This document provides information on how we process your personal data and the rights you have in accordance with data protection regulations, in particular the European General Data Protection Regulation (GDPR).
Personal data as defined by the GDPR means all data which can be linked back to you as an individual, e.g. name, address, e-mail address, usage behaviour. The specific data that are processed and how these are used depends largely on which of our services are used.
1. Who is responsible for data processing and who can I contact?
Controller for the purpose of fulfilling our legal data protection obligations:
- Hines Immobilien GmbH
- Joachimsthaler Str. 1
- 10623 Berlin
2. What sources and data do we use?
We process personal data which we obtain from you within the context of your use of our Website and, where applicable, our business relationship.
If you are using the Website purely for information purposes, i.e. you do not register with us or send us other information, we only collect the personal data that your browser sends to our server. When you access our Website, we collect the following access data which we require for technical reasons in order to display our Website to you and to ensure stability and security. Access data include your IP address, the date and time of the request, time zone differences with respect to Greenwich Mean Time (GMT), the content of the request (i.e. the name of the specific website being accessed), access status/HTTPS status code, the volume of data transmitted in each instance, the referrer URL (previously visited website), the operating system and its interface, the language, version and type of browser software, and a notification of successful access.
We also obtain your personal data if you contact us by e-mail or using the contact form. Personal data here include your name, address, e-mail, telephone number and, where applicable, the information you send us in your message (hereinafter referred to as “Contact Data”).
3. Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for the following purposes and on the following legal bases:
|Insofar as you have granted us consent to process personal data for specific purposes, in particular for communicating with you (e.g. using our contact form or via e-mail for processing and resolving your query, sending out newsletters, sending out advertising by phone, e-mail, text etc.), the legal basis for this processing is your consent. You can withdraw your consent at any time. Please note that your withdrawal of consent will only apply to future processing. Processing that has occurred before such time will therefore not be affected by you withdrawing your consent. You can withdraw your consent by contacting us at the above-mentioned address or by e-mail at Germany.Datenschutz@hines.com.|Consent, Art. 6(1)(1) lit. a) GDPR|
|When contacting us (via e-mail or using the contact form), your details and any consent you provide for us to process and handle your contact request are also processed in order to take steps prior to entering into a contract, Art. 6(1)(1) lit. b) GDPR.|Taking steps at the request of the data subject prior to entering into a contract, Art. 6(1) lit. b) GDPR|
|We process your access data in order to safeguard our legitimate interests or the legitimate interests of third parties. In doing so, we pursue the following legitimate interests in particular:|In the context of balancing interests in order to safeguard legitimate interests, Art. 6(1)(1) lit. f GDPR|
4. Who receives my data?
Within the company, access to your data is given to those employees who require such in order to fulfil our contractual and legal obligations.
Processors whom we engage (Art. 28 GDPR) may also receive data for the aforementioned purposes. These processors are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection agencies, consulting, and sales and marketing. Where we engage processors in order to provide our services, we take suitable legal precautions and relevant technical and organisational measures to ensure that personal data are protected pursuant to the relevant legal regulations.
Data are only forwarded to third parties who are not processors in accordance with legal regulations. We only forward user data to third parties if such is necessary, e.g. on the basis of Art. 6(1)(1) lit. b GDPR for contractual purposes or on the basis of legitimate interests pursuant to Art. 6(1)(1) lit. f GDPR in the economic and effective running of our business, or if you have consented to such data transmission. We do not generally forward any data to third parties if you use our Website for information purposes only.
5. How long are my data stored for?
For security reasons (e.g. to investigate acts of abuse or fraud), log file information is stored for a maximum of seven days and is then erased (see no. 2 above). Data which must be retained for evidentiary purposes are exempt from erasure until the incident in question has been fully resolved.
Where necessary, we process and save your personal data for the duration of our business relationship, which may also include initiation and conclusion of a contract by e-mail or using the contact form, for example.
We are also subject to various retention and documentation obligations arising from the German Commercial Code (HGB) and German Tax Code (AO) etc. The retention or documentation periods specified therein last from two to ten years.
The storage period is also determined in accordance with the statutes of limitations, which are generally 3 years in accordance with Section 195 et seq. of the German Civil Code (BGB), for example. However, in certain cases they may be up to thirty years, whereby the regular statute of limitations is three years.
6. Are data transmitted to a third country or international organisation?
The data provided are processed within the European Union and the USA. Please note that we have concluded standard EU data protection clauses with recipients of your data in states without an adequacy decision from the European Commission in accordance with Art. 45 GDPR, as is the case for the USA (e.g. Google, Salesforce, Adobe).
Note: the level of personal data protection in the USA does not correspond to the level required by the EU. In particular, you do not have any enforceable rights which protect your data against access by state actors. There is therefore a risk that these state actors may access your personal data without the transmitter or recipient of the data being able to effectively prevent this.
7. What data protection rights do I have?
Every user of the Website or data subject has:
- a right of access in accordance with Art. 15 GDPR (i.e. you have the right to obtain information at any time regarding the personal data concerning you which we have stored);
- the right to rectification in accordance with Art. 16 GDPR (i.e. in the event that your personal data are incorrect or incomplete, you have the right to demand that these data be rectified);
- the right to erasure in accordance with Art. 17 GDPR and the right to restriction of processing in accordance with Art. 18 GDPR (i.e. where applicable, you have the right to request the erasure or restriction of processing of your personal data if, for example, there is no longer any legitimate business purpose for such processing and statutory retention obligations no longer require these data to be stored);
- the right to data portability in accordance with Art. 20 GDPR (i.e. where applicable, you have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format, and to transmit these data to another controller without hindrance).
You may furthermore withdraw your consent, generally with effect for the future.
You also have a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with Art. 19 BDSG). You can find out which supervisory authority is responsible for you at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
We would also like to make you aware of your right to object in accordance with Art. 21 GDPR:
Information about your right to object in accordance with Art. 21 GDPR
You have the right to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(1) lit. e) GDPR (data processing in the public interest) and Art. 6(1)(1) lit. f) GDPR (data processing based on a balancing of interests) on grounds relating to your particular situation.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for this processing which outweigh your interests, rights and freedoms, or if this processing is used to establish, exercise or defend legal claims.
In individual cases, we process your personal data for the purposes of direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as such is connected with direct marketing. If you object to processing for the purposes of direct marketing, we will no longer process your personal data for these purposes.
There are no formal requirements for objecting and you will not incur any costs other than the standard delivery costs.
If possible, please send your objection to:
Hines Immobilien GmbH
Joachimsthaler Str. 1
or by e-mail to: Germany.Datenschutz@hines.com
8. To what extent is automated individual decision-making performed, including profiling?
Within the context of accessing our Website or when you contact us using the contact form or via e-mail, we do not generally use any fully automated decision-making pursuant to Art. 22 GDPR. In the event that we use such processes in individual cases, we will inform you thereof separately where we are legally required to do so. We do not carry out any automated processing of your data with the aim of evaluating specific personal aspects (profiling).
9. Am I obliged to provide data?
Within the context of our Website, you must provide the personal data necessary for using our Website from a technical perspective or for IT security reasons. If you do not provide the aforementioned data, you will not be able to use our Website.
When contacting us using the contact form or by e-mail, you must provide the personal data required in order for your request to be processed. Otherwise we will not be able to process your request.
Some of these cookies are necessary for the functioning of our Website, whilst other cookies help us to improve our Website by giving us an insight into how you use the Website.
By default, we only use necessary cookies. Necessary cookies make the core features of our Website work. Without these cookies, the Website cannot be displayed correctly and in some cases individual areas may not function properly. Necessary cookies can only be blocked by changing the relevant settings in your browser.
10.2 Use of Adobe Fonts
In order to make our Website visually appealing, we use Adobe Fonts from Adobe Systems Software Ireland Ltd. 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland (“Adobe”).
This service allows us to access Adobe’s font library. In order to be able to display the fonts we use, your browser has to establish a connection with the Adobe server in the USA and download the font in question. This lets Adobe know that our Website was accessed from your device’s IP address.