We point out that any data transmission on the Internet (e.g. communication by e-mail) can have security gaps. A complete protection of your data against access by third parties is not possible.
How do we collect your data?
Your data is collected when you provide it to us. An example is the completion of a contact form. Through your consent when visiting our website, our IT systems also automatically collect your technical data such as your Internet browser, operating system or the time of the page request.
What do we use your data for?
We collect and process your data to ensure that you can use our website without errors and to analyze the behavior of the users of our website.
What rights does the GDPR grant you regarding your data?
You have the right to obtain information about the origin, recipient and purpose of the personal data concerning you. Furthermore, you have the right to have your data corrected or deleted. Through the right of revocation, you also have the possibility to revoke a given consent at any time. In addition, you may, under certain circumstances, request the restriction of the processing of your personal data. Finally, you have the right to lodge a complaint with the competent supervisory authority.
§ 1 Information about the collection of personal data
- Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.
The responsible party pursuant to Art. 4 (7) EU General Data Protection Regulation (GDPR) is:
Heureka Real Estate GmbH
Robert C. Waidhaas MRICS, Andreas V. Rossmann
An der Stadtkirche 6
Phone: +49 6151 52055 86
When you contact us by e-mail, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.
- If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail below about the respective processes and the corresponding storage period.
§ 2 Collection of personal data when visiting our website
- In the case of merely informative use of the website you do not transmit any information to us and we only collect the personal data that your browser transmits to our server.
- If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security (legal basis is Art. 6 (1) p. 1 f GDPR):
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website the request comes from
- Language and version of the browser software
- Operating system and its interface
- Websites from which the user’s system accesses our website
- Websites that are accessed by the user’s system via our website
- This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
- Purpose of data processing: The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes are also our legitimate interest in data processing according to Art. 6 (1) f GDPR.
§ 3 Legal basis of processing
- Article 6 (1) a GDPR serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract of which the data subject is a party, as is the case, for example, with processing operations that are necessary for a delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 (1) b GDPR.
- The same applies to such processing operations that are necessary for the implementation of precontractual measures, for example in cases of inquiries about our products or services.
- If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 (1) c GDPR.
- In some cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. In that case, the processing would be based on Art. 6 (1) d GDPR.
- In addition, processing operations could be based on Art. 6 (1) f GDPR. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).
- If the processing of personal data is based on Art. 6 (1) f GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.
§ 4 Your rights
You have the following rights against us regarding the personal data concerning you:
- Pursuant to Art. 15 GDPR, the right to obtain confirmation as to whether data concerning you is being processed and to obtain information about such data, as well as further information and a copy of the data.
- Pursuant to Art. 16 GDPR, the right to request the completion or correction of the data concerning you.
- Pursuant to Art. 17 GDPR, the right to demand that the data in question be deleted without delay or, alternatively, to demand restriction of the processing of the data pursuant to Art. 18 GDPR.
- Pursuant to Art. 20 GDPR, the right to demand that you receive the data in question that you have provided to us in a structured, common and machine-readable format and to demand its transfer to other responsible data controllers.
the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 GDPR. You can reach the responsible state data protection commissioner at the following address:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
P.O. Box 3163
Telephone: +49 611 1408 – 0
Fax: +49 611 1408 – 900
§ 5 Your right to revoke the processing of your data
If you have given your consent to the processing of your data, you may revoke it at any time. Such revocation will affect the permissibility of the processing of your personal data after you have expressed it to us.
§ 6 Your right to object to the processing of your data
- Insofar as we base the processing of your personal data on a balance of interests, you may object to the processing. This is the case if the processing is not necessary for the fulfillment of a contract with you, which is presented by us in each case in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adjust the data processing or show you our compelling reasons worthy of protection based on which we will continue the processing.
Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us of your objection using the following contact details:
Heureka Real Estate GmbH, An der Stadtkirche 6, 64283 Darmstadt, Germany, Tel.: +49615152055 86, E-mail: firstname.lastname@example.org
§ 7 Your right to data deletion
- In accordance with legal requirements in Germany, data is stored for 6 years in accordance with Section 257 (1) of the German Commercial Code (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with Section 147 (1) of the German Fiscal Code (AO) (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
§ 8 Contacting
- When contacting us, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.
- The response to the contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise based on the legitimate interests in responding to the inquiries.
- There is no transfer of data to third parties in this context. The data is used exclusively for processing the conversation.
- Data processing for the purpose of contacting us is carried out in accordance with Art. 6 (1) p. 1 a GDPR based on your voluntarily given consent.
- Information is stored in the cookie that is related to the specific end device used. This does not mean, however, that we obtain direct knowledge of your identity.
- In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your terminal device for a certain fixed period of time. If you visit our website again to use our services, it is automatically recognized that you have already been with us and which entries and settings you have made so that you do not have to enter them again.
- The data processed by cookies is necessary for the aforementioned purposes to protect our legitimate interests and those of third parties in accordance with Art. 6 (1) p. 1 f GDPR.
- Most browsers accept cookies automatically but you can configure your browser so that no cookies are stored on your computer or a notice always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.
§ 10 Provision of the online offer and web hosting
- In order to be able to provide our online offer securely and efficiently, we make use of the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.
- The data processed in the course of providing the hosting service may include all information relating to the users of our online service, which is collected in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.
- E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as further information regarding the e-mail dispatch (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data may also be processed for spam detection purposes. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted in transit, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the e-mails between the sender and the reception on our server.
- Collection of access data and log files: We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the websites and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
- The server log files may be used for security purposes, e.g. to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability.
§ 11 Cloud services
- We use software services accessible via the Internet and executed on the servers of their providers (so-called “cloud services”, also referred to as “software as a service”) for the following purposes: document storage and management, calendar management, e-mail dispatch, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information as well as chats and participation in audio and video conferences.
- If we use the cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on the users’ devices for the purposes of web analysis or to remember the users’ settings (e.g. in the case of media control).
- Notes on legal bases: If we ask for consent to use the cloud services, the legal basis of the processing is consent. Furthermore, their use may be a component of our (pre)contractual services, provided that the use of the cloud services has been agreed within this framework. Otherwise, the users’ data is processed based on our legitimate interests (i.e., interest in efficient and secure management and collaboration processes).
§ 12 Data protection information in the application process
- We process applicant data only for the purpose of and within the scope of the application procedure in accordance with the legal requirements. Applicant data is processed to fulfill our (pre)contractual obligations within the scope of the application procedure in accordance with Art. 6 (1) b, f GDPR insofar as the data processing becomes necessary for us, e.g. within the scope of legal procedures (Section 26 BDSG).
- Insofar as special categories of personal data within the meaning of Article 9 (1) GDPR are voluntarily disclosed during the application process, they will also be processed in accordance with Art. 9 (2) GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants as part of the application process, their processing shall additionally be carried out in accordance with Art. 9 (2) a GDPR (e.g. health data, if this is required for the exercise of the profession).
- In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. The applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time.
- Subject to a justified revocation by the applicant, the data will be deleted after a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act.
- As part of the application process, we offer applicants the opportunity to be included in our “applicant pool” for a period of two years based on consent within the meaning of Art. 6 (1) b and Art. 7 GDPR. The application documents in the applicant pool will be processed solely within the framework of future job advertisements and the search for employees and will be destroyed at the latest after the expiry of the period. Applicants are informed that their consent to inclusion in the applicant pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 GDPR.
§ 13 Promotional communication via e-mail, mail, fax or telephone
- We process personal data for the purpose of promotional communication, which may take place via various channels, such as e-mail, telephone, mail or fax, in accordance with the legal requirements.
- The recipients have the right to revoke consent given at any time or to object to the promotional communication at any time. After revocation or objection, we may store the data required to prove consent for up to three years based on our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
§ 14 Tracking Tools
The tracking measures we use are carried out based on Art. 6 (1) p. 1 f GDPR. With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
§ 15 Use of Google Analytics
- For the purpose of demand-oriented design and continuous optimization of our pages, we use Google Analytics, a web analytics service provided by Google Inc. (https://www.google.de/intl/de/about/ (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website, such as browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address), time of server request, is transmitted to a Google server in the USA and stored there.
- The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to the use of the website and the Internet for the purposes of market research and demand-oriented design of these Internet pages. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf.
- Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymized so that an assignment is not possible (IP masking).
- Legal basis for data processing: The legal basis for the processing of personal data using Google Analytics is Art. 6 (1) f GDPR.
- Purpose of data processing: With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and evaluate it for the purpose of optimizing our offer for you. These purposes are also our legitimate interest in the processing of personal data according to Art. 6 (1) f GDPR.
§ 16 Use of Google Web Fonts
- This website uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.
- For this purpose, the browser you use must connect to Google’s servers. This enables Google to know that our website has been accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) f GDPR.
- If your browser does not support web fonts, a standard font from your computer will be used.
§ 17 Use of Google reCAPTCHA
- We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on our websites. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
- The purpose of reCAPTCHA is to check whether the data input on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
- The reCAPTCHA analyses run entirely in the background. Website visitors are not notified that an analysis is taking place.
- The data processing is based on Art. 6 (1) f GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from spam.
§ 18 Plug-ins and embedded functions and content
- We integrate into our online offer functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can be, for example, graphics, videos or social media buttons as well as posts (hereinafter uniformly referred to as “content”).
- The integration always requires that the third-party providers of this content process the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is therefore required for the presentation of this content or function. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, the time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
§ 19 Integration of Google Maps
- On this website we use the offer of Google Maps. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently.
- By visiting the website, Google receives the information that you have called up the corresponding sub-page of our website. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want the assignment with your profile at Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.
§ 20 Video Conferencing, Online Meetings, Webinars, and Screen Sharing
- We use platforms and applications of other providers (hereinafter referred to as “third-party providers”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings. When selecting the third-party providers and their services, we observe the legal requirements.
- In this context, data of the communication participants is processed and stored on the servers of the third-party providers, insofar as these are components of communication processes with us. This data may include registration and contact data, visual and vocal contributions as well as entries in chats and shared screen contents.
- If users are referred to third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
§ 21 Order data processing and transfer to third parties
- In some cases, we use external service providers to process your data. If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this shall only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is required in accordance with Art. 6 (1) b GDPR for the performance of the contract), your consent, a legal obligation which provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
- If we commission third parties with the processing of data based on a so-called “commissioned processing agreement”, this is done based on Art. 28 GDPR. These are carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
- Furthermore, we may pass on your personal data to third parties if we offer promotions, competitions, contracts or similar services together with partners. You will receive more information on this when you provide your personal data or below in the description of the offer.
- If we process data outside the European Union (EU) or the European Economic Area (EEA) (so-called third country) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only occur if it is done to fulfill our (pre-)contractual obligations, based on your consent, due to a legal obligation or based on our legitimate interests. Otherwise, we process or allow data to be processed in a third country only if the requirements of Art. 44 et seq. GDPR are met.
§ 22 Planning and organization
- We use services, platforms and software from other providers (hereinafter referred to as “third-party providers”) for the purpose of organizing, managing, planning and providing our services. When selecting the third-party providers and their services, we observe the legal requirements.
- If users are referred to third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
§ 23 Data security
- Within the website visit, we use the widespread SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the lower status bar of your browser.
- We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.