Data protection policy

Personal data will only be processed to the extent necessary for a given purpose, or if you expressly consent to such processing. Processing is principally based on the following lawful bases:

• Art. 6, Sec. 1, Letter a, GDPR (consent of the person concerned)
• Art. 6, Sec. 1, Letter b, GDPR (execution of a contractual relationship with the person concerned, pre-contractual measures at the request of the person concerned)
• Art. 6, Sec. 1, Letter c, GDPR (fulfilment of a legal obligation by our Company)
• Art. 6, Sec. 1, Letter d, GDPR (protection of vital interests of the data subject or of another natural person)
• Art. 6, Sec. 1, Letter e, GDPR (performance of a task in the public interest or in the exercise of official authority)
• Art. 6, Sec. 1, Letter f, GDPR (protection of a legitimate interest of our Company or of a third party, provided that the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (balancing of interests)).

Whenever consent constitutes the lawful basis for processing personal data, you can revoke your consent at any time without stating your reasons. Principally, revoking your consent is only effective for the future. Revoking your declaration of consent will therefore not render prior processing unlawful that preceded our receipt of the revocation of your consent.

We are firmly committed to ensuring end-to-end protection of your personal data on this website. Despite all technical and organisational measures taken by us, security gaps can sadly never be ruled out completely during the electronic transmission of data via the Internet. That is why we always give you the option to submit your required data by phone or via postal letter.

Unless stated otherwise in the following sections, it is not intended to transfer personal data to third countries or to international organisations.

We use neither profiling nor any other procedure for automated decision making.

This website uses the Google Maps service. It is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The service enables us to display interactive maps directly on our website and lets you use the map function at your convenience. It is integrated into our website via a Java Script API.

Use of Google Maps, and thus the processing of personal data by Google Maps, is not possible unless you have consented to it through the cookie settings on this page (“Marketing” category). The lawful basis for this processing of personal data is your consent pursuant to Art. 6, Sec. 1, Sent. 1, Lit. a, GDPR, or (in case the data are transmitted to the United States) pursuant to Art. 49, Sec. 1, Lit. a, GDPR. You may revoke your consent with effect to the future via the same cookie settings at any time.

As a result of using Google Maps, Google will receive information that the corresponding (sub)page of our website was called up while also receiving the associated IP address. This will happen regardless of whether Google provides a user account through which you are logged in or whether no such user account exists. If you are signed into a Google service, your data will (probably) be directly associated with your account. If you do not wish to be associated with your profile on Google, you should log out of your Google account before clicking the button. Google stores the data collected about you in the form of a user profile and uses it for advertising purposes, market research and/or the need-based design of its websites. The purpose of such an analysis is specifically to generate customised advertising (even for users not logged in). You have a right to object to the creation of such a user profile, but you will have to contact Google directly to exercise that right.

The aforesaid personal data will be transferred to the United States during the use of Google Maps. Please note that the United States are classified as a so-called third country under current data protection legislation, and are subject to different statutory data protection regulations, so that the legally required level of data protection may be lower than that in the European Union. In addition to Google, government agencies may also gain access to this data under US law if certain legal conditions are met. This is regrettably not subject to our influence.

For more information on the purpose and scope of the collection of data and their processing by the provider of Google Maps, please see the provider’s data protection statements. If you do, Google will also provide more details about your rights and privacy settings (third-party link): http://www.google.com/policies/privacy.

In addition to the general and basic information provided above, the sections below will brief you on the processing of personal data in the context of your application for an apartment and within the framework of an existing tenancy:

If you wish to apply for a lease to an apartment (the “Applicant” button) or if you wish to request a viewing appointment for an apartment (the “Prospect” button), you will necessarily have to provide personal data to let us process your tenancy request. Such data include general information about your person and contact details like your name, address or e-mail address. In order to process your concrete tenancy request, we will need additional details, which you may submit via a self-disclosure form, substantiated by supporting evidence. You have the option to upload the documents or to send them in via postal letter.

We will process your data for the purpose of handling your request and signing a lease with you. We also need your data for the purposes of running a credit check on you and to review the local conditions to ensure they are adequate for the intended use.

The lawful basis for processing your data for the above purposes is the execution of the lease agreement or pre-contractual measures in accordance with Art. 6, Sec. 1, Letter b, GDPR, as well as our legitimate interest in accordance with Art. 6, Sec. 1, Letter f, GDPR, to minimise the risk of payment defaults by tenants through a qualified selection of applicants, to ensure the optimal use of the apartments, and to complete the processes involved as efficiently and effectively as possible. If you volunteer optional information when entering your data, you thereby consent to the processing of such data by us. Processing of your optional information is done on the lawful basis of your consent pursuant to Art. 6, Sec. 1, Letter a, GDPR.

In the context of your application, we use the so-called “double-opt-in procedure” unless your e-mail address was previously verified already. Once you have filled in the input masks, you will receive an e-mail from us, asking you to confirm your e-mail address by clicking a link. Your data will not be transmitted to us until you click the link. If you fail to click our confirmation link within a 7-day period, all your entries will be deleted and the request will not be processed. You will subsequently be given the opportunity to create a user account. Having your own account will enable you to process the uploaded data autonomously or inversely to delete all records as well as the account itself.

Just before the start of your lease term, at the latest, you will need to verify your data by presenting a government-issued photo ID.

Once you signed a lease agreement, you may use the tenant portal to take care of various things. Services such as the use of the notice board may require the entry of personal data (e. g. when carpooling); yet the decision to do so is always up to the user. In case of room reservations, the tenant portal will display your first name plus the initial of your last name. Your tenant ID is known to the property management for the sake of tracing damages (see “Disclosure to Any Third Party).

In the context of an existing tenancy, your data will be processed primarily for the purpose of executing the lease agreement, for administrative purposes, in conjunction with current maintenance, repairs and the further development of the properties/apartments or else to meet legal obligations. On top of that, asserting, exercising or defending legal claims may also necessitate processing of your data. Tenant data may also be processed in conjunction with possible processes related to internal quality assurance, compliance audits or internal audits.

The lawful basis for processing personal data to execute a lease agreement is Art. 6, Sec. 1, Letter b, GDPR, while the lawful basis for processing personal data to meet legal obligations is Art. 6, Sec. 1, Letter c, GDPR. Another legitimate interest in accordance with Art. 6, Sec. 1, Letter f, GDPR, is our right to examine, assert, exercise and defend legal claims. In accordance with Art. 6, Sec. 1, Letter f, GDPR, we also have a legitimate interest to carry out internal quality assurance measures, compliance audits or internal audits in order to maintain the necessary quality standard to ensure efficient and effective processes, to ensure compliance with the legal parameters, to prevent cases of fraud and abuse, and to guarantee IT and network security. Another lawful basis for such measures in accordance with Art. 6, Sec. 1, Letter c, GDPR, is constituted by certain legal obligations.

In the context of the management, maintenance, repairs and development of the property/apartments or associated facilities, the lawful basis is constituted, on the one hand, by the obligation to fulfil the lease agreement in accordance with Art. 6, Sec. 1, Letter b, GDPR (obligation of continuous provision and maintenance of the leased property). On the other hand, another lawful basis for processing the personal data toward this end is constituted by our legitimate interest in accordance with Art. 6, Sec. 1, Letter f, GDPR, to preserve and increase the value of our properties and to efficiently manage them.

As a matter of principle, we process personal data only for the period of time required for the processing purpose and will delete such data after the purpose has been fulfilled, unless the deletion is prevented by legal obligations to provide supporting evidence or to retain data, or unless legal claims relevant in this respect are asserted.

Data protection when using the myRENZbox parcel locker system.

The following sections provide supplementary data protection information in case you opted for the use of the myRENZbox parcel locker system at the Quartillion.

The general disclosures, e. g. concerning the responsible party, the right to lodge a complaint with the competent supervisory authority and with the data protection officer, remain in place.

The parcel locker system lets you receive parcels even when you are not home. To take advantage of the option, you sign a user agreement with us as the system’s operator while the system is managed by the property management (hereinafter “the Representative”). Creating an account in the online management portal of the parcel locker system will require the entry of your first and last name and of your e-mail address. During subsequent steps, you will have to disclose your data (plus your mobile phone number) to parcel service providers and grant drop-off permissions.

The online management portal for the parcel locker system is operated by the company Erwin Renz Metallwarenfabrik GmbH & Co KG (hereinafter “RENZ”). Within the framework of these activities, RENZ will process personal data on our behalf and for the purpose of using the parcel locker system.

RENZ and the operator’s representative act as commissioned data processor within the meaning of Art. 4, No. 8, GDPR, in this relationship.

1) Which data are processed?

a) User account in the myRENZ portal
Use of the parcel locker system requires a user account in the myRENZ portal.

To create the account in the user administration, your first and last name as well as your e-mail address will be required. Once your data have been submitted, you will receive your access data for the myRENZ portal. Following your first sign-in with your log-in name and password, you will be asked to accept the user agreement with us as the system operator.

You can change your password in the myRENZ portal in the “access data” tab. In the same tab, you will have to enter your landline number or alternatively your mobile phone number, which will be used, e. g., for text messages. You may also review the user agreement and the data protection statement here.

Required fields in the “user data” tab include the boxes “first name,” “last name,” “e-mail address” and “landline number” (or “mobile number”). Optional fields include, e. g., “salutation” or “comfort zone” (parcel lockers on a handicap-accessible level), and you may delete data of this type at your discretion any time.

To receive parcels via DHL and Parcellock (dpd, gls and Hermes) you need to have a user account with these providers and grant drop-off permissions to them. The “Logistics” tab is used to integrate parcel service providers. Here, your residential data, assuming you entered them, will be transmitted to the logistics service provider when you enable the process and will be deleted if you disable it again.

Go to the “history” tab to view your entire history of deliveries or collections. This tab will process information about the parcel service provider and the access procedures for each parcel locker. Such information includes particularly the date and time of access, the time spent accessing the locker, and the access authorisation used.

b) Processing Steps by the Operator or its Representative
As operator of the system, we or our manager will process the data for the (remote) management of the parcel lockers system, for the issuance of access authorisations to users and their suspension, for monitoring state and functionality of the system, for service notifications, as well as for enabling and disabling logistics processes.

c) Processing Routines Used by RENZ on Behalf of the Operator
RENZ will process the data on behalf of the operator for the purpose of analysing the utilisation rate of the system, the lockers, and the number of deliveries / collections. Moreover, RENZ processes personal data that are made available in conjunction with personal communication (e. g. via e-mail, fax or the online form available for this purpose) with RENZ via the stated contact options, again for the purpose of processing the submitted request. The responsible party for these data is RENZ.

d) Anonymised User Statistics
In order to retain the ability to adapt the services to user needs in the future, and in order to ensure the trouble-free use of the parcel locker system, user statistics may be collected in anonymised form.
This includes statistics on incoming / outgoing deliveries by date / time, total occupancy of parcel lockers of each size by service provider, and total occupancy of parcel lockers of each size.

2) Purpose and Lawful Basis for the Data Collection

Your data will be processed exclusively in connection with your use of the parcel locker system.

The lawful basis for processing your data is the execution of the agreement or of pre-contractual measures (Art. 6, Sec. 1, Letter b, GDPR), as well as the consent optionally granted for some of the data in the administrative portal and there in the “user data” tab (Art. 6, Sec. 1, Letter a, GDPR), which consent may be revoked with effect for the future at any time by deleting such data.
In conjunction with item d) under number 1), above, personal data may possibly be processed on the basis of our legitimate interest to ensure a smooth operation or use of the parcel locker system and to be able to check the cost effectiveness of providing the parcel locker system (Art. 6, Sec. 1, Sent. 1, Letter f, GDPR).

3) Who will Have Access to Your Data?

Your personal data may be transmitted to the following recipients:

• the operator’s employees and its representative for the parcel locker system
• RENZ employees in conjunction with the administration, maintenance and expansion of our portal
• logistics service providers and their employees
• providers of service amenities, software development, help desk services (third-party processing)

There is no intention to transfer your data to recipients in countries outside the European Union or the Treaty on the European Economic Area where the level of data protection cannot simply be assumed to be comparable with that of the European Union.

4) Retention Periods

Your data will be deleted 14 days after the termination of your user agreement or your revocation of the agreement, provided that doing so does not conflict with any statutory retention periods and / or longer retention period is necessary to meet statutes of limitation.

The user agreement begins with your consent and for an indefinite period. The user agreement will automatically end together with the termination of your tenancy or else can be terminated by either party during the tenancy at the end of each month, subject to a two-week notice period.

Our data protection statement and our accountability and liability in this context principally do not extend to third-party websites to which we set links or to which you are redirected. Nor are we, in the context of third-party websites, responsible for any data processing undertaken by the operators of these websites.