Information obligation when collecting your personal data
Art. 13 GDPR
Data processor
Name and contact details of the controller
Rudolf Schäfer KG
Max-Joseph-Straße 8, 80333 Munich
Personally liable partner: Martin Schäfer
Company headquarters: Munich — Munich Local Court, HRA 49774
VAT ID No.: DE 226918537
Name and contact details of the data protection officer:
DSB Okon und Meister
Email: info@dsb-okon.de
What data do we process?
Categories of personal data that are processed:
Suppliers (address and function data) and contact persons for the groups listed below, including legal entities (contact details and support information), prospective tenants and buyers for commercial and private properties.
The main categories of data are:
- Name
- Address
- Date of birth, place of birth
- Telephone number (mobile and home)
- Data on account numbers and financial institutions
- Email addresses (for correspondence from you using email addresses provided by you)
- Location of your property (apartment, garage, land, etc.)
- Amount of contributions to communal expenses (WEG)
- Any payment arrears
- Any payment surpluses
- Any outstanding claims
- Identification data (identity card for property sales and rentals)
- Creditworthiness data
- Data from documentation (e.g. consultation, conference and meeting minutes)
- Sales data from payment transactions
- Data from the fulfilment of contractual obligations
- Data on the use of our services via telemedia (websites, newsletters, apps)
- Authentication data (signatures)
- Payment orders
Where does the data come from? (Source)
The stored data was collected within the framework of our contractual relationship and individual orders, or it was generated within the framework of business relationships and business development. The data is stored for the purpose of fulfilling and processing the orders placed with us, as well as for commercial and tax documentation and archiving obligations, recording entries in the management contract, signatures from emails and documents, and entries and additions to the owner master data sheet sent to us by you. In the case of tenancies, the data is taken from self-disclosure forms provided to us. Preparation of handwritten notes in the presence of the data subject, dictation recordings (electronic), telephone correspondence.
Why do we process your data and on what legal basis?
Purpose and legal basis for processing Art. 6 GDPR
We process personal data in strict compliance with and in accordance with the provisions of the GDPR and the Federal Data Protection Act 2018 (BDSG-neu).
- Fulfilment of the obligations required by the management contract and rental agreement, performance of necessary maintenance work on rented and owned properties (e.g. house, flat, garden, garages, etc.) and on technical facilities (e.g. lifts, heating, water supply and sewage, house electrical system, security technology, etc.)
- Preparation of heating cost statements, requirements relating to the entire WEG trust on the part of the property management (e.g. opening accounts with banks and other financial institutions, management and disposal of cash transactions, processing of direct debits)
- Requirements for the fulfilment of traffic safety obligations, including TÜV inspections and fire protection, as well as compliance with technical regulations (e.g. for roller doors, duplex garages, heating systems, lift facilities, lifting and ventilation systems, legionella sampling in accordance with TrinkwV)
- Monitoring incoming payments, initiating legal action in the event of payment arrears, managing and disposing of funds in current accounts, invoice control, correspondence with owners, tenants, service providers, processing complaints and violations of house rules, coordinating appointments, convening owners’ meetings, preparing agendas and draft resolutions for owners’ meetings
- Preparing minutes of resolutions, including sending them to all owners, claims for maintenance fees, challenging resolutions, assisting with sales, rentals, commercial use, obtaining offers, invoice control, document verification, telephone conversations with advisory boards, owners, tenants, service providers and interested parties
Data is stored for the purpose of pursuing our own business objectives, for the execution of the management contract with individual owners, as well as with the homeowners’ association (WEG) and other customers and service providers, and for the protection of legitimate interests as the controller.
Permissible data storage also takes place to protect the legitimate interests of a third party, to avert dangers to public safety and to prosecute criminal offences.
Fulfilment of contractual obligations
(Art. 6 para. 1 lit. b GDPR)
The processing of personal data is primarily carried out for the purpose of executing concluded contracts or pre-contractual measures with you and the execution of your orders as well as all tasks related to the operation and management of rental properties, land, real estate (in general).
Customer data: Personal data is collected, processed or used for the purpose of fulfilling the business purpose, in the area of property management and services in the real estate industry, and also for establishing business contacts and providing information to customers.
Personnel data: The collection, processing or use of personal data of our employees is carried out for the purpose of implementing and processing the respective employment relationship.
Applicant data: The collection, processing or use of personal data of applicants is carried out for the purpose of initiating employment relationships.
Balancing of interests
(Art. 6 para. 1 lit. f GDPR)
Taking legitimate interests (ours or those of third parties affiliated with us) into account and in order to protect them, we process the following data, among other things:
Credit checks and data exchange with credit agencies (e.g. Creditreform, SCHUFA, Bürgel), technical settings to ensure IT security within our company, measures to maintain security (building access) and ensure house rules are followed, video surveillance (enforcement of house rules, investigation of vandalism, damage to property, harassment, criminal offences) and securing evidence.
Consent
(Art. 6 para. 1 lit. a GDPR)
Further processing of your personal data is lawful if you have given us your written (in some cases also electronic) consent. Based on this consent, we are then able to pass on your telephone number (mobile, landline) to the affiliated partner companies for the purpose of commissioning tradesmen to fulfil the order. All consents given can be revoked at any time.
Who receives your data?
Recipients (categories) of personal data
Public authorities that receive data on the basis of legal provisions (e.g. social security institutions, tax authorities).
Internal departments involved in the execution of the respective business processes (human resources, accounting, invoicing, real estate brokerage, marketing, sales, telecommunications and IT).
External bodies (contractual partners) insofar as they are necessary for the fulfilment of the contract. External contractors (service providers) in accordance with Art. 28 GDPR for the processing of data on our behalf. Furthermore, data will be passed on to commissioned companies for which you have given us your consent.
Other external bodies such as credit institutions (salary payments, supplier invoices), group companies or other external bodies for the fulfilment of the above-mentioned purposes, insofar as the data subject has given their written consent, this is necessary for the fulfilment of the contract or a transfer is permissible on the basis of overriding legitimate interests.
Transfer to third countries
No transfer to third countries currently takes place!
How long will my data be stored?
10 years – for documents in accordance with the German Commercial Code (HGB), Fiscal Code (AO), Income Tax Act (EStG), Corporation Tax Act (KStG), Trade Tax Act (GewStG), Value Added Tax Act (UStG), Stock Corporation Act (AktG) and Limited Liability Companies Act (GmbHG)
6 years – commercial and business letters and other documents (HGB, BGB)
4 years – review in accordance with Section 35 (2) No. 4 BDSG
6 months – unsolicited applications (email), digital applications in general, tenant self-disclosure (in digital form)
3 months – tenant self-disclosure in paper form
The storage period varies between 3 months and up to 30 years. The storage period is also determined by the statutory limitation periods. In principle, however, the data will be processed and stored for as long as it is necessary to maintain our business relationship. It should be noted that a business relationship is a continuing obligation that lasts for years.
I have the following rights:
- Right to information
- Right to information and objection
- Right to rectification, erasure and restriction
- Right to data portability
Right to information
The following information will be disclosed upon request:
- Name and contact details of the controller (and representative, if applicable)
- Contact details of the data protection officer (if available)
- Purpose and legal basis of the processing
- Legitimate interests (for processing in accordance with Art. 6 GDPR)
- Recipients or categories of recipients
- Transfer to a third country or to an international organisation
- Duration of storage
- Existence of a right to information, correction, deletion, restriction, objection and data portability
- Existence of a right to withdraw consent
- Existence of a right to lodge a complaint with a supervisory authority
- Information on whether the provision of data is required by law or contract or is necessary for the conclusion of a contract and the possible consequences of non-provision
- Existence of automated decision-making, including profiling
- Information about a possible change in the purpose of data processing
Right to information and objection
- Purposes of data processing
- Categories of data
- Recipients or categories of recipients
- Duration of storage
- Right to rectification, erasure and objection
- Right to lodge a complaint with a supervisory authority
- Origin of the data (if not collected from the data subject)
- Existence of automated decision-making, including profiling
- Transfer to a third country or to an international organisation
Right to rectification, erasure and restriction
The following data will be deleted in accordance with Art. 17 GDPR if:
- The storage of the data is no longer necessary
- The data subject has withdrawn their consent to data processing
- The data has been processed unlawfully
- There is a legal obligation to delete the data under EU or national law
§ 35 BDSG (new) Right to erasure
If, in the case of non-automated data processing, erasure is not possible or only possible with disproportionate effort due to the specific nature of the storage and the interest of the data subject in erasure is considered to be minimal, the data subject has the right and the controller has the obligation to erase personal data in accordance with Article 17(1) of the Regulation (EU) 2016/679, in addition to the exceptions specified in Article 17(3) of Regulation (EU) 2016/679. In this case, the processing shall be restricted in accordance with Article 18 of Regulation (EU) 2016/679 instead of being erased. Sentences 1 and 2 shall not apply if the personal data have been processed unlawfully.
The right to be forgotten shall not apply if:
- The right to freedom of expression or freedom of information prevails
- The data storage serves to fulfil a legal obligation
- The public interest in the area of public health prevails
- Archiving purposes or scientific and historical research purposes override the above
- Storage is necessary for the establishment, exercise or defence of legal claims
Please note: We can only comply with your request to delete your personal data once any statutory retention periods have expired.
Withdrawal of consent
Every data subject has the right, within the meaning of Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a, to withdraw individual or all consents given, e.g. for the fulfilment of a contract, at any time and without disadvantage to themselves, without affecting the lawfulness of the processing carried out on the basis of the consent until withdrawal.
Please send your revocation of consent in writing to:
Rudolf Schäfer KG, Max-Joseph-Straße 8, 80333 Munich
Automated decision-making and profiling
No automated decision-making processes pursuant to Art. 22 GDPR or other profiling measures pursuant to Art. 4 No. GDPR are used.
Right to data portability
Art. 20 GDPR grants the data subject a right to data portability. According to this provision, the data subject has the right, under the conditions set out in Art. 20 lit. a and b GDPR, to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller.
Right to lodge a complaint with a supervisory authority
(Art. 13 II lit. d, 77 I GDPR)
In accordance with Art. 13 II lit. d, 77 I GDPR, every company (controller) must inform all data subjects that they have a comprehensive right to lodge a complaint with the competent supervisory authority in their country. This right to lodge a complaint must be exercised if the data subject believes that the processing, storage and use of their data by us is unlawful. This right to lodge a complaint should be exercised in a targeted and case-by-case manner. The data subject should be able to provide substantiated and justified information when lodging a complaint. We advise against submitting a complaint to the authority without substantiated information and facts. It is therefore advisable to contact the data protection officer, Mr Reinhold Okon, before submitting a complaint and to initiate a dialogue with him. Furthermore, the complaint should only be addressed to a single supervisory authority (recital 141, sentence 1 GDPR). This is to avoid so-called ‘double complaints’.
If you have any questions, please do not hesitate to contact our data protection officer.