of entry and exit, and any additional voluntary information. The processing of this data serves both to protect you (for example, to be able to determine in the event of a fire whether you are still in the building) and to protect the right of access to the building, property and possessions, as well as access control. The legal basis for this is Article 6(1)(f) GDPR, whereby our legitimate interest arises from the stated purposes.
Data processing in the event of the assertion of rights
If you assert your rights under the GDPR or other legal provisions, we process your data to check these claims and, if applicable, fulfil them. The purpose of this processing is to fulfil a legal obligation. The legal basis for this is Article 6(1) sentence 1 point (c) GDPR in conjunction with the respective legal provision from which your right or claim arises.
Data storage/storage period
We store your data both during and after the end of the contract. This is where we inform you how long the data will be stored:
- If you assert your rights under the GDPR, this will result in the creation of communication data (correspondence by email, post, etc.). We store this data for three years. This period begins on 31 December of the calendar year in which we responded to your request. We do this in order to protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 (f) GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)) and, in addition, on the statute of limitations for administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 GDPR).
- If you assert other, non-GDPR rights, communication data will also be created, which we will store for three years. This period begins on 31 December of the calendar year in which we respond to your request. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6(1)(1)(f) of the GDPR. The period of three years is based on the statute of limitations for claims for damages (Sections 195, 199 (1) of the German Civil Code (BGB)).
- When you consent to data processing,
- we store the information that you have given your consent for three years. This period begins as soon as you revoke your consent or the associated purpose expires, whichever occurs earlier. This is how we protect our own legitimate interests. This is because we want to be able to prove that we have handled your claims correctly in the event of a dispute. The legal basis is Article 6 (1) sentence 1 lit. f GDPR. The three-year period is based on the statutes of limitation for claims for damages (Sections 195 and 199 (1) of the German Civil Code (BGB)) and, in addition, on the statutes of limitation under the law governing administrative offences (Section 31 (2) (1) of the German Act against Regulatory Offences (OWiG) in conjunction with Article 83 of the GDPR).
- we store the data that we process based on your consent until you withdraw your consent. The purpose is evident from the respective declaration of consent and the legal basis for this is Article 6(1)(a) of the GDPR.
Deletion of data
We will delete your data as soon as the above-mentioned retention periods have ended. In doing so, we are complying with a legal obligation (Article 5 (1) (a), (e) GDPR). The legal basis is Article 6 (1) sentence 1 (c) GDPR.
Recipient
Recipient within the European Union Within the European Union, your data will be processed by companies (recipients) in the following categories:
- Supplier of room management systems