Data protection information in accordance with the EU General Data Protection Regulation for “natural persons”
Version: May 2018
The following information gives you an overview of the way in which we process your personal data and your rights under data protection law. The specific types of data processed, and how they are processed, are largely determined by the requested/agreed services in question.
Please also pass on the information to current and future authorised representatives and economic beneficiaries. This includes, for example, beneficiaries in the event of death or authorised signatories.
- Who is responsible for data processing and whom should I contact
The responsible entity is the company referred to in the cover letter as landlord (“landlord”):
Our data protection officers may be contacted at
Deutsche Asset Management Investment GmbH
Data Protection Officers
Mainzer Landstr. 11-17
60329 Frankfurt am Main
Telephone: +49 (0) 69 910-12380
Email address: email@example.com
- What sources and what data do we use
We process personal data obtained from our tenants in the course of the business relationship. Where necessary for the provision of our service, we also process personal data we have received on an authorised basis from other affilitate companies or from other third parties (such as the Federal Central Tax Office) e.g. data needed for the purpose of executing instructions or performing contracts, or which we are entitled to process by virtue of your consent. We also process personal information we have obtained on an authorised basis from publicly accessible sources (e.g. register of companies and associations, press, media, internet) and which we are authorised to process.
Relevant personal data can include:
Name, address/other contact details (telephone, email address), date/place of birth, gender, nationality, marital status, legal capacity, professional group key/type of partnership (employed/self-employed), identification data (e.g. ID card data), authentication data (e.g. specimen signature), tax ID, FATCA status.
- Why do we process your data (purpose of processing) and on what legal basis
We process the aforementioned personal data in accordance with the EU General Data Protection Regulation (GDPR) and German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):
a. For the performance of contractual duties (Art. 6 paragraph 1 (b) GDPR)
Personal data is only processed for the purpose of of the fulfilment of our lease agreenments with our tenants, or for the performance of pre-contractual measures taken. These include in particular leasing, sale and commercial / technical management of apartments, commercial properties, land, parking spaces (such as cars, bicycles) as well as the accounting within the ownership structure. Furthermore, this could also be the exchange of data with a credit enquiry agency for the determination of creditworthiness or default risks.
b. In connection with legitimate interests (Art. 6 paragraph 1 (f) GDPR)
Where necessary, we process your data beyond the actual performance of the contract in order to safeguard the legitimate interests of ourselves or third parties. Examples:
— Assertion of legal entitlements and defence in the event of legal disputes
— Ensuring IT security and IT operations of the Company
— Prevention of criminal acts
— Videos surveillance to safeguard against trespassers, to gather evidene in the event of robbery or fraud or to document disposals and deposits, e.g., at ATMs
— Measures for building and systems security (e.g., admittance control)
— Measures to ensure against trespassing
— Measures for business control and the further development of products and services
— Risk management within the Group
c. By virtue of your consent (Art. 6 paragraph 1 (a) GDPR)
Where you have given us your consent to the processing of personal data for specific purposes (e.g. dissemination of data within the association/group or to your investment advisor), such processing is legal by virtue of your consent. Consent granted may be revoked at any time. This also applies to the revocation of declarations of consent issued to us before the EU GDPR took effect, i.e. prior to 25 May 2018. Please note that revocation only takes effect in the future. Processing that occurred prior to the revocation is unaffected. A status overview of the consents you have granted to us may be requested at any time.
d. In compliance with legal obligations (Art. 6 paragraph 1 (c) GDPR) or in the public interest (Art. 6 paragraph 1 (e) GDPR)
In addition, as a company we are subject to various legal obligations or statutory requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) as well as supervisory requirements (e.g. of the German Federal Financial Supervisory Authority). The purposes of processing include identity verification, prevention of fraud and money laundering, compliance with monitoring and reporting duties required by tax law as well as the assessment and control of risks within the Company and the Group. Furthermore we have to provide information to third parties (for example, investigative authorities) if statutory required.
- Who gets access to my data
The landlord and its affiliates that require your data for the performance of our contractual and statutory duties are given access. Service providers and agents we employ may be given access to data for such purposes, provided they ensure confidentiality and compliance with our written data protection policies. These are mainly companies from the categories listed below.
With regard to the exchange of data with recipients outside the management company, it should first be noted that as a management company, we are required to maintain confidentiality regarding all client-related facts and assessments of which we become aware. We may only pass on information about you where required by statutory provisions, if you have granted your consent, where we are authorised to disclose information and/or where the order processors we employ likewise ensure confidentiality and comply with the requirements of the EU General Data Protection Regulation/German Federal Data Protection Act.
Accordingly, recipients of personal data may include:
— In the case of a statutory or official requirement, public-sector entities and institutions, e.g. Deutsche Bundesbank, German Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, financial authorities, Federal Central Tax Office, Central Allowance Authority for Pension Assets (Zentrale Zulagenstelle für Altersvermögen – ZfA).
— Other credit and financial services institutions, comparable institutions and order processors, to which we transfer personal data for the purpose of conducting the business relationship with you.
— Specifically: Processing of bank information, support/maintenance of computer/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing/procurement, customer management, lettershops, marketing, reporting, research, risk controlling, expenses claims, telephony, video identification, website management, securities service, share register, fund management, auditing service, payment transactions, leasing, sale and commercial / technical management of apartments, commercial properties, land, parking spaces (such as cars, bicycles) as well as the accounting within the ownership structure
Other data recipients may be entities in relation to which you granted your consent to data transmission.
- Is data transferred to third countries or international organisations
Data is only transferred to countries outside the EU or EEA (“third countries”) insofar as this is necessary for the performance of your instructions (e.g. payment and securities instructions), as this is required by law (e.g. reporting duties in accordance with tax law) or as you have granted us your consent, or in the course of processing order data. Where third-country service providers are used, they are required to comply with European data protection standards through the agreement of standard EU contractual clauses in addition to written policies.
- How long is my data stored for
We process and store your personal data for as long as is necessary in order to perform our contractual and legal obligations. However, it should be noted that our business relationship is a continuing obligation lasting several years.
If the data is no longer required for the performance of contractual or statutory duties, it is deleted on a regular basis unless further processing (for a limited period) is required for the following purposes:
— Compliance with retention periods required under commercial and tax law: these include the Commercial Code, Tax Code, Banking Act, Money Laundering Act and Securities Trading Act. The deadlines for retention or documentation stipulated therein amount to two to ten years.
— Collection of evidence in the context of the limitation rules. In accordance with §§195 et seq. of the Civil Code (BGB), the period of limitation may be up to 30 years; however, the standard period of limitation is 3 years.
- What data protection rights do I have
Every affected person has the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right of erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object pursuant to Art. 21 GDPR and the right to data portability pursuant to Art. 20 GDPR. The restrictions pursuant to §§34 and 35 of the Federal Data Protection Act apply in the case of the right to information and the right of erasure. A right of appeal to a data protection authority also exists (Article 77 GDPR in conjunction with §19 of the Federal Data Protection Act).
You can revoke consent granted to us for the processing of personal information at any time. This also applies to the revocation of declarations of consent issued to us before the EU GDPR took effect, i.e. prior to 25 May 2018. Please note that revocation only takes effect in the future. Processing that occurred prior to the revocation is unaffected.
- Am I under any obligation to provide data
As part of our business relationship, you must provide the personal data required for the opening and execution of a business relationship and for the fulfilment of the associated contractual obligations, or that which we are required by law to collect. Without this data, we will normally have to decline the conclusion of the contractual agreement or the execution of the instruction, or we may no longer be able to perform an existing contract and may have to terminate it.
In particular, we are required by the money laundering rules to identify you prior to establishing the business relationship (for example, on the basis of your ID card), and to collect and record your name, place of birth, date of birth, nationality and home address. To ensure we are able to meet this statutory requirement, you must make the required information and documentation available to us in accordance with §4 paragraph 6 of the Money Laundering Act, and notify us immediately of any changes that occur during the business relationship. If you do not provide us with the required information and documentation, we are entitled to refuse to accept or continue the requested business relationship with you.
- Does profiling take place
We process your data to some extent automatically with the aim of evaluating certain personal factors (profiling). We use profiling in the following cases, for example:
in compliance with legal obligations we are required to combat money laundering and fraud. Data analysis (including in relation to payment transactions) is also undertaken. These measures simultaneously serve to protect you.
Information about your right to object pursuant to Art. 21 of the EU General Data Protection Regulation (GDPR)
- Right to object on an individual basis
For reasons arising on account of your particular circumstances, you have the right to lodge an objection to the processing of data relating to you carried out on the basis of Art. 6 paragraph 1 (e) GDPR (data processing in the public interest) and Art. 6 paragraph 1 (f) GDPR (data processing on the basis of legitimate interests) at any time; this also applies to profiling based on this provision within the meaning of Art. 4 no. 4 GDPR.
If you lodge an objection, we will no longer process your personal information unless we can prove compelling, legitimate reasons for processing that outweigh your interests, rights and freedoms, or where processing serves the assertion, performance or defence of legal entitlements.
- Right to object to the processing of data for advertising purposes
In individual cases, we will process your personal data in order to engage in direct advertising. You have the right to lodge an objection to the processing of data relating to you for the purpose of such advertising at any time.
If you object to processing for the purpose of direct advertising, we will no longer process your personal data for such purposes.
The objection may be lodged informally, and where possible should be sent to firstname.lastname@example.org