Data privacy statement

VI. Analysis tool Google Analytics

1. Description and scope of data processing

This website uses the web analytics service Google Analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter referred to as "Google". The use includes the operating mode & Universal Analytics. This makes it possible to assign data, sessions and interactions across several devices to a pseudonymous user ID and thus, to analyse the activities of a user across all devices.

Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site. The web analysis service sets and uses these cookies to collect aggregated statistical information on the number of visitors to our website and their usage behaviour, such as the duration and frequency of visits and pages visited. The information generated by the cookies is transferred to a Google server in the USA and stored there. This information is used to evaluate the use of the website, to compile reports on website activities and to provide other services relating to website and internet use for market research purposes and to tailor these internet pages to meet requirements. Even if this information is transferred to third parties, if this is required by law or if third parties process this data on behalf of Google, your IP address will never be merged with other data from Google.

We have activated the IP anonymisation function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR. With the tracking measures we use, we want to ensure that our website is designed to meet the needs and is continually optimised. On the other hand, we use the tracking measures in order to statistically record the use of our website and to evaluate it for the purpose of optimising our offer. These interests are to be regarded as legitimate within the meaning of the aforementioned provision. If a corresponding consent was requested (e.g. consent to store cookies), the processing is based exclusively on Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

3. Purpose of data processing

The purpose of the use is the continuous optimisation and need-based design of the website.

4. Duration of the storage, objection and removal possibility

Data stored at Google at user and event level that is linked to cookies, user IDs (e.g. User ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymised or deleted after 14 months. The deletion of data whose retention period has been reached takes place automatically once a month. For details, please see the following link:
https://support.google.com/analytics/answer/7667196?hl=en.

You can prevent the storage of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and Google from processing this data by downloading and installing the browser add-on available under the following link: tools.google.com/dlpage/gaoptout. As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie is set to prevent the future collection of your data when you visit this website. The opt-out cookie applies only to this browser and only to our website and is placed on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again. Further information on data protection in connection with Google Analytics can be found in the Google Analytics help https://support.google.com/analytics/answer/6004245?hl=en.

We have concluded a data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

VII. Plug-ins and Tools

1. Google Web Fonts

This site uses so-called web fonts provided by Google for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place.

For more information on Google Web Fonts, please visit https://developers.google.com/fonts/faq and see Google's privacy policy: https://policies.google.com/privacy?hl=en

2. Google Maps

This website uses the Google Maps map service via an API. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter referred to as "Google".

To use the functions of Google Maps, it is necessary to store your IP address. This information is generally transmitted to and stored by Google on servers in the United States. The provider of this website has no influence on this data transfer.

The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Further information on the handling of user data can be found in Google's data protection declaration: https://policies.google.com/privacy?hl=en

3. Google Tag Manager

We use the tag management system "Google Tag Manager (GTM)" of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") on our website to manage JavaScript and HTML tags for tracking and analytics with our own and third-party software. Tags are small pieces of code that help us measure traffic and visitor behaviour, understand the impact of our advertising, set up remarketing and targeting, and test and optimise our website, among other things. GTM is only an auxiliary service that facilitates the integration and management of our tags via an interface. GTM only implements tags, which means it does not set its own cookies (when empty) and does not collect any personal data itself. It triggers other tags, which in turn may collect personal data. However, the GTM does not access this data.

If deactivation has been carried out at domain or cookie level, it remains in place for all tracking tags insofar as these are implemented with the Google Tag Manager. These processing operations are only carried out if explicit consent has been given in accordance with Art. 6 para. 1 lit. a GDPR.

For more information on the Google Tag Manager and Google's privacy policy, please visit https://policies.google.com/privacy?hl=en and https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

4. Microsoft Clarity

Microsoft Clarity is used for statistical analysis of user behaviour and for optimisation and marketing purposes. The provider of the tool is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft").

Microsoft Clarity collects, among other things, the following user data

• access time and duration
• operating system and platform
• IP address
• cursor and scroll movements, clicks and mouse-overs

All processing described above, in particular the setting of cookies for reading out information on the end device used, is only carried out if you have given us your express consent to do so in accordance with Art. 6 Para. 1 lit. a GDPR. You can revoke this at any time with effect for the future. To exercise your revocation, please deactivate this service in the cookie consent tool provided on the website.

Collected information may be transmitted to Microsoft servers in the USA and stored there. We have concluded an order processing agreement with Microsoft, with which we oblige Microsoft to protect our customers' data and not to pass it on to third parties.

For more information on the data protection provisions of Microsoft Clarity, please visit clarity.microsoft.com/terms.

5. YouTube and Vimeo

We use YouTube and Vimeo video platform services on this website to display videos in various formats and qualities and ensure that the videos are displayed correctly on all end devices.The provider of YouTube videos is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider behind Vimeo is Vimeo LLC, 555 West 18th Street, New York, NY 10011, USA.

To use the features of the video players, it is necessary to save your IP address. This information is usually transmitted to a server of the video platforms in the USA and stored there. The provider of this website has no influence on this data transmission. The video platforms provide the video in different formats and qualities and ensure a correct display of the videos on all end devices.

When you visit one of our pages equipped with a Vimeo video, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. In addition, Vimeo obtains your IP address. This also applies if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo is transmitted to the Vimeo server in the USA. If you are logged into your Vimeo account, you enable Vimeo to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Vimeo account. Vimeo uses cookies or comparable recognition technologies (e.g. device fingerprinting) to recognise website visitors.

YouTube and Vimeo are used in the interest of an appealing, audiovisual presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is based exclusively on Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on "legitimate business interests".

Further information on the handling of user data can be found in the privacy policy of Google https://policies.google.com/privacy?hl=en and Vimeo: https://vimeo.com/privacy

6. Microsoft Teams - video conference

Apartmentservice use the “Microsoft Teams” tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: “online meetings”). “Microsoft Teams” is a service from Microsoft Corporation.
When using “Microsoft Teams”, different types of data are processed. The extent of the data also depends on what data information you provide before or when participating in an “online meeting”.

Note: If you access the “Microsoft Teams” website, the “Microsoft Teams” provider is responsible for data processing. However, to use “Microsoft Teams”, you only need to visit the website to download the software for using “Microsoft Teams”.
If you do not want to or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” via your browser. The service is then also provided via the “Microsoft Teams” website.
We use “Microsoft Teams” to conduct “online meetings”. If we want to record “online meetings”, we will inform you transparently in advance and – if necessary – ask for your consent.

The following personal data are the subject of processing:

• IP address
• User information: username, display name, email address, if applicable, profile picture, information (optional information), preferred language, etc.
• Meeting metadata: meeting ID, participant IP addresses, service data for the respective session and use of the system (data from devices/hardware used, operating system, time zone), telephone numbers (if dialed in by telephone), location, name of the meeting and If applicable, password from the host, date, time and duration, activities recorded in the meeting (such as joining and leaving), including activities related to third-party integrations, together with the date, time, person participating in the activity and other participants in the meeting with date, time, duration.
• Chat, audio and video data: In order for audio and video transmission to take place, the application needs access to your microphone or video camera. You can mute or switch these off yourself at any time. Any text entries you may have made in the chat will also be processed and saved.

This data is processed exclusively to handle communication via Microsoft Teams, to collaborate on joint projects, to secure the IT systems against unauthorized access by third parties and to improve system stability. No further processing of your personal data takes place.

The legal basis for the processing of your log data is Article 6 Paragraph 1 Sentence 1 Letter a GDPR. Your consent is voluntary: If you do not want to take part in a video conference or an exchange via Microsoft Teams, you have the option of using another communication system such as the telephone or an exchange via email instead.

If necessary, content provided by you will be further processed as part of our public mandate. The legal basis for this further processing is Article 6 Paragraph 1 Sentence 1 Letter e, Paragraph 3, Section 4 LDSG.

Cookies

Microsoft Teams verwendet temporäre und permanente Cookies:
[*.]microsoft.com
[*.]microsoftonline.com
[*.]teams.skype.com
[*.]teams.microsoft.com
[*.]sfbassets.com
[*.]skypeforbusiness.com.

Information about Microsoft's use of cookies can be found at Microsoft's data protection declaration - Microsoft data protection.

Legal basis: Setting cookies is necessary to fulfill the contract (Art. 6 Para. 1 lit. b) GDPR)

You can deactivate the storage of cookies via your browser settings and delete cookies that have already been saved in your browser at any time. Please note, however, that this online offer only works to a limited extent without cookies.

Order processing and processing of your data by Microsoft Corporation

Microsoft Teams is an application from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America. Microsoft's European office, Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland is our data processor for the provision of the Teams application. For this purpose, data traffic is primarily routed via European data centers; only in the event of failures or capacity bottlenecks is transport via servers in third countries, especially the USA, reserved. This is done on the basis of Commission Implementing Decision (EU) 2019/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/976, which is set out in accordance with our license agreement with Microsoft in the Microsoft Data Protection Addendum (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?lang=1&year=2024). Furthermore, Microsoft claims to process the following additional personal data when using Microsoft Teams: support and feedback data, which you may transmit to Microsoft as part of your use, as well as diagnostics and service data, i.e. data in connection with the use of the service (these personal data enable Microsoft to provide the service [troubleshooting, securing and updating the product, and monitoring performance] as well as performing some internal business operations such as determining revenue, developing metrics, determining service usage, performing product and capacity planning). Use for your own purposes to
this extent is a mandatory requirement for concluding a license agreement with Microsoft; Any dispositive uses beyond this for your own purposes are contractually excluded. To this extent, Microsoft Corporation is an independent data controller in accordance with its data protection regulations (
https://docs.microsoft.com/de-de/microsoftteams/teams-privacy ) and is therefore responsible for compliance with data protection requirements. This processing by Microsoft is based on the legitimate interests of Microsoft (Art. 6 Para. 1 Sentence 1 Letter f, Recital 47 GDPR).

Data deletion and storage period

We generally delete personal data if there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after the respective retention obligation has expired.

Data processed by Microsoft will be stored and deleted in accordance with their data protection declaration for the “minimum period necessary for provision” (see https://docs.microsoft.com/de-de/microsoftteams/teams-privacy ).

Third country

In principle, data processing outside the European Union (EU) does not take place, as we have limited our storage location to data centers in the European Union. However, we cannot rule out that data is routed via internet servers located outside the EU. This can be the case in particular if participants in an “online meeting” are in a third country. Access to data from third countries cannot be ruled out in individual cases in support and maintenance cases or when processing by Microsoft for business purposes.
However, the data is encrypted during transport over the Internet and is therefore protected from unauthorized access by third parties.

Your rights

If your personal data is processed, you have the right to receive information about the data stored about you (Article 15 GDPR). If incorrect personal data is processed, you have the right to correction (Art. 16 GDPR). If the legal requirements are met, you can request deletion or restriction of processing and object to processing (Articles 17, 18 and 21 GDPR). If you have consented to data processing or there is a contract for data processing and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR). If you have consented to the processing by making a corresponding declaration, you can revoke your consent at
any time in the future (Art. 7 Para. 3 GDPR). This does not affect the lawfulness of data processing carried out based on consent until its revocation.

You can also assert these rights against Microsoft for data processing by Microsoft. To do this, please contact their EU Data Protection Officer, Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland / Telephone: +353 1 706 3117.

7. Microsoft Forms - Surveys

Apartmentservice uses the tool "Microsoft Forms" to conduct surveys and polls in Forms or in online meetings, video conferences, and/or webinars. Microsoft Forms is a service provided by Microsoft Corporation. The processing is carried out on behalf of Apartmentservice by

Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
Irland

Please note that this privacy notice only informs you about the processing of your personal data by Apartmentservice when using a Microsoft Forms survey. If you need information about the processing of your personal data by Microsoft, we ask you to refer to the respective statement at Microsoft. You can find more information from Microsoft on this topic:
Microsoft Servicevertrag Security and Privacy in Microsoft Forms

When using Microsoft Forms, various types of data are processed. The scope of the data also depends on the information you provide when participating in a poll or survey in Forms, especially when questions are formulated as "open-ended." The following personal data is subject to processing:

1. IP address
2. Username, display name, email address
3. Profile picture (optional, if stored in Microsoft 365)
4. Preferred language
5. Status (optional, if stored in Microsoft 365)
6. Date and time of opening the questionnaire
7. Date and time of submitting the response

Legal basis:

The legal basis for this processing depends on the specific context in which the survey is conducted. It may be necessary for the performance of a contract (Art. 6(1)(b) GDPR) or for the legitimate interests pursued by us or third parties (Art. 6(1)(f) GDPR).
Your personal data may be processed by Apartmentservice due to other legal obligations, such as a court order. Legal basis due to legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR).
Participation in surveys and/or polls is voluntary in principle.

8. SoSciSurvey

Apartmentservice uses the tool SoSciSurvey to conduct surveys and polls. When processing the surveys, the data you provide within the survey are collected. Additionally, metadata such as browser identification, the operating system used, or language settings are stored to ensure the survey is displayed correctly. The metadata, along with the submitted request (internet address) and timestamp, are standardly stored in a logfile on the server – including with SoSciSurvey. However, the servers are configured in a way that IP addresses are not stored in the access logfiles. This prevents the reconstruction of IP addresses even through the combination of survey timestamps and server logfiles. Cookies are not used. The servers for SoSciSurvey.de are located in Munich.

Information about SoSciSurvey: SoSci Survey GmbH, Marianne-Brandt-Str. 29, 80807 Munich, Germany. Further information regarding the third-party's privacy policy can be found on the following webpage of SoSciSurvey: https://www.soscisurvey.de/help/doku.php/de:general:privacy

9. Captcha GmbH

We use the Captcha service. This service is provided by Captcha GmbH, Muthgasse 2, 1190 Vienna, Austria.

Captcha is a protection solution to make it more difficult for automated programmes and scripts (so-called "bots") to use our website. A JavaScript element is integrated into the source code, which loads the software in the background. Your end device calculates the solution to a crypto puzzle for the service, which is used to determine whether the visitor is a human or whether it is being misused by automated, machine processing (e.g. bots).

For this purpose, we have integrated a Captcha programme code into our website, for example for contact forms, enquiries and orders.

The legal basis for this processing is therefore our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR and serves to prevent potentially fraudulent activities on our website.

• The data is used exclusively to protect against spam and bots as described above.
• Captcha GmbH does not set or read any cookies on the visitor's end device.
• The last IP addresses are only stored in hashed, i.e. one-way encrypted form and do not allow us or Captcha GmbH to draw any conclusions about an individual person.

Further information on the handling of user data can be found in the privacy policy of Captcha GmbH https://www.captcha.eu/dsgvo-user

VIII. Newsletter

1. Description and scope of data processing, disclosure to third parties

On our website there is the possibility to subscribe to a free newsletter (in German language only). The registration takes place via the forwarding to the website www.soapart-insight.de.

When registering for the newsletter, the e-mail address (mandatory field) and the name (voluntary) from the input mask are transmitted to us. In addition, the following data is collected during registration:

• IP adresse of the calling computer
• datum and time of registration

This website uses the services of MailChimp for this purpose. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service with which, among other things, the sending of e-mail marketing campaigns can be organized and analyzed. If you enter data for the purpose of receiving corresponding campaigns (e.g. e-mail address), this data will be stored on MailChimp's servers in the USA. MailChimp includes the EU standard contractual clauses in its data processing addendum and thus ensures compliance with European data protection standards in the USA. MailChimp enables us to analyse our email marketing campaigns. When you open an email sent with MailChimp, a file contained in the email (known as a web beacon) connects to MailChimp's servers in the USA. This makes it possible to determine whether an email message has been opened and which links, if any, have been clicked. In addition, technical information is collected (e.g. time of retrieval, IP address, browser type and operating system). This information cannot be assigned to the respective e-mail recipient. It is used exclusively for statistical analysis of the campaigns. The results of these analyses can be used to better adapt future campaigns to the interests of the recipients.

For the processing of data, your consent is obtained during the registration process and reference is made to this privacy policy. There is no transfer of data to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.

2. Legal basis for the data processing

The legal basis for the processing of data by the user after registration for the newsletter is Art. 6 para. 1 lit. a GDPR if the user has given his consent.

3. Purpose of data processing

The collection of the user's e-mail address serves to deliver the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Accordingly, the e-mail address and the name of the user are stored as long as the subscription to the newsletter is active.

5. Possibility of objection and removal

If you do not want MailChimp to analyse your data, you can unsubscribe from the newsletter at any time. For this purpose, there is a corresponding link in each newsletter. This also enables revocation of consent to the storage of personal data collected during the registration process.
For more information on the handling of user data, please refer to MailChimp's privacy policy https://mailchimp.com/gdpr/.

IX. Payment Processing

On our website, it is possible to purchase a paid subscription for our online magazine. Registration is done by redirecting to the website https://www.soapart-insight.de/.

To access all content as a reader, we offer various subscriptions (insight+). For payment processing, we use the services of Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA. Responsible for the collection and processing of personal data of individuals residing in the European Economic Area (EEA), the United Kingdom, and Switzerland is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland ("Stripe"). For the payment method "Credit Card," payment processing is handled by the Payment Service Provider Stripe Payments UK, Ltd., 7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, United Kingdom. We do not store credit card information in connection with processing the payment. Instead, the credit card data is collected directly by Stripe. The information provided during the order process along with details of your order (name, address, possibly credit card number, invoice amount, currency, and transaction number) will be processed there. Your data will only be disclosed for the purpose of payment processing with the aforementioned Payment Service Provider. The legal basis for the data processing associated with the use of Stripe is Art. 6 Para. 1 lit. b GDPR.

Stripe also collects additional data for its own purposes such as abuse prevention, product development, and marketing purposes. This includes, in particular, technical usage data (IP address, device identifier, or operating system information).

Data processing by Stripe takes place partly on servers in the USA. In the event that personal data is transferred to the USA and it is necessary to ensure that an international data transfer is governed by a data transfer mechanism, the EU Standard Contractual Clauses apply. Stripe commits to ensuring compliance with European data protection principles and the local level of data protection even in the context of data processing in the USA.

After completing the payment, you will receive a payment receipt by email. Stripe informs us of the receipt of payment, and we store the information regarding the payment receipt as well as details of the ordered content or type of subscription, duration, fee, cancellation conditions, and the chosen payment method in connection with your insight+ account, to be able to assign and verify received payments and manage your ordered content in your SO!APART insight+ account. Details of completed payments are kept for accounting purposes in connection with registration data for a period of ten years. The legal basis for this storage is Art. 6 Para. 1 lit. c GDPR in connection with § 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code).

For more information on data processing by Stripe, please refer to Stripe's privacy policy at https://stripe.com/at/privacy.

X. Career

See separate data protection information for applicants (available in German language only)

XI. Contact form, inquiry form, e-mail or telephone contact

1. Description and scope of data processing

Our website contains various contact and inquiry forms that can be used for electronic contact. If a user makes use of this possibility, the data entered in the input screen will be transmitted to us and stored. These data are (* = mandatory field):

• company name
• position
• salutation*
• first name
• surname*
• street
• house number
• post code
• town
• country
• telephone number*
• e-Mail address*
• destination where the apartment is required or specific house name*
• number of requested apartments
• number of adults
• number of children
• age of children
• date of arrival*
• date of departure*
• budget
• annotations
• purpose of stay*
• request for landlord´s confirmation of residence
• request for payment with AirPlus payment solution

At the time the message is sent, the following data is also stored:

• IP adresse of the user
• date and time of registration

Your consent will be obtained for the processing of the data as part of the sending process and reference will be made to this data protection declaration. Alternatively, it is possible to contact us via the e-mail address provided or by telephone. In this case, the personal data of the user transmitted with the e-mail or in the telephone call will be stored. In this context, the data will not be passed on to third parties without your consent. The data will be used exclusively for the processing of the conversation.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given his consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

The processing of the personal data from the input mask serves us exclusively for the processing of the establishment of contact. In the case of contacting us by e-mail, this also constitutes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as they are no longer required for the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the relevant facts have been conclusively clarified. Apartmentservice deletes all data of inquiries which did not result in a reservation after one year.

5. Objection and removal possibility

Many data processing operations are only possible with your explicit consent.The user has the possibility to revoke his consent to the processing of his personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. The user should address his objection to the consent and/or the objection to the storage in writing to the above address or by e-mail to datenschutzapartmentservicede if possible. In this case, all personal data stored in the course of establishing contact will be deleted.The legality of the data processing carried out until the revocation and mandatory legal provisions - in particular retention periods - remain unaffected by the revocation.

XII. Rights of the data subject

If personal data is processed by you, you are the data subject within the meaning of the GDPR and you are entitled to the following rights towards the controller:

1. Right of information

You may request confirmation from the controller as to whether personal data concerning you will be processed by us. In the event of such processing, you may request the controller to provide you with the following information:

• the purposes for which the personal data will be processed;
• the categories of personal data processed;
• the recipients or categories of recipients to whom the personal data relating to you has been or will be disclosed;
• the planned duration of the retention of the personal data concerning you or, if it is not possible to provide specific information in this respect, criteria for determining the retention period;
• the existence of a right to rectify or erase personal data concerning you, a right to limit the processing by the controller or a right to object to such processing;
• the existence of a right of appeal to a supervisory authority;
• any available information on the origin of the data, if the personal data are not collected from the data subject;
• the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.

You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

You have the right to have your personal data rectified and/or completed by the controller if the personal data processed concerning you is inaccurate or incomplete. The controller must carry out the rectification without delay.

3. Right to limit the processing

Under the following conditions, you may request that the processing of your personal data be restricted:

• if you dispute the accuracy of the personal data concerning you for a period of time which allows the controller to verify the accuracy of the personal data;
• the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
• the controller no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defence of legal claims, or
• if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been established whether the justified reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data may not be processed - apart from their storage - without your consent or for the purpose of asserting, exercising or defending legal rights or protecting the rights of another natural or legal person or for reasons of an important public interest of the union or of a member state. If the processing restriction has been limited in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right of erasure

a. Cancellation obligation

You may request the controller to delete the personal data concerning you immediately and the controller is obliged to erase such data immediately if one of the following reasons applies:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
• The personal data concerning you have been processed unlawfully.
• The erasure of your personal data is necessary to fulfil a legal obligation under union law or the law of the member states to which the controller is subject.
• The personal data relating to you have been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

b. Information to third parties

If the controller has made the personal data concerning you public and is obliged to delete them in accordance with Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the controller for data processing who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.

c. Exceptions

The right to deletion does not exist if the processing is necessary:

• for the exercise of freedom of expression and information;
• to fulfil a legal obligation which the processing requires under the law of the union or of the member states to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
• for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under section a) presumably makes it impossible or seriously impairs the attainment of the objectives of such processing, or
• for the assertion, exercise or defence of legal claims.

5. Right for information

If you have exercised the right to rectify, cancel or limit the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, cancellation or limitation of the processing, unless this
proves impossible or involves a disproportionate effort. You have the right to be informed of such recipients by the controller.

6. Right to data transferability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without being hindered by the controller to whom the personal data have been provided, provided that the processing is based on an agreement pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out using automated procedures. In exercising this right, you also have the right to have the personal data relating to you transferred directly by one responsible party to another responsible party, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this. The right to data transfer does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. The controller will no longer process the personal data relating to you unless he can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (objection pursuant to Art. 21 (1) GDPR).

If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes (objection pursuant to Art. 21 (2) GDPR). In connection with the use of information society services, you may exercise your right of objection by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC - exercise your right of objection by means of automated procedures using technical specifications.

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent until you revoke it.

9. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state where you are staying, at your place of work or at the place where the alleged infringement is alleged, if you consider that the processing of your personal data is contrary to the GDPR. The supervisory authority to which the complaint was submitted informs the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

The supervisory authority can be reached via the following contact details:

Berlin Commissioner for Data Protection and Freedom of Information
Meike Kamp
Alt-Moabit 59-61
10555 Berlin
Germany

Phone: +49 (0)30 138890
Fax: +49 (0)30 2155050
E-mail: mailbox@datenschutz-berlin.de

XIII. Data security

This website uses SSL or TLS encryption in conjunction with the highest level of encryption supported by your browser for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We also make use of suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

XIV. Objection to advertising e-mails

We hereby object to the use of contact data published within the scope of the imprint obligation for the purpose of sending advertising and information material that has not been expressly requested. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

XV. Up-to-dateness and amendment of this data protection declaration

This data protection declaration is currently valid and as of April 30, 2024.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may be necessary to change the data protection declaration. You can call up and print out the current data protection declaration at any time on the website at https://www.apartmentservice.de/en/legal/data-privacy-statement