DATA PRIVACY

Data privacy notice for potential tenants

General
Protecting your privacy and personal data is very important to us. We only collect and process your personal data with your knowledge and consent. Personal data within the meaning of this data privacy policy refers to any information that can infer a reference to you. The purpose of this data privacy policy is to let you know which data we collect and store and how we use it. We comply with German and European data protection regulations.

Responsible data protection officer:
KL Grundbesitz GmbH
Törringstraße 22
81675 Munich, Germany

If you have any questions regarding data privacy, please contact
KL Grundbesitz GmbH
Törringstraße 22
81675 Munich, Germany
Email: datenschutzteam@investa.de

You can contact our data protection officer at:
KL Grundbesitz GmbH
Törringstraße 22
81675 Munich, Germany
Email: datenschutzteam@investa.de

How do we collect personal data?
We collect and process personal data that you provide to us prior to signing a lease.

What types of personal data do we process?
The personal data we process falls under the following categories: Any personal data provided in the tenant self-disclosure form as well as any other data you submit in this regard. This includes your first and last name, telephone number, email address, profession, net salary and address. Other documents you provide may include the following: salary statements, credit score, official documents, etc.

How do we use your personal data and what is the legal basis for processing your data?
We process your personal data in compliance with all applicable German and European data protection regulations. According to these regulations, personal data may be processed if at least one of the following conditions is met:

(a) Consent (Art. 6 para. 1(a) General Data Protection Regulation (GDPR))
We are permitted under law to process your personal data for specific purposes provided that you have given your consent. You may withdraw your consent to any future use at any time. The same applies to any consent given prior to the GDPR going into effect, i.e. on 25 May 2018.

(b) To meet contractual obligations or take steps prior to entering into a contract (Art. 6 para. 1(b) GDPR)
We process personal data submitted at the time of your inquiry (e.g. the information contained in your tenant self-disclosure form) in order to fulfill our pre-contractual obligations to our clients or to take steps prior to entering into a contract. This also includes customer service.

(c) Compliance with legal obligations (Art. 6 para. 1(c) GDPR) or acting in public interest (Art. 6 para. 1(e) GDPR)
Investa is subject to various legal obligations (e.g. retention requirements under the German Commercial Code (HGB) and German Fiscal Code (AO)). We also process data in compliance with regulatory monitoring and disclosure obligations.

(d) Protection of interests (Art. 6 para. 1(f) GDPR)
We process your data to an extent exceeding our contractual obligations if required in order to protect our legitimate interests or the legitimate interests of third parties. Examples: Enforcing legal claims and defense in legal disputes. Consulting with and transferring data to and from credit bureaus for credit assessment and default risk assessment. Marketing as well as market and opinion research, unless you have objected to such use of your personal data. Consulting with and transferring data to and from credit bureaus for credit assessment and default risk assessment. Revising and optimizing general operating procedures and developing products and services. Preventing and investigating criminal offences. *Ensuring IT security and proper IT operation.

Who has access to your personal data?
At our company, your personal data can be accessed by all parties who require such access to enable us to meet our contractual and statutory obligations. Investa has also commissioned carefully selected companies to handle some of the processes and services outlined above. These companies comply with data protection regulations and are headquartered in the EU. These include companies specializing in IT services, payment transactions, invoicing and debt collection that we commission within the scope of order processing. We are only permitted to transfer your information to other recipients if such transfer is required under law, if have you consented to such transfer or if we have the right to do so. Assuming these requirements have been met, recipients of your personal data may include the following: The owner of the property concerned. Public authorities or institutions (e.g. tax offices) if required under a legal or regulatory obligation. *Other companies or similar institutions to which we transfer your personal data in order to fulfill the terms of our business relationship with you.
We may also transfer your personal data to other parties provided you have given consent to such transfer.

Will my personal data be transferred to a third country or international organization?
We do not actively transfer personal data to third countries or international organizations.

How long will my personal data be stored?
The storage time for personal data depends on when the purpose of such storage expires as well as on subsequent legal retention requirements. Data that is no longer required to fulfill contractual or legal obligations is regularly deleted unless we need to continue storing it, for a specified or unspecified period time, for the following reasons:

Compliance with obligations under commercial and tax law: The German Commercial Code (HGB) and the German Fiscal Code (AO) apply. According to these laws, documents must be retained for up to 10 years.
Retaining evidence within the scope of statutory periods of limitation: Pursuant to secs. 195 et seq. German Civil Code (BGB), the standard limitation period is three years but may be extended up to 30 years under special circumstances.

What are your data protection rights?
Each data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDP, the right to restriction of processing pursuant to Art. 18 GDPR, the right to objection pursuant to Art. 20 GDPR and the right to data portability pursuant to Art. 20 GDPR. With regards to the rights to access and erasure, the limitations pursuant to secs. 34 and 35 German Data Protection Act (BDSG) shall apply. Data subjects also have the right to lodge complaints with the responsible data protection supervisory authority (Art. 77 GDPR in conjunction with sec. 19 BDSG). You may withdraw your consent to any future processing of your personal data at any time. The same applies to any consent given prior to the GDPR going into effect, i.e. on 25 May 2018.

What data am I required to provide and what are the consequences if I fail to do so?
Within the scope of our business relationship, you must provide the personal data required to enter into and carry out the business relationship and to fulfill any related contractual obligations. You must also provide us with any personal data that we are legally obligated to collect. Without this data, we will be unable to provide the requested service, enter into a contract with you or execute such contract.

Do you use automated decision-making processes, including profiling?
We generally do not use automated decision-making processes pursuant to Art. 22 GDPR to enter into or carry out business relationships. Should we decide to use such processes in individual cases, we will notify you as required by law.