Privacy

DATA PROTECTION AND DATA SECURITY

Protecting your privacy and your personal data is important to us. We only want to collect personal data relating to you with your knowledge/consent, meaning that we would like to provide you with information below on the data that we may process and the purposes that we use this data for.

Our data privacy information...

Data privacy Version dated: May 2020

Protecting the privacy of our customers and business partners is extremely important to us. The data made available to us relating to you as an individual is collected, processed and used in accordance with the statutory provisions. The employees of HANSAINVEST Hanseatische Investment-GmbH (“HANSAINVEST” or “we” for short) will treat the personal data that you make available to us when you visit our website as confidential. Insofar as this is technically possible and reasonable/where it makes sense, services can be used anonymously.

HANSAINVEST has prepared this data privacy statement to describe how, and for which purposes, which personal data relating to users of the site is collected, processed and used. The data privacy statement also provides an overview of reasonable precautionary measures taken to ensure the security of your personal data.

What is the purpose and scope of application of this data privacy statement?

This data privacy statement applies to all personal data that is collected, processed and used by HANSAINVEST when you visit the site. The content of this data privacy statement may be subject to additional conditions or disclaimers or other contractual provisions that you have entered into with HANSAINVEST, such as data privacy statements or customer information, as well as mandatory applicable laws and provisions.

What information do we collect from you and for what purposes?

When you visit the site, our web server will automatically record details of your visit (for example your IP address, the website that you are visiting us from, the type of browser software used and the individual sub-pages of the website that you actually access, including the date and duration of your visit).

In addition, we collect, process and use personal data that you make available via the site, for example if you enter personal details (e.g. name, gender, address, e-mail address, telephone/fax number) on a registration page or if you subscribe to an e-mail newsletter.

HANSAINVEST collects, processes and uses your personal data:

  • in order to further develop and improve the website
  • for technical administration and development purposes relating to the site
  • for customer and user administration and marketing,
  • in order to provide you with information on our products and services.  

To whom do we disseminate your information?

We can disseminate your information to government authorities or institutions, supervisory authorities or other individuals, in each case in accordance with applicable laws, provisions, a court decision or an official enquiry, or in accordance with, and for the purposes of, guidelines of (supervisory) authorities or similar proceedings, where this is necessary or permitted based on the applicable law.

Which security measures have we implemented in order to protect your information that is collected via the site?

We have taken the necessary technical and organisational measures to protect your personal data that is collected via the site from unauthorised access, misuse, loss or destruction.

  • All instances of access and attempted access are logged as a preventative security measure.
  • Data will not be disseminated to third parties without the consent of the data subject in the absence of any statutory provisions to the contrary.
  • All employees of HANSAINVEST are subjected to written data secrecy obligations.

The data protection officer and the internal audit department perform checks on a regular basis to ensure that the data protection provisions are being adhered to.

How do we handle electronic mail sent to and from HANSAINVEST?

All electronic mail sent to and from HANSAINVEST is protected - in our systems - by adequate technical and organisational measures and may only be accessed by individuals that are not directly involved in the communication in justified cases and in accordance with applicable laws and provisions (e.g. court decision, suspected criminal behaviour, breach of supervisory law obligations); this information is only accessed by certain individuals in defined functions (e.g. legal, compliance, audit).

What should you bear in mind when sending data via the Internet?

The Internet is not considered a safe environment in general, and information sent via the Internet (such as information sent to or from the site or via electronic mail) may be viewed by unauthorised third parties, which may result in the disclosure of the information, the alteration of its content or technical failure. Even if both the sender and the recipient are in the same country, information sent via the Internet may be transmitted across international borders and may be disseminated to a country with a lower level of data protection than in your country of residence.  

Please note that we assume no responsibility or liability for the security of your information while it is being transmitted to HANSAINVEST via the Internet. In order to protect your privacy, we would like to remind you that you can use other means of communication with HANSAINVEST where you consider this to be appropriate.

Use and meaning of cookies on our website

Essential cookies (also functional cookies)

We use so-called essential (functional) cookies on our website, which are necessary for the operation of the website and enable the use of offered services. These cookies do not contain any personal data and are only used to establish a relation between the user and the data.

This category of cookies includes the cookie with the name "1frontend", which enables users to use the newsletter, for example. Here user-related content must be assigned to the correct user.
Another essential cookie is "HI-AntispamQuestion" which is required for the contact form.  This cookie also does not contain any personal data.

Matomo

On our website, we use Matomo for reach measurement, to improve the website and to generate statistics. Matomo is open source software that we run directly on our server. This requires a cookie that is used for identification but does not contain any personal data.
IP addresses are anonymized (for example: 192.168.xxx.xxx) and we also take the Do-Not-Track standard into account. The collected data will not be passed on to third parties and will not be used for advertising purposes.
The data processing for statistical and reach measurement purposes takes place in accordance with Art. 6 Para. 1 Letter f) GDPR to the extent that is necessary and appropriate to fulfil our interest in reach measurement, taking into account your interest in a visit to this website that is as confidential and unobserved as possible.

Third party services

Google Maps

We use the Google Maps service on our website. This is designed to make it easier for you to travel and navigate to us. You can find more information on Google’s data privacy provisions here: https://policies.google.com/privacy?hl=de&gl=de

stopforumspam.com

To avoid spam, we cooperate with stopforumspam.com. If you use our contact form, your email address and your IP address will be forwarded to this provider for verification purposes. Your data will not be stored. For more information see the privacy terms of stopforumspam.com: https://www.stopforumspam.com/privacy.

Matomo

We use Matomo to record and analyse visitor data (https://matomo.org/). This is an open source software package that we host ourselves. This means that no data is transmitted to third parties.

Collection of personal data on our website

Basically, the data will only be processed with your approval and strictly for the intended purpose.

Newsletter

You have the option of subscribing to our newsletter via our website. We need various pieces of personal data for your subscription, as well as a declaration from you stating that you agree to receive the newsletter. In order to provide you with targeted information, we also collect and process publicly available personal data.
As soon as you have signed up for the newsletter, we will send you a confirmation e-mail with a link that you can use to confirm your subscription.
You can unsubscribe from the newsletter at any time using a link in the newsletter or using the newsletter settings.

Contact form

The personal data that you provide us with in the context of the contact request will only be used to answer your request and for the related technical administration.
In answering your questions, your data will also be processed by processors on our behalf in individual cases. These have been carefully selected and contractually committed in accordance with Article 28 GDPR.
All personal data that you send us via the contact form will be deleted or anonymized at the latest 90 days after the final reply.

Order of the fund reports

The personal data that you send us in the context of a request regarding our fund reports will only be used to answer your enquiry and for the associated technical administration.
When processing your request, your data will also be processed by processors on our behalf in individual cases. These have been carefully selected and contractually obliged in accordance with Article 28 GDPR.
All personal data that you send us when ordering our fund reports will be deleted or anonymized at the latest 90 days after the final reply.

HANSAINVEST cookie policy

Version dated: May 2020

We, HANSAINVEST Hanseatische Investment-GmbH, Kapstadtring 8, 22297 Hamburg, Germany (“HANSAINVEST” or “we” for short) use this cookie policy to provide you with information on how we use cookies and similar technology on our website (“site”). You can find further information on how we collect, process and use personal data in our data privacy statement.

Cookies and similar technology

If you use our site, we may store a cookie or several cookies - small text files that contain a sequence of alphanumeric characters - on your end device. We use both session cookies and permanent cookies. Session cookies are deleted when you close your Internet browser. Permanent cookies remain saved even after you close your Internet browser and can be used by your Internet browser the next time you visit our site. Your Internet browser may offer various options relating to cookies. Please note that if you either delete cookies or opt to disable cookies, you may not be able to use the functions associated with the services offered via our site in full.

How we use cookies and similar technology

We use cookies and automatically collect information in order to:

  1. personalise our site and the services we offer via our site, for example in order to save information relating to you so that you do not have to enter it again while using our site or the next time you use our site and the services offered via our site;
  2. prepare anonymized user statistics that help us to maintain operation and correct errors.


How can you exercise user rights?

If permitted by statutory provisions, you can:

  • request information on whether we collect, process or use your personal data,
  • ask us for a copy of your personal data or
  • ask us to rectify incorrect personal data relating to you.

You can object to the use of your personal data for marketing purposes, or for market or opinion research.  

Please do not hesitate to contact us if you have any questions or comments regarding data privacy and your rights referred to above, as well as regarding your right to update or erase your personal data:

HANSAINVEST Hanseatische Investment-GmbH
data protection officer
Kapstadtring 8
22297 Hamburg

You can also send an e-mail to: hi-datenschutz@hansainvest.de

Who is responsible for data processing and who is my point of contact?

The controller is:
HANSAINVEST Hanseatische Investment-GmbH
Kapstadtring 8
22297 Hamburg
Phone: +49 40 300 57-0
Fax: +49 40 300 57-60 70
e-mail address: HI-Geschaeftsfuehrungsstab@hansainvest.de

You can contact our company data protection officer at:
HANSAINVEST Hanseatische Investment-GmbH
Data protection officer
Kapstadtring 8
22297 Hamburg
Phone: +49 40 300 57-0
e-mail address: hi-datenschutz@hansainvest.de

Which sources and data does HANSAINVEST use?

We process personal data that we receive from you personally. We also process personal data that we obtained legitimately from publicly available sources (e.g. commercial registers and registers of associations, the press, the Internet, the media) and that we are permitted to process.

Relevant personal data can include: Surname, first name, address, other contact details (phone, fax, e-mail address), title, position and date of birth.

In addition, we process data that we received by being provided with a business card and/or as a result of participation in events.

We also process personal data that we received because, for example, you signed up for our newsletter and granted your prior consent.

Why does HANSAINVEST process my data (purpose of the processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) To fulfil contractual obligations (Article 6 (1b) GDPR) We process personal data (Article 4 (2) GDPR) in order to fulfil our obligations arising from information and service contracts, as well as service contracts in which a specific result is agreed upon (Werkverträge), with you or the individual represented by you, or to perform pre-contractual measures.

b)  Based on the weighing up of interests (Article 6 (1f) GDPR) If necessary, we will continue to process your data even after the actual performance of the agreement in order to safeguard our legitimate interests or those of third parties.

  • Assertion of legal claims and defence in legal disputes;
  • Ensuring IT security and IT operations;
  • Prevention and investigation of criminal offences.

c) Based on your consent (Article 6 (1a) GDPR) If you have granted us your consent to the processing of personal data for specific purposes (e.g. when you sign up for our newsletter), then this processing is considered to be legal on the basis of your consent pursuant to Article 6 (1a) GDPR. Consent granted can be revoked at any time. This also applies to the revocation of declarations of consent that you submitted to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that revocation is only effective for the future and does not affect any processing operations performed in the past.

Who gets my data?

Within HANSAINVEST, the departments that gain access to your data are those departments that need the data to fulfil our contractual and statutory obligations. Service providers, vicarious agents and contract data processors (Article 28 GDPR) commissioned by us may also receive data for these purposes if they comply with their statutory obligations and our written data protection law instructions.

We are only allowed to disseminate information about you if this is permitted or required on the basis of statutory provisions, if you have granted your consent, if we are authorised to issue information, or if contract data processors commissioned by us similarly guarantee adherence to the requirements set out in the General Data Protection Regulation (GDPR/BDSG).

Will data be transmitted to a third country or an international organisation?

Your personal data will not be transmitted to a third country (countries outside of the European Economic Area – EEA).

How long will my data be stored for?

We process and store your personal data for as long as is necessary in order to fulfil our contractual and statutory obligations. If the data is no longer required in order to fulfil contractual or statutory obligations, it will be erased at regular intervals, unless its – temporary – further processing is required for the following purposes:

- To comply with commercial and tax law retention periods: examples include the German Commercial Code (Handelsgesetzbuch), the German Tax Code (Abgabenordnung) and the German Money Laundering Act (Geldwäschegesetz). The retention/documentation periods specified in these pieces of legislation amount to between two and ten years.

- Conservation of evidence as part of the statutes of limitation. In accordance with sections 195 et seq. of the German Civil Code (BGB), these limitation periods can amount to up to 30 years, with the regular limitation period amounting to three years.  

What are my data protection rights?

All data subjects have the right to receive information in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, the right to restriction of processing in accordance with Article 18 GDPR and the right to data portability pursuant to Article 20 GDPR. The rights to information and erasure are subject to the limitations set out in sections 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a responsible supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

You can revoke consent you have granted to the processing of personal data vis-à-vis us at any time. This also applies to the revocation of declarations of consent that you submitted to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that revocation is only effective for the future. Processing operations performed before the revocation are not affected. 

You have the opportunity to lodge a complaint with the company data protection officer specified above, or to contact a data protection supervisory authority. The supervisory authority responsible is:

The Officer for Data Protection and Freedom of Information of the City of Hamburg [Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit] https://datenschutz-hamburg.de/

Am I obliged to provide data?

As part of our business relationship, you only have to provide the personal data that is required for the establishment, implementation and termination of a business relationship, or which we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the agreement or execute the order, or will be forced to cease with the performance of an existing agreement and possibly to terminate it.

To what extent is automated individual decision-making used?

In general, we do not use any fully automated decision-making pursuant to Article 22 GDPR to establish or perform the business relationship. Should we use these procedures in individual cases, we will inform you separately where this is required by law.

To what extent will my data be used for profiling?

We do not process your data with the aim of automatically evaluating certain personal aspects.

Which categories of data are processed and where do they originate?

The categories of personal data processed include, in particular, your master data (such as first name, last name, name affixes, nationality), contact details (such as private address, (mobile) telephone number, e-mail address) and data relating to the application process as a whole (cover letter, references, questionnaires, interviews, qualifications and previous activities). If you also provided specific categories of personal data (such as data concerning health, religion, degree of disability) voluntarily in your application letter or during the course of the application process they will only be processed if you have consented to such processing or it is justified under relevant legislation. 

As a general rule, your personal data is collected directly from you as part of the application process. We may also have received data from third parties (e.g. employment agencies) to whom you provided your data for forwarding.

For what purposes and on what legal basis are my data processed?

We process your personal data based on the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), other relevant laws (e.g. the German Works Constitution Act, General Act on Equal Treatment) and other statutory regulations under money laundering, tax and social security legislation, for example.

Data processing primarily serves the purposes of implementing and managing the application process and assessing a candidate’s suitability for the contractual relationship concerned. It is necessary to process your data to enable us to make a decision on establishing a contractual relationship. The primary legal basis for this is Article 6(1) (b) GDPR and, in the case of employment relationships, in connection with section 26 (1) BDSG.

If the legal basis for processing the data is a declaration of consent, you have the right to withdraw your consent at any time with effect for the future.

In individual cases we process your data in order to safeguard our legitimate interests or those of third parties (e.g. public authorities). This applies, in particular, to the investigation of criminal offences (legal basis: Article 6(1) (f) GDPR and, in the case of employment relationships, in connection with section 26 (1) sentence 2 BDSG) and to the exchange of data within the Group for administrative purposes.

We carry out data processing for statistical purposes (e.g. examinations regarding applicant behaviour). Statistics are compiled exclusively for our own purposes, are not personalised under any circumstances and are anonymised.

The processing of special categories of personal data (e.g. data concerning health) is based on your consent in accordance with Article 9(2) (a) GDPR and, in the case of employment relationships, in connection with section 26 (2) BDSG, unless permission is granted under legislation such as Article 9 (2) (b), in the case of employment relationships in connection with section 26 (3) BDSG.

Your application data are treated confidentially at all times. We will inform you in advance if we intend to process your personal data for a purpose that is not specified above.

Who receives my data?

Only those persons and bodies (e.g. department, works council, representative body for employees with disabilities) within our company that require your personal data in order to decide on concluding a contract and fulfil our (pre)contractual and statutory duties receive your personal data. Applications are processed mainly through our parent company IDUNA Vereinigte Lebensversicherung a.G. für Handwerk, Handel und Gewerbe, and so this company also processes your data.

What data protection rights can I assert as a data subject?

You can request access to the stored data concerning you personally from the above address. Under certain circumstances you may also request the rectification or erasure of your data. You may also have a right to have the processing of your data restricted as well as a right to receive the data you have provided in a structured, commonly used and machine-readable format. In addition, you have the right to complain to a data protection supervisory authority. Our competent data protection supervisory authority is:

The Hamburg Commissioner for Data Protection and Freedom of Information

www.datenschutz-hamburg.de

Alternatively, you may also contact your data protection officer, as specified above. 

Do I have a right to object?

If we are processing your data in order to safeguard legitimate interests, you may object to such processing on grounds relating to your particular situation. We will subsequently cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

How long are my data stored?

We will erase your personal data six months after conclusion of the application procedure, unless a contractual relationship is established. This will not apply if statutory provisions preclude such erasure or further storage is necessary for the purpose of presenting evidence or you have consented to a longer storage period. 

Will my data be transmitted to a third country?

Your personal data will not be transmitted to a third country. Third countries are countries outside the European Economic Area (EEA).

To what extent do automated decision-making or profiling measures occur in individual cases?

We do not use any automated processing methods to make decisions. That includes profiling.

What sources and data does HANSAINVEST use?

We process personal data that we receive from you as part of our business relationship, e.g. from the tenancy agreement. Where required to provide our services, we also process personal data that we receive legally (e.g. based on your consent) from partners or other third parties responsible for you (e.g. SCHUFA) or will receive in the future (e.g. to execute orders, perform contracts or based on your consent).

We also process personal data that we have legally obtained from public sources (e.g. land registers, trade and associations registers, press, online, media) and that we are allowed to process.

Relevant personal data are personal details (name, address and other contact details, date of birth, birth name and place of birth, occupation, marital status and nationality) and identification data and authentication information (e.g. signature specimen) and other master and contract data (e.g. information on existing contracts, payment data, role of the data subject (e.g. tenant)). They may also cover order data (e.g. payment order), data from fulfilling our contractual obligations (e.g. revenue data in payment transactions), information on your financial situation (e.g. salary and credit rating information), data on tenant contacts, transaction processing and other data comparable to these categories.

Why does HANSAINVEST process my data (purpose of processing) and what is the legal basis for doing so?

We process personal data in line with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as all other relevant laws:

a) To meet contractual obligations (Article 6 (1) (b) GDPR). Personal data are processed (Article 4 no. 2 GDPR) to provide letting activities upon request, to execute your orders and for all activities required to operate and manage property.

The purpose of data processing is based primarily on the specific product (e.g. housing) and may encompass utility bills, maintenance/repairs and transactions.

You can find more details on the purpose of data processing in the contract documents.

b) For legitimate interests (Article 6 (1) (f) GDPR). Where necessary, we process your data beyond simply performing the contract in order to protect our or third party legitimate interests, i.e. to

  • consult and exchange data with credit agencies (e.g. SCHUFA) to determine credit rating and default risks;
  • assert legal claims and defend against legal disputes;
  • ensure IT security and IT operations;
  • prevent and investigate criminal offences;
  • carry out video surveillance to collect evidence of criminal offences. This helps protect tenants and employees and maintain security on the premises;
  • ensure building and facility security (e.g. access checks);
  • take measures to maintain security on the premises.


c) Based on your consent (Article 6 (1a) GDPR). If you have given us your consent to process personal data for certain purposes, this processing is lawful on the basis of your consent in accordance with Article 6 (1) a) GDPR. Consent can be revoked at any time. This also applies to revoking declarations of consent that – such as the SCHUFA clause – were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018.

Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

d) Based on statutory provisions (Article 6 (1) (c) GDPR) or in the public interest (Article 6 (1) (e) GDPR). As an asset management company, we are also subject to various legal obligations, i.e. statutory requirements (e.g. German Money Laundering Act, tax law) and regulatory requirements (e.g. by the German Bundesbank and the German Federal Financial Supervisory Authority). The purposes of processing include credit checks, identity and age verification, preventing fraud and money laundering, meeting control and reporting obligations under tax law, assessing and managing risks and reporting to authorities.

Who receives my data?

At HANSAINVEST, access to your data is granted to bodies that require this data to fulfil our contractual and statutory duties. Our service providers, vicarious agents and processors (Article 28 GDPR) can receive data for these purposes provided that they maintain data protection. These include companies in the areas of property management, IT services, telecommunication, debt collection, consulting and address detection.

We are permitted to pass on information about you only if this is allowed or required by statutory provisions, you have given your consent or we are authorised to disclose information. Under these conditions, recipients of personal data may include:

  • Public bodies and institutions (e.g. tax authorities, law enforcement authorities) in the case of a legal or official obligation.
  • Credit and financial services institutions and comparable establishments to whom we send personal data in order to maintain a business relationship with you (e.g. guarantors, credit agencies).
  • Other companies within the SIGNAL IDUNA Group for risk management purposes on the basis of legal and official obligations.

Data may also be received by bodies where you have consented to allow us to transfer your data to them.

How long are my data stored?

We process and store your personal data for as long as is necessary to meet our contractual and legal obligations. It should be noted here that our business relationship is a continuing obligation that is maintained for multiple years.

We are also subject to various retention and documentation obligations from legislation including the Handelsgesetzbuch (German Commercial Code – HGB), the Abgabenordnung (German Fiscal Code – AO) and the Geldwäschegesetz (German Money Laundering Act – GwG). The stipulated retention/documentation periods are between two and ten years.

Finally, the storage period is also based on statutory limitation periods. Under sections 195 et seqq. of the German Civil Code (BGB), for example, these are generally three years but in certain cases can be up to 30 years.

We delete your personal data as soon as they are no longer required for the purposes described above. It is possible that personal data may be retained for the period in which claims can be asserted against our company. We also store your personal data where we are required to do so by law. Corresponding evidence and retention requirements are based in part on the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. Storage periods are up to ten years.

Are data transmitted to a third country or international organisation?

Personal data are transmitted to bodies outside the EEA (European Economic Area) or an international organisation only if this is required in order to execute your order (e.g. payment order in a third country).

Otherwise, no personal data are transmitted to non-EEA countries or international organisations. When performing remote maintenance of standard IT components, it cannot be ruled out in individual cases that an IT service provider from a third country (e.g. USA) may in rare cases obtain controlled and limited access to personal data for troubleshooting purposes. We will inform you of the details separately, where required by law.

Where it is necessary for us to transmit personal data to service providers outside the European Economic Area (EEA), data are transmitted only if the EU Commission has confirmed that the third country offers an adequate level of data protection or there are other suitable data protection guarantees (e.g. binding internal company data protection provisions or EU standard contractual clauses). If required, you can request detailed information on this using the contact details for the controller provided above.

What are my data protection rights?

All data subjects have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. The restrictions set out in sections 34 and 35 BDSG apply to the rights of access and erasure. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

You can revoke your consent to our processing of personal data at any time. This also applies to revoking declarations of consent that were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

You can file a complaint with the above data protection officer or a data protection supervisory authority.

The supervisory authority responsible is:

The Hamburg Commissioner for Data Protection and Freedom of Information

https://datenschutz-hamburg.de/

Am I required to provide data?

Within our business relationship, you are required only to provide the personal data that is required to establish, carry out and terminate a business relationship or that we are legally obliged to collect. Without these data, we will generally have to refuse conclusion of the contract or execution of the order or we may no longer be able to carry out/may have to terminate an existing contract.

To what extent is automated individual decision-making used?

We generally do not use fully automated individual decision-making in accordance with Article 22 GDPR to establish and maintain the business relationship. If we use this procedure in an individual case, we will inform you separately where legally required.

To what extent are my data used for profiling?

We do not process your data with the purpose of automated evaluation of certain personal aspects.

Information on your right to object under Article 21 of the General Data Protection Regulation (GDPR)

1. Individual right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing for legitimate interests), including profiling based on those provisions within the meaning of Article 4 no. 4 GDPR.


If you object, we will cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.


2. Right to object to data processing for direct marketing purposes

We do not process your personal data for direct marketing purposes.


Objections take effect for the future. The form of the objection is not stipulated and where possible it should be addressed to the contact details of the controller stated under (1).

What sources and data does SIGNAL IDUNA Krankenversicherung a.G. use?

We process personal data that we receive from you as part of our business relationship, e.g. from the tenancy agreement. Where required to provide our services, we also process personal data that we receive legally (e.g. based on your consent) from partners or other third parties responsible for you (e.g. SCHUFA) or will receive in the future (e.g. to execute orders, perform contracts or based on your consent).

We also process personal data that we have legally obtained from public sources (e.g. land registers, trade and associations registers, press, online, media) and that we are allowed to process.

Relevant personal data are personal details (name, address and other contact details, date of birth, birth name and place of birth, occupation, marital status and nationality) and identification data and authentication information (e.g. signature specimen) and other master and contract data (e.g. information on existing contracts, payment data, role of the data subject (e.g. tenant)). They may also cover order data (e.g. payment order), data from fulfilling our contractual obligations (e.g. revenue data in payment transactions), information on your financial situation (e.g. salary and credit rating information), data on tenant contacts, transaction processing and other data comparable to these categories.

Why does SIGNAL IDUNA Krankenversicherung a. G. process my data (purpose of processing) and what is the legal basis for doing so?

We process personal data in line with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as all other relevant laws:

a) To meet contractual obligations (Article 6 (1) (b) GDPR). Personal data are processed (Article 4 no. 2 GDPR) to provide letting activities upon request, to execute your orders and for all activities required to operate and manage property.

The purpose of data processing is based primarily on the specific product (e.g. housing) and may encompass utility bills, maintenance/repairs and transactions.

You can find more details on the purpose of data processing in the contract documents.

b) For legitimate interests (Article 6 (1) (f) GDPR). Where necessary, we process your data beyond simply performing the contract in order to protect our or third party legitimate interests, i.e. to

  • consult and exchange data with credit agencies (e.g. SCHUFA) to determine credit rating and default risks;
  • assert legal claims and defend against legal disputes;
  • ensure IT security and IT operations;
  • prevent and investigate criminal offences;
  • carry out video surveillance to collect evidence of criminal offences. This helps protect tenants and employees and maintain security on the premises;
  • ensure building and facility security (e.g. access checks);
  • take measures to maintain security on the premises.


c) Based on your consent (Article 6 (1) (a) GDPR). If you have given us your consent to process personal data for certain purposes, this processing is lawful on the basis of your consent in accordance with Article 6 (1) (a) GDPR. Consent can be revoked at any time. This also applies to revoking declarations of consent that – such as the SCHUFA clause – were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018.

Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

d) Based on statutory provisions (Article 6 (1) (c) GDPR) or in the public interest (Article 6 (1) (e) GDPR). In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Money Laundering Act, tax law) and regulatory requirements (e.g. by the German Bundesbank and the German Federal Financial Supervisory Authority). The purposes of processing include credit checks, identity and age verification, preventing fraud and money laundering, meeting control and reporting obligations under tax law, assessing and managing risks and reporting to authorities.

Who receives my data?

At SIGNAL IDUNA Krankenversicherung a.G., access to your data is granted to bodies that require this data to fulfil our contractual and statutory duties. Our service providers, vicarious agents and processors (Article 28 GDPR) can receive data for these purposes provided that they maintain data protection. These include companies in the areas of property management, IT services, telecommunication, debt collection, consulting and address detection.

We are permitted to pass on information about you only if this is allowed or required by statutory provisions, you have given your consent or we are authorised to disclose information. Under these conditions, recipients of personal data may include:

  • Public bodies and institutions (e.g. tax authorities, law enforcement authorities) in the case of a legal or official obligation.
  • Credit and financial services institutions and comparable establishments to whom we send personal data in order to maintain a business relationship with you (e.g. guarantors, credit agencies).
  • Other companies within the SIGNAL IDUNA Group for risk management purposes on the basis of legal and official obligations.

 Data may also be received by bodies where you have consented to allow us to transfer your data to them.

How long are my data stored?

We process and store your personal data for as long as is necessary to meet our contractual and legal obligations. It should be noted here that our business relationship is a continuing obligation that is maintained for multiple years.

We are also subject to various retention and documentation obligations from legislation including the Handelsgesetzbuch (German Commercial Code – HGB), the Abgabenordnung (German Fiscal Code – AO) and the Geldwäschegesetz (German Money Laundering Act – GwG). The stipulated retention/documentation periods are between two and ten years.

Finally, the storage period is also based on statutory limitation periods. Under sections 195 et seqq. of the German Civil Code (BGB), for example, these are generally three years but in certain cases can be up to 30 years.

We delete your personal data as soon as they are no longer required for the purposes described above. It is possible that personal data may be retained for the period in which claims can be asserted against our company. We also store your personal data where we are required to do so by law. Corresponding evidence and retention requirements are based in part on the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. Storage periods are up to ten years.

Are data transmitted to a third country or international organisation?

Personal data are transmitted to bodies outside the EEA (European Economic Area) or an international organisation only if this is required in order to execute your order (e.g. payment order in a third country).

Otherwise, no personal data are transmitted to non-EEA countries or international organisations. When performing remote maintenance of standard IT components, it cannot be ruled out in individual cases that an IT service provider from a third country (e.g. USA) may in rare cases obtain controlled and limited access to personal data for troubleshooting purposes. We will inform you of the details separately, where required by law.

Where it is necessary for us to transmit personal data to service providers outside the European Economic Area (EEA), data are transmitted only if the EU Commission has confirmed that the third country offers an adequate level of data protection or there are other suitable data protection guarantees (e.g. binding internal company data protection provisions or EU standard contractual clauses). If required, you can request detailed information on this using the contact details for the controller provided above.

What are my data protection rights?

All data subjects have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. The restrictions set out in sections 34 and 35 BDSG apply to the rights of access and erasure. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

You can revoke your consent to our processing of personal data at any time. This also applies to revoking declarations of consent that were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

You can file a complaint with the above data protection officer or a data protection supervisory authority.

The supervisory authority responsible is:

State Commissioner for Data Protection and Information Security North Rhine-Westphalia
Kavalleriestrasse 2-4
40213 Düsseldorf, Germany
Tel.: 0211 38424-0
Fax: 0211 38424-10
E-mail: poststelle@ldi.nrw.de

Am I required to provide data?

Within our business relationship, you are required only to provide the personal data that is required to establish, carry out and terminate a business relationship or that we are legally obliged to collect. Without these data, we will generally have to refuse conclusion of the contract or execution of the order or we may no longer be able to carry out/may have to terminate an existing contract.

To what extent is automated individual decision-making used?

We generally do not use fully automated individual decision-making in accordance with Article 22 GDPR to establish and maintain the business relationship. If we use this procedure in an individual case, we will inform you separately where legally required.

To what extent are my data used for profiling?

We do not process your data with the purpose of automated evaluation of certain personal aspects.

Information on your right to object under Article 21 of the General Data Protection Regulation (GDPR)

1. Individual right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing for legitimate interests), including profiling based on those provisions within the meaning of Article 4 no. 4 GDPR.


If you object, we will cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

2. Right to object to data processing for direct marketing purposes

We do not process your personal data for direct marketing purposes.


Objections take effect for the future. The form of the objection is not stipulated and where possible it should be addressed to the contact details of the controller stated under (1).

What sources and data does SIGNAL IDUNA Lebensversicherung a. G. use?

We process personal data that we receive from you as part of our business relationship, e.g. from the tenancy agreement. Where required to provide our services, we also process personal data that we receive legally (e.g. based on your consent) from partners or other third parties responsible for you (e.g. SCHUFA) or will receive in the future (e.g. to execute orders, perform contracts or based on your consent).

We also process personal data that we have legally obtained from public sources (e.g. land registers, trade and associations registers, press, online, media) and that we are allowed to process.

Relevant personal data are personal details (name, address and other contact details, date of birth, birth name and place of birth, occupation, marital status and nationality) and identification data and authentication information (e.g. signature specimen) and other master and contract data (e.g. information on existing contracts, payment data, role of the data subject (e.g. tenant)). They may also cover order data (e.g. payment order), data from fulfilling our contractual obligations (e.g. revenue data in payment transactions), information on your financial situation (e.g. salary and credit rating information), data on tenant contacts, transaction processing and other data comparable to these categories.

Why does SIGNAL IDUNA Lebensversicherung a. G. process my data (purpose of processing) and what is the legal basis for doing so?

We process personal data in line with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as well as all other relevant laws:

a) To meet contractual obligations (Article 6 (1) (b) GDPR). Personal data are processed (Article 4 no. 2 GDPR) to provide letting activities upon request, to execute your orders and for all activities required to operate and manage property.

The purpose of data processing is based primarily on the specific product (e.g. housing) and may encompass utility bills, maintenance/repairs and transactions.

You can find more details on the purpose of data processing in the contract documents.

b) For legitimate interests (Article 6 (1) (f) GDPR). Where necessary, we process your data beyond simply performing the contract in order to protect our or third party legitimate interests, i.e. to

  • consult and exchange data with credit agencies (e.g. SCHUFA) to determine credit rating and default risks;
  • assert legal claims and defend against legal disputes;
  • ensure IT security and IT operations;
  • prevent and investigate criminal offences;
  • carry out video surveillance to collect evidence of criminal offences. This helps protect tenants and employees and maintain security on the premises;
  • ensure building and facility security (e.g. access checks);
  • take measures to maintain security on the premises.

c) Based on your consent (Article 6 (1) (a) GDPR). If you have given us your consent to process personal data for certain purposes, this processing is lawful on the basis of your consent in accordance with Article 6 (1) (a) GDPR. Consent can be revoked at any time. This also applies to revoking declarations of consent that – such as the SCHUFA clause – were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018.

Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

d) Based on statutory provisions (Article 6 (1) (c) GDPR) or in the public interest (Article 6 (1) (e) GDPR). In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Money Laundering Act, tax law) and regulatory requirements (e.g. by the German Bundesbank and the German Federal Financial Supervisory Authority). The purposes of processing include credit checks, identity and age verification, preventing fraud and money laundering, meeting control and reporting obligations under tax law, assessing and managing risks and reporting to authorities.

Who receives my data?

At SIGNAL IDUNA Lebensversicherung a.G., access to your data is granted to bodies that require this data to fulfil our contractual and statutory duties. Our service providers, vicarious agents and processors (Article 28 GDPR) can receive data for these purposes provided that they maintain data protection. These include companies in the areas of property management, IT services, telecommunication, debt collection, consulting and address detection.

We are permitted to pass on information about you only if this is allowed or required by statutory provisions, you have given your consent or we are authorised to disclose information. Under these conditions, recipients of personal data may include:

  • Public bodies and institutions (e.g. tax authorities, law enforcement authorities) in the case of a legal or official obligation.
  • Credit and financial services institutions and comparable establishments to whom we send personal data in order to maintain a business relationship with you (e.g. guarantors, credit agencies).
  • Other companies within the SIGNAL IDUNA Group for risk management purposes on the basis of legal and official obligations.

 Data may also be received by bodies where you have consented to allow us to transfer your data to them.

How long are my data stored?

We process and store your personal data for as long as is necessary to meet our contractual and legal obligations. It should be noted here that our business relationship is a continuing obligation that is maintained for multiple years.

We are also subject to various retention and documentation obligations from legislation including the Handelsgesetzbuch (German Commercial Code – HGB), the Abgabenordnung (German Fiscal Code – AO) and the Geldwäschegesetz (German Money Laundering Act – GwG). The stipulated retention/documentation periods are between two and ten years.

Finally, the storage period is also based on statutory limitation periods. Under sections 195 et seqq. of the German Civil Code (BGB), for example, these are generally three years but in certain cases can be up to 30 years.

We delete your personal data as soon as they are no longer required for the purposes described above. It is possible that personal data may be retained for the period in which claims can be asserted against our company. We also store your personal data where we are required to do so by law. Corresponding evidence and retention requirements are based in part on the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. Storage periods are up to ten years.

Are data transmitted to a third country or international organisation?

Personal data are transmitted to bodies outside the EEA (European Economic Area) or an international organisation only if this is required in order to execute your order (e.g. payment order in a third country).

Otherwise, no personal data are transmitted to non-EEA countries or international organisations. When performing remote maintenance of standard IT components, it cannot be ruled out in individual cases that an IT service provider from a third country (e.g. USA) may in rare cases obtain controlled and limited access to personal data for troubleshooting purposes. We will inform you of the details separately, where required by law.

Where it is necessary for us to transmit personal data to service providers outside the European Economic Area (EEA), data are transmitted only if the EU Commission has confirmed that the third country offers an adequate level of data protection or there are other suitable data protection guarantees (e.g. binding internal company data protection provisions or EU standard contractual clauses). If required, you can request detailed information on this using the contact details for the controller provided above.

What are my data protection rights?

All data subjects have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. The restrictions set out in sections 34 and 35 BDSG apply to the rights of access and erasure. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

You can revoke your consent to our processing of personal data at any time. This also applies to revoking declarations of consent that were issued to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that they are revoked only with effect for the future. Processing carried out prior to consent being revoked is not affected.

You can file a complaint with the above data protection officer or a data protection supervisory authority.

The supervisory authority responsible is:

The Hamburg Commissioner for Data Protection and Freedom of Information
Kurt-Schumacher-Allee 4
20097 Hamburg, Germany
Tel.: 040 42854-4040
Fax: 040 42854-4000
E-mail: mailbox@datenschutz.hamburg.de

Am I required to provide data?

Within our business relationship, you are required only to provide the personal data that is required to establish, carry out and terminate a business relationship or that we are legally obliged to collect. Without these data, we will generally have to refuse conclusion of the contract or execution of the order or we may no longer be able to carry out/may have to terminate an existing contract.

To what extent is automated individual decision-making used?

We generally do not use fully automated individual decision-making in accordance with Article 22 GDPR to establish and maintain the business relationship. If we use this procedure in an individual case, we will inform you separately where legally required.

To what extent are my data used for profiling?

We do not process your data with the purpose of automated evaluation of certain personal aspects.

Information on your right to object under Article 21 of the General Data Protection Regulation (GDPR)

1. Individual right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing for legitimate interests), including profiling based on those provisions within the meaning of Article 4 no. 4 GDPR.


If you object, we will cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.


2. Right to object to data processing for direct marketing purposes

We do not process your personal data for direct marketing purposes.


Objections take effect for the future. The form of the objection is not stipulated and where possible it should be addressed to the contact details of the controller stated under (1).

DATA PROTECTION INFORMATION FOR EMPLOYEES OF SERVICE COMPANIES

Status: November 2018

We hereby inform you about the processing of your personal data by HANSAINVEST Hanseatische Investment-GmbH and about the rights to which you are entitled under data protection law (in your role as an employee of a company commissioned by us to provide services).

1. WHO IS RESPONSIBLE FOR PROCESSING MY DATA AND WHO IS THE DATA PROTECTION OFFICER?

The person responsible for data processing is

HANSAINVEST Hanseatische Investment-GmbH
Kapstadtring 8
22297 Hamburg
Telephone: +49 40 300 57-0
Fax: +49 40 300 57-60 70
E-mail address: hi-geschaeftsfuehrung@hansainvest.de

You can reach our company data protection officer at:
HANSAINVEST Hanseatische Investment-GmbH
Data Protection Officer
Kapstadtring 8
22297 Hamburg
E-mail address: hi-datenschutz@hansainvest.de

2. WHAT CATEGORIES OF DATA ARE PROCESSED AND WHERE DO THEY COME FROM?

Depending on your activity with us, the categories of personal data processed include, in particular, contact data and other data from the contractual relationship concluded with you or your employer. This may also include special categories of personal data.

Category | Examples
Core data | Name, surname, birth date, nationality, personal number, user ID
Contact data | Address, phone number, e-mail
Further data from the contractual relationship | Bank details, qualifications (curriculum vitae), time management data, vacation periods, periods of incapacity to work, skills, training and further education data

As a rule, your personal data is collected directly from you or via your employer. In certain circumstances, your personal data may also be collected from other bodies due to legal requirements. This includes, in particular, legally required queries to check your reliability with credit agencies. In addition, we may have received data from third parties (for example, reference customers).

3. FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS ARE MY DATA PROCESSED?

We process your personal data based on the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other statutory regulations under money laundering and tax legislation, for example.

Data processing primarily serves the purposes of:

  • Establishing the contractual relationship with you or your employer: e.g. advertising the position, concluding a contract
  • Maintaining the contractual relationship with you or your employer: e.g. invoicing, access control, managing (further) training, workforce management, time management
  • Evaluating the business relationship with you or your employer
  • Ending the contractual relationship with you or your employer

In individual cases we process your data in order to safeguard our additional legitimate interests or those of third parties (e.g. public authorities). This applies, in particular, to the investigation of criminal offences and the exchange of data within the Group for administrative purposes.

The primary legal basis for this processing between you as a data subject and us is Article 6 (1) (f) GDPR. Where relevant to you, your consent in accordance with Article 6 (1) (a) and Article 7 GDPR may also serve as the legal basis for processing. You have the right to withdraw your consent at any time with effect for the future. This applies only where the legal basis for the data processing is a declaration of consent.

 

4. FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS ARE SPECIAL CATEGORIES OF PERSONAL DATA PROCESSED?

If special categories of personal data in accordance with Article 9 (1) GDPR are processed, this serves to establish, exercise or defend your legal claims as part of the contractual relationship with you or your employer. This is based on Article 9 (2) (f) GDPR in connection with section 24 BDSG. Special categories of personal data can also be processed based on consent pursuant to Article 9 (2) (a) GDPR. We will inform you in advance if we intend to process your personal data for a purpose that is not specified above and, where applicable, will ask for your consent.

5. WHO RECEIVES MY DATA?

Only those persons and bodies within our company that require your personal data in order to fulfil our contractual and statutory duties receive your personal data. For example, this may be the department for which you work or the body responsible for invoicing.

Within our Group, your data are transmitted to certain companies. This happens if these companies perform data processing work for affiliated companies in the Group. Examples of this include invoicing, disposing of records and debt collection management. We can also transmit your personal data to other recipients. This is required when it is necessary to fulfil contractual and/or legal obligations as the contracting authority such as:

  • Reporting requirements to BaFin
  • Insolvency administrator in the event of personal bankruptcy
  • Other bodies to which declarations must be submitted on the basis of statutory obligations.

 

6. WHAT DATA PROTECTION RIGHTS CAN I ASSERT AS A DATA SUBJECT?

You can request access to the stored data concerning you personally from the above address (Article 15 GDPR). Under certain circumstances you may also request the rectification (Article 16 GDPR) or erasure (Article 17 GDPR) of your data. You may also have a right to have the processing of your data restricted (Article 18 GDPR) as well as a right to receive the data you have provided in a structured, commonly used and machine-readable format (Article 20 GDPR). The restrictions set out in sections 34 and 35 BDSG apply to the rights of access and erasure. In addition, you have the right to complain to a data protection supervisory authority. Our competent data protection supervisory authority is:

The Hamburg Commissioner for Data Protection and Freedom of Information. The website address is: https://datenschutz-hamburg.de

Alternatively, you may also contact your data protection officer. E-mail address: hi-datenschutz@hansainvest.de

7. DO I HAVE A RIGHT TO OBJECT?

Right to object

If we are processing your data in order to safeguard legitimate interests, you may object to such processing on grounds relating to your particular situation. We will subsequently cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims.

8. HOW LONG ARE MY DATA STORED?

We delete your personal data as soon as they are no longer required for the purposes described above. After ending the contractual relationship with you or your employer, your personal data are stored for as long as we are required to do so by law. This is generally based on statutory evidence and retention requirements, including from the German Commercial Code and the German Fiscal Code. Storage periods are up to ten years. Alternatively, personal data may be retained for the period in which claims can be asserted against us. In this case, statutory limitation periods of three or up to 30 years are possible.

9. WILL MY DATA BE TRANSMITTED TO A THIRD COUNTRY?

Your personal data will not be transmitted to a third country. Third countries are countries outside the European Economic Area (EEA).

10. TO WHAT EXTENT DO AUTOMATED DECISION-MAKING OR PROFILING MEASURES OCCUR IN INDIVIDUAL CASES?

We do not use any automated processing methods to make decisions about establishing, maintaining or terminating a contractual relationship with a service provider. Profiling within the meaning of the GDPR is not used.

For what purposes and on what legal basis are my data processed?

We can collect and process personal data only for the following purposes:

a) Processing of the subscription agreement;

b) Communication between us and you, the investors;

c) Administrative purposes (e.g. account management, fraud prevention, assessment of whether you could be considered a politically exposed person (“PEP”));

d) Record keeping and correspondence relating to your investment;

e) Compliance with applicable laws, including anti-money laundering laws, and tax obligations;

f) Protecting our reputation, our activity or our assets and the establishment, exercise or defence of legal claims.

As an asset management company, we will process personal data in line with data protection laws only for the above purposes and in a way that is compatible with these purposes.

In individual cases we process your data in order to safeguard our additional legitimate interests or those of third parties (e.g. public authorities). This applies, in particular, to the investigation of criminal offences and the exchange of data within the Group for administrative purposes.

We process your personal data only if we have lawful grounds for processing. Your personal data is processed in particular on the following legal basis:

  • Processing is necessary to meet our contractual obligations (as described in item 3 (a) to (b));
  • Processing is necessary to comply with our legal obligations (as described in item 3 (e));
  • Processing is necessary to perform activities that are in the public interest (as described in item 3 (e));
  • Processing is necessary for the legitimate interest of ensuring the proper administration, management, promotion and protection of the activities or investments of the fund (as described in item 3 (c) to (d) and (f)).

For what purposes and on what legal basis are special categories of personal data processed?

Some of the personal data that we are required to process to achieve these purposes may be sensitive data. In particular, we may have to process the following sensitive data about you:

  • Religion, data on ethnic background, biometric data to uniquely identify a natural person (“special categories of personal data”);
  • Data regarding (alleged or actual) criminal offences or criminal convictions (“data for law enforcement”).

It may be necessary for us to process these sensitive data in order to meet our regulatory requirements (including requirements related to our anti-money laundering and terrorist financing obligations) or to assess whether you could be considered a politically exposed person (“PEP”).

If special categories of personal data are affected, we will process them only if one of the following lawful grounds applies:

  • You have given your express consent (in this case we will provide you with a separate form for the declaration of consent that clearly states our reasons for processing);
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • Processing is necessary for reasons of substantial public interest, such as our anti-money laundering and terrorist financing obligations or to prevent fraud.

Data for law enforcement are processed only if this is permitted by law or where they are processed under the supervision of an official body and provided one of the following legal bases for processing applies:

  • You have consented to this processing;
  • Processing is necessary to fulfil the contractual relationship;
  • Processing is necessary to meet our legal obligations (as described above in item 3(e));
  • Processing is necessary to fulfil our legitimate interest in preventing fraud and protecting our reputation, our activities and our assets (as described in item 3(c) to (d) and (f))

We are aware that special categories of personal data and data for law enforcement are to be protected by corresponding measures; measures suited to the nature of the data will be implemented during processing.

Who receives my data?

Personal data that is collected from you may be transmitted or disclosed to the following recipients:

  • Depository bank;
  • Paying agent;
  • Banks or financial institutions;
  • Regulatory authorities;
  • Lawyers, auditors or consultants;
  • Service providers and sub-contractors;
  • Tax authorities and other authorities where required by law, including authorities responsible for the above recipients

The recipients listed in this section include their employees and representatives.

What data protection rights can I assert as a data subject?

You can request access to the stored data concerning you personally from the above address (Article 15 GDPR). Under certain circumstances you may also request the rectification (Article 16 GDPR) or erasure (Article 17 GDPR) of your data. You may also have a right to have the processing of your data restricted (Article 18 GDPR) as well as a right to receive the data you have provided in a structured, commonly used and machine-readable format (Article 20 GDPR). The restrictions set out in sections 34 and 35 BDSG apply to the rights of access and erasure.

In addition, you have the right to complain to a data protection supervisory authority. Our competent data protection supervisory authority is:

The Hamburg Commissioner for Data Protection and Freedom of Information

Website: https://datenschutz-hamburg.de

Alternatively, you may also contact your data protection officer.

E-mail address: hi-datenschutz@hansainvest.de

Do I have a right to object?

Right to object

If we are processing your data in order to safeguard legitimate interests, you may object to such processing on grounds relating to your particular situation. We will subsequently cease to process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims.

How long are my data stored?

We delete your personal data as soon as they are no longer required for the purposes described above. After ending the contractual relationship with you or your employer, your personal data are stored for as long as we are required to do so by law.

This is generally based on statutory evidence and retention requirements, including from the German Commercial Code and the German Fiscal Code. Storage periods are up to ten years. Alternatively, personal data may be retained for the period in which claims can be asserted against us. In this case, statutory limitation periods of three or up to 30 years are possible.

Will my data be transmitted to a third country?

Your personal data will not be transmitted to a third country. Third countries are countries outside the European Economic Area (EEA).

To what extent do automated decision-making or profiling measures occur in individual cases?

We do not use any automated processing methods to make decisions about establishing, maintaining or terminating a contractual relationship with a service provider.

Profiling within the meaning of the GDPR is not used.