3. Purposes of data processing, legal bases and legitimate interests pursued by Mähren AG or a third party, as well as categories of recipients
3.1. Visit on our website
When you visit our website, the browser on your end device automatically sends information to the server of our website and temporarily stores it in a so-called log file. We have no influence on this. The following information is collected without your intervention and stored until automatic deletion:
- the IP address of the requesting internet-capable device,
- the date and time of access,
- the name and URL of the file accessed,
- the website from which the access was made (referrer URL),
- the browser you use and, if applicable, the operating system of your Internet-enabled computer, as well as the name of your access provider
The legal basis for the processing of the IP address is Article 6(1)(f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point, we would like to point out that we are not able to draw any conclusions about your identity from the collected data and that we will not do so.
The IP address of your terminal device and the other data listed above are used by us for the following purposes:
- Ensuring a smooth connection setup,
- Ensuring a comfortable use of our website,
- evaluation of system security and stability as well as
- other administrative purposes
The data is stored for a period of 90 days and then automatically deleted. Furthermore, we use so-called cookies, tracking tools, targeting methods and social media plug-ins for our website. The exact procedures involved and how your data is used for this purpose are explained in more detail below in section 3.4.
If you have consented to geolocation in your browser or operating system or other settings on your end device, we use this function to offer you individual services based on your current location (e.g., the location of the nearest store). We process your location data processed in this way exclusively for this function. If you terminate the use, the data will be deleted.
3.2 Conclusion, execution or termination of a contract
3.2.1 Data processing upon conclusion of a contract
The object of activity of MÄHREN AG is the purchase and sale as well as the management of real estate – in particular the activity of a housing company. In this context, we process the data required for the conclusion, execution or termination of a contract. This includes:
- First name, last name
- Billing address
- Email address
- Invoice and payment data
- Date of birth, if applicable
- Telephone number, if applicable
The legal basis for this is Article 6(1)(b) GDPR. Insofar as we do not use your contact data for advertising purposes (see 3.3. below), we store the data collected for contract processing until the expiry of the statutory or possible contractual warranty and guarantee rights. After expiration of this period, we retain the information of the contractual relationship required by commercial and tax law for the periods determined by law. For this period (regularly ten years from the conclusion of the contract), the data is processed again solely in the event of an audit by the tax authorities.
3.2.2 Identity, creditworthiness and transmission to credit agencies
If necessary, we verify your identity by using information from service providers. The legal basis for this is Article 6 (1) (b) and (f) GDPR. The authorization for this results from the protection of your identity and the prevention of fraud attempts at our expense. The circumstance and the result of our inquiry will be added to your customer account or your guest account for the duration of the contractual relationship.
In the event of a delay in payment, we transmit the necessary data to a company commissioned to enforce the claim if the other legal requirements are met. The legal basis for this is both Article 6(1)(b) and Article 6(1)(f) GDPR. The assertion of a contractual claim is considered a legitimate interest within the meaning of the second-mentioned provision. We also transmit information about the delay in payment or any bad debt to credit agencies cooperating with us if the other legal requirements are met. The legal basis for this is Article 6 (1) (f) GDPR. The legitimate interest required here results from our interest, as well as the interest of third parties in reducing contractual risks for future contracts.
3.2.3 Contact form
If you send us inquiries via the contact form, your information from the inquiry form, including the contact data you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.
Data processing for the purpose of contacting us is carried out in accordance with Art. 6 (1) lit. a) GDPR on the basis of your voluntarily given consent. You have the option at any time to object to the use of your data transmitted for the purpose of contacting you. In the event of an objection, your data will be deleted immediately. In this case, it may not be possible for us to complete the processing of your request.
As far as the data processing for the purpose of a specific contract-related inquiry – including those for the initiation of a contract – is carried out according to Art. 6(1) lit. b) GDPR.
The personal data collected by us for the use of the contact form will be deleted automatically after completion of the request you have made, or if the purpose of storage has ceased to apply.
3.3 Data processing for advertising purposes
3.3.1 Advertising purposes of MÄHREN AG and third parties
Insofar as you have concluded a contract with us, we manage you as an existing customer. In this case, we process your postal contact data outside of the existence of a specific consent in order to send you information about new products and services in this way. From time to time, we may send your postal contact information to carefully selected contractual partners from the retail and telecommunications sectors so that they can also inform you about their products. We process your e-mail address in order to send you information on our own similar products, unless you have given your specific consent.
3.3.2 Interest-based advertising
To ensure that you only receive information that is of supposed interest to you, we categorize and add further information to your customer profile. Statistical information as well as information about you (e.g. basic data of your customer profile) is used for this purpose. The aim is to send you advertising that is geared solely to your actual or perceived needs and accordingly not to bother you with useless advertising.
The legal basis for the aforementioned processing is in each case Article 6(1)(f) GDPR. The processing of existing customer data in this way for our own advertising purposes or for the advertising purposes of third parties is to be regarded as a legitimate interest.
3.3.3 Right of objection
You may object to data processing for the aforementioned purposes at any time, free of charge, separately for the respective communication channel and with effect for the future. For this purpose, it is sufficient to send an e-mail or a postal letter to the contact data mentioned under 1.
If you object, the contact address concerned will be blocked for further data processing for advertising purposes. We would like to point out that in exceptional cases, advertising material may still be sent after receipt of your objection. This is due to technical reasons and does not mean that we will not implement your objection. Thank you for your understanding.
3.3.4 Newsletter dispatch
On our website, we may offer you the possibility to subscribe to our newsletter. In order to be able to ensure that no mistakes have been made when entering the email address, we use the so-called double opt-in procedure: After you have entered your email address in the registration field, we will send you a confirmation link. Only when you click on this confirmation link will your e-mail address be added to our distribution list. You can revoke your consent at any time with effect for the future. For this purpose, it is sufficient to send a short note by e-mail to the e-mail address given under section 2.
3.4 Online presence and website optimization
3.4.1 Cookies – general information
If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR for the performance of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of consent given or in accordance with Art. 6 para. 1 lit. f GDPR to protect our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the site visit.
On our website, we use the cookies listed in the following table, with the functions also specified there. The storage period of the respective cookies can also be found below.
Cookie name: _ga
Function / Purpose: This cookie is set by Google Analytics to store a unique user ID
Storage duration: 2 years
Cookie name: _gid
Function / Purpose: This cookie is set by Google Analytics to count and track page views.
Storage duration: 25 hours
Cookie name: _gat
Function / Purpose: This cookie is set by Google Analytics to filter out machine page views.
Storage duration: 1 minute
3.4.2 Google Analytics
For the purpose of demand-oriented design and continuous optimization of our pages, we use Google Analytics, a web analytics service offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), on the basis of your consent (see Article 6(1) lit. a) GDPR). Furthermore, the use of Google Analytics for the purpose of demand-oriented design and continuous optimization of our pages constitutes a legitimate interest within the meaning of Article 6(1) lit. f) GDPR.
The information generated by the cookie about your use of this website such as..
- Browser type/version,
- operating system used,
- Referrer URL (the previously visited page),
- host name of the accessing computer (IP address),
- time of the server requests
are transferred to a Google server in the USA and stored there.
In the event that, exceptionally, personal data is transferred to the USA, Google has integrated the EU Standard Contractual Clauses into its terms and conditions and thus offers a guarantee that the European data protection principles and the local data protection level are also guaranteed in the context of data processing taking place in the USA.
You can object to web analysis by Google at any time. You have several options to do so:
3.4.3 Use of Google Maps
This website uses Google Maps to display interactive maps and to create directions. Google Maps is a map service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. By using Google Maps, information about the use of this website, including your IP address and the (start) address entered as part of the route planner function, may be transmitted to Google in the USA If you call up a web page of our website that contains Google Maps, your browser establishes a direct connection with Google’s servers. The map content is transmitted by Google directly to your browser, which then integrates it into the website. Therefore, we have no influence on the scope of the data collected by Google in this way. According to our knowledge, this is at least the following data:
- Date and time of the visit to the website in question,
- Internet address or URL of the website accessed,
- IP address,
- (start) address entered as part of route planning
We have no influence on the further processing and use of the data by Google and therefore cannot accept any responsibility for this.
3.4.4 Use of Google reCAPTCHA
On this website, we use “Google reCAPTCHA” (hereinafter “reCAPTCHA”). The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
This function is primarily used to distinguish whether an input is made by a natural person or is misused by machine and automated processing. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run entirely in the background. Website visitors are not notified that an analysis is taking place.
The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR. The
website operator has a legitimate interest in protecting its web offerings from abusive
automated spying and SPAM. If a corresponding consent was requested, the processing is based exclusively on Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time.
3.4.5 Google Tag Manager
Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
When Google Tag Manager is started, your browser establishes a connection to Google’s servers. Through this, Google obtains knowledge that our website has been accessed via your IP address.
The Tag Manager is a service that allows us to manage website tags via an interface. This allows us to include code snippets such as tracking codes or conversion pixels on websites without interfering with the source code. In doing so, the data is only forwarded by the Tag Manager, but not collected or stored. The Tag Manager itself is a cookieless domain and does not process any personal data, as it is purely used to manage other services in our online offering. The Tag Manager takes care of the resolution of other tags, which in turn may collect data. However, the Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with the Tag Manager.
The legal basis here is Art. 6 para. 1 lit. a EU-GDPR. You can deactivate the additional services via the cookie settings by not agreeing to the use of Google Tag Manager. This will also automatically deactivate the additional services included in the Google Tag Manager.
On our website, we use a so-called Content Delivery Network (“CDN”) of the technology service provider Cloudflare Inc, 101 Townsend St. San Francisco, CA 94107, USA (“Cloudflare”). A content delivery network is an online service that is used in particular to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the Internet. The use of Cloudflare’s Content Delivery Network helps us to optimize the loading speeds of our website.
The processing is carried out pursuant to Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in a secure and efficient provision, as well as improvement of the stability and functionality of our website.
We have concluded an order processing agreement with Cloudflare (Data Processing Addendum, viewable at https://www.cloudflare.com/media/pdf/cloudflare-customer-dpa.pdf), which obliges Cloudflare to protect the data of our site visitors and not to pass it on to third parties. For the transfer of data from the EU to the USA, Cloudflare refers to so-called standard data protection clauses of the European Commission, which are intended to ensure compliance with the European level of data protection in the USA.
3.4.8 Social Media Plug-ins
We use social plug-ins from the social networks Facebook and Twitter on our website on the basis of Article 6 (1) (f) GDPR in order to make our company better known via these. The underlying promotional purpose is to be regarded as a legitimate interest within the meaning of the GDPR. The responsibility for data protection-compliant operation is to be ensured by their respective providers. The integration of these plug-ins by us takes place by way of the so-called two-click method in order to protect visitors to our website as best as possible.
For marketing purposes, our website uses a so-called conversion tag (also called “Facebook pixel”) of the social network Facebook, a service of Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). We use the Facebook pixel to analyze the general use of our website and to track the effectiveness of Facebook advertising (“conversion”). For this purpose, Facebook processes data that the service collects via cookies and similar technologies on our website.
This enables Facebook to identify visitors to our website as the target group of corresponding ads, the so-called Facebook ads, and thus to show them only to those Facebook users who are relevant to us as a target group. The data generated in this context may be transferred by Facebook to a server in the USA for evaluation and stored there. In the event that personal data is transferred to the USA, Facebook has submitted to the EU-US Privacy Shield.
If you are a member of Facebook and have allowed Facebook to do so via the privacy settings of your account, Facebook can also link the information collected about your visit to us to your member account and use it for the targeted placement of Facebook ads. You can view and change the privacy settings of your Facebook profile at any time.
Our website also uses so-called plug-ins of the social network Facebook, which is offered by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). For these data processing operations, we are joint controllers with Facebook pursuant to Art. 26 GDPR.
In order to determine the fulfillment of the obligation in accordance with the GDPR with regard to joint responsibility, we have concluded the Controller Addendum with Facebook. For this purpose, it was agreed that Facebook is responsible for the fulfillment of the rights of data subjects in accordance with Art. 15 – 20 GDPR with regard to the personal data stored by Facebook after joint processing.
In this context, we would like to point out that data transmission to the USA takes place within the scope of this service, or such transmission cannot be ruled out. For more detailed explanations, we refer you to our explanations under section 4.
As a user of our website, you have the option to share content from our site within Facebook by “LIKE” or “SHARE”. An overview of the Facebook plug-ins and their appearance can be found behind the following link. In this context, we have taken precautions to ensure that such a plug-in does not cause your browser to establish a connection to the Facebook server when you call up our website. Only when you activate such a plug-in (first click), your browser establishes a direct connection to the Facebook servers. The content of the plug-in is transmitted by Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there.
Since this process requires an active action by you, the data processing in this case is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future.
If you are logged in to Facebook, Facebook can directly assign your visit to our website to your Facebook profile. If you interact with the plug-ins, for example by clicking the “Like” button, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.
We would like to point out that Facebook may use this information for the purposes of advertising, market research and the design of Facebook pages to meet your needs. For this purpose, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services associated with the use of Facebook.
For more information about how Facebook processes personal data, including the legal basis on which Facebook relies and how data subjects can exercise their rights against Facebook, please see Facebook’s Data Policy at https://www.facebook.com/about/privacy.
In addition, settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings. To do this, use the following link: https://www.facebook.com/settings?tab=ads.
When you visit our website and give us your consent we use Youtube to make videos available. This service is provided by the YouTube LLC , 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We have integrated the YouTube videos using the “extended data protection mode” of YouTube. This ensures that when you merely call up a page containing an embedded video YouTube cannot process personal data about your visit and YouTube cannot set cookies on your computer. When you click on a video, your IP address will be transmitted to YouTube which is informed that you watched the video. If you are logged into YouTube, this information is also assigned to your user account (you can prevent this by logging out of YouTube before you call up the video). We have no knowledge of and also no influence over any possible collection and use of your data by YouTube.
In order to ensure an adequate level of data protection when transferring data to the USA, we have concluded the EU standard contractual clauses with Google LLC, in the so-called “controller to controller” version.
You can find more information in the Data Protection Declaration of YouTube under www.google.de/intl/de/policies/privacy.
3.5 Job advertisements / applicant data
From time to time, we post job openings on our website, on our social media channels or through dedicated application portals for you to apply.
We process the data you have sent us in connection with your application in order to assess your suitability for the job (or other open positions in our companies, if applicable) and to carry out the application process.
The legal basis for the processing of your personal data in this application procedure is primarily Section 26 BDSG or Article 6 (1) b) GDPR. According to this, the processing of data required in connection with the decision on the establishment of an employment relationship is permissible.
Should the data be required for legal prosecution after the conclusion of the application process, if applicable, data processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 (1) f) GDPR. Our interest then consists in the assertion or defense of claims.
Your applicant data will be sifted by the HR department after receipt of your application. Suitable applications are then forwarded internally to the department managers for the respective open position. The further procedure is then coordinated. In principle, only those persons in the company have access to your data who require it for the proper conduct of our application process.
In the event of a rejection, applicants’ data will be deleted after 6 months from receipt of the rejection.
In the event that you have agreed to further storage of your personal data, we will transfer your data to our applicant pool. There, the data will be deleted after two years at the latest.
If you have been awarded a position during the application process, the data will be transferred from the applicant data system to our personnel information system.