37, Boulevard Joseph II, L-1840 Luxembourg
Mr. Frank Roseen, Ms. Jelena Afxentiou, Mr. Ran Laufer (Non-Executive Director),
Mr. Markus Leininger (Independent Director), Ms. Simone Runge-Brandner (Independent Director), Mr. Markus Kreuter (Independent Director),
The company is duly incorporated in the Grand Duchy of Luxembourg under the commercial register number B217868.
Dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful.
Data is considered personal if it relates to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address. The provisions below serve to provide information as to the manner, extent and purpose in which we process your personal data.
1.1 Visiting a website
If you visit one of our websites for informational purposes, we process your IP address, information on the device and browser you are using (operating system, browser type and version, host name of the device), the referrer URL and time and date of your request. We process this data to display to you our website correctly, enable its core functions, and to ensure the stability and security of our site.
To provide our website and its basic functions (e.g. language settings, cookie settings), we place cookies on your device. A cookie is a small piece of data placed on your computer’s hard drive that permits it to identify a specific device or browser. Most of these cookies are session cookies that expire at the end of your browsing session. The cookie we use to determine your preferred language which is based on your location as well as the cookie we use to store your cookie settings for our website will both expire within 12 months.
The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR, insofar as it serves to provide our website to you, and Art. 6 (1) (1) (f) GDPR, as we have a legitimate interest to ensure the security of our website, a user-friendly, effective and secure experience and smooth access to its key functions.
1.1.1 Statistical analysis using etracker
This website uses the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) to analyse usage data. This allows the statistical analysis of the use of this website by its visitors. For this purpose etracker stores cookies (see above). etracker cookies do not contain any information that could identify a user. Some of the cookies will be delted after the end of the session. Some cookies will be stored on your computer for one or two years, unless you delete them. You may find more information on the cookies used by etracker on www.etracker.com/support/etracker-cookies-2/. The data generated with etracker is processed and stored by etracker solely in Germany by commission of the provider of this website and is thus subject to strict German and European data protection laws and standards. In this regard, etracker was checked, certified and awarded with the ePrivacyseal data protection seal of approval.
The data is processed on the legal basis of Art. 6 (1) 1 lit. f GDPR. Our legitimate interest is the optimization of our online offer and our website. As the privacy of our visitors is very important to us, etracker anonymizes the IP address as early as possible and converts login or device IDs into a unique key with which, however, no connection to any specific person can be made with. etracker does not use it for any other purpose, combine it with other data or pass it on to third parties. The legal basis for the data transfer is Art. 28 GDPR in connection with the data processing agreement between Aroundtown and etracker.
You can object to the outlined data processing at any time on grounds relating to your particular situation. Your objection has no detrimental consequences for you.
1.2 Registering for restricted areas of a website
Access to some of the areas on our websites is restricted and requires a user registration (e.g. for access to recordings of Investor and Analyst calls and portfolio updates). As part of your registration, you must provide certain information, such as your name, company affiliation, email address, and a password. We use a so-called "double opt-in" procedure to confirm your registration. This means that after signing up, you will receive an email with a link confirming that you are the owner of the email address that has been used for registration. If your registration is not confirmed within 48 hours of requesting the confirmation from you, your personal data will be automatically deleted.
The legal basis for this data processing is Article 6 (1) (1) (b) GDPR. We process the aforementioned personal data in order to grant you the desired access to restricted areas of our websites.
2. Communication between you and us, including newsletters
We may communicate with each other via various communication channels. In these cases, we may, inter alia, process your personal data for the following purposes:
2.1 Communication via different communication channels
You may contact us via various channels, including by post, email, fax or telephone. If we communicate, we share personal data with each other. Therefore, we may process your contact data and communication data (e.g. messages, conversations, shared files). The purpose of this data processing is to enable ongoing communication between us and to take care of your request. Based on the communication channel used, additional data may be processed. For example, if we communicate via video conferencing tools, such tools may additionally process technical and service-related data to ensure an uninterrupted connection for our communication. We also sometimes conclude contracts electronically or sign related documents electronically using an electronic signature tool.
The legal basis for the processing relating to communication with you is Art. 6 (1) (1) (b) GDPR or, if the contact does not relate to the conclusion or performance of a contract, Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in having optimized and comprehensible communication and document approval processes with our customers, contract and business partners and respond to their requests.
2.2 Contacting us via real estate listings
To attract potential tenants, buyers and sellers, we list our real estate on different real estate platforms. If you make an inquiry to us via such a platform (either for yourself personally or on behalf of your employer), we will receive your name, your contact information and the content of your inquiry (including any personal data that you mention therein and in particular information on the real estate object you are interested in) from the platform operator.
The legal basis for listing our real estate with the help of third-party providers is Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in presenting our real estate in a professional, easily accessible and commercially attractive manner via third party platforms and in improving the quality of and consistency in our interaction with interested parties across real estate platforms.
2.3 Newsletter subscription
On some of our websites, you can subscribe to newsletters and mailing lists (such as for investor relations). In the newsletters and mailing lists and depending on the specific newsletter or mailing list you subscribe to, we will periodically inform you about financial results and other investor-related topics or other information related to our company that may be of interest to you. If you subscribe to our newsletters or mailing lists, we process your email address to send relevant information related to the content for which you have registered.
The legal basis for the aforementioned data processing activities is your consent, Art. 6 (1) (1) (a) GDPR. You have the right to withdraw your consent for the newsletter at any given time by clicking on the “unsubscribe” link included in each newsletter or by sending us an email to the email address indicated in Section 17 below. In some cases, even without a subscription, we may send you relevant updates and newsletters if you have entered into a contract with us before, if the mailing contains advertising for similar goods or services such as the ones that were part of our contract, if you have not objected to this use of your email address, and if we have informed you about your right to object upon collection of your email address and in any mailing we may sent to you. The legal basis for such processing is our legitimate interest (Art. 6 (1) (1) (f) GDPR) for marketing our products and services to our customer base. To exercise your right to object, you may use the aforementioned “unsubscribe” mechanism or contact us via email.
For the subscription process, we use a so-called "double opt-in" procedure. You will receive an email with a link confirming that you are the owner of the email address that has been used for the subscription and that you want to receive our newsletters. If your subscription is not confirmed within 30 days of requesting such confirmation from you, your personal data will be automatically deleted.
3. (Potential) contract partners and their employees
As part of our business, we may, inter alia, conclude contracts with each other for the following purposes:
If there is a contract or contract negotiations between you and us or between your employer or company and us, we may process your personal data in connection with the contract conclusion and execution. This may include your name and your contact details as well as other data that is relevant for the contract (e.g. financial information) as far as this information relates to you personally. We may also process contact information of your employees who are in charge of handling the contractual relationship for you.
The purpose of this data processing is to prepare, conclude or execute the contract between you or your employer or company. The legal basis for the processing relating to contract conclusion or execution is Art. 6 (1) (1) (b) GDPR, or, if the contract is concluded with your employer or company, our legitimate interest in conducting and managing this contractual relationship with your employer or company, Art 6 (1) (1) (f) GDPR. Please note that if the services you provide to us include your appearance as a speaker in one of our events or calls and we have agreed on a recording of it, the data processed for contract execution (Art. 6 (1) 81) (b) GDPR) includes video, voice and/or image recordings and their subsequent use / distribution, as the case may be.
3.1 Conclusion of sale or purchase agreements for real estate
In the context of contracts for the purchase and sale of real estate, we may additionally process data on the identity of individuals that are directly or indirectly involved in such sale or purchase to check that the information provided to us in this regard is correct. We do so for compliance with anti-money laundering legislation based on Art. 6 (1) (1) (c) GDPR in connection with the respective legal obligations.
3.2 Creditworthiness checks
For the conclusion of agreements, such as rental agreements, and as far as this information relates to you as an identifiable individual, we may additionally process information about you that we collected to prepare a contract to check your creditworthiness. The legal basis for this data processing is Art 6 (1) (1) (b) GDPR or Art. 6 (1) (1) (f) GDPR as we have a legitimate interest in ensuring the solvency of our tenants. Please note that such creditworthiness checks may lead to use of your data for credit scoring in order to gather information on your creditworthiness for your future contract partners that may carry out such checks as well.
4. Job applicants
You may apply for a job with us, including via careers websites operated by us. In order to enable us to make you the best possible job offer and to fill open positions within the Aroundtown group of companies and within Aroundtown-affiliated companies in the best possible way, your application data will be shared with the relevant group or affiliated company with a suitable job opening, which is responsible for data processing in this case (Art. 6 (1) (1) (f) GDPR). This is in our interest as well as in the interest of the entities involved to be able to fill vacancies with the best possible candidates. We also do so with your best interest in mind to make you the best possible job offer.
In the case of your application, we process your name, contact details, information on your qualifications and previous work experience and other information to select a suitable candidate for the respective positions for the application process. This data processing is necessary to process job applications and, ultimately, to prepare an employment contract (Section 26 (1) (1) Federal Data Protection Act (BDSG)). We cannot consider you for a position without processing the aforementioned data. You may also provide us with information that has been marked as voluntary on our career website (e.g. on how you were attracted to the position you apply for). If you do so, we process this as part of your job application based on your consent (Section 26 (2) BDSG in conjunction with Art. 6 (1) (1) (a) GDPR). If your application is unsuccessful, your data will be deleted after the hiring process has been concluded, at the latest within 6 months.
If you are interested in receiving information about other positions in the future, we will retain and process your data for this purpose based on your consent (Art. 6 (1) (1) (a) GDPR). In this case, the data will be retained for 12 months, unless you revoke your consent at an earlier point.
5. Visiting our business premises, including video surveillance
If you visit our business premises, we process your name and the reason for your visit in order to enforce our access control measures to safeguard the security of our business operations. We cannot grant you access to our premises without processing this information. We process this data based on our legitimate interests to enforce suitable security measures (Art. 6 (1) (1) (f) GDPR). In limited specific cases, we may also be required by law to collect certain personal data for security, public health or other important reasons (such as information about the time and date of your visit for compliance with mandatory measures for protection against the Covid-19 pandemic). We process respective data based on Art. 6 (1) (1) (c) GDPR in connection with our relevant legal obligations.
To further ensure the safety and security of our buildings, assets, staff and visitors, we may operate a video surveillance system in certain areas of our business premises. If you visit our premises, these cameras might capture your image. We process data using video surveillance based on our legitimate interest to protect our business premises, property and information, as well as staff and visitors against threats (Art. 6 (1) (1) (f) GDPR). Video surveillance recordings are not evaluated in the regular course but only in exceptional cases, e.g. suspected criminal offences. The images are retained for a maximum of 72 hours. Thereafter, all images are deleted unless images need to be stored for further investigations or as evidence of a security incident.
6. Invitation to and participation in events
We may invite you to our events. For this purpose, we may process your name, contact details as well as relevant information on your relationship with us (e.g. business partner, press contact, etc.). The legal basis for this processing is either your consent to receive respective invitations (Art. 6 (1) (1) (a) GDPR) or our legitimate interests to maintain and further our relationship with you (Art. 6 (1) (1) (f) GDPR).
At our events, we may take photographs and, as part of this, potentially capture your image. The legal basis for this data processing is Art. 6 (1) (1) (f) GDPR as we have a legitimate interest in internally documenting our events. In case we intend to use images where you are clearly recognizable for marketing and press-related purposes, we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
Some of our events may be held digitally, e.g. as webcasts, video meetings, etc. In this case, we may process additional personal data, such as your IP address and technical information (e.g. browser version) to be able to provide you a secure and user-friendly access to the digital event. The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR as well as Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in enabling digital events to run smoothly. If you participate in a digital event and we wish to record it (e.g. video, audio), we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
If you appear as a speaker or take an active role in one of our (digital) events, please take note of additional information on data processing as part of your contractual engagement in Section 3 above.
7. Press releases and media enquiries
We send out press releases and updates with information about development projects, business updates and other initiatives to journalists and press representatives we have met (e.g. you may have given us your business card at an event). If you are such a press representative, we process your contact data to provide you with such updates based on our legitimate interest to manage our public image (Art. 6 (1) (1) (f) GDPR).
You may also contact us to receive these updates by sending us your contact details (name, e-mail address, the name of your company/institution/employer) by e-mail to [email protected]. We will then add you to the respective mailing list for relevant topics or locations. The legal basis for this processing activity is Art. 6 (1) (1) (b) GDPR (provision of updates based on your request).
You can unsubscribe from receiving press releases at any time by sending us an email to the contact address provided above.
8. Holding General Meetings
If you are a shareholder or proxy of a shareholder of Aroundtown SA, we may process your personal data in connection with the convening and holding of shareholder meetings by Aroundtown SA. This personal data may be received directly from you or provided to us by third parties (such as depository banks).
We may process your personal data for the purpose of holding the Annual General Meeting and /or an Extraordinary General Meeting and/or an Ordinary General Meeting (“General Meeting(s)”). In order to enable you to participate in and vote at the General Meetings, we may process the number of shares that you hold on the relevant record date according to the record date confirmation issued by your depository bank that is holding your shares. Additionally, we may process personal data concerning your attendance at the General Meeting(s). This includes, for example, your name, address, email address and phone number, if you will attend the General Meeting(s) in person or if you will be represented by a proxyholder, and, if applicable, the voting instructions you provided to your proxyholder. Your personal data may be processed even if you do not attend the General Meeting(s). e.g. in case you request to add items to the agenda of the General Meeting(s) and/or to table draft resolutions for items included or to be included on the agenda of the General Meeting(s) and/or you send questions to the Company about items on the agenda of the General Meeting(s) before such meeting(s). The legal basis for this processing is Art. 6 (1) (1) (c) GDPR in connection with Art. 4, Art. 5 (3), Art. 7 and Art. 9 of the Luxembourg law of 24 May 2011 on the exercise of certain rights of shareholders in general meetings of listed companies, as amended, (“Shareholders’ Rights Law”) and Art. 450-1 (2) of the Luxembourg law of 10 August 1915 on commercial companies, as amended from time to time. If we decide to or are required to hold a virtual General Meeting, we may additionally process your name, e-mail address and IP address via web conferencing tools based on our legitimate interest in enabling such virtual meetings to run smoothly and in compliance with applicable laws and regulations (Art. 6 (1) (1) (f) GDPR).
Additionally, the aforementioned personal data as well as your voting decisions will be processed in order to publish the attendance percentage and the voting results of our General Meeting(s). The legal basis for this processing is Art. 6 (1) (1) (c) GDPR in connection with Art. 11 of the Shareholders’ Rights Law.
9. Whistleblowing system of the Aroundtown group of companies
The Aroundtown group of companies has implemented a whistleblowing system that enables employees, business partners and service providers to submit reports on relevant compliance violations via different reporting channels, including the possibility to submit these reports anonymously, if you wish to do so. You may find information about the different reporting channels on our website. We offer reporting via post, email, telephone, personal meetings as well as a digital reporting system. You may access the aforementioned digital reporting system here: https://www.bkms-system.com/bkwebanon/report/clientInfo?cin=6UhYaE&c=-1&language=eng. Under this hyperlink, you will also find more detailed information on the functioning of this system, security measures and data protection in connection with the digital reporting system.
We may process personal data contained in reports from the whistleblowing system as well as any follow-up communication relating to the reported incident, including on potential witnesses and any accused persons, as part of our investigations and potential subsequent measures (e.g. disciplinary measures). If a potential whistleblower reaches out via post, telephone, email or personal meeting, they may voluntarily provide information on their contact details (such as address, telephone, email) for follow-up communication which could reveal their identity. The selected individuals handling the communication and investigations receive regular training on confidentiality and data protection and are bound to confidentiality. As part of the investigation and, depending on which Aroundtown group entity is affected by the incident, some data may be processed by said relevantly affected Aroundtown group entity.
We process this personal data based on our legitimate interests (Art. 6 (1) (1) f GDPR) to have reporting channels that enable us to receive and investigate reports on potential criminal offenses, serious compliance violations and other cases of abuse throughout the Aroundtown group of companies. Additionally, some of the Aroundtown group entities may be, or may in the future be, subject to legal obligations to introduce a respective whistleblowing system. If this is or will be the case, the legal basis for data processing is Art. 6 (1) (1) c GDPR in connection with the relevant legal obligations under the applicable national law.
10. Data processing for IT and IT security related purposes
We maintain and use IT systems for processing personal data (such as email systems). Furthermore, we are obliged to protect the personal data we hold for you, our business and contract partners and our employees. We may process your personal data to facilitate the use and management of our IT systems that are accessible to you (such as email systems or websites). For these IT systems, we have implemented and constantly update our IT security measures in order to comply with our duties imposed by the GDPR and other IT and data security laws. For the aforementioned purposes, we may process information generated by such access, such as names, email addresses and passwords, user names, nature and content of emails (including date and time), IP addresses, device information, network location. The scope of data processing depends on the respective IT system and its IT security protection measures.
This data is exclusively used to maintain and grant access to our IT systems and to ensure a proper IT security standard in this process. The legal basis for data processing is Art. 6 (1) (1) (f) GDPR, as well as Art. 6 (1) (1) (c) GDPR in conjunction with Art. 32 (1) GDPR. We have a legitimate interest in using, maintaining and protecting our IT systems from cyber-threats and other security incidents that could harm our business or your data.
We may engage service providers to provide respective IT security measures. The data transfer to those service providers is justified under Art. 28 GDPR in connection with the data processing agreement.
11. Other data processing purposes
In specific cases, we may process your personal data for the following purposes:
12. Disclosure of your data to external recipients
The legal basis for respective data transfers is Art. 28 GDPR in connection with the respective data processing agreement concluded with the recipient. Through these agreements, we have contractually bound these recipients to process your personal data only on our behalf and in accordance with our instructions.
As far as this is necessary for internal administrative and operational purposes, we may also transfer your personal data to other entities in the Aroundtown group of companies based on our legitimate interest in this regard (Art. 6 (1) (1) (f) GDPR).
13. Third country data transfers
When sharing your personal data with external recipients (see Section 12 above), some of your personal data may be transferred to other countries, including third countries outside the EU / EEA where such laws may not provide the same level of protection for your personal data as the GDPR does. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavor to take the required measures to maintain an adequate level of data protection when sharing your personal data with recipients established in such countries.
In the case of a transfer to a country outside of the EEA, this transfer is either safeguarded by a so-called adequacy decision from the European Commission declaring that such country provides for an adequate level of data protection, or, if such adequacy decision does not exist, the conclusion of EU Standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) and additional measures, if necessary.
We have reasonable state of the art security measures in place to protect against loss, misuse and alteration of personal data under our control. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we will use all reasonable efforts to prevent it.
15. Data retention period
We retain your personal data only for as long as is necessary for the purpose for which it is processed and delete it afterwards, unless we are required by law to retain it for a longer period (e.g. to comply with statutory retention obligations under tax law).
16. Data protection rights
You have the following data protection rights, depending on the circumstances of the specific case, which you may exercise by contacting us as set out in Section 17 below:
You have the right to require information as to whether your personal data is retained and request access to your personal data and/or copies of such data, including purposes of processing, the processed data categories, its recipients as well as potential data retention periods.
16.2 Rectification, restriction of processing, deletion
You have a right to request the rectification, deletion or restriction of processing of your personal data, for example if (i) it is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, or, (iii) the consent on which the processing was based has been withdrawn.
16.3 Refusal or withdrawal of your consent to data processing
You have the right to refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time.
16.4 Automated decision-making including profiling
You have the right not to be subjected to any automated decision making, including profiling, which produces legal effects on you or affects you with similar significance.
16.5 Right to data portability
You have the right to receive the data, which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from use. You also have the right to transmit this data directly to another controller, where technically feasible.
16.6 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, where we process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 (1) (1) (e) GDPR) or where we process your personal data based on our legitimate interests (Art. 6 (1) (1) (f) GDPR). In case we process your personal data for direct marketing purposes, you also have the right to object at any time.
16.7 Right to lodge a complaint with the competent supervisory authority
You have a right to take legal action against any potential breach of your rights regarding the processing of your personal data, as well as to lodge a complaint with the competent supervisory authority.
For questions, suggestions and comments on the topic of data protection, please feel free to contact our group Data Protection Officer under [email protected] concerning the processing of your personal data.
If you are an investor, please reach out to [email protected] for investor-related questions, including on data processing. Please contact this email address to be removed from investor mailing lists or newsletters to which you may be subscribed.
When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.
We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.
Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected: