The controller for the purposes of GDPR Article 24 is:
Company: Capital Bay GmbH
Street: Sachsendamm 4-5
Phone no: +49 30 1208662 0
Our corporate objective is: The acquisition and sale, brokerage, management and realisation of real estate, as well as business consultancy relating to real estate transactions. Our corporation also develops, designs and manages technical construction projects; it carries out construction projects as a general contractor. Any activities subject to authorisation as per § 34(e) of the Trade Regulation Act (GewO) or Banking Act (KWG) are excluded. In addition, the object of the company is to advise on the acquisition and sale of participations and companies of all kinds, to participate as an individually liable partner in companies and to take over the administration and management of other companies. The aforementioned activities are only ever carried out in our own name and on our own account.
For these purposes we process
and, where applicable, data provided by third parties for business purposes, which we receive either directly from you or from other sources or which we may collect automatically.
The Legal Information section of our website contains the information required by law. This also includes information on contacting us by email or there is a contact form for data subjects to use where necessary. When personal data is provided voluntarily in this way, it is automatically stored for communication or processing purposes. Personal data is not shared with third parties.
We collect a range of data and information when you visit our website. We do not use data to draw conclusions about data subjects, but instead we require it for the following:
When using our websites, the data we collect includes:
Wherever we obtain consent in order to process data for a specific purpose, the legal ground is GDPR Article 6(1)(a) for our company. If personal data needs to be processed in order to fulfil a contract where the counterparty is the data subject (e.g. delivery of goods/services or other services or return services for which personal data is required), any processing carried out is based on GDPR Article 6(1)(b), as well as for any processing required for pre-contractual measures (e.g. quotes, processing enquiries about products or services). If our company has a legal obligation to process personal data (e.g. due to tax laws), this is done in accordance with GDPR Article 6(1)(c). Where we process personal data in order to protect the vital interests of the data subject (e.g. in the event of a medical emergency) this is carried out on the basis of GDPR Article 6(1)(d). Where processing is not covered by any of the aforementioned legal authorities, but is required to safeguard a legitimate interest of our company or a third party (provided that the interests, fundamental rights and freedoms of the data subject do not predominate), such processing is permitted because it has been specifically mentioned by the legislator in Recital 47 Clause 2 of the GDPR in conjunction with Article 6(1)(f) of the GDPR. Where the processing of personal data is based on Article 6(1)(f) of the GDPR, our legitimate interest is the performance of our business objective and our business activities for the benefit of our company.
The length of time personal data is stored is based on the corresponding retention period required by law. After the period of time required by law has expired, the data concerned will be erased or – where this is not possible without unjustifiable effort – blocked. Our company processes and stores the personal data of data subjects only for as long as necessary in order to process it, in accordance with the GDPR or else national or international law that applies beyond the GDPR or another regulation which the controller is required to implement.
a.) Transparent information and communication with the data subject
In this case we will provide verification of the evidently unfounded or excessive nature of the request. Should we have reasonable doubts as to the identity of a natural person submitting a request according to Articles 15 to 21 of the GDPR, we will ask for more information necessary to confirm the identity of the data subject, without prejudice to Article 11 of the GDPR. Information that must be provided to data subjects pursuant to Articles 13 and 14 of the GDPR may be provided in combination with standardised icons to provide a meaningful overview of any intended processing in an easily visible, intelligible and clearly legible manner. Where icons are displayed electronically, we will make them available in machine-readable form (GDPR Article 12(1)).
b.) Obligation to provide information when personal data is collected from a data subject.
If our company collects personal data from a data subject, we will provide the data subject with the following information at the point in time when the data is collected:
how long personal data will be stored or, where this is not possible, the criteria determining this length of time;
If we intend to process personal data for a purpose other than that for which the personal data was collected, we will provide the data subject with information about that other purpose and any other relevant information according to paragraph (2) prior to such processing. Paragraphs (1), (2) and (3) do not apply if and to the extent that the data subject is already aware of such information (GDPR Article 13(1)).
c.) Duty to provide information if personal data has not been collected from a data subject
If personal data is not collected from a data subject, our company will notify the data subject of the following:
In addition to the information according to paragraph (1), we will provide the data subject with the following information, necessary to ensure fair and transparent processing with respect to the data subject:
Our company will provide the information as set out in paragraphs (1) and (2)
Paragraphs (1) to (4) shall not apply if and to the extent that
d) Right to confirmation
Each data subject has the right to obtain from the controller confirmation as to whether or not his or her personal data is being processed. Should this be the case, the data subject has the right to be informed (GDPR Article 15(1)).
e) Right to be informed
If a data subject’s personal data is being processed, he or she has the right to obtain information about this personal data as well as the following information (GDPR Article 15(1))
f) Right to rectification
The data subject has the right to obtain from the controller rectification of any inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed – including by means of a supplementary statement (GDPR Article 16).
g) Right to erasure (right to be forgotten)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller is obliged to erase without delay personal data where one of the following grounds applies:
If our company has made the personal data public and we are obliged to erase the personal data pursuant to paragraph (1), we shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform the controllers processing the personal data that a data subject has requested them to erase all links to, or copy or replication of, this personal data (GDPR Article 17).
h) Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies: The accuracy of the personal data is contested by the data subject and for a period of time which enables the controller to verify the accuracy of the personal data,
Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the consent of the data subject or in order to establish, exercise or defend legal claims or to protect the rights of another natural or legal person, or for reasons of an important public interest of the European Union or of a Member State. A data subject who has obtained a restriction on processing pursuant to paragraph (1) shall be informed by the controller before the restriction is lifted (GDPR Article 18).
i.) Notification obligation regarding rectification or erasure of personal data or restriction of processing
As the controller, we notify all recipients to whom personal data has been disclosed of any rectification or erasure of the personal data or of any restriction to processing in accordance with Article 16, Article 17(1) and Article 18 of the GDPR, unless this proves impossible or involves a disproportionate effort. We will inform the data subject about those recipients if the data subject requests this (GDPR Article 19).
j) Right to data portability
The data subject has the right to receive the personal data concerning him or her, that he or she has provided to our company, in a structured, commonly used and machine-readable format and has the right to transmit such data to another controller without hindrance from the controller to whom the personal data was provided, insofar as
In exercising his or her right to data portability pursuant to paragraph (1), the data subject has the right to have the personal data transmitted directly from our company to another controller, where this is technically feasible. The exercise of the right referred to in paragraph (1) of this article is without prejudice to Article 17 of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to in paragraph (1) shall not adversely affect the rights and freedoms of others (GDPR Article 20).
k) Right to object
The data subject has the right to object at any time, on grounds related to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) or (f) of the GDPR; this includes profiling based on these provisions. In the event of an objection, our company will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Where we process personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her personal data for such marketing. This also applies to profiling insofar as it relates to such direct marketing. Where the data subject objects to us processing for direct marketing purposes, then we will no longer process the personal data for such purposes. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs (1) and (2) shall be explicitly brought to the attention of the data subject; we shall convey this information clearly and separately from other information. In relation to the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. In addition, where our company processes personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless such processing is necessary for the performance of a task carried out for reasons of public interest (GDPR Article 21).
l) Automated individual decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which results in legal effects concerning him or her or similarly significantly affects him or her. Paragraph (1) shall not apply if the decision
In the cases referred to in paragraph (2)(a) and (c), we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions referred to in paragraph (2) shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR unless Article 9(2)(a) or (g) of the GDPR applies and suitable measures are in place to safeguard the data subject’s rights and freedoms and legitimate interests (GDPR Article 22).
m) Right to revoke consent to the processing of personal data
The data subject has the right to revoke consent to the processing of personal data at any time. Any data subject may exercise these rights. To do so he or she should contact our Data Protection Officer directly (firstname.lastname@example.org).
We can and may need to transfer your personal data to the following recipients in a variety of ways and for a range of purposes, as appropriate and in accordance with local laws and regulations:
If an order is being processed, this is based on an order processing contract in the meaning of Chapter 4 of the GDPR.
The provision of your personal data is required by law for our company (e.g. due to tax laws and regulations) or due to contractual regulations (e.g. information on contractual partners or subcontractors). It may be necessary for the data subject to provide us with personal data in order to enter into a contract. This therefore forms a basis for us entering into a contract. If the personal data is not provided by the data subject, it may be that a contract cannot be entered into. For clarification, the data subject can contact the Data Protection Officer who can explain whether an obligation is legal or contractual and what consequence it would have on completion of a contract should personal data not be made available.
Annex I: Our contact details
Country in which we make use of the services of companies or provide services for other companies: Federal Republic of Germany
Company responsible for processing the personal data of visitors to our website www.capitalbay.de: Capital Bay GmbH. Company responsible for processing the personal data of data subjects, clients, suppliers and the employees of our company: Capital Bay GmbH, Sachsendamm 4-5, 10829 Berlin, Germany. How to reach us:
Postal address: Capital Bay GmbH, Data Protection Officer, Sachsendamm 4-5, 10829 Berlin, Germany. Alternatively, you can contact our Data Protection Officer by email at: email@example.com. How to reach us to update your marketing preferences: Email us at: firstname.lastname@example.org
Annex II – Contact details of the appropriate local regulatory body
Contact details of the appropriate local regulatory body: For our company, based in Berlin: The Berlin Commissioner for Data Protection and Freedom of Information
Postal address: Friedrichstr. 219, 10969 Berlin, Germany
Phone: +49 30 138 89-0
Fax: +49 30 215 50 50
Jurisdiction: Federal Republic of Germany
Country-specific legal regulation: Requests to erase your data
If your data is not processed automatically and provided your data is not processed unlawfully, we are under no obligation to erase your data if erasing it would be impossible or would require disproportionate effort due to the storage method used, as long as we believe that your interest in erasing it is only minimal. If your data is processed automatically, we are also entitled to refuse to erase your data if we have reason to believe that erasing it would be contrary to your legitimate interests or if by erasing it we would be violating any legal obligation to store your data for a specified period of time. In this case, the processing of your data will instead be restricted in the manner stated in the GDPR.
The provisions applicable to employment relationships permit the processing of personal data of employees for purposes related to employment, insofar as this is necessary for recruitment-related decisions or, after recruitment, for the performance or termination of an employment contract, or in order to comply with and satisfy the rights and obligations of employee representatives as provided for by law or by labour contracts or other contracts between the employer and an employee representative body. More information can be found in § 26 of the new Federal Data Protection Act (BDSG). In Germany, we collect data on employees’ religious affiliation in order to simplify our payroll processes. Because this is required by law, we do not ask our employees for their explicit consent to process this information.
Annex IV – Data protection definitions
a) ‘Personal data’ and ‘data subject’
Personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1)). Data subject means any identified or identifiable natural person whose personal data is processed by the controller.
b) ‘Processing’
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Article 4(2)).
c) ‘Restriction of processing’
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future (GDPR Article 4(3)).
d) ‘Profiling’
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (GDPR Article 4(4)).
e) ‘Pseudonymisation’
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (GDPR Article 4(5)).
f) ‘Filing system’
A filing system means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis (GDPR Article 4(6)).
g) ‘Controller’ or ‘data controller’
Controller or data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (GDPR Article 4(7)).
h) ‘Processor’
Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (GDPR Article 4(8)).
i) ‘Recipient’
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients (GDPR Article 4(9)).
j) ‘Third party’
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (GDPR Article 4(10)).
k) ‘Consent’
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR Article 4(11)).
l) ‘Personal data breach’
Personal data breach means a breach of security leading to the destruction, loss or alteration, whether accidental or unlawful, or to the unauthorised disclosure of, or access to, personal data that were transmitted, stored or otherwise processed (GDPR Article 4(12)).
m) ‘Genetic data’
Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (GDPR Article 4(13)).
n) ‘Biometric data’
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (GDPR Article 4(14)).
o) ‘Data concerning health’
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status (GDPR Article 4(15)).
p) ‘Main establishment’
1. Main establishment means as regards a controller with establishments in more than one Member State, the place of its central administration in the European Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the European Union and this establishment has the power to have such decisions implemented; in this case the establishment, having taken such decisions, is to be considered the main establishment;
2. as regards a processor with establishments in more than one Member State, the place of its central administration in the European Union, or, if the processor has no central administration in the European Union, the establishment of the processor in the European Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this regulation (GDPR Article 4(16)).
q) ‘Representative’
Representative means a natural or legal person established in the European Union who, designated by the controller or processor in writing according to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this regulation (GDPR Article 4(17)).
r) ‘Enterprise’
Enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity (GDPR Article 4(18)).
s) ‘Group of undertakings’
Group of undertakings means a group consisting of a controlling undertaking and its dependent undertakings (GDPR Article 4(19)).
t) ‘Binding corporate rules’
Binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a corporate group or group of enterprises engaged in a joint economic activity (GDPR Article 4(20)).
u) ‘Supervising authority’
Supervising authority means an independent public authority which is established by a Member State according to Article 51 of the GDPR (GDPR Article 4(21)).
v) ‘Supervising authority concerned’
Supervising authority concerned means a supervisory authority, which is involved in the processing of personal data, because
1. the controller or processor is established on the territory of the Member State of that supervisory authority,
2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
3. a complaint has been lodged with that supervisory authority (GDPR Article 4(22)).
w) ‘Cross-border processing’
Cross-border processing means either
1. processing of personal data, which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union, where the controller or processor is established in more than one Member State; or
2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State (GDPR Article 4(23)).
x) ‘Relevant and reasoned objection’
Relevant and reasoned objection means an objection as to whether or not there is an infringement of the GDPR, or whether envisaged action in relation to the controller or processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union (GDPR Article 4(24)).
y) ‘Information society service’
Information society service means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (GDPR Article 4(25)).
z) ‘International organisation’
International organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries (GDPR Article 4(26)).
A ‘cookie’ is information that is stored on your computer’s hard drive and records how you use a website. This allows websites to offer you customised options based on information stored from your last visit. Cookies may also be used to analyse movement of data and for advertising and marketing purposes.
Cookies are used by almost all websites and do not harm your system. Should you wish to check or change what type of cookies you are accepting, you can usually do this in your browser settings.
Generally speaking, you do not have to provide personal data to be able to use our website.
However, we may need your personal data in order to provide an effective service.
This applies both when sending information as well as responding to individual enquiries.
Other personal data will only be collected if you provide this information voluntarily, for example as part of a query or when registering to receive our customer magazine. For this purpose, it may be necessary to pass on your personal data to companies that we use to provide services. These include brokers or other services.
Where we perform any of the actions listed below or any other action, or where we render a service, we would like to collect and store your personal data and will ask for your explicit consent at the appropriate point on our website:
If you have used your email address to register to receive our newsletter, we will use your email address for our own marketing purposes beyond the performance of the contract, until you unsubscribe from the newsletter.
a web analytics service offered by Google Inc. (“Google”)
Google Analytics uses so-called ‘cookies’, text files that are saved on your computer and permit an analysis of how you use this website.
The information generated by the cookie about how you use this website is usually sent to a Google server in the USA and saved there.
However, when IP anonymisation is activated on this website, your IP address will first be shortened by Google within European Union Member States or in other signatories to the Agreement on the European Economic Area. Only under exceptional circumstances will the complete IP address be sent to a Google server in the USA and shortened there.
On behalf of this website’s operator, Google uses this information to evaluate how you use the website,
The IP address communicated from your browser in the context of Google Analytics will not be linked to any other Google data.
You can stop cookies being saved by adjusting your browser software settings accordingly; we would like to point out, however, that in this case you may not be able to make full use of all the features of this website.
You can prevent Google Analytics from collecting your data by clicking on the following link: Deactivate Google Analytics. This sets an opt-out cookie that stops your data being collected on future visits to this website. The cookie has to be set again once browser data is erased.
You can also prevent Google from collecting and processing data that relates to your use of the website and that is generated by the cookie (including your IP address) by downloading and installing the browser plug-in available via the following link. The up-to-date link is tools.google.com/dlpage/gaoptout.
This information helps automatically recognise you when you next visit our websites and makes navigating easier.
Cookies allow us, for example, to adapt a website to your interests or to save your password so you don’t have to enter it every time you visit.
Naturally you are also able to browse our website without using cookies. If you don’t want us to be able to recognise your computer, you can stop cookies from being saved on your hard drive by selecting “block cookies” in your browser settings. For specific instructions please refer to instructions relevant to your browser.
However, if you choose not to accept cookies, this may limit the functionality of our website.
You can stop cookies being installed by using the corresponding setting in your browser. To do this go to your web browser and turn off the setting for saving cookies.
Every time someone visits our website or accesses a file deposited there, this is logged. These records serve a system-related and statistical purpose. The following data is recorded: date and time of the visit, duration of your visit, name of the file accessed, amount of data transferred, notification of successful access, web browser used and requesting domain.
The sole reason we collect this data is to further improve our online presence and to make our websites even better.
We only collect and store anonymised or pseudonymised data that does not allow us to identify you as a natural person.