DATA PROTECTION

Part 1: Data protection information pursuant to General Data Protection Regulation (GDPR) Articles 13, 14 and 21, setting out how we process data.

We take data protection seriously. This notice is intended to inform you how we process your data and your entitlements and rights under the data protection rules. It is effective from 25th May 2018.

1. Controller responsible for data processing; contact details

Controller for the purposes of data protection law

Swiss Life Asset Managers Deutschland GmbH
– Data Protection –
Clever Str. 36
50668 Köln

DSB-SwissLifeAssetManagers[at]he-c.de

 

Swiss Life Insurance Asset Management GmbH
– Data Protection –
Zeppelinstrasse 1
85748 Garching b. München

DSB-SwissLifeAsset[at]he-c.de

 

Swiss Life Asset Managers Luxembourg Niederlassung Deutschland
– Data Protection –
Hochstrasse 53
60313 Frankfurt am Main

DataprotectionAM[at]swisslife.de

 

SL AM Aurum GmbH & Co. KG
– Data Protection –
Clever Str. 36
50668 Köln

DSB-SwissLifeAssetManagers[at]he-c.de

 

SL AM Development Commercial GmbH 
– Data Protection –
Clever Str. 36
50668 Köln

DSB-SwissLifeAssetManagers[at]he-c.de

 

SL AM Development Residential GmbH 
– Data Protection –
Clever Str. 36
50668 Köln

DSB-SwissLifeAssetManagers[at]he-c.de

 

BEOS AG 
– Data Protection –
Kurfürstendamm 188
10707 Berlin 

Datenschutz-Beos[at]he-c.de

 

BEREM Property Management GmbH
– Data Protection –
Kurfürstendamm 188
10707 Berlin 

Datenschutz-Beos[at]he-c.de

 

BEOS Logistics GmbH
– Data Protection –
Kurfürstendamm 188
10707 Berlin

compliance[at]beos.net

 

PE Reiterstaffel GmbH & Co. KG
– Data Protection –
Clever Str. 36
50668 Köln

DSB-SwissLifeAssetManagers[at]he-c.de

 

 

Contact details of our data protection officer:

CORPUS SIREO Data Protection Officer
HEC Harald Eul Consulting GmbH
Auf der Höhe 34
50321 Brühl
Email DSB-SwissLifeInvestment[at]he-c.de

 

2. Purposes for which and legal basis on which we process your data

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act [Bundesdatenschutzgesetz] (BDSG) and other applicable data protection rules (details below). Precisely what data is processed and how it is used largely depends on the services requested and/or agreed on in each case. You can find further details of or modifications to the purposes for which data is processed in the relevant contract documents and forms, any declaration of consent and/or other information provided to you (e.g. when using our website or in our terms and conditions). This data protection notice may also be updated from time to time. You can find details of this on our website at www.corpussireo.com/de-de/impressum/datenschutzerklaerung.

 

2.1. Processing for the purpose of performing a contract or taking pre-contractual steps (GDPR Art. 6(1)(b))

We process personal data in order to perform our contracts with you and to carry out your instructions and in order to take steps and actions as part of a pre-contractual relationship, e.g. with interested parties. Thus, in particular, data is processed in order to provide real estate services, such as the brokerage, letting, sale and purchase of property in accordance with your instructions and wishes, including providing the necessary services and undertaking the necessary steps and activities. Essentially this includes contract-related communication with you, preserving evidence of transactions, instructions and other agreements and also quality control through appropriate documentation, goodwill activities, management and optimisation of business processes and in order to comply with our general duty of care, and management and control by affiliated companies (e.g. parent company); statistical analyses for company management purposes, cost recording and control, reporting, internal and external communication, emergency management, invoicing and fiscal evaluation of operational services, risk management, asserting legal claims and defending legal disputes; ensuring IT security (e.g. system and verification tests) and general safety, including building and plant safety and security, safeguarding and exercising occupiers’ rights (e.g. through access controls); safeguarding the integrity, authenticity and availability of data, preventing and investigating criminal offences; and inspections by supervisory bodies or authorities (e.g. audit).

 

2.2. Processing for the purposes of our legitimate interests or those of third parties (GDPR Art. 6(1)(f))

Besides actually performing the contract or taking pre-contractual steps, we may process your data if this is necessary to protect our legitimate interests or those of third parties, in particular for the purposes of:

  • collecting information and exchanging data with credit reference agencies, insofar as this goes beyond our financial risk;
  • checking and optimising requirements analysis processes;
  • further developing our services and products as well as our existing systems and processes;
  • disclosure of personal data as part of due diligence in company sale negotiations;
  • checks against European and international anti-terrorist lists, insofar as this goes beyond our legal obligations;
  • enhancing our data, including by using or researching publicly available data;
  • statistical evaluations or market analysis;
  • benchmarking;
  • asserting legal claims and defending legal disputes which are not directly attributable to our contractual relationship;
  • the limited storage of your data, if the particular way that it is stored means that it cannot be deleted or that its deletion would involve disproportionately high expenditure;
  • developing scoring systems or automated decision-making processes;
  • preventing and investigating criminal offences, other than exclusively in order to comply with legal requirements;
  • building and plant security (e.g. through access controls and video surveillance), insofar as this goes beyond our general duty of care;
  • internal and external investigations and safety checks;
  • the possible monitoring or recording of telephone conversations for quality control and training purposes;
  • maintaining and preserving private or official certifications;
  • taking appropriate measures to safeguard and exercise occupiers’ rights and also video surveillance to protect our customers and employees and to secure evidence in the event of crimes and in order to prevent them …

 

2.3. Processing with your consent (GDPR Art. 6(1)(a))

Your personal data may also be processed for certain purposes (e.g. using your email address for marketing purposes) based on your consent. You can generally withdraw this consent at any time. This also applies to the withdrawal of any consent given to us before the GDPR came into force, i.e. before 25th May 2018. You will be informed of the purposes and of the consequences of withdrawing or not granting your consent in the text of the consent document.
In principle, a withdrawal of consent takes effect only for the future. It does not affect processing which took place before the withdrawal.

 

2.4. Processing for the purpose of fulfilling legal requirements (GDPR Art. 6(1)(c)) or in the public interest (GDPR Art. 6(1)(e)) 

Like everyone involved in business life, we are subject to numerous legal obligations. These are primarily legal requirements (e.g. commercial and tax laws), but also, in some cases, regulatory and other regulatory requirements. Data may be processed for purposes including verifying identity and age, preventing fraud and money laundering, preventing, combating and investigating terrorist financing and crimes against property, checks against European and international anti-terrorist lists, compliance with tax control and reporting obligations and also archiving data for data protection and data security purposes as well as inspection by tax and other authorities. In addition, it may be necessary to disclose personal data for the purpose of official/judicial measures in order to collect evidence or prosecute crimes or enforce civil law claims.

 

3. The categories of data processed by us, save where we receive data directly from you, and its origin

Where necessary in order to provide our services, we process personal data which we have lawfully obtained from other companies or other third parties (e.g. credit reference agencies and mailing list providers). We also process personal data which we lawfully gather, receive or acquire from publicly accessible sources (such as telephone directories, trade and association directories, civil registers, debtor registers, land registers and the press, the internet and other media), and which it is lawful for us to process.

Relevant categories of personal data include in particular:

  • Data on individuals (name, date of birth, place of birth, nationality, marital status, profession/industry and similar data)
  • Contact details (address, email address, telephone number and similar data)
  • Address data (civil register and similar data)
  • Confirmation of payment/cover for bank and credit cards
  • Information about your financial status (credit rating data including scoring, i.e. data for assessing financial risk)
  • Client history
  • Data concerning your use of our internet services (e.g. time of accessing pages on our website, our apps or our newsletters, clicks on our pages/links and data entered and similar data)
  • Video data

 

4. Persons or categories of persons who receive your data

Within our company, your data is received by those internal departments or units which require it in order to perform our contractual and legal obligations or in order to process and implement our legitimate interests. Your data will be passed on to external parties only

  • in connection with the performance of our contract;
  • in order to fulfil legal requirements which oblige us to inform, report or pass on data or under which the transfer of data is in the public interest (see paragraph 2.4);
  • if external service companies process data on our behalf as processors or under an outsourcing arrangement (e.g. external data centres, support/maintenance of IT applications, archiving, document processing, call centre services, compliance services, control, data screening for anti-money laundering purposes, data validation or plausibility checks, data destruction, purchasing/procurement, client management, letter shops, marketing, media technology, research, risk control, invoicing, telephony, website management, audit services, financial institutions, printers or data disposal companies, courier services and logistics);
  • based on our legitimate interest or that of a third party for the purposes specified in paragraph 2.2 (e.g. to authorities, credit reference agencies, debt collection agencies, attorneys, courts, appraisers, valuers, group companies and boards and supervisory authorities);
  • if you have given us permission to transfer it to third parties.

Otherwise, we will not pass your data on to third parties. If we commission service providers as data processors, your data is subject to the same security standards as it is with us. In any other case, recipients may use the data only for the purposes for which it was transmitted to them.

 

5. For how long do we store your data?

We process and store your data for the duration of our business relationship. This also includes initiating contracts (pre-contractual relationship) and performing contracts.

We are also subject to various retention and documentation obligations arising from, among other things, the Commercial Code [Handelsgesetzbuch] (HGB), the Brokers and Developers Ordinance [Makler- und Bauträgerverordnung] (MaBV) and the Tax Code [Abgabenordnung] (AO). The retention and/or documentation periods specified in these rules are up to ten years after the end of the business relationship or the pre-contractual relationship.

In addition, particular legal provisions may specify a longer retention period, such as in order to preserve evidence for the purpose of the statutory limitation rules. According to Civil Code [BGB] §§195 et seq., whilst the normal limitation period is three years, limitation periods of up to 30 years can sometimes apply.

If the data is no longer necessary in order to perform contractual obligations or to comply with legal obligations and rights, it is normally deleted, unless it needs to be further processed – temporarily – in order to fulfil the purposes listed in section 2.2 by reason of an overriding legitimate interest. There will also be such an overriding legitimate interest, for example, if the particular way that it is stored means that it cannot be deleted or that its deletion would involve disproportionately high expenditure, and suitable technical and organisational measures prevent it being processed for other purposes.

 

6. Processing your data in a third country or by an international organisation

Your data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries), if this is necessary in order to perform your instructions or a contract with you, if it is required by law (e.g. tax reporting obligations), if it falls within our legitimate interests or those of a third party, or if you have given us your consent.

Your data may also be processed in a third country where service providers are involved as processors. If the EU Commission has not decided that the country concerned offers an appropriate level of data protection, in accordance with EU data protection requirements we use appropriate contracts to ensure that your rights and freedoms are adequately protected and guaranteed. On request, we will provide you with detailed information about this.

Information on the appropriate or reasonable guarantees and how to obtain a copy of them can be obtained on request from the company data protection officer.

 

7. Your privacy rights

You can assert your data protection rights against us, subject to certain conditions.
Thus you have a right to be informed about your data stored by us in accordance with the rules in GDPR Art. 15 (subject to the restrictions in BDSG §34, where applicable).
At your request, in accordance with GDPR Art. 16 we will rectify the data concerning you and stored by us if it is inaccurate or incorrect.
If you wish, in accordance with the principles of GDPR Art. 17 we will erase your data, as long as doing so does not conflict with other legal provisions (e.g. legal retention obligations or restrictions under BDSG §35) or an overriding interest on our part (e.g. defending our rights and entitlements).
You may require us to restrict the processing of your data, having regard to the conditions in GDPR Art. 18.
You may also object to the processing of your data in accordance with GDPR Art. 21, in which case we must stop processing your data. However, this right of objection applies only if your personal situation meets certain very specific conditions, and it is possible that our own rights may conflict with your right of objection.
You also have the right to receive your data or transmit it to a third party, in a structured, commonly used and machine-readable format, in accordance with the conditions in GDPR Art. 20.

Furthermore, you have the right to revoke your consent to the future processing of personal data at any time (see paragraph 2.3).
You also have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). However, we recommend that you always address a complaint to our data protection officer first.
If possible, you should address your requests to exercise your rights in writing to the above address or directly to our data protection officer.

 

8. Your obligation to provide us with your data

You only need to provide data that is necessary in order to establish and implement a business relationship or for a pre-contractual relationship with us, or which we are legally obliged to collect. Without this data, we will not usually be able to conclude or perform the contract. This may also apply to data required later in the course of the business relationship. If we request further data from you, you will be informed separately of the extent to which the data is voluntary.

 

9. Automated individual decision-making (including profiling)

We do not use purely automated decision-making processes under GDPR Art. 22. If we use such a process in individual cases in future, we will inform you separately if required by law to do so.

In some circumstances we may process some of your data in order to evaluate certain personal characteristics (profiling).
We may use evaluation tools in order to provide you with targeted information and advice on products. These allow us to take a demand-based approach to product design, communication and advertising, including market research and opinion polling.

These processes can also be used to assess your credit rating and creditworthiness, and also to combat money laundering and fraud. So-called “scores” can be used to assess your credit rating and creditworthiness. Scoring uses mathematical methods to calculate the probability that a customer will fulfil its payment obligations in accordance with the contract. Thus these scores assist us, for example, when assessing creditworthiness and taking decisions on product deals, and they form part of our risk management. The calculation uses mathematically and statistically recognised and proven methods and is based on your data, particularly income, expenditure, existing liabilities, occupation, employer, length of employment, experience from previous business relationships, due repayment of earlier loans and also information from credit reference agencies.

We do not process special categories of personal data under GDPR Art. 9 in this way.

Information about your right of objection under GDPR Art. 21

1. You have a right to object at any time to the processing of your data in accordance with GDPR Art. 6(1)(f) (processing based on a balancing of interests) or GDPR Art. 6(1)(e) (processing in the public interest) if there are grounds to do so arising from your particular situation. This also applies to profiling within the meaning of GDPR Art. 4(4) which takes place on the basis of this agreement.

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the data is being processed in order to establish, exercise or defend legal claims.

2. We may also process your personal data in order to conduct direct advertising. If you do not wish to receive advertising, you have the right to object to it at any time; this also applies to profiling, insofar as it relates to such direct advertising. We will observe your objection in relation to future advertising.

We will no longer process your data for direct mailing purposes if you object to processing for such purposes.

Your objection can be lodged in any form. So far as possible, it should be addressed to

Swiss Life Asset Managers Deutschland GmbH
Attn: Legal Department
Clever Str. 36
50668 Köln

Our privacy notice and the data protection information pursuant to GDPR Articles 13, 14 and 21, setting out how we process data, may change from time to time. All changes will be published on our website www.corpussireo.com/de-de/impressum/datenschutzerklaerung. Older versions are available for viewing in an archive.

 

Data protection information effective from 9th April 2018
Part 2: Supplementary privacy notice for our website
CORPUS SIREO takes the protection of personal data very seriously. We want you to know what data we store and when, and how we use it. We have taken technical and organisational measures to ensure that the rules on data protection are complied with.

Anonymous data collection
You can always visit CORPUS SIREO's non-personalised website pages without telling us who you are. Essentially we are informed only of the name of your internet service provider (your IP address), the website from which you are visiting us, the date and time and the pages that you visit on our website. This information is evaluated for statistical purposes. As an individual user, you remain anonymous.

Personal data
Personal data is information that relates to you. It includes information such as your name, address, postal address and telephone number. It does not include information that cannot be directly related to your true identity (such as time spent on the site or the number of users of the site). Personal data is collected by CORPUS SIREO only if you provide it to us yourself, for example when registering for personalised services. Data that you enter in the form will be saved only for the purpose in question. For example, we need your full address in order to send you our annual report. Your data is not passed to third parties outside the CORPUS SIREO Group if to do so is not legally permitted or required.

Email information
We are happy to send you information, reports, studies or similar by email. If you provide us with your email address for this purpose, it will be used only for the purpose in question.

Use of cookies
Cookies are small data sets that your browser stores on your local hard drive. Cookies may be used on our internet pages at www.corpussireo.com. The cookies on our website do not contain any personal data about you. Cookies save you having to enter data more than once, facilitate the transmission of specific content and help us to identify particularly popular parts of our online service. For example, we are able to tailor the content of our website pages to users’ needs. If you wish, you can disable the use of cookies at any time by using your browser’s settings. Please use your browser window’s help functions to learn how to change these settings. However, this may mean that you will no longer be able to use individual areas of our website.

Links to other websites
Our internet pages may contain links to other websites. We have no control over whether their operators comply with the data protection rules. Nor do we have any control over the legality of the contents of these websites. We therefore decline any responsibility for the content of other websites.

Questions and comments
If you have questions, suggestions or comments about data protection, please email info[at]swisslife-am.com. The rapid development of new Internet technologies means that we have to change our privacy policy from time to time. You will be informed of the changes here.

Use of web fonts
We use so-called Google Web Fonts on our website. These are external fonts. Google Fonts is a service provided by Google Inc. (“Google”). These Web Fonts are integrated by accessing a server, usually a Google server in the USA. This will tell the server which of our internet pages you have visited. The IP address of the browser of the terminal used by the person visiting these internet pages is also stored by Google. For more information, see Google’s privacy policy, available here:
www.google.com/fonts#AboutPlace:about
www.google.com/policies/privacy

Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics also uses cookies. The information on your use of this website generated by the Google cookie (including your IP address) is normally transferred to a Google server in the USA and stored there. Google will use this information in order to evaluate your use of the website, to compile reports on activity on the website for us and to provide further services in relation to the use of the website and the internet. Google may also transfer this information to third parties if required by law or if third parties process this data on behalf of Google. Under no circumstances will Google link your IP address with other data held by Google. By using this website, you agree to the processing of the data collected about you by Google in the manner described above and for the purpose stated above.

We wish to inform you that, in order to improve your privacy, our website uses Google Analytics with the IP Truncation extension. That means that your IP address is first truncated by Google within European Union member states or other states which are party to the European Economic Area Treaty. Only in exceptional cases will the whole of your IP address be transferred to a Google server in the USA, where it will be truncated. This means that it cannot be linked directly to an individual when the use of our website is analysed.

You can prevent the Google Analytics cookies from being set by way of an extension to your browser. This allows you to exercise your right to object to the future collection, processing and use of data by Google Analytics. To do this, you can install the Google Analytics opt-out browser add-on. This prevents Google Analytics from storing information about your website visits.

You can find more information and instructions on how to download and install this deactivation add-on here.

As an alternative to the browser plug-in or within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent Google Analytics from collecting data from this website in future (this opt-out cookie works only in this browser and only for this domain; if you delete your cookies in this browser you will need to click on this link again):

Opt out from Google Analytics