Data Protection Declaration
We are delighted that you have shown an interest in our company. For the management of Pöppinghaus Grundbesitz Verwaltung GbR (Pöppinghaus Real Estate Management) data protection is of particular importance. Our website can be utilised without the need to supply any personal data. However, when an individual would like to make use of some of the more specific services provided by our organization it is possible that the processing of personal data will become necessary.
Where the processing of personal data is necessary without a pre-existing legal basis we will request general consent from the affected individual (data subject). The processing of personal data, including the name, postal address, email address or telephone number of an individual will always take place in accordance with the GDPR and conforming to the applicable country and region specific data protection regulation as it applies to Pöppinghaus Grundbesitz Verwaltung GbR.
Through this data protection declaration our organisation would like to inform the public over the nature, scope and purpose of the personal data which we collect, use and process.
This data protection declaration also informs affected individuals (data subjects) of their rights. In order to ensure that personal data processed by this website remain completely protected, Pöppinghaus Grundbesitz Verwaltung GbR has implemented a number of technical and organisational measures. Nonetheless, the transmission of data over the internet can in principle present gaps in security, meaning that absolute protection cannot be guaranteed. For this reason every affected individual is provided with the option of transferring their personal data to us using an alternative channel, for instance over the telephone.
The data protection declaration established by Pöppinghaus Grundbesitz Verwaltung GbR is based on the terminology of the pan-European regulations and guidelines set out in the GDRP. Our data protection declaration should be easy to read and clear for the public, as well as for our clients and business partners. In order ensure this we would first like to set out and clarify the terminology which will be used:
Throughout this data protection declaration we use the following terms, among others:
a) Personal Data
Personal data means all information which is related to either an identified or identifiable natural person (hereinafter the ‘data subject’). A natural person is considered identifiable if they can be identified either directly or indirectly, especially through the reference to an identifier such as a name, ID number, location, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
b) Data Subjects
A data subject is any identified or identifiable natural person whose personal data are processed by the responsible data controller.
Processing is considered to be any process or set of processes performed on personal data; either by automatic means or otherwise. This can include the recording, organization, arrangement, filing, storage, adaptation, alteration, retrieval, consultation, use, transmission, dissemination or in any form publication, alignment, assimilation, restriction, erasure or elimination.
d) Processing Limitations
Processing limitation refers to the marking of saved personal data with the intention of restricting its future processing.
Profiling is any type of automated personal data processing carried out in order to evaluate certain characteristics related to a natural person, in particular to analyse or predict data related to the natural person’s performance at work, economic situation, health, personal interests, reliability, conduct, place of residency or change in location.
Pseudonymisation is the processing of personal data in such a way as to ensure that the data cannot be attributed to an individual data subject without additional information – provided the data are stored separately and technical and organisational measures are in place which ensure that personal data are not attributed to any individual natural person.
g) Individual responsible for data processing (data controller)
The individual responsible for data processing (data controller) is the natural or legal person, government body, institution or other entity which either alone, or in collaboration with other decides over the purpose and means of the processing of personal data. If the purpose and means of this data processing is defined by EU law or the law of the EU member states, provision may be made related to the designation of a responsible person in accordance with EU law or the law of EU member states.
h) External Processor
An external processor is a natural or legal person, government body, institution or other entity which processes personal data on a contract basis for the individual responsible for data processing (data controller).
The recipient is a natural or legal person, government body, institution or other entity to which personal data are disclosed, regardless of whether or not this is a third party. Government bodies who receive personal data as part of an investigative process in accordance with EU law or the law of member states are not considered to be recipients.
j) Third Parties
A third party is a natural or legal person, government body, institution or other entity, excluding the data subject, the individual responsible for data processing (data controller), and individuals who work directly under the authority of the data controller processing authorised to process personal data.
Consent is any freely given, informed and unambiguous declaration of will given by the data subject in a specific case. It can also be any other unequivocal affirmative act by which the data subject indicates their consent to the processing of their personal data.
2. Name and postal address of the data controller:
The responsible party, in accordance with the GDPR and any other data protection legislation in other member states of the European Union, and any other provisions related to data protection is:
Pöppinghaus Grundbesitzverwaltung GbR,
Consisting of Pöppinghaus Beteiligungsgesellschaft GmbH,
Registered at (local court) Amtsgericht Bad Homburg,
HRB Nr. 5790,
of Zimmersmühlenweg 11,
and Dr. Christoph Pöppinghaus,
Residing at: Zimmersmühlenweg 11,
61440 Oberursel, Germany
Tel.: +49 6171 581170,
3. Collection of general data and information:
The website of Pöppinghaus Grundbesitz Verwaltung GbR collects certain pieces of general data and information every time the website is accessed by a data subject (an individual) or by an automated system. These general pieces of data are stored in the log files on the server. The following can be collected: (1) the type of internet browser being used, (2) the operating system being used by the individual (3) the website which refers an individual to our page (4) the subpages which redirect to our website (5) the date and time of access to our website (6) the IP address (7) the internet service provider of the system accessing the website (8) further similar data and information, which could assist for security purposes in the case of a cyber attack on our IT systems.
4. The regular deletion and blocking of personal data:
The data controller processes and stores personal data only for the period necessary for the completion of the task for which they are stored, or for the period designated either by the European regulators, or another legislator whose laws or regulations apply to the data controller.
If the purpose for storing the data ceases to apply or if the period prescribed by the European regulator or other applicable legislator expires the personal data will be blocked or deleted in accordance with the applicable statutory provisions.
5. Rights of the data subject. Right to confirmation
Every data subject has the right under the European regulations to request a confirmation from the data controller as to whether their personal data are being processed. If a data subject would like to take advantage of this opportunity they are welcome to contact a colleague of the data controller at any time.
b) Right of access
Every data subject has the right under European regulations to request and receive from the data controller a copy of the personal data being held by us at any time, without charge.
Furthermore the European regulator grants the data subject the right to request and receive the following information:
- the purpose of the data processing
- the categories of personal data which are being processed
- the recipients, or categories of recipient who will had/have access to the personal data, especially in respect to recipients in non EU countries, or in international organisations.
- where possible, the planned duration for which personal data are saved, or, where this is not possible, the criteria by which the duration is decided.
- the existence of a right to notification or deletion of the personal data in question, or the restriction of its processing through the responsible parties, or an opt-out from the data processing.
- the existence of the right to complain to a regulatory authority
- where no personal data have been collected on the data subject: all information regarding the origin of data
- the existence of an automated decision making process including profiling – in accordance with article 22, sections 1 and 4 of the GDPR, and, at least in these cases, meaningful information on the logic involved, as well as the scope and intended effect of the processing of data held on the data subject.
Additionally, the data subject has a right to know whether their personal data were transferred to a non EU country, or to an international organization. If this is the case, the data subject usually has the right to knowledge of the guarantees associated with this data transfer. If a data subject would like to make use of this right they can contact a co-worker of the data controller at any time.
c) Right to rectification
Every data subject has the right under European regulations to demand the correction of any incorrect data held regarding them. Additionally, the data subject has the right, in consideration of the intended purpose of the data processing, to complete incomplete personal data by means of the submittal of a supplementary declaration. If a data subject would like to make use of this right they can contact a co-worker of the data controller at any time.
d) Right to deletion (the right to be forgotten)
Every data subject has the right under European regulations to demand the data controller delete personal data held on them without delay, as long as one of the following applies and the processing of the data is not required:
- the personal data were collected for a purpose, or otherwise processed in such a that is no longer required.
- the data subject retracts the consent under which data processing was carried out, either in accordance with article 6, paragraph 1 a of the GDPR, or article 9, paragraph 2a of the GDPR, and there is no longer a legal basis for the data processing.
- the data subject lodges an official objection to the data processing in accordance with article 21, paragraph 1 of the GDPR, and there is no longer a legitimate basis for the processing of the data, or the data subject lodges an official objection to their data processing under article 21, paragraph 2 of the GDPR.
- the personal data were processed unlawfully
- the deletion of the data is required in order to fulfil an obligation under EU law, or the law of any member state to which the data controller is subject
- the personal data were collected in relation to information society services in accordance with the GDPR, article 8, paragraph 1.
Where one of the above mentioned reasons is applicable and the data subject requests the deletion of personal data which are stored by Pöppinghaus Grundbesitz Verwaltung GbR, they can contact an employee of the data controller at any time. The Pöppinghaus Grundbesitz Verwaltung GbR employee will ensure that the data are deleted without delay
If personal data are made public by Pöppinghaus Grundbesitz Verwaltung GbR, and our organization is required to delete personal data in accordance with the GDPR, article 17, paragraph 1, Pöppinghaus Grundbesitz Verwaltung GbR will take all reasonable measures to inform other data controllers who process said personal data (including technical measures, taking into consideration the availability of technology and the associated costs), requesting they delete all links to this personal data, or copies of this personal data which are in their possession, unless the processing is necessary. An employee of Pöppinghaus Grundbesitz Verwaltung GbR will take all necessary measures to deal with this on a case by case basis.
e) The right to limit processing
Every data subject has the right under European regulations to demand the data controller limit the processing of their personal data, when one of the following criteria applies:
- the accuracy of the personal data is disputed by the data subject- for a period of time long enough to allow the data controller the opportunity to check it.
- the data processing is unlawful, the data subject rejects the option of having their personal data deleted and instead opts to have their usage restricted.
- the data controller no longer requires the personal data for the original processing purpose, the data subject requires them however to assert, exercise or defend legal claims.
- the data subject has lodged a complaint against the data processing in accordance with article 21, paragraph 1 of the GDPR and it is not yet confirmed whether the legitimate grounds of the data controller outweigh those of the data subject.
If one of the above mentioned prerequisites applies and the data subject wishes to request the limitation of the processing of data being stored by Pöppinghaus Grundbesitz Verwaltung GbR they can contact an employee of the data controller at any time. The employee of Pöppinghaus Grundbesitz Verwaltung GbR will carry out the limitation of data processing request.
f) right to data portability
Every data subject has the right under European regulations to demand the data controller provide them with all of the data being held on them in a structured, accessible and machine readable format. The data subject also has the right to the transfer their personal data to another data controller without obstruction, provided the request is in accordance with the consent set out in article 6, paragraph 1a of the GDPR, or article 9, paragraph 2a of the GDPR or another contract in accordance with article 6, paragraph 1b of the GDPR and the transfer takes place through an automated process, unless the processing is carried out for the performance of a task in the public interest, or for the controller to exercise an official duty.
Furthermore the data subject has, in using their right to the transfer of their data, in accordance with article 20, paragraph 1 of the GDPR, the right to have their personal data transferred directly from one data controller to another, as long as this is technically possible and as long as the right and freedoms of another individual will not be impaired. To apply their right to the transfer of personal data a data subject can contact an employee of Pöppinghaus Grundbesitz Verwaltung GbR at any time.
g) Right to appeal
Every data subject has the right under European regulations, for reasons pertaining to their individual situation to appeal against the processing of their data, in accordance with article 6, paragraph 1 e or f of the GDPR. This also applies to profiling based on these provisions. In the case of an appeal Pöppinghaus Grundbesitz Verwaltung GbR will no longer process the personal data in question, unless we can prove compelling and legitimate reasons- which outweigh the interests, rights and freedoms of the data subject, or the processing serves the Assertion, exercise or defence of legal claims.
If Pöppinghaus Grundbesitz Verwaltung GbR processes personal data in order to carry out direct advertising the data subject has the right to appeal against the processing of their personal data for these purposes. This also applies to profiling, as far as it is connected to direct advertising.
If the data subject appeals to Pöppinghaus Grundbesitz Verwaltung GbR regarding the processing of their personal data for direct advertising purposes Pöppinghaus Grundbesitz Verwaltung GbR will no longer use the personal data for this purpose.
Furthermore the data subject has the right, based on reasons applicable to their individual circumstances, to appeal against the processing of personal data which are being used by Pöppinghaus Grundbesitz Verwaltung GbR for scientific or historical research purposes, in accordance with article 89, paragraph 1 of the GDPR, unless this processing is necessary for the completion of a task which is in the public interest. To apply their right to appeal the data subject can approach a member of staff at Pöppinghaus Grundbesitz Verwaltung GbR at any time. The data subject is always able, in connection with the usage of the use of information society services, unprejudiced by the guideline 200/57/EG, to make their appeal through an automated process, by which technical specifications will be used.
h) automated decisions in one off cases including profiling
Every data subject has the right under European regulations not to be subject to a decision based exclusively on automated processing- including profiling, which has legal implications for them, or would in impact or disadvantage them in a similar way, as long as the decision is (1) not necessary for the closure or fulfilment of a contract between the data subject and the data controller, or (2) based on the regulations of the EU or member states, whose rules the data controller is subject to, which contain legally applicable measures to ensure the right and freedoms as well as the interest of the data subject (3) take place with explicit consent from the data subject. If the decision is (1) for the closure or fulfilment of a contract between the data subject and the data controller or (2) takes place with the explicit consent of the data subject where appropriate measures apply to Pöppinghaus Grundbesitz Verwaltung GbR in order to protect the rights and freedoms and legal interests of the data subject, where at least the right to gain the involvement of someone from the side of the data controller, to present their own position to be heard on appeal to the original decision. If the data subject would like to take advantage of their rights in relation to automated decision making they can approach an employee of the data controller at any time.
i) right to repeal a data protection declaration of consent
Every data subject has the right under European regulations to repeal the declaration of consent they submitted for the processing of their personal data. If the data subject would like to take advantage of their right to repeal their declaration of consent for data processing they can approach an employee of the data controller at any time.
6. Legal basis for data processing
Article 6, I lit of the GDPR serves our organisation as the legal basis for data processing, by which we request consent for the processing of data for a particular purpose. If the data processing is necessary in order to fulfil a contract, where the contractual partner is the data subject, for instance, for processing operations for the delivery or products or the fulfilment of another service, the processing falls under article 6 I lit b of the GDRP. The same applies for other processing operations where pre-contractual measures are necessary, for instance as it applies to questions regarding our products and services. If there is a legal obligation applied to our company through which the processing of data becomes necessary, for example in the fulfilment of our taxation requirements, the processing of data will be based on article 6, I lit of the GDPR. In rare cases the processing of personal data can become necessary for the protection of vital interests of the data subject, or another natural person. This would be the case where, for example a visitor gets injured in our office and information such as his name, age, health insurance data, or other vital information needs to be given to a doctor, hospital or other such third party. In this case the processing would be based on article 6d of the GDPR.
Finally, processing activities can fall under the remit of article 6f of the GDPR. Processing activities not covered by any of the aforementioned legal bases fall into this category if data processing is necessary to safeguard the legitimate interests of our company, or of a third party, as long as the interests, fundamental rights and freedoms of the data subject are overridden.
Such processing activities are especially important to us, as they are specifically mentioned in the GDPR. In this sense the position has been taken that a legitimate interest can be considered when the data subject is a client of the data controller (recital 47, sentence 2 of the GDPR)
7. Legitimate interests in the processing of data by the data controller or a third party
If the processing of personal data is based on article 6 f of the GDPR, our legitimate interest is the undertaking of our business activities for the benefit and well-being of all our employees and our shareholders.
8. Duration of storage of personal data
The criteria for the length of time personal data can be stored is the applicable legal retention period. At the end of this period the corresponding data will be routinely deleted, as long as they are no longer required for the fulfilment or initiation of a contract.
9. Legal or contractual regulations for the provision of personal data
Requirements in order to carry out a contract, obligations of the data subject to provide personal data andpossible consequences for not providing personal data: We are informing you that providing personal data is in some cases a legal requirement (for example, for tax compliance), or for contractual regulations (eg data concerning a contractual partner). Furthermore, it can be necessary for the completion of a contract that a data subject supply us with personal data which must then be processed by us. A data subject is, for instance, obliged to supply us with personal data when our organization forms a contract with them. The non-supply of this personal data would have the consequence that we would be unable to form a contract with the data subject. Prior to providing personal data a data subject should contact one of our employees. Our employee will then be able to explain to the data subject on an individual basis whether the personal data are required legally or contractually, or whether they are required for the formation of a contract, whether there is an obligation to supply personal data and which consequences not supplying the personal data would have.
10. The existence of an automated decision making process
As a responsible enterprise we do not implement an automated decision making process or utilize profiling. This data protection declaration was created through the data protection declaration generator of the DGD Deutsche Gesellschaft für Datenschutz GmbH (German Society for Data Protection) which provides services as an external data protection commissioner in Neu-Ulm, and was put together in cooperation with the solicitor Christian Solmecke, specialist in IT and data protection law.
The data protection declaration was translated from the original German text. Where there is a conflict between any part of the English and German text, the German original will be take precedence over the translation.