Data protection

1 Introductory remarks

This Privacy Policy explains how Capital Bay[1] (“Capital Bay”, “we”, “us” or “our”) handles data protection. It clarifies how we collect, use and process your personal data and how this complies with the legal obligations we carry towards you. We also make reference to the rights to which you are entitled according to current law. The protection of your data is very important to us and we have made it our duty to protect and preserve your data protection rights and to meet the requirements set out in the General Data Protection Regulation (Regulation (EU) 2016/679) as well as in German legislation. We only ever process your personal data in accordance with the General Data Protection Regulation (hereinafter referred to as GDPR). Generally speaking, you are able to use our website without providing any personal data. It may become necessary to process your personal data in order to handle your query in greater detail or should you wish to make use of our services. Should this be necessary and where we do not have statutory grounds authorising us to do so, we will always obtain your consent as the individual concerned (hereinafter referred to as ‘data subject’*). (*For the sake of clarity, we use the term ‘data subject’.) As a basic rule, we process personal data such as your name, address and contact information, which may be your email address or telephone number. We may need to process other personal data in order to fulfil our corporate objective. We have compiled lists of processing practices that document this. To help us put data protection and data security (GDPR Article 34) into action, we have created a data protection plan and implemented it on a risk basis using data protection impact assessments (GDPR Article 35) as well as technical and organisational measures (TOM). This also allows us to safeguard web-based and internet-based data transmission.
Nevertheless, these can still be compromised by security flaws for which we bear no responsibility, which is why we provide other ways for you to share personal data with us, such as by telephone, fax or post. Please note: this Privacy Policy will be amended as necessary.    

[1] Capital Bay includes the following companies:

  • Germany: Capital Bay Real Estate Management GmbH as well as their subsidiaries and branches
  • Luxembourg: Capital Bay Fund Management / Capital Bay R.E.I.M. as well as their subsidiaries and branches

2 Data protection terms

Our Privacy Policy is predicated on the terms and their explanations documented by European regulators through the enactment of the General Data Protection Regulation (GDPR). The aim of our Privacy Policy is to explain how we implement data protection in an easy-to-read and coherent manner to anyone who reads it, in particular our clients, suppliers and data subjects. Please refer to the annex to this Privacy Policy for definitions of terms. They follow the wording of the law and are provided with sources.

3 Who is responsible for your Personal Data

Capital Bay may collect, use, share and otherwise process your Personal Data in connection with your relationship with us as a Capital Bay client, as someone acting for a client or as someone generally interested in our services and our publications, in accordance with applicable data privacy laws and regulations, which include the GDPR.

We control the ways your Personal Data are collected and the purposes for which we use your Personal Data acting as “data controller” for the purposes of the GDPR.

We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our staff and clients.

For these purposes we may process the following categories of data:

  • tenant, client and supplier data
  • applicant data 
  • and, where applicable, data provided by third parties for business purposes, which we receive either directly from you or from other sources or which we may collect automatically.

4 Contacting us via our website

The Legal Information section of our website contains the information required by law. This also includes information on contacting us by email; a contact form is also available for data subjects to use where necessary. When personal data is provided voluntarily in this way, it is automatically stored for communication or processing purposes. Personal data is not shared with third parties.

5 How do we collect data and information

We collect a range of data and information when you visit our website. We do not use data to draw conclusions about data subjects, but instead we require it for the following:

  • to ensure our website works properly and the content is correct,
  • to optimise this content,
  • to fulfil our legal obligations in the context of law enforcement in the event of an attack on our IT systems.

When using our websites, the data we collect includes:

  • the browser type used, including the version,
  • the operating system used,
  • the website and subpages (referrers) from which our website is reached,
  • date and time of access as well as the IP address,
  • the provider of the accessing system,

as well as other similar data and information that serve as a safeguard in the event of an attack on our IT systems. We also process personal data made available to us by means other than the internet (e.g. by post) and which we need in order to meet our corporate objectives. We process this data manually as well as automatically. We do not use automatic decision-making or profiling systems.  

6 Data protection for application processes

Capital Bay collects and processes the personal data of applicants in order to complete the application process. This process can be electronic, for example when applications are made by email or via web form. Where an employment contract is signed between the data subject (applicant) and Capital Bay, the data conveyed is stored to enable us to carry out the employment relationship in accordance with legal requirements (please see the annex entitled “Country-specific provision to the Privacy Policy – Employment data”). If an application is not successful, then the application documents are deleted two months after the applicant has been informed of the outcome, unless other legitimate interests of the controller or any legal requirements prevent them from being deleted. A legitimate interest in this sense is, for example, the obligation to provide evidence in proceedings covered by the General Act on Equal Treatment (AGG).  

7 Legal grounds for processing

Wherever we obtain consent in order to process data for a specific purpose, the legal ground is GDPR Article 6(1)(a). If personal data needs to be processed in order to fulfil a contract where the counterparty is the data subject (e.g. delivery of goods/services or other services or return services for which personal data is required), any processing carried out is based on GDPR Article 6(b), as is any processing required for pre-contractual measures (e.g. quotes, processing enquiries about products or services). If we have a legal obligation to process personal data (e.g. due to tax laws), this is done in accordance with GDPR Article 6(1)(c). Where we process personal data in order to protect the vital interests of the data subject (e.g. in the event of a medical emergency) this is carried out on the basis of GDPR Article 6(1)(d). Where processing is not covered by any of the aforementioned legal authorities, but is required to safeguard our legitimate interest or that of a third party (provided that the interests, fundamental rights and freedoms of the data subject do not predominate), such processing is permitted because it has been specifically mentioned by the legislator in Recital 47 Clause 2 of the GDPR in conjunction with Article 6(1)(f) of the GDPR. Where the processing of personal data is based on Article 6(1)(f) of the GDPR, our legitimate interest is the performance of our business objective and our business activities for the benefit of Capital Bay.

8 Erasing and blocking personal data

The length of time personal data is stored is based on the corresponding retention period required by law. After the period of time required by law has expired, the data concerned will be erased or – where this is not possible without unjustifiable effort – blocked. Capital Bay processes and stores the personal data of data subjects only for as long as necessary in order to process it, in accordance with the GDPR or else national or international law that applies beyond the GDPR or another regulation which the controller is required to implement.  

9 Rights of the data subject

a) Transparent information and communication with the data subject

Capital Bay takes adequate steps to convey to the data subject all information referred to in Articles 13 and 14 and all communications referred to in Articles 15 to 22 and Article 34 of the GDPR relating to processing, in a precise, transparent, comprehensible and easily accessible form and in clear and simple language; this applies in particular to information aimed specifically at children. The information will be provided in writing or in another form, where appropriate by electronic means. Information can be provided orally where requested by the data subject, provided that the identity of the data subject has first been verified by other means. We make it easier for the data subject to exercise his or her rights according to Articles 15 to 22 of the GDPR. In the cases referred to in Article 11(2) of the GDPR, we may only refuse to act in response to a data subject’s request to exercise his or her rights according to Articles 15 to 22 of the GDPR if we can substantiate that we are unable to identify the data subject. We will inform the data subject of any actions taken in response to a request according to Articles 15 to 22 of the GDPR without delay, and at any rate within one month of receiving the request. This may be extended by a further two months should the complexity and number of requests make this necessary. We will inform the data subject within one month of receiving the request that we are extending the time period, together with the reasons for the delay. If the data subject has submitted a request electronically, we will wherever possible respond to the subject by electronic means. If we have not acted on the request of the data subject, we will inform the data subject of this without delay, and at any rate within one month of receiving the request, stating the reasons for the delay and explaining the options of lodging a complaint with a regulatory body or applying for legal redress.
Information referred to in Articles 13 and 14 of the GDPR and all notifications and measures referred to in Articles 15 to 22 and Article 34 of the GDPR are made available by us free of charge. Where a data subject makes evidently unfounded or excessive requests, in particular in the case of frequent repeat requests, we may either

  • charge an appropriate fee to cover the administrative cost of notification, communication or implementation of the requested measure, or
  • we may refuse to act on the request.

In this case we will provide verification of the evidently unfounded or excessive nature of the request. Should we have reasonable doubts as to the identity of a natural person submitting a request according to Articles 15 to 21 of the GDPR, we will ask for more information necessary to confirm the identity of the data subject, without prejudice to Article 11 of the GDPR. Information that must be provided to data subjects pursuant to Articles 13 and 14 of the GDPR may be provided in combination with standardised icons to provide a meaningful overview of any intended processing in an easily visible, intelligible and clearly legible manner. Where icons are displayed electronically, we will make them available in machine-readable form (GDPR Article 12(1)). 

b) Obligation to provide information when personal data is collected from a data subject

If we collect personal data from a data subject, we will provide the data subject with the following information at the point in time when the data is collected:

  • the name and contact details of the controller and, where appropriate, his or her representative,
  • the contact details of the data protection officer, where appropriate,
  • the purposes for which personal data is to be processed and the legal grounds for processing it,
  • where processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or a third party,
  • the recipients or categories of recipients of the personal data, where appropriate; and
  • where appropriate, our intention to transfer personal data to a third country or international organisation as well as the existence or absence of an adequacy decision by the Commission or, in the case of data transfers according to Article 46 or Article 47 or Article 49(1)(2) of the GDPR, reference to suitable or appropriate safeguards and how to obtain a copy of them or else where they can be found.

In addition to the information pursuant to paragraph 1, at the time this data is collected we will provide the data subject with the following additional information, necessary to ensure fair and transparent processing:

  • how long personal data will be stored or, where this is not possible, the criteria determining this length of time;
  • the existence of a right to be informed by the controller regarding the personal data concerned and the right to rectify or delete or restrict processing or a right to object to processing and the right to data portability;
  • where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of a right to withdraw consent at any time without affecting the lawfulness of any processing carried out on the basis of this consent until it was withdrawn;
  • the existence of a right of appeal to a regulatory body;
  • whether providing personal data is required by law or contract or is necessary to enter into a contract, whether the data subject is obliged to provide personal data and the possible consequences of not providing this personal data; and
  • the existence of automated decision-making including profiling, according to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing for the data subject.

If we intend to process personal data for a purpose other than that for which the personal data was collected, we will provide the data subject with information about that other purpose and any other relevant information according to paragraph (2) prior to such processing. Paragraphs (1), (2) and (3) do not apply if and to the extent that the data subject is already aware of such information (GDPR Article 13(1)). 

c) Duty to provide information if personal data has not been collected from a data subject

If personal data is not collected from a data subject, we will notify the data subject of the following:

  • the name and contact details of the controller and, where appropriate, his or her representative;
  • in addition, the contact details of the data protection officer;
  • the purposes for which personal data is to be processed and the legal grounds for processing;
  • the categories of personal data being processed;
  • the recipients or categories of recipients of the personal data, where appropriate;
  • where appropriate, the intention of the controller to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of data transfers pursuant to Article 46 or Article 47 or Article 49(1)(2) of the GDPR, reference to suitable or appropriate safeguards and the option of obtaining a copy of them or where they can be found.

In addition to the information according to paragraph (1), we will provide the data subject with the following information, necessary to ensure fair and transparent processing with respect to the data subject:

  • how long personal data will be stored or, where this is not possible, the criteria determining this length of time;
  • where processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or a third party;
  • the existence of a right to be informed by the controller regarding the personal data concerned and the right to rectify or delete or restrict processing and right to object to processing and the right to data portability;
  • where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of a right to withdraw consent at any time without affecting the lawfulness of any processing carried out on the basis of this consent until it was withdrawn;
  • the existence of a right of appeal to a regulatory body;
  • where the personal data comes from and, where appropriate, whether it originates from publicly accessible sources;
  • the existence of automated decision-making including profiling, according to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing for the data subject.

We will provide the information as set out in paragraphs (1) and (2)

  • in due consideration of specific circumstances surrounding the processing of personal data, within a reasonable timeframe after obtaining the personal data, but within one month at the latest,
  • if personal data is to be used for communications with a data subject, at the latest at the time of the first communication to the data subject, or,
  • if data is to be disclosed to another recipient, at the latest at the time of initial disclosure.

If we intend to process personal data for a purpose other than that for which the personal data was obtained, we will provide the data subject with information about that other purpose and any other relevant information according to paragraph (2) prior to such processing. Paragraphs (1) to (4) shall not apply if and to the extent that

  • the data subject already has this information,
  • providing such information proves impossible or would require a disproportionate effort; this applies in particular to processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and guarantees referred to in Article 89(1) of the GDPR, or where the obligation referred to in paragraph (1) of this article is likely to render impossible or seriously prejudice the attainment of the objectives of such processing. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making such information available to the public,
  • collection or disclosure is expressly regulated by EU or Member State law, to which the data controller is subject, and which provides for appropriate measures to protect the legitimate interests of the data subject, or
  • the personal data is subject to professional secrecy according to EU or Member State law, including a statutory obligation of secrecy, and must therefore be treated as confidential (GDPR Article 14(1)).

 

 

d) Right to confirmation 

Each data subject has the right to obtain from the controller confirmation as to whether or not his or her personal data is being processed. Should this be the case, the data subject has the right to be informed (GDPR Article 15(1)).

e) Right to be informed 

If a data subject’s personal data is being processed, he or she has the right to obtain information about this personal data as well as the following information (GDPR Article 15(1)):

  • the purposes of processing,
  • the categories of personal data being processed,
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations,
  • where possible, the intended length of time for which the personal data will be stored or, where this is not possible, the criteria for determining this length of time,
  • the existence of a right to rectify or erase personal data concerning him or her or to restrict processing by the controller or of a right to object to such processing,
  • the existence of a right to appeal to a regulatory body,
  • if personal data is not collected from the data subject: all information available about where the data comes from,
  • the existence of automated decision-making including profiling, according to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing for the data subject.

Where personal data is transferred to a third country or international organisation, the data subject has the right to be informed of any appropriate safeguards according to Article 46 in connection with the transfer (GDPR Article 15(2)). We will provide one copy of the personal data being processed. All further copies requested from us by the data subject will incur a reasonable fee to cover administrative costs. For requests made electronically, we will make the information available in a commonly used electronic format, unless otherwise requested (GDPR Article 15(3)). 

f) Right to rectification 

The data subject has the right to obtain from the controller rectification of any inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed – including by means of a supplementary statement (GDPR Article 16). 

g) Right to erasure (right to be forgotten) 

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller is obliged to erase without delay personal data where one of the following grounds applies:

  • the personal data is no longer required for the purposes for which they were collected or otherwise processed,
  • the data subject withdraws his or her consent on which processing was based according to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there are no other legal grounds for the processing,
  • the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR,
  • the personal data was processed unlawfully,
  • the personal data has to be erased to fulfil a legal obligation under EU or Member State law to which the controller is subject,
  • the personal data was collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If we have made the personal data public and we are obliged to erase the personal data pursuant to paragraph (1), we shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform the controllers processing the personal data that a data subject has requested them to erase all links to, or copy or replication of, this personal data (GDPR Article 17).

h) Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period of time which enables the controller to verify the accuracy of the personal data,
  • the processing is unlawful and the data subject opposes erasure of the personal data and instead requests the restriction of its use,
  • the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them to establish, exercise or defend legal claims, or,
  • the data subject has objected to the processing pursuant to Article 21(1), so long as it has not yet been established whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the consent of the data subject or in order to establish, exercise or defend legal claims or to protect the rights of another natural or legal person, or for reasons of an important public interest of the European Union or of a Member State. A data subject who has obtained a restriction on processing pursuant to paragraph (1) shall be informed by the controller before the restriction is lifted (GDPR Article 18). 

i) Notification obligation regarding rectification or erasure of personal data or restriction of processing

As the controller, we notify all recipients to whom personal data has been disclosed of any rectification or erasure of the personal data or of any restriction to processing in accordance with Article 16, Article 17(1) and Article 18 of the GDPR, unless this proves impossible or involves a disproportionate effort. We will inform the data subject about those recipients if the data subject requests this (GDPR Article 19). 

j) Right to data portability 

The data subject has the right to receive the personal data concerning him or her, that he or she has provided to us, in a structured, commonly used and machine-readable format and has the right to transmit such data to another controller without hindrance from the controller to whom the personal data was provided, insofar as

  • the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) of the GDPR and,
  • the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph (1), the data subject has the right to have the personal data transmitted directly from Capital Bay to another controller, where this is technically feasible. The exercise of the right referred to in paragraph (1) of this article is without prejudice to Article 17 of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to in paragraph (1) shall not adversely affect the rights and freedoms of others (GDPR Article 20). 

k) Right to object 

The data subject has the right to object at any time, on grounds related to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) or (f) of the GDPR; this includes profiling based on these provisions. In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Where we process personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her personal data for such marketing. This also applies to profiling insofar as it relates to such direct marketing. Where the data subject objects to us processing for direct marketing purposes, then we will no longer process the personal data for such purposes. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs (1) and (2) shall be explicitly brought to the attention of the data subject; we shall convey this information clearly and separately from other information. In relation to the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. In addition, where we process personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless such processing is necessary for the performance of a task carried out for reasons of public interest (GDPR Article 21). 

l) Automated individual decision-making, including profiling 

The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which results in legal effects concerning him or her or similarly significantly affects him or her. Paragraph (1) shall not apply if the decision

  • a) is necessary for entering into or performance of a contract between the data subject and the controller,
  • b) is authorised by European Union or Member State law to which the controller is subject and this legislation lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • c) is based on the explicit consent of the data subject.

In the cases referred to in paragraph (2)(a) and (c), we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions referred to in paragraph (2) shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR unless Article 9(2)(a) or (g) of the GDPR applies and suitable measures are in place to safeguard the data subject’s rights and freedoms and legitimate interests (GDPR Article 22). 

m) Right to revoke consent to the processing of personal data 

The data subject has the right to revoke consent to the processing of personal data at any time. Any data subject may exercise these rights. To do so he or she should contact our Data Protection Officer directly (please refer to Annex I for our contact details).  

10 Disclosure of personal data

Any information that you provide to us may be shared with and processed by any entity of the Capital Bay group where necessary for the execution of our services.

We can and may need to transfer your personal data to the following recipients in a variety of ways and for a range of purposes, as appropriate and in accordance with local laws and regulations:

  • tax, audit or other authorities, if we believe in good faith that we are required by law or by another regulation to disclose such data (for example, because of a request from a tax authority or in connection with an expected legal dispute),
  • healthcare entities such as health insurance companies,
  • external providers rendering services under our name (including external consultants, business partners and professional advisors such as lawyers, auditors and accountants, technical support professionals and IT consultants carrying out development and testing work on our technological systems),
  • providers of outsourced IT services and storage providers where an appropriate processing agreement (or comparable safeguard) is in place.

If an order is being processed, this is based on an order processing contract in the meaning of Chapter 4 of the GDPR.  

11 Provision of personal data for legal or contractual reasons

The provision of your personal data is required by law (e.g. due to tax laws and regulations) or due to contractual regulations (e.g. information on contractual partners or subcontractors). It may be necessary for the data subject to provide us with personal data in order to enter into a contract. This therefore forms a basis for us entering into a contract. If the personal data is not provided by the data subject, it may be that a contract cannot be entered into.

For clarification, the data subject can contact us for an explanation of whether an obligation is legal or contractual and what consequences it would have for the conclusion of a contract should personal data not be made available.

Annex I: Our contact details

Company responsible for processing the personal data of visitors to our website www.capitalbay.de: Capital Bay Real Estate Management GmbH.

How to reach us to update your marketing preferences: Email us at: info@capitalbay.de

How to reach us:

  • to access, change or withdraw any personal data you have provided to us,
  • if you suspect that your personal information has been misused, lost, or been subject to unauthorised access,
  • to revoke your consent to the processing of your personal data (if such consent constitutes the legal grounds for processing your personal data),
  • or to send us comments or feedback regarding this Privacy Policy.

Germany

Postal address: Capital Bay Real Estate Management GmbH, Data Protection Officer, Sachsendamm 4-5, 10829 Berlin, Germany. Alternatively, you can contact our Data Protection Officer by email at: datenschutz@capitalbay.de.

Luxembourg

Postal address: Capital Bay Fund Management, Attn. Data Protection, 2, Rue Jean Monnet, L-2180 Luxembourg, Grand Duchy of Luxembourg. Alternatively, you can contact us by email at: compliance@capitalbay.lu

Annex II – Contact details of the appropriate local regulatory body

Germany

Contact details of the appropriate local regulatory body: For our company, based in Berlin: The Berlin Commissioner for Data Protection and Freedom of Information

  • Postal address: Friedrichstr. 219, 10969 Berlin, Germany
  • Email: mailbox@datenschutz-berlin.de
  • Phone: +49 30 138 89-0
  • Fax: +49 30 215 50 50

Luxembourg

Contact details of the appropriate local regulatory body: For our companies, based in Luxembourg: National Commission for Data Protection (Commission nationale pour la protection des données - “CNPD”)

  • Postal address: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
  • Email: info@cnpd.lu
  • Phone: +352 26 10 60-1
  • Fax: +352 26 10 60 29

Annex III – Country-specific provision to this Privacy Policy

Jurisdiction: Federal Republic of Germany

 

Country-specific legal regulation: Requests to erase your data

If your data is not processed automatically and provided your data is not processed unlawfully, we are under no obligation to erase your data if erasing it would be impossible or would require disproportionate effort due to the storage method used, as long as we believe that your interest in erasing it is only minimal. If your data is processed automatically, we are also entitled to refuse to erase your data if we have reason to believe that erasing it would be contrary to your legitimate interests or if by erasing it we would be violating any legal obligation to store your data for a specified period of time. In this case, the processing of your data will instead be restricted in the manner stated in the GDPR. 

Employee Data

The provisions applicable to employment relationships permit the processing of personal data of employees for purposes related to employment, insofar as this is necessary for recruitment-related decisions or, after recruitment, for the performance or termination of an employment contract, or in order to comply with and satisfy the rights and obligations of employee representatives as provided for by law or by labour contracts or other contracts between the employer and an employee representative body. More information can be found in § 26 of the new Federal Data Protection Act (BDSG). In Germany, we collect data on employees’ religious affiliation in order to simplify our payroll processes. Because this is required by law, we do not ask our employees for their explicit consent to process this information.  

Annex IV – Data protection definitions

Our Privacy Policy includes the following terms: 

a) ‘Personal data’ and ‘data subject’ 

Personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1)). Data subject means any identified or identifiable natural person whose personal data is processed by the controller. 

c) ‘Processing’ 

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Article 4(2)). 

 

d) ‘Restriction of processing’ 

Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future (GDPR Article 4(3)). 

e) ‘Profiling’

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (GDPR Article 4(4)). 

f) ‘Pseudonymisation’

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (GDPR Article 4(5)). 

g) ‘Filing system’ 

A filing system means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis (GDPR Article 4(6)). 

h) ‘Controller’ or ‘data controller’ 

Controller or data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (GDPR Article 4(7)).

i) ‘Processor’

Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (GDPR Article 4(8)). 

j) ‘Recipient’

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients (GDPR Article 4(9)). 

k) ‘Third party’ 

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (GDPR Article 4(10)). 

l) ‘Consent’ 

Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR Article 4(11)). 

m) ‘Personal data breach’ 

Personal data breach means a breach of security leading to the destruction, loss or alteration, whether accidental or unlawful, or to the unauthorised disclosure of, or access to, personal data that were transmitted, stored or otherwise processed (GDPR Article 4(12)). 

n) ‘Genetic data’ 

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (GDPR Article 4(13)). 

o) ‘Biometric data’ 

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (GDPR Article 4(14)). 

p) ‘Data concerning health’ 

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status (GDPR Article 4(15)). 

q) ‘Main establishment’ 

1. Main establishment means, as regards a controller with establishments in more than one Member State, the place of its central administration in the European Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the European Union and this establishment has the power to have such decisions implemented; in this case the establishment that has taken such decisions is to be considered the main establishment;

2. as regards a processor with establishments in more than one Member State, the place of its central administration in the European Union, or, if the processor has no central administration in the European Union, the establishment of the processor in the European Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this regulation (GDPR Article 4(16)). 

 

 

r) ‘Representative’

Representative means a natural or legal person established in the European Union who, designated by the controller or processor in writing according to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this regulation (GDPR Article 4(17)). 

s) ‘Enterprise’

Enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity (GDPR Article 4(18)). 

t) ‘Group of undertakings’ 

Group of undertakings means a group consisting of a controlling undertaking and its dependent undertakings (GDPR Article 4(19)). 

t) ‘Binding corporate rules’ 

Binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a corporate group or group of enterprises engaged in a joint economic activity (GDPR Article 4(20)).

u) ‘Supervisory authority’

Supervisory authority means an independent public authority which is established by a Member State according to Article 51 of the GDPR (GDPR Article 4(21)).

v) ‘Supervisory authority concerned’

Supervisory authority concerned means a supervisory authority which is involved in the processing of personal data, because

1. the controller or processor is established on the territory of the Member State of that supervisory authority, 

2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or 

3. a complaint has been lodged with that supervisory authority (GDPR Article 4(22)).

w) ‘Cross-border processing’ 

Cross-border processing means either 

1. processing of personal data, which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union, where the controller or processor is established in more than one Member State; or 

2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State (GDPR Article 4(23)).

x) ‘Relevant and reasoned objection’ 

Relevant and reasoned objection means an objection as to whether or not there is an infringement of the GDPR, or whether envisaged action in relation to the controller or processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union (GDPR Article 4(24)). 

y) ‘Information society service’ 

Information society service means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (GDPR Article 4(25)). 

z) ‘International organisation’ 

International organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries (GDPR Article 4(26)).  

12 Cookie policy

At Capital Bay we express our thanks for your interest in our website. We are, however, unable to assume liability for external links to third-party content, despite checking content regularly and thoroughly. Protecting your personal data while we collect, process and use it when you visit our website is very important to us, and we would like for you to feel secure when visiting our web pages. Naturally we adhere to statutory regulations as set out in the General Data Protection Regulation (GDPR), Federal Data Protection Act (BDSG), German Broadcast Media Act (TMG) as well as other legislation regarding data protection. We would therefore like to take this opportunity to explain how we use cookies.

13 What is a cookie?

  • A ‘cookie’ is information that is stored on your computer’s hard drive and records how you use a website. This allows websites to offer you customised options based on information stored from your last visit. Cookies may also be used to analyse movement of data and for advertising and marketing purposes.
  • Cookies are used by almost all websites and do not harm your system. Should you wish to check or change what type of cookies you are accepting, you can usually do this in your browser settings.

14 How do we use cookies?

  • Generally speaking, you do not have to provide personal data to be able to use our website.
  • However, we may need your personal data in order to provide an effective service.
  • This applies both when sending information as well as responding to individual enquiries.
  • Other personal data will only be collected if you provide this information voluntarily, for example as part of a query or when registering to receive our customer magazine. For this purpose, it may be necessary to pass on your personal data to companies that we use to provide services. These include brokers or other services.
  • Where we perform any of the actions listed below or any other action, or where we render a service, we would like to collect and store your personal data and will ask for your explicit consent at the appropriate point on our website:
    • sending newsletters and press releases
    • taking part in competitions
    • personalising our website
    • other services and activities where your explicit consent is required for data collection.
  • If you have used your email address to register to receive our newsletter, we will use your email address for our own marketing purposes beyond the performance of the contract, until you unsubscribe from the newsletter.

15 This website uses Google Analytics

  • This website uses Google Analytics, a web analytics service offered by Google Inc. (“Google”).
  • Google Analytics uses so-called ‘cookies’, text files that are saved on your computer and permit an analysis of how you use this website.
  • The information generated by the cookie about how you use this website is usually sent to a Google server in the USA and saved there.
  • However, when IP anonymisation is activated on this website, your IP address will first be shortened by Google within European Union Member States or in other signatories to the Agreement on the European Economic Area. Only under exceptional circumstances will the complete IP address be sent to a Google server in the USA and shortened there.
  • On behalf of this website’s operator, Google uses this information to evaluate how you use the website, to compile reports on website activity and to provide other services to the website operator in the context of how the website and the internet are used.
  • The IP address communicated from your browser in the context of Google Analytics will not be linked to any other Google data.

16 Cookie settings

  • You can stop cookies being saved by adjusting your browser software settings accordingly; we would like to point out, however, that in this case you may not be able to make full use of all the features of this website.
  • You can prevent Google Analytics from collecting your data by clicking on the following link: Deactivate Google Analytics. This sets an opt-out cookie that stops your data being collected on future visits to this website. The cookie has to be set again once browser data is erased.
  • You can also prevent Google from collecting and processing data that relates to your use of the website and that is generated by the cookie (including your IP address) by downloading and installing the browser plug-in available via the following link. The up-to-date link is tools.google.com/dlpage/gaoptout.
  • Google uses DoubleClick DART cookies. Users can deactivate the use of DART cookies by visiting the Google ad and content network privacy policy. This doesn’t store any of the user’s direct personal data, only IP addresses.
  • This information helps automatically recognise you when you next visit our websites and makes navigating easier.
  • Cookies allow us, for example, to adapt a website to your interests or to save your password so you don’t have to enter it every time you visit.
  • Naturally you are also able to browse our website without using cookies. If you don’t want us to be able to recognise your computer, you can stop cookies from being saved on your hard drive by selecting “block cookies” in your browser settings. For specific instructions please refer to instructions relevant to your browser.
  • However if you choose not to accept cookies, this may limit the functionality of our website.
  • You can stop cookies being installed by using the corresponding setting in your browser. To do this go to your web browser and turn off the setting for saving cookies.
  • Every time someone visits our website or accesses a file deposited there, this is logged. These records serve a system-related and statistical purpose. The following data is recorded: date and time of the visit, duration of your visit, name of the file accessed, amount of data transferred, notification of successful access, web browser used and requesting domain.
  • This data is stored without identifying the site user. User profiles can be created, where appropriate, using a pseudonym. Here too, no connection is made between the natural person behind the pseudonym and the usage data collected. We also use cookies to collect and store usage data. These are small text files that are stored on your computer and help identify you as a user when you visit the page again. The Federal Office for Information Security (BSI) is one of several sources of information on how cookies work: www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/GefahrenRisiken/Cookies/cookies.html

The sole reason we collect this data is to further improve our online presence and to make our websites even better.

  • We only collect and store anonymised or pseudonymised data that does not allow us to identify you as a natural person.