A. Privacy Policy

Your data are in safe hands with us, IMMOFINANZ AG, Wienerbergstrasse 9, 1100 Vienna (hereinafter “IMMOFINANZ”, “we”, “us”). We are committed to protecting your data and we take this remit very seriously. It goes without saying that we observe the applicable legal provisions on the protection, lawful handling and confidentiality of personal data as well as data security, in particular the General Data Protection Regulation (“GDPR”), the Austrian Telecommunications Act (“TKG”) and the applicable Data Protection Act (“DSG"). Please take the time to read this Privacy Policy and get an idea of why we or a company affiliated with IMMOFINANZ within the meaning of Section 189a no 8 of the Austrian Commercial Code (UGB) (hereinafter “group company”) collect your data and how we process it.

1. Website use, contact data, registration, ordering financial reports and newsletters

We process your personal data when you use our website, when you contact us, when you register to comment on our blog posts and when you order our newsletter. In particular, this Privacy Policy explains which personal data we process and to which extent.

1.1. Access data and log files

When us visit our websites https://www.immofinanz.com, https://myhive-offices.com, https://www.stop-shop.com, https://vivo-shopping.com, use the app or other applications, software programmes, digital media or storage media (“services”), i.e. access the respective server, we process the following data of yours:

the Internet Protocol (“IP”) address used to connect your computer to the Internet;
computer, device and connection information such as browser type and version, operating system, screen resolution and mobile platform;
the uniform resource locator (“URL”);
clickstream data, including the date and time of the content for a service which you viewed or searched for and the URL that referred you to that service.

These data are automatically generated by our servers when you use our services and are required so that we can provide you with the services you desire. We therefore only process server log files in order to be able to provide you with a user-friendly and secure website and the associated services (e.g. to investigate acts of abuse or fraud). Such data processing is therefore necessary to safeguard our legitimate interests (Art 6 Paragraph 1 lit f GDPR).

If you fail to provide certain mandatory information, this may mean that your registration as a user cannot be processed or that certain functions or services on the website cannot be used.

1.2. Contact data

If you contact us (e.g. by e-mail, online form or by phone), we will process the personal data you provide, such as your name, telephone number, e-mail address and the content of your request. These data are required to process and answer your request. This processing is therefore carried out to fulfil our (pre-)contractual obligations (Art. 6 Paragraph 1 lit. b GDPR) and where these are required to safeguard our legitimate interests or those of a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require the protection of personal data (Art. 6 Paragraph 1 lit. f GDPR), in particular in order to minimise legal risks and perform contracts in the context of our legitimate interests for proper and lawful business management.

1.3. Registration

Registration is required if you would like to comment on our blog posts. For this, we process your name, e-mail address and notification preference. This processing is necessary in order to provide you with a personal account and to prevent misuse of the comment function. This processing is therefore carried out both to fulfil our (pre-)contractual obligations (Art 6 Paragraph 1 lit b GDPR) and where these are required to safeguard our legitimate interests or those of a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject which require the protection of personal data (Art. 6 Paragraph 1 lit. f GDPR), in particular in order to minimise legal risks and perform contracts in the context of our legitimate interests for proper and lawful business management.

1.4. Newsletter

You have various options to subscribe to our newsletters. We process the personal data provided for this purpose on the basis of your voluntarily given consent (Art 6 Paragraph 1 lit a GDPR):

If you register for our newsletter or blog via the website, we process your first name and surname and your e-mail address in order to send you newsletters and notifications about new blog posts on IMMOFINANZ products and services by e-mail.
If you have registered for our newsletters as a journalist, we will process your first name and surname, e-mail address, editorial office, editorial office address and business mobile number to send corporate news, ad hoc announcements and invitations to events by e-mail, SMS or mail or for phone contact.
If you have registered for our newsletter as an investor, we will process your first name and surname, e-mail address, company, position, business address, business mobile number and information about the last meeting with IMMOFINANZ representatives, to send corporate news, ad hoc announcements and invitations to events by e-mail, SMS or mail or for phone contact.

Registration for the above-mentioned newsletters takes place in a so-called double opt-in process. After registering, you will therefore receive an e-mail asking you to confirm your registration. This confirmation is necessary in order to prevent misuse, in particular registration by third parties.

We log registrations in order to be able to verify the registration process in accordance with the legal requirements. For this purpose, we process the time of confirmation and the IP address.

The newsletters contain pixel-sized files which are retrieved from the server when they are opened. During download, technical information such as your browser and operating system is collected, as well as your IP address and the time of the download. This information is used for the technical improvement of the services based on the technical data or the target groups and your reading behaviour based on the access locations (which can be determined with the help of the IP address) or the access times.

Statistical data collection also includes an analysis of whether the newsletters are opened, when they are opened and which links are clicked on. We use these evaluations to identify the reading habits of our users and to be able to improve the content of our newsletters and notifications accordingly. We do not monitor individual users.

You can unsubscribe from our newsletters or other notifications at any time with effect for the future. A link to unsubscribe from notifications can be found at the end of each notification. You can also contact us at any time without giving a reason via a downloadable web form at https://immofinanz.com/en/gdpr or send a letter by post.

1.5. Who will your data be transferred to?

We transfer your personal data to the following external service providers (processors) who support us in providing our services:

IT service providers and/or providers of data hosting solutions or similar services;
other service providers, providers of tools and software solutions who also support us in providing our services and who act on our behalf; and
group companies for internal group purposes.

All of our processors only process your data on our behalf and on the basis of our instructions so that we can make our offer available to you.

In addition, we transmit your personal data to the following recipients (controllers) to the extent necessary:

any third parties involved in the provision of services to you in order to fulfil our contractual obligations (e.g. parcel service providers);
external third parties to the extent necessary on the basis of our legitimate interests (e.g. auditors and tax consultants, insurance companies in the event of an insurance claim, legal representatives in the event of an accident);
authorities and other public bodies to the extent required by law (e.g. tax authorities).

1.6. Storage period

We will only store your data for as long as is necessary for the purposes for which we collected your data.

We store data in connection with enquiries for six months in order to be able to respond to any queries. For the purposes of customer service and marketing, your data will be stored until you withdraw your consent or three years after you were last contacted. Data in connection with our business relationship are stored in accordance with corporate and statutory retention obligations under tax law.

Moreover, we also store your personal data beyond the specified retention periods, insofar as legal claims may be asserted derived from the relationship between you and us or until a specific incident or legal dispute has been definitively resolved. This longer storage takes place to safeguard our legitimate interests in the assertion, clarification and defence of legal claims.

2. Property ownership, management and rental

We or a group company are the owner of a property (hereinafter “property owner”). The property owner is named as the landlord in the management agreement with the property or facility manager, or in the rental agreement.

2.1 Who and which data are affected by the processing of data?

The property owner processes personal data of the following categories of persons (hereinafter collectively the “data subjects”):

managers of a property owned by the property owner (e.g. buildings, business premises, parking spaces and/or basement storage units, warehouses);
tenants, lessees or other authorised users of a property owned by the property owner (including persons who have concluded a rental, lease or other usage agreement with the manager of the property);
persons who provide services for the property owner or the manager in connection with properties of the property owner; and
persons who provide services for the property owner, including agents without specific authorisation, other parties who have been enriched or parties who suffered a loss as well as persons making claims against the property owner;

each including contact persons, (statutory legal) representatives, authorised representatives (including legal guardians for adults), employees and other agents of all of the aforementioned.

The personal data of these data subjects consist of:

first name(s), surname, title, gender, date of birth, nationality;
contact data (in particular address, e-mail address, telephone numbers) and banking details;
profession/company address;
land register data,
property data, including rental, lease and user agreements, special agreements (including agreements on structural changes, and billing types and devices) and data on services provided to tenants, lessees, users and data subjects or information received by data subjects;
rent roll lists, invoicing data and compensation keys, fee notices, payments, credits, subsequent payments, balances, arrears, banking details, reminder and collection documents;
documents regarding structural changes, survey and remedy of defects, repairs, maintenance work and other services (e.g. chimney sweeps, maintenance, etc.) in connection with the property (in each case including their organisation and execution);
other data which the property owner receives in its function as the owner of a property or its management, in particular data in connection with business transactions to manage the property (e.g. for maintenance/repairs, upkeep, technical support and maintenance, energy procurement, fire, liability and other insurance, maintenance reserves, invoicing and budget calculation);
invoice, salary and tax authority data, including data regarding the collection of receivables and debt collection documents;
correspondence with courts and lawyers; and
other correspondence, in particular data generated in connection with the use of digital communication media, including e-mail address and/or telephone number, the content of the message and transmitted documents.

2.2 Legal basis for processing

These personal data of data subjects are processed by the property owner in connection with the position of the owner and the organisation of the property management. Processing takes place on the following legal basis:

Personal data are processed to fulfil contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR in order to:

conclude or perform facility management contracts regarding the property;
conclude or perform rental, lease and other user agreements with tenants, lessees and other authorised users of the respective property or parts thereof; and
conclude and/or execute other contracts based on or in connection with business transactions required or helpful for the management or maintenance of the property (including maintenance/repairs (e.g. removal of defects), upkeep, technical support and maintenance, energy procurement, insurance, maintenance reserves, invoicing and budget calculation) with data subjects and third parties.

Personal data are also processed due to legitimate interests of the property owner or third parties in accordance with Art. 6 Paragraph 1 lit. f GDPR,

as described above, in connection with the processing of personal data to fulfil contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR, where such processing goes beyond that, but is required to safeguard the legitimate interests of the property owner or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular in order to maintain and to manage the property in the context of the legitimate interests of the property owner or of a third party, to prepare, conclude, carry out, evaluate and prove the related transactions, to make, reject or cede contractual claims, render account, and to fulfil legal obligations in connection with properties and property management and the associated legal relationships, or to avoid economic and legal risks;
as described below in accordance with Art. 6 Paragraph 1 lit. c GDPR in connection with the processing of personal data to fulfil a legal obligation to which the property owner is subject, where such processing goes beyond that, but is required to safeguard the legitimate interests of the property owner or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular in the context of the legitimate interests of the property owner or a third party in the compliance with legal or contractual provisions (and evidence thereof) as the owner or manager of a property, in the initiation or performance of a contract, for financing in connection with a property, the property owner or a group company, to prevent legal infringements by the property owner, group companies and other third parties and their involvement in legal infringements, and to prevent fraud to the extent strictly necessary;
in the context of the legitimate interests of the property owner or a third party in order to fulfil other civil-law and legal obligations and duties such as disclosure obligations, accounting obligations, obligations to surrender possession and storage obligations, as well as obligations to carry out supervision and evaluation measures to prevent legal infringements;
in the context of the legitimate interests of the property owner or a third party in the best possible utilisation of a property (including financing), in particular in order to convey an accurate view of the relevant key facts (e.g. rent roll lists, ownership and encumbrance conditions, relevant contractual relationships, payment arrears and collectability), to the extent required in each case;
to promote, provide, review and restore IT security, secure communication and security on the property as well as in connection with the initiation, execution, performance and conclusion of the contract for the property owner and third parties;
in order to appropriately inform data subjects in connection with contractual relationships and their conclusion, execution and performance in connection with the property;
in the context of outsourcing functions and tasks, for the provision of services by group companies as well as for internal portfolio evaluations, for reporting, controlling, compliance, finance, audit, revision and consolidation purposes as well as for the financing of the property owner, group companies and the Group; and
in order to exercise and defend legal claims, in particular to conduct, avoid, settle and fulfil imminent or existing legal disputes.

Right to object to processing

Pursuant to Art. 21 Paragraph 1 GDPR, data subjects have the right to object to processing of personal data concerning them which takes place on the basis of Art. 6 Paragraph 1 lit. f GDPR (data processing to protect legitimate interests). Further details regarding exercising this right can be found below.

Personal data are also processed in accordance with Art. 6 Paragraph 1 lit. c GDPR to fulfil a legal obligation to which the property owner is subject, to fulfil obligations, in particular under administrative, company, commercial and tax law, for example obligations arising from the GDPR, trade law, obligations in connection with the prevention of money laundering and terrorist financing, as well as obligations to conduct supervision and evaluation measures to prevent economic crime.
Personal data are also processed based on a consent given in accordance with Art. 6 Paragraph 1 lit. a GDPR, if the data subject has agreed to such processing for one or several specific purposes. The data subject has the right to withdraw this consent at any time without affecting the legal basis of the consent to the processing carried out until the withdrawal. A withdrawal shall have effect for the future only.

Withdrawal of consent

Any consent can be withdrawn with effect for the future at any time. The withdrawal can be made informally, for example via e-mail to datenschutzkoordinator@immofinanz.com or by sending a message to the contact details given below.

2.3 Who will your data be transferred to?

As part of processing personal data, such data will also be transferred to third parties (controllers), in particular to:

service providers regarding the property such as facility managers, workmen (e.g. roofers, electricians, plumbers, painters, bricklayers, carpenters, chimney sweeps) and other commissioned contractors or technical experts, including main contractors and other third parties involved in the provision of services, to fulfil contractual or legal obligations or duties as the owner or manager of properties, in particular for the organisation, planning, execution and inspection of maintenance/repair work, upkeep, technical support and maintenance, energy procurement and insurance;
group companies in order to provide or fulfil contractually or legally owed services and duties, to maintain or utilise the property and/or to remain competitive, also in order to review and improve own or third-party services and to work more cost-efficiently;
interested parties and buyers of properties or shares therein in order to enable and promote the best possible sale or utilisation of the property;
lenders as part of collateralisation through properties and insurance providers in connection with insuring properties or the property owner, or as part of the sale of properties;
IT service providers in order to check and ensure the function and security of IT systems, to store data and to provide computing and storage power;
courts, supervisory authorities, tax authorities and other public bodies; and
lawyers, tax consultants, auditors and other technical experts.

To the extent necessary, personal data are transmitted to service providers (processors) who support the property owner in providing its services and in conducting its business and other activities:

IT service providers, data hosting providers and providers of tools, software solutions or similar services who are given access to personal data as part of their activities; and
group companies in the context of outsourcing functions or tasks, for service provision and for internal reporting, controlling, compliance, finance, audit, revision or consolidation purposes as well as for group financing.

A data transfer to countries outside the EU or the EEA (third countries) will only take place if this is necessary or legally required for or in connection with the initiation or performance of one of the above-mentioned contracts (e.g. disclosure obligations under tax law) or the property owner has been give consent to do so.

2.4 Storage period

Personal data will only be processed and stored insofar and as long as necessary for the purpose of their collection. If the data are no longer necessary to achieve the purpose of their collection, they will be erased, unless their (further) processing is required for the following purposes:

Statutory retention periods which are based on the law applicable to the legal relationship as well as the law applicable to the property owner or, in connection with group accounting and group audit, to the respective group company: in particular, for compliance with retention and documentation obligations under the applicable commercial or tax law, regulations to prevent money laundering and terrorist financing, identification and information obligations as well as other obligations and duties under administrative and criminal law.
for the preservation of evidence as part of statutory limitation periods which are based on the law applicable to the legal relationship or the possible procedural law or the law applicable to the property owner.

In particular, the following are stored:

personal data in books and records as well as the associated vouchers, insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements, as well as for two months for the delivery of documents initiating proceedings, and beyond that as long as they are of significance for the taxation authority in a pending case or for a review or proceedings of an authority;
personal data in books, business correspondence and vouchers, insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements, as well as for two months for the delivery of documents initiating proceedings;
personal data in documents and information which are required for the fulfilment of due diligence obligations in accordance with the respective requirements under trade, company, commercial and tax law, regulations for the prevention of money laundering and terrorist financing, identification and information obligations and other obligations and duties under administrative and criminal law as well as other legal or contractual obligations, and personal data in transaction vouchers and records which are required for the initiation, determination, execution and conclusion of transactions (including the resulting legal consequences) and can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements or from which rights can be claimed against the property owner or group companies, as well as two months each for the delivery of documents initiating proceedings, and
personal data in the records on the initiation, negotiation, conclusion, performance, refusal or termination of a contract or any other legal relationship (including information) of the property owner for the duration of possible complaints, the possible assertion of rights and the resulting proceedings as well as two months each for the delivery of documents initiating proceedings;

and for the assertion of rights (including for defence) and beyond the aforementioned periods for the duration of settlement negotiations (until these are deemed completed or broken off under applicable law) and beyond that for two months for the delivery of documents initiating proceedings, and beyond that for the duration of proceedings of any kind and subsequent proceedings of any kind (including enforcement proceedings and measures) until their legally binding conclusion and, where required, for proof or assertion or fulfilment of claims from such proceedings for the duration of legal limitation periods.

2.5 Withdrawal of consent

Where the property owner has been given consent for the processing of personal data, this consent will be valid until the withdrawal of the consent or the fulfilment of the respective purpose. After the consent has been withdrawn or the purpose has been fulfilled, personal data will be erased within one month, unless such data are required as evidence of the consent, erasure or for exercising rights arising from or in connection with pre-contractual, contractual or legal claims based on the consent or fulfilment of purpose. The withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

2.6 No automated decisions (profiling)

As part of the processing as described above, data subjects are not subject to any decisions based on automatic processing — including profiling — which produce a legal effect on data subjects or significantly affect them otherwise.

3. Buyers and prospective buyers

We or a group company (the “property seller”), as a potential, future or existing contractual partner, process personal data of the following data subjects if they are interested in a property of the property seller, directly or indirectly, as a buyer, broker, agent, financer, authorised representative, representative or in any other function, in particular when they arrange a viewing appointment, request information, refer a prospective buyer to the property seller, negotiate, conclude or execute purchasing contracts including related contracts.

3.1 Who and which data are affected by processing?

In this context, the property seller processes personal data of the following categories of persons (hereinafter collectively the “data subjects”):

prospective buyers and their representatives, authorised representatives, brokers, collateral providers, jointly liable parties and financers who express an interest in a property of the property seller vis-à-vis the property seller;
brokers who express an interest in a property of the property seller vis-à-vis the property seller or who support the property seller in the sale of a property of the property seller or parties otherwise involved;
service providers, representatives, authorised representatives and technical experts of any kind who support the property seller or the prospective buyer, broker, collateral provider, jointly liable party or financer in connection with an interest in a property of the property seller; and
persons who provide services for the property seller, including agents without specific authorisation, other parties who have been enriched or parties who suffered a loss as well as persons making claims against the property seller;

each including their contact persons, (statutory legal) representatives, authorised representatives (including legal guardians for adults), employees and other agents.

The personal data of these data subjects differ depending on the legal relationship and the status of the selling process.

For persons who make or seek a viewing appointment for a property of the property seller, the personal data processed by the property seller consist of the following:

first name(s), surname, title, gender, date of birth, nationality;
contact data (in particular address, e-mail address, telephone numbers);
profession/company address;
any representatives, authorised representatives and brokers, and their respective contact persons, (statutory legal) representatives, employees and other agents;
other remarks made by them vis-à-vis the property seller, its brokers, representatives and other consultants and which are related to the property or its purchase; and
data generated in connection with the use of digital communication media, including e-mail address and/or telephone number, the content of the message and transferred documents.

For persons who express an interest in buying a specific property of the property seller, the personal data processed by the property seller additionally include the following:

copy of passport or photo ID;
financing based on own resources or loan capital, including financers, jointly liable parties and collateral providers;
purchase as owner-occupier or investor (VAT number);
all other information required for compliance with the regulations to prevent money laundering and terrorist financing (PEP check, risk assessment, financing data, asset data, origin of own resources, etc.);
representatives, authorised representatives, brokers, collateral providers, jointly liable parties and financers, and their respective contact persons, (statutory legal) representatives, authorised representatives (including legal guardians for adults), employees and other agents;
credit rating data;
data regarding claims made by or against the prospective buyer, and the defence against or enforcement of such claims;
billing, salary and tax authority data, including data regarding the collectability of receivables and debt collection documents;
correspondence with courts and lawyers; and
other correspondence and remarks which data subjects made to the property seller or which are related to the property of the property seller or its acquisition (including contract negotiations).

For persons who have concluded a purchase contract for a specific property of the property seller with the property seller, the personal data processed by the property seller additionally include the following:

data of the purchase contract and associated contracts;
data related to the execution of the purchase agreement, including payment and reminder data, and of the associated contracts;
data (where relevant for the property seller) regarding claims made by or against the buyer in connection with the purchase agreement or the property sold, and the defence against or enforcement of such claims; and
other correspondence and remarks made to the property seller or its representatives, authorised representatives or brokers in connection with an intended or executed purchase of a property.

The property seller collects most of the personal data from data subjects when they or their (statutory legal) representatives, authorised representatives, agents, brokers or lawyers provide information to the property seller, its (statutory legal) representatives, authorised representatives, agents, brokers or lawyers, for example upon a query, in contract negotiations or as part of the conclusion of the purchase contract. Occasionally, the property seller also collects personal data from public sources (e.g. Land Register, Company Register, Register of Beneficial Owners, sanction lists, internet research) and from special information providers (e.g. KSV1870).

3.2 Legal basis of processing

Personal data of data subjects are processed based on the following legal basis:

Personal data are processed to fulfil contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR in order to:

provide information prior to entering into a contract, and start, hold and conclude contract negotiations,
conclude, execute or otherwise perform purchase contracts for properties;
conclude, execute or otherwise perform broker contracts; and
conclude, execute or otherwise perform management contracts, and otherwise as part of contracts regarding the management of a property of the property seller.

Personal data are also processed based on legitimate interests of the property seller or third parties in accordance with Art. 6 Paragraph 1 lit. f GDPR,

as described above, in connection with the processing of personal data to fulfil contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR, where such processing goes beyond that, but is required to safeguard the legitimate interests of the property seller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular, in the context of the legitimate interests of the property seller or a third party, to value or sell a property, to prepare, enable, evaluate, conclude, execute or prove purchase contracts for properties and related transactions, to make, reject or cede contractual claims, to render account and, in connection with purchase contracts and the related legal relationships, fulfil statutory obligations or avoid economic or legal risks;
as described below in accordance with Art. 6 Paragraph 1 lit. c GDPR in connection with the processing of personal data to fulfil a legal obligation to which the property seller is subject, where such processing goes beyond that, but is required to safeguard the legitimate interests of the property seller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular in the context of the legitimate interests of the property seller, of group companies and other third parties in the compliance with legal or contractual provisions (and evidence thereof), including in the initiation or performance or a contract, for financing in connection with a property, the property seller or a group company, to prevent legal infringements by the property seller, group companies and other third parties and their involvement in legal infringements and to prevent fraud to the extent strictly necessary;
in the context of the legitimate interests of the property seller or a third party in order to fulfil other civil-law and legal obligations and duties such as disclosure obligations, accounting obligations, obligations to surrender possession and retention obligations, as well as obligations to carry out supervision and evaluation measures to prevent legal infringements;
in the context of the legitimate interests of the property seller or a third party in the best possible utilisation and/or sale of a property (including financing), in particular in order to convey an accurate view of the relevant key facts (e.g. rent roll lists, ownership and encumbrance conditions, relevant contractual relationships, payment arrears and collectability), to the extent required in each case;
to promote, provide, review and restore IT security, secure communication and security in connection with the initiation, execution, performance and conclusion of the contract for the property seller and third parties;
in order to appropriately inform potential and existing prospective buyers or buyers in connection with contractual relationships and their conclusion, execution and performance in connection with viewing the property as well as negotiations, conclusion, execution and other performance of contracts in connection with the sale and other utilisation of a property of the property seller;
in the context of outsourcing functions and tasks, for the provision of services by group companies as well as for internal portfolio evaluations, and for reporting, controlling, compliance, finance, audit, revision and consolidation purposes as well as for the financing of the property seller, group companies and the Group; and
in order to exercise and defend legal claims, in particular to conduct, avoid, settle and fulfil imminent or existing legal disputes.

Right to object to processing

Personal data are also processed in accordance with Art. 6 Paragraph 1 lit. c GDPR to fulfil a legal obligation to which the property seller is subject, to fulfil obligations, in particular under administrative, company, commercial and tax law, for example obligations arising from the GDPR, trade law, obligations in connection with the prevention of money laundering and terrorist financing, as well as obligations to conduct supervision and evaluation measures to prevent economic crime.
Personal data are also processed based on a consent given in accordance with Art. 6 Paragraph 1 lit. a GDPR, if the data subject has agreed to such processing for one or several specific purposes. The data subject has the right to withdraw this consent at any time without affecting the legal basis of the consent to the processing carried out until the withdrawal. A withdrawal shall have effect for the future only.

Withdrawal of consent

3.3 Who will your data be transferred to?

As part of processing personal data, such data will also be transferred to third parties (controllers), in particular to:

service providers regarding the sale of the properties such as data room providers, brokers, property experts, notaries public, lawyers, auditors and other commissioned third parties and other third parties involved in the negotiation, conclusion or service provision;
group companies in order to provide or fulfil contractually or legally owed services and duties;
prospective buyers and buyers of properties or shares therein in order to enable and promote the best possible sale or utilisation of the property;
lenders in the context of the collateralisation through properties and insurance providers in connection with the insurance of properties or the property seller or of property buyers;
IT service providers in order to check and ensure the function and security of IT systems, to store data and to provide computing and storage power;
banks, jointly liable parties and collateral providers;
courts, supervisory authorities, tax authorities, housing subsidy bodies and other public bodies;
managers of the property affected;
courts, supervisory authorities, tax authorities and other public bodies; and
notaries public and brokers, representatives, authorised representatives, tax consultants, auditors and lawyers commissioned by the property seller.

To the extent necessary, personal data are transmitted to service providers (processors) who support the property seller in providing its services and in conducting its business and other activities:

IT service providers, data hosting providers and providers of tools, software solutions or similar services who are given access to personal data as part of their activities; and
group companies in the context of outsourcing functions or tasks, for service provision and for internal reporting, controlling, compliance, finance, audit, revision or consolidation purposes as well as for group financing.

3.4 Storage period

Statutory retention periods which are based on the law applicable to the legal relationship as well as the law applicable to the property seller or, in connection with group accounting and group audit, to the respective group company: in particular, for compliance with retention and documentation obligations under the applicable commercial or tax law, regulations to prevent money laundering and terrorist financing, identification and information obligations as well as other obligations and duties under administrative and criminal law.
for the preservation of evidence as part of statutory limitation periods which are based on the law applicable to the legal relationship or the possible procedural law or the law applicable to the property seller.

In particular, the following are stored:

personal data in books and records as well as the associated vouchers, insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements, as well as for two months for the delivery of documents initiating proceedings and beyond that as long as they are of significance for the taxation authority in a pending case or for a review or proceedings of an authority;
personal data in books, business correspondence and vouchers, insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements or are of significance for a review by a court or an authority, as well as for two months for the delivery of documents initiating proceedings;
personal data in documents and information which are required for the fulfilment of due diligence obligations in accordance with the respective requirements under trade, company, commercial and tax law, regulations for the prevention of money laundering and terrorist financing, identification and information obligations and other obligations and duties under administrative and criminal law as well as other legal or contractual obligations, and personal data in transaction vouchers and records which are required for the initiation, determination, execution and conclusion of transactions (including the resulting legal consequences) and can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements or from which rights can be claimed against the property seller or group companies, as well as two months each for the delivery of documents initiating proceedings, and
personal data in the records on the initiation, negotiation, conclusion, performance, refusal or termination of a contract or any other legal relationship (including information) of the property manager for the duration of possible complaints, the possible assertion of rights and the resulting proceedings as well as two months each for the delivery of documents initiating proceedings;

3.5 Withdrawal of consent

Where the property seller has been given consent for the processing of personal data, this consent will be valid until the withdrawal of the consent or the fulfilment of the respective purpose. After the consent has been withdrawn or the purpose has been fulfilled, personal data will be erased within one month, unless such data are required as evidence of the consent, erasure or for exercising rights arising from or in connection with pre-contractual, contractual or legal claims based on the consent or fulfilment of purpose. The withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

3.6 No automated decisions (Profiling)

4. Suppliers and business partners

We or a group company (hereinafter “IMMOFINANZ company”) process personal data of the following persons in connection with potential, future or existing contractual partners and an initiation of a contract or a contractual relationship with suppliers and other contractual partners (hereinafter collectively “supplier”). The IMMOFINANZ company is named as part of the initiation of a contract or contractual relationship or in the contract.

4.1 Who and which data are affected by processing?

In this context, the IMMOFINANZ company processes personal data of the following categories of persons (hereinafter collectively the “data subjects”):

suppliers and persons who are service providers for the IMMOFINANZ company or of a supplier in connection with a contractual relationship with a supplier; and
persons who provide services for the IMMOFINANZ company, including agents without specific authorisation, other parties who have been enriched or parties who suffered a loss as well as persons making claims against the IMMOFINANZ company;

each including their contact persons, (statutory legal) representatives, authorised representatives (including legal guardians for adults), employees and other agents of all of the aforementioned.

The personal data of these data subjects consist of:

first name(s), surname, title, gender, date of birth, nationality;
contact data (in particular address, e-mail address, telephone numbers) and banking details;
profession/company address, position;
contract, service or claim data, special agreements, services or other information received from or for data subjects;
billing data, invoice data, payments, credits, subsequent payments, balances, arrears, banking details, tax authority data, including data regarding the collectability of receivables, reminder and debt collection data;
data for the organisation and performance of service provision by or for the IMMOFINANZ company, including defects, damages, defect survey and remedy, repairs and other services provided to the IMMOFINANZ company or data subjects;
other data which the IMMOFINANZ company receives as part of the initiation, execution and performance of contracts with suppliers or data subjects, or as part of the provision of services (including due agency without specific authorisation or enrichment);
correspondence with courts and lawyers; and
other correspondence and data, in particular data generated in connection with the use of digital communication media, including e-mail address and/or telephone number, the content of the message and transmitted documents.

4.2 Legal basis of processing

These personal data of data subjects are processed by the IMMOFINANZ company in connection with the initiation, conclusion, execution and performance of contracts. Processing takes place on the following legal basis:

Personal data are processed to meet contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR in order to

initiate, conclude, execute and perform contracts with suppliers or data subjects for the company or for third parties; and
fulfil primary and secondary obligations from such contracts.

Personal data are also processed due to legitimate interests of the IMMOFINANZ company or third parties in accordance with Art. 6 Paragraph 1 lit. f GDPR,

as described above, in connection with the processing of personal data to fulfil contractual obligations and pre-contractual measures in accordance with Art. 6 Paragraph 1 lit. b GDPR, where such processing goes beyond that, but is required to safeguard the legitimate interests of the IMMOFINANZ company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular in order to conduct business properly and lawfully as part of legitimate interests of the IMMOFINANZ company or third parties, to prepare, conclude, carry out, evaluate and prove business transactions, work with suppliers or third parties as efficiently and purposefully as possible, to render account and, in connection with supplier relationships and the associated legal relationships, to fulfil legal obligations or avoid economic and legal risks;
as described below in accordance with Art. 6 Paragraph 1 lit. c GDPR in connection with the processing of personal data to fulfil a legal obligation to which the IMMOFINANZ company is subject, where such processing goes beyond that, but is required to safeguard the legitimate interests of the IMMOFINANZ company or a third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data;
in particular in the context of the legitimate interests of the IMMOFINANZ company, of group companies or other third parties in the compliance with legal or contractual provisions (and evidence thereof), including in the initiation or performance of a contract in connection with a supplier relationship, to prevent legal infringements by the IMMOFINANZ company, group companies and other third parties and their involvement in legal infringements, and to prevent fraud to the extent strictly necessary;
in the context of the legitimate interests of the IMMOFINANZ company or a third party in order to fulfil other civil-law and legal obligations and duties such as disclosure obligations, accounting obligations, obligations to surrender possession and retention obligations, as well as obligations to carry out supervision and evaluation measures to prevent legal infringements;
in the context of the legitimate interests of the IMMOFINANZ company or a third party in the best possible conduct of business, in particular for efficient and diligent management;
to promote, provide, review and restore IT security, secure communication in connection with contract initiation, execution and performance, as well as conclusion of a contract for the IMMOFINANZ company and third parties;
in order to appropriately inform data subjects in connection with contractual relationships and their conclusion, execution and fulfilment;
in the context of outsourcing functions and tasks, for the provision of services by group companies as well as for internal portfolio evaluations, and for reporting, controlling, compliance, finance, audit, revision or consolidation purposes as well as for the financing of the IMMOFINANZ company, group companies and the Group; and
in order to exercise and defend rights, in particular to conduct, avoid, settle and fulfil imminent or existing legal disputes.

Right to object to processing

Personal data are also processed in accordance with Art. 6 Paragraph 1 lit. c GDPR to fulfil a legal obligation to which the IMMOFINANZ company is subject, to fulfil obligations, in particular under administrative, company, commercial and tax law, for example obligations arising from the GDPR, trade law, obligations in connection with the prevention of money laundering and terrorist financing, as well as obligations to conduct supervision and evaluation measures to prevent economic crime.
Personal data are also processed based on a consent given in accordance with Art. 6 Paragraph 1 lit. a GDPR, if the data subject has agreed to such processing for one or several specific purposes. The data subject has the right to withdraw this consent at any time without affecting the legal basis of the consent to the processing carried out until the withdrawal. A withdrawal shall have effect for the future only.

Withdrawal of consent

4.3 Who will your data be transferred to?

As part of processing personal data, such data will also be transferred to third parties (controllers), in particular to:

service providers in connection with the contracts and legal relationships concluded with suppliers such as brokers, technical experts, notaries public, lawyers, auditors and other commissioned third parties and other third parties involved in the negotiation, conclusion or service provision of a service;
group companies in order to provide or fulfil contractually or legally owed services and duties, including to review and improve services and to work more cost-efficiently and remain competitive;
suppliers and data subjects in order to obtain offers or insofar as otherwise required on a case-by-case basis;
IT service providers in order to check and ensure the function and security of IT systems, to store data and to provide computing and storage power;
courts, supervisory authorities, tax authorities, funding agencies and other public authorities; and
lawyers, tax consultants, auditors and other technical experts.

To the extent necessary, personal data are transmitted to service providers (processors) who support the IMMOFINANZ company in providing its services and in conducting its business and other activities:

IT service providers, data hosting providers and providers of tools, software solutions or similar services who are given access to personal data as part of their activities; and
group companies in the context of outsourcing functions or tasks, for service provision and for internal reporting, controlling, compliance, finance, audit, revision or consolidation purposes as well as for group financing.

4.4 Storage period

Personal data will only be processed and stored insofar and as long as necessary for the purpose of their collection. If the data are no longer necessary to achieve the purpose of their collection, they will be deleted, unless their (further) processing is required for the following purposes:

statutory retention periods which are based on the law applicable to the legal relationship as well as the law applicable to the IMMOFINANZ company or, in connection with group accounting and group audit, to the respective group company: in particular, for compliance with retention and documentation obligations under the applicable commercial or tax law, regulations to prevent money laundering and terrorist financing, identification and information obligations as well as other obligations and duties under administrative and criminal law.
for the preservation of evidence as part of statutory limitation periods which are based on the law applicable to the legal relationship or the possible procedural law or the law applicable to the IMMOFINANZ company.

In particular, the following are stored:

personal data in books and records as well as the associated vouchers insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements, as well as for two months for the delivery of documents initiating proceedings and beyond that as long as they are of significance for the taxation authority in a pending case or for a review or proceedings of an authority;
personal data in books, business correspondence and vouchers, insofar as these can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements or are of significance for a review by a court or an authority, as well as for two months for the delivery of documents initiating proceedings;
personal data in documents and information which are required for the fulfilment of due diligence obligations in accordance with the respective requirements under trade, company, commercial and tax law, regulations for the prevention of money laundering and terrorist financing, identification and information obligations and other obligations and duties under administrative and criminal law as well as other legal or contractual obligations, and personal data in transaction vouchers and records which are required for the initiation, determination, execution and conclusion of transactions (including the resulting legal consequences) and can still be reviewed by the authorities or courts in accordance with the respective applicable legal requirements or from which rights can be claimed against the IMMOFINANZ company or group companies, as well as two months each for the delivery of documents initiating proceedings, and
personal data in the records on the initiation, negotiation, conclusion, performance, refusal or termination of a contract or any other legal relationship (including information) of the IMMOFINANZ company for the duration of possible complaints, the possible assertion of rights and the resulting proceedings as well as two months each for the delivery of documents initiating proceedings;

and for the assertion of rights (including for defence) and beyond the aforementioned periods for the duration of settlement negotiations (until these are deemed completed or broken off under applicable law) and beyond that for two months for the delivery of documents initiating proceedings, and beyond that for the duration of proceedings of any kind and subsequent proceedings of any kind (including enforcement proceedings and measures) until their legally binding conclusion and, where required, for proof or assertion or the fulfilment of claims from such proceedings for the duration of legal limitation periods.

4.5 Withdrawal of consent

Where the IMMOFINANZ company has been given consent for the processing of your personal data, this consent will be valid until the withdrawal of the consent or the fulfilment of the respective purpose. After the consent has been withdrawn or the purpose has been fulfilled, personal data will be erased within one month, unless such data are required as evidence of the consent, erasure or for exercising rights arising from or in connection with pre-contractual, contractual or legal claims based on the consent or fulfilment of purpose. The withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

4.6 No automated decisions (profiling)

As part of the initiation, conclusion, execution, fulfilment and assessment of contractual relationships, data subjects are not subject to any decisions based on automatic processing — including profiling — which produce a legal effect on data subjects or significantly affect them otherwise.

5. Data security

We have taken appropriate technical and organisational measures to protect your data from unauthorised, illegal or accidental access, processing, use, manipulation, loss or destruction. Furthermore, we and our employees are obliged to maintain data secrecy.

Despite all of our measures, it cannot be ruled out that information which you provide to us via the Internet will be viewed and used by other people. Please be mindful in particular that unencrypted e-mail messages sent via the Internet are not sufficiently protected against unauthorised access by third parties. We therefore recommend that you send confidential information by mail.

6. Changes to the Privacy Policy

In the event of changes in the legal situation or the duties, services and user benefits, we will update the Privacy Policy accordingly. If these changes also affect the consents given by users, changes will only be made with their prior consent.

7. Rights of data subjects

You have the right to information about which of your personal data we process as well as to rectification, erasure and restriction of data processing and to data portability, provided that the performance of the contract is not thereby impaired. In addition, you may have a right to object if this results from your particular situation. If you have given us your consent to data processing, you can withdraw this consent at any time, free of charge, without giving reasons and with future effect.

You can send us your submission to assert your rights as a data subject, for example via the downloadable form at https://immofinanz.com/en/gdpr, via e-mail to datenschutzkoordinator@immofinanz.com or in writing to:

IMMOFINANZ AG

For the attention of the Data Protection Coordinator
Wienerbergstrasse 9
1100 Vienna, Austria.

If you believe that the processing of your personal data violates the applicable data protection law or that your data protection rights have been violated in any other way, you have the right to complain to the supervisory authority. In Austria, the data protection authority is responsible for this (Barichgasse 40-42, 1030 Vienna).

As of August 2024