The protection of your private information when using our website is very important to us, PATRIZIA AG. In the following, we would like to provide you with information on the type, scope and purpose of the collection and use of personal data when using our website. A version in other languages is available upon request.
The data protection declaration (including legally required informational content) is divided into three parts:
- Part 1: Information on data protection concerning our data processing under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR);
- Part 2: Supplementary Data protection declaration for our website;
- Part 3: Information on data protection for applicants.
Part 1: Information on data protection
Information on data protection concerning our data processing under Articles (Art.) 13, 14 and 21 of the General Data Protection Regulation (GDPR). We take data protection seriously; in this section, we would like to provide you with information on how we process your data and what claims and rights you are entitled to under the relevant legal provisions on data protection. In effect from 25 May 2018 onwards.
1. Controller responsible for the data processing and contact details of the controller within the meaning of data protection law
Tel: +49 821 50910-000
Fax: +49 821 50910-999
and its subsidiaries.
In exceptional cases there may also be a joint controllership with other third parties. This is currently limited to individual situations in the area of property and facility management.
Contact details of our data protection officer:
HEC Harald Eul Consulting GmbH
Data Protection + Data Security
Harald Eul (PATRIZIA data protection officer)
Auf der Höhe 34
2. Purposes and legal bases for our processing of your data
We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data protection regulations (details in the following). The details of what specific data are processed and the manner in which they are used depend primarily on the respective services requested or agreed. Further details and supplemental information on the purposes of data processing can be found in the respective contractual documents, forms, declarations of consent and/or other information provided to you (e.g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time.
2.1 Purposes for the fulfilment of a contract or of pre-contractual measures (Art. 6 [1b] GDPR)
The processing of personal data takes place for the performance of our contracts with you and the implementation of your orders, as well as for the execution of measures and activities in the context of pre-contractual relationships, e.g. with potential customers. In particular, the processing thus serves to facilitate the performance of services in accordance with your orders and wishes, and encompasses the services, measures and activities this requires. This includes all business activities focusing on real estate (especially acquisition, sale, brokerage, lease-out and management) and investments in real estate (funds and direct investments). These primarily include contract-related communication with you, the traceability of transactions, orders and other agreements, for quality control through corresponding documentation, goodwill procedures, measures for the control and optimisation of business processes, and for the fulfilment of general due diligence obligations, management and control by associated companies (e.g. a parent company); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, settlement and tax evaluation of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security (including system and plausibility tests) and general security, including building and plant security, safeguarding and exercising domiciliary rights (e.g. through entry controls); ensuring the integrity, authenticity and availability of data, prevention and clarification of criminal offences; controls by supervisory committees or other supervisory bodies (e.g. Internal Audit).
2.2 Purposes in the context of our legitimate interests or those of third parties (Art. 6 [1f] GDPR)
Beyond the actual fulfilment of the contract / preliminary contract, we may potentially process your data if necessary in order to protect our legitimate interests or those of third parties, particularly for the following purposes:
- advertising or market and opinion research, provided you have not objected to the use of your data;
- collection of information and exchange of data with credit agencies if this exceeds our economic risk;
- review and optimisation of needs analysis procedures;
- further development of products and services as well as existing systems and processes;
- disclosure of personal information as part of due diligence in the context of company sale negotiations;
- for comparison with European and international antiterrorism lists, if beyond the statutory obligations;
- enrichment of our data, including by using or researching publicly accessible data;
- statistical assessments or market analysis;
- assertion of legal claims and defence in the event of legal disputes that cannot be directly attributed to the contractual relationship;
- limited storage of data in the event that deletion is impossible or only possible with disproportionate effort due to the specific type of storage;
- development of scoring systems or automated decision-making processes;
- prevention and clarification of criminal offences, if not exclusively for the fulfilment of statutory requirements;
- building and plant security (e.g. through entry controls and video surveillance), if beyond the general due diligence obligations;
- internal and external investigations, security inspections;
- potential listening-in or recording of telephone conversations for quality control and training purposes;
- receiving and maintaining certifications of a private law or official nature;
- safeguarding and exercising domiciliary rights through corresponding measures as well as through video surveillance for the protection of our customers and employees and in order to secure evidence in the event of criminal offences and the prevention thereof and also
- the involvement of service providers as independent or joint controllers to carry out activities for the performance of a contract or for pre-contractual measures (cf. clause 2.2) or for the purposes of the legitimate interests as listed above.
2.3 Purposes in the context of your consent (Art. 6 [1a] GDPR)
Processing of your personal data for specific purposes (e.g. use of your email address for marketing purposes) can also take place on the basis of your consent. You can generally revoke this consent at any time. This also applies for the revocation of declarations of consent that were issued to us before the GDPR entered into effect, i.e. before 25 May 2018. You will be informed of the purposes and of the consequences of revoking or withholding consent separately in the corresponding text of the consent.
As a general principle, revocations of consent apply only to the future. Instances of processing which took place before the revocation are not affected by it and remain legitimate.
2.4 Purposes for the fulfilment of statutory requirements (Art. 6 [1c] GDPR) or in the public interest (Art. 6 [1e] GDPR)
In the same manner as anyone involved in business affairs, we are also subject to numerous legal obligations. These primarily encompass statutory requirements (e.g. commercial law and tax law), but may also include supervisory or other official provisions. The purposes of processing may potentially include identity and age verification, fraud and money laundering prevention, the prevention, combating and detection of terrorism financing and asset-endangering criminal offences, comparisons with European and international antiterrorism lists, the fulfilment of control and reporting requirements under tax law and the archiving of data for purposes of data protection and data security as well as review by tax authorities and other public agencies. In addition, the disclosure of personal data may be necessary in the context of official/judicial measures for purposes of evidence collection, criminal prosecution or the enforcement of civil claims.
3. The categories of data we process in the event that we do not receive data directly from you and where these are obtained from
If necessary for the performance of our services, we process personal data permissibly obtained from other companies or other third parties (e.g. credit agencies, address publishers, property and facility management). In addition, we process personal data that we have permissibly collected, obtained or acquired from publicly accessible sources (such as telephone directories, commercial registries and registers of associations, civil registers, records of debtors, land registers, press, internet and other media) and are permitted to process.
Relevant personal data categories may include the following in particular:
- personal details (name, date of birth, place of birth, nationality, civil status, profession/industry and comparable data);
- contact data (address, email address, telephone number and comparable data);
- address data (residential registration data and comparable data);
- payment/cover confirmation for bank cards and credit cards;
- information on your financial situation (credit data including scoring, i.e. data for assessing economic risk);
- customer history;
- data on your use of the telemedia we provide (e.g. time of access of our websites, apps or newsletters; clicked pages/links of ours or entries and comparable data);
- video data.
4. Recipients or categories of recipients of your data
Within our company, your data are received by the internal departments or organisational units that need them for the fulfilment of our contractual and statutory obligations or in the context of the handling and implementation of our legitimate interests. Your data are shared with external parties exclusively:
- in connection with contract execution;
- for purposes of the fulfilment of statutory requirements under which we are obligated to disclose, report or share data or when sharing data is in the public interest (cf. Section 2.4);
- if external service providers process data on our account as contracted processors or function-holders (e.g. external computer centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data validation / plausibility checks, data destruction, purchasing/procurement, customer management, letter shops, marketing, media technology, research, risk controlling, billing, telephone services, website management, property and facility management, audit services, credit institutions, printing services or companies for data disposal, courier services, logistics);
- on the basis of our legitimate interests or the legitimate interests of third parties for purposes within the scope specified under Section 2.2 (e.g. with authorities, credit agencies, debt collection agencies, attorneys, courts, external experts, associated group companies, committees and supervisory bodies);
- when you have given us your consent to the transmission of your data to third parties.
We will not share your data with third parties under any other circumstances. If we hire service providers in the context of contracted processing, your data will be subject to the same security standards there as with us. In other cases, the recipients are only permitted to use the data for the purposes for which it was shared with them.
5. Duration of the storage of your data
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various obligations of retention and documentation such as those under the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods of retention or documentation specified therein amount to up to ten years beyond the end of the business relationship / pre-contractual legal relationship.
Furthermore, special statutory provisions may require a longer period of retention, such as the retention of evidence within the scope of statutory limitation requirements. While the regular statutory limitation period under sections 195 et seq. of the German Civil Code (BGB) amounts to three years, limitation periods of up to 30 years may be applicable.
If the data are no longer needed for the fulfilment of contractual or statutory obligations and rights, they are normally deleted unless temporary continued processing of them is required for the fulfilment of purposes listed under Section 2.2 on the basis of an overriding legitimate interest. An overriding legitimate interest of this type also exists, for example, if deletion is impossible or only possible with disproportionate effort due to the type of storage and processing for other purposes has been made impossible by means of appropriate technical and organisational measures.
6. Processing of your data in a third country or by an international organisation
Data are only shared with parties in countries outside the European Union (EU) / the European Economic Area (EEA) (‘third countries’) when this is necessary for the execution of an order/contract from/with you, when required by law (e.g. reporting obligations under tax law), when this falls within the scope of a legitimate interest of us or a third party or when you have given us your consent.
In this context, processing of your data in a third country may also take place in connection with the engagement of service providers (e.g. in the context of contracted processing). If there is no European Commission resolution on the existence of an appropriate level of data protection for the country in question, then we will ensure that your rights and freedoms are appropriately protected and guaranteed by means of corresponding contracts in accordance with EU data protection provisions. We can provide you with corresponding detailed information on request.
Information on the suitable or appropriate guarantees and the possibility of obtaining a copy for you can be requested from the company data protection officer.
7. Your data protection rights
Subject to specific requirements, you can assert your data protection rights against us:
- You thus have the right to obtain information on your data stored with us in accordance with the provisions of Art. 15 GDPR (potentially with restrictions pursuant to Section 34 GDPR).
- At your request, we will correct the data stored on you in accordance with Art. 16 GDPR if it is incorrect or incomplete.
- If you would like, we will delete your data in accordance with the principles of Art. 17 GDPR if doing so is not in conflict with other statutory provisions (e.g. statutory retention periods or the restrictions pursuant to Section 35 GDPR) or an overriding interest on our part (e.g. for the defence of our rights and claims).
- In consideration of the prerequisites of Art. 18 GDPR, you can request that we restrict the processing of your data.
- Furthermore, you can lodge an objection to the processing of your data pursuant to Art. 21 GDPR, on the basis of which we are required to end the processing of your data. However, this right of objection applies only in the case of highly specific circumstances of your personal situation, in which case our company’s rights may potentially stand in opposition to your right of objection.
- Subject to the prerequisites of Art. 20 GDPR, you also have the right to receive your data in a structured, common and machine-readable format or have it sent to a third party.
- In addition, you have the right to revoke any consent given to us for the processing of personal data with future effect at any time (cf. Section 2.3).
- You also have a right to complain to a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always direct any complaints to our data protection officer first.
Whenever possible, your applications for the exercise of your rights should be made in writing and addressed to the address provided above or directly to our data protection officer.
- You are also entitled to the aforementioned rights if we process personal data in the context of joint controllership with a third party in accordance with Art. 26 GDPR. This is currently limited to individual constellations in the field of property and facility management. Insofar as you interact with a property or facility manager commissioned by us and we have concluded a contract with this party on joint controllership, it is agreed that the parties must fulfil their obligations under data protection law in accordance with their respective responsibilities for the individual process stages. It is stipulated that the property/facility manager is available as the primary contact point for the rights to which you are entitled under the GDPR. On the basis of the contractual agreements made in these cases, the contractual partners support each other in order to comprehensively guarantee your data protection rights.
8. Scope of your obligations to provide us with your data
You only need to provide the data which is required for the establishment and implementation of a business relationship or for a pre-contractual relationship with us or which we are obligated by law to collect. Without these data, we are generally unable to conclude or implement the contract. This can also pertain to data required later within the scope of the business relationship. If we request any data beyond this from you, you will be separately informed of the voluntary nature of providing the information.
9. Existence of any automated decision-making processes in individual cases (including profiling)
We do not employ any purely automatic decision-making procedures as defined in Article 22 GDPR. If we employ any such procedure in individual cases in the future, however, we will inform you of this separately if legally required to do so.
We may potentially process your data in some cases with the goal of evaluating specific personal characteristics (profiling).
We may potentially employ evaluation tools in order to be able to provide you with information on products and advise you in a targeted manner. These facilitate needs-oriented product design, communication and advertising including market and opinion research.
Such procedures may also be employed in order to be able to evaluate your creditworthiness and for combating money-laundering and fraud. ‘Scores’ may be used to evaluate your creditworthiness. In the event of scoring, mathematical procedures are employed to calculate the probability that a customer will meet their payment obligations in compliance with the contract. Scores like this provide us with assistance for purposes such as the evaluation of creditworthiness and decision-making in the context of product conclusions, and are also taken into consideration by our risk management. The calculation is based on recognised and proven statistical mathematical procedures and is carried out based on your data, particularly income situation, expenses, existing liabilities, profession, employer, duration of employment, experiences from previous business relationships, contractually compliant repayment of past loans and information from credit agencies.
Information on nationality and special categories of personal data as defined in Art. 9 GDPR are not processed in this context.
Information on your right of objection under Art. 21 GDPR
1. You have the right to lodge an objection to the processing of your data on the basis of Art. 6 (1f) GDPR (data processing on the basis of a balancing of interests) or Art. 6 (1e) GDPR (data processing in the public interest) if there are reasons for doing so which originate from your specific situation. This also applies for any profiling based on this determination within the meaning of Art. 4 No. 4 GDPR. If you lodge an objection, we will no longer process your personal data unless we can produce evidence of compelling reasons worth protecting for the processing which outweigh your interests, rights and freedoms, or if the processing serves the purpose of the assertion, exercise or defence of legal claims.
2. We also may potentially process your personal data in order to conduct direct advertising. If you would not like to receive any advertising, however, you have the right to lodge an objection to it at any time. This also applies to profiling, insofar as it is connected with direct advertising of this type. We will comply with this objection in the future.
We will no longer process your data for direct advertising purposes if you object to processing for these purposes. The objection does not need to be made in accordance with any specific formal requirements, and should be directed to the following address if possible:
86150 Augsburg, Germany
Tel: +49 821 50910-000
Fax: +49 821 50910-999
and its subsidiaries.
Our data protection declaration and the information on data protection concerning our data processing under Articles (Art.) 13, 14 and 21 of the GDPR may change from time to time. We will publish all changes on this page.
Part 2: Supplementary Data protection declaration for our website
1. Responsible party
The responsible party for data collection, data processing and data use in connection with the use of our internet offering is PATRIZIA AG and its subsidiaries.
2. General information
The use of our website does not require prior registration except in the institutional login area. When you visit our website, we collect and process the information that you automatically share with us digitally (see Section 3) and/or personal data (see Section 4).
3. Usage data
When you visit our website or use our services, the device you are using and the internet browser you use to access our website automatically transmit log data to our server. This log data particularly includes the names of the files accessed (web pages), the volume of data transferred, the type and version of the web browser used, the operating system used (type and version), the date and time the website is accessed, the referrer URL (the website from which you were sent to our website via a link) and the IP address of the requesting computer. After it is no longer technically required for accessing the website, the IP address is stored for statistical evaluation exclusively in abbreviated (anonymised) form.
The automatically transmitted data described above is collected and evaluated exclusively for the purpose of the proper and optimal presentation of the information offered and for the purpose of statistical evaluations. It is not possible for us to assign the data automatically transmitted to the server to specific natural persons, i.e. it is fundamentally impossible to directly identify you based on the automatically transmitted data. We would like to inform you, however, of the fact that with the cooperation of your internet access provider, it could theoretically be possible to determine the holder of the internet connection through which you access our site over a specific period of time on the basis of the transmitted IP address. Information on the duration of the storage of used and assigned IP addresses by the internet access provider is provided by your internet access provider.
4. Type, scope and purpose of the collection and use of personal data
We collect, process and use personal data such as names, addresses, telephone numbers and email addresses on this website only for the purpose of contract execution and for the protection of our own legitimate business interests in regard to advice and support for our clients. Apart from this, we use your voluntarily provided data exclusively for the purpose for which you shared it with us. Your data will only be used for the additional purposes of further offers or marketing purposes if you provide us with your consent to use them for these purposes as well. Your personal data will be deleted as soon as knowledge of them is no longer necessary for fulfilling the purpose of storage, but no later than the complete execution of the contract and the expiration of the periods stipulated under tax and commercial law.
a) Contact form
You have the option of contacting us through the provided email address. As a matter of course, providing personal information in this manner is voluntary. The personal data you share in this context are used exclusively for handling your inquiry, insofar as you have not separately consented to the use of your data beyond this purpose. If you use our contact form in the Shareholders area to contact us, the data entered from your PC are transferred encoded in line with the latest technical standard (SSL) to protect it against misuse by third parties.
b) Sharing with third parties
Personal data transmitted when using our website are only shared in consideration of the strict requirements of the German Federal Data Protection Act, namely if you have given consent to the data being shared in advance, if we have the right to do so on the basis of statutory provisions and/or if we are obligated to share the data on the basis of laws, regulations or official or judicial orders. As a general principle, data are not shared with third parties for advertising purposes.
c) Information, correction, locking, deletion
You have the right to request information on the personal data stored about you, the recipients or categories of recipients with whom these data are shared and the purpose of storage from us free of charge. In addition, you may potentially have a right to the correction, locking or deletion of personal data subject to the applicable legal requirements. Contact information can be found in our legal notice.
When visiting and using our website, cookies are stored on your computer. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
The legal basis for data processing when using essential cookies is Art. 6 para. 1 sentence 1 lit. f GDPR, when using all other cookies the legal basis is your consent according to Art. 6 para 1 sentence 1 lit. a GDPR. For more information on individual cookies, please see the information in the cookie banner on the website. You can revoke your consent at any time by calling up the cookie banner again. This can be done by clicking on the icon at the bottom left of the screen.
Insofar as we do not process your data on the basis of your explicit consent, your personal data will only be processed to the extent that this is necessary to protect our legitimate interests or the legitimate interests of a third party and does not override your interests or fundamental rights and freedoms that require the protection of personal data.
6. Scope of application of the Data Protection Declaration
This Data Protection Declaration applies for all websites and services or offers for which PATRIZIA AG and its subsidiaries are responsible. This Data Protection Declaration does not apply to services which are subject to separate data protection declarations which do not encompass the present Data Protection Declaration, such as pages which fall under the responsibility of efonds Solution AG.
If you access an external website from our site (external link), the external provider will potentially receive information from your browser on which of our web pages you are coming from. The external provider is responsible for these data. We are unable to influence this process, as are all other website providers.
PATRIZIA employs both technical and organisational security measures to protect the data you have provided from random or intentional manipulation, loss, destruction or access of unauthorised persons. Where personal data are collected and processed, the information is transferred in encoded form to prevent misuse of the data by third parties. Our security measures are continually updated in line with technological developments. Our employees are obligated to maintain confidentiality.
Part 3: Information on data protection for applicants
Information on data protection concerning our processing of applicant data under Articles (Art.) 13, 14 and 21 of the General Data Protection Regulation (GDPR), available here for download in PDF format.
Your trust is important to us. If you have any questions that this Data Protection Declaration could not answer for you or if you would like more detailed information on a specific point, please contact our data protection officer at any time. As a matter of course, we will fulfil your standardised right to information in this regard.
Contact details of our data protection officer:
HEC Harald Eul Consulting GmbH
Data Protection + Data Security
Harald Eul (PATRIZIA data protection officer)
Auf der Höhe 34
Occasional adjustments must be made to our data protection declaration in response to the continual development of the Internet. We reserve the right to make appropriate amendments at any time.
Last updated: 04 February 2020