Data Privacy Statement

We appreciate your interest in our homepage, www.alstria.de (homepage) and our Company. Protecting your Personal Data processed during your visit to our homepage is very important to us.

 

You can generally use our homepage without providing any Personal Data. However, your Personal Data must be processed to use our order service, investor relations communication or contact form. In this case, we will obtain your consent as the Data Subject.

 

We process your Personal Data, e.g., your name or e-mail address, within the framework of the applicable data protection rules (in particular, the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) as amended from time to time. Here we would like to inform you of the type, scope and purpose of processing your Personal Data and of your rights as the Data Subject.

 

We, alstria office REIT-AG, as processing Controller, have implemented technical and organizational measures to offer the fullest possible protection of your data during your visit to our homepage. However, given that Internet-based data transfers can lead to security gaps, absolute protection cannot be guaranteed.

I. Definitions

Our data privacy statement uses terms as they are also found in the GDPR. We would like to explain a few terms below to make this data privacy statement easier to read and understand:

Personal Data (Cf. Art. 4 No. 1 of the GDPR)

“Personal Data” means any information related to an identified or identifiable natural person (hereinafter, “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing (Cf. Art. 4 No. 2 of the GDPR)

“Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of Processing (Cf. Art. 4 No. 3 of the GDPR)

“Restriction of Processing” means the marking of stored Personal Data with the aim of limiting their processing in the future.

Profiling (Cf. Art. 4 Np. 4 of the GDPR)

“Profiling” means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to advise or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization (Cf. Art. 4 No. 5 of the GDPR)

“Pseudonymization” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person.

Controller (Cf. Art. 4 No. 7 of the GDPR)

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member state law.

Processor (Cf. Art. 4 No. 8 of the GDPR)

“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

Recipient (Cf. Art. 4 No. 9 of the GDPR)

“Recipient” means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third Party (Cf. Art. 4 No. 10 of the GDPR)

“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data.

Consent (Cf. Art. 4 No. 11 of the GDPR)

“Consent of the Data Subject” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

II. Purpose of data processing

When we received data from you, we will in principle only process it for these purposes that we received it or we collected it. In Number III to Number VIII the purposes of the respective data processing and the processed data are described in detail.

 

A data processing for other purposes comes only into question, if the required legal provisions pursuant to Art. 6 (4) GDPR are given. Any information duties pursuant to Art. 13 (3) GDPR and Art. 14 (4) will be considered by us naturally.

III. Recording of General Data and Information when accessing the homepage

Our homepage records general data and information each time our Internet site is accessed by a Data Subject or an automated system. This general data and information is stored in log files on the server. The following data may be collected in such process:

 

  • IP-address of the requesting computer;
  • Date and time of access;
  • Name and URL of the downloaded file;
  • Amount of data transferred;
  • Indication whether the download of data was successful;
  • Data identifying browser and operating system used;
  • Name of the Internet-access provider;
  • Internet site from which the accessing system reaches our Internet site (“referrer“);
  • Sub-websites of our Internet site accessed via an accessing system;
  • Other similar data and information serving to avert risks in the event of attacks on our IT systems.

 

We use this data to ensure the proper display of our homepage and the functionality of our IT systems and our homepage. In addition, we will provide this data to public authorities for criminal prosecution in the event of a cyberattack and, if necessary, to assert our own damage compensation claims.

 

We do not draw any conclusions about Data Subjects when processing their data. We statistically analyze the data in part. The anonymous data of the server log files is stored in principal for 37 days separately from all Personal Data provided by Data Subjects.

IV. Google Analytics and Google Maps

Our homepage uses Google Analytics, a web analysis service of Google Inc. (“Googleˮ) and Google Maps, a map service from Google. We use Google Analytics to analyze the use of our homepage and if applicable to optimize our homepage. Google Maps we integrated into our homepage, so you can get for example an overview of our portfolio on a map.

 

To use these services, the following data from you is processed via our homepage by Google:

  • IP-address of the requesting computer;
  • Date and time of access;
  • Data identifying browser and operating system used;
  • Name of the Internet-access provider;

 

No cookies are used. The data recorded via our homepage is generally transferred to and stored on a Google server in the United States. However, due to the activation of anonymization on our homepage, your IP address is shortened by Google within the member states of the European Union or in other contractual states of the Agreement on the European Economic Area. Only in exceptional cases the complete IP address is transferred to a Google server in the United States and shortened there.

 

Google will use this information on our behalf to evaluate your use of our homepage, to generate reports regarding homepage activities and to provide other services vis-à-vis us related to the use of our homepage and the Internet. Our homepage uses the Google Analytics reports on demographic features which use data from interest related advertising from Google as well as visitor’s data form third parties (e.g. age, gender and interests). These data can not be traced back to a certain person and you can deactivate this in your app settings at any time. We only receive anonymized statistical data on the use of our homepage. You can prevent the use of your data by Google by configuring your browser software correspondingly; however, we would like to point out to you that you might not be able to use all functions of our homepage in full in such case. In addition, you can prevent the recording of the data generated and concerning your use of our homepage (including your IP address) and its transmission to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link (https://tools.google.com/dlpage/gaoptout?hl=en).

 

More information about the terms and conditions of use and data protection can be found at https://policies.google.com/technologies/partner-sites?hl=en and https://policies.google.com/privacy?hl=en. Please note that Google Analytics was expanded by the anonymization method on our homepage to guarantee the anonymous recording of IP addresses (“IP masking”).

V. Order Service and Contact Form

Our homepage offers the possibility to order written versions of our financial reports. We need your full name and address to send you our reports that you order. You also need to provide your e-mail address so that you can be contacted with any questions and the reports can be sent to you via e-mail. The data provided by you on the form will be sent to us by e-mail.

 

We enable you to contact us via a form on our homepage that sends the information you provide to us by e-mail. The data sent to us (first name, name, email address) will be stored and used solely for the purpose of processing your inquiry.

 

It is possible that your Personal Data will be passed on to one or more order Processers which will likewise only use your Personal Data for internal processing which can be attributed to the Data Processing Controller.

 

You are naturally entitled to the rights for Data Subjects described under No. XII below regarding the data provided by you. Please contact our data protection officer for all these matters (Cf. No. XIII below).

VI. Investor Relations Communication

We send out investor relations communication to update you on alstria’s development by press releases and other relevant investor relations communication (invitation to quarterly calls, ad-hoc-announcements…). The press releases contain updates on financial figures, reports and all important company-related events. It might contain information regarding the operation of the investor relations communication service. To subscribe to the investor relations communication, we need your name and e-mail address to which the investor relations communications should be sent. All other information is voluntary.

 

We use a double opt-in procedure for our investor relations communication distribution. This means that we will only send you investor relations communications if you confirm your registration by providing your e-mail address via an e-mail sent by us and confirm again via a link provided to you in an e-mail. This is to ensure that only you yourself as the user of the e-mail address provided can register for the investor relations communications. You must confirm your subscription promptly after receiving our e-mail because otherwise your registration and e-mail address will be deleted from our database. Our investor relations communication service will not accept any further registrations under that e-mail address until you confirm your registration.

 

You can unsubscribe to investor relations communications you ordered from us at any time. To cancel your subscription, you can either send us an e-mail ([email protected]) or follow the link at the end of the investor relations communications.

 

We administer your name and communication data you provided us for the investor relations communication distribution via a service provider. Our service provider, Mailchimp by The Rocket Science Group LLC, Georgia, USA, does not use the data itself but only to assist us in the distribution of the investor relations communication. You can find further information on the data policy of our service provider here: https://mailchimp.com/legal/privacy/?_ga=2.247671239.1301530409.1527580571-967362815.1526631478.

 

In addition, we do not pass your data on to others or use it for other purposes.

VII. Data Protection in Employment Applications or Application Processes

If you want to become a part of our team, we are looking forward to your application – unsolicited or with regard to one of our job offers. If you send us an application, we have to process your Personal Data in the course of employment application processes electronically. For example, when you send us your application via e-mail. The data is processed solely to review the initiation of the process, or, if the application is successful, to later carry out an employment relationship. If no employment agreement is concluded, we delete your employment application four months after notifying you of the rejection unless there is a justified interest in conflict to the deletion thereof.

VIII. Chat feature via Live!Zilla

To enable you to get in touch directly with our IR/PR team, we use Live!Zilla, a chat feature of LiveZilla GmbH, Singen, Germany. Beside the data entered by you, such as name, email address and company, the data named in No. III as well as the chat record is processed. To already minimize the possibility of profiling your IP address is anonymized. These data we store in principal for seven days.

 

We do not use cookies in this context and do not transfer any data to the LiveZilla GmbH.

IX. Legal Basis for Processing

Our data processing is based on the following legal bases:

a) You have given your consent to the processing of your Personal Data for one or more purposes (Cf. Art. 6 (1) Lit. a of the GDPR). We need your consent, for example, to send you the reports (order service) and for the contact form (Cf. No. V), for the investor relations communication (Cf. No. VI) or the chat feature (Cf. No. VIII).

b) Processing is necessary for the performance of a contract, to which you are a party or to take steps your request prior to entering into a contract (Cf. Art. 6 (1) Lit. b of the GDPR). This is for example the case in an employment application process (Cf. No. VII) or for review prior to the conclusion of a lease relationship.

c) Processing is necessary for compliance with a legal obligation to which we are subject (Cf. Art. 6 (1) Lit. c of the GDPR). This is, for example, the case with regard to legal storage duties (Cf. No. XI).

d) Processing is necessary to protect your vital interests or those of another natural person (Cf. Art. 6 (1) Lit. d of the GDPR).

e) Processing is necessary to protect our legitimate interests or the legitimate interests of a third party, except where your interests or fundamental rights and liberties requiring the protection of Personal Data prevail, in particular when a child is involved (Cf. Art. 6 (1) Lit. f of the GDPR). As a rule, our legitimate interests lie in the conduct of our business in favor of all our stakeholders (employees, tenants, business partners, investors…). In the context of our homepage this in particular contains the integrity and security of the homepage, defense of misuse, range measurement and statistical analysis in the context of optimizing the web content (Cf. No. III and No. IV). Moreover, we see a legitimate interest in efficiency and cost saving considerations regarding the involvement of the external services named in No. IV.

X. Other information (Necessity of Processing Data)

For the purposes named in No. III to No. VIII we process Personal Data. Without the processing of the data named in No. III to No. VIII we cannot achieve these purposes, e.g. we cannot provide you the Investor Relations Communications describe in No. VI without processing your email address. Moreover, it might be necessary for you to provide us your Personal Data (e.g., name and address) for the conclusion of an agreement. If you do not, we cannot conclude the agreement because it is necessary to process data to perform the agreement or to fulfill our legal duties. If you are of the opinion that it is not necessary to process your Personal Data, we would ask that you contact us so that we can review in each specific case whether it is necessary for you to provide us your Personal Data.

 

Besides, the data named in No. III and No. IV is indispensable for safeguarding our legitimate interests (Cf. No. IX Lit. e). A milder means with same appropriateness is not evident in particular against the background of the costs occurring.

XI. Erasure and Blocking

As far as there are no explicit storage periods mentioned in No. III to No. VIII, we will only process your data as long as it is necessary or to the extent prescribed by German statutory or European law. A longer storage than the explicitly named storage periods (e.g. No. III) is in particular imaginable, if the data processing is required within the framework of prosecution of for enforcing legal claims.

 

If the reason for storing / processing your data no longer exists or a storage period in accordance with German or European law expires, we will erase or block your respective Personal Data.

XII. Rights of Data Subjects

As a Data Subject affected by our data processing you have various rights in accordance with the GDPR which we would like to briefly point out to you in excerpts. The rights mentioned below may be restricted by the rights of other or legal stipulations which, however, will not be elaborated further below.

 

Please contact our data protection officer (Cf. No. XIII below) to exercise your rights as Data Subjects.

Right to Information

As a Data Subject, you have a right to request a confirmation from us as to whether we process your Personal Data.

 

In addition, in accordance with the GDPR, you have the right to request us to provide information regarding the Personal Data stored about you and to receive a copy of such data. The GDPR stipulates a right to the following information: a) the purpose of processing the data, b) the categories of Personal Data processed, c) the Recipient or categories of Recipients, to which the Personal Data is or will be disclosed, in particular with regard to recipients in other countries or to international organizations, d) if possible, the planned duration for which the Personal Data is to be stored, or, if this is not possible, the criteria for determining such duration, e) the existence of a right to correct or delete your personal data or to the restriction of the processing by the Controller or a right to object such processing, f) the existence of a right to complain to a supervisory authority, g) if your Personal Data is not collected, all available information about the origin of the data, h) the existence of an automated decision-making processing including profiling pursuant to Art. 22 (1) and (4) of the GDPR and — at least in these cases — meaningful information  about the logic involved and the reach and aspired effects of such processing for your person.

 

In addition, we will inform you if your Personal Data is transmitted to another country or to an international organization. In this case, you can also request information regarding suitable guarantees in connection with such transmission.

Right to Rectification

As a Data Subject, you have the right to obtain that the rectification of any of your Personal Data that is inaccurate without undue delay. Taking into account the purpose of processing, you have the right to have incomplete data completed, including by means of providing a supplementary statement.

Right to Erasure (Right to be Forgotten)

As a Data Subject you have the right to obtain the erasure of your Personal Data without undue delay where one of the following grounds apply: a) the Personal Data are no longer necessary in relation to the purpose for which they were collected or otherwise processed; b) You withdraw your consent on which the processing is based according to Art. 6 (1) Lit. a or Art. 9 (2) Lit. a of the GDPR and where there is no other legal grounds for the processing; c) You object to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) of the GDPR; d) The Personal Data have been unlawfully processed; e) Your personal data have to be erased for compliance with a legal obligation in Union or Member State law, to which we are subject; f) Your Personal Data have been collected in relation to the offer of information society services referred to in Art. 8 (1) of the GDPR.

 

If we have made your Personal Data public and are obligated pursuant to Art. 17 (1) of the GDPR to erase your Personal Data, we, taking into account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform other controllers which are processing your Personal Data that you have requested the erasure by such controllers of any links to, copy or replications of your Personal Data.

Right to Restriction of Processing

As a Data Subject you have the right to obtain from us restriction of processing where one of the following applies: a) The accuracy of your Personal Data is contested by you, for a period enabling us to verify the accuracy of your Personal Data. b) The processing is unlawful and you oppose the erasure of your Personal Data and request the restriction of their use instead. c) We no longer need your Personal Data for the purposes of processing, but they are required by you for the establishment, exercise or defense of legal claims. d) You have objected to processing pursuant to Art. 21 (1) of the GDPR pending the verification whether the legitimate grounds of us override those of you.

Right to Data Portability

As a Data Subject you have the right to receive your Personal Data you provided to us from us in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without our hinderance, provided where a) the processing is based on consent pursuant to Art. 6 (1) Lit. a or Art. 9 (2) Lit. a of the GDPR or on a contract pursuant to Art. 6 (1) Lit. b of the GDPR and b) the processing is carried out by automated means. In exercising your right to Data Portability, you have the right to have your Personal Data transmitted directly from one controller to another, where technically feasible.

Right to Object

As a Data Subject you have the right to object, on grounds relation to your particular situation at any time to processing of your Personal Data which is based on Art. 6 (1) Lit. e or f of the GDPR, including profiling based on those provisions. In this case, we will no longer process your Personal Data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

 

If we process your Personal Data for direct marketing purposes, you as a Data Subject have the right to object at any time to the processing of your Personal Data for such marketing, which includes profiling to the extent that is related to such direct marketing.

 

In addition, you as a Data Subject on grounds resulting from your particular situation, have the right to object to the processing of your Personal Data for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

To exercise your right, you may contact us or, notwithstanding Directive 2002/58/EC and in the context of the use of information society service, exercise your right to object by automated means using technical specifications.

Rights related to Automated Individual Decision-making, including Profiling

As a Data Subject, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you. This shall not apply if the decision a) is necessary for entering into, or performance of, a contract between you and us; b) is authorized by European Union or law of a member state of the European Union to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or c) is based on your explicit consent.

 

If the decision is a) necessary for entering into, or performance of, a contract between you and us or c) is based on your explicit consent, we will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention at our company, to express your point of view and to contest a decision.

 

We do not use automated individual decision-making or Profiling.

Right to Withdraw Consent

As a Data Subject you have right to withdraw your consent to process your Personal Data at any time.

Right to File a Complaint

Irrespective of any other legal recourse in administrative law or court, as a Data Subject you have the right to file a complaint at a supervisory authority, in particular in the member state of your place of residence, your place of employment or the location of the alleged breach if you are of the opinion that the processing of your Personal Data breaches the GDPR. The supervisory authority responsible for us is Hamburgische Beauftragte für Datenschutz und Informationsfreiheit.

XIII. Data Protection Officer

The data protection officer of the Controller responsible for processing data is:

 

Ms. Lea Evans

c/o alstria office REIT-AG

Steinstr. 7

20095 Hamburg

Germany

Fax: +49 (0)40 22 63 41 310

E-Mail: [email protected]

 

Data Subjects may contact our data protection officer directly with any questions or concerns regarding data protection.

XIV. Controller

The Controller is:

 

alstria office REIT-AG

Steinstr. 7

20095 Hamburg

Germany

Tel.: +49 (0)40 22 63 41 300

Contact

Homepage: www.alstria.com

 

Please see our imprint for our management and additional information about the company.

 

As per July 26, 2019