I. INTRODUCTION AND TERMINOLOGY
Our data protection provisions contain technical terms included in the GDPR and BDSG. For clarification, we would like to explain these terms in simple terms, as follows:
2.1 Personal data
‘Personal data’ means any information concerning an identified or identifiable individual (GDPR Art. 4 (1)). Information of an identified person can be, for example, the name or email address. However, personal data is also data where the identity is not immediately obvious, but can be determined by combining one’s own information or that of others, thereby identifying them. A person becomes identifiable, for example, by providing their address or bank details, date of birth or user name, IP addresses and/or location data. Of relevance here is any information that can possibly allow a conclusion to be drawn about a person.
Under GDPR Art. 4 No. 2, ‘processing’ is understood to mean any operation concerning personal data. This applies in particular to the collection, recording, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or any other form of making available, comparison or linking, restricting, deleting or destruction of personal data.
II. CONTROLLER AND DATA PROTECTION OFFICER
The person responsible for the processing of data is:
Company: MA-BA Immobilienbeteiligungsgesellschaft mbH
Address: Zum Königsgraben 2, 15806 Zossen, Germany
Telephone: +49 30-84 77 13 22
Fax: +49 30-84 77 13 33
represented by the Managing Director, Matthias Bahr
4. DATA PROTECTION OFFICER
We have appointed a data protection officer for our company. You can reach him at:
Name: Arne Platzbecker
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg
Telephone: +49 40-46 00 89 66
Fax: +49 40-46 00 89 77
III. SCOPE OF PROCESSING
5. SCOPE OF PROCESSING: WEBSITE
For the purposes of the website, we process the personal data from you set out in Section IV below. We only process data from you that you actively provide on the website (e.g. by filling out forms) or that you automatically provide when accepting our offer of services.
Your data will be processed exclusively by us and will not be sold, lent or passed on to third parties. If we use the help of external service providers to process your personal data, this is done within the framework of commissioned processing, in which we as the client are authorised to issue instructions to our contractors. We use external service providers for the hosting of our website. We host our website with netcup GmbH (address: Riedemannweg 60, 13627 Berlin), an external provider at a data centre location in Frankfurt-on-Main, Germany. If further external service providers are used for the individual processing operations set out in Section IV, they will be named there.
As a matter of principle, we do not transfer data to third countries and we do not plan to do so. We will provide information on exceptions to this principle in the processing operations outlined below. Any data transfer to third countries then takes place on the basis of EU standard contractual clauses.
IV. PROCESSING IN DETAIL
6. PROVIDING THE WEBSITE AND SERVER LOGFILES
6.1 Description of processing
Each time you access the website, we automatically collect information that your browser transmits to our server. This comprises the following data:
• IP address
• Browser software used, as well as its version and language
• The website from which visitors have accessed the website (the ‘referrer’)
• The date and time the website was accessed
These are also stored in our systems’ log files. The temporary storage of your IP address by the system is necessary to be able to deliver our website to a user’s terminal. For this purpose, the user’s IP address must remain stored for the duration of the session. Your IP address is also recorded in the log files for security reasons to prevent attacks on our website (in particular, DDos attacks) and to prevent
Processing is carried out to enable the website to be called up and to ensure its stability and security. Furthermore, the processing serves the statistical evaluation and improvement of our online offer.
6.3 Legal basis
Processing is necessary to protect the overriding legitimate interests of the controller (GDPR Art. 6 para. 1 point f)). Our legitimate interest is the purpose set out under Clause 6.2.
6.4 Storage period
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is when the respective session has ended. The log files are deleted after 30 days.
7. CONTACTING US BY EMAIL
7.1 Description of processing
You can also contact us via the email addresses provided on the website. In this case, the personal data transmitted with the email will be processed by us.
The data transmitted with and in the contact form or your email will be used exclusively for the purpose of processing and responding to your request.
7.3 Legal basis
Processing is necessary to protect the overriding legitimate interests of the controller (GDPR Art. 6 para. 1 point f)). Our legitimate interest is the purpose set out under Clause 7.2. If the email contact is aimed at the conclusion or performance of a contract, data processing is carried out for the performance of the contract (GDPR Art. 6 para. 1 point b).
7.4 Storage period
Data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is usually when the respective communication with you has ended. The communication is ended when it is clear from the circumstances that your request has been conclusively addressed. If legal retention periods prevent deletion, the data will be deleted immediately after expiry of the legal retention period.
8. FONT AWESOME
Our website uses ‘Font Awesome’, an icon display and integration service developed by the company Fonticons, Inc.. We run Font Awesome exclusively as an installation on our own server. Therefore, no data transmission is possible with the use and display of icons. Fonticons, Inc. hand in hand.
When our website is displayed, your terminal’s standard fonts are replaced by text fonts. This is done in order to make the display of the text on our customer portal clearer and more attractive. We have decided to adopt a privacy-friendly solution to font substitution. We do not use any external services, such as Google Fonts or Adobe Fonts. Instead, the fonts which are replaced are stored locally on our server. When you visit our site, this has the advantage that no request is made from your browser to external font substitution services, and therefore no data is transmitted to third parties, particularly linking your IP address to the address of our website.
10. EXTERNAL LINKS
In places, our website contains links to external websites. No data is processed on our website if you click on such a link. The operator of the website accessed via the link is responsible for any processing of data on that website.
11. PROCESSING OF APPLICANTS’ DATA
11.1. Description of processing
We process the data that you disclose in connection with your application in order to check your suitability for the post (or any other open positions in our company) and to conduct the application process. his is made up of general information about you (such as your name, address and contact details), information about your professional qualifications and education, information about further vocational training, knowledge and skills, and other information that you disclose to us in connection with your application. This is usually taken from application letters, your CV, certificates, correspondence and telephone or verbal information received from you.
We want to evaluate all applicants solely on the basis of their qualifications, and we therefore ask you so far as possible to avoid communicating “special categories of personal data” within the meaning of GDPR Art. 9 in your application (e.g. photos showing your ethnic origin, data on disabilities, etc.). If your application contains such information, please send us your consent to processing it; otherwise your application will not be considered.
If your application is successful, we shall include your data in your personnel file and use it to manage and terminate your employment relationship.
If we are currently unable to offer you employment, we shall process your data even after we have informed you of that fact, in order to defend ourselves against any legal claims, in particular for alleged discrimination in the application process. If you are not selected for the vacant post, provided we have your consent we shall transfer your data to our applicant pool.
Your data is processed in order to conduct the application process, to decide whether we will employ you and to document our compliance with the legal rules governing the application process.
11.3. Legal basis
The legal basis for processing data in connection with the application process is Federal Data Protection Act [BDSG] §26 para. 1, 1st sentence and GDPR Art. 6 para. 1(b). If your application is successful, your data will then be processed pursuant to GDPR Art. 6 para. 1 1st sentence(b) in conjunction with GDPR Art. 88 para. 1 and with BDSG §26 para. 1, for the purpose of establishing, managing and terminating the employment relationship. f you have given your consent, e.g. to include your data in our applicant pool, your data will be processed on the basis of GDPR Art. 6 para 1(a). Otherwise, the legal basis for processing after your application has been rejected is GDPR Art. 6 para. 1(f). Our legitimate interest lies in defending ourselves against legal claims.
11.4. Storage period
If your application is successful, your data will be transferred to your personnel file and will be deleted in accordance with the rules applicable to personnel files. If we are currently unable to offer you employment, we shall process your data for up to six months after we have informed you of that fact. If we transfer your data to our applicant pool after completion of the application process, we shall delete it from the applicant pool if we employ you at a later date, or otherwise two years after it was added to the applicant pool.
11.5. Recipients of your data, transmission of data to third parties and transfer to third countries
Your application data will be reviewed by our personnel department after your application has been received. Suitable applications are then forwarded internally to the department responsible for the open position in question. We shall then decide how to proceed. Within the firm, only those persons who need your data for the proper conduct of our application process will have access to it. our data will not be transmitted to third parties. Data is not transmitted to third countries, nor are there any plans to do so.
V. SECURITY MEASURES
12. SECURITY MEASURES
To protect your personal data from unauthorised access, we have protected our website with an SSL certificate. SSL stands for ‘Secure Sockets Layer’ and encrypts the communication of data between our server and the website on the user’s end device. You can recognize the active SSL or TLS encryption by a small lock logo that is displayed on the far left in the address line of the browser.
VI. YOUR RIGHTS
13. AFFECTED RIGHTS
With regard to the processing of data by our company as described above, you are entitled to the following affected rights:
13.1 Information (GDPR Art. 15)
You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, under the conditions set out in GDPR Art. 15, you have a right of access to this personal data and to the information as set out in GDPR Art. 15.
13.2 Rectification (GDPR Art. 16)
You have the right to demand that we rectify any inaccurate personal data concerning you and, if necessary, complete any incomplete personal data without delay.
13.3 Erasure (GDPR Art. 17)
You have the right to demand that we erase personal data concerning you without delay if one of the reasons set out in GDPR Art. 17 applies, e.g. if your data is no longer required for the purpose for which it was collected.
13.4 Restriction of data processing (GDPR Art. 18)
You have the right to request that we restrict processing if one of the conditions set out GDPR Art. 18 applies, e.g. if you dispute the accuracy of your personal data, the processing of data will be restricted for the period of time that allows us to verify the accuracy of your data.
13.5 Data portability (GDPR Art. 20)
Under the conditions set out in GDPR Art. 20, you have the right to request that the data concerning you be handed over in a structured, commonly used and machine-readable format.
13.6 Withdrawal of consent (GDPR Art. 7 para. 3)
You have the right to withdraw your consent at any time in the case of processing based on consent. The withdrawal of consent shall apply from the time it is asserted. In other words, it is applicable in the future. The processing therefore does not become retroactively unlawful by the withdrawal of consent.
13.7 Complaints (GDPR Art. 77)
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.
13.8 Automated individual decision-making, including profiling (GDPR Art. 22)
Decisions which have legal effects for you or significantly affect you must not be based exclusively on the automated processing of personal data, including profiling. Please be aware that we do not apply automated decision-making including profiling with regard to your personal data.
13.9 Right to object (GDPR Art. 21)
If we process your personal data on the basis of GDPR Art. 6 para. 1(f) (to protect overriding legitimate interests), you have the right to object to this under the conditions set out in GDPR Art. 21. However, this only applies if there are reasons arising from your particular situation. If an objection is raised, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. We also do not have to stop processing it if it serves the purpose of asserting, exercising or defending legal claims. In any case, and irrespective of a specific situation, you have the right to object to the processing of your personal data for direct marketing at any time.
As at: November 2021