DATA PRIVACY

KL Grundbesitz GmbH Data Privacy Policy:

The purpose of this data privacy policy is to provide you with information regarding personal data processing carried out by KL Grundbesitz GmbH. In the following, we address data privacy information pertaining to data processing according to data subject group. Information regarding some data processing activities that only concern specific groups is provided separately.

Contents:
I. General data privacy information
II. Data privacy when visiting this website
III. Data privacy information for potential tenants
IV. Rights of data subjects

I. General data privacy information

1. Data controller within the meaning of Art. 4 para. 7 GDPR
   The data controller for the data processing activities indicated below is KL Grundbesitz GmbH. Data controller contact details:
   KL Grundbesitz GmbH
   Vilshofener Str. 8
   81679 Munich
   represented by the managing director, Dr. Jaqueline Wacker

2. Data protection officer
   You can contact our data protection team and data protection officer at:
   KL Grundbesitz GmbH
   c/o Data Protection Officer
   Vilshofener Str. 8
   81679 Munich
   or send an email to: datenschutzteam@investa.de

II. Data privacy when visiting this website

1. Purpose and scope of data processing

1.1 Server log
Each time you visit our website, we store information regarding your access in a log file, or server log. Each record contains information about:
• the site you visited prior to accessing our website
• the page you accessed on our website
• the date and time of access
• the volume of data transferred
• access status (whether or not you were able to access our website)
• the browser used, e.g. Mozilla Firefox, Google Chrome, Apple Safari, etc.

Legal basis for collection of this data is Art. 6 para. 1(f) GDPR (legitimate interest). It is not possible to object to collection of this data, as maintaining a server log is essential when it comes to guaranteeing accessibility of our website and for use in case of attacks on the website. Data from the server log is automatically deleted after seven days.

1.2 Contact form
Should you decide to use the contact form provided on our website, you do so on the basis of your consent (Art. 6 para. 1(a) GDPR). We use the data transmitted by means of the contact form only for answering and processing your request. If you are contacting us with the intention of concluding a contract, the additional legal basis for processing your data is Art. 6 para. 1(b) GDPR (implementation of pre-contractual measures (initiating a rental relationship) pursuant to Art. 6 para. 1(b) GDPR). KL Grundbesitz GmbH or third parties do not use this data beyond such scope at any time. We store your data until your request has been fully processed and then delete it.

1.3 Cookies
This website does not use cookies. No cookies are used when you visit our website.

1.4 Third-party platforms (Instagram, LinkedIn)
Since KL Grundbesitz GmbH posts content on third-party platforms like Instagram and LinkedIn, the following addresses data processing in connection with third-party platforms, to the extent KL Grundbesitz GmbH is aware of and can influence such activities. We use these social media profile pages to present ourselves to and communicate with Instagram and LinkedIn users and other interested individuals who visit our Instagram or LinkedIn page. Personal data processing pertaining to parties using these sites is based on our legitimate interests in effectively presenting and representing our company (Art. 6 para. 1(f) GDPR).

When someone visits one of KL Grundbesitz GmbH’s profiles (e.g. Instagram, LinkedIn) on a third-party platform, the operator of that third-party platform sets cookies (data records). The operators of these third-party platforms use these cookies to collect your personal data for the purpose of analyzing user behavior. This especially applies if you are already registered with these third-party platforms. Information associated with the social media profile being used is also generally classified as personal data. This includes messages and statements made while using your profile. In addition, certain information pertaining to your social media profile may be automatically collected during your visit. Some of this information may also constitute personal data. Please refer to the third-party platform’s data privacy policy for more information (see below).

KL Grundbesitz GmbH does not have information as to which personal data is collected by operators of third-party platforms and for which further purposes this user data is processed. We have no influence over the data privacy policies of third-party platforms or over the collection, analysis and use of user data. We recommend that you use the various data protection and security settings available on the third-party platform you are visiting and check these regularly. Each platform operator explains which data is collected during use in its data privacy policy:

LinkedIn
LinkedIn Ireland Unlimited Company (Ireland/EU - “LinkedIn”) is the sole controller of personal data when you visit our LinkedIn page. LinkedIn processes your personal data each time you visit, follow or engage with our LinkedIn company page. You can find further information about personal data processing by LinkedIn at
https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy

Please note that under LinkedIn’s privacy policy, your personal data may also be processed by LinkedIn in the United States or in other non-member states.

Instagram
Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, is the sole data controller when you visit our Instagram page. Instagram/Facebook processes your personal data each time you visit, follow or engage with our Instagram company page. You can find further information about personal data processing by Instagram at
https://help.instagram.com/519522125107875
Please note that under Facebook’s privacy policy, your personal data may also be processed by Facebook in the United States or in other non-member states.

1.4.1. Processing data that you provide to us via our social media pages
We process information that you provide to us via our company page on all of our social media platforms. This information may include your username or a message you have sent to us. We only process this personal data if we have previously expressly requested that you provide us with this data. We process this data on the basis of our legitimate interest in contacting people that have requested information. The legal basis for data processing in this case is Art. 6 para. 1(f) GDPR. We may process such data for analytics and marketing purposes. We conduct such processing activities on the legal basis of Art. 6 para. 1(f) GDPR and in pursuit of our interest in continuing to advance our offers and provide you with targeted information regarding our offers. We may conduct further data processing under your consent (Art. 6 para. 1(a) GDPR) or if such data processing required by law (Art. 6 para. 1(c) GDPR).

III. Data privacy information for potential tenants

How do we collect personal data?
We collect and process personal data that you provide to us prior to signing a lease.

2. What types of personal data do we process?
   The personal data we process falls under the following categories: All personal data provided on your tenant self-disclosure form as well any other data you provide or have provided to us in this context, including: your first and last name, your telephone number, your email address, your occupation, your net salary and your address. Other documents you provide may include the following: salary statements, credit score, official documents, etc.

3. How do we use your personal data and what is the legal basis for processing your data?
   We process your personal data in compliance with all applicable German and European data protection regulations. According to these regulations, personal data may be processed if at least one of the following conditions is met:

a) Consent (Art. 6 para. 1(a) GDPR)
We are permitted under law to process your personal data for specific purposes provided that you have given your consent. You may withdraw your consent to any future use at any time. The same applies to any consent given prior to the GDPR going into effect, i.e. on 25 May 2018.

b) To meet contractual obligations or take steps prior to entering into a contract (Art. 6 para. 1(b) GDPR)
We process personal data submitted at the time of your inquiry (e.g. the information contained in your tenant self-disclosure form) in order to fulfill our pre-contractual obligations to our clients or to take steps prior to entering into a contract. This also includes customer service.

c) Compliance with legal obligations (Art. 6 para. 1(c) GDPR) or acting in public interest (Art. 6 para. 1(e) GDPR)
KL Grundbesitz is subject to various legal obligations (e.g. retention requirements under the German Commercial Code and German Fiscal Code). We also process data in compliance with regulatory monitoring and disclosure obligations.

d) Protection of interests (Art. 6 para. 1(f) GDPR)
We process your data to an extent exceeding our contractual obligations if required in order to protect our legitimate interests or the legitimate interests of third parties. Examples:
• Enforcing legal claims and defense in legal disputes.
• Consulting with and transferring data to and from credit bureaus for credit assessment and default risk assessment. Marketing as well as market and opinion research, unless you have objected to such use of your personal data.
• Consulting with and transferring data to and from credit bureaus for credit assessment and default risk assessment. Revising and optimizing general operating procedures and developing products and services.
• Preventing and investigating criminal offences.
• Ensuring IT security and proper IT operation.

4. Who has access to your personal data?
   At our company, your personal data can be accessed by all parties who require such access to enable us to meet our contractual and statutory obligations. KL Grundbesitz has also commissioned carefully selected companies to handle some of the processes and services outlined above. These companies comply with data protection regulations and are headquartered in the EU. These include companies specializing in IT services, payment transactions, invoicing and debt collection that we commission within the scope of order processing. We are only permitted to transfer your information to other recipients if such transfer is required under law, if have you consented to such transfer or if we have the right to do so. Assuming these requirements have been met, recipients of your personal data may include the following:

• Public authorities or institutions (e.g. tax offices) if required under a legal or regulatory obligation.
• Other companies or similar institutions to which we transfer your personal data in order to fulfill the terms of our business relationship with you.
• We may also transfer your personal data to other parties provided you have given consent to such transfer.

5. Will my personal data be transferred to a third country or international organization?
   We do not actively transfer personal data to third countries or international organizations.

6. How long will my personal data be stored?
   The storage time for personal data depends on when the purpose of such storage expires as well as on subsequent legal retention requirements. Data that is no longer required to fulfill contractual or legal obligations is regularly deleted unless we need to continue storing it, for a specified or unspecified period time, for the following reasons:

• Compliance with obligations under commercial and tax law: The German Commercial Code and the German Fiscal Code (AO) apply. According to these laws, documents must be retained for up to 10 years.
• Retaining evidence within the scope of statutory periods of limitation: Pursuant to secs. 195 et seq. German Civil Code (BGB), the standard limitation period is three years but may be extended up to 30 years under special circumstances.

9. What data am I required to provide and what are the consequences if I fail to do so? Within the scope of our business relationship, you must provide the personal data required to enter into and carry out the business relationship and to fulfill any related contractual obligations. You must also provide us with any personal data that we are legally obligated to collect. Without this data, we will be unable to provide the requested service, enter into a contract with you or execute such contract.

10. Do you use automated decision-making processes, including profiling?
    We generally do not use automated decision-making processes pursuant to Art. 22 GDPR to enter into or carry out business relationships. Should we decide to use such processes in individual cases, we will notify you as required by law.

IV. Rights of data subjects
To the extent personal data is processed, data subjects are entitled to the following rights vis-à-vis the controller within the meaning of GDPR:

1. Right to information
   In compliance with the conditions set forth under Art. 15 GDPR, data subjects have the right to obtain from the controller information regarding whether and how their personal data is being processed.

2. Right to rectification
   In compliance with the conditions set forth under Art. 16 GDPR, data subjects have the right to obtain from the controller rectification and/or completion of their personal data to the extent such personal data is inaccurate or incomplete. The data controller shall rectify the data without delay.

3. Right to erasure (“right to be forgotten”)
   In compliance with the conditions set forth under Art. 17 GDPR, data subjects have the right to obtain from the controller erasure of their personal data and may assert their right to be forgotten.

4. Right to restriction of processing
   In compliance with the conditions set forth under Art. 18 GDPR, data subjects have the right to obtain from the controller restriction of processing.

5. Right to notification (notification obligation)
   If a data subject has exercised the right to obtain from the controller rectification, erasure or restriction of processing, the controller shall be under the obligation to communicate such rectification, erasure of data or restriction of processing to all recipients to whom the personal data concerned has been disclosed, unless this proves impossible or would require unreasonable time and effort. Data subjects have the right to obtain from the controller notification regarding these recipients pursuant to Art. 19 GDPR.

6. Right to data portability
   In compliance with the conditions set forth under Art. 20 GDPR, data subjects have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.

7. Right to object
   In compliance with the conditions set forth under Art. 21 GDPR, data subjects have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para 1(e) or (f).

8. Right to lodge a complaint with supervisory authority
   Without prejudice to any other administrative or judicial remedy, data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of his or her residence, place of work or the place of the alleged infringement, should the data subject feel that the processing of their personal constitutes an infringement of the GDPR. The data protection supervisory authority responsible for KL Grundbesitz GmbH is:

Bavarian Data Protection Authority (BayLDA)
Promenade 18, 91522 Ansbach
Tel.: +49 (0)981 180093-0
Email: poststelle@lda.bayern.de