Privacy Policy

I. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

EV Neustadt GmbH

Wilhelmstr. 34

91413 Neustadt an der Aisch

Managing Director: Daniel S. Kopp

Phone: +49 (0)9161 62 29 470

Email: NeustadtAisch@engelvoelkers.com

II. Name and Address of the Data Protection Officer

The data protection officer of the controller is:

Oliver Fouquet

Fürther Straße 98-100

90429 Nuremberg

Germany

Phone: +49 (0)911/3238653

Email: info@metropoldata.de

Website: www.metropoldata.de

III. General Information on Data Processing

IV. Collection of Customer Data

Purpose of Data Processing As a Customer, We Collect Your Data to:

4. Duration of Storage

The personal data collected by us for the execution of the order will be stored until the expiration of the statutory retention period (6 years after the end of the calendar year in which the order was completed) and then deleted, unless we are obliged to retain the data for a longer period under Article 6 (1) sentence 1 lit. c GDPR due to tax and commercial retention and documentation obligations (e.g., from the German Commercial Code (HGB), the German Criminal Code (StGB), or the German Fiscal Code (AO)) or you have consented to further storage in accordance with Article 6 (1) sentence 1 lit. a GDPR.

If you object to the further processing of your data for customer information or information about other real estate offers, your data will be deleted immediately unless there is another legal basis for retaining the data.

Copies of identification documents will be deleted after five years (§ 8 Anti-Money Laundering Act (GWG)).

Proof of income, creditworthiness proof, and landlord confirmation will be deleted six months after the conclusion of the rental agreement.

5. Right to Object and Removal

If your personal data is processed based on legitimate interests in accordance with Article 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided there are reasons arising from your particular situation.

To exercise your right of objection, an email to NeustadtAisch@engelvoelkers.com is sufficient.

6. Data Sharing

In the context of the customer relationship, data may be shared—where necessary for contract fulfillment—with:

7. Data Transfers to Third Countries

Recipients of personal data may be located outside the EEA/UK. If personal data is transferred to locations outside the EEA/UK, we will, as required by law, ensure that your data protection rights are adequately safeguarded. This will be ensured either because the European Commission has determined that the country to which personal data is transferred provides an adequate level of protection (Article 45 GDPR), or the transfer is subject to appropriate safeguards (e.g., EU Standard Contractual Clauses) agreed with the recipient (Article 46 GDPR), unless the GDPR provides an exception (Article 49 GDPR).

Furthermore, if necessary, we intend to agree on additional measures with the recipients to ensure an adequate level of data protection. Copies of the safeguards (where relied upon) and a list of recipients outside the EEA/UK can be requested. Note that such copies may be redacted to the extent necessary to protect business secrets or other confidential information.

If your request concerns license partners of the Engel & Völkers Group outside the European Union, we will transfer your data to the locally/competently responsible license partner based on your consent.

V. Provision of the Website and Creation of Log Files

This data is stored in the log files of our system. It is not stored together with other personal data of the user.

VI. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files stored in or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a unique string of characters that enables the identification of the browser upon subsequent visits to the website.

For details about individual cookies, please refer to Cookie Notices | Engel & Völkers.

2. Legal Basis for Data Processing

The legal basis for processing personal data using cookies is Article 6 (1) lit. f GDPR or Article 6 (1) lit. a GDPR if you have consented to their use.

3. Purpose of Data Processing

The use of technically necessary cookies aims to facilitate the use of websites for users. The data collected through these cookies is not used to create user profiles.

This also constitutes our legitimate interest in processing personal data under Article 6 (1) lit. f GDPR.

Further details about the purpose of individual cookies can be found at Cookie Notices | Engel & Völkers.

4. Duration of Storage, Right to Object, and Removal

Cookies are stored on the user’s computer and transmitted to our site. As the user, you have full control over the use of cookies. By changing your internet browser settings, you can disable or restrict the transmission of cookies. Previously stored cookies can be deleted at any time, including automatically. However, disabling cookies may prevent the full functionality of the website.

Alternatively, you can manage your cookie settings individually at the bottom of our homepage under Manage Cookie Settings.

VII. Contact Form and Email Contact

1. Description and Scope of Data Processing

Our website features a contact form that can be used for electronic communication. If you use this option, the data entered in the input form will be transmitted to and stored by us. This data includes:

Alternatively, contact via the provided email address is possible. In this case, the personal data transmitted with the email will also be stored.

The data will be used exclusively for processing the conversation.

2. Legal Basis for Data Processing

The legal basis for processing data transmitted via email is Article 6 (1) lit. f GDPR. If the email contact aims to conclude a contract or occurs during an ongoing client relationship, Article 6 (1) lit. b GDPR serves as the legal basis. For employment relationships, Article 88 EU-GDPR and Section 26 (1) BDSG-neu (German Federal Data Protection Act) also apply.

3. Purpose of Data Processing

The personal data from the input form is processed solely to handle the contact request. For email communication, this also constitutes the legitimate interest in processing the data.

Additional personal data processed during the submission process is used to prevent misuse of the contact form and ensure the security of our IT systems.

4. Duration of Storage

Data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For personal data from the input form or data sent via email, this occurs when the conversation with the user has ended. A conversation is deemed ended when circumstances indicate that the matter has been conclusively resolved.

Contract-related data is retained longer, as described in Section IV. 4.

5. Right to Object and Removal

The user may withdraw their consent to the processing of personal data at any time. If the user contacts us via email, they may object to the storage of their personal data at any time. In such cases, the conversation cannot continue. However, contract-relevant data will be retained.

Objections and withdrawal of consent can be sent informally to the above address or to NeustadtAisch@engelvoelkers.com.

All personal data stored during the contact process will be deleted unless another legal basis for storage exists.

VIII. Newsletter

1. Description and Scope of Data Processing

When you subscribe to our newsletter, your email address, first name, last name, and salutation will be collected.

If you consent, usage profiles may be created for advertising purposes.

The data will be used exclusively for sending the newsletter.

2. Legal Basis for Data Processing

The newsletter is sent based on your consent.

VIII. Newsletter

2. Legal Basis for Data Processing

The legal basis for processing data after a user subscribes to the newsletter is Article 6 (1) lit. a GDPR.

3. Purpose of Data Processing

The collection of the user’s email address is intended solely for delivering the newsletter.

4. Duration of Storage

Data will be deleted once it is no longer necessary to achieve the purpose of its collection. The user’s email address and name will therefore be stored as long as the newsletter subscription remains active and no other legal basis for storage exists. However, no newsletters will be sent in such cases.

Other personal data collected during the registration process is typically deleted within seven days.

5. Right to Object and Removal

The newsletter subscription can be terminated by the user at any time. Each newsletter contains a corresponding link for this purpose.

You may revoke your consent at any time by clicking the link in the newsletter, emailing NeustadtAisch@engelvoelkers.com, or using the contact methods listed in Section I.

IX. Applicant/Employee Data

1. Description and Scope of Data Processing

If you apply to us, any data you provide will be stored. This may include:

If you are hired as an employee, additional data may be stored:

2. Legal Basis for Data Processing

The legal basis for processing this data is Article 6 (1) lit. b GDPR, Section 26 (1) BDSG-neu, or Article 6 (1) lit. a GDPR if you have consented to extended storage.

3. Purpose of Data Processing

The data is used exclusively for handling your application and managing the employment relationship:

4. Duration of Storage

Data will be deleted once it is no longer necessary for the purpose for which it was collected.

If the applicant does not consent to retaining application documents, they will be deleted no later than six months after the application process ends.

If you enter into an employment relationship with us, personal data collected for the employment relationship will be retained for three years after the relationship ends, unless we are required by Article 6 (1) S. 1 lit. c GDPR to store it longer due to tax or commercial record-keeping obligations (e.g., 6 years under Section 257 HGB or 10 years under Section 147 AO) or you have consented to extended storage under Article 6 (1) S. 1 lit. a GDPR.

5. Right to Object and Removal

You may object to the processing of your data at any time. In such cases, the application process cannot continue.

Objections or withdrawal of consent may be submitted informally to the above address or emailed to NeustadtAisch@engelvoelkers.com.

All personal data stored during contact will be deleted unless another legal basis for storage exists.

6. Transfer to Third Parties

Where necessary for the employment relationship, data may be shared with:

X. Social Media

1. Facebook

Description and Scope of Data Processing

We analyze how users interact with our Facebook page through statistical evaluations known as "Facebook Insights." These insights provide extensive statistics about our page's usage but do not contain any personal data. For more information about Facebook Insights, visit: https://www.facebook.com/legal/terms/information_about_page_insights_data.

We do not create individual user profiles.

The statistics help us tailor our Facebook page to user needs. We use insights based on user interests as evaluated by Facebook. Facebook employs cookies for this purpose, such as:

For more information, see: https://de-de.facebook.com/policies/cookies/.

Legal Basis for Processing Personal Data

The legal basis is our legitimate interest in informing and communicating with users per Art. 6 (1) S. 1 lit. f GDPR.

If you communicate with us via Facebook, the legal basis for responding to your inquiry is our legitimate interest under Art. 6 (1) S. 1 lit. f GDPR.

If your request aims at concluding a contract or taking pre-contractual measures, Art. 6 (1) S. 1 lit. b GDPR applies additionally.

Duration of Storage, Right to Object, and Removal

Personal data from contact inquiries is deleted when storage is no longer necessary. This occurs when the relevant matter is resolved, and the conversation with the user is concluded. Contract-related data is stored for six years (per Section 257 HGB), and tax-relevant data is stored for ten years (per Section 147 AO).

For cookie storage durations on Facebook, visit: https://de-de.facebook.com/policies/cookies/.

You can disable or restrict cookie transmission by adjusting your browser settings. Stored cookies can be deleted at any time, including automatically.

Transfer to Third Countries

Data processing may occur outside the EU/EEA, primarily on Facebook servers in the USA. This may pose risks for users, such as difficulties in enforcing their rights. Data transfers adhere to the standard contractual clauses for the transfer of personal data to third countries per GDPR, approved by the European Commission's decision 2021/914 of June 4, 2021. Details are available at: https://de-de.facebook.com/legal/EU_data_transfer_addendum.

2. LinkedIn

Description and Scope of Data Processing

This website includes links to LinkedIn, identifiable by the LinkedIn logo.

We maintain a LinkedIn page operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, to communicate with customers, prospects, and users.

For data processing, LinkedIn and we are joint controllers under Art. 26 (1) GDPR. Our mutual obligations are detailed in an agreement, the Pages Joint Controller Addendum, available at: https://legal.linkedin.com/pages-joint-controller-addendum.

LinkedIn uses two types of cookies:

Additionally, LinkedIn employs pixels (tiny images embedded in websites and emails). Pixels call LinkedIn servers to provide information about user interactions, such as ad engagement. Pixels may allow LinkedIn and third parties to place cookies in your browser.

If you are a LinkedIn member but logged out on a browser, LinkedIn may continue tracking your interactions for up to 30 days to generate service usage analytics. Aggregated analytics data may be shared with us.

For more information, visit: https://de.linkedin.com/legal/cookie-policy.

Legal Basis for Processing Personal Data

The legal basis is our legitimate interest in informing and communicating with users per Art. 6 (1) S. 1 lit. f GDPR.

If you communicate with us via LinkedIn, our legitimate interest in responding to your inquiry provides the legal basis under Art. 6 (1) S. 1 lit. f GDPR.

If your request is aimed at concluding a contract or taking pre-contractual measures, Art. 6 (1) S. 1 lit. b GDPR applies additionally.

Duration of Storage, Right to Object, and Removal

Personal data from inquiries is deleted when further storage is no longer necessary. This occurs when the matter in question has been resolved and communication with the user is complete. Contract-related data is stored for six years (per Section 257 HGB), and tax-relevant data is stored for ten years (per Section 147 AO).

LinkedIn cookies can be managed by adjusting your browser settings. You can disable or restrict cookies and delete previously stored cookies manually or automatically at any time.

For details about cookie storage durations on LinkedIn, visit: https://de.linkedin.com/legal/cookie-policy.

Transfer to Third Countries

Data processing may occur outside the EU/EEA, such as on LinkedIn servers in the USA. This could pose risks for users, including difficulties in enforcing user rights. Data transfers are governed by standard contractual clauses for data transfers to third countries under the GDPR, approved by the European Commission. More details can be found at: https://legal.linkedin.com/dpa.

Personal Data from Contact Requests

Personal data collected from contact requests will be deleted when further storage is no longer necessary. This is the case when it can be concluded from the circumstances that the relevant matter has been fully resolved, and the conversation with the user has ended. Contract-related data will be stored for six years after the conclusion of the contract (§257 HGB), and tax-relevant data for ten years (§147 AO).

By changing your browser settings, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time, even automatically.

Transfer to Third Countries

Data processing may also occur outside the EU or EEA, particularly on servers located in the USA. This may pose risks for users, such as making it more difficult to enforce their rights. For more information, visit: https://www.linkedin.com/help/linkedin/answer/62533.

3. X (formerly Twitter)

This website provides links to X. Links can be recognized by the X logo.

This website links to X Corporation, 795 2533 N Carson St, Carson City, NV 89706, USA.

We are joint controllers as defined in Art. 26 GDPR.

Please note that you use the X microblogging service and its functions at your own responsibility. This applies particularly to the use of interactive functions (e.g., sharing, liking).

The data collected about you during the use of the service is processed by X Corporation and may be transmitted to countries outside the European Union. This includes, among other things:

These data are associated with your X account or X profile. We have no influence on the type and extent of the data processed by X Corporation, the processing methods, or the transfer of this data to third parties. Information on what data X Corporation processes and for what purposes can be found in X's privacy policy (X Privacy Policy) as well as instructions on how to access your own data on X (Accessing Your Twitter Data).

Additionally, you can request information via the X Privacy Form or through the Archive Request process: Your Account / X.

As the provider of this information service, we also process data from your use of our microblogging service if you send us messages.

Options to Restrict Data Processing

You can restrict the processing of your data in the general settings of your X account and under "Privacy and Safety." Furthermore, on mobile devices (smartphones, tablets), you can restrict X's access to contact and calendar data, photos, location data, etc., through the respective settings. However, this depends on the operating system you use. Additional information on these points is available on the following X support pages: Twitter Support: Settings and Privacy.

Via X Buttons or Widgets Embedded in Websites

Through X buttons or widgets embedded in websites and the use of cookies, X can track your visits to these websites and associate them with your X profile. Based on this data, content or advertisements tailored to you may be offered. Further information and available settings can be found on the following Twitter Support pages:

This privacy policy is available in its current version at the following URL: https://twitter.com/de/privacy.

Legal Basis

The legal basis is our legitimate interest in informing users and communicating with them in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you communicate with us via Twitter, the legitimate interest lies in responding to your inquiry in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If your inquiry concerns the conclusion of a contract or pre-contractual measures, an additional legal basis for processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.

Duration of Storage, Objection, and Deletion Options

Personal data from contact inquiries will be deleted when further storage is no longer necessary. This is the case when it can be concluded from the circumstances that the relevant matter has been fully resolved, and the conversation with the user has ended. Contract-relevant data will be stored for six years after the conclusion of the contract (§257 HGB), and tax-relevant data for ten years (§147 AO).

By changing your browser settings, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time, even automatically.

Transfer to Third Countries

Data processing may also occur outside the EU or EEA, particularly on servers located in the USA. This may pose risks for users, such as making it more difficult to enforce their rights. For more information, visit: https://twitter.com/de/privacy.

4. Pinterest

This website provides links to Pinterest. Links can be recognized by the Pinterest logo.

Description and Scope of Data Processing

This website links to Pinterest (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland).

We are joint controllers as defined in Art. 26 GDPR. Pinterest does not offer a joint controller agreement as per Art. 26 GDPR.

Pinterest is a visual search engine used for sharing ideas such as recipes, home decor, and style inspiration.

If you are logged into Pinterest, log data such as the information your browser automatically transmits when visiting a website or data that a mobile app automatically sends when in use may be collected. This log data includes:

More information about the data Pinterest collects can be found here: Pinterest Technical Information.

Pinterest Uses of Cookies

Pinterest uses cookies to store settings, such as your language preferences or other configurations, so these do not need to be reset each time. Some of the cookies used are associated with your Pinterest account (including personal information such as your provided email address), while others are not. More information about how Pinterest uses cookies can be found at: https://policy.pinterest.com/de/cookies.

This privacy policy is available in its current version at the following URL: https://policy.pinterest.com/de/privacy-policy.

Legal Basis for the Processing of Personal Data

The legal basis is our legitimate interest in informing users and communicating with them in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you communicate with us via Pinterest, the legitimate interest lies in responding to your inquiry in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If your inquiry concerns the conclusion of a contract or pre-contractual measures, an additional legal basis for processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.

Duration of Storage, Objection, and Deletion Options

Personal data from contact inquiries will be deleted when further storage is no longer necessary. This is the case when it can be concluded from the circumstances that the relevant matter has been fully resolved, and the conversation with the user has ended. Contract-relevant data will be stored for six years after the conclusion of the contract (§257 HGB), and tax-relevant data for ten years (§147 AO).

By changing your browser settings, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time, even automatically.

If you delete your Pinterest account, the information stored about you there will also be deleted.

Transfer to Third Countries

Pinterest is a global service. By using Pinterest, you consent to the transfer and storage of information for the purposes described in Pinterest’s policies to regions outside your home country, including the United States.

5. Instagram

This website provides links to Instagram. Links can be recognized by the Instagram logo.

Description and Scope of Data Processing

This website links to Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA).

Our mutual obligations resulting from joint responsibility are laid out in an agreement between Facebook and us, the so-called "Page Insights Controller Addendum." This agreement can be accessed here: https://www.facebook.com/legal/terms/page_controller_addendum.

We point out that you use this Instagram page and its functions under your own responsibility. This applies in particular to the use of interactive features (e.g., commenting or rating).

When you visit our Instagram page, Instagram collects, among other things, your IP address and other information stored as cookies on your device. This information is used to provide us, as operators of Instagram pages, with statistical information about the use of the Instagram page.

When accessing an Instagram page, the IP address assigned to your device is transmitted to Instagram. According to Instagram, this IP address is anonymized (for "German" IP addresses) and deleted after 90 days. In addition, Instagram stores information about its users' devices (e.g., within the scope of the "login notification" function); if applicable, Instagram can thus assign IP addresses to individual users.

If you are currently logged into Instagram as a user, a cookie with your Instagram identifier is stored on your device. This allows Instagram to track that you have visited this page and how you have used it. This applies to all other Instagram pages as well. Via Instagram buttons embedded in websites, Instagram can track your visits to these websites and associate them with your Instagram profile. Based on this data, tailored content or advertisements may be offered to you.

For information on the use of cookies, visit: https://help.instagram.com/1896641480634370?ref=ig.

The Instagram privacy policy is available in its current version at the following URL: https://help.instagram.com/519522125107875.

Legal Basis for the Processing of Personal Data

The legal basis is our legitimate interest in informing users and communicating with them in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you communicate with us via Instagram, the legitimate interest lies in responding to your inquiry in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If your inquiry concerns the conclusion of a contract or pre-contractual measures, an additional legal basis for processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.

Duration of Storage, Objection, and Deletion Options

Personal data from contact inquiries will be deleted when further storage is no longer necessary. This is the case when it can be concluded from the circumstances that the relevant matter has been fully resolved, and the conversation with the user has ended. Contract-relevant data will be stored for six years after the conclusion of the contract (§257 HGB), and tax-relevant data for ten years (§147 AO).

By changing your browser settings, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time, even automatically.

If you want to prevent Instagram from collecting data about your online behavior, you should log out of Instagram, deactivate the "stay logged in" feature, delete cookies stored on your device, close your browser, and restart it. This process removes Instagram-specific information that could directly identify you. By doing this, you can use our Instagram page without revealing your Instagram identifier. However, if you access interactive features of the page (e.g., liking, commenting, messaging), an Instagram login screen will appear. Upon logging in, Instagram will once again recognize you as a specific user.

Instagram retains data until it is no longer needed to provide services and Meta products or until your account is deleted, whichever occurs first. This determination depends on factors such as the type of data, its purpose for collection and processing, and relevant legal or operational retention needs. For example, if you search for something on Facebook, you can view and delete the query in your search history at any time; however, the log of that search will be deleted only after six months.

Data Transfers to Third Countries

Instagram is a global service. By using Instagram, data may be transferred to and stored in locations outside your home country, including the United States. Data may also be shared with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").

6. YouTube

This website provides links to YouTube, identifiable by the YouTube logo.

Description and Scope of Data Processing

This website links to YouTube (Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland).

We have a YouTube page to share video content with customers, prospects, and users. Regarding data processing, YouTube and we are joint controllers as defined by Article 26(1) of the GDPR. Our mutual obligations under joint controllership are outlined in an agreement between YouTube and us. This agreement can be viewed at: https://privacy.google.com/businesses/gdprcontrollerterms/.

When you use YouTube, it stores cookies on your device.

We would like to inform you that YouTube can use these cookies to track your user behavior across devices and outside its online service on other websites, regardless of whether you are a registered user. Please note that we have no control over the data processing associated with these cookies. Additionally, we do not have access to personal data, except for aggregate Insights data that we use for statistical purposes and which does not allow us to identify individual users. Visiting YouTube is possible even if your browser is configured to prevent the storage of cookies by specific online services.

Further information is available at: https://policies.google.com/technologies/cookies?hl=de#types-of-cookies.

Additional information about Insights data collection can be found at: https://support.google.com/youtube/answer/9002587?hl=en#zippy=%2Creach%2Coverview%2Cengagement%2Caudience%2Crevenue.

Legal Basis for the Processing of Personal Data

The legal basis for processing is our legitimate interest in informing users, in accordance with Article 6(1) sentence 1 lit. f) GDPR.

Duration of Storage, Objection, and Deletion Options

By adjusting your internet browser settings, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time, even automatically.

Data Transfers to Third Countries

Data processing may occur outside the EU or EEA, particularly on servers located in the United States. This may pose risks for users, such as difficulties in enforcing user rights. Further information is available at: https://policies.google.com/privacy?hl=de.

XI. Encryption

This site uses SSL encryption for security reasons and to protect all transmitted content. You can recognize an encrypted connection by the change in the browser's address bar from "http://" to "https://" and the padlock symbol in your browser's address bar.

XII. Data Sharing with Third Parties

In the context of contractual relationships, data may be shared with third parties such as insurers, banks, authorities, courts, health insurance providers, pension insurers, and tax offices, insofar as this is necessary for execution. The third parties may only use the data for the stated purposes.

Data may also be accessed by IT service providers during server maintenance or repair if required for the upkeep of IT systems. Additionally, cloud services may involve the transfer of data to cloud service providers with servers located in Germany or the EU.

Confidentiality remains intact. If the data involves confidential information, it will only be shared with third parties in consultation with you. Data shared with service providers is limited to those obligated to confidentiality and covered by appropriate data processing agreements.

XIII. Chat

1. Description and Scope of Data Processing

You have the option to communicate with us via our chatbot.

2. Legal Basis for Data Processing

The legal basis for processing data transmitted during communication is Article 6(1)(f) GDPR. This service is provided by Engel & Völkers Technology GmbH, Vancouverstraße 2a, 20457 Hamburg, under a data processing agreement.

3. Purpose of Data Processing

The processing of personal data entered into the chatbot form is solely for handling your inquiry, which constitutes our legitimate interest in processing the data.

Other personal data processed during the submission process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Duration of Storage

Data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data from the chatbot input form, this is the case when the conversation with the user has ended. The conversation is considered ended when the circumstances indicate that the matter has been conclusively resolved.

XIV. Rights of the Data Subject

If personal data concerning you is processed, you are considered a data subject under the GDPR and have the following rights with respect to the data controller:

1. Right to Access

You have the right to request confirmation from the data controller regarding whether personal data concerning you is being processed.

If such processing is taking place, you may request information about:

(1) the purposes of the processing of the personal data;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom the personal data has been or will be disclosed;

(4) the intended duration of storage of the personal data, or, if specific information is not possible, the criteria used to determine the storage period;

(5) the existence of a right to rectify or delete your personal data, restrict processing by the controller, or object to such processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) any available information about the origin of the data if the personal data was not collected from you;

(8) the existence of automated decision-making, including profiling, as defined in Article 22(1) and (4) GDPR, along with meaningful information about the logic involved and the significance and potential consequences of such processing for you.

You also have the right to request information about whether your personal data is transferred to a third country or international organization. In this case, you can request to be informed about the appropriate safeguards under Article 46 GDPR related to the transfer.

2. Right to Rectification

You have the right to have your personal data corrected or completed if it is inaccurate or incomplete. The data controller must make the correction without delay.

3. Right to Restriction of Processing

You may request the restriction of processing of your personal data under the following conditions:

(1) if you dispute the accuracy of the personal data for a period enabling the controller to verify its accuracy;

(2) if the processing is unlawful and you oppose the deletion of the personal data, requesting instead the restriction of its use;

(3) if the controller no longer needs the personal data for processing purposes, but you require it to establish, exercise, or defend legal claims; or

(4) if you have objected to processing under Article 21(1) GDPR and it is not yet determined whether the controller's legitimate grounds override your own.

If processing has been restricted under these conditions, such data may only be processed (except for storage) with your consent or for the establishment, exercise, or defense of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the EU or a Member State.

If the restriction is lifted, the controller must notify you in advance.

4. Right to Deletion

a) Obligation to Delete

You can request that the data controller immediately deletes your personal data, and the controller is required to delete this data without delay, if one of the following reasons applies:

(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

(2) You withdraw your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.

(3) You object to the processing according to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Article 21(2) GDPR.

(4) The personal data concerning you has been processed unlawfully.

(5) Deletion of the personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.

(6) The personal data concerning you was collected in relation to the offer of information society services under Article 8(1) GDPR.

b) Information to Third Parties

If the controller has made your personal data public and is required to delete it under Article 17(1) GDPR, the controller will take reasonable measures, considering the available technology and the implementation costs, including technical measures, to inform data controllers who are processing the personal data that you, as the data subject, have requested the deletion of all links to, or copies or replications of, these personal data.

c) Exceptions

The right to deletion does not apply where processing is necessary:

(1) for the exercise of the right to freedom of expression and information;

(2) for compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1) GDPR, insofar as the right to deletion is likely to prevent or seriously impair the achievement of the objectives of such processing; or

(5) for the establishment, exercise, or defense of legal claims.

5. Right to Notification

If you have exercised your right to rectification, deletion, or restriction of processing, the controller is obligated to notify all recipients to whom the personal data concerning you has been disclosed of the rectification, deletion, or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed by the controller about these recipients.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to whom the personal data was provided, provided that:

(1) the processing is based on consent according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract according to Article 6(1)(b) GDPR, and

(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions.

The controller will no longer process the personal data unless they can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling insofar as it is related to such direct marketing.

If you object to the processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

You also have the option to exercise your right to object in relation to services of the information society, regardless of Directive 2002/58/EC, by means of automated procedures that use technical specifications.

8. Right to Withdraw Consent for Data Processing

You have the right to withdraw your consent for data processing at any time. The withdrawal of consent does not affect the lawfulness of the processing that was carried out based on the consent before its withdrawal.

9. Automated Decision-Making in Individual Cases, including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

(1) is necessary for the entry into, or performance of, a contract between you and the controller;

(2) is authorized by Union or Member State law to which the controller is subject, and such law includes appropriate measures to safeguard your rights, freedoms, and legitimate interests; or

(3) is based on your explicit consent.

However, such decisions must not be based on special categories of personal data under Article 9(1) GDPR unless Article 9(2)(a) or (g) applies, and appropriate measures to protect your rights, freedoms, and legitimate interests have been implemented.

In cases under (1) and (3), the controller will take appropriate measures to safeguard your rights, freedoms, and legitimate interests, which will include at least the right to have human intervention, to express your point of view, and to contest the decision.

10. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant about the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.