Data Protection Statement in accordance with GDPR
I. Name and address of the controller
The controller in accordance with the General Data Protection Regulation, other national data protection laws of the Member States and other legal data protection provisions is:
Steinbauer Immobilien GmbH
Managing Director: Andreas Steinbauer
Bierstadter Straße 7
Phone: +49 611 989 51 0
Fax: +49 611 989 51 18
II. General information on data processing
1. Scope of processing of personal data
In principle, we only collect and use our users’ personal data when it is necessary to do so in order to provide a functioning website and for our content and services. The collection and use of our users’ personal data is normally only carried out with the user’s consent. One exception is where it is not possible to obtain consent beforehand for practical reasons and it is permitted by law to process the data.
2. Legal basis for the processing of personal data
When we obtain consent for processing operations for personal data from the data subject, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) forms the legal basis.
In the case of the processing of personal data which is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR forms the legal basis. This also applies for processing operations that are necessary to take steps prior to entering into a contract.
When processing personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR forms the legal basis.
In the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR forms the legal basis.
If the processing is necessary for the protection of the legitimate interests of our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR forms the legal basis for the processing.
3. Data erasure and storage period
The data subject’s personal data will be erased or made unavailable as soon as the purpose of storage ceases to apply. Storage can also be carried out if this is provided for by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will only be made unavailable or erased if the storage period prescribed by the aforementioned standards lapses, unless continued storage of the data is necessary for conclusion or performance of a contract.
III. Operation of a website and creation of log files
1. Description and scope of data processing
Every time our website is visited, our system automatically records data and information from the system of the requesting computer.
The following data is collected in this way:
- date and time of access
This data is not stored.
2. Legal basis for data processing
The legal basis for the temporary storage of data is Article 6(1)(f) GDPR.
3. Purpose of data processing
It is necessary for the system to store the IP address temporarily to enable the website to be sent to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.
We also have a legitimate interest in data processing for these purposes in accordance with Article 6(1)(f) GDPR.
4. Duration of storage
The data will be erased as soon as it is no longer required to achieve the purpose of its collection. When data is collected to operate a website, this is the case when the relevant session ends.
5. Right to object and right to rectification
Recording data to operate the website and storing the data in log files is essential for running the website. Therefore, the user does not have any right to object.
IV. E-mail contact
1. Description and scope of data processing
You have the option to contact us via the e-mail address provided on our website. In this case, the user’s personal data transmitted with the e-mail will be stored.
We will not distribute the data to third parties in this context. The data is solely used to process the conversation.
2. Legal basis for data processing
The legal basis for the processing of data when the user’s consent has been obtained is Article 6(1)(a) GDPR.
The legal basis for the processing of data that is transmitted when sending an e-mail is Article 6(1)(f) GDPR. If the aim of contact by e-mail is to conclude a contract, Article 6(1)(b) GDPR is also a legal basis for processing.
3. Purpose of data processing
If making contact via e-mail, the use of personal data is used purely to process this contact. This is also the necessary legitimate interest in processing the data.
The other personal data processed during submission is used to prevent misuse of the contact form and ensure the security of our IT systems.
4. Duration of storage
The data will be erased as soon as it is no longer required to achieve the purpose of its collection. For personal data which has been sent by e-mail, this is the case when the conversation with the user ends.
Additional personal data collected during submission will be erased after seven days at the latest.
V. Rights of data subjects
If your personal data is processed, you are the data subject in accordance with the GDPR and you have the following rights vis-à-vis the controller:
1. Right of access
You can request confirmation from the controller of whether we process personal data concerning you.
If such processing is carried out, you can request details of the following information from the controller:
- the purposes for which the personal data is processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom personal data concerning you has been or will be disclosed;
- the planned length of storage of the personal data concerning you or, if it is not possible to provide specific details of this, the criteria for determining the storage period;
- the existence of a right to the rectification or deletion of the personal data concerning you, a right to restrict the processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information on the origin of the data, if the personal data is not obtained from the data subject;
- the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and, in these cases at least, meaningful information on the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether personal data concerning you will be transferred to a third country or to an international organisation. In this regard, you can request information on the appropriate safeguards in accordance with Article 46 GDPR related to transfer.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification immediately.
3. Right to restriction of processing
Under the following circumstances, you can request the processing of personal data concerning you to be restricted:
- for a period enabling the controller to verify the accuracy of the personal data, if you are contesting the accuracy of the personal data concerning you;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of use of the personal data instead;
- when the controller no longer needs the personal data for processing purposes, but you need it to establish, exercise or defend your legal rights, or
- when you have objected to the processing in accordance with Article 21(1) GDPR and verification of whether the controller’s legitimate grounds override your grounds is still pending.
Where the processing of personal data concerning you has been restricted, this data may, with the exception of storage, only be processed with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted under the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Duty to erase
You can ask the controller to erase personal data concerning you immediately and the controller is obliged to erase this data immediately where one of the following grounds applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there are no other legal grounds for the processing.
- You submit an objection to the processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you submit an objection to the processing in accordance with Article 21(2) GDPR.
- The personal data concerning you was processed unlawfully.
- The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of a Member State to which the controller is subject.
- The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) GDPR.
b) Disclosing information to third parties
If the controller has made personal data concerning you public and is obliged to erase it in accordance with Article 17(1) GDPR, he shall take reasonable steps, taking into account available technology and implementation costs, including technical measures, for the data processing to inform controllers processing the personal data that you, the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.
The right to erasure is not granted if the processing is necessary
- to exercise the right of freedom of expression and information;
- to fulfil a legal obligation which requires processing in accordance with the law of the Union or the Member States to which the controller is subject or to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons in the public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, if the right provided in (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
- to establish, exercise or defend legal claims.
5. Right to information
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or would involve a disproportionate effort.
You have the right vis-à-vis the controller to information on these recipients.
6. Right to data portability
You have the right to receive personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, if
- the processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract in accordance with Article 6(1)(b) GDPR and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where this is technically feasible. The freedom and rights of others may not be adversely affected by this.
The right to data portability does not apply for the processing of personal data that is necessary to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right of objection
You have the right, for reasons of your own particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Article 6(1)(e) or (f) GDPR; this also applies to any profiling based on these provisions.
The controller will no longer process the personal data concerning you, unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing facilitates the establishment, exercise or defence of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
Notwithstanding Directive 2002/58/EC, you are also entitled in the context of the use of information society services to exercise your right of objection by means of automated procedures for which technical specifications are used.
8. Right to withdraw declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or similar significant adverse effects for you. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and the controller,
- is permissible under the law of the Union or the Member States to which the controller is subject, and this law provides adequate measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your express consent.
However, these decisions may not be based on special categories of personal data in accordance with Article 9(1) GDPR, unless Article 9(2)(a) or (g) applies and suitable steps to protect rights and freedoms and your legitimate interests have been taken.
In the cases stated in (1) and (3), the controller will take suitable steps to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 GDPR.